Those of you who use our route servers should use the Looking Glass at http://www.wix.net.nz/cgi-bin/mrlg-ape.cgi to check that you are peering with both route servers. Some of you have a session with rs1 but not with rs2. It would make sense for you to add the second server for redundancy. The configuration details are identical apart from the IP address of the BGP peer: 192.203.154.2 instead of 192.203.154.1.
Hi all. I have recently had the misfortune of coming across a DoS using port 139/netbios-ssn as a bounce point to create a denial of service on another UDP service. The service being attacked is none other than HLDS, the Half-Life dedicated server package for Counter-Strike.

What appears to be happening is the attacker sends minimum-sized packets to the reflector on port 139 using the source addr/port of our game server. HLDS in its infinite wisdom replies to the incoming packet with a 1195-byte datagram, which is 100 times larger than the original packet from the attacker. We've noticed about 1Mbit outgoing due to this, being attacked by one IP.

Not sure if this concerns anyone, however with a decent amplifier network this could be a good way for someone to deal to your outbound.

Here's what I'm seeing:

14:43:47.197860 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.197927 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.197994 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.198061 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.201615 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201715 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201816 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201917 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)

You get the idea :)

Cheers
James Spooner
James,

<snip>
> What appears to be happening is the attacker sends minimum-sized packets to the reflector on port 139 using the source addr/port of our game server.
> HLDS in its infinite wisdom replies to the incoming packet with a 1195-byte datagram, which is 100 times larger than the original packet from the attacker. We've noticed about 1Mbit outgoing due to this, being attacked by one IP.
<snip>

We see this quite frequently, however our analysis indicates that the Windows machine that appears to be generating the traffic is actually the target. The attacker typically generates spoofed UDP traffic from port 139 of the target IP to the HLDS server, which in this scenario is the amplifier. The HLDS server then replies with these huge packets in response to GameSpy requests specifically crafted to maximize response size, thereby amplifying the attack 100 plus times. I assume they choose port 139 on the target specifically, to create a CPU utilization attack in addition to the bandwidth consumption attack.

You may consider blocking packets sourced from port 139 to your HLDS servers to mitigate this specific style of attack, however we see just as many that use arbitrary source ports for the spoofed GameSpy requests.

Cheers,
-- Daniel Kerr
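As an added example (not code from either poster), the following script turns James's tcpdump observation and Daniel's analysis into a detection check a game-server operator can run over capture output: it aggregates bytes to and from the HLDS port per remote address, computes the outbound/inbound amplification ratio, and lists the remotes that are drawing disproportionately large replies, which on Daniel's reading are the real targets being hit through the server. It also reports which of those would not be covered by a "drop UDP source port 139" rule, illustrating his caveat that many spoofed requests use arbitrary source ports. The first eight capture lines mirror the thread's capture; the remaining lines, the 198.51.100.7 and 203.0.113.9 hosts, and the thresholds are constructed for this example.

```python
"""Spot UDP reflection/amplification abuse of a game server from tcpdump output."""
import re
from collections import defaultdict

GAME_SERVER = "210.54.151.19"   # HLDS host from the thread's capture
GAME_PORT = 27015

# Constructed sample: the first eight lines mirror the thread's capture; the rest are
# made up here to show a spoofed source on arbitrary ports and a legitimate client.
SAMPLE_CAPTURE = """\
14:43:47.197860 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.197927 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.197994 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.198061 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.201615 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201715 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201816 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201917 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:48.100001 198.51.100.7.40123 > 210.54.151.19.27015: udp 12
14:43:48.100050 198.51.100.7.40124 > 210.54.151.19.27015: udp 12
14:43:48.100099 198.51.100.7.40125 > 210.54.151.19.27015: udp 12
14:43:48.103000 210.54.151.19.27015 > 198.51.100.7.40123: udp 1195 (DF)
14:43:48.103100 210.54.151.19.27015 > 198.51.100.7.40124: udp 1195 (DF)
14:43:48.103200 210.54.151.19.27015 > 198.51.100.7.40125: udp 1195 (DF)
14:43:49.000000 203.0.113.9.27005 > 210.54.151.19.27015: udp 60
14:43:49.002000 210.54.151.19.27015 > 203.0.113.9.27005: udp 120 (DF)
"""

# Classic tcpdump UDP line: "HH:MM:SS.usec a.b.c.d.sport > e.f.g.h.dport: udp LEN [(DF)]"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<length>\d+)"
)


def parse_line(line):
    """Return (src, sport, dst, dport, length) for one tcpdump UDP line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["length"]))


def traffic_by_remote(capture, server=GAME_SERVER, port=GAME_PORT):
    """Aggregate bytes to/from the game port per remote address.

    The 'remote' is the address the requests claim to come from. In the reflection
    scenario in the thread that address is the real target, and the game server is
    the amplifier, so large outbound totals toward one remote are the signal.
    """
    stats = defaultdict(lambda: {"in_pkts": 0, "in_bytes": 0,
                                 "out_pkts": 0, "out_bytes": 0, "src_ports": set()})
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, sport, dst, dport, length = rec
        if dst == server and dport == port:          # request toward the game server
            s = stats[src]
            s["in_pkts"] += 1
            s["in_bytes"] += length
            s["src_ports"].add(sport)
        elif src == server and sport == port:        # reply from the game server
            s = stats[dst]
            s["out_pkts"] += 1
            s["out_bytes"] += length
    return dict(stats)


def amplification_ratio(entry):
    """Outbound bytes divided by inbound bytes; 0 when nothing came in."""
    return entry["out_bytes"] / entry["in_bytes"] if entry["in_bytes"] else 0.0


def flag_reflection_targets(stats, min_ratio=10.0, min_out_pkts=3):
    """Remotes drawing disproportionately large replies, most suspicious first."""
    hits = [(addr, amplification_ratio(e)) for addr, e in stats.items()
            if e["out_pkts"] >= min_out_pkts and amplification_ratio(e) >= min_ratio]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def missed_by_port139_filter(stats, flagged):
    """Flagged remotes whose requests never used source port 139.

    A 'drop UDP sport 139 to the game port' rule would not affect these, so a
    per-remote ratio or rate limit on replies is the more general control.
    """
    return [addr for addr, _ in flagged if 139 not in stats[addr]["src_ports"]]


if __name__ == "__main__":
    stats = traffic_by_remote(SAMPLE_CAPTURE)
    flagged = flag_reflection_targets(stats)
    for addr, ratio in flagged:
        e = stats[addr]
        print(f"{addr}: {e['in_bytes']} B in, {e['out_bytes']} B out, x{ratio:.1f}")
    print("not covered by a port-139 filter:", missed_by_port139_filter(stats, flagged))
```

Feed it real output from `tcpdump -n udp port 27015` (or the equivalent on your HLDS port) by replacing SAMPLE_CAPTURE; the thresholds are deliberately loose so that the legitimate client in the sample, with a ratio of 2, is not flagged while both spoofed sources are.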
participants (3): Andy Linton, Daniel Kerr, James Spooner