nanog mailing list archives
Re: DDoS - CoD? - Activision contact
From: Jeff Walter <jeffw () he net>
Date: Wed, 07 Sep 2011 08:35:03 -0700
On 9/6/2011 6:02 AM, BH wrote:
> Looking around, I believe the issue is that the IP has ended up on a master game list, so we are now getting the queries directed at US.
Having written multiple versions of a Quake III master server (again, much self-hate) I pulled one of my old master query scripts out of mothballs and checked. You are not listed on the CoD4 master server (assuming you did not alter the UDP frames you originally posted). If you were, you would be seeing "getInfo" and "getStatus" queries, but you're not. You're seeing the "getInfoResponse" and "getStatusResponse" packets from a server which is listed on the master server. This is an attack, nothing sinister is happening.
Your best bet is to filter all UDP traffic except for what you need (DNS comes to mind). You might also want to get in contact with killkuter () hotmail com and encourage them to install the previously mentioned patched server executable to prevent their server from being used as an attack amplifier.
--
Jeff Walter
Network Engineer
Hurricane Electric
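The check described in the message above, as an added example that is not part of the original post and is not the author's master query script: it classifies inbound UDP payloads as Quake III style queries or responses and counts the servers sending unsolicited responses. The function names, the verdict labels and the sample capture are constructed for illustration, and the wire spellings of the commands are an assumption based on the Quake III engine.

```python
from collections import Counter

OOB = b"\xff\xff\xff\xff"  # marker that starts a Quake III connectionless packet
# Command words, lower-cased. Wire spellings are an assumption based on the
# Quake III engine; the names as written in the e-mail are accepted too.
QUERIES = {"getinfo", "getstatus"}
RESPONSES = {"inforesponse", "statusresponse",
             "getinforesponse", "getstatusresponse"}

def classify(payload: bytes) -> str:
    """Return 'query', 'response' or 'other' for one UDP payload."""
    if not payload.startswith(OOB):
        return "other"
    tokens = payload[len(OOB):].split(None, 1)  # command is the first token
    if not tokens:
        return "other"
    word = tokens[0].decode("ascii", "replace").lower()
    if word in QUERIES:
        return "query"
    return "response" if word in RESPONSES else "other"

def assess(packets):
    """packets: iterable of (source_ip, udp_payload) arriving at our address."""
    counts, reflectors = Counter(), Counter()
    for src, payload in packets:
        kind = classify(payload)
        counts[kind] += 1
        if kind == "response":
            reflectors[src] += 1  # servers whose operators could be contacted
    if counts["response"] > counts["query"]:
        verdict = "reflection"  # answers to queries we never sent
    elif counts["query"]:
        verdict = "listed"      # polled the way a listed game server would be
    else:
        verdict = "none"
    return verdict, counts, reflectors

# Constructed sample capture (documentation addresses, made-up server info).
SAMPLE = [
    ("192.0.2.10", OOB + b"statusResponse\n\\sv_hostname\\example\\mapname\\mp_x\n"),
    ("192.0.2.10", OOB + b"infoResponse\n\\hostname\\example\\clients\\0"),
    ("198.51.100.7", OOB + b"statusResponse\n\\sv_hostname\\other\n"),
    ("203.0.113.5", OOB + b"getstatus"),
    ("203.0.113.9", b"\x12\x34 unrelated bytes"),
]

if __name__ == "__main__":
    verdict, counts, reflectors = assess(SAMPLE)
    print(verdict, dict(counts), dict(reflectors))
```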