[cod] COD 4 UDP security leak

Jeff Love jl at burghcom.com
Fri Jan 6 18:02:59 EST 2012


I'm getting a lot of matches on those rules. This is after less than an hour in place.

 pkts bytes target     prot opt in     out     source               destination
 288K   12M            udp  --  *      *       0.0.0.0/0            0.0.0.0/0           length 42 recent: SET name: getstatus_cod side: source
 254K   11M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source

Jeff Love
Burgh Gaming

> I've been using these rules for some months now and had no problem.
>
> The key is that:
>
> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set
> --name getstatus_cod
> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus"
> -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>
> If the hitcount isn't exceeded, packets are accepted.
>
> On 06/01/12 22:39, Jeff Love wrote:
>> Are we sure that a getstatus packet's length is 42, and that there are no legitimate client packets
>> of length 1162-1168?
>> If so, this seems like a good fix. I just want to be sure I'm not blocking legitimate client
>> packets.
>>
>> Jeff Love
>> Burgh Gaming
>>
>>> You can try this:
>>>
>>> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
>>> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
>>> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
>>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set
>>> --name getstatus_cod
>>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus"
>>> -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>>
>>> This prevents your servers from being exploitable. If you are the target
>>> there's nothing in your hands to take UDP floods down; only your ISP can
>>> blackhole offending IPs.
>>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>
> --
>
> *David Aguilar Valero*
>
> Commercial and Technical Support Dept.
>
> NewLight Systems
>
> *Game servers, HW, Dedicated*
>
> *crk01 at nls.es*
>
> crk01 at newlightsystems.com
>
> tecnico at newlightsystems.com
>
> #NewLight_Systems @ irc-hispano.org
>
> *www.newlightsystems.com* <http://www.newlightsystems.com/>
>
> *www.nls.es* <http://www.nls.es/>
>
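To check the two questions raised in the thread (is a getstatus probe really a 42-byte packet, and does the hitcount rule let an ordinary client through while throttling a flood?), here is an added Python model of the two xt_recent rules; it is not code from the list or from any of the posters. It assumes the common probe form `\xff\xff\xff\xffgetstatus\n`, the kernel's default ip_pkt_list_tot of 20 remembered timestamps per source, and constructed sample traffic from documentation addresses.

```python
# Added model of the thread's two xt_recent rules (not code from the list); assumptions in the lead-in.
from collections import defaultdict, deque

IP_HDR, UDP_HDR = 20, 8               # -m length compares the IP total length; no IP options assumed
SECONDS, HITCOUNT = 1.0, 20            # values from the DROP rule
LIST_TOT = 20                          # xt_recent ip_pkt_list_tot default; a --hitcount above it fails to load
PROBE = b"\xff\xff\xff\xffgetstatus\n" # assumed probe form: 4-byte OOB marker + "getstatus" + newline

def ip_length(payload: bytes) -> int:
    """IP total length of a UDP datagram carrying payload; PROBE gives 20 + 8 + 14 = 42."""
    return IP_HDR + UDP_HDR + len(payload)

class RecentTable:
    """Per-source ring of timestamps, as xt_recent keeps for --name getstatus_cod."""
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def set(self, src, now):              # --set: unconditional, records one hit
        self.stamps[src].append(now)

    def update(self, src, now):
        """--update: match if >= HITCOUNT stamps lie within the last SECONDS; a match also
        appends a fresh stamp, so a source that keeps flooding stays inside the window."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if t >= now - SECONDS)
        if hits >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False

def filter_input(packets):
    """Run (time, src, payload) packets, in order, through both rules; returns {src: (accepted, dropped)}."""
    table, tally = RecentTable(), defaultdict(lambda: [0, 0])
    for now, src, payload in packets:
        if ip_length(payload) == 42:                          # rule 1: any 42-byte UDP packet counts
            table.set(src, now)
        if b"getstatus" in payload and table.update(src, now):  # rule 2: drop once over the limit
            tally[src][1] += 1
        else:
            tally[src][0] += 1
    return {src: tuple(v) for src, v in tally.items()}

def sample_stream():
    """Constructed traffic: one ordinary client and one spoofed-source flood (per-source order is chronological)."""
    client, flood = "203.0.113.10", "198.51.100.7"
    pkts = [(0.0, client, PROBE)]                                                     # one status query
    pkts += [(0.1 * i, client, b"\xff\xff\xff\xffgame-data") for i in range(1, 31)]  # normal play, 41 bytes
    pkts += [(0.01 * i, flood, PROBE) for i in range(50)] + [(5.0, flood, PROBE)]    # burst, then one later
    return pkts
```

With these settings the client's single query and all its game traffic pass, while the burst source gets 19 probes answered in the first second and the rest dropped until the window lapses; the 1162-1168 byte length rules from the earlier reply are a separate matter and are not modelled here.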
