<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=ISO-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7601.17744"></HEAD>
<BODY bgColor=#ffffff text=#000000>
<DIV><FONT size=2 face=Arial>Like this?</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><PRE># record every UDP packet whose IP total length is 42 bytes in the "recent" list getstatus_cod
iptables -A INPUT -p udp -m length --length 42 -m recent --set --name getstatus_cod
# drop "getstatus" queries from a source that has hit that list 20 times within the last second
iptables -A INPUT -p udp -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP</PRE></DIV>
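<DIV><FONT size=2 face=Arial>Added example (not code from this thread): a Python script that parses the tcpdump dump Luca posted further down and reports where "getstatus" sits counted from the IP header (what iptables -m string --from/--to counts from at INPUT), from the UDP payload, and from the Ethernet header (what Wireshark's byte pane shows, 14 bytes more). It also returns the bytes a given --from/--to window selects, which is what Geoff asked iptables to log. Assumptions: the packet layout is the one in that dump, and the window check is a simplified model (the string must lie entirely inside bytes from..to of the IP packet), not the kernel's xt_string code.</FONT></DIV>

```python
# Added example; it is not code from the list thread. It takes the hex dump
# Luca posted (tcpdump -X prints the packet from the IP header onwards, so
# there is no Ethernet header in it) and reports where "getstatus" sits under
# the three offset conventions that get mixed up in the thread:
#   ip_packet  - counted from the first byte of the IP header, which is what
#                iptables "-m string --from/--to" counts from at INPUT
#   payload    - counted from the first byte of the UDP payload
#   ethernet   - counted from the Ethernet header, which is what Wireshark's
#                byte pane shows (14 bytes more than the IP offset)
# window_covers() is a simplified model of the --from/--to window (assumption:
# the match succeeds when the string lies entirely inside bytes from..to of
# the IP packet); it is not the kernel's xt_string code.
import struct

# Luca's dump from the thread; the three 0x00 bytes past the IP total length
# are Ethernet minimum-frame padding that tcpdump captured along with it.
DUMP_HEX = (
    "4500 002b 35b3 0000 7511 179b b612 80ad "
    "c0a8 010c 7012 7120 0017 0000 ffff ffff "
    "6765 7473 7461 7475 730a 0000 0000"
)
ETH_HDR_LEN = 14
NEEDLE = b"getstatus"


def hexdump_to_bytes(dump):
    """Turn the space-separated hex of tcpdump -X lines into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def parse_ip_udp(pkt):
    """Decode the IPv4 and UDP headers; return the fields and the UDP payload."""
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    total_len = struct.unpack_from("!H", pkt, 2)[0]   # what -m length compares
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    sport, dport, udp_len = struct.unpack_from("!HHH", pkt, ihl)
    payload = pkt[ihl + 8:total_len]
    if len(payload) != udp_len - 8:
        raise ValueError("UDP length disagrees with IP total length")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": payload,
        "padding": len(pkt) - total_len,
    }


def needle_offsets(pkt, needle=NEEDLE):
    """0-based offset of the first occurrence of needle under each convention."""
    hdr = parse_ip_udp(pkt)
    payload_off = hdr["payload"].find(needle)
    if payload_off < 0:
        raise ValueError("%r not found in the UDP payload" % needle)
    ip_off = hdr["ihl"] + 8 + payload_off
    return {
        "payload": payload_off,
        "ip_packet": ip_off,
        "ethernet": ETH_HDR_LEN + ip_off,
        "wireshark_1based": ETH_HDR_LEN + ip_off + 1,
    }


def window_bytes(pkt, frm, to):
    """The bytes a --from FRM --to TO window selects (IP packet offsets, inclusive)."""
    return pkt[frm:to + 1]


def window_covers(pkt, frm, to, needle=NEEDLE):
    """Simplified model: True when needle lies entirely inside bytes frm..to."""
    start = needle_offsets(pkt, needle)["ip_packet"]
    return frm <= start and start + len(needle) - 1 <= to


if __name__ == "__main__":
    pkt = hexdump_to_bytes(DUMP_HEX)
    hdr = parse_ip_udp(pkt)
    print("%s:%d -> %s:%d  total_len=%d  padding=%d" % (
        hdr["src"], hdr["sport"], hdr["dst"], hdr["dport"],
        hdr["total_len"], hdr["padding"]))
    print("payload:", hdr["payload"])
    for name, off in needle_offsets(pkt).items():
        print("%-18s %d" % (name, off))
    for frm, to in ((31, 41), (32, 41), (33, 41), (32, 39)):
        print("--from %d --to %d sees %r -> covers getstatus: %s" % (
            frm, to, window_bytes(pkt, frm, to), window_covers(pkt, frm, to)))
```

<DIV><FONT size=2 face=Arial>Run as-is it reports 32 for the IP packet offset and 46 for the Ethernet offset (47 counting from 1), and shows that --from 32 --to 41 covers the string while --from 33 does not. Two caveats for rules like the ones above: -m length compares the IP total length (header included), which is 43 in this capture, so read the value off your own clients' packets before pinning it to a single number; and an offset read from Wireshark's byte pane needs 14 subtracted before it goes into --from/--to.</FONT></DIV>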
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=evcz@evcz.tk href="mailto:evcz@evcz.tk">Marco Padovan</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cod@icculus.org
href="mailto:cod@icculus.org">Call of Duty server admin list.</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, February 24, 2012 1:35
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [cod] CoD2 UDP flood</DIV>
<DIV><BR></DIV><FONT size=-1><FONT face=Verdana>iptables
rules</FONT></FONT><BR><BR>On 24/02/2012 13:28, <A
class=moz-txt-link-abbreviated
href="mailto:david.lauriou@wanadoo.fr">david.lauriou@wanadoo.fr</A>
wrote:
<BLOCKQUOTE cite=mid:5FFB5CF414B043ADA2D67047DA398F6B@DAVIDPC type="cite">
<META name=GENERATOR content="MSHTML 8.00.7601.17744">
<STYLE></STYLE>
<DIV><FONT size=2 face=Arial>For COD4, what is the best method to remove the UDP
flooding exploit?</FONT></DIV>
<DIV> </DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=evcz@evcz.tk href="mailto:evcz@evcz.tk"
moz-do-not-send="true">Marco Padovan</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cod@icculus.org
href="mailto:cod@icculus.org" moz-do-not-send="true">Call of Duty server
admin list.</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, February 24, 2012 12:10
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [cod] CoD2 UDP
flood</DIV>
<DIV><BR></DIV><FONT size=-1><FONT face=Verdana>Be aware that there are
two different ways to talk about offset: packet offset (includes header)
and payload offset (does not include header)</FONT></FONT><BR><BR>On
24/02/2012 10:41, Geoff Goas wrote:
<BLOCKQUOTE
cite=mid:CAB8_CqKt=euaic0khRyEDAVW95k8jfv51qOwrGWJTRcMwivvmg@mail.gmail.com
type="cite">You're right, and I see my error. That is frustrating
because I have no idea why it doesn't work with the offset specified
then.<BR><BR>
<DIV class=gmail_quote>On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame
Fabbro <SPAN dir=ltr><<A href="mailto:farflame@cybergames.it"
moz-do-not-send="true">farflame@cybergames.it</A>></SPAN> wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV style="WORD-WRAP: break-word">
<DIV>Try this command</DIV>tcpdump -c 4 -nnvvvXS dst port 28960
<DIV>where port is the port that you want to monitor</DIV>
<DIV>should be something like</DIV>
<DIV><BR></DIV>
<DIV>
<DIV><FONT face="'Courier New'"> 0x0000:
4500 002b 35b3 0000 7511 179b b612 80ad
E..+5...u.......</FONT></DIV>
<DIV><FONT face="'Courier New'"> 0x0010:
c0a8 010c 7012 7120 0017 0000 ffff ffff
....p.q.........</FONT></DIV>
<DIV><FONT face="'Courier New'"> 0x0020:
6765 7473 7461 7475 730a 0000 0000
getstatus.....</FONT></DIV></DIV>
<DIV>
<DIV class=h5>
<DIV><BR></DIV>
<DIV>On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:</DIV>
<DIV>
<DIV><BR>
<BLOCKQUOTE type="cite">That is strange, because if I use those
values, it does not work. If I use "--from 31" alone, then it works.
As soon as I change that to 32, it stops working. When I inspect the
packets in Wireshark, the "getstatus" string starts at offset 48 if
counting from 1. Would there be a way for iptables to print to log
what it sees in the specified offset range?<BR><BR>
<DIV class=gmail_quote>On Fri, Feb 24, 2012 at 3:28 AM, Luca
Farflame Fabbro <SPAN dir=ltr><<A
href="mailto:farflame@cybergames.it" target=_blank
moz-do-not-send="true">farflame@cybergames.it</A>></SPAN>
wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV style="WORD-WRAP: break-word">The length of the packet doesn't
matter.
<DIV>That rule will try to find the string "getstatus" starting at
position 32 bytes from the start of the packet, searching for it up
to position 41 at most.</DIV>
<DIV>The Q3 protocol for that command expects the string to be in
that range.<BR>
<DIV><BR>
<DIV>
<DIV>
<DIV>On Feb 24, 2012, at 1:11 AM, Geoff Goas
wrote:</DIV><BR></DIV>
<BLOCKQUOTE type="cite">
<DIV>Is the offset range of 32-41 based on a 60-byte
packet?<BR><BR>
<DIV class=gmail_quote>On Thu, Feb 23, 2012 at 10:34 AM, Marco
Padovan <SPAN dir=ltr><<A href="mailto:evcz@evcz.tk"
target=_blank moz-do-not-send="true">evcz@evcz.tk</A>></SPAN>
wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV bgcolor="#FFFFFF" text="#000000">iptables -A INPUT -p udp
-m string --string "getstatus" --algo bm --from 32 --to 41 -j
DROP<BR><BR></DIV></BLOCKQUOTE></DIV></DIV>
<DIV>-- <BR><I><B><FONT size=1><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Geoff Goas</SPAN><BR
style="FONT-FAMILY: tahoma,sans-serif"><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Systems
Engineer</SPAN></FONT></B></I><BR><BR>_______________________________________________<BR>cod
mailing list<BR><A href="mailto:cod@icculus.org" target=_blank
moz-do-not-send="true">cod@icculus.org</A><BR><A
href="http://icculus.org/mailman/listinfo/cod" target=_blank
moz-do-not-send="true">http://icculus.org/mailman/listinfo/cod</A><BR></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR><I><B><FONT size=1><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Geoff Goas</SPAN><BR
style="FONT-FAMILY: tahoma,sans-serif"><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Systems
Engineer</SPAN></FONT></B></I><BR></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></DIV></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR><I><B><FONT size=1><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Geoff Goas</SPAN><BR
style="FONT-FAMILY: tahoma,sans-serif"><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Systems
Engineer</SPAN></FONT></B></I><BR><BR><BR>
</BLOCKQUOTE>
</BLOCKQUOTE><BR>
</BLOCKQUOTE>
</BLOCKQUOTE></BODY></HTML>