We had an interesting email today about one of our servers denial of service attacking addresses on the internet. Our hosting providers monitor their internet pipes for malevolent traffic patterns and our server was setting off alarms. Their email instructed us that we had two hours to reply before they turned off our internet service entirely. We weren’t super pleased.
The source port of the traffic was 27015… a common default game server port. We looked deeper into the traffic and noticed that udp packets were being blasted off to lots of remote hosts. At first this looked like regular game server traffic but on closer inspection it was not.
Some googling turned up the reason. Apparently it is possible to hand craft a packet to all of duty 4 dedicated game servers and have them reply to the wrong source… This can be done at high velocity across lots of game servers to effectively cloak your denial of service attack. We firewalled off the source of the phony packets quickly.
The take away here (tldr) is that game servers can be used as mirrors for anonymous denial of service attacks. Pretty clever and bad all at the same time. Hopefully patches are created to prevent this kind of thing in the future. Even writing something like as game server can cause security problems. The entire call of duty server network is basically one big denial of service mirror. Wild.
If you are having this problem yourself and wondering how to fix it, here is the iptables-fu for it!
$IPT -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
$IPT -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP