A Distributed Denial of Service technique is actively exploited in the wild by attackers since a few months.
It leverages a vulnerability in game servers running First Person Shooter games based on the Quake III model (Call of Duty, Enemy Territory, etc.) to redirect traffic response to a victim. Some of these gaming servers accept a “GetStatus” request in a small UDP/80 packet from a spoofed source IP address and the server replies by redirecting the answer to the spoofed victim’s IP on port 80.
Amplification is thus achieved as the packet replied can be 10, 20 or 30 times bigger than the request.

See an example of such redirected flow below :

---

|Date flow start|Proto|Src IP Addr:Port|Dst IP Addr:Port|Flags|Packets|Bytes|Flows|bps|pps|Bpp| 

|2011-10-10 15:55:48.971|UDP|66.23.233.XX:27960|A.B.C.D:80|......|10000|13.3 M|1|2.1 M|195|1329|

---

Thousands of gaming servers can be found online through specific search engines and may enable this kind of attack, but only some of them can be used to conduct such attack.
Indeed, games server admins or their hosting providers can mitigate such risks for example by applying patches (when available) or firewall rules (ACL, iptables, etc.) to block or at least limit such fraudulent .

But for the moment, multi-Gbps DDoS attacks can still be conducted. The volume of “packet love” sent depends on the source (often compromised) machines’ capacity and the number of game servers used as amplifiers…

Thanks to Daniel L. for proofreading