UDP port 80 DDoS attack

Fredrik Holmqvist / I2B fredrik at i2b.se
Sun Feb 5 17:47:11 CST 2012


Hi.

We had a customer that was attacked by the same "game server feature".
We received aprox 10 Gbit of traffic against the customer.

The attacker sends spoofed packets to the game server with the target
IP as "source", the gameserver sends replies back via UDP to the target
host. The attacker sends a couple of hundred packets per second and thus
generating a 10 Mbit UDP flood.

There is fixes/workarounds for the game servers, just a matter of the
admin taking care of it.
See: http://rankgamehosting.ru/index.php?showtopic=1320

The "attacking" IPs aren't spoofed, so just compile a list and send
e-mails to each provider.

We had 1000+ IPs gathered and sent 100+ abuse e-mails, only received
reply from less than 20%.
Sad that people care so little about mitigating DDoS/UDP/ICMP floods.


On Sun, 5 Feb 2012 18:36:13 -0500, Ray Gasnick III
<rgasnick at milestechnologies.com> wrote:
> We just saw a huge flux of traffic occur this morning that spiked one
> of our upstream ISPs gear and killed the layer 2 link on another
> becuase of a DDoS attack on UDP port 80.
> 
> 
> 
> Wireshark shows this appears to be from a compromised game server
> (call of duty) with source IPs in a variety of different prefixes.
> 
> 
> 
> Only solution thus far was to dump the victim IP address in our block
> into the BGP Black hole community with one of our 2 providers and
> completely stop advertising to the other.
> 
> 
> 
> Anybody see this recently and have any tips on mitigation,  reply on
> or off list.
> 
> 
> 
> Thank You,
> 
> Ray Gasnick III
> CISSP, Technology Specialist: Network Security & Infrastructure
> Miles Technologies
> www.milestechnologies.com<http://www.milestechnologies.com/>
> 
> Phone: (856) 439-0999 x127
> Direct: (856) 793-3821
> How am I doing?  Email my manager at
> itmanager at milestechnologies.com<mailto:itmanager at milestechnologies.com>
> 
> Computer Networking – IT Support – Business Software – Website Design
> – Online Marketing & PR

-- 
Fredrik Holmqvist
I2B (Internet 2 Business)
070-740 5033




More information about the NANOG mailing list