Home page logo

nanog logo nanog mailing list archives

RE: UDP port 80 DDoS attack
From: Drew Weaver <drew.weaver () thenap com>
Date: Wed, 8 Feb 2012 14:27:20 -0500


Just a general note on the UDP 80 style DoS attacks.

I'm not entirely certain that UDP 80 attacks are always related to the gameserver bug that you're citing below.

We have seen in the wild php scripts that are hard coded to use UDP 80 to deliver DoS attacks towards their targets.

Basically it's just GET /script.php?ip.of.victim and instant UDP 80 flood, I've also seen perl versions of the same 
script.. most notably UDP.PL

What would be interesting is to see just how much UDP 80 traffic exists on the Internet at any given moment.

I don't know if Arbor's ATLAS really tracks traffic in that way but it would be interesting to get a semi-global view 
of just how many PPS/BPS are being wasted on these types of floods.

Maybe even as a research paper =)


-----Original Message-----
From: Fredrik Holmqvist / I2B [mailto:fredrik () i2b se] 
Sent: Sunday, February 05, 2012 6:47 PM
To: nanog () nanog org
Subject: Re: UDP port 80 DDoS attack


We had a customer that was attacked by the same "game server feature".
We received aprox 10 Gbit of traffic against the customer.

The attacker sends spoofed packets to the game server with the target IP as "source", the gameserver sends replies back 
via UDP to the target host. The attacker sends a couple of hundred packets per second and thus generating a 10 Mbit UDP 

There is fixes/workarounds for the game servers, just a matter of the admin taking care of it.
See: http://rankgamehosting.ru/index.php?showtopic=1320

The "attacking" IPs aren't spoofed, so just compile a list and send e-mails to each provider.

We had 1000+ IPs gathered and sent 100+ abuse e-mails, only received reply from less than 20%.
Sad that people care so little about mitigating DDoS/UDP/ICMP floods.

On Sun, 5 Feb 2012 18:36:13 -0500, Ray Gasnick III <rgasnick () milestechnologies com> wrote:
We just saw a huge flux of traffic occur this morning that spiked one 
of our upstream ISPs gear and killed the layer 2 link on another 
becuase of a DDoS attack on UDP port 80.

Wireshark shows this appears to be from a compromised game server 
(call of duty) with source IPs in a variety of different prefixes.

Only solution thus far was to dump the victim IP address in our block 
into the BGP Black hole community with one of our 2 providers and 
completely stop advertising to the other.

Anybody see this recently and have any tips on mitigation,  reply on 
or off list.

Thank You,

Ray Gasnick III
CISSP, Technology Specialist: Network Security & Infrastructure Miles 

Phone: (856) 439-0999 x127
Direct: (856) 793-3821
How am I doing?  Email my manager at
itmanager () milestechnologies com<mailto:itmanager () milestechnologies com

Computer Networking – IT Support – Business Software – Website Design 
– Online Marketing & PR

Fredrik Holmqvist
I2B (Internet 2 Business)
070-740 5033

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]