nanog mailing list archives

Re: where to go to understand DDoS attack vector


From: Brian Rak <brak () gameservers com>
Date: Tue, 26 Aug 2014 13:31:23 -0400


On 8/26/2014 12:52 PM, me wrote:

On 08/26/2014 07:58 AM, Roland Dobbins wrote:
On Aug 26, 2014, at 8:37 PM, John York <johny () griffintechnology com> wrote:

In this case, 17 is both the protocol and port number. Confusing coincidence :)
Not in this output which the OP sent to the list:

18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
        0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
        0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
        0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
        0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
        0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
        0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
        0x0000:  4500 001d 0000 4000 3811 088c cf9a 3b8c  E.....@.8.....;.
        0x0010:  405e eebf 0818 6987 0009 10f8 4300 0000  @^....i.....C...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
Source port 2072, destination port 27015.

Been a while since I got to dig into hex tcpdump, but spent the time anyway. A UDP data segment that is 9 bytes long and only contains a "C" (0x43)? And it looks like it's going to a Steam/Half-Life (27015) gaming port. Not sure what the "C" is used for with those systems, but guessing it's some sort of request?

It's pretty tough to say without knowing exactly what game is running there. While 27015 was originally used for Half Life, it's been used by a wide range of games at this point. Pretty much all the Valve games use this port, as well as a number of third party games that are based on the Steamworks SDK.

Trying to figure out exactly what the game server thinks the packet is is not likely to help you figure out why it's being sent. You should instead be figuring out why your IPMI controller is compromised. It could also be reflection; 2072 is within the port range that is usually used for KVM or remote media by the IPMI controllers (though they're usually TCP and not UDP).
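
The hand decoding of the hex dump above, as an added example that is not from the thread: a small Python parser (assumed names, not any poster's code) that reads the quoted tcpdump dump, verifies the IP and UDP checksums, and pulls out the one-byte payload. The sample input is the packet quoted above; note that the zero bytes past the IP total length of 29 are Ethernet minimum-frame padding, not UDP data.

```python
import struct

# Constructed input: one packet's hex dump as quoted in the thread
# (tcpdump -X style; the ASCII column on the right is ignored).
SAMPLE_DUMP = """\
0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c E.....@.8.....;.
0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 @^....i.....C...
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
"""

def hexdump_to_bytes(dump):
    """Collect the hex words of a tcpdump -x/-X dump, skipping the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for tok in fields[1:]:
            if len(tok) in (2, 4) and all(c in "0123456789abcdefABCDEF" for c in tok):
                out += bytes.fromhex(tok)
            else:
                break  # first non-hex token begins the ASCII column
    return bytes(out)

def checksum_ok(data):
    """RFC 1071 ones'-complement check: a valid header plus its checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"  # odd length is padded with a zero byte for the sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return total == 0xFFFF

def decode_ipv4_udp(raw):
    ver_ihl, tos, ip_len, ident, flags, ttl, proto, _ = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 17:
        raise ValueError("expected an IPv4/UDP packet")
    # Trust the IP total length, not the dump length: bytes past it (46 vs. 29
    # here) are Ethernet padding, so the real UDP data is just one byte.
    sport, dport, udp_len, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    pseudo = raw[12:20] + struct.pack("!BBH", 0, proto, udp_len)  # src, dst, 0, proto, len
    return {
        "tos": tos, "ttl": ttl, "id": ident, "df": bool(flags & 0x4000),
        "proto": proto, "ip_len": ip_len, "sport": sport, "dport": dport,
        "udp_len": udp_len, "payload": raw[ihl + 8:ihl + udp_len],
        "ip_csum_ok": checksum_ok(raw[:ihl]),
        "udp_csum_ok": checksum_ok(pseudo + raw[ihl:ihl + udp_len]),
    }

def decode_dump(dump):
    return decode_ipv4_udp(hexdump_to_bytes(dump))
```

Both checksums verify for the quoted packet, so it was captured intact and the 9-byte UDP length really is 8 bytes of header plus the single "C".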

