[cod] New cod4 attack

Marco Padovan evcz at evcz.tk
Tue Nov 1 08:30:03 EDT 2011


Looks like a standard attack pattern...
we need the incoming traffic too in order to understand what was being
exploited...
I suppose nothing new was happening here and you just hit the patch "limits"

Take a look at the previous list messages... the current patch actually
has a limit:
the "protection" becomes ineffective once the tracked IPs list is
filled... you either need to increase it to an insane number or just
restart the server before it gets filled :)

HINT: incoming src udp port 80 is the most exploited one and I have yet
to find a legit gameplayer packet generated from that port............

On 01/11/2011 13:18, Håvard Pedersen wrote:
> The only info my host had stored was this:
>
> tcpdump output during a 3-minute period. 7 records.
> 12:32:48.533303 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
> 12:33:10.471172 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
> 12:33:12.665673 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
> 12:33:26.951329 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
> 12:33:46.409945 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
> 12:33:53.707567 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>
> Håvard Pedersen
> http://fuzzy76.net/
>
> On Tue, Nov 1, 2011 at 12:21, Marco Padovan <evcz at evcz.tk> wrote:
>> Please post a tcpdump capture or additional details
>>
>> On 01/11/2011 11:47, Håvard Pedersen wrote:
>>
>> Sorry, I should have been clearer. My server is used as a relay, it is
>> not the target. (Got a call from my host about massive amounts of
>> outgoing UDP from my COD4 port)
>>
>> Håvard Pedersen
>> http://fuzzy76.net/
>>
>> On Tue, Nov 1, 2011 at 11:45, Morpheus <morpheus at clantoc.org> wrote:
>>
>> If you're the target of an attack, the patch won't help you; it only
>> prevents attacks from being relayed.
>>
>> On 01/11/2011 11:42, Håvard Pedersen wrote:
>>
>> My patched Linux cod4 server experienced a new attack today and had to
>> be taken offline. :( Probably a new attack?
>>
>> Håvard Pedersen
>> http://fuzzy76.net/
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
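
The source-port-80 hint and the host's capture above, turned into a check over tcpdump text output (an added example, not code from the thread or from the patch it discusses): it counts UDP arriving at the game port from source port 80 and the replies the server sends back to port 80. The server address, the sample lines and the function names are constructed for illustration; port 28970 and length 563 are taken from the quoted capture.

```python
import re
from collections import defaultdict

# tcpdump one-line UDP format, as in the capture quoted in the thread
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# Constructed sample: 192.0.2.10 stands in for the game server.
SAMPLE = """\
12:00:01.000001 IP 198.51.100.7.80 > 192.0.2.10.28970: UDP, length 15
12:00:01.000450 IP 192.0.2.10.28970 > 198.51.100.7.80: UDP, length 563
12:00:02.100000 IP 198.51.100.7.80 > 192.0.2.10.28970: UDP, length 15
12:00:02.100390 IP 192.0.2.10.28970 > 198.51.100.7.80: UDP, length 563
12:00:03.000000 IP 203.0.113.5.28960 > 192.0.2.10.28970: UDP, length 40
12:00:04.000000 IP 192.0.2.10.28970 > 198.51.100.9.80: UDP, length 563
"""

def summarize(lines, server_ip, game_port, suspect_port=80):
    """Per remote host: requests arriving from suspect_port, replies sent to it."""
    stats = defaultdict(lambda: {"req_pkts": 0, "req_bytes": 0,
                                 "resp_pkts": 0, "resp_bytes": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a UDP line in the expected format
        sport, dport, size = int(m["sport"]), int(m["dport"]), int(m["len"])
        if (m["dst"], dport) == (server_ip, game_port) and sport == suspect_port:
            peer, kind = m["src"], "req"    # inbound, claimed source port 80
        elif (m["src"], sport) == (server_ip, game_port) and dport == suspect_port:
            peer, kind = m["dst"], "resp"   # outbound reply to port 80
        else:
            continue                        # ordinary traffic, e.g. a player
        stats[peer][kind + "_pkts"] += 1
        stats[peer][kind + "_bytes"] += size
    return dict(stats)

def amplification(entry):
    """Bytes sent per byte received; None when no inbound side was captured."""
    if entry["req_bytes"] == 0:
        return None
    return entry["resp_bytes"] / entry["req_bytes"]
```

A host that shows up with replies but no requests, like the outgoing-only capture in the thread, is reported with an amplification of `None` because the inbound side is missing.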

