sArAkUzZa (Author), posted September 9, 2011:
Keep it up ECF. This is something really necessary. 10mbit bandwidth is no joke, especially running 24-7

adamnp, posted September 9, 2011:
> Keep it up ECF. This is something really necessary. 10mbit bandwidth is no joke, especially running 24-7

Nullroute the IPs they are utilizing for the attack....Remember, this is an exploit used to produce a Denial of service....They are not 'attacking you' -- They are using your gameservers (vulnerability) as a broadcast to transmit the attack on to others. There should be a 'master server' that is telling your 'leafs' what to attack....You could probably isolate this host and subdue the attack until someone else finds your addresses as a vulnerability. There are other options that cost $...Not sure what you are losing, or what you are willing to put out to stop the attack, but there are options...

./smurf!

adamnp, posted September 9, 2011:
> This is basically what I have someone working on. However it would be tuned specifically for games. Each packet would be inspected and malformed packets would trigger an instaban on that IP address that was sending it.

That would be nice if there was something that basically included all ports and 'safe' packets in a whitelist.... There are a couple open source projects like I said, not sure if this info might help whoever you have doing it, but I can provide more information....I'm just not going to do it here, because obviously the source also provides the hole, which we don't need to be distributing...

sArAkUzZa (Author), posted September 9, 2011:
Hi, I have been isolating IPs that leech most bandwidth, it has been reduced now. But how to find "master server"??

ECF, posted September 9, 2011:
The person I am speaking with coded this himself. After testing, the code will be encrypted so no one will be able to decompile it (for obvious reasons...)

gordo, posted September 9, 2011:
nice work mate, doing a lot of good for people

peace, posted September 9, 2011:
http://www.kevinos.net/index.php?/topic/24-release-cod4-server-flooder/

lpgservers, posted September 9, 2011:
Wouldn't really recommend sharing that link...

adamnp, posted September 10, 2011:
> Wouldn't really recommend sharing that link...

lol -- my sentiments exactly....

Goran, posted September 10, 2011:
> http://www.kevinos.net/index.php?/topic/24-release-cod4-server-flooder/

that guy is limited on our end

sArAkUzZa (Author), posted September 10, 2011:
Great for you. Also, traffic has been reduced now after banning most of IPs

peace, posted September 10, 2011:
I posted it to let you know there's a new threat. His IPs have been already blocked on our servers.

Bubka3, posted September 11, 2011:
Fail, his site tries to resize around your screen. Good thing I have the javascript for that turned off.

lpgservers, posted September 11, 2011:
> I posted it to let you know there's a new threat. His IPs have been already blocked on our servers.

A simple statement to that effect would have been sufficient.

gordo, posted September 13, 2011:
any news on this?

sArAkUzZa (Author), posted September 14, 2011:
Also interested!

gordo, posted September 22, 2011:
bump!!

sArAkUzZa (Author), posted September 23, 2011:
this seems to be a serious issue, after some time it causes box to crash, eventually, full reinstall is needed

peace, posted September 23, 2011:
How can it possibly cause box to crash? Wasn't it just a udp flood?

sArAkUzZa (Author), posted September 23, 2011:
Seems just udp flood, but since this is happening box crashed down few times. Event viewer says nothing

peace, posted September 23, 2011:
How do you know if it was crash and not network unavailability because of UDP flood? Did it show blue screen?

sArAkUzZa (Author), posted September 23, 2011:
there is a hole in event viewer, 8-9 minutes of nothing and then startup information starts to show in viewer. Unfortunately, no reasons of crash.

sArAkUzZa (Author), posted September 27, 2011:
bumping this....any solution?

omnigenus, posted September 28, 2011:
First of all, sorry for my English. The problem you're all facing is a spoofed IP UDP attack. I'll try to explain what's happening here, for those of you who don't understand what's going on:

- attacker uses a spoofed IP address (victim's address) as a source
- attacker floods your CoD4 servers with "getstatus" query at a rate of 5-10 queries per second
- your servers respond to those queries, sending packets containing the server info back to the spoofed (false) source address.

Every CoD4 server responds to those queries, thus sending large amounts of data to that spoofed IP address I mentioned before (the real victim). This problem gets even bigger, knowing that every CoD4 server can get hit by more than just one spoofed address. So, in a nutshell, your servers are just a tool for the attacker to flood his real target(s), and that target is the IP you're sending all that data to.

To present this mathematically (bandwidth stuff):

- getstatus query payload is 14 bytes in size
- response to every single one of those queries is at least 500 bytes in size.

So, multiply all those responses by few hundreds (or thousands) per second, per server, and you have yourself a real outgoing traffic mess

*************** NOW TO THE GOOD PART ***************

I've noticed this problem some time ago and I made myself a fix for this mess. I sat down and began programming the plugin for Luigi Auriemma's Proxocket tool. We're now using this fix on our Win2008R2 and it's working fine. Our plugin contains more than just this fix, but I'm willing to help you with this problem. If you're interested to test it on your servers, send me a PM/mail and I'll make a fix, stripping all our additional code and leaving the solution for this attack. I'm kinda busy, so please have patience, as I'm not going to answer right away. And yeah, I don't plan to charge for this...don't worry.

When some of you confirm that it's working on their boxes also, I'll upload the solution to this thread.

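One way to cap the reflection described in the post above, as an added example that is not omnigenus's plugin or any other code from this thread: a per-source limit on how many getstatus queries reach the game server each second. The packet prefix (four 0xFF bytes, as in Quake 3 engine connectionless packets), the limit of 3, the table size, the sample address and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUERY_LIMIT 3   /* assumed: getstatus replies allowed per source per second */
#define TABLE_BITS  10  /* assumed: 1024 tracking slots */

struct slot { uint32_t ip, second, count; };
static struct slot table[1u << TABLE_BITS];

/* Assumed wire format: four 0xFF bytes followed by the command text. */
static int is_getstatus(const unsigned char *buf, size_t len) {
    static const unsigned char q[] = "\xff\xff\xff\xff" "getstatus";
    return len >= sizeof q - 1 && memcmp(buf, q, sizeof q - 1) == 0;
}

/* Returns 1 to hand the datagram to the game server, 0 to drop it.
   src_ip is the claimed source, which in a spoofed flood is the victim. */
int allow_packet(uint32_t src_ip, const unsigned char *buf, size_t len,
                 uint32_t now_sec) {
    if (!is_getstatus(buf, len)) return 1;   /* only status queries are limited */
    struct slot *s = &table[(src_ip * 2654435761u) >> (32 - TABLE_BITS)];
    if (s->ip != src_ip || s->second != now_sec) {
        /* new source in this slot, or a new one-second window */
        s->ip = src_ip; s->second = now_sec; s->count = 0;
    }
    if (s->count >= QUERY_LIMIT) return 0;   /* over budget: no reply is generated */
    s->count++;
    return 1;
}

/* Replays `qps` queries per second for `seconds` seconds from one claimed
   source and returns how many the server would still answer. */
unsigned answered(uint32_t src_ip, unsigned qps, uint32_t seconds) {
    /* constructed 14-byte query, matching the size given in the post */
    static const unsigned char query[] = "\xff\xff\xff\xff" "getstatus\n";
    unsigned n = 0;
    for (uint32_t t = 0; t < seconds; t++)
        for (unsigned i = 0; i < qps; i++)
            n += (unsigned)allow_packet(src_ip, query, sizeof query - 1, t);
    return n;
}

int main(void) {
    unsigned a = answered(0x0A000001u, 10, 60);  /* constructed address, 10 qps */
    /* 500 bytes per reply is the minimum size given in the post */
    printf("answered %u of 600, about %u reply bytes instead of %u\n", a, a * 500u, 600u * 500u);
    return 0;
}
```

Two sources that hash to the same slot reset each other's counter, so a deployed limiter needs a collision-safe table.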
ECF, posted September 28, 2011:
Thank you very much for sharing Omni

Archived
This topic is now archived and is closed to further replies.