[cod] CoD2 UDP flood

escapedturkey escapedturkey at escapedturkey.com
Tue Feb 28 06:09:27 EST 2012 

Can you please share your changes? I assumed the rules would cover multiple
IP aliases. This is incorrect?

Thanks. =)

On Tue, Feb 28, 2012 at 2:47 AM, Geoff Goas <gitman at gmail.com> wrote:

> Well I can say the iptables rules have been running fantastically. I added
> a few tweaks such as not blocking the server's own set of IP's (there are
> quite a few internal queries going on), and also setting the hashlimit-mode
> to be based on source and destination IP since I have different server
> instances on different addresses, and I wanted a little more granularity to
> the matching. My ingress rates are still noticeably higher than they used
> to be, but at least the outbound bandwidth isn't being exploited anymore.
>
> Does anyone know the default value for hashlimit-htable-expire? I haven't
> been able to find it, so I've manually set it to 30 seconds.
>
>
>
>  On 02/24/2012 03:38 PM, River Hosting wrote:
>>
>> Hello again guys,
>>
>>
>>
>> I was adding some new rules into the firewall and it looks like the
>> flooding has stopped!
>>
>>
>>
>> Now using;
>>
>> - *serverark* (recently posted on this list)
>>
>> - *getstatus_ban.sh* (recently posted aswell)
>>
>> - *iptables*
>>
>>
>>
>> Since this morning the traffic dropped from 6 Mbit/s to 45 Kb/s.
>>
>> When filtering, shutting down all gameservers running on your box for
>> about 24-48 hours may do the trick. After that time just reboot them and
>> let the magic happen... :)
>>
>>
>>
>>
>>
>> Met vriendelijke groeten,
>>
>> With kind regards,
>>
>> Julian Maartens
>> River Hosting
>>
>> info at riverhosting.nl
>> http://www.riverhosting.nl
>>
>>
>>
>> *Van:* Marco Padovan [mailto:evcz at evcz.tk <evcz at evcz.tk>]
>> *Verzonden:* vrijdag 24 februari 2012 14:05
>> *Aan:* Call of Duty server admin list.
>> *Onderwerp:* Re: [cod] CoD2 UDP flood
>>
>>
>>
>> You can either use the one you linked from modsrepository or the more
>> "complex" one that was posted on this list
>>
>> Il 24/02/2012 14:03, david.lauriou at wanadoo.fr ha scritto:
>>
>> the rules is ?
>>
>>
>>
>>  ----- Original Message -----
>>
>> *From:* Marco Padovan <evcz at evcz.tk>
>>
>> *To:* cod at icculus.org
>>
>> *Sent:* Friday, February 24, 2012 2:00 PM
>>
>> *Subject:* Re: [cod] CoD2 UDP flood
>>
>>
>>
>> that rule is very basic.
>>
>> cod1, cod1.5, cod2 and cod4 all suffer the same problem and are exploited
>> in the same exact way.
>>
>> So an iptables that fixes the cod4 problem works also for cod2 and cod1
>>
>> Il 24/02/2012 13:51, david.lauriou at wanadoo.fr ha scritto:
>>
>> i've find this :
>> http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers
>>
>> its for cod4 not for COD2 !
>>
>>
>>
>>  ----- Original Message -----
>>
>> *From:* Marco Padovan <evcz at evcz.tk>
>>
>> *To:* cod at icculus.org
>>
>> *Sent:* Friday, February 24, 2012 1:49 PM
>>
>> *Subject:* Re: [cod] CoD2 UDP flood
>>
>>
>>
>> NO!
>>
>> Read the messages that got posted in the last 2 days...
>>
>> This should be a proper ruleset:
>> http://icculus.org/pipermail/cod/2012-February/015927.html
>>
>> Il 24/02/2012 13:47, david.lauriou at wanadoo.fr ha scritto:
>>
>> like this ?
>>
>>
>>
>> IPTABLES -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
>>
>> IPTABLES -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>
>>   ----- Original Message -----
>>
>> *From:* Marco Padovan <evcz at evcz.tk>
>>
>> *To:* Call of Duty server admin list. <cod at icculus.org>
>>
>> *Sent:* Friday, February 24, 2012 1:35 PM
>>
>> *Subject:* Re: [cod] CoD2 UDP flood
>>
>>
>>
>> iptables rules
>>
>> Il 24/02/2012 13:28, david.lauriou at wanadoo.fr ha scritto:
>>
>> for COD4 what is the best method to remove udp Flooding exploit ?
>>
>>
>>
>>  ----- Original Message -----
>>
>> *From:* Marco Padovan <evcz at evcz.tk>
>>
>> *To:* Call of Duty server admin list. <cod at icculus.org>
>>
>> *Sent:* Friday, February 24, 2012 12:10 PM
>>
>> *Subject:* Re: [cod] CoD2 UDP flood
