[cod] CoD2 UDP flood

david.lauriou at wanadoo.fr david.lauriou at wanadoo.fr
Fri Feb 24 07:47:41 EST 2012


Like this?

iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP

----- Original Message ----- 
  From: Marco Padovan 
  To: Call of Duty server admin list. 
  Sent: Friday, February 24, 2012 1:35 PM
  Subject: Re: [cod] CoD2 UDP flood


  iptables rules

  On 24/02/2012 13:28, david.lauriou at wanadoo.fr wrote: 
    For COD4, what is the best method to remove the UDP flooding exploit?

      ----- Original Message ----- 
      From: Marco Padovan 
      To: Call of Duty server admin list. 
      Sent: Friday, February 24, 2012 12:10 PM
      Subject: Re: [cod] CoD2 UDP flood


      Be aware that there are two different ways to talk about offset: packet offset (includes header) and payload offset (does not include header).

      On 24/02/2012 10:41, Geoff Goas wrote: 
        You're right, and I see my error. That is frustrating because I have no idea why it doesn't work with the offset specified then.


        On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro <farflame at cybergames.it> wrote:

          Try this command:
          tcpdump -c 4 -nnvvvXS dst port 28960 
          where the port is the one that you want to monitor.
          The output should be something like:


                  0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
                  0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
                  0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....


          On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:


            That is strange, because if I use those values, it does not work. If I use "--from 31" alone, then it works. As soon as I change that to 32, it stops working. When I inspect the packets in Wireshark, the "getstatus" string starts at offset 48 if counting from 1. Would there be a way for iptables to print to log what it sees in the specified offset range?


            On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame Fabbro <farflame at cybergames.it> wrote:

              The length of the packet doesn't matter.
              That rule will try to find the string "getstatus" starting at position 32 bytes from the start of the packet and searching for it up to position 41 at most.
              The Q3 protocol for that command expects the string to be in that range.



              On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:


                Is the offset range of 32-41 based on a 60-byte packet?


                On Thu, Feb 23, 2012 at 10:34 AM, Marco Padovan <evcz at evcz.tk> wrote:

                  iptables -A INPUT -p udp -m string --string "getstatus" --algo bm --from 32 --to 41 -j DROP


                -- 
                Geoff Goas
                Systems Engineer

                _______________________________________________
                cod mailing list
                cod at icculus.org
                http://icculus.org/mailman/listinfo/cod









            -- 
            Geoff Goas
            Systems Engineer










        -- 
        Geoff Goas
        Systems Engineer


         





     



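
Added example (not part of the original thread): this script rebuilds the packet from the tcpdump dump quoted above and reports where "getstatus" starts under each way of counting mentioned in the thread, from the start of the IP packet and from the start of the UDP payload. The function names and the link_hdr_len default of 14 bytes (untagged Ethernet) are assumptions for illustration.

```python
import re
import struct

# Hex dump copied from the tcpdump output quoted in this thread.
# tcpdump -X (without -e/-XX) starts the dump at the IP header.
DUMP = """\
0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....
"""

def dump_to_bytes(dump):
    """Rebuild raw bytes from tcpdump -X lines, dropping the ASCII column."""
    raw = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        rest = line.split(":", 1)[1].strip()
        # The hex groups end at the first run of two or more spaces.
        raw += bytes.fromhex(re.split(r"\s{2,}", rest)[0])
    return bytes(raw)

def locate(packet, needle=b"getstatus", link_hdr_len=14):
    """Return the needle's offset relative to each reference point."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17:
        raise ValueError("not UDP")
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload_start = ihl + 8                      # UDP header is 8 bytes
    # Search only inside the IP packet, not in link-layer padding after it.
    pos = packet[:total_len].find(needle, payload_start)
    if pos < 0:
        raise ValueError("needle not found in UDP payload")
    return {
        "ip_total_length": total_len,
        "udp_length": udp_len,
        "dst_port": dport,
        "from_ip_header": pos,                    # "packet offset"
        "end_from_ip_header": pos + len(needle),  # first byte after the string
        "from_udp_payload": pos - payload_start,  # "payload offset"
        "from_frame_start": pos + link_hdr_len,   # assumed link header size
    }

if __name__ == "__main__":
    for key, value in locate(dump_to_bytes(DUMP)).items():
        print(f"{key:20} {value}")
```
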