Strange DoS / new halflife server bug?

From: Probe Networks (jf@probe-networks.de)
Date: Sun Jul 06 2003 - 16:59:08 PDT


    Hi,
    
    we are currently experiencing a huge (200Mbit/s) DDoS:
    
    tcpdump shows:
    01:45:39.146537 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    NoChange*|% [17737q][|domain]
    01:45:39.146642 server23.cs-arena.de.27030 > XXX.domain:  65535 zoneRef
    NoChange*|% [17736q][|domain] (DF)
    01:45:39.146736 hctc-206-195.hctc.com.27015 > XXX.domain:  65535 zoneRef
    NoChange*|% [17729q][|domain] (DF)
    01:45:39.146838 server23.cs-arena.de.27030 > XXX.domain:  65535 zoneRef
    NoChange*|% [17736q][|domain] (DF)
    01:45:39.146944 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    NoChange*|% [17737q][|domain]
    01:45:39.147141 hctc-206-195.hctc.com.27015 > XXX.domain:  65535 zoneRef
    NoChange*|% [17729q][|domain] (DF)
    01:45:39.147248 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    NoChange*|% [17737q][|domain]
    01:45:39.147560 disciple.wishes.he.was.staff.of.ugradio.org.27015 >
    XXX.domain:  65279 zoneRef NoChange*|% [42514q] 3584/767/65535 (1400)
    (DF)
    01:45:39.147668 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    NoChange*|% [17737q][|domain]
    01:45:39.147764 bmf.fukt.bth.se.27015 > XXX.domain:  65535 zoneRef
    NoChange*|% [17732q][|domain]
    01:45:39.149412 81.2.130.160.27015 > XXX.domain:  65535 zoneRef
    NoChange*|% [17738q][|domain] (DF)
    01:45:39.149498 64.237.43.194.27015 > XXX.domain:  65535 zoneRef
    NoChange*|% [17726q][|domain] (DF)
    01:45:39.149584 64.237.43.194.27015 > XXX.domain:  65535 zoneRef
    NoChange*|% [17726q][|domain] (DF)
    
    I've never seen these characteristics on any DoS; all the attacking IPs
    appear to be running halflife/counterstrike gameservers.
    As far as I could find out using hlsw (www.hlsw.com), all servers are
    running the same, newest available, version of halflife/counterstrike.
    
    
    -- 
    Regards,
    Jonas Frey
    
    ----------------------------------------------------------------
    Probe Networks Jonas Frey        e-Mail: jf@probe-networks.de
    Provinzialstr. 104               D-66740 Saarlouis
    Tel: +(49) (0) 180 5959723       Fax: +(49) (0) 180 5998480
    Internet: www.probe-networks.de  Hotline: 0800 1656531
    ----------------------------------------------------------------
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jul 07 2003 - 12:53:56 PDT