James, <snip>
What appears to be happening is the attacker sends minimum-sized packets to the reflector on port 139 using the source addr/port of our game server.
HLDS, in its infinite wisdom, replies to the incoming packet with a 1195-byte datagram, which is 100 times larger than the original packet from the attacker. We've noticed about 1 Mbit outgoing due to this, being attacked by one IP.
<snip> We see this quite frequently; however, our analysis indicates that the Windows machine that appears to be generating the traffic is actually the target. The attacker typically generates spoofed UDP traffic from port 139 of the target IP to the HLDS server, which in this scenario is the amplifier. The HLDS server then replies with these huge packets in response to specifically crafted GameSpy requests, crafted to maximize response size, thereby amplifying the attack 100-plus times. I assume they choose port 139 on the target specifically to create a CPU utilization attack in addition to the bandwidth consumption attack. You may consider blocking packets sourced from port 139 to your HLDS servers to mitigate this specific style of attack; however, we see just as many that use arbitrary source ports for the spoofed GameSpy requests.

Cheers,
-- Daniel Kerr
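The analysis both posters describe (tiny spoofed queries in, 1195-byte replies out, roughly 100:1) can be checked from ordinary flow exports rather than by eyeballing port 139. The script below is an added example, not code from either poster: it takes one-way UDP flow records (source/destination address and port, packet and byte counts, as NetFlow/sFlow/pmacct would export them), sums bytes to and from the game server per remote address/port, and flags peers for which the server emits far more than it receives. The server address 198.51.100.5, the peer addresses and all counts are constructed; port 27015 is assumed as the HLDS port, and flagging on the byte ratio rather than on source port 139 is what catches the arbitrary-source-port variant Daniel mentions. Note that the flagged "peer" is the spoofed address, i.e. the victim, not the attacker.

```python
"""Spot UDP reflection/amplification through a game server from flow records.

Added example (not from the original thread). Flow tuples are
(src_ip, src_port, dst_ip, dst_port, packets, bytes); all values constructed.
"""
from dataclasses import dataclass

HLDS_IP = "198.51.100.5"   # assumed address of our HLDS server (constructed)
HLDS_PORT = 27015          # assumed HLDS port; set to your server's actual port

# Constructed flow records. Sizes are UDP payload bytes: the spoofed queries are
# 12 bytes each, the HLDS replies 1195 bytes, matching the ~100x in the thread.
SAMPLE_FLOWS = [
    # spoofed "victim:139 -> HLDS" queries, and the replies HLDS sends back
    ("203.0.113.10", 139,   HLDS_IP, HLDS_PORT, 20,  20 * 12),
    (HLDS_IP, HLDS_PORT, "203.0.113.10", 139,   20,  20 * 1195),
    # same attack, but the spoofed source port is arbitrary
    ("203.0.113.11", 40123, HLDS_IP, HLDS_PORT, 50,  50 * 12),
    (HLDS_IP, HLDS_PORT, "203.0.113.11", 40123, 50,  50 * 1195),
    # a legitimate player: traffic in both directions is roughly symmetric
    ("192.0.2.7", 27005, HLDS_IP, HLDS_PORT, 400, 400 * 60),
    (HLDS_IP, HLDS_PORT, "192.0.2.7", 27005, 410, 410 * 90),
    # unrelated flow that never touches the server port
    ("192.0.2.8", 53000, "192.0.2.9", 53, 3, 3 * 40),
]


@dataclass
class PeerStats:
    peer_ip: str
    peer_port: int
    pkts_to_server: int = 0
    bytes_to_server: int = 0
    pkts_from_server: int = 0
    bytes_from_server: int = 0

    @property
    def amplification(self) -> float:
        """Bytes the server emitted per byte it received from this peer."""
        if self.bytes_to_server == 0:
            return float("inf")
        return self.bytes_from_server / self.bytes_to_server


def peer_stats(flows, server_ip=HLDS_IP, server_port=HLDS_PORT):
    """Aggregate flows into per-(peer_ip, peer_port) in/out counters."""
    stats = {}
    for src, sport, dst, dport, pkts, nbytes in flows:
        if dst == server_ip and dport == server_port:
            key, inbound = (src, sport), True
        elif src == server_ip and sport == server_port:
            key, inbound = (dst, dport), False
        else:
            continue  # not traffic to or from the game server port
        ps = stats.setdefault(key, PeerStats(*key))
        if inbound:
            ps.pkts_to_server += pkts
            ps.bytes_to_server += nbytes
        else:
            ps.pkts_from_server += pkts
            ps.bytes_from_server += nbytes
    return stats


def suspected_reflection_victims(flows, server_ip=HLDS_IP, server_port=HLDS_PORT,
                                 min_ratio=10.0, min_bytes_out=10_000):
    """Peers for which the server sends >= min_ratio bytes per byte received.

    min_bytes_out keeps a single stray packet from tripping the ratio test.
    Results are sorted by bytes the server sent, largest first.
    """
    hits = [ps for ps in peer_stats(flows, server_ip, server_port).values()
            if ps.amplification >= min_ratio and ps.bytes_from_server >= min_bytes_out]
    hits.sort(key=lambda ps: ps.bytes_from_server, reverse=True)
    return hits


if __name__ == "__main__":
    for ps in suspected_reflection_victims(SAMPLE_FLOWS):
        print(f"{ps.peer_ip}:{ps.peer_port}  in={ps.bytes_to_server}B "
              f"out={ps.bytes_from_server}B  amplification={ps.amplification:.1f}x "
              f"(peer is the spoofed address, i.e. the likely victim)")
```

In practice you would feed the function a window of exported flows per minute; both the port-139 case and the arbitrary-port case show up with the same ratio, which is the point of Daniel's caveat that a source-port filter alone is not enough.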