DOS / gameservers

mailinglist_at_xebec.de
Date: 07/18/03

    To: incidents@securityfocus.com
    Date: Fri, 18 Jul 2003 12:01:39 +0200


    Hi all,

    I would like to ask all people operating halflife (and other) gameservers for
    help:

    One of our customers has a 200+ Mbit/s DoS attack running; the sources are all
    over the world, and the (maybe modified) attack program used may be found here:
    http://www.pivx.com/kristovich/adv/mk001/
    http://www.pivx.com/kristovich/poc/bf1942dos.c

    A few lines from tcpdump:
    11:12:55.015721 80.253.xx.xx.27015 > 62.93.yy.yy.139: udp 1295 (DF) (ttl 54, id 0, len 1323)
    11:12:55.015838 217.160.xx.xx.27300 > 62.93.yy.yy.139: udp 1400 (DF) (ttl 57, id 0, len 1428)
    11:12:55.015871 217.160.xx.xx.27300 > 62.93.yy.yy.139: udp 351 (DF) (ttl 57, id 0, len 379)
    11:12:55.015980 80.253.xx.xx.27015 > 62.93.yy.yy.139: udp 1295 (DF) (ttl 54, id 0, len 1323)
    11:12:55.016080 194.47.xx.xx.27016 > 62.93.yy.y.139: udp 1165 (ttl 102, id 50472, len 1193)

    What happens:
    someone is spoofing the IPs of our customer's server, with source port 139,
    to HL (or other GameSpy-enabled servers, see URL above); there is no impact
    on our servers because we filter that kind of traffic; the only problem is that
    the uplink is filling up.

    What I want to ask you:
    if you are running a gameserver listed in the PivX advisory, please update the
    software version, and:
    _please_ filter incoming traffic like that:
    drop all UDP packets with source port < 1024 and destination port ==
    gameserver port; I'm giving a small example with Cisco ACLs:

    access-list 199 remark q3
    access-list 199 permit udp any gt 1023 any eq 7777
    access-list 199 remark bf1942
    access-list 199 permit udp any gt 1023 any eq 23000
    access-list 199 permit udp any gt 1023 any range 14500 14700
    access-list 199 remark halflife
    access-list 199 permit udp any gt 1023 any range 27000 28000
    access-list 199 remark medal of honor
    access-list 199 permit udp any gt 1023 any eq 12203
    access-list 199 deny udp any any
    (This isn't perfect, but it shouldn't drop useful traffic and will help to
    improve the situation!)

    Thanks a lot,

    Roland v. Herget
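As an added example (not part of Roland's post), the following Python script parses the tcpdump lines quoted above and applies both sides of the post's reasoning: the victim-side signature (large game-port replies aimed at a privileged port such as 139) and the game-server-side logic of access-list 199 (permit UDP from source port > 1023 to the listed game ports, deny the rest). The function names and the re-joined one-line sample are my own.

```python
import re

# Regex for the one-line form of the tcpdump entries quoted in the post. The author
# masked addresses with xx/yy; the constructed samples below keep that masking.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)

# Destination-port ranges permitted by access-list 199 in the post (source port > 1023);
# the trailing 'deny udp any any' drops every other UDP packet.
GAME_PORTS = [(7777, 7777), (23000, 23000), (14500, 14700), (27000, 28000), (12203, 12203)]

# Constructed sample: the five packets from the post, re-joined onto single lines.
SAMPLE = """\
11:12:55.015721 80.253.xx.xx.27015 > 62.93.yy.yy.139: udp 1295 (DF) (ttl 54, id 0, len 1323)
11:12:55.015838 217.160.xx.xx.27300 > 62.93.yy.yy.139: udp 1400 (DF) (ttl 57, id 0, len 1428)
11:12:55.015871 217.160.xx.xx.27300 > 62.93.yy.yy.139: udp 351 (DF) (ttl 57, id 0, len 379)
11:12:55.015980 80.253.xx.xx.27015 > 62.93.yy.yy.139: udp 1295 (DF) (ttl 54, id 0, len 1323)
11:12:55.016080 194.47.xx.xx.27016 > 62.93.yy.yy.139: udp 1165 (ttl 102, id 50472, len 1193)
"""

def in_game_ports(port):
    return any(lo <= port <= hi for lo, hi in GAME_PORTS)

def parse_line(line):
    """Return the UDP fields of one tcpdump line, or None if it is not a UDP line."""
    m = PKT_RE.match(line)
    if m is None:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "length": int(m["length"])}

def acl_199_permits(sport, dport):
    """Game-server side: emulate ACL 199 on an inbound UDP packet (True = permitted)."""
    return sport > 1023 and in_game_ports(dport)

def reflected_replies(text):
    """Victim side: flag game-port replies aimed at a privileged port (< 1024),
    the signature of the spoofed-query reflection described in the post.
    Returns (number of flagged packets, total UDP payload bytes they carried)."""
    flagged, payload = 0, 0
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["dport"] < 1024 and in_game_ports(pkt["sport"]):
            flagged += 1
            payload += pkt["length"]
    return flagged, payload
```

Run against the sample, every one of the five lines is flagged on the victim side, while on the game-server side the spoofed query (source port 139 to 27015) is denied and a normal client query from an ephemeral port is permitted.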


