Security Incidents mailing list archives

Re: DoS "Probing" on one of our hosts


From: Christopher Kunz <chrislist () de-punkt de>
Date: Wed, 02 Jul 2003 09:10:56 +0200

Hello again,

the plot thickens. Indeed, we now assume that the attacks we encountered during the weekend were tests for something bigger, because we have been tested again. This time, however, the 97 mBit spike was outgoing, not incoming. We backtraced the traffic to two of our game server machines and saw that they were the only hosts on the network segment with Unreal Tournament (UT) servers. That rang a bell. I did a quick search through my Bugtraq folder and found this:

http://www.pivx.com/luigi/adv/ueng-adv.txt

Generally, this says whoever hosts Unreal servers is f-ed. Now the bigger picture shows up - it seems that there are now several exploits for the specific bounce and DoS attacks for UT and UT2003, the successor to Unreal Tournament, and kiddies are starting to use it.

I sure hope that this is not the start of a large-scale attack against our and our uplink's network, since it seems almost impossible to backtrack the source to a UDP bounce attack. Anyone got a clue if that is possible using the uplink provider's backbone traffic management system?

--ck

--
php development | hosting |  housing | professional game server hosting
http://www.de-punkt.de   [ chris () de-punkt de ]    http://www.stormix.de
+49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de
Filoo auf dem Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php

