DDoS - CoD?

Mark Grigsby mark at pcinw.net
Tue Sep 6 10:26:51 CDT 2011


Recently (last month) Ryan Gordon (the person responsible for porting COD to
Linux) released a patch for cod4 servers to address this specific issue.
 Here is the announcement and a link to the original email as well.  The
discussion also indicated that all of the Quake III based games suffered
from the same issue.

http://icculus.org/pipermail/cod/2011-August/015397.html

So we're getting reports of DDoS attacks, where botnets will send
> infostring queries to COD4 dedicated servers as fast as possible with
> spoofed addresses. They send a small UDP packet, and the server replies
> with a larger packet to the faked address. Multiply this by however fast
> you can stuff UDP packets into the server's incoming packet buffer per
> frame, times 7500+ public COD4 servers, and you can really bring a
> victim to its knees with a serious flood of unwanted packets.
>
> I've got a patch for COD4 for this, and I need admins to test it before
> I make an official release.
>
>     http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2
>
>
>
On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw at he.net> wrote:

> Call of Duty is apparently using the same flawed protocol as Quake III
> servers, so you can think of it as an amplification attack.  (I wish I'd
> forgotten all about this stuff)
>
> You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> source, and the server responds with everything you see.  With decent
> amplification (15B -> ~500B) and the number of CoD servers in world you
> could very easily build up a sizable attack.
>
> --
> Jeff Walter
> Network Engineer
> Hurricane Electric
>



-- 
Mark Grigsby
Network Operations Manager
PCINW (Preferred Connections Inc., NW)
3555 Gateway St. Ste. 205
Springfield, OR  97477
Voice: 800-787-3806 ext 408
DID: 541-762-1171
Fax:  541-684-0283



More information about the NANOG mailing list