sArAkUzZa Posted September 5, 2011
Hi, please take a look at the attachment. Has anyone had similar problems? It puts a 10 Mbit load on my server and the game servers are empty. With the netstat command I cannot find any outgoing connections. The firewall has been working and is configured, but obviously the problem is in the game servers. I cannot find the IP it is connecting to. Any help, thoughts? Regards
Shepsie Posted September 5, 2011
Someone could be using some of the servers to DDoS others, as there is a method where the attacker pings one of your game servers for info with a spoofed packet, with the source IP changed to the one they want to target. The game server then spews out the server info towards the spoofed IP, thus sending out useless traffic. Not really sure how to stop it other than ISPs checking for spoofed packets, or Infinity Ward changing the way their servers work.
sArAkUzZa Posted September 5, 2011
Maybe Luigi has a patch?? :/
adamnp Posted September 6, 2011
More than likely what Shepsie said is the culprit... There are a couple of workarounds I believe are already out there. There was another post on these boards about it in the past that had a bit of information pertaining to this.
sArAkUzZa Posted September 7, 2011
I cannot find anything; it is literally eating up bandwidth and putting load on the boxes. Offering money for solving this issue. Leave contact information here if you are interested.
sArAkUzZa Posted September 7, 2011
Also, now there are visible connections with IP addresses or hostnames.
ECF Posted September 7, 2011
I may have a solution to this problem. I will post once I can confirm.
peace Posted September 7, 2011
Use Network Monitor by Microsoft to see all network activity with IP addresses. With NM you can detect UDP flood source IPs and ban them with IPsec. http://www.microsoft.com/download/en/details.aspx?id=4865
sArAkUzZa Posted September 7, 2011
I tried banning IPs, but now there are no IPs at all. Under the "source" tab there is something like "hosted-by" or "gibson". ECF, can I open a ticket and give you login data so we can work together on this issue? I had partial success with blocking traffic.
peace Posted September 7, 2011
If you are using NM you have the option to see IPs instead of hostnames.
sArAkUzZa Posted September 7, 2011
There are literally hundreds of IPs.
peace Posted September 7, 2011
Look by destination IP and port. Also check packet sizes.
sArAkUzZa Posted September 7, 2011
Banning 20-30-50 IPs is just a temporary solution.
peace Posted September 7, 2011
So is it a UDP flood?
sArAkUzZa Posted September 7, 2011
Yes, a UDP flood, on the game server ports.
ECF Posted September 7, 2011
This solution is not part of TCAdmin. It is from an outside source. I will be getting the code for it tonight. What OS are you running?
sArAkUzZa Posted September 7, 2011
I could provide you with a login for the box; making an extra account is not a problem. Server 2k8.
peace Posted September 7, 2011
ECF, if it's a UDP flood then how can you possibly protect your system against it? Even if you block all IPs at the OS level, your network interface will still be loaded as long as the flood keeps coming.
ECF Posted September 7, 2011
I will not pretend to understand how the person is doing it, but it involves monitoring packets and banning the offending IPs. It is currently being used by the person I am getting it from in a web hosting environment without issue. It may need to be tweaked a bit to perform properly for game servers. As I said, I will post more info as I get it.
sArAkUzZa Posted September 8, 2011
I hope that will solve the issues.
sArAkUzZa Posted September 8, 2011
Now it becomes more serious, since it does port scans:

Thu Sep 8 14:10:49 2011 UDP 28984 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29961 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29961 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 28964 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29965 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29965 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29961 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29961 => 91.220.163.3 21
Thu Sep 8 14:11:11 2011 UDP 28858 => 91.220.163.3 21
Thu Sep 8 14:11:11 2011 UDP 28995 => 91.220.163.3 21
Thu Sep 8 14:11:11 2011 UDP 28995 => 91.220.163.3 21
Thu Sep 8 14:11:11 2011 UDP 28970 => 91.220.163.3 21
Thu Sep 8 14:11:11 2011 UDP 28970 => 91.220.163.3 21
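A note on reading that log, and an added example that is mine rather than anything from the thread or from TCAdmin. Every entry is traffic leaving the game servers: each packet goes from a game-server port to the same host on the same port, 91.220.163.3:21. That is the shape of the reflection Shepsie described, where the servers answer info queries whose source address was forged to be the target, whereas a genuine port scan spreads across many remote ports on a host. The code below parses lines in the posted format and applies exactly that distinction, following peace's advice to group by destination IP and port. It assumes the first port on each line is the local game-server port and the address plus second port are the remote end; the port-sweep and player-traffic lines are constructed for contrast.

```python
import re
from collections import defaultdict

# Line format as posted in the thread. Assumption: the first port is the
# local game-server port; the address and second port are the remote end.
#   Thu Sep 8 14:10:49 2011 UDP 28984 => 91.220.163.3 21
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) UDP "
    r"(?P<sport>\d+) => (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<dport>\d+)$"
)

# The 13 entries from the post above.
THREAD_LINES = """\
Thu Sep 8 14:10:49 2011 UDP 28984 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29961 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29961 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 28964 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29965 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29965 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29961 => 91.220.163.3 21
Thu Sep 8 14:10:49 2011 UDP 29961 => 91.220.163.3 21
Thu Sep 8 14:11:11 2011 UDP 28858 => 91.220.163.3 21
Thu Sep 8 14:11:11 2011 UDP 28995 => 91.220.163.3 21
Thu Sep 8 14:11:11 2011 UDP 28995 => 91.220.163.3 21
Thu Sep 8 14:11:11 2011 UDP 28970 => 91.220.163.3 21
Thu Sep 8 14:11:11 2011 UDP 28970 => 91.220.163.3 21
""".splitlines()

# Constructed for contrast: a real sweep of 12 ports on one host, and two
# ordinary packets to a player's client port.
CONSTRUCTED_LINES = [
    f"Thu Sep 8 14:12:00 2011 UDP 28960 => 203.0.113.5 {port}" for port in range(1, 13)
] + [
    "Thu Sep 8 14:12:05 2011 UDP 28960 => 198.51.100.7 27015",
    "Thu Sep 8 14:12:06 2011 UDP 28960 => 198.51.100.7 27015",
]


def parse(lines):
    """Return (timestamp, local_port, remote_ip, remote_port) per well-formed line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["ts"], int(m["sport"]), m["dst"], int(m["dport"])))
    return out


def summarize(records, scan_min_ports=10, reflect_min_packets=5):
    """Group by remote host and label the pattern of traffic sent to it.

    scan:       many distinct remote ports on one host (a genuine port sweep)
    reflection: many packets to ONE remote port, i.e. replies to queries whose
                spoofed source was that host:port; our server is the reflector
    normal:     anything below both thresholds
    """
    per_dst = defaultdict(lambda: {"packets": 0, "dports": set(), "sports": set()})
    for _ts, sport, dst, dport in records:
        entry = per_dst[dst]
        entry["packets"] += 1
        entry["dports"].add(dport)
        entry["sports"].add(sport)
    for entry in per_dst.values():
        if len(entry["dports"]) >= scan_min_ports:
            entry["verdict"] = "scan"
        elif len(entry["dports"]) == 1 and entry["packets"] >= reflect_min_packets:
            entry["verdict"] = "reflection"
        else:
            entry["verdict"] = "normal"
    return dict(per_dst)


if __name__ == "__main__":
    for dst, e in summarize(parse(THREAD_LINES + CONSTRUCTED_LINES)).items():
        print(f"{dst:15} {e['verdict']:10} packets={e['packets']:3} "
              f"remote_ports={len(e['dports']):3} local_ports={sorted(e['sports'])}")
```

The practical consequence is the one peace raised later: in the reflection case the addresses you see are the victims, so banning them only stops your servers from hurting that particular target, and the spoofed queries keep arriving on the interface regardless.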
peace Posted September 8, 2011
As a temporary measure, ban all attacker subnets. I guess there are no more than 5-10 different subnets.
gordo Posted September 8, 2011
There is no way to stop it; just wait till they get bored or Infinity Ward fixes this issue.
adamnp Posted September 8, 2011
Pass the traffic through a filter, look at the header, then drop all packets with that header. There is some different open source query cache code out there you can use to do this. We do this quite frequently with Source DDoS and it works... Sometimes it gives a bit of a hiccup to the end user, as you're basically passing all traffic through an internal proxy, but it will suffice to help alleviate and thwart the attack.
ECF Posted September 8, 2011
adamnp wrote:
Pass the traffic through a filter, look at the header, then drop all packets with that header. There is some different open source query cache code out there you can use to do this. We do this quite frequently with Source DDoS and it works... Sometimes it gives a bit of a hiccup to the end user, as you're basically passing all traffic through an internal proxy, but it will suffice to help alleviate and thwart the attack.

This is basically what I have someone working on. However, it would be tuned specifically for games. Each packet would be inspected, and malformed packets would trigger an instant ban on the IP address that was sending them.
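What adamnp and ECF describe, a filter in front of the game port that inspects each info query, answers from a cache, and refuses sources that misbehave, as an added example in Python. This is my code, not TCAdmin's and not the filter ECF was obtaining; the proxy socket plumbing is left out, and the decisions are driven through a fake clock and a constructed stand-in for the server's reply so it runs offline. It assumes the id Tech 3 style of out-of-band query (four 0xFF bytes followed by getinfo or getstatus), which is an assumption about the game in question. The per-source token bucket is the part that matters for reflection: the source address on a forged query is the victim, so capping replies per source caps what your server can send at any one target, while ordinary game traffic is passed through untouched. As peace pointed out, none of this reduces the inbound packets hitting the interface.

```python
import time
from collections import defaultdict

OOB_PREFIX = b"\xff\xff\xff\xff"           # id Tech 3 out-of-band marker (assumption)
ALLOWED_CMDS = (b"getinfo", b"getstatus")   # the info queries we answer ourselves
MAX_QUERY_LEN = 64                          # real info queries are tiny


class QueryFilter:
    """Per-source token bucket plus a short-lived cache of the server's reply."""

    def __init__(self, rate=2.0, burst=4, cache_ttl=1.0, clock=time.monotonic):
        self.rate, self.burst, self.cache_ttl, self.clock = rate, burst, cache_ttl, clock
        self.buckets = {}           # src_ip -> (tokens, last_refill_time)
        self.cache = {}             # command -> (reply_bytes, expiry_time)
        self.stats = defaultdict(int)

    def allow(self, src_ip):
        """Spend one token for src_ip; refill at `rate` per second up to `burst`."""
        now = self.clock()
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[src_ip] = (tokens, now)
            return False
        self.buckets[src_ip] = (tokens - 1.0, now)
        return True

    def handle(self, src_ip, data, backend):
        """Decide what to do with one inbound datagram.

        Returns ("reply", bytes) for an info reply served here, ("forward", data)
        for anything the real server should see, or ("drop", reason).
        `backend(cmd)` fetches a fresh reply from the server when the cache is stale.
        """
        if not data.startswith(OOB_PREFIX):
            self.stats["forwarded"] += 1            # in-game traffic: not our business
            return ("forward", data)
        cmd = data[len(OOB_PREFIX):].split(b" ", 1)[0].split(b"\n", 1)[0]
        if cmd not in ALLOWED_CMDS:
            self.stats["forwarded"] += 1            # connect, rcon, etc. go to the server
            return ("forward", data)
        if len(data) > MAX_QUERY_LEN:
            self.stats["malformed"] += 1            # padded "query": no real client does this
            return ("drop", "malformed")
        if not self.allow(src_ip):
            self.stats["rate_limited"] += 1
            return ("drop", "rate_limited")
        now = self.clock()
        reply, expiry = self.cache.get(cmd, (None, 0.0))
        if reply is None or now >= expiry:
            reply = backend(cmd)
            self.cache[cmd] = (reply, now + self.cache_ttl)
            self.stats["backend_calls"] += 1
        self.stats["answered"] += 1
        return ("reply", reply)


class FakeClock:
    """Deterministic clock so the example runs offline."""
    def __init__(self, start=1000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def fake_backend(cmd):
    # Constructed stand-in for the server's statusResponse; real replies run to
    # hundreds of bytes per tiny query, which is what makes reflection worthwhile.
    return OOB_PREFIX + b"statusResponse\n" + b"\\sv_hostname\\example\\mapname\\mp_test\n" * 8


def demo():
    clock = FakeClock()
    f = QueryFilter(rate=2.0, burst=4, cache_ttl=1.0, clock=clock)
    victim = "198.51.100.9"                  # constructed: the forged source, i.e. the target
    query = OOB_PREFIX + b"getstatus 1234"
    actions = [f.handle(victim, query, fake_backend)[0] for _ in range(6)]   # 4 pass, 2 dropped
    clock.advance(1.0)                                                       # refills 2 tokens
    actions += [f.handle(victim, query, fake_backend)[0] for _ in range(3)]  # 2 pass, 1 dropped
    actions.append(f.handle(victim, OOB_PREFIX + b"getstatus " + b"A" * 100, fake_backend)[0])
    actions.append(f.handle(victim, OOB_PREFIX + b"connect player", fake_backend)[0])
    actions.append(f.handle(victim, b"\x12\x34 in-game data", fake_backend)[0])
    return actions, dict(f.stats)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Deployed for real, the proxy would bind the public game port, forward everything it does not answer to the server on a loopback port, and have `backend` send the query there and read the reply; the cache is what keeps the server from being asked for the same status hundreds of times a second, and it is also the reason for the small delay adamnp mentioned.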