Hi all,

I would like to ask all people operating Half-Life (and other) game servers for help: one of our customers has a 200+ Mbit/s DoS attack running, sources are all over the world; the (maybe modified) attack program used may be found here:

http://www.pivx.com/kristovich/adv/mk001/
http://www.pivx.com/kristovich/poc/bf1942dos.c

A few lines from tcpdump:

11:12:55.015721 80.253.xx.xx.27015 > 62.93.yy.yy.139: udp 1295 (DF) (ttl 54, id 0, len 1323)
11:12:55.015838 217.160.xx.xx.27300 > 62.93.yy.yy.139: udp 1400 (DF) (ttl 57, id 0, len 1428)
11:12:55.015871 217.160.xx.xx.27300 > 62.93.yy.yy.139: udp 351 (DF) (ttl 57, id 0, len 379)
11:12:55.015980 80.253.xx.xx.27015 > 62.93.yy.yy.139: udp 1295 (DF) (ttl 54, id 0, len 1323)
11:12:55.016080 194.47.xx.xx.27016 > 62.93.yy.y.139: udp 1165 (ttl 102, id 50472, len 1193)

What happens: someone is spoofing the IPs of our customer's server, with source port 139, to HL (or other GameSpy-enabled) servers (see URL above); there is no impact on our servers because we filter that kind of traffic; the only problem is that the uplink is filling up.

What I want to ask you: if you are running a game server listed in the PivX advisory, please update the software version, and _please_ filter incoming traffic like that: drop all UDP packets with source port < 1024 and destination port == game server port. I'm giving a small example with Cisco ACLs:

access-list 199 remark q3
access-list 199 permit udp any gt 1023 any eq 7777
access-list 199 remark bf1942
access-list 199 permit udp any gt 1023 any eq 23000
access-list 199 permit udp any gt 1023 any range 14500 14700
access-list 199 remark halflife
access-list 199 permit udp any gt 1023 any range 27000 28000
access-list 199 remark medal of honor
access-list 199 permit udp any gt 1023 any eq 12203
access-list 199 deny udp any any

(This isn't perfect, but it shouldn't drop useful traffic and will help to improve the situation!)

Thanks a lot,
Roland v. Herget
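An added example, not from the post, that transcribes access-list 199 into a small Python evaluator and runs constructed tcpdump-style lines through it (placeholder addresses: 192.0.2.44 as the spoofed victim source, 203.0.113.10 as a game server, 198.51.100.x as real clients), so an operator can check which inbound packets the rule would drop before deploying it:

```python
import re
from typing import NamedTuple

# Constructed tcpdump-style lines as a game server operator (203.0.113.10, a placeholder)
# might see them during the attack described above: spoofed queries "from" the victim
# (192.0.2.44) with a privileged source port, mixed with real client queries from high ports.
SAMPLE = """\
11:12:55.015721 192.0.2.44.139 > 203.0.113.10.27015: udp 20 (DF) (ttl 54, id 0, len 48)
11:12:55.015838 198.51.100.7.3041 > 203.0.113.10.27015: udp 20 (ttl 120, id 41, len 48)
11:12:55.015871 192.0.2.44.139 > 203.0.113.10.23000: udp 20 (DF) (ttl 54, id 0, len 48)
11:12:55.015980 198.51.100.9.1024 > 203.0.113.10.7777: udp 20 (ttl 60, id 9, len 48)
11:12:55.016080 192.0.2.44.53 > 203.0.113.10.12203: udp 20 (ttl 54, id 0, len 48)
"""

LINE_RE = re.compile(r"^\S+ (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): udp (?P<plen>\d+)")

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    length: int

def parse(line: str) -> Packet:
    """Pull addresses, ports and UDP payload length out of one tcpdump line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a UDP tcpdump line: {line!r}")
    return Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["plen"]))

# access-list 199 from the post as (action, source-port test, destination-port test);
# entries are evaluated top to bottom and the first match decides.
ACL = [
    ("permit", lambda sp: sp > 1023, lambda dp: dp == 7777),            # q3
    ("permit", lambda sp: sp > 1023, lambda dp: dp == 23000),           # bf1942
    ("permit", lambda sp: sp > 1023, lambda dp: 14500 <= dp <= 14700),  # bf1942
    ("permit", lambda sp: sp > 1023, lambda dp: 27000 <= dp <= 28000),  # halflife
    ("permit", lambda sp: sp > 1023, lambda dp: dp == 12203),           # medal of honor
    ("deny", lambda sp: True, lambda dp: True),                         # deny udp any any
]

def evaluate(pkt: Packet) -> str:
    # Return 'permit' or 'deny' for an inbound UDP packet under ACL 199.
    for action, sport_ok, dport_ok in ACL:
        if sport_ok(pkt.sport) and dport_ok(pkt.dport):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL

def filter_capture(text: str) -> list[tuple[Packet, str]]:
    # Tag every line of a capture with its ACL verdict.
    return [(p, evaluate(p)) for p in map(parse, text.splitlines())]
```

Calling `filter_capture(SAMPLE)` marks the three spoofed privileged-port queries as denied and the two high-port client queries as permitted.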
This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 10:53:11 PDT