[cod] COD 4 UDP security leak

Marco Padovan evcz at evcz.tk
Fri Jan 6 18:15:59 EST 2012 

Additionally please be aware that the recent module is very limited by
default

IIRC correctly it just track 20packets per source

/sys/module/xt_recent/parameters/ip_pkt_list_tot
and
/sys/module/xt_recent/parameters/ip_list_tot

might be two values you want to tweak too ;)

Il 07/01/2012 00:10, NewLight Systems ha scritto:
> You can play with your hitcount. This can be due to HLSW, xfire, etc
>
>
> El 07/01/12 0:02, Jeff Love escribió:
>> I'm getting a lot of matches on those rules. This is after less than an hour in place.
>>
>> pkts bytes target     prot opt in     out     source               destination
>> 288K   12M            udp  --  *      *       0.0.0.0/0            0.0.0.0/0           length 42
>> recent: SET name: getstatus_cod side: source
>>  254K   11M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING
>> match "getstatus" ALGO name bm TO 65535recent: UPDATE seconds: 1 hit_count: 20 name:
>> getstatus_cod side: source
>>
>> Jeff Love
>> Burgh Gaming
>>
>>> I've with this rules since some months ago and no problem.
>>>
>>> The key is that:
>>>
>>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set
>>> --name getstatus_cod
>>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus"
>>> -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>>
>>> If hitcount isn't overloaded packets are accepted
>>>
>>> El 06/01/12 22:39, Jeff Love escribió:
>>>> Are we sure that a getstatus packet length is 42, and that there are no legitimate client packet
>>>> length 1162-1168?
>>>> If so, this seems like a good fix. I just want to be sure I'm not blocking legitimate client
>>>> packets.
>>>>
>>>> Jeff Love
>>>> Burgh Gaming
>>>>
>>>>> You can try this:
>>>>>
>>>>> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
>>>>> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
>>>>> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
>>>>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set
>>>>> --name getstatus_cod
>>>>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus"
>>>>> -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>>>>
>>>>> This prevents your servers to be exploitable. If you are the target
>>>>> there's nothing in your hand to take UDP floods down, only your ISP can
>>>>> blackhole offending IPS
>>>>>
>>>> _______________________________________________
>>>> cod mailing list
>>>> cod at icculus.org
>>>> http://icculus.org/mailman/listinfo/cod
>>>>
>>> --
>>>
>>>
>>> *David Aguilar Valero*
>>>
>>> Dpto. Comercial y Soporte técnico
>>>
>>> NewLight Systems
>>>
>>> *Servidores de juegos, HW, Dedicados*
>>>
>>>
>>> *crk01 at nls.es* <mailto:c>
>>>
>>> crk01 at newlightsystems.com <mailto:crk01 at newlightsystems.com>
>>>
>>> tecnico at newlightsystems.com <mailto:tecnico at newlightsystems.com>
>>>
>>> #NewLight_Systems @ irc-hispano.org
>>>
>>> *www.newlightsystems.com* <http://www.newlightsystems.com/>
>>>
>>> *www.nls.es* <http://www.nls.es/>
>>>
>>> This email and any files or attachments transmitted with it are intended
>>> solely for the use of the intended recipient. This email is confidential
>>> and may contain legally privileged information. If you are not the
>>> intended recipient you should not read, disseminate, distribute, or copy
>>> this email. If you have received this email in error, please notify the
>>> sender immediately and delete it from your system.
>>>
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org
>>> http://icculus.org/mailman/listinfo/cod
>>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>
> -- 
>
>
> *David Aguilar Valero*
>
> Dpto. Comercial y Soporte técnico
>
> NewLight Systems
>
> *Servidores de juegos, HW, Dedicados*
>
>
> *crk01 at nls.es* <mailto:c>
>
> crk01 at newlightsystems.com <mailto:crk01 at newlightsystems.com>
>
> tecnico at newlightsystems.com <mailto:tecnico at newlightsystems.com>
>
> #NewLight_Systems @ irc-hispano.org
>
> *www.newlightsystems.com* <http://www.newlightsystems.com/>
>
> *www.nls.es* <http://www.nls.es/>
>
> This email and any files or attachments transmitted with it are
> intended solely for the use of the intended recipient. This email is
> confidential and may contain legally privileged information. If you
> are not the intended recipient you should not read, disseminate,
> distribute, or copy this email. If you have received this email in
> error, please notify the sender immediately and delete it from your
> system.
>
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20120107/5b04982b/attachment.htm>

More information about the cod mailing list