Jonas Frey (Probe Networks) wrote:
> Hi,
>
> we have analyzed this further, and we even got some machines on our network (2nd datacenter, separated from the attacked machine)
> which are sending out these packets to various hosts. Either there is a new flaw in the halflife/counterstrike servers and/or we have a new worm.
> As soon as I get a chance to get access to one of the attacking hosts, I will try to get out what this actually causes.
>

This is a bug in hlds. We had one of our boxes shell out 5 Mbit per second to an (obviously faked) IP responding to named requests just like the ones from your previous post. Using the source and destination ports, we could single out one instance of hlds. After killing it and patching hlds up to the latest version, the DoS didn't occur again. This is, BTW, related to my thread "DoS probing".

--ck

--
php development | hosting | housing | professional game server hosting
http://www.de-punkt.de [ chris@de-punkt.de ] http://www.stormix.de
+49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de
Filoo at Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php
This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 08:57:39 PDT