<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">You can either use the one you
linked from modsrepository or the more "complex" one that was
posted on this list</font></font><br>
<br>
On 24/02/2012 14:03, <a class="moz-txt-link-abbreviated" href="mailto:david.lauriou@wanadoo.fr">david.lauriou@wanadoo.fr</a> wrote:
<blockquote cite="mid:FE800EA23EA342F1BDBF79308F484B77@DAVIDPC"
type="cite">
<div><font face="Arial" size="2">the rule is?</font></div>
<div> </div>
<blockquote style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT:
5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<div style="FONT: 10pt arial">----- Original Message ----- </div>
<div style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color:
black"><b>From:</b> <a moz-do-not-send="true"
title="evcz@evcz.tk" href="mailto:evcz@evcz.tk">Marco
Padovan</a> </div>
<div style="FONT: 10pt arial"><b>To:</b> <a
moz-do-not-send="true" title="cod@icculus.org"
href="mailto:cod@icculus.org">cod@icculus.org</a> </div>
<div style="FONT: 10pt arial"><b>Sent:</b> Friday, February 24,
2012 2:00 PM</div>
<div style="FONT: 10pt arial"><b>Subject:</b> Re: [cod] CoD2 UDP
flood</div>
<div><br>
</div>
<font size="-1"><font face="Verdana">that rule is very basic.<br>
<br>
cod1, cod1.5, cod2 and cod4 all suffer the same problem and
are exploited in the same exact way.<br>
<br>
So an iptables that fixes the cod4 problem works also for
cod2 and cod1<br>
</font></font><br>
On 24/02/2012 13:51, <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:david.lauriou@wanadoo.fr">david.lauriou@wanadoo.fr</a>
wrote:
<blockquote cite="mid:B1B47B587A62421EBC134635AC09C070@DAVIDPC"
type="cite">
<div><font face="Arial" size="2">I've found this: <a
href="http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers"
moz-do-not-send="true">http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers</a><br>
<br>
it's for cod4, not for COD2!</font></div>
<div> </div>
<blockquote style="BORDER-LEFT: #000000 2px solid;
PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px;
MARGIN-RIGHT: 0px">
<div style="FONT: 10pt arial">----- Original Message ----- </div>
<div style="FONT: 10pt arial; BACKGROUND: #e4e4e4;
font-color: black"><b>From:</b> <a title="evcz@evcz.tk"
href="mailto:evcz@evcz.tk" moz-do-not-send="true">Marco
Padovan</a> </div>
<div style="FONT: 10pt arial"><b>To:</b> <a
title="cod@icculus.org" href="mailto:cod@icculus.org"
moz-do-not-send="true">cod@icculus.org</a> </div>
<div style="FONT: 10pt arial"><b>Sent:</b> Friday, February
24, 2012 1:49 PM</div>
<div style="FONT: 10pt arial"><b>Subject:</b> Re: [cod] CoD2
UDP flood</div>
<div><br>
</div>
<font size="-1"><font face="Verdana">NO!<br>
<br>
Read the messages that got posted in the last 2 days...<br>
<br>
This should be a proper ruleset:<br>
</font></font><a
href="http://icculus.org/pipermail/cod/2012-February/015927.html"
moz-do-not-send="true">http://icculus.org/pipermail/cod/2012-February/015927.html</a><br>
<br>
On 24/02/2012 13:47, <a class="moz-txt-link-abbreviated"
href="mailto:david.lauriou@wanadoo.fr"
moz-do-not-send="true">david.lauriou@wanadoo.fr</a>
wrote:
<blockquote
cite="mid:5411B6234B1445D19576CBC47594060B@DAVIDPC"
type="cite">
<div><font face="Arial" size="2">like this?</font></div>
<div> </div>
<div>
<pre>iptables -A INPUT -p udp -m length --length 42 -m recent --set --name getstatus_cod
iptables -A INPUT -p udp -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP</pre>
</div>
<blockquote style="BORDER-LEFT: #000000 2px solid;
PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px;
MARGIN-RIGHT: 0px">
<div style="FONT: 10pt arial">----- Original Message
----- </div>
<div style="FONT: 10pt arial; BACKGROUND: #e4e4e4;
font-color: black"><b>From:</b> <a
title="evcz@evcz.tk" href="mailto:evcz@evcz.tk"
moz-do-not-send="true">Marco Padovan</a> </div>
<div style="FONT: 10pt arial"><b>To:</b> <a
title="cod@icculus.org"
href="mailto:cod@icculus.org" moz-do-not-send="true">Call
of Duty server admin list.</a> </div>
<div style="FONT: 10pt arial"><b>Sent:</b> Friday,
February 24, 2012 1:35 PM</div>
<div style="FONT: 10pt arial"><b>Subject:</b> Re: [cod]
CoD2 UDP flood</div>
<div><br>
</div>
<font size="-1"><font face="Verdana">iptables rules</font></font><br>
<br>
On 24/02/2012 13:28, <a
class="moz-txt-link-abbreviated"
href="mailto:david.lauriou@wanadoo.fr"
moz-do-not-send="true">david.lauriou@wanadoo.fr</a>
wrote:
<blockquote
cite="mid:5FFB5CF414B043ADA2D67047DA398F6B@DAVIDPC"
type="cite">
<div><font face="Arial" size="2">for COD4 what is the
best method to remove the UDP flooding exploit?</font></div>
<div> </div>
<blockquote style="BORDER-LEFT: #000000 2px solid;
PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT:
5px; MARGIN-RIGHT: 0px">
<div style="FONT: 10pt arial">----- Original Message
----- </div>
<div style="FONT: 10pt arial; BACKGROUND: #e4e4e4;
font-color: black"><b>From:</b> <a
title="evcz@evcz.tk" href="mailto:evcz@evcz.tk"
moz-do-not-send="true">Marco Padovan</a> </div>
<div style="FONT: 10pt arial"><b>To:</b> <a
title="cod@icculus.org"
href="mailto:cod@icculus.org"
moz-do-not-send="true">Call of Duty server admin
list.</a> </div>
<div style="FONT: 10pt arial"><b>Sent:</b> Friday,
February 24, 2012 12:10 PM</div>
<div style="FONT: 10pt arial"><b>Subject:</b> Re:
[cod] CoD2 UDP flood</div>
<div><br>
</div>
<font size="-1"><font face="Verdana">Be aware that
there are two different ways to talk about
offset: packet offset (includes header) and
payload offset</font></font> (does not include
header)<br>
<br>
On 24/02/2012 10:41, Geoff Goas wrote:
<blockquote
cite="mid:CAB8_CqKt=euaic0khRyEDAVW95k8jfv51qOwrGWJTRcMwivvmg@mail.gmail.com"
type="cite">You're right, and I see my error. That
is frustrating because I have no idea why it
doesn't work with the offset specified then.<br>
<br>
<div class="gmail_quote">On Fri, Feb 24, 2012 at
4:10 AM, Luca Farflame Fabbro <span dir="ltr">&lt;<a
href="mailto:farflame@cybergames.it"
moz-do-not-send="true">farflame@cybergames.it</a>&gt;</span>
wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid;
MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class="gmail_quote">
<div style="WORD-WRAP: break-word">
<div>Try this command</div>
tcpdump -c 4 -nnvvvXS dst port 28960
<div>where port is the port that you want to
monitor</div>
<div>should be something like</div>
<div><br>
</div>
<div>
<div><font face="'Courier New'">0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad E..+5...u.......</font></div>
<div><font face="'Courier New'">0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff ....p.q.........</font></div>
<div><font face="'Courier New'">0x0020: 6765 7473 7461 7475 730a 0000 0000 getstatus.....</font></div>
</div>
<div>
<div class="h5">
<div><br>
</div>
<div>On Feb 24, 2012, at 9:54 AM, Geoff
Goas wrote:</div>
<div>
<div><br>
<blockquote type="cite">That is
strange, because if I use those
values, it does not work. If I use
"--from 31" alone, then it works.
As soon as I change that to 32, it
stops working. When I inspect the
packets in Wireshark, the
"getstatus" string starts at
offset 48 if counting from 1.
Would there be a way for iptables
to print to log what it sees in
the specified offset range?<br>
<br>
<div class="gmail_quote">On Fri,
Feb 24, 2012 at 3:28 AM, Luca
Farflame Fabbro <span dir="ltr">&lt;<a
href="mailto:farflame@cybergames.it" target="_blank"
moz-do-not-send="true">farflame@cybergames.it</a>&gt;</span>
wrote:<br>
<blockquote style="BORDER-LEFT:
#ccc 1px solid; MARGIN: 0px
0px 0px 0.8ex; PADDING-LEFT:
1ex" class="gmail_quote">
<div style="WORD-WRAP:
break-word">It doesn't
matter the length of the
packet.
<div>That rule will try to
find the string "getstatus"
starting at position 32
bytes from start of packet
and searching for it at
maximum at position 41.</div>
<div>The Q3 protocol for
that command expects the
string to be in that
range.<br>
<div><br>
<div>
<div>
<div>On Feb 24,
2012, at 1:11 AM,
Geoff Goas wrote:</div>
<br>
</div>
<blockquote
type="cite">
<div>Is the offset
range of 32-41
based on a 60-byte
packet?<br>
<br>
<div
class="gmail_quote">On
Thu, Feb 23,
2012 at 10:34
AM, Marco
Padovan <span
dir="ltr">&lt;<a
href="mailto:evcz@evcz.tk" target="_blank" moz-do-not-send="true">evcz@evcz.tk</a>&gt;</span>
wrote:<br>
<blockquote
style="BORDER-LEFT:
rgb(204,204,204)
1px solid;
MARGIN: 0px
0px 0px 0.8ex;
PADDING-LEFT:
1ex"
class="gmail_quote">
<div
bgcolor="#FFFFFF"
text="#000000">iptables
-A INPUT -p
udp -m string
--string
"getstatus"
--algo bm
--from 32 --to
41 -j DROP<br>
<br>
</div>
</blockquote>
</div>
</div>
<div>-- <br>
<i><b><font
size="1"><span
style="FONT-FAMILY:
tahoma,sans-serif">Geoff Goas</span><br style="FONT-FAMILY:
tahoma,sans-serif">
<span
style="FONT-FAMILY:
tahoma,sans-serif">Systems Engineer</span></font></b></i><br>
<br>
_______________________________________________<br>
cod mailing list<br>
<a
href="mailto:cod@icculus.org"
target="_blank"
moz-do-not-send="true">cod@icculus.org</a><br>
<a
href="http://icculus.org/mailman/listinfo/cod"
target="_blank"
moz-do-not-send="true">http://icculus.org/mailman/listinfo/cod</a><br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span
style="FONT-FAMILY:
tahoma,sans-serif">Geoff
Goas</span><br
style="FONT-FAMILY:
tahoma,sans-serif">
<span style="FONT-FAMILY:
tahoma,sans-serif">Systems
Engineer</span></font></b></i><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span style="FONT-FAMILY:
tahoma,sans-serif">Geoff Goas</span><br
style="FONT-FAMILY: tahoma,sans-serif">
<span style="FONT-FAMILY: tahoma,sans-serif">Systems
Engineer</span></font></b></i><br>
<br>
<br>
</blockquote>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
</blockquote>
<p> </p>
</blockquote>
<br>
</blockquote>
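<p>Added example, not part of the original thread: the tcpdump hex dump quoted above, parsed to show where "getstatus" sits under each offset convention raised in the discussion (packet offset counted from the IP header, payload offset counted from the UDP payload). The function names, the re-typed dump and the 14-byte Ethernet header used for the frame offset are assumptions of this example.</p>
<pre>
```python
import re
import struct

# Constructed sample: the three tcpdump -X lines quoted in the thread,
# re-typed with tcpdump's usual two-space gap before the ASCII column.
DUMP = """\
0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....
"""

ETH_HEADER_LEN = 14  # assumption: untagged Ethernet II header in front of IP
UDP_HEADER_LEN = 8
LINE_RE = re.compile(r"\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} )+)")


def dump_to_bytes(dump):
    """Rebuild the raw packet bytes from tcpdump -X output lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def locate(packet, needle=b"getstatus"):
    """Return where needle sits under each offset convention."""
    if packet[0] // 16 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ip_header_len = (packet[0] % 16) * 4       # IHL counts 32-bit words
    payload_start = ip_header_len + UDP_HEADER_LEN
    dst_port = struct.unpack_from("!H", packet, ip_header_len + 2)[0]
    pos = packet.find(needle, payload_start)
    if pos == -1:
        raise ValueError("needle not found in UDP payload")
    return {
        "dst_port": dst_port,
        "packet_offset": pos,                   # from first IP header byte
        "packet_end": pos + len(needle) - 1,    # last byte of the string
        "payload_offset": pos - payload_start,  # from first UDP payload byte
        "frame_offset": pos + ETH_HEADER_LEN,   # from first Ethernet byte
    }


if __name__ == "__main__":
    for key, value in locate(dump_to_bytes(DUMP)).items():
        print(key, value)
```
</pre>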
</body>
</html>