[cod] CoD2 UDP flood
Luca Farflame Fabbro
farflame at cybergames.it
Fri Feb 24 04:10:57 EST 2012
Try this command:
tcpdump -c 4 -nnvvvXS dst port 28960
where port is the port that you want to monitor.
The output should be something like:
0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad E..+5...u.......
0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff ....p.q.........
0x0020: 6765 7473 7461 7475 730a 0000 0000 getstatus.....
On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
> That is strange, because if I use those values, it does not work. If I use "--from 31" alone, then it works. As soon as I change that to 32, it stops working. When I inspect the packets in Wireshark, the "getstatus" string starts at offset 48 if counting from 1. Would there be a way for iptables to print to log what it sees in the specified offset range?
>
> On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame Fabbro <farflame at cybergames.it> wrote:
> The length of the packet doesn't matter.
> That rule will try to find the string "getstatus" starting at position 32 bytes from the start of the packet and searching for it up to position 41 at most.
> The Q3 protocol for that command expects the string to be in that range.
>
> On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:
>
>> Is the offset range of 32-41 based on a 60-byte packet?
>>
>> On Thu, Feb 23, 2012 at 10:34 AM, Marco Padovan <evcz at evcz.tk> wrote:
>> iptables -A INPUT -p udp -m string --string "getstatus" --algo bm --from 32 --to 41 -j DROP
>>
>> --
>> Geoff Goas
>> Systems Engineer
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>
> --
> Geoff Goas
> Systems Engineer
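Added example, not code from this thread: it parses the tcpdump bytes quoted in the message above and reports where "getstatus" sits, counted from the first byte of the IP header (the way that dump is laid out), next to the same position in a frame-level view. The function names and the 14-byte untagged Ethernet header are assumptions of this example.

```python
import struct

# Hex words copied from the tcpdump -X output in the message above (ASCII column dropped).
DUMP = """
0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad
0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff
0x0020: 6765 7473 7461 7475 730a 0000 0000
"""

ETH_HLEN = 14  # assumption: untagged Ethernet II header in a frame-level capture view


def dump_to_bytes(dump):
    """Turn 'offset: hex words' lines into the raw packet bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        words = line.partition(":")[2]
        out += bytes.fromhex("".join(words.split()))
    return bytes(out)


def locate(pkt, needle=b"getstatus"):
    """Find needle in the UDP payload; offsets count from the start of the IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("expected an IPv4/UDP packet starting at the IP header")
    ihl = (pkt[0] & 0x0F) * 4                      # 20 unless IP options are present
    total_len = struct.unpack("!H", pkt[2:4])[0]   # IP total length, without link padding
    if len(pkt) < total_len or total_len < ihl + 8:
        raise ValueError("truncated packet")
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    payload = pkt[ihl + 8:total_len]               # skip the 8-byte UDP header
    idx = payload.find(needle)
    if idx < 0:
        raise ValueError("needle not in payload")
    start = ihl + 8 + idx
    return {
        "dport": dport,
        "ip_total_len": total_len,
        "captured_len": len(pkt),                  # longer than total_len if padded
        "start": start,                            # first byte of the string
        "end": start + len(needle),                # one past its last byte
        "frame_start": start + ETH_HLEN,           # 0-based, Ethernet header included
    }


if __name__ == "__main__":
    print(locate(dump_to_bytes(DUMP)))
```

On these bytes the IP header is 20 bytes with no options; a packet carrying IP options would shift every payload offset by the extra header length.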