DDoS - CoD?
BH
lists at blackhat.bz
Tue Sep 6 07:53:38 UTC 2011
Hi all,
I am wondering if anyone has seen a large DDoS before, specifically on
port 80 UDP with data that seems to be related to Call of Duty 4. I did
a quick packet capture, and the payload looks like this:
14:50:42.716247 IP Y1.YY.YY.YY.28960 > XX.XX.XX.XX.80: UDP, length 499
0x0000: 4500 020f 0000 4000 2a11 5203 58bf 8138 E.....@.*.R.X..8
0x0010: cbaa 5739 7120 0050 01fb 3e2e ffff ffff ..W9q..P..>.....
0x0020: 7374 6174 7573 5265 7370 6f6e 7365 0a5c statusResponse.\
0x0030: 5f41 646d 696e 5c6b 696c 6c6b 7574 6572 _Admin\killkuter
0x0040: 5c5f 456d 6169 6c5c 6b69 6c6c 6b75 7465 \_Email\killkute
0x0050: 7240 686f 746d 6169 6c2e 636f 6d5c 5f4c r@hotmail.com\_L
0x0060: 6f63 6174 696f 6e5c 4652 5c5f 6d61 6e75 ocation\FR\_manu
0x0070: 6164 6d69 6e6d 6f64 5c30 2e31 312e 3320 adminmod\0.11.3.
0x0080: 6265 7461 5c5f 5765 6273 6974 655c 6874 beta\_Website\ht
0x0090: 7470 3a2f 2f77 7777 2e73 7974 2e74 6561 tp://www.syt.tea
0x00a0: 6d2e 7374 5c67 5f63 6f6d 7061 7373 5368 m.st\g_compassSh
0x00b0: 6f77 456e 656d 6965 735c 305c 675f 6761 owEnemies\0\g_ga
0x00c0: 6d65 7479 7065 5c77 6172 5c67 616d 656e metype\war\gamen
0x00d0: 616d 655c 4361 6c6c 206f 6620 4475 7479 ame\Call.of.Duty
0x00e0: 2034 5c6d 6170 6e61 6d65 5c6d 705f 626c .4\mapname\mp_bl
0x00f0: 6f63 5c70 726f 746f 636f 6c5c 365c 7368 oc\protocol\6\sh
0x0100: 6f72 7476 6572 7369 6f6e 5c31 2e37 5c73 ortversion\1.7\s
0x0110: 765f 616c 6c6f 7741 6e6f 6e79 6d6f 7573 v_allowAnonymous
0x0120: 5c30 5c73 765f 6469 7361 626c 6543 6c69 \0\sv_disableCli
0x0130: 656e 7443 6f6e 736f 6c65 5c30 5c73 765f entConsole\0\sv_
0x0140: 666c 6f6f 6470 726f 7465 6374 5c31 5c73 floodprotect\1\s
0x0150: 765f 686f 7374 6e61 6d65 5c5e 3120 5359 v_hostname\^1.SY
0x0160: 5420 2d20 5e33 5444 4d20 4843 202d 205e T.-.^3TDM.HC.-.^
0x0170: 3120 6372 6163 6b20 5c73 765f 6d61 7863 1.crack.\sv_maxc
0x0180: 6c69 656e 7473 5c32 305c 7376 5f6d 6178 lients\20\sv_max
0x0190: 5069 6e67 5c31 3530 5c73 765f 6d61 7852 Ping\150\sv_maxR
0x01a0: 6174 655c 3235 3030 305c 7376 5f6d 696e ate\25000\sv_min
0x01b0: 5069 6e67 5c30 5c73 765f 7072 6976 6174 Ping\0\sv_privat
0x01c0: 6543 6c69 656e 7473 5c36 5c73 765f 7075 eClients\6\sv_pu
0x01d0: 6e6b 6275 7374 6572 5c30 5c73 765f 7075 nkbuster\0\sv_pu
0x01e0: 7265 5c31 5c73 765f 766f 6963 655c 305c re\1\sv_voice\0\
0x01f0: 7569 5f6d 6178 636c 6965 6e74 735c 3332 ui_maxclients\32
0x0200: 5c70 7377 7264 5c30 5c6d 6f64 5c30 0a \pswrd\0\mod\0.
14:50:42.716292 IP Y1.YY.YY.YY.28965 > XX.XX.XX.XX.80: UDP, length 870
0x0000: 4500 0382 0000 4000 2f11 27e7 c1c0 3be0 E.....@./.'...;.
0x0010: cbaa 5739 7125 0050 036e 1547 ffff ffff ..W9q%.P.n.G....
0x0020: 7374 6174 7573 5265 7370 6f6e 7365 0a5c statusResponse.\
0x0030: 7368 6f72 7476 6572 7369 6f6e 5c30 2e34 shortversion\0.4
0x0040: 2d34 325c 7376 5f6d 6178 636c 6965 6e74 -42\sv_maxclient
0x0050: 735c 3138 5c5f 4164 6d69 6e5c 447a 696e s\18\_Admin\Dzin
0x0060: 5c5f 456d 6169 6c5c 6164 6d69 6e40 6261 \_Email\admin@ba
0x0070: 6c6b 616e 2d77 6172 732e 636f 6d5c 5f4c lkan-wars.com\_L
0x0080: 6f63 6174 696f 6e5c 5468 6520 556e 696f ocation\The.Unio
0x0090: 6e20 6f66 2053 6f76 6965 7420 536f 6369 n.of.Soviet.Soci
0x00a0: 616c 6973 7469 6320 5265 7075 626c 6963 alistic.Republic
0x00b0: 735c 5f57 6562 7369 7465 5c68 7474 703a s\_Website\http:
0x00c0: 2f2f 6261 6c6b 616e 2d77 6172 732e 636f //balkan-wars.co
0x00d0: 6d5c 6169 775f 7265 6d6f 7465 4b69 636b m\aiw_remoteKick
0x00e0: 5c31 5c61 6977 5f73 6563 7572 655c 305c \1\aiw_secure\0\
0x00f0: 675f 6761 6d65 7479 7065 5c77 6172 5c67 g_gametype\war\g
0x0100: 5f68 6172 6463 6f72 655c 305c 6761 6d65 _hardcore\0\game
0x0110: 6e61 6d65 5c49 5734 5c6d 6170 6e61 6d65 name\IW4\mapname
0x0120: 5c6d 705f 6272 6563 6f75 7274 5c70 726f \mp_brecourt\pro
0x0130: 746f 636f 6c5c 3134 345c 7363 725f 6761 tocol\144\scr_ga
0x0140: 6d65 5f61 6c6c 6f77 6b69 6c6c 6361 6d5c me_allowkillcam\
0x0150: 315c 7363 725f 7465 616d 5f66 6674 7970 1\scr_team_fftyp
0x0160: 655c 305c 7376 5f61 6c6c 6f77 416e 6f6e e\0\sv_allowAnon
0x0170: 796d 6f75 735c 305c 7376 5f61 6c6c 6f77 ymous\0\sv_allow
0x0180: 436c 6965 6e74 436f 6e73 6f6c 655c 315c ClientConsole\1\
0x0190: 7376 5f66 6c6f 6f64 5072 6f74 6563 745c sv_floodProtect\
0x01a0: 315c 7376 5f68 6f73 746e 616d 655c 7c46 1\sv_hostname\|F
0x01b0: 5233 3344 4f4d 7c20 4669 6768 7465 7273 R33DOM|.Fighters
0x01c0: 2055 4b20 4e6f 5475 6265 2d4e 6f41 6b69 .UK.NoTube-NoAki
0x01d0: 6d62 6f2d 5444 4d20 3234 2f37 5c73 765f mbo-TDM.24/7\sv_
0x01e0: 6d61 7850 696e 675c 3330 305c 7376 5f6d maxPing\300\sv_m
0x01f0: 6178 5261 7465 5c31 3530 3030 305c 7376 axRate\150000\sv
0x0200: 5f6d 696e 5069 6e67 5c30 5c73 765f 7072 _minPing\0\sv_pr
0x0210: 6976 6174 6543 6c69 656e 7473 5c30 5c73 ivateClients\0\s
0x0220: 765f 7072 6976 6174 6543 6c69 656e 7473 v_privateClients
0x0230: 466f 7243 6c69 656e 7473 5c30 0a30 2039 ForClients\0.0.9
0x0240: 3939 2022 5768 6974 6573 7061 726b 6c65 99."Whitesparkle
0x0250: 7322 0a30 2038 3920 226d 6174 7269 6361 s".0.89."matrica
0x0260: 2033 220a 3020 3734 2022 5368 616b 7567 .3".0.74."Shakug
0x0270: 616e 220a 3020 3536 2022 3336 3048 6561 an".0.56."360Hea
0x0280: 6453 686f 7422 0a36 3030 2037 3620 2261 dShot".600.76."a
0x0290: 7665 6c6c 7573 220a 3630 3020 3132 3220 vellus".600.122.
0x02a0: 2253 696c 7665 7222 0a34 3030 2031 3133 "Silver".400.113
0x02b0: 2022 4576 616c 6f6e 220a 3131 3030 2037 ."Evalon".1100.7
0x02c0: 3720 225e 345b 4d5e 3969 575e 345d 4465 7."^4[M^9iW^4]De
0x02d0: 725e 220a 3130 3020 3937 2022 416e 6472 r^".100.97."Andr
0x02e0: 6579 2053 756b 6163 6822 0a31 3030 2036 ey.Sukach".100.6
0x02f0: 3620 2244 7a65 6968 6e6f 3933 220a 3230 6."Dzeihno93".20
0x0300: 3020 3839 2022 5265 6e22 0a30 2031 3338 0.89."Ren".0.138
0x0310: 2022 d1d1 d1d0 220a 3230 3020 3334 2022 ."....".200.34."
0x0320: 7061 7631 220a 3430 3020 3138 3720 224b pav1".400.187."K
0x0330: 6172 6c6f 735f 3538 220a 3230 3020 3237 arlos_58".200.27
0x0340: 3020 226d 4f6e 7374 6572 220a 3730 3020 0."mOnster".700.
0x0350: 3137 3220 224d 6572 6365 6e61 7279 220a 172."Mercenary".
0x0360: 3130 3230 2039 3620 226e 696b 6f6c 6122 1020.96."nikola"
0x0370: 0a33 3030 2031 3234 2022 5349 444f 4922 .300.124."SIDOI"
0x0380: 0a00
As far as I know CoD 4 doesn't use port 80 UDP, and I can't see anything
else that would. The box doesn't have anything listening for port 80/udp
(it does run a web server) and never has.
Has anyone seen similar traffic before? I am struggling to figure out
what is causing this traffic, or if it's existing traffic being replayed
to try and avoid filters.
Thanks
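The two payloads above have the shape of the id Tech 3 (Quake III engine) server-query reply that Call of Duty 4's engine inherits: four 0xFF bytes, the word statusResponse, a newline, a backslash-separated infostring of server cvars, a newline, then one `score ping "name"` line per connected player; the source port 28960 is that engine family's default game port. The decoder below is an added example, not code from the original post. It pulls the UDP payload out of tcpdump -X style text (three header lines copied from the first packet are embedded as constructed test input; the archive-mangled printable column is ignored) and parses a hand-assembled, abridged copy of the second packet's payload. The `amplification_factor` helper assumes these are replies to a 14-byte `getstatus` query, which is what a reflection attack with a spoofed source address would elicit; the capture is consistent with that but does not prove it.

```python
"""Decode id Tech 3 'statusResponse' payloads such as the ones in the capture.

Added example, not part of the original post. Wire format (Quake III engine
server query, inherited by Call of Duty 4):
    4 x 0xFF, b"statusResponse\n", b"\\key\\value...\n", then per player
    b'score ping "name"\n'.
"""
import re
import struct

Q3_MAGIC = b"\xff\xff\xff\xff"
# Assumption: the query that elicits a statusResponse is a bare getstatus.
GETSTATUS_QUERY = Q3_MAGIC + b"getstatus\n"

# Constructed test input: the first three tcpdump -X lines of packet one,
# copied from the post. Everything after the eight hex groups is ignored.
SAMPLE_DUMP = (
    "0x0000: 4500 020f 0000 4000 2a11 5203 58bf 8138 E.....@.*.R.X..8\n"
    "0x0010: cbaa 5739 7120 0050 01fb 3e2e ffff ffff ..W9q..P..>.....\n"
    "0x0020: 7374 6174 7573 5265 7370 6f6e 7365 0a5c statusResponse.\\\n"
)

# Constructed test input: an abridged, hand-assembled copy of packet two's
# UDP payload (infostring trimmed to a few cvars, three player lines kept).
SAMPLE_PAYLOAD = (
    Q3_MAGIC + b"statusResponse\n"
    + b"\\shortversion\\0.4-42\\sv_maxclients\\18\\_Admin\\Dzin"
    + b"\\gamename\\IW4\\mapname\\mp_brecourt\\protocol\\144"
    + b"\\sv_hostname\\|FR33DOM| Fighters UK NoTube-NoAkimbo-TDM 24/7"
    + b"\\sv_maxPing\\300\n"
    + b'0 999 "Whitesparkles"\n'
    + b'600 76 "avellus"\n'
    + b'1100 77 "^4[M^9iW^4]Der^"\n'
    + b"\x00"  # the captured packet ends in a NUL byte after the last newline
)

_HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+(.*)$")


def packets_from_hexdump(text):
    """Split tcpdump -X output into raw IPv4 frames, one bytes object per packet.

    A new packet begins when the offset column resets to 0x0000. Only the first
    eight 4-hex-digit groups (16 bytes) of a line are data; a trailing 2-digit
    group ends the line, and anything else is the printable column.
    """
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        groups = []
        for tok in m.group(2).split():
            if len(groups) == 8 or not re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", tok):
                break
            groups.append(tok)
            if len(tok) == 2:  # odd trailing byte, e.g. the lone "0a" on the last line
                break
        current += bytes.fromhex("".join(groups))
    if current:
        packets.append(bytes(current))
    return packets


def udp_payload(frame):
    """Return (src_port, dst_port, payload) from a raw IPv4/UDP frame."""
    if frame[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:
        raise ValueError("not UDP")
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    return sport, dport, frame[ihl + 8:ihl + ulen]


def parse_status_response(payload):
    """Return ({cvar: value}, [(score, ping, name), ...]) or None if not a statusResponse."""
    if not payload.startswith(Q3_MAGIC):
        return None
    header, _, rest = payload[len(Q3_MAGIC):].partition(b"\n")
    if header != b"statusResponse":
        return None
    infostring, _, players_blob = rest.partition(b"\n")
    fields = infostring.split(b"\\")  # leading backslash gives an empty first element
    cvars = {k.decode("latin-1"): v.decode("latin-1")
             for k, v in zip(fields[1::2], fields[2::2])}
    players = []
    for line in players_blob.split(b"\n"):
        m = re.fullmatch(rb'(-?\d+) (\d+) "(.*)"', line.strip(b"\x00"))
        if m:
            players.append((int(m.group(1)), int(m.group(2)), m.group(3).decode("latin-1")))
    return cvars, players


def amplification_factor(response_len, request=GETSTATUS_QUERY):
    """Bytes returned per byte sent if response_len answers a single request (assumption)."""
    return response_len / len(request)


if __name__ == "__main__":
    for frame in packets_from_hexdump(SAMPLE_DUMP):
        sport, dport, payload = udp_payload(frame)
        print(sport, "->", dport, parse_status_response(payload))
    cvars, players = parse_status_response(SAMPLE_PAYLOAD)
    print(cvars["gamename"], cvars["mapname"], players)
    print("amplification for the 870-byte reply: %.1fx" % amplification_factor(870))
```

Feeding the full capture text to `packets_from_hexdump` yields both frames (each new `0x0000:` line starts a packet); the source port decoded from the UDP header is 28960 for the first packet, exactly as the tcpdump summary line shows. Player names and cvars are decoded as latin-1 because the engine does not guarantee UTF-8 (the second packet has a name made of 0xD0/0xD1 bytes); the `^N` colour codes in hostnames are left as captured.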
More information about the NANOG mailing list