RE: [fw-wiz] port 27015

From: Bill James (bubbagates_at_comcast.net)
Date: 01/03/04

    To: "'hermit921'" <hermit921@yahoo.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Sat, 3 Jan 2004 17:20:57 -0500
    
    

    You could have had a previous block of IPs that once had a Half-Life
    server or someone connected to Gamespy from your network.

     
    Bill James

    The objective of all dedicated employees should be to thoroughly analyze
    all situations, anticipate all problems prior to their occurrence, have
    answers for these problems, and move swiftly to solve these problems
    when called upon.

    However, when you are up to your ass in alligators it is difficult to
    remind yourself your initial objective was to drain the swamp.
     

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of hermit921
    > Sent: Friday, January 02, 2004 12:59 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] port 27015
    >
    > I am aware of the Half-Life game association. What I saw was
    > 10 different IP sources scanning my entire class B on port
    > 27015, all starting within one hour of each other. That
    > didn't sound like normal game behavior. But after that
    > day, the scans didn't return.
    >
    > hermit921
    >
    >
    > At 02:15 PM 1/1/2004, Don Parker wrote:
    > >Hi there, port 27015 is often associated with Half Life online gaming
    > >servers. Are you running one of these? There are some security
    > >considerations to mull over if you are as these can be used in DDoS
    > >attacks and the such. Just google for "port 27015 tcp" and you will get
    > >quite a few hits on it.
    > >
    > >Cheers,
    > >
    > >Don
    > >
    > >-------------------------------------------
    > >Don Parker, GCIA
    > >Intrusion Detection Specialist
    > >Rigel Kent Security & Advisory Services Inc
    > >www.rigelksecurity.com ph:613.249.8340
    > >fax:613.249.8319
    > >--------------------------------------------
    > >
    > >On Dec 22, hermit921 <hermit921@yahoo.com> wrote:
    > >
    > >Starting at 10:49 UTC December 22 I started seeing 20-30 incoming
    > >packets per second on TCP port 27015. Every few minutes another source
    > >appeared. Any idea what is going on?
    > >
    > >Thanks,
    > >hermit921
    > >
    > >_______________________________________________
    > >firewall-wizards mailing list
    > >firewall-wizards@honor.icsalabs.com
    > >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
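
The pattern hermit921 reports in this thread (several sources each sweeping a whole class B on TCP 27015, all starting within an hour) can be told apart from ordinary game-client traffic by counting distinct destinations per source and comparing first-seen times. This is an added example, not part of the original messages; the log format, the thresholds and every address in the sample are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

def find_sweeps(lines, net, port, min_dsts=100, window=timedelta(hours=1)):
    """Return (sweepers, coordinated): sources that hit >= min_dsts distinct
    hosts in `net` on TCP `port`, and the largest group of those sources whose
    first packets fall within `window` of each other."""
    net = ip_network(net)
    dsts, first = defaultdict(set), {}
    for line in lines:
        ts, src, dst, proto, dport = line.split()
        if proto != "tcp" or int(dport) != port or ip_address(dst) not in net:
            continue
        t = datetime.fromisoformat(ts)
        dsts[src].add(dst)
        first[src] = min(first.get(src, t), t)
    # A game client talks to one or two servers; a sweep touches many hosts.
    sweepers = {s: len(d) for s, d in dsts.items() if len(d) >= min_dsts}
    # Sliding window over first-seen times: which sweeps started together?
    order = sorted(sweepers, key=first.get)
    best, lo = [], 0
    for hi in range(len(order)):
        while first[order[hi]] - first[order[lo]] > window:
            lo += 1
        if hi - lo + 1 > len(best):
            best = order[lo:hi + 1]
    return sweepers, best

def sample_log():
    """Constructed log lines in an assumed 'ISO-time src dst proto dport' format."""
    start = datetime(2003, 12, 22, 10, 49)
    out = []
    scanners = [("192.0.2.10", 0), ("198.51.100.7", 12), ("203.0.113.5", 41),
                ("192.0.2.200", 300)]  # last source starts five hours later
    for src, offset_min in scanners:
        t0 = start + timedelta(minutes=offset_min)
        for n in range(300):  # 300 distinct hosts inside the /16
            dst = f"172.16.{n // 250}.{n % 250 + 1}"
            ts = (t0 + timedelta(seconds=n // 25)).isoformat()
            out.append(f"{ts} {src} {dst} tcp 27015")
    for n in range(50):  # one client repeatedly reaching a single game server
        ts = (start + timedelta(seconds=n)).isoformat()
        out.append(f"{ts} 192.0.2.99 172.16.4.20 tcp 27015")
    return out

if __name__ == "__main__":
    sweepers, together = find_sweeps(sample_log(), "172.16.0.0/16", 27015)
    print("sweeping sources:", sweepers)
    print("started within one hour of each other:", together)
```
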

