[cod] COD 4 UDP security leak

NewLight Systems nls at newlightsystems.com
Fri Jan 6 16:49:01 EST 2012


I've been running these rules for some months now with no problems.

The key rules are these:

/sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set \
    --name getstatus_cod
/sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" \
    -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP

If the hitcount isn't exceeded, packets are accepted.

On 06/01/12 22:39, Jeff Love wrote:
> Are we sure that a getstatus packet's length is 42, and that there are no legitimate client packets
> of length 1162-1168?
> If so, this seems like a good fix. I just want to be sure I'm not blocking legitimate client packets.
>
> Jeff Love
> Burgh Gaming
>
>> You can try this:
>>
>> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
>> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
>> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set \
>>     --name getstatus_cod
>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" \
>>     -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>
>> This prevents your servers from being exploitable. If you are the target,
>> there's nothing in your hands to take UDP floods down; only your ISP can
>> blackhole the offending IPs.
>>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>

-- 


*David Aguilar Valero*

Commercial and Technical Support Dept.

NewLight Systems

*Game servers, hardware, dedicated servers*


*crk01 at nls.es* <mailto:crk01 at nls.es>

crk01 at newlightsystems.com <mailto:crk01 at newlightsystems.com>

tecnico at newlightsystems.com <mailto:tecnico at newlightsystems.com>

#NewLight_Systems @ irc-hispano.org

*www.newlightsystems.com* <http://www.newlightsystems.com/>

*www.nls.es* <http://www.nls.es/>

This email and any files or attachments transmitted with it are intended
solely for the use of the intended recipient. This email is confidential
and may contain legally privileged information. If you are not the
intended recipient you should not read, disseminate, distribute, or copy
this email. If you have received this email in error, please notify the
sender immediately and delete it from your system.
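The rate limit that the two INPUT rules implement can be traced offline. The Python below is an added example, not code from the mailing-list post or from iptables itself: it models the xt_recent bookkeeping behind "--set" and "--update --seconds 1 --hitcount 20" (per-source timestamps, a 20-entry store matching the default ip_pkt_list_tot, an extra stamp recorded when --update matches), runs constructed packet traces through the two rules in order, and returns each packet's verdict. The hosts, timings and the 14-byte query payload are constructed for illustration; the exact bytes of a real getstatus query are not taken from the thread.

```python
"""Offline model of the two INPUT rules from the post.

Rule 1: -p UDP -m length --length 42 -m recent --set --name getstatus_cod
Rule 2: -p UDP -m string --string "getstatus" -m recent --update --seconds 1
        --hitcount 20 --name getstatus_cod -j DROP

xt_recent behaviour as modelled here (an approximation, assumed):
  --set     records a timestamp for the source address
  --update  matches when >= hitcount timestamps lie inside the window and,
            on a match, records one more timestamp
  the per-address store keeps at most 20 timestamps (default ip_pkt_list_tot)
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Tuple

WINDOW_SECONDS = 1.0
HITCOUNT = 20
TRIGGER_LEN = 42          # IP total length: 20 IP + 8 UDP + 14 payload bytes
MATCH_STRING = b"getstatus"
IP_PKT_LIST_TOT = 20


class Packet(NamedTuple):
    ts: float        # arrival time in seconds
    src: str         # source IP (spoofed to the victim in a reflection flood)
    length: int      # IP total length, what -m length compares against
    payload: bytes   # UDP payload, what -m string searches
    group: str = ""  # label used only to collect results per trace


class RecentList:
    """Per-source timestamp store in the spirit of xt_recent."""

    def __init__(self, max_stamps: int = IP_PKT_LIST_TOT) -> None:
        self.max_stamps = max_stamps
        self.stamps: Dict[str, Deque[float]] = defaultdict(deque)

    def set(self, src: str, now: float) -> None:
        """--set: add a timestamp, discarding the oldest beyond the cap."""
        d = self.stamps[src]
        d.append(now)
        while len(d) > self.max_stamps:
            d.popleft()

    def update(self, src: str, now: float, seconds: float, hitcount: int) -> bool:
        """--update --seconds N --hitcount M: true if the source was seen at
        least M times within the last N seconds; a match records a stamp."""
        d = self.stamps.get(src)
        if not d:
            return False
        hits = sum(1 for t in d if now - t <= seconds)
        if hits < hitcount:
            return False
        self.set(src, now)
        return True


def filter_packet(recent: RecentList, pkt: Packet) -> str:
    """Apply the two rules in order and return the verdict."""
    # Rule 1 has no -j target: it only records 42-byte packets and falls through.
    if pkt.length == TRIGGER_LEN:
        recent.set(pkt.src, pkt.ts)
    # Rule 2 drops a "getstatus" packet only once the source is over the hitcount.
    if MATCH_STRING in pkt.payload and recent.update(
        pkt.src, pkt.ts, WINDOW_SECONDS, HITCOUNT
    ):
        return "DROP"
    return "ACCEPT"


def run_trace(packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Run packets through a fresh recent list in arrival order."""
    recent = RecentList()
    return [(p, filter_packet(recent, p)) for p in sorted(packets, key=lambda p: p.ts)]


# Constructed 14-byte payload: 4 OOB bytes + "getstatus" + newline.
QUERY = b"\xff\xff\xff\xffgetstatus\n"


def run_demo() -> Dict[str, List[str]]:
    """Constructed traffic: verdicts per labelled trace."""
    legit = [Packet(1.5 * i, "203.0.113.10", 42, QUERY, "legit") for i in range(3)]
    # Spoofed victim address hit at 50 pkt/s: 40 queries inside 0.78 s.
    flood = [Packet(10.0 + 0.02 * i, "198.51.100.7", 42, QUERY, "flood") for i in range(40)]
    # 10 pkt/s from one address: never 20 inside any 1-second window.
    steady = [Packet(20.0 + 0.1 * i, "192.0.2.5", 42, QUERY, "steady") for i in range(25)]
    # Non-query traffic from the flooded address: no string match, never dropped.
    other = [Packet(10.51, "198.51.100.7", 100, b"\xff\xff\xff\xffconnect", "other")]
    # Same address 2 s after the flood: every stamp is outside the window again.
    after = [Packet(13.0, "198.51.100.7", 42, QUERY, "after")]
    result: Dict[str, List[str]] = defaultdict(list)
    for pkt, verdict in run_trace(legit + flood + steady + other + after):
        result[pkt.group].append(verdict)
    return dict(result)


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:7s} accept={verdicts.count('ACCEPT'):3d} drop={verdicts.count('DROP'):3d}")
```

Two properties of the rule pair show up in the trace: the flooded address gets its first 19 queries answered and everything after that in the same second dropped, while a moderate querier and non-query traffic from the same address are never touched. Note that the drop needs no length check of its own, so a "getstatus" query padded to a different size is still dropped once the address is listed, and that the xt_recent of that period bounded --hitcount by ip_pkt_list_tot (default 20), which the 20-entry cap in RecentList models.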
