DDoS - CoD? - Activision contact

Jeff Walter jeffw at he.net
Wed Sep 7 15:35:03 UTC 2011

On 9/6/2011 6:02 AM, BH wrote:
> Looking around, I believe the issue is that the IP has ended up on a 
> master game list, so we are now getting the queries directed at US.

Having written multiple versions of a Quake III master server (again, 
much self-hate) I pulled one of my old master query scripts out of 
mothballs and checked.  You are not listed on the CoD4 master server 
(assuming you did not alter the UDP frames you originally posted).  If 
you were you would be seeing "getInfo" and "getStatus" queries, but 
you're not.  You're seeing the "getInfoResponse" and "getStatusResponse" 
packets from a server which is listed on the master server.  This is an 
attack, nothing sinister is happening.

Your best bet is to filter all UDP traffic except for what you need (DNS 
comes to mind).  You might also want to get in contact with 
killkuter at hotmail.com and encourage them to install the previously 
mentioned patched server executable to prevent their server from being 
used as an attack amplifier.

Jeff Walter
Network Engineer
Hurricane Electric
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jeffw.vcf
Type: text/x-vcard
Size: 314 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20110907/d730b0ab/attachment.vcf>

More information about the NANOG mailing list