[cod] CoD2 UDP flood

Boyd G. Gafford Ph.D. drboyd at westportresearch.com
Fri Feb 24 10:35:44 EST 2012


Something I noticed when I was using libpcap natively from C is that 
OpenVZ VPSs have a 16-byte Ethernet header instead of the usual 14-byte 
Ethernet header that a typical physical server has.  Maybe something 
like that is making a difference in the offset?

/Boyd/


On 02/24/2012 05:10 AM, Marco Padovan wrote:
> Be aware that there are two different ways to talk about offset: 
> packet offset (includes header) and payload offset (does not include 
> header)
>
> On 24/02/2012 10:41, Geoff Goas wrote:
>> You're right, and I see my error. That is frustrating because I have 
>> no idea why it doesn't work with the offset specified then.
>>
>> On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro 
>> <farflame at cybergames.it> wrote:
>>
>>     Try this command
>>     tcpdump -c 4 -nnvvvXS dst port 28960
>>     where port is the port that you want to monitor
>>     should be something like
>>
>>             0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
>>             0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
>>             0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....
>>
>>     On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
>>
>>>     That is strange, because if I use those values, it does not
>>>     work. If I use "--from 31" alone, then it works. As soon as I
>>>     change that to 32, it stops working. When I inspect the packets
>>>     in Wireshark, the "getstatus" string starts at offset 48 if
>>>     counting from 1. Would there be a way for iptables to print to
>>>     log what it sees in the specified offset range?
>>>
>>>     On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame Fabbro
>>>     <farflame at cybergames.it> wrote:
>>>
>>>         The length of the packet doesn't matter.
>>>         That rule will try to find the string "getstatus" starting at
>>>         position 32 bytes from the start of the packet and searching for it
>>>         at maximum at position 41.
>>>         The Q3 protocol for that command expects the string to be in
>>>         that range.
>>>
>>>         On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:
>>>
>>>>         Is the offset range of 32-41 based on a 60-byte packet?
>>>>
>>>>         On Thu, Feb 23, 2012 at 10:34 AM, Marco Padovan
>>>>         <evcz at evcz.tk> wrote:
>>>>
>>>>             iptables -A INPUT -p udp -m string --string "getstatus"
>>>>             --algo bm --from 32 --to 41 -j DROP
>>>>
>>>>         -- 
>>>>         /*Geoff Goas
>>>>         Systems Engineer*/
>>>>
>>>>         _______________________________________________
>>>>         cod mailing list
>>>>         cod at icculus.org
>>>>         http://icculus.org/mailman/listinfo/cod
>>>
>>>
>>
>>
>
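The thread turns on where an offset is counted from: tcpdump -X (as opposed to -XX) prints the packet starting at the IP header, iptables -m string counts --from/--to from the same point in the INPUT chain, and Wireshark shows the link-layer header in front of that (14 bytes on a normal Ethernet interface, 16 on an OpenVZ venet interface, as noted above). The script below is an added example, not code from any of the participants: it parses a copy of the tcpdump dump posted in the thread, locates "getstatus" in the UDP payload, and reports the same position as a payload offset, as an IP-packet offset (the number iptables wants), and as a Wireshark frame offset for both link-header sizes. It also models the iptables string match as "the needle lies entirely inside bytes [from, to) of the IP packet"; the exclusive upper bound is an assumption about the kernel's search window, and the function name xt_string_match is the example's own.

```python
"""Locate the Q3 'getstatus' string in a captured UDP packet and derive
iptables -m string --from/--to offsets for it (added example, not from the thread)."""
import struct

# Constructed copy of the tcpdump -X hex dump posted in the thread.
# tcpdump -X starts at the IP header (no link-layer header), which is also
# where iptables -m string counts its --from/--to offsets from.
HEXDUMP = """
0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....
"""

HEXDIGITS = set("0123456789abcdefABCDEF")


def parse_hexdump(text: str) -> bytes:
    """Turn tcpdump -X style lines into raw bytes, ignoring the ASCII column.

    Hex groups are exactly four hex digits; the ASCII column is one longer
    run of arbitrary characters, so the first non-hex group ends the line."""
    out = bytearray()
    for line in text.strip().splitlines():
        _, _, rest = line.partition(":")
        for group in rest.split():
            if len(group) == 4 and set(group) <= HEXDIGITS:
                out += bytes.fromhex(group)
            else:
                break
    return bytes(out)


def udp_payload(pkt: bytes):
    """Return (payload_offset, payload) for an IPv4/UDP packet.

    Offsets are relative to the first byte of the IP header. Bytes past the
    IP total length (Ethernet minimum-frame padding) are dropped."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17:
        raise ValueError("not UDP")
    pkt = pkt[:total_len]
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    payload_off = ihl + 8
    return payload_off, pkt[payload_off:ihl + udp_len]


def string_offsets(pkt: bytes, needle: bytes):
    """Report where `needle` sits, counted from each reference point people
    use in the thread. Returns None if the needle is not in the payload."""
    payload_off, payload = udp_payload(pkt)
    idx = payload.find(needle)
    if idx < 0:
        return None
    start = payload_off + idx
    return {
        "payload_offset": idx,             # from first payload byte
        "packet_offset": start,            # from IP header: what iptables counts
        "iptables_from": start,
        "iptables_to": start + len(needle),  # smallest --to that still matches
        "wireshark_eth14": start + 14,     # frame offset, normal Ethernet
        "wireshark_eth16": start + 16,     # frame offset, OpenVZ venet
    }


def xt_string_match(pkt: bytes, needle: bytes, from_off: int, to_off: int = 65535) -> bool:
    """Model of iptables -m string --from/--to.

    Assumption: the kernel searches bytes [from_off, to_off) of the IP packet
    and only matches if the whole needle fits inside that window."""
    return needle in pkt[from_off:to_off]


if __name__ == "__main__":
    pkt = parse_hexdump(HEXDUMP)
    info = string_offsets(pkt, b"getstatus")
    for key, value in info.items():
        print(f"{key:>16}: {value}")
    rule = f'iptables -A INPUT -p udp -m string --string "getstatus" --algo bm ' \
           f'--from {info["iptables_from"]} --to {info["iptables_to"]} -j DROP'
    print(rule)
    for f in (31, 32, 33):
        print(f"--from {f} --to 41 matches: {xt_string_match(pkt, b'getstatus', f, 41)}")
```

Against the posted packet this reports "getstatus" at payload offset 4 and packet offset 32, so --from 32 --to 41 is the tightest window that still matches, while --from 33 or --to 40 cuts into the string and fails. The same byte shows up at frame offset 46 under a 14-byte Ethernet header and 48 under a 16-byte one, which is the gap to keep in mind when reading offsets off Wireshark and typing them into an iptables rule.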