Jump to content

Exploit in CoD4 (ddos) ?


sArAkUzZa

Recommended Posts

  • Replies 149
  • Created
  • Last Reply
Keep it up ECF. This is something really necessary. 10mbit bandwith is no joke, especially running 24-7

 

 

Nullroute the IP's they are utilizing for the attack....Remember, this is an exploit used to produce a Denial of service....They are not 'attacking you' -- They are using your gameservers (vulnerability) as a broadcast to transmit the attack on to others.

 

There should be 'master server' that is telling your 'leafs' what to attack....You could probobally isolate this host and subdue the attack until someone else finds your addresses as a vulnerability.

 

There are other options that cost $...Not sure what you are loosing, or what you are willing to put out to stop the attack, but there are options...

 

./smurf!

Link to comment
Share on other sites

This is basically what I have someone working on. However it would be tuned specifically for games.

 

Each packet would be inspected and malformed packets would trigger an instaban on that IP address that was sending it.

 

That would be nice if there was something that basically included all ports and 'safe' packets in a whitelist....

 

There are a couple open source projects like I said, not sure if this info might help whoever you have doing it, but I can provide more information....I'm just not going to do it here, because obviously the source also provides the hole, which we don't need to be distributing... :)

Link to comment
Share on other sites

First of all, sorry for my English.

 

The problem you're all facing is a spoofed IP UDP attack.

 

I'll try to explain what's happening here, for those of you who don't understand what's going on:

  1. attacker uses a spoofed IP address (victim's address) as a source
  2. attacker floods your CoD4 servers with "getstatus" query at a rate of 5-10 queries per second
  3. your servers respond to those queries, sending packets containing the server info back to the spoofed (false) source address.

 

Every CoD4 server responds to those queries, thus sending large amounts of data to that spoofed IP address i mentioned before (the real victim).

 

This problem gets even bigger, knowing that every CoD4 server can get hit by more than just one spoofed address.

 

So, in a nutshell, your servers are just a tool for the attacker to flood his real target(s), and that target is the IP you're sending all that data to.

 

To present this mathematically (bandwidth stuff):

- getstatus query payload is 14 bytes in size

- response to every single one of those queries is at least 500 bytes in size.

 

So, multiply all those responses by few hundreds (or thousands) per second, per server, and you have yourself a real outgoing traffic mess :~

 

 

*************** NOW TO THE GOOD PART ***************

 

 

I've noticed this problem some time ago and i made myself a fix for this mess.

 

I set down and began programming the plugin for Luigi Auriemma's Proxocket tool.

 

We're now using this fix on our Win2008R2 and it's working fine.

 

Our plugin contains more then just this fix, but i'm willing to help you with this problem.

 

If you're interested to test it on your servers, send me a PM/mail and i'll make a fix, striping all our additional code and leaving the solution for this attack.

 

I'm kinda busy, so please have patience, as i'm not going to answer right away.

 

And yeah, i don't plan to charge for this...don't worry. When some of you confirm that it's working on their boxes also, i'll upload the solution to this thread.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Who's Online   0 Members, 0 Anonymous, 18 Guests (See full list)

    • There are no registered users currently online

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. Terms of Use