RE: how can I track networked games

From: Alex Arndt (aarndt@rogers.com)
Date: 01/04/02


From: "Alex Arndt" <aarndt@rogers.com>
To: "Mike Gilles" <mike.gilles@itmtech.com>, <Richard.CTR.Mickey@tc.faa.gov>, "Jamie French" <J.French@ottawa.com>, <focus-ids@securityfocus.com>
Date: Thu, 3 Jan 2002 19:27:20 -0500

Greetings,

An important port to add to your list would be Microsoft DirectPlay.
This is the networking portion of the DirectX suite and binds to one
distinct port - UDP 28800.

Any game that is DirectX compatible will normally use this port, but
as Jamie pointed out, there are no guarantees that you'll always see
play on the default ports.

In any case, the best way to find those games is using either your
sniffers or monitoring your throughput on the outbound interface of
your border router. A sudden spike in high port UDP (especially around
lunch or at the beginning/end of the day) is a pretty good sign some
gaming is going on.

Hope this helps!

Alex Arndt, GCIA
"Within all order is the potential for chaos..."

-----Original Message-----
From: Mike Gilles [mailto:mike.gilles@itmtech.com]
Sent: Thursday, January 03, 2002 4:12 PM
To: Richard.CTR.Mickey@tc.faa.gov; focus-ids@securityfocus.com
Subject: RE: how can I track networked games

Rich,

Here's a list of the ports "typically" used by some of the most popular
online games currently.
<snip>
So here they are:

Half Life, TFC:
any to or from 27005
any to or from 27015
any to or from 27016

Quake 3: Arena:
any to or from 26000, 27000, 27910, 27960

Starcraft:
any to or from 6112

Quake II:
any to or from 27901
any to or from 27910

QuakeWorld:
any to or from 27500
any to or from 27001

Unreal:
any to or from 7777

Diablo2 and Battlenet:
any to or from 6112
any to or from TCP 116, 118
<snip>
BTW: No one plays DOOM anymore, but if they did, I think it operates on UDP
port 666.

Hope this helps,

 Michael John Gilles
 Lead Security Engineer, MCSE
 <snip>
-----Original Message-----
From: Richard.CTR.Mickey@tc.faa.gov
[mailto:Richard.CTR.Mickey@tc.faa.gov]
Sent: Thursday, January 03, 2002 10:39 AM
To: focus-ids@securityfocus.com
Subject: how can I track networked games

I would like to watch for networked games (such as Doom), but it seems they
use a multitude of options for connecting. I found clients that connect via
IPX, TCP, UDP and Server side Java applets just poking around the Internet.

Any help with Snort rules or general strategies for monitoring these will be
appreciated.

Thanks in Advance.

Rich
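
The two approaches from this thread, matching flows against the listed ports and flagging spikes in outbound high-port UDP, combined as an added example; it is not code from any poster. The flow-tuple layout, the 5-minute bucket, the 5x-median threshold and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Ports as given in the thread; no protocol is stated for these.
ANY_PROTO = {
    "Half Life, TFC": [27005, 27015, 27016],
    "Quake 3: Arena": [26000, 27000, 27910, 27960],
    "Starcraft": [6112],
    "Quake II": [27901, 27910],
    "QuakeWorld": [27500, 27001],
    "Unreal": [7777],
    "Diablo2/Battlenet": [6112],
}
# Entries where the thread names a protocol.
BY_PROTO = {("tcp", 116): "Diablo2/Battlenet", ("tcp", 118): "Diablo2/Battlenet",
            ("udp", 666): "DOOM", ("udp", 28800): "DirectPlay"}

def match_games(proto, sport, dport):
    """Return the games whose listed ports match either end of a flow."""
    hits = {g for g, ports in ANY_PROTO.items() if sport in ports or dport in ports}
    hits |= {BY_PROTO[k] for k in ((proto, sport), (proto, dport)) if k in BY_PROTO}
    return sorted(hits)

def udp_spikes(flows, bucket=300, factor=5):
    """Flag time buckets whose outbound high-port UDP volume exceeds
    factor x the median bucket (bucket and factor are assumed values)."""
    vol = defaultdict(int)
    for ts, proto, src, sport, dst, dport, nbytes in flows:
        if proto == "udp" and sport >= 1024 and dport >= 1024:
            vol[ts // bucket * bucket] += nbytes
    base = median(vol.values()) if vol else 0
    return sorted(t for t, v in vol.items() if v > factor * base)

def report(flows):
    """Per source host: games matched by port, plus spike bucket start times."""
    per_host = defaultdict(set)
    for ts, proto, src, sport, dst, dport, nbytes in flows:
        per_host[src].update(match_games(proto, sport, dport))
    return {h: sorted(g) for h, g in per_host.items() if g}, udp_spikes(flows)

# Constructed sample: (seconds since midnight, proto, src, sport, dst, dport, bytes)
SAMPLE = [(t, "udp", "10.0.0.5", 40000, "192.0.2.10", 5004, 2000)
          for t in range(9 * 3600, 13 * 3600, 300)]
SAMPLE += [(t, "udp", "10.0.0.23", 27005, "198.51.100.7", 27015, 400000)
           for t in range(12 * 3600, 12 * 3600 + 1800, 300)]
SAMPLE += [(36000, "tcp", "10.0.0.8", 51000, "203.0.113.4", 6112, 9000)]

if __name__ == "__main__":
    print(report(SAMPLE))
```

The spike check does not depend on the port list, so it still fires when a game is moved off its default ports.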


