[cod] New cod4 attack

Marco Padovan evcz at evcz.tk
Tue Nov 1 08:43:11 EDT 2011


Depends on how many different players you get on your server...

With just that data it's basically impossible to see if something else
was happening :(

You need full incoming tcpdump capture :(
Something like:
tcpdump -nnvvXS host 91.220.163.3

I find it hard to "get it fixed" without traffic samples :(

On 01/11/2011 13:39, Håvard Pedersen wrote:
> Unfortunately, that is all info I have. OTOH, if this IS a new type of
> attack pattern, I guess you will have plenty of other sources pretty
> soon (I was sternly instructed by my host to not start up cod4 again
> until it had been fixed).
>
> My server is automatically restarted nightly... I am guessing that
> should be enough to empty the ip cache?
>
> Håvard Pedersen
> http://fuzzy76.net/
>
>
> On Tue, Nov 1, 2011 at 13:30, Marco Padovan <evcz at evcz.tk> wrote:
>> Looks like a standard attack pattern...
>> we need the incoming traffic too in order to understand what was being
>> exploited...
>> I suppose nothing new was happening here and you just hit the patch "limits"
>>
>> Take a look at the previous list messages... the current patch actually
>> has a limit:
>> the "protection" becomes ineffective once the tracked ips list is
>> filled... you either need to increase it to an insane number or just
>> restart the server before it gets filled :)
>>
>> HINT: incoming src udp port 80 is the most exploited one and I have yet
>> to find a legit game player packet generated from that port...
>>
>> On 01/11/2011 13:18, Håvard Pedersen wrote:
>>> The only info my host had stored was this:
>>>
>>> tcpdump output during a 3-minute period. 7 records.
>>> 12:32:48.533303 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>>> 12:33:10.471172 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>>> 12:33:12.665673 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>>> 12:33:26.951329 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>>> 12:33:46.409945 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>>> 12:33:53.707567 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>>>
>>> Håvard Pedersen
>>> http://fuzzy76.net/
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Nov 1, 2011 at 12:21, Marco Padovan <evcz at evcz.tk> wrote:
>>>> Please post a tcpdump capture or additional details
>>>>
>>>> On 01/11/2011 11:47, Håvard Pedersen wrote:
>>>>
>>>> Sorry, I should have been clearer. My server is used as a relay, it is
>>>> not the target. (Got a call from my host about massive amounts of
>>>> outgoing UDP from my COD4 port)
>>>>
>>>> Håvard Pedersen
>>>> http://fuzzy76.net/
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Nov 1, 2011 at 11:45, Morpheus <morpheus at clantoc.org> wrote:
>>>>
>>>> If you're the target of an attack, the patch won't help you; it only
>>>> prevents attacks from being relayed.
>>>>
>>>> On 01/11/2011 11:42, Håvard Pedersen wrote:
>>>>
>>>> My patched Linux cod4 server experienced a new attack today and had to
>>>> be taken offline. :( Probably a new attack?
>>>>
>>>> Håvard Pedersen
>>>> http://fuzzy76.net/
>>>> _______________________________________________
>>>> cod mailing list
>>>> cod at icculus.org
>>>> http://icculus.org/mailman/listinfo/cod
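Added example, not code from the thread or from the cod4 patch being discussed: a small Python triage script for the kind of tcpdump summary output posted above. It parses plain `tcpdump -nn` one-line records, then (a) lists inbound packets to the game port whose UDP source port is 80, the spoofed-source pattern Marco points at, and (b) groups outbound packets from the game port by destination and flags bursts of identical-size packets to one host:port as relayed responses, with a rough amplification ratio against the matching inbound bytes. It assumes 91.229.142.201 is the relaying server and 28970 its cod4 UDP port (consistent with the posted records, but not stated anywhere in the thread). The six outbound lines in the sample are the posted ones; the inbound spoofed lines and the legitimate client at 10.0.0.5 are constructed to show what a two-way capture would contain.

```python
"""Triage a tcpdump -nn summary capture for the cod4 UDP relay pattern."""
import re
from collections import defaultdict

# Assumptions (not stated in the thread): 91.229.142.201 is the relaying game
# server and 28970 is its cod4 UDP port; 91.220.163.3 is the host being hit.
SERVER_IP = "91.229.142.201"
GAME_PORT = 28970

# The six outbound "length 563" lines are the records posted in the thread.
# The inbound lines (spoofed source 91.220.163.3:80, tiny query) and the
# legitimate client 10.0.0.5:61000 are constructed sample data.
CAPTURE = """\
12:32:48.533100 IP 91.220.163.3.80 > 91.229.142.201.28970: UDP, length 13,
12:32:48.533303 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:32:50.001000 IP 10.0.0.5.61000 > 91.229.142.201.28970: UDP, length 13,
12:32:50.002000 IP 91.229.142.201.28970 > 10.0.0.5.61000: UDP, length 563,
12:33:10.471000 IP 91.220.163.3.80 > 91.229.142.201.28970: UDP, length 13,
12:33:10.471172 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:12.665500 IP 91.220.163.3.80 > 91.229.142.201.28970: UDP, length 13,
12:33:12.665673 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:26.951100 IP 91.220.163.3.80 > 91.229.142.201.28970: UDP, length 13,
12:33:26.951329 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:46.409800 IP 91.220.163.3.80 > 91.229.142.201.28970: UDP, length 13,
12:33:46.409945 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:53.707400 IP 91.220.163.3.80 > 91.229.142.201.28970: UDP, length 13,
12:33:53.707567 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
"""

# One tcpdump -nn summary line: "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)"
)


def parse(text):
    """Parse tcpdump -nn summary lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "length"):
            d[key] = int(d[key])
        pkts.append(d)
    return pkts


def analyze(pkts, server_ip=SERVER_IP, game_port=GAME_PORT, min_pkts=3):
    """Return (spoofed_in, relayed).

    spoofed_in: inbound packets to the game port whose UDP source port is 80;
                no real game client sends from that port, so these are the
                spoofed requests that make the server answer the victim.
    relayed:    outbound flows from the game port with at least min_pkts
                packets to one dst:port, all the same size (the same server
                reply repeated), plus the out/in byte ratio for that peer.
    """
    spoofed_in = [p for p in pkts
                  if p["dst"] == server_ip and p["dport"] == game_port and p["sport"] == 80]

    out_lens = defaultdict(list)   # (dst, dport) -> list of outbound lengths
    in_bytes = defaultdict(int)    # (src, sport) -> inbound bytes from that peer
    for p in pkts:
        if p["src"] == server_ip and p["sport"] == game_port:
            out_lens[(p["dst"], p["dport"])].append(p["length"])
        elif p["dst"] == server_ip and p["dport"] == game_port:
            in_bytes[(p["src"], p["sport"])] += p["length"]

    relayed = {}
    for peer, lens in out_lens.items():
        if len(lens) >= min_pkts and len(set(lens)) == 1:
            total_out = sum(lens)
            relayed[peer] = {
                "packets": len(lens),
                "length": lens[0],
                "bytes_out": total_out,
                # A game client never listens on a privileged port; dport < 1024
                # means the "client" address was almost certainly spoofed.
                "privileged_dst_port": peer[1] < 1024,
                "amplification": round(total_out / in_bytes[peer], 1) if in_bytes[peer] else None,
            }
    return spoofed_in, relayed


if __name__ == "__main__":
    spoofed, relayed = analyze(parse(CAPTURE))
    print(f"{len(spoofed)} inbound packets from src port 80 to the game port")
    for (dst, dport), info in relayed.items():
        print(f"relayed -> {dst}:{dport}: {info}")
```

The parser expects the one-line `tcpdump -nn` format shown in the posted records; with -vv tcpdump spreads each packet over two lines, so for this script capture with `-w` to a file and print it back with `tcpdump -nn -r file`. To confirm the src-port-80 pattern directly on the wire, the BPF filter `udp and src port 80 and dst port 28970` (game port assumed) selects only those packets.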