DDoS Attacks Cause of Game Servers

John Kristoff jtk at cymru.com
Thu Jan 31 14:52:36 UTC 2013

On Thu, 31 Jan 2013 10:34:29 +0330
Shahab Vahabzadeh <sh.vahabzadeh at gmail.com> wrote:

> Attacks takes only 20 or 30 minutes and it happens only 4 times in
> two days. I could'nt capture any packet but this is out put of my
> "show ip accounting" that time:

Attacks on gaming systems or at the gamers themselves are unfortunately
quite common.  Many of the DNS 'IN ANY' amplification and reflection
attacks for instance appear to involve online games.  We've also seen
some similar reflection attacks involving CoD systems as someone else
alluded in a link post.  Dissimilar in attack profile, but similar in
target were the frequent, but brief Xbox packet floods that attempted
to disrupt a gamer's session.

It can be extremely difficult to assign attribution for any particular
attack without a great deal of effort on your part, often in being
prepared with lots of data collection in advance, plus the selfless
cooperation of other network operators.  The latter is often the
biggest challenge given that you're often relying on the good will and
limited available time of 3rd parties to work on it.

While many of the most recent attacks are performing address spoofing,
collecting raw packet detail and knowing where it enters your network
can offer at least the start of where to look for it.  You can at least
start with your peer or upstream.  Examine IP TTLs to gauge at least
how far back those packets are coming from.  If your network is
diverse enough from a global routing perspective, you may be able to
triangulate it better.

I'd be particularly interested in working with folks in tracking down
the DNS 'IN ANY' style attacks to the attack code or source attacks.
Please shoot me an email off list or see me at NANOG 57 to discuss.


More information about the NANOG mailing list