Quote:
Originally Posted by Darchi
Our server was used in a UDP Flood attack.
We've seen more of those threads recently.
Quote:
Originally Posted by Darchi
I was under the impression that Ports were only active when they were being listened to by a service.
They're talking about outbound traffic from your server to their ports.
Quote:
Originally Posted by Darchi
So my question is, how can I check which traffic it was?
You could capture traffic:
Code:
tcpdump -C 50 -W 3 -p -n -nn -s 0 -i eth -w /path/to/eth.pcap
where "eth" is your 'net-facing Ethernet device name (like "eth0") and "/path/to/eth.pcap" is the path and file name on a partition with enough space to store 3 packet captures of 50 megs each. Once you have got these packet captures, feel free to send me an email so we can discuss where I can download the files for analysis. (See this post for what analysis might look like and this post for the rule set we came up with in his case.)
Quote:
Originally Posted by Darchi
Are there any countermeasures I can set up to prevent this?
Ensure your server and services (whatever you provide next to the games) are properly hardened. Ensure the game admin console is only accessible by authorized admins. Ensure the game has seen all vendor patches and doesn't enable plugins, extensions, mods or whatever else is vulnerable to in-game trickery. Finally, you could run iptables with rate-limiting and logging rules. For a rate-limiting example see this post.
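Two things the reply above leaves to the reader are what "analysis" of the capture looks like and what a rate-limiting rule set might be. The script below is an added example, not code from the original post or its author. It assumes the capture has been rendered to text with `tcpdump -nn -r /path/to/eth.pcap` (the sample lines embedded here are constructed, with the server at 198.51.100.5), and it assumes the `hashlimit` match is available in your iptables build. The chain name `UDP_OUT_LIMIT`, the hashlimit name `udpout`, the log prefix and the per-destination rate are all choices made for the example, not values from the thread.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn -tt -r eth.pcap` output (not a real capture).
# Five packets to one host:port stand out against normal traffic.
SERVER_IP="198.51.100.5"
SAMPLE_LINES='1700000000.000001 IP 198.51.100.5.27015 > 203.0.113.10.41000: UDP, length 1200
1700000000.000002 IP 198.51.100.5.27015 > 203.0.113.10.41000: UDP, length 1200
1700000000.000003 IP 198.51.100.5.48000 > 203.0.113.20.53: UDP, length 60
1700000000.000004 IP 198.51.100.5.27015 > 203.0.113.10.41000: UDP, length 1200
1700000000.000005 IP 203.0.113.10.41000 > 198.51.100.5.27015: UDP, length 60
1700000000.000006 IP 198.51.100.5.27015 > 203.0.113.10.41000: UDP, length 1200
1700000000.000007 IP 198.51.100.5.22 > 203.0.113.30.55000: Flags [P.], seq 1:2, ack 1, win 100, length 1
1700000000.000008 IP 198.51.100.5.48000 > 203.0.113.20.53: UDP, length 60
1700000000.000009 IP 198.51.100.5.27015 > 203.0.113.10.41000: UDP, length 1200'

# Read tcpdump text on stdin and print "packets bytes dst_ip.dst_port" for
# every UDP destination that our server sent to, busiest destination first.
# In a flood the top line is usually the victim; its count dwarfs the rest.
summarize_outbound_udp() {
  server="$1"
  awk -v srv="$server" '
    $2 == "IP" && $6 == "UDP," {
      src = $3; dst = $5; sub(/:$/, "", dst)
      split(src, a, ".")                       # ip.ip.ip.ip.port -> a[1..5]
      srcip = a[1] "." a[2] "." a[3] "." a[4]
      if (srcip == srv) { pkts[dst]++; bytes[dst] += $8 }
    }
    END { for (d in pkts) print pkts[d], bytes[d], d }
  ' | sort -rn
}

# Rate-limit outbound UDP per destination IP and log what gets dropped.
# Traffic under the rate returns to OUTPUT untouched; the excess is logged
# (itself rate-limited so the log cannot be flooded) and dropped.
# IPT defaults to iptables; set IPT=echo for a dry run that only prints rules.
# The per-destination rate (packets/sec) is a tuning knob for your game.
emit_outbound_udp_limits() {
  ipt="${IPT:-iptables}"
  pps="$1"
  $ipt -N UDP_OUT_LIMIT 2>/dev/null
  $ipt -A OUTPUT -p udp -j UDP_OUT_LIMIT
  $ipt -A UDP_OUT_LIMIT -m hashlimit --hashlimit-name udpout \
       --hashlimit-mode dstip --hashlimit-upto "${pps}/sec" \
       --hashlimit-burst "$((pps * 2))" -j RETURN
  $ipt -A UDP_OUT_LIMIT -m limit --limit 5/min --limit-burst 10 \
       -j LOG --log-prefix "UDP-OUT-FLOOD: "
  $ipt -A UDP_OUT_LIMIT -j DROP
}

# Demonstration: summarise the constructed capture, then dry-run the rules.
printf '%s\n' "$SAMPLE_LINES" | summarize_outbound_udp "$SERVER_IP"
IPT=echo emit_outbound_udp_limits 200
```

Against a real capture, replace the embedded sample with `tcpdump -nn -tt -r /path/to/eth.pcap | summarize_outbound_udp 198.51.100.5`; the source port of the top line tells you which process to look at (`ss -unp` or `netstat -unp`), and the dropped-packet log entries give an ongoing signal in syslog once the rules are in place.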