[cod] Re: Those of you still running servers older than 1.5...

Geoff Goas gitman at gmail.com
Sat Jun 28 21:50:41 EDT 2008


Yeah I'm working on it... I'll keep you updated

On Sat, Jun 28, 2008 at 9:00 PM, Rüdiger Meier <sweet_f_a at gmx.de> wrote:

> On Saturday 28 June 2008 21:47:14 Geoff Goas wrote:
> > Nevermind... just tried it out on my busy servers and it's way too CPU
> > intensive. I think I need to do better matching.
>
> Why are you filtering in PREROUTING? Do you run a dedicated firewall?
> If not, you should IMO filter in the INPUT chain.
> Also you should add more specific rules (interface, port range, udp and
> maybe packet size ...) to avoid that each packet goes through the
> expensive string compare.
> Can't you just filter for too big packets? I see "--to 65535" - so if I
> understand right all these packets are bigger than 65535 bytes.
> Is cod4 using regular packets which are that big?
>
> BTW if you really want to log (what is it good for except for testing?)
> you should "--limit" your logging rule because one could DoS your
> syslog/HD.
>
> cu,
> Rudi
>
> > On Sat, Jun 28, 2008 at 3:30 PM, Geoff Goas <gitman at gmail.com> wrote:
> > > If your servers are being crashed due to the 'stat 7' packet exploit, use
> > > the following iptables rules to block that particular packet:
> > >
> > > -A PREROUTING -m string --hex-string "|737461747300007907|" --algo kmp --to 65535 -j LOG --log-prefix "COD4STATS_EXPLOIT "
> > > -A PREROUTING -m string --hex-string "|737461747300007907|" --algo kmp --to 65535 -j DROP
> > >
> > > The first rule will log the attempt to syslog, the second will drop the
> > > packet.
> > >
> > > --
> > > Geoff Goas
> > > Network Engineer
>
>
>
> ---
> To unsubscribe, send a blank email to cod-unsubscribe at icculus.org
> Mailing list archives: http://icculus.org/cgi-bin/ezmlm/ezmlm-cgi?38
>
>
>


-- 
Geoff Goas
Network Engineer
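
Added example, not part of the original thread or written by either poster: a script that prints an iptables-restore fragment applying the suggestions quoted above (INPUT chain, cheap interface/protocol/port matches ahead of the string compare, rate-limited logging), and that runs the string match once per packet rather than once for LOG and once for DROP. The interface `eth0`, UDP port 28960, the chain names `COD4_CHECK` and `COD4_DROP` and the log rate are assumptions to adapt; the hex string and `--to 65535` are taken unchanged from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore fragment.
# Assumed values: eth0, UDP port 28960, the chain names and the log rate.

PATTERN='|737461747300007907|'   # hex string from the original post

cod4_rules() {
    iface=$1
    port=$2
    # Reject anything that is not a plain interface name or a port in 1-65535,
    # so the arguments cannot smuggle extra options into the ruleset.
    case $iface in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1

    cat <<EOF
*filter
:COD4_CHECK - [0:0]
:COD4_DROP - [0:0]
# Cheap header matches first: only UDP traffic for the game port on this
# interface is handed to the payload search.
-A INPUT -i $iface -p udp --dport $port -j COD4_CHECK
# The payload search runs once per candidate packet instead of once for LOG
# and again for DROP. "--to 65535" is kept as posted.
-A COD4_CHECK -m string --hex-string "$PATTERN" --algo kmp --to 65535 -j COD4_DROP
# Rate-limited logging so a flood cannot fill syslog or the disk.
-A COD4_DROP -m limit --limit 6/minute --limit-burst 5 -j LOG --log-prefix "COD4STATS_EXPLOIT "
# Every matching packet is dropped, logged or not.
-A COD4_DROP -j DROP
COMMIT
EOF
}

# Print the fragment for the given (or assumed default) interface and port.
cod4_rules "${1:-eth0}" "${2:-28960}"
```

Load the output with `iptables-restore --noflush` to keep existing rules; the jump is appended to INPUT, so it must not sit behind an earlier rule that already accepts the game traffic.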