Jump to content

Exploit in CoD4 (ddos) ?


sArAkUzZa

Recommended Posts

Hi,

 

please take look at attachement. Someone had similiar problems?

 

It puts 10mbit load on my server and game servers are empty. On netstat command I can not find outgoing connections. Firewall has been working and configured but obviously problem is in game servers.

I can not find IP it is connecting to

 

Any help, thoughts?

 

regards

untitled.thumb.JPG.fe49d0511f9f4854119100cf1a24bbc2.JPG

Link to comment
Share on other sites

  • Replies 149
  • Created
  • Last Reply

Someone could be using some of the servers to DDOS others as there is a method where the attacker will ping one of your game servers for info with a spoofed packet with the IP changed to the one they want to target. The game server then spews out the server info towards the spoofed IP, thus sending out useless traffic.

 

Not really sure how to stop it other than ISP's checking for spoofed packets or infinity ward from changing the way their server work.

Link to comment
Share on other sites

I will not pretend to understand how the person is doing it, but it involves monitoring packets and banning the offending IPs.

 

It is currently being used by the person whom I am getting it from in a webhosting environment without issue. It may need to be tweaked a bit to perform properly for game servers.

 

As I said, I will post more info as I get it.

Link to comment
Share on other sites

Now it becomes more serious since it does portscans

 

Thu Sep  8 14:10:49 2011 UDP     28984 =>    91.220.163.3 21   
Thu Sep  8 14:10:49 2011 UDP     29961 =>    91.220.163.3 21   
Thu Sep  8 14:10:49 2011 UDP     29961 =>    91.220.163.3 21   
Thu Sep  8 14:10:49 2011 UDP     28964 =>    91.220.163.3 21   
Thu Sep  8 14:10:49 2011 UDP     29965 =>    91.220.163.3 21   
Thu Sep  8 14:10:49 2011 UDP     29965 =>    91.220.163.3 21   
Thu Sep  8 14:10:49 2011 UDP     29961 =>    91.220.163.3 21   
Thu Sep  8 14:10:49 2011 UDP     29961 =>    91.220.163.3 21   
Thu Sep  8 14:11:11 2011 UDP     28858 =>    91.220.163.3 21   
Thu Sep  8 14:11:11 2011 UDP     28995 =>    91.220.163.3 21   
Thu Sep  8 14:11:11 2011 UDP     28995 =>    91.220.163.3 21   
Thu Sep  8 14:11:11 2011 UDP     28970 =>    91.220.163.3 21   
Thu Sep  8 14:11:11 2011 UDP     28970 =>    91.220.163.3 21   

Link to comment
Share on other sites

pass the traffic through a filter, look at the header, then drop all packets with that header. There are some different open source query cache code out there you can use to do this.

 

We do this quite frequently with Source DDoS and it works...Sometimes it gives a bit of a hiccup to the end user as your passing all traffic through an internal proxy basically, but it will suffice to help alleviate and thwart the attack.

Link to comment
Share on other sites

pass the traffic through a filter, look at the header, then drop all packets with that header. There are some different open source query cache code out there you can use to do this.

 

We do this quite frequently with Source DDoS and it works...Sometimes it gives a bit of a hiccup to the end user as your passing all traffic through an internal proxy basically, but it will suffice to help alleviate and thwart the attack.

 

This is basically what I have someone working on. However it would be tuned specifically for games.

 

Each packet would be inspected and malformed packets would trigger an instaban on that IP address that was sending it.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Who's Online   0 Members, 0 Anonymous, 17 Guests (See full list)

    • There are no registered users currently online

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. Terms of Use