Re: DoS "Probing" on one of our hosts

From: Christopher Kunz (chrislist@de-punkt.de)
Date: Wed Jul 02 2003 - 00:10:56 PDT


    Hello again,
    
    the plot thickens. Indeed, we now assume that the attacks we encountered 
    during the weekend were tests for something bigger, because we have been 
    tested again. This time, however, the 97 Mbit spike was outgoing, not 
    incoming.
    We backtraced the traffic to two of our game server machines and saw 
    that they were the only hosts on the network segment with Unreal 
    Tournament (UT) servers. That rang a bell. I did a quick search through 
    my Bugtraq folder and found this:
    
    http://www.pivx.com/luigi/adv/ueng-adv.txt
    
    Generally, this says whoever hosts Unreal servers is f-ed. Now the 
    bigger picture shows up - it seems that there are now several exploits 
    for the specific bounce and DoS attacks for UT and UT2003, the successor 
    to Unreal Tournament, and kiddies are starting to use them.
    
    I sure hope that this is not the start of a large-scale attack against 
    our and our uplink's network, since it seems almost impossible to 
    backtrack the source of a UDP bounce attack. Anyone got a clue if that 
    is possible using the uplink provider's backbone traffic management system?
    
    --ck
    
    -- 
    php development | hosting |  housing | professional game server hosting
    http://www.de-punkt.de   [ chris@de-punkt.de ]    http://www.stormix.de
    +49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de
    Filoo auf dem Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 02 2003 - 08:56:09 PDT