Strange DoS / new halflife server bug?
From: Probe Networks (jf_at_probe-networks.de)
Date: 07/07/03
To: incidents@securityfocus.com
Date: 07 Jul 2003 01:59:08 +0200
Hi,
we are currently experiencing a huge (200Mbit/s) DDoS:
tcpdump shows:
01:45:39.146537 216.177.55.145.27017 > XXX.domain: 65535 zoneRef
NoChange*|% [17737q][|domain]
01:45:39.146642 server23.cs-arena.de.27030 > XXX.domain: 65535 zoneRef
NoChange*|% [17736q][|domain] (DF)
01:45:39.146736 hctc-206-195.hctc.com.27015 > XXX.domain: 65535 zoneRef
NoChange*|% [17729q][|domain] (DF)
01:45:39.146838 server23.cs-arena.de.27030 > XXX.domain: 65535 zoneRef
NoChange*|% [17736q][|domain] (DF)
01:45:39.146944 216.177.55.145.27017 > XXX.domain: 65535 zoneRef
NoChange*|% [17737q][|domain]
01:45:39.147141 hctc-206-195.hctc.com.27015 > XXX.domain: 65535 zoneRef
NoChange*|% [17729q][|domain] (DF)
01:45:39.147248 216.177.55.145.27017 > XXX.domain: 65535 zoneRef
NoChange*|% [17737q][|domain]
01:45:39.147560 disciple.wishes.he.was.staff.of.ugradio.org.27015 >
XXX.domain: 65279 zoneRef NoChange*|% [42514q] 3584/767/65535 (1400)
(DF)
01:45:39.147668 216.177.55.145.27017 > XXX.domain: 65535 zoneRef
NoChange*|% [17737q][|domain]
01:45:39.147764 bmf.fukt.bth.se.27015 > XXX.domain: 65535 zoneRef
NoChange*|% [17732q][|domain]
01:45:39.149412 81.2.130.160.27015 > XXX.domain: 65535 zoneRef
NoChange*|% [17738q][|domain] (DF)
01:45:39.149498 64.237.43.194.27015 > XXX.domain: 65535 zoneRef
NoChange*|% [17726q][|domain] (DF)
01:45:39.149584 64.237.43.194.27015 > XXX.domain: 65535 zoneRef
NoChange*|% [17726q][|domain] (DF)
I've never seen these characteristics on any DoS, all the attacking IPs
appear to be running halflife/counterstrike gameservers.
As far as I could get out using hlsw (www.hlsw.com) all servers are
running the same, newest available, version of halflife/counterstrike.
--
Regards,
Jonas Frey
----------------------------------------------------------------
Probe Networks Jonas Frey
e-Mail: jf@probe-networks.de
Provinzialstr. 104
D-66740 Saarlouis
Tel: +(49) (0) 180 5959723
Fax: +(49) (0) 180 5998480
Internet: www.probe-networks.de
Hotline: 0800 1656531
----------------------------------------------------------------
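
One way to triage a capture like the one in this message, added here as an example and not part of the original post: it re-joins the mail-wrapped tcpdump records and counts, per source, packets sent to the DNS port from a game-server source port whose decoded question count is implausible for real DNS. The 27000-27050 port window, the threshold and the function names are assumptions; the sample records are copied from the message, with the destination redacted as XXX by the poster.

```python
import re
from collections import Counter

# Records copied from the message's tcpdump excerpt, wrapped as they appear there.
SAMPLE = """\
01:45:39.146537 216.177.55.145.27017 > XXX.domain: 65535 zoneRef
NoChange*|% [17737q][|domain]
01:45:39.147560 disciple.wishes.he.was.staff.of.ugradio.org.27015 >
XXX.domain: 65279 zoneRef NoChange*|% [42514q] 3584/767/65535 (1400)
(DF)
01:45:39.149498 64.237.43.194.27015 > XXX.domain: 65535 zoneRef
NoChange*|% [17726q][|domain] (DF)
01:45:39.149584 64.237.43.194.27015 > XXX.domain: 65535 zoneRef
NoChange*|% [17726q][|domain] (DF)
"""

GAME_PORTS = range(27000, 27051)  # assumption: tunable window around the ports seen above
DNS_PORTS = {"domain", "53"}      # tcpdump prints the service name unless run with -n
TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
REC = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\w+): (.*)$")
QCOUNT = re.compile(r"\[(\d+)q\]")  # tcpdump prints [Nq] when the question count is not 1

def join_records(text):
    """Re-join mail-wrapped lines: a record starts at a timestamp."""
    records = []
    for line in text.splitlines():
        if TS.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text, max_questions=1):
    """Count packets per (source, port) sent to DNS from a game port with a bogus question count."""
    hits = Counter()
    for rec in join_records(text):
        m = REC.match(rec)
        if not m:
            continue
        _, src, sport, _, dport, rest = m.groups()
        q = QCOUNT.search(rest)
        if (dport in DNS_PORTS and int(sport) in GAME_PORTS
                and q and int(q.group(1)) > max_questions):
            hits[(src, int(sport))] += 1
    return hits

if __name__ == "__main__":
    for (src, sport), n in triage(SAMPLE).most_common():
        print(f"{n:3d}  {src}:{sport}")
```

The per-source counts give a ranked list of hosts to report to their operators or to match in an upstream filter request.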