[cod] COD 4 UDP security leak
Jeff Love
jl at burghcom.com
Fri Jan 6 16:39:33 EST 2012
Are we sure that a getstatus packet length is 42, and that there are no legitimate client packets of
length 1162-1168?
If so, this seems like a good fix. I just want to be sure I'm not blocking legitimate client packets.
Jeff Love
Burgh Gaming
> You can try this:
>
> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>
> This prevents your servers from being exploitable. If you are the target
> there's nothing in your hand to take UDP floods down; only your ISP can
> blackhole offending IPs.
>
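To help answer the question above (does `--length 42` really catch a getstatus query, and what does the `1162:1168` drop range and the `-m recent` threshold actually do to traffic), here is an added model of the quoted rules. It is example code written for this archive page, not something posted to the list, and it rests on assumptions the thread does not state: that `-m length` compares the whole IPv4 packet (20-byte IP header plus 8-byte UDP header plus payload, no IP options), that a Quake3-engine style getstatus query is the `\xff\xff\xff\xff` out-of-band marker followed by `getstatus` and a trailing newline, and that xt_recent keeps its default of 20 timestamps per address (`ip_pkt_list_tot`, which `--hitcount` cannot exceed). The source address and traffic in `simulate_flood` are constructed.

```python
"""Model of the quoted iptables rules for the COD4 getstatus flood.
Added example for this page, not code from the mailing list thread.

Assumptions (not stated in the thread):
  * `-m length` sees 20 (IPv4 header) + 8 (UDP header) + payload bytes.
  * A getstatus query payload is b"\xff\xff\xff\xffgetstatus\n" (14 bytes),
    which gives the 42-byte packet the --set rule keys on.
  * xt_recent stores at most 20 timestamps per address by default
    (ip_pkt_list_tot); --hitcount 20 therefore sits at that ceiling.
"""
from collections import defaultdict, deque

IP_HEADER = 20
UDP_HEADER = 8
IP_PKT_LIST_TOT = 20               # xt_recent default timestamps per address
DROP_LENGTH_RANGE = (1162, 1168)   # the 1162:1168 range from the quoted rules


def iptables_length(udp_payload: bytes) -> int:
    """Length value that `-m length --length` compares for a UDP datagram."""
    return IP_HEADER + UDP_HEADER + len(udp_payload)


def length_rule_drops(udp_payload: bytes) -> bool:
    """Would the `--length 1162:1168 -j DROP` rules discard this datagram?"""
    lo, hi = DROP_LENGTH_RANGE
    return lo <= iptables_length(udp_payload) <= hi


class GetstatusRateLimit:
    """Simplified model of the two `-m recent` rules:

        --length 42 -m recent --set --name getstatus_cod
        --string "getstatus" -m recent --update --seconds 1 --hitcount 20 -j DROP
    """

    def __init__(self, seconds=1.0, hitcount=20, set_length=42):
        self.seconds = seconds
        self.hitcount = hitcount
        self.set_length = set_length
        # per-source ring of timestamps, like the xt_recent entry list
        self.stamps = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def handle(self, src: str, udp_payload: bytes, now: float) -> str:
        """Return "DROP" or "ACCEPT" for one inbound datagram seen at `now`."""
        # Rule 1: --set records a timestamp for every 42-byte packet,
        # creating the source's entry if it does not exist yet.
        if iptables_length(udp_payload) == self.set_length:
            self.stamps[src].append(now)
        # Rule 2: --update with --hitcount matches only if the source already
        # has an entry with >= hitcount stamps inside the window; a match
        # records one more stamp (the update) and the packet is dropped.
        if b"getstatus" in udp_payload and src in self.stamps:
            recent = [t for t in self.stamps[src] if now - t <= self.seconds]
            if len(recent) >= self.hitcount:
                self.stamps[src].append(now)
                return "DROP"
        return "ACCEPT"


def simulate_flood(packets_per_second: int, src="198.51.100.7") -> dict:
    """Constructed traffic: `packets_per_second` getstatus queries spread over
    one second from a single (spoofed) source, then one query at t=3s."""
    query = b"\xff\xff\xff\xffgetstatus\n"
    limiter = GetstatusRateLimit()
    verdicts = [limiter.handle(src, query, i / packets_per_second)
                for i in range(packets_per_second)]
    late = limiter.handle(src, query, 3.0)
    return {"accepted": verdicts.count("ACCEPT"),
            "dropped": verdicts.count("DROP"),
            "after_quiet_period": late}


if __name__ == "__main__":
    print("getstatus packet length:", iptables_length(b"\xff\xff\xff\xffgetstatus\n"))
    print("50 queries/s:", simulate_flood(50))
    print("10 queries/s:", simulate_flood(10))
```

Two things the model makes visible: the 42-byte `--set` rule is what feeds the counter, so any client whose getstatus query differs in length (no trailing newline, extra arguments) is never counted, and the drop threshold is only ever evaluated for packets containing the `getstatus` string, so ordinary gameplay traffic is untouched by the rate limit. Whether anything legitimate falls in 1162:1168 can only be settled by capturing a real client session and feeding its payload sizes through `length_rule_drops`.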