<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
On 1/18/2011 5:51 AM, Marco Padovan wrote:
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana">We are getting hit HARD (.eu)<br>
<br>
I dunno what's the tool you are referring to... could you
please mail me some references privately so I can analyze it?<br>
</font></font></blockquote>
<br>
I was guessing that there is a new tool out there that is making
this easy. I don't know for certain if this is actually the case,
but it seems likely, considering the attack frequency and
large-ranging target set.<br>
<br>
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana"> Basically we are currently
dealing on a daily basis with </font></font><font size="-1"><font
face="Verdana">this kind of attacks</font></font><font
size="-1"><font face="Verdana"> since december ...<br>
<br>
We find ourself handling 10k incoming spoofed packets per
second during certain times of the day...<br>
<br>
What are you referring to small flow? 1k/sec? 100packets/sec?<br>
</font></font></blockquote>
<br>
On the reflector side, maybe a dozen packets per second, at most. So
few that we don't even notice a problem with the server.<br>
<br>
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana"> Which kind of rate limiting
figures did you all applied?<br>
We are trying to defend our self with very very strict network
filters... but that's damaging also our services that certain
times appear unreachable (even if they are not)<br>
</font></font></blockquote>
<br>
I haven't seen many of the reflections; I've mostly seen these
attacks as a target. In those cases, filtering by strings that are
specific to query responses seems to work best (when the attack is
small enough to be filtered on our end), but other techniques have
also been necessary at times.<br>
<br>
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana"> In our case it looks like it's
not just against other gameservers... but also against random
hosts...<br>
Source packets sometimes are from port 80 udp and, if not
blocked, replies would do an udp flood to the poor host if
enough gameservers were involved... (even if no udp service
was running on port 80) :(<br>
</font></font></blockquote>
<br>
Against TCP-based services on a unique IP, an ACL on the upstream
side to filter all UDP should take care of this for them, at least.<br>
<br>
The attacks are most effective against other game servers that
respond on UDP. Source servers, for instance, seem to be
particularly vulnerable.<br>
<br>
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana"> The worst thing is that the
damage to us as "reflectors" is very low as we are used to
handle a shitload of packets so it's difficult to say if
there's an attack going on or not :/<br>
</font></font></blockquote>
<br>
Nod, I agree. From the reflector's perspective, the attacks are
almost impossible to detect.<br>
<br>
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana"> Additionally, as I'm providing
services to different GSP brands in different countries, I
found out that attacks are basically spread on ALL the
servers... using all the servers available on the master list
as reflectors and targeting only a little number of victims...
they are not exploiting just a single GSP / gameserver :|<br>
</font></font></blockquote>
<br>
That's what I have seen as well. I counted the IPs involved in one
attack early this month and found that there were over 3500 used in
a 30-second span of time. <br>
<br>
Black Ops servers were frequently used for this in December but I
believe that GS coordinated with Treyarch to get a rate limiting
feature put in place with that game.<br>
<br>
-John<br>
</body>
</html>