[cod] Re: Those of you still running servers older than 1.5...

Rüdiger Meier sweet_f_a at gmx.de
Sat Jun 28 21:00:37 EDT 2008


On Saturday 28 June 2008 21:47:14 Geoff Goas wrote:
> Nevermind... just tried it out on my busy servers and its way too CPU
> intensive. I think I need to do better matching.

Why are you filtering in PREROUTING? Do you run a dedicated firewall?
If not you should IMO filter in INPUT chain.
Also you should add more specific rules (interface, port range, udp and maybe 
packet size ...) to avoid that each packet goes through the expensive string 
compare.
Can't you just filter for too big packets? I see "--to 65535" - so if I 
understand right all these packets are bigger than 65535 bytes.
Is cod4 using regular packets which are that big?

BTW if you really want to log (what is it good for except for testing?) you 
should "--limit" your logging rule because one could DoS your syslog/HD.

cu,
Rudi

> On Sat, Jun 28, 2008 at 3:30 PM, Geoff Goas <gitman at gmail.com> wrote:
> > If your servers are being crashed due to the 'stat 7' packet exploit, use
> > the following iptables rules to block that particular packet:
> >
> > -A PREROUTING -m string --hex-string "|737461747300007907|" --algo kmp
> > --to 65535 -j LOG --log-prefix "COD4STATS_EXPLOIT "
> > -A PREROUTING -m string --hex-string "|737461747300007907|" --algo kmp
> > --to 65535 -j DROP
> > The first rule will log the attempt to syslog, the second will drop the
> > packet.
> >
> > --
> > Geoff Goas
> > Network Engineer
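An added example, not part of the thread, showing Rudi's suggestions applied to Geoff's rules: the string match moved from PREROUTING to a dedicated chain reached from INPUT, entered only by UDP on the game ports of the public interface, with the LOG rule rate-limited. The interface name eth0, the port range 28960:28970 and the 128-byte scan window are assumptions to adjust for a real server.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: public interface
# is eth0 and the cod4 servers listen on UDP 28960-28970.
IFACE=eth0
PORTS=28960:28970
# Signature from Geoff's rules: "stats\0\0y\x07"
SIG='|737461747300007907|'

# Print the ruleset instead of applying it, so it can be reviewed (and tested)
# without root; paste into the firewall script or pipe through iptables-restore.
cod4_rules() {
    # A dedicated chain keeps the expensive rules out of the main INPUT path
    echo "-N COD4"
    # Cheap matches first: only UDP to the game ports on the public interface
    # ever reaches the kmp string compare
    echo "-A INPUT -i $IFACE -p udp --dport $PORTS -j COD4"
    # Rate-limited logging: without -m limit a flood of bad packets fills syslog
    echo "-A COD4 -m string --hex-string \"$SIG\" --algo kmp --to 128 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"COD4STATS_EXPLOIT \""
    # --to 128 scans only the first 128 bytes of the packet (headers included);
    # assumption: the signature sits near the start of the payload. Raise it if
    # the match stops firing.
    echo "-A COD4 -m string --hex-string \"$SIG\" --algo kmp --to 128 -j DROP"
}

# Sanity checks a reviewer would want: nothing is left in PREROUTING and
# every LOG rule carries a limit.
check_rules() {
    rules=$(cod4_rules)
    echo "$rules" | grep -q 'PREROUTING' && return 1
    echo "$rules" | grep 'LOG' | grep -qv 'limit' && return 1
    return 0
}
```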
