The Distributed Denial of Service attacks are now the most common and easy weapon to create trouble and to do a very visible damage to a target, with an after all very little effort.For example is the most common weapon used by hacktivists, since it requires only a very common tool (like LOIC), and relies on the rage of hundreds, if not thousands, of people. They are also very hard to be eluded, since if the attacker has behind him a huge bandwidth, there’s little to do if not close your firewalls to avoid more damage on the internal server. In both cases, the attacker wins, and the site is off for some time.This is actually the good news, since the attack can’t stand for long, and so the “Tango Down”, if correctly detected and responded with a full closure, can last for a few minutes, giving the attacker just the time to enjoy his action on Twitter.I have to admit that quite often many companies are capable to DDoS themselves, putting online a poor server and network architecture. So when the service goes online, everything falls down on millions of user requesting the page. This causes indeed more trouble than the hacktivists, don’t you think? :-)Back to the topic, this is the classical way to do a DDoS attack, but there are more, and more interesting to be analyzed and more stylish in their execution.Working in this field I often do a post-mortem analysis on these attacks, and recently I’ve found this extremely fascinating method.In this case the DDoS attack is executed not directly by the attacker, but using as a “botnet” a large numbers of custom game servers around the globe. Making them attack the target.The following image shows how the attack is performed. The first thing that catches the eye is that, considering that the custom game servers are located anywhere in the world, and they appear and die constantly, is practically impossible to identify the attacker’s identity. This kind of attack is not-so-well known, even if there is someone that began reporting it from last year. http://cert.lexsi.com/weblog/index.php/2011/10/18/422-new-dos-attack-amp…But how this can happen?Because the custom game servers are vulnerable to a specific attack. The attack implies asking, with a particular packet, the game status of the server. This is a very small UDP request, but when made spoofing the source IP, the game server responds to that IP with a huge amount of information.Last year one of the developers of this kind of custom game server reported (http://icculus.org/pipermail/cod/2011-August/015397.html) this vulnerabilities, and immediately released a patch to resolve the issue. But of course in many cases these are illegal servers, the software is downloaded form who knows where, and they are active in many countries, like Russia or China, so we can’t expect that the administrators would care patching the server software or caring about any kind of requests. In the best case they will shut down the server at all and begin another one.As said I’ve worked directly on this case, so let’s give a look on the attack details, analyzing the real traffic. As you may guess, I’m not disclosing the attacked site, or the game servers IP or URLs. This is just a case study analysis.The first thing to observe is the kind of packets, as said they’re all UDP traffic, with variable sizes, sent to the 21 port of the attacked IP. Looking better into the conversation, we can see that this packet is a statusResponse from a Call of Duty custom game server. I can go on for days, the game servers involved where thousands and everyone fired a huge amount of responses. I guess the players weren’t that happy at the attack time! As said Call of Duty was not the only game used, but also some Quake game servers were used to perform the DDoS. And in this case also we have a statusResponse packet.This is a really stylish and classy attack, much more organized than those performed with LOIC, I think everyone will agree. What to do to avoid these attacks? Very little unfortunately.Blacklisting the game servers is a poor tactic since they came and go day by day, so it’s pretty much useless.Maybe this kind of attack will slow down as the patching process goes on, but there will always be vulnerable servers from those countries, and they likely will be used to perform this kind of DDoS attacks.As always, the best defense is constantly monitoring what happens on your network. In this case you can quickly respond by activating some blacklist and try to mitigate the attack. But if you don’t see, you’ll never know what’s happening!!! Federicointch.me/federicoFederico “glamis” Filacchione, a security professional, tries constantly to spread security awareness, explaining that security is not a simple tool, but thinking to the same old stuff in a totally different way (and it’s not that hard!).
Leave a Reply