[cod] CoD2 UDP flood

Marco Padovan evcz at evcz.tk
Fri Feb 24 08:00:57 EST 2012


that rule is very basic.

cod1, cod1.5, cod2 and cod4 all suffer from the same problem and are
exploited in exactly the same way.

So an iptables ruleset that fixes the cod4 problem also works for cod2 and cod1.

On 24/02/2012 13:51, david.lauriou at wanadoo.fr wrote:
> I've found this:
> http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers
>
> It's for cod4, not for COD2!
>
>     ----- Original Message -----
>     *From:* Marco Padovan <mailto:evcz at evcz.tk>
>     *To:* cod at icculus.org <mailto:cod at icculus.org>
>     *Sent:* Friday, February 24, 2012 1:49 PM
>     *Subject:* Re: [cod] CoD2 UDP flood
>
>     NO!
>
>     Read the messages that got posted in the last 2 days...
>
>     This should be a proper ruleset:
>     http://icculus.org/pipermail/cod/2012-February/015927.html
>
>     On 24/02/2012 13:47, david.lauriou at wanadoo.fr wrote:
>>     like this?
>>
>>     iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
>>     iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>
>>         ----- Original Message -----
>>         *From:* Marco Padovan <mailto:evcz at evcz.tk>
>>         *To:* Call of Duty server admin list. <mailto:cod at icculus.org>
>>         *Sent:* Friday, February 24, 2012 1:35 PM
>>         *Subject:* Re: [cod] CoD2 UDP flood
>>
>>         iptables rules
>>
>>         On 24/02/2012 13:28, david.lauriou at wanadoo.fr wrote:
>>>         For COD4, what is the best method to remove the UDP flooding
>>>         exploit?
>>>
>>>
>>>             ----- Original Message -----
>>>             *From:* Marco Padovan <mailto:evcz at evcz.tk>
>>>             *To:* Call of Duty server admin list.
>>>             <mailto:cod at icculus.org>
>>>             *Sent:* Friday, February 24, 2012 12:10 PM
>>>             *Subject:* Re: [cod] CoD2 UDP flood
>>>
>>>             Be aware that there are two different ways to talk about
>>>             offset: packet offset (includes header) and payload
>>>             offset (does not include header)
>>>
>>>             On 24/02/2012 10:41, Geoff Goas wrote:
>>>>             You're right, and I see my error. That is frustrating
>>>>             because I have no idea why it doesn't work with the
>>>>             offset specified then.
>>>>
>>>>             On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro
>>>>             <farflame at cybergames.it
>>>>             <mailto:farflame at cybergames.it>> wrote:
>>>>
>>>>                 Try this command:
>>>>                 tcpdump -c 4 -nnvvvXS dst port 28960
>>>>                 where the port is the one you want to monitor.
>>>>                 The output should be something like:
>>>>
>>>>                 0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
>>>>                 0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
>>>>                 0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....
>>>>
>>>>                 On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
>>>>
>>>>>                 That is strange, because if I use those values, it
>>>>>                 does not work. If I use "--from 31" alone, then it
>>>>>                 works. As soon as I change that to 32, it stops
>>>>>                 working. When I inspect the packets in Wireshark,
>>>>>                 the "getstatus" string starts at offset 48 if
>>>>>                 counting from 1. Would there be a way for iptables
>>>>>                 to print to log what it sees in the specified
>>>>>                 offset range?
>>>>>
>>>>>                 On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame
>>>>>                 Fabbro <farflame at cybergames.it
>>>>>                 <mailto:farflame at cybergames.it>> wrote:
>>>>>
>>>>>                     The length of the packet doesn't matter.
>>>>>                     That rule will try to find the string
>>>>>                     "getstatus" starting at position 32 bytes from
>>>>>                     the start of the packet and searching for it up
>>>>>                     to position 41 at most.
>>>>>                     The Q3 protocol for that command expects the
>>>>>                     string to be in that range.
>>>>>
>>>>>                     On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:
>>>>>
>>>>>>                     Is the offset range of 32-41 based on a
>>>>>>                     60-byte packet?
>>>>>>
>>>>>>                     On Thu, Feb 23, 2012 at 10:34 AM, Marco
>>>>>>                     Padovan <evcz at evcz.tk <mailto:evcz at evcz.tk>>
>>>>>>                     wrote:
>>>>>>
>>>>>>                         iptables -A INPUT -p udp -m string --string "getstatus" --algo bm --from 32 --to 41 -j DROP
>>>>>>
>>>>>>                     -- 
>>>>>>                     /*Geoff Goas
>>>>>>                     Systems Engineer*/
>>>>>>
>>>>>>                     _______________________________________________
>>>>>>                     cod mailing list
>>>>>>                     cod at icculus.org <mailto:cod at icculus.org>
>>>>>>                     http://icculus.org/mailman/listinfo/cod
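An added example, not from this thread or its authors: this Python rebuilds the packet from the tcpdump -X dump quoted above and reports both offsets Marco distinguishes (packet offset, counted from the IP header as -m string --from does, and payload offset), then checks whether a --from/--to window actually covers the string. It assumes the dump starts at the IP header and treats --to as the exclusive end of the search window; the IP-options variant is constructed only to show the offset shifting.

```python
import re
import struct

# One Q3 "getstatus" probe in tcpdump -X form, re-joined from the wrapped
# lines quoted in this thread (constructed sample, not a fresh capture).
SAMPLE_DUMP = """
0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....
"""

def parse_tcpdump_hex(dump):
    """Rebuild the raw packet (IP header first) from tcpdump -X output."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if line.lower().startswith("0x"):       # skip anything that is not a hex row
            hex_part = re.split(r"\s{2,}", line.partition(":")[2].strip())[0]
            out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)

def locate_marker(pkt, marker=b"getstatus"):
    """Packet offset (from the IP header, what -m string --from counts) and
    payload offset (from the first UDP payload byte) of the marker."""
    ihl = (pkt[0] & 0x0F) * 4                   # IP header length, 20 without options
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    idx = pkt[ihl + 8:ihl + udp_len].find(marker)
    if idx < 0:
        return None
    return {"ip_header_len": ihl, "payload_offset": idx, "packet_offset": ihl + 8 + idx}

def string_rule_matches(pkt, frm, to, marker=b"getstatus"):
    """Would '-m string --from frm --to to' see the marker in this packet?
    --to is treated as the exclusive end of the search window (the stricter
    reading of the man page), so the whole string must fit inside it."""
    loc = locate_marker(pkt, marker)
    return loc is not None and frm <= loc["packet_offset"] \
        and loc["packet_offset"] + len(marker) <= to

def with_ip_options(pkt):
    """Constructed variant: same datagram with 4 bytes of IP NOP options, which
    pushes every payload byte 4 positions deeper (header checksum not redone)."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[0] = (hdr[0] & 0xF0) | (ihl // 4 + 1)
    hdr[2:4] = struct.pack("!H", struct.unpack("!H", pkt[2:4])[0] + 4)
    return bytes(hdr) + b"\x01\x01\x01\x01" + pkt[ihl:]
```

On the sample, the string sits at packet offset 32 and payload offset 4, so Marco's `--from 32 --to 41` fits it exactly, while the options variant moves it to 36 and the same window no longer matches.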