<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
The 12 pps number that I quoted was in reference to the kind of
inbound rate that I have been seeing from each external IP in an
attack. Multiplied by thousands of game servers, this adds to enough
to overwhelm the processing abilities of a CS:S server, for
instance. <br>
<br>
From the standpoint of a reflector, there's not too much that you
can do to prevent your servers from being used to attack the target,
apart from potentially:<br>
<br>
a) Rate-limiting queries for each source-destination IP tuple with
firewall rules<br>
b) Monitoring the network overall to look for large numbers of
packets in from or out to any single external source, and
potentially blocking (temporarily) inbound queries or your outbound
responses from/to that IP<br>
c) Given a sufficiently lengthy attack, trying to get your upstream
to track down the true source of the traffic -- but this is a long
shot, as most ISPs will not do it without major damage involved<br>
<br>
From the standpoint of a target (which is mostly what I see on my
end), detecting an attack based on the inbound packet rate and then
blocking the IP set of attackers based on automated traffic
analysis, or using a rule that nukes any inbound packets containing
the string "statusResponse" at position 32, can be effective -- as
long as the attack isn't completely overwhelming the uplink (in
which case, a null route or upstream filtering is necessary).<br>
<br>
-John<br>
<br>
On 1/18/2011 2:15 PM, Marco Padovan wrote:
<blockquote cite="mid:4D3610EF.8050701@gmail.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
<font size="-1"><font face="Verdana">Thanks for the detailed reply
:)<br>
<br>
Within 8hours got 7million inbound spoofed packets.<br>
<br>
Those were 7million abusive requests ... all apparently coming
from a single IP source (I'm seeing that same source querying
hundreds of other gameservers in different dacenters)<br>
That's something like a constant flow of 200packets/seconds
from a single source... looks like they are trying to exploit
some of our gameservers as reflectors...<br>
The source ip appear offline and unreacheable ... dunno which
services it is serving... but seeing the rates I'm pretty sure
that the source it's really that ip...<br>
<br>
In this moment these are the stats on a connection:<br>
rx: 12.28 Mbit/s 15878 p/s tx: 11.95 Mbit/s
9805 p/s<br>
<br>
Nearly 5k out of those 15k incoming packets are spoofed.<br>
5000packets / second filtered out...<br>
<br>
the 12p/s figure you were referring to is very rare here.. or
at least it's covered by these big attacks...<br>
<br>
Unless you were talking about 12packets to each single
gameserver instance... in such a case that would be
possible... we have a lot of gameservers running and the stats
I was referring above were overall stats...<br>
</font></font><br>
Il 18/01/2011 21:59, John ha scritto:
<blockquote cite="mid:4D35FF31.1000300@nuclearfallout.net"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
On 1/18/2011 5:51 AM, Marco Padovan wrote:
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana">We are getting hit HARD (.eu)<br>
<br>
I dunno what's the tool you are referring to... could you
please mail me some references privately so I can analyze
it?<br>
</font></font></blockquote>
<br>
I was guessing that there is a new tool out there that is making
this easy. I don't know for certain if this is actually the
case, but it seems likely, considering the attack frequency and
large-ranging target set.<br>
<br>
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana"> Basically we are currently
dealing on a daily basis with </font></font><font
size="-1"><font face="Verdana">this kind of attacks</font></font><font
size="-1"><font face="Verdana"> since december ...<br>
<br>
We find ourself handling 10k incoming spoofed packets per
second during certain times of the day...<br>
<br>
What are you referring to small flow? 1k/sec?
100packets/sec?<br>
</font></font></blockquote>
<br>
On the reflector side, maybe a dozen packets per second, at
most. So few that we don't even notice a problem with the
server.<br>
<br>
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana"> Which kind of rate limiting
figures did you all applied?<br>
We are trying to defend our self with very very strict
network filters... but that's damaging also our services
that certain times appear unreachable (even if they are
not)<br>
</font></font></blockquote>
<br>
I haven't seen many of the reflections; I've mostly seen these
attacks as a target. In those cases, filtering by strings that
are specific to query responses seems to work best (when the
attack is small enough to be filtered on our end), but other
techniques have also been necessary at times.<br>
<br>
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana"> In our case it looks like
it's not just against other gameservers... but also
against random hosts...<br>
Source packets sometimes are from port 80 udp and, if not
blocked, replies would do an udp flood to the poor host if
enough gameservers were involved... (even if no udp
service was running on port 80) :(<br>
</font></font></blockquote>
<br>
Against TCP-based services on a unique IP, an ACL on the
upstream side to filter all UDP should take care of this for
them, at least.<br>
<br>
The attacks are most effective against other game servers that
respond on UDP. Source servers, for instance, seem to be
particularly vulnerable.<br>
<br>
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana"> The worst thing is that the
damage to us as "reflectors" is very low as we are used to
handle a shitload of packets so it's difficult to say if
there's an attack going on or not :/<br>
</font></font></blockquote>
<br>
Nod, I agree. From the reflector's perspective, the attacks are
almost impossible to detect.<br>
<br>
<blockquote cite="mid:4D359AD2.5070500@gmail.com" type="cite"><font
size="-1"><font face="Verdana"> Additionally, as I'm
providing services to different GSP brands in different
countries, I found out that attacks are basically spread
on ALL the servers... using all the servers available on
the master list as reflectors and targeting only a little
number of victims... they are not exploiting just a single
GSP / gameserver :|<br>
</font></font></blockquote>
<br>
That's what I have seen as well. I counted the IPs involved in
one attack early this month and found that there were over 3500
used in a 30-second span of time. <br>
<br>
Black Ops servers were frequently used for this in December but
I believe that GS coordinated with Treyarch to get a rate
limiting feature put in place with that game.<br>
<br>
-John<br>
<pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
cod mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
</body>
</html>