>>
>>
>>
>> Be aware that there are two different ways to talk about offset: packet
>> offset (includes header) and payload offset (does not include header)
>>
>> Il 24/02/2012 10:41, Geoff Goas ha scritto:
>>
>> You're right, and I see my error. That is frustrating because I have no
>> idea why it doesn't work with the offset specified then.
>>
>> On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro <
>> farflame at cybergames.it> wrote:
>>
>> Try this command
>>
>> tcpdump -c 4 -nnvvvXS dst port 28960
>>
>> where port is the port that you want to monitor
>>
>> should be something like
>>
>>
>>
>>         0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
>>
>>         0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
>>
>>         0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....
>>
>>
>>
>> On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
>>
>>
>>
>>
>>
>>  That is strange, because if I use those values, it does not work. If I
>> use "--from 31" alone, then it works. As soon as I change that to 32, it
>> stops working. When I inspect the packets in Wireshark, the "getstatus"
>> string starts at offset 48 if counting from 1. Would there be a way for
>> iptables to print to log what it sees in the specified offset range?
>>
>> On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame Fabbro <
>> farflame at cybergames.it> wrote:
>>
>> It doesn't matter the length of the packet.
>>
>> That rule will try to find the string "gestatus" starting at position 32
>> bytes from start of packet and searching for it at maximum at position 41.
>>
>> The Q3 protocol for that command expects the string to be in that range.
>>
>>
>>
>> On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:
>>
>>
>>
>>  Is the offset range of 32-41 based on a 60-byte packet?
>>
>> On Thu, Feb 23, 2012 at 10:34 AM, Marco Padovan <evcz at evcz.tk> wrote:
>>
>> iptables -A INPUT -p udp -m string --string "getstatus" --algo bm --from
>> 32 --to 41 -j DROP
>>
>> --
>> *Geoff Goas
>> Systems Engineer*
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>> --
>> *Geoff Goas
>> Systems Engineer*
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>> --
>> *Geoff Goas
>> Systems Engineer*
>>
>>
>>
>>
>>
>>
>>  _______________________________________________
>>
>> cod mailing list
>>
>> cod at icculus.org
>>
>> http://icculus.org/mailman/listinfo/cod
>>
>>  ------------------------------
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>>
>>
>>  _______________________________________________
>>
>> cod mailing list
>>
>> cod at icculus.org
>>
>> http://icculus.org/mailman/listinfo/cod
>>
>>  ------------------------------
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>>
>>
>>  _______________________________________________
>>
>> cod mailing list
>>
>> cod at icculus.org
>>
>> http://icculus.org/mailman/listinfo/cod
>>
>>  ------------------------------
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>>
>>
>>  _______________________________________________
>>
>> cod mailing list
>>
>> cod at icculus.org
>>
>> http://icculus.org/mailman/listinfo/cod
>>
>>  ------------------------------
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>>
>>
>>  _______________________________________________
>>
>> cod mailing list
>>
>> cod at icculus.org
>>
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>>
>>  _______________________________________________
>>
>> cod mailing list
>>
>> cod at icculus.org
>>
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>>  _______________________________________________
>>
>> cod mailing list
>>
>> cod at icculus.org
>>
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>
>
>
> --
> *Geoff Goas
> Systems Engineer*
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>
>


-- 
EscapedTurkey.com Billing and Support
https://www.escapedturkey.com/helpdesk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20120228/7d5bd5b2/attachment-0001.htm>

More information about the cod mailing list