Re: Strange DoS / new halflife server bug? (Update)

From: Probe Networks (jf@probe-networks.de)
Date: Fri Jul 18 2003 - 20:37:07 PDT


    Hi,
    
    after quite some more research I now know what this is and how it's
    caused:
    This is a distributed denial of service attack caused by
    misconfigured/old versions of halflife [valve software] (game)servers.
    The publicly available exploits CANNOT create this attack.
    Both of them (bf1942.c from pivx and spew_spy.c from Wraithnix) are
    targeted at Unreal/Battlefield 1942 servers.
    Halflife uses a different protocol and simply doesn't answer to packets
    created by bf1942/spew_spy.
    They also do not have any feature to cause a distributed denial of
    service attack (e.g. read possibly vulnerable servers from a file).
    
    The exploit that causes this traffic sends a "rules" or "players"
    command to a halflife server, which then replies to the (spoofed) source
    with almost 400 to 1000 times amplification of data (as noted in the
    pivx advisory).
    [It turned out that just "rules" uses more bandwidth than "players"
    because there is not always someone playing on these servers.]
    As if this wouldn't be enough havoc, the attacker can cause even more
    traffic by specifying a destination port (on the spoofed source) of e.g.
    53 (DNS). The running DNS server will then reply with some data and use
    up even more bandwidth. (See pivx advisory)
    
    So we have a very dangerous (almost _nothing_ compared to [papa]smurf)
    DDoS tool out there, which has almost infinite resources as there are
    thousands of vulnerable servers out there with a lot of bandwidth.
    
    I have modified spew_spy.c from Wraithnix to read vulnerable
    (game)servers from a file and to feature halflife exploitation, but I'd
    rather not make this publicly available. Someone could even make it query
    some master server and receive its vulnerable server list from there.
    
    
    -- 
    Regards,
    Jonas Frey
    
    ----------------------------------------------------------------
    Probe Networks Jonas Frey        e-Mail: jf@probe-networks.de
    Provinzialstr. 104               D-66740 Saarlouis
    Tel: +(49) (0) 180 5959723       Fax: +(49) (0) 180 5998480
    Internet: www.probe-networks.de  Hotline: 0800 1656531
    ----------------------------------------------------------------
    
    
    
    On Mon, 2003-07-07 at 01:59, Jonas Frey (Probe Networks) wrote:
    > Hi,
    > 
    > we are currently experiencing a huge (200Mbit/s) DDoS:
    > 
    > tcpdump shows:
    > 01:45:39.146537 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17737q][|domain]
    > 01:45:39.146642 server23.cs-arena.de.27030 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17736q][|domain] (DF)
    > 01:45:39.146736 hctc-206-195.hctc.com.27015 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17729q][|domain] (DF)
    > 01:45:39.146838 server23.cs-arena.de.27030 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17736q][|domain] (DF)
    > 01:45:39.146944 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17737q][|domain]
    > 01:45:39.147141 hctc-206-195.hctc.com.27015 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17729q][|domain] (DF)
    > 01:45:39.147248 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17737q][|domain]
    > 01:45:39.147560 disciple.wishes.he.was.staff.of.ugradio.org.27015 >
    > XXX.domain:  65279 zoneRef NoChange*|% [42514q] 3584/767/65535 (1400)
    > (DF)
    > 01:45:39.147668 216.177.55.145.27017 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17737q][|domain]
    > 01:45:39.147764 bmf.fukt.bth.se.27015 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17732q][|domain]
    > 01:45:39.149412 81.2.130.160.27015 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17738q][|domain] (DF)
    > 01:45:39.149498 64.237.43.194.27015 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17726q][|domain] (DF)
    > 01:45:39.149584 64.237.43.194.27015 > XXX.domain:  65535 zoneRef
    > NoChange*|% [17726q][|domain] (DF)
    > 
    > I've never seen these characteristics on any DoS; all the attacking IPs
    > appear to be running halflife/counterstrike gameservers.
    > As far as I could find out using hlsw (www.hlsw.com) all servers are
    > running the same, newest available, version of halflife/counterstrike.
    > 
    > 
    > -- 
    > Regards,
    > Jonas Frey
    > 
    > ----------------------------------------------------------------
    > Probe Networks Jonas Frey        e-Mail: jf@probe-networks.de
    > Provinzialstr. 104               D-66740 Saarlouis
    > Tel: +(49) (0) 180 5959723       Fax: +(49) (0) 180 5998480
    > Internet: www.probe-networks.de  Hotline: 0800 1656531
    > ----------------------------------------------------------------
    > 
    > 
    > ----------------------------------------------------------------------------
    > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
    > world's premier technical IT security event! 10 tracks, 15 training sessions, 
    > 1,800 delegates from 30 nations including all of the top experts, from CSO's to 
    > "underground" security specialists.  See for yourself what the buzz is about!  
    > Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    > ----------------------------------------------------------------------------
    > 
    
    
    
    
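Added example (not part of Jonas Frey's post or any tool he mentions): a small Python detector that reads tcpdump text lines of the shape quoted above and flags packets arriving from a Half-Life query port onto the DNS port, the reflection pattern the post describes, then counts them per source so the reflector operators can be notified. The sample capture is constructed from the lines in the post plus one made-up legitimate DNS reply (resolver.example.net, 192.0.2.10); treating 27015-27030 as the game query port range is an assumption drawn from the ports visible in the capture.

```python
"""Flag suspected game-server reflection traffic in tcpdump text output."""
import re
from collections import Counter
# Constructed sample modelled on the wrapped tcpdump lines in the post (not the real capture);
# the last line is an ordinary DNS reply from a resolver and must NOT be flagged.
SAMPLE_CAPTURE = """\
01:45:39.146537 216.177.55.145.27017 > XXX.domain: 65535 zoneRef NoChange*|% [17737q][|domain]
01:45:39.146642 server23.cs-arena.de.27030 > XXX.domain: 65535 zoneRef NoChange*|% [17736q][|domain] (DF)
01:45:39.146736 hctc-206-195.hctc.com.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17729q][|domain] (DF)
01:45:39.146944 216.177.55.145.27017 > XXX.domain: 65535 zoneRef NoChange*|% [17737q][|domain]
01:45:39.147300 resolver.example.net.53 > XXX.domain: 4711 1/0/0 A 192.0.2.10 (44)
"""

# Assumption: Half-Life servers answer queries from their game port; 27015 is the default and
# the post's capture shows 27015, 27017 and 27030, so this range is treated as "game query port".
GAME_PORT_RANGE = range(27015, 27031)
DNS_PORT_NAMES = {"domain", "53"}

# "<time> <src>.<port> > <dst>.<port>: <decode>"; hostnames contain dots, so the port is the
# final dotted component, and the destination port may be a service name such as "domain".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\w+):\s*(.*)$")

def parse_line(line):
    """Return a dict for one tcpdump line, or None if it does not have the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, decode = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst, "dport": dport, "decode": decode}

def is_suspected_reflection(rec):
    """Reflected replies come FROM a game query port and land on our DNS port (the attacker's
    spoofed destination port). tcpdump then mis-decodes game payload as DNS, which is why the
    capture shows nonsense like 'zoneRef NoChange'; the port pair is the reliable signal."""
    return rec["sport"] in GAME_PORT_RANGE and rec["dport"] in DNS_PORT_NAMES

def find_reflectors(capture_text):
    """Count suspected reflected packets per (source host, source port) for operator notification."""
    hits = Counter()
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspected_reflection(rec):
            hits[(rec["src"], rec["sport"])] += 1
    return hits

if __name__ == "__main__":
    for (host, port), n in find_reflectors(SAMPLE_CAPTURE).most_common():
        print(f"{n:4d} packets  {host}:{port}  suspected Half-Life reflector, notify operator")
```

Feed it `tcpdump -n -l udp and dst port 53 | python3 detector.py`-style output only after adapting the `__main__` block to read stdin; with `-n` the source ports are numeric and the regex still applies.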



    This archive was generated by hypermail 2b30 : Sat Jul 19 2003 - 08:40:45 PDT