Yeah I'm working on it... I'll keep you updated<br><br>
<div class="gmail_quote">On Sat, Jun 28, 2008 at 9:00 PM, Rüdiger Meier <<a href="mailto:sweet_f_a@gmx.de">sweet_f_a@gmx.de</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="Ih2E3d">On Saturday 28 June 2008 21:47:14 Geoff Goas wrote:<br>> Nevermind... just tried it out on my busy servers and its way too CPU<br>> intensive. I think I need to do better matching.<br><br></div>
Why your are filtering in PREROUTING? Do you run a dedicated firewall?<br>If not you should IMO filter in INPUT chain.<br>Also you should add more specific rules (interface, port range, udp and maybe<br>packetzize ...) to avoid that each packet goes through the expensive string<br>
compare.<br>Cant you just filter for too big packets. I see "--to 65535" - so If I<br>understand right all these packets are bigger than 65535 bytes.<br>Is cod4 using regular packets which are that big?<br><br>BTW If you really want to log (what is it good for expectly for testing?) you<br>
should "--limit" your logging rule because one could DoS your syslog/HD.<br><br>cu,<br>Rudi<br>
<div class="Ih2E3d"><br>> On Sat, Jun 28, 2008 at 3:30 PM, Geoff Goas <<a href="mailto:gitman@gmail.com">gitman@gmail.com</a>> wrote:<br>> > If your servers are being crashed due to the 'stat 7' packet exploit, use<br>
> > the following iptables rules to block that particular packet:<br>> ><br>> > -A PREROUTING -m string --hex-string "|737461747300007907|" --algo kmp<br>> > --to 65535 -j LOG --log-prefix "COD4STATS_EXPLOIT "<br>
> > -A PREROUTING -m string --hex-string "|737461747300007907|" --algo kmp<br>> > --to 65535 -j DROP<br>> > The first rule will log the attempt to syslog, the second will drop the<br>> > packet.<br>
> ><br>> > --<br>> > Geoff Goas<br>> > Network Engineer<br><br><br><br></div>---<br>To unsubscribe, send a blank email to <a href="mailto:cod-unsubscribe@icculus.org">cod-unsubscribe@icculus.org</a><br>
Mailing list archives: <a href="http://icculus.org/cgi-bin/ezmlm/ezmlm-cgi?38" target="_blank">http://icculus.org/cgi-bin/ezmlm/ezmlm-cgi?38</a><br><br><br></blockquote></div><br><br clear="all"><br>-- <br>Geoff Goas<br>Network Engineer