[cod] New cod4 attack

Håvard Pedersen fuzzy76 at fuzzy76.net
Tue Nov 1 08:48:05 EDT 2011


This particular server has probably seen a maximum of 2 players the
last 30 days :-P

I'll take a note of the tcpdump sample, and try it out if the occasion
rises again.

Håvard Pedersen
http://fuzzy76.net/





On Tue, Nov 1, 2011 at 13:43, Marco Padovan <evcz at evcz.tk> wrote:
> Depends on how many different players you get on your server...
>
> With just that data it's basically impossible to see if something else was
> happening :(
>
> You need full incoming tcpdump capture :(
> Something like:
> tcpdump -nnvvXS host 91.220.163.3
>
> I see it hard to "get it fixed" without traffic samples :(
>
> On 01/11/2011 13:39, Håvard Pedersen wrote:
>
> Unfortunately, that is all info I have. OTOH, if this IS a new type of
> attack pattern, I guess you will have plenty of other sources pretty
> soon (I was sternly instructed by my host to not start up cod4 again
> until it had been fixed).
>
> My server is automatically restarted nightly... I am guessing that
> should be enough to empty the ip cache?
>
> Håvard Pedersen
> http://fuzzy76.net/
>
>
> On Tue, Nov 1, 2011 at 13:30, Marco Padovan <evcz at evcz.tk> wrote:
>
> Looks like a standard attack pattern...
> we need the incoming traffic too in order to understand what was being
> exploited...
> I suppose nothing new was happening here and you just hit the patch "limits"
>
> Take a look at the previous list messages... the current patch actually
> has a limit:
> the "protection" becomes ineffective once the tracked IPs list is
> filled... you either need to increase it to an insane number or just
> restart the server before it gets filled :)
>
> HINT: incoming src udp port 80 is the most exploited one and I have yet
> to find a legit gameplayer packet generated from that port............
>
> On 01/11/2011 13:18, Håvard Pedersen wrote:
>
> The only info my host had stored was this:
>
> tcpdump output during a 3 minute period. 7 records.
> 12:32:48.533303 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
> 12:33:10.471172 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
> 12:33:12.665673 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
> 12:33:26.951329 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
> 12:33:46.409945 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
> 12:33:53.707567 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>
> Håvard Pedersen
> http://fuzzy76.net/
>
>
>
>
>
> On Tue, Nov 1, 2011 at 12:21, Marco Padovan <evcz at evcz.tk> wrote:
>
> Please post a tcpdump capture or additional details
>
> On 01/11/2011 11:47, Håvard Pedersen wrote:
>
> Sorry, I should have been clearer. My server is used as a relay, it is
> not the target. (Got a call from my host about massive amounts of
> outgoing UDP from my COD4 port)
>
> Håvard Pedersen
> http://fuzzy76.net/
>
>
>
>
>
> On Tue, Nov 1, 2011 at 11:45, Morpheus <morpheus at clantoc.org> wrote:
>
> If you're the target of an attack, the patch won't help you; it only
> prevents attacks from being relayed.
>
> On 01/11/2011 11:42, Håvard Pedersen wrote:
>
> My patched Linux cod4 server experienced a new attack today and had to
> be taken offline. :( Probably a new attack?
>
> Håvard Pedersen
> http://fuzzy76.net/
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>
>


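The thread above boils down to two observations a server admin can check in a capture: Marco's hint that legitimate clients never send from UDP source port 80, and the pattern in Håvard's sample of one source repeating identical-length packets at the game port. The following script is an added example, not part of the original thread or of the cod4 patch being discussed; it parses tcpdump one-line summaries in the format shown in the thread and flags both patterns. It assumes the game port is UDP 80 (as in the captured lines) and that port 80 is the suspicious source port; the two extra capture lines from documentation address ranges (198.51.100.7 and 203.0.113.9) are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tcpdump "-nn" summary line for a UDP datagram, e.g.
# 12:32:48.533303 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# Assumption: the game server listens on UDP 80, as in the thread's capture.
SERVER_PORT = 80

# Six lines are the ones posted in the thread; the last two are constructed:
# one from a source port no real client uses, one that looks like a normal client.
SAMPLE_CAPTURE = """\
12:32:48.533303 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:10.471172 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:12.665673 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:26.951329 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:46.409945 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:53.707567 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:00.000000 IP 198.51.100.7.80 > 91.220.163.3.80: UDP, length 41,
12:33:05.000000 IP 203.0.113.9.27960 > 91.220.163.3.80: UDP, length 64,
"""


def parse_line(line):
    """Return a dict for one tcpdump UDP summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "len": int(m.group("len")),
    }


def parse_capture(text):
    """Parse every recognisable line of a capture, silently skipping the rest."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def flag_source_ports(records, server_port, suspicious_ports=frozenset({80})):
    """Inbound packets to the game port whose UDP source port no real client uses.

    Port 80 is the default here because of the hint in the thread; the set is
    a parameter so an admin can extend it from their own observations.
    """
    return [r for r in records
            if r["dport"] == server_port and r["sport"] in suspicious_ports]


def flag_repeaters(records, server_port, min_count=5, window=timedelta(seconds=120)):
    """Sources sending >= min_count identical-length packets to the game port
    within `window`. Returns {(src, sport, length): max packets seen in one window}.
    """
    by_key = defaultdict(list)
    for r in records:
        if r["dport"] == server_port:
            by_key[(r["src"], r["sport"], r["len"])].append(r["ts"])
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):          # sliding window over timestamps
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= min_count:
                hits[key] = max(hits.get(key, 0), count)
    return hits


RECORDS = parse_capture(SAMPLE_CAPTURE)

if __name__ == "__main__":
    for r in flag_source_ports(RECORDS, SERVER_PORT):
        print("suspicious source port:", r["src"], r["sport"], "len", r["len"])
    for (src, sport, length), n in flag_repeaters(RECORDS, SERVER_PORT).items():
        print(f"repeater: {src}:{sport} sent {n} packets of length {length}")
```

Run it against a file produced by `tcpdump -nn udp port <gameport>` instead of the embedded sample to get the same report for a real capture; the repeater check is the more useful of the two for a relay scenario, because a source that keeps hitting the game port with the same packet is the signature of traffic being bounced off the server rather than a client playing.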