[cod] "reflection attacks" ... cod servers exploited ?

Marco Padovan evolutioncrazy at gmail.com
Sat Jan 22 07:32:12 EST 2011 

I've no clue about windows... which kind of firewall are you using?
Do you have any hardware firewall?

On linux you can easily block all those packets (that affect marginally 
also your gameservers) using iptables... I'm not sure if windows "by 
default" is as flexible as iptables...

Il 21/01/2011 23:36, STIPE Admin ha scritto:
>
> I am too experiencing a similar issue. I'm unsure if this is a 
> reflection attack but all my COD servers are acting like BOTNETs -- 
> that is, it seems to be DOS attacking targets at high speeds. So far I 
> have been banning multiple IP addresses a day manually but it's hard 
> to keep up as new IPs form up every hour. Has anyone found a solution 
> to this yet? I use Windows to run my COD servers btw.
>
> **
>
> *From:*Marco Padovan [mailto:evolutioncrazy at gmail.com]
> *Sent:* Wednesday, 19 January 2011 12:51 AM
> *To:* Call of Duty server admin list.
> *Subject:* Re: [cod] "reflection attacks" ... cod servers exploited ?
>
> We are getting hit HARD (.eu)
>
> I dunno what's the tool you are referring to... could you please mail 
> me some references privately so I can analyze it?
>
> Basically we are currently dealing on a daily basis with this kind of 
> attacks since december ...
>
> We find ourself handling 10k incoming spoofed packets per second 
> during certain times of the day...
>
> What are you referring to small flow? 1k/sec? 100packets/sec?
> Which kind of rate limiting figures did you all applied?
> We are trying to defend our self with very very strict network 
> filters... but that's damaging also our services that certain times 
> appear unreachable (even if they are not)
>
> In our case it looks like it's not just against other gameservers... 
> but also against random hosts...
> Source packets sometimes are from port 80 udp and, if not blocked, 
> replies would do an udp flood to the poor host if enough gameservers 
> were involved... (even if no udp service was running on port 80) :(
>
> The worst thing is that the damage to us as "reflectors" is very low 
> as we are used to handle a shitload of packets so it's difficult to 
> say if there's an attack going on or not :/
>
> Additionally, as I'm providing services to different GSP brands in 
> different countries, I found out that attacks are basically spread on 
> ALL the servers... using all the servers available on the master list 
> as reflectors and targeting only a little number of victims... they 
> are not exploiting just a single GSP / gameserver :|
>
>
> Il 18/01/2011 07:51, John ha scritto:
>
> On 1/17/2011 10:44 PM, Geoff Goas wrote:
>
> John, you've seen an increase in attacks on victims or you are seeing 
> your servers being used as reflection servers?
>
> How are you detecting either/or?
>
>
> Both. As a victim, from traffic dumps made during large (D)DoS attacks 
> and from received complaints by the IP owners at other GSPs that have 
> been concurrent with the attacks on our clients. A a reflector is from 
> a complaint; it's more difficult to detect those from the side of the 
> server being used as the reflector because the flow is small.
>
> -John
> _______________________________________________
> cod mailing list
> cod at icculus.org <mailto:cod at icculus.org>
> http://icculus.org/mailman/listinfo/cod
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20110122/1ef39e08/attachment-0001.htm>

More information about the cod mailing list