DDoS - CoD?

George Herbert george.herbert at gmail.com
Tue Sep 6 13:19:23 CDT 2011


Arrgghhh....

This reminds me of the WebNFS attack.  Which is why Sun aborted
WebNFS's public launch, after I pointed it out during its Solaris 2.6
early access program.

Never run a volume-multiplying service on UDP if you can help it,
exposed to the outside world, without serious in-band source
verification.  Amplification attacks are a classic easy DDOS win.


-george

On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw at he.net> wrote:
> Call of Duty is apparently using the same flawed protocol as Quake III
> servers, so you can think of it as an amplification attack.  (I wish I'd
> forgotten all about this stuff)
>
> You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> source, and the server responds with everything you see.  With decent
> amplification (15B -> ~500B) and the number of CoD servers in world you
> could very easily build up a sizable attack.
>
> --
> Jeff Walter
> Network Engineer
> Hurricane Electric
>



-- 
-george william herbert
george.herbert at gmail.com




More information about the NANOG mailing list