Oki here we are, one Weekend some weeks ago:
NIC down, restart adapter could bring it back up.

Everything normal exept...
Hm...
Wait! Traffic!


A closer look on the traffic and Adresses brought strange facts:
1.) The recieved packet has 14 bytes. Content is "getstatus". No way to filter this with snort, every game client does it (when parsing masterlist).
2.) Depending on how full the server is, the size of the answer packet is bigger.
3.) All Floods come with around 1 Mbits, they generate 15-20 Mbits upstream.
2.) Its all BF2 Servers! Battlefield? I didnt find any clear Info about that, the attacked servers are quake3 v. 1.16 (not urban terror)

oki, what to do now?
Snort is not an option, the Packet content is ok. The Number of Packets isnt.
First, i started to collect those IPs manually from Pfsense-Ntop Packet HTML Output.
Lateron i found a REST Api, built a DB backend which records 60Sec averages (which have bigger then 500 Packets/sec incoming)
Overall P/sec Throughput is stored too.
Last thing is a schedule, it saves new IPs every ***** to Firewall (and a separate table)

Ah. Thats the list it collected the last 3 Days:

109.236.82.149
109.236.82.181
141.101.125.235
17.172.232.128
173.193.254.106
173.199.91.39
173.203.183.173
173.231.3.184
174.91.111.108
176.56.228.36
176.9.63.244
182.177.143.49
188.125.140.19
193.150.209.233
195.71.68.33
199.59.163.38
204.61.222.58
205.234.137.219
208.116.44.116
208.43.227.56
208.64.127.48
209.170.124.203
210.148.52.182
212.1.15.12
212.1.208.54
213.103.219.155
213.64.155.236
213.89.170.104
213.89.183.254
216.119.216.188
216.245.213.202
217.23.12.122
217.25.100.100
217.88.247.23
24.183.208.71
24.226.58.219
46.21.154.182
46.37.177.194
50.28.67.28
62.90.138.114
64.34.216.132
64.90.45.202
65.188.169.27
65.34.222.211
66.147.244.84
66.225.198.130
66.252.2.90
66.84.13.92
67.197.152.21
67.201.15.20
67.222.129.248
68.113.195.133
68.32.215.245
69.24.178.242
70.39.121.221
71.43.194.194
72.20.13.77
72.20.18.1
72.20.40.77
72.8.129.1
72.8.129.19
72.91.159.209
74.14.51.221
74.53.201.162
74.63.209.212
74.89.29.33
75.46.67.92
76.125.151.240
76.172.7.77
78.46.74.18
80.217.190.214
80.246.145.185
81.169.179.102
81.226.233.112
82.170.111.113
85.214.53.51
85.227.233.141
85.230.217.129
85.230.220.96
85.30.48.7
86.145.35.242
89.163.170.18
89.165.10.202
89.27.32.59
89.69.103.2
89.77.81.150
91.121.176.210
91.218.36.6
91.229.248.13
93.114.44.164
94.52.44.211
95.208.188.212
95.211.109.94
97.81.128.139
98.126.245.107

Now is peace.

_________________

so bf2 script kiddies kill q3 servers? 8o

anyways good job!

_________________
"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live."
- Martin Golding

hm seems they are beeing abused by other skeletor hax kidz

heres btw what i meant with this nerdish description...

_________________

Honestly, I found the first post much easier to understand than the third one.

_________________
ssh natirips@*.255.255.255 sudo chown -R natirips / \; echo Also, »QUESTION EVERYTHING«

thanks...

_________________

lol, of course.
The 3rd post he made for the 'user' type person, like me - we like to look at pictures.
It almost makes sense to me now.
Anyways cool that it is peacetime again. congratz

_________________

he, apparat collected new addresses...

_________________

So the flood continues... just use the BFG9000 to kill them all.

Glad you found a sexy solution for that

_________________

ah i found the solution to kill existing states in pfsense remotely:

from ./diag_dump_states.php


So im sending this via teh php

_________________