[cod] COD 4 UDP security leak

Marco Padovan evcz at evcz.tk
Fri Jan 6 18:22:43 EST 2012


additionally:
there are attacks with 42 bytes and others with 43 bytes... the length can be
changed and the gameserver can be exploited just by padding the packet
if you filter by length...

to confirm, please issue this command on one of your servers:
tcpdump -nn dst host 69.172.200.88

at the moment that's an ongoing 43-byte attack, if I'm not mistaken... so
that one could be evading your rule and you might see outgoing traffic

On 07/01/2012 00:10, NewLight Systems wrote:
> You can play with your hitcount. This can be due to HLSW, xfire, etc.
>
>
> On 07/01/12 0:02, Jeff Love wrote:
>> I'm getting a lot of matches on those rules. This is after less than an hour in place.
>>
>> pkts  bytes target  prot opt in  out  source     destination
>> 288K  12M           udp  --  *   *    0.0.0.0/0  0.0.0.0/0    length 42 recent: SET name: getstatus_cod side: source
>> 254K  11M   DROP    udp  --  *   *    0.0.0.0/0  0.0.0.0/0    STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source
>>
>> Jeff Love
>> Burgh Gaming
>>
>>> I've been using these rules for some months now with no problem.
>>>
>>> The key is that:
>>>
>>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
>>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>>
>>> If the hitcount isn't exceeded, packets are accepted.
>>>
>>> On 06/01/12 22:39, Jeff Love wrote:
>>>> Are we sure that a getstatus packet length is 42, and that there are no legitimate client packets
>>>> of length 1162-1168?
>>>> If so, this seems like a good fix. I just want to be sure I'm not blocking legitimate client
>>>> packets.
>>>>
>>>> Jeff Love
>>>> Burgh Gaming
>>>>
>>>>> You can try this:
>>>>>
>>>>> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
>>>>> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
>>>>> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
>>>>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
>>>>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>>>>
>>>>> This prevents your servers from being exploitable. If you are the target
>>>>> there's nothing you can do to take UDP floods down; only your ISP can
>>>>> blackhole the offending IPs.
>>>>>
>>>> _______________________________________________
>>>> cod mailing list
>>>> cod at icculus.org
>>>> http://icculus.org/mailman/listinfo/cod
>>>>
>>> --
>>>
>>>
>>> *David Aguilar Valero*
>>>
>>> Commercial and Technical Support Dept.
>>>
>>> NewLight Systems
>>>
>>> *Game servers, HW, Dedicated*
>>>
>>>
>>> *crk01 at nls.es*
>>>
>>> crk01 at newlightsystems.com <mailto:crk01 at newlightsystems.com>
>>>
>>> tecnico at newlightsystems.com <mailto:tecnico at newlightsystems.com>
>>>
>>> #NewLight_Systems @ irc-hispano.org
>>>
>>> *www.newlightsystems.com* <http://www.newlightsystems.com/>
>>>
>>> *www.nls.es* <http://www.nls.es/>
>>>
>>
>