DDoS - CoD?

Mark Grigsby mark at pcinw.net
Tue Sep 6 15:26:51 UTC 2011

Recently (last month) Ryan Gordon (the person responsible for porting COD to
Linux) released a patch for cod4 servers to address this specific issue.
 Here is the announcement and a link to the original email as well.  The
discussion also indicated that all of the Quake III based games suffered
from the same issue.


So we're getting reports of DDoS attacks, where botnets will send
> infostring queries to COD4 dedicated servers as fast as possible with
> spoofed addresses. They send a small UDP packet, and the server replies
> with a larger packet to the faked address. Multiply this by however fast
> you can stuff UDP packets into the server's incoming packet buffer per
> frame, times 7500+ public COD4 servers, and you can really bring a
> victim to its knees with a serious flood of unwanted packets.
> I've got a patch for COD4 for this, and I need admins to test it before
> I make an official release.
>     http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2
On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw at he.net> wrote:

> Call of Duty is apparently using the same flawed protocol as Quake III
> servers, so you can think of it as an amplification attack.  (I wish I'd
> forgotten all about this stuff)
> You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> source, and the server responds with everything you see.  With decent
> amplification (15B -> ~500B) and the number of CoD servers in world you
> could very easily build up a sizable attack.
> --
> Jeff Walter
> Network Engineer
> Hurricane Electric

Mark Grigsby
Network Operations Manager
PCINW (Preferred Connections Inc., NW)
3555 Gateway St. Ste. 205
Springfield, OR  97477
Voice: 800-787-3806 ext 408
DID: 541-762-1171
Fax:  541-684-0283

More information about the NANOG mailing list