What is a DRDoS attack?

A DRDoS ("Distributed Reflected Denial of Service") attack is a special type of DDoS. In a DRDoS, the target is not attacked directly; instead, the attacker sends faked (spoofed) traffic to a set of other IPs, which then respond to that traffic to the IP that was spoofed, and in doing so flood the victim offline. By sending packets that elicit a much larger response, the DRDoS initiator can generate a very large attack with a very small amount of traffic.

This type of attack has become very common lately. Here's a more specific example:
  1. The attacker decides to target IP address 127.0.0.1:27015, which is a CS:S server that he has been banned from.
  2. The attacker connects to a machine that he had previously compromised and uses a traffic generator tool to send simple query packets to a large number of other game servers, specifying a (fake) source of 127.0.0.1:27015. Each query packet is less than 50 bytes, so the attacker can send many thousands of these per second without using much bandwidth; even a very low-end machine can do it.
  3. These game servers ("reflectors") respond to 127.0.0.1:27015 with much larger packets, often 500+ bytes long, containing lists of their rules and connected players.
  4. The CS:S server at 127.0.0.1:27015, upon receiving the huge wave of attack traffic from thousands of different IPs, is overwhelmed. It is unable to serve legitimate clients or respond to queries itself, causing a denial of service.
Many ISPs apply filters to their egress traffic, which (for the most part) prevents customers from pretending to be IPs that they are not, also preventing them from being used to launch attacks like this. Unfortunately, not every provider can or does.

Commonly, DRDoS attacks use Quake3, Wolfenstein:ET, CoD* servers, and other old Quake3-engine-based games as the reflectors. These games don't have facilities to limit query response rates and send large response packets, making them ideal for this purpose.

If you were linked to this post because you are being used as a reflector in order to attack an IP here, please understand that we are not actually sending the queries -- we are the victim that is being hit with responses from servers like yours. Your primary course of action should be to block that spoofed traffic from reaching your servers via an ACL. You could also try to find out the true source of this traffic by contacting your upstream and asking them to track down where the spoofed packets are coming from (and having them do the same with that provider). Most ISPs won't do this unless large sums and the FBI are involved, but it doesn't hurt to try.

If you run Q3/ET/CoD*/etc servers (any version) on Windows, this patch is one workaround: http://files.nfoe.net/cod4/CoD4_Getstatus_Flood_Fix.zip

If you run CoD4 servers (1.7) on Linux, the latest beta version of CoD4 is the way to go: http://treefort.icculus.org/cod/cod4-ln ... st.tar.bz2

If you run other Q3-engine games on Linux, and you have the "string", "hashlimit", and "recent" iptables kernel modules available, you can filter the traffic with rules like these:
# add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --reap --seconds 30
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
iptables -N QUERY-CHECK
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 33 -j RETURN
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold,
# and add it to the list if it does.
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
If you were linked to this post because you saw a flood of game query responses, some of which came from our IP addresses, please understand that our servers are not the ones launching an attack. They are simply replying to seemingly-legitimate queries (there's no way for them to tell that they are not legitimate). If you contact us, we can attempt to block traffic specifically to your IP, but this won't do much for you, because your attack is likely being reflected by thousands of other IPs, as well. There are two primary ways that you can address such an attack on your end -- and usually both are needed:

- By calling your upstream and having them apply an ACL to filter some of the source ports for you (a range from 27960-29000 to block common Q3-engine attacks, for instance).
- By using a Linux firewall on your side to block the remaining traffic, through the use of the "string" iptables module. Use a rule like this on the target machine:

 

iptables -A INPUT -p udp -m string --string "statusResponse" --algo bm --from 32 --to 33 -j DROP
Since we also have the patches mentioned in the prior section applied to all our servers, attacks reflected through our IPs should be rare.
  • Email, SSL
  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

What are DoS attacks and how does PCS handle them?

A DoS (Denial of Service) attack involves denying access to a computer resource. There are many...