<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font size="-1"><font face="Verdana">iptables rules</font></font><br>
    <br>
    On 24/02/2012 13:28, <a class="moz-txt-link-abbreviated" href="mailto:david.lauriou@wanadoo.fr">david.lauriou@wanadoo.fr</a> wrote:
    <blockquote cite="mid:5FFB5CF414B043ADA2D67047DA398F6B@DAVIDPC"
      type="cite">
      <div><font face="Arial" size="2">For COD4, what is the best method
          to remove the UDP flooding exploit?</font></div>
      <div>&nbsp;</div>
      <blockquote style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT:
        5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
        <div style="FONT: 10pt arial">----- Original Message ----- </div>
        <div style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color:
          black"><b>From:</b> <a moz-do-not-send="true"
            title="evcz@evcz.tk" href="mailto:evcz@evcz.tk">Marco
            Padovan</a> </div>
        <div style="FONT: 10pt arial"><b>To:</b> <a
            moz-do-not-send="true" title="cod@icculus.org"
            href="mailto:cod@icculus.org">Call of Duty server admin
            list.</a> </div>
        <div style="FONT: 10pt arial"><b>Sent:</b> Friday, February 24,
          2012 12:10 PM</div>
        <div style="FONT: 10pt arial"><b>Subject:</b> Re: [cod] CoD2 UDP
          flood</div>
        <div><br>
        </div>
        <font size="-1"><font face="Verdana">Be aware that there are two
            different ways to talk about offset: packet offset (includes
            header) and payload offset</font></font> (does not include
        header)<br>
        <br>
        On 24/02/2012 10:41, Geoff Goas wrote:
        <blockquote
cite="mid:CAB8_CqKt=euaic0khRyEDAVW95k8jfv51qOwrGWJTRcMwivvmg@mail.gmail.com"
          type="cite">You're right, and I see my error. That is
          frustrating because I have no idea why it doesn't work with
          the offset specified then.<br>
          <br>
          <div class="gmail_quote">On Fri, Feb 24, 2012 at 4:10 AM, Luca
            Farflame Fabbro <span dir="ltr">&lt;<a
                href="mailto:farflame@cybergames.it"
                moz-do-not-send="true">farflame@cybergames.it</a>&gt;</span>
            wrote:<br>
            <blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px
              0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
              <div style="WORD-WRAP: break-word">
                <div>Try this command</div>
                tcpdump -c 4 -nnvvvXS dst port 28960
                <div>where port is the port that you want to monitor</div>
                <div>should be something like</div>
                <div><br>
                </div>
                <div>
                  <div><font face="'Courier New'">&nbsp; &nbsp; &nbsp; &nbsp; 0x0000: &nbsp;4500
                      002b 35b3 0000 7511 179b b612 80ad
                      &nbsp;E..+5...u.......</font></div>
                  <div><font face="'Courier New'">&nbsp; &nbsp; &nbsp; &nbsp; 0x0010: &nbsp;c0a8
                      010c 7012 7120 0017 0000 ffff ffff
                      &nbsp;....p.q.........</font></div>
                  <div><font face="'Courier New'">&nbsp; &nbsp; &nbsp; &nbsp; 0x0020: &nbsp;6765
                      7473 7461 7475 730a 0000 0000 &nbsp; &nbsp; &nbsp; getstatus.....</font></div>
                </div>
                <div>
                  <div class="h5">
                    <div><br>
                    </div>
                    <div>On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:</div>
                    <div>
                      <div><br>
                        <blockquote type="cite">That is strange, because
                          if I use those values, it does not work. If I
                          use "--from 31" alone, then it works. As soon
                          as I change that to 32, it stops working. When
                          I inspect the packets in Wireshark, the
                          "getstatus" string starts at offset 48 if
                          counting from 1. Would there be a way for
                          iptables to print to log what it sees in the
                          specified offset range?<br>
                          <br>
                          <div class="gmail_quote">On Fri, Feb 24, 2012
                            at 3:28 AM, Luca Farflame Fabbro <span
                              dir="ltr">&lt;<a
                                href="mailto:farflame@cybergames.it"
                                target="_blank" moz-do-not-send="true">farflame@cybergames.it</a>&gt;</span>
                            wrote:<br>
                            <blockquote style="BORDER-LEFT: #ccc 1px
                              solid; MARGIN: 0px 0px 0px 0.8ex;
                              PADDING-LEFT: 1ex" class="gmail_quote">
                              <div style="WORD-WRAP: break-word">The
                                length of the packet doesn't
                                matter.&nbsp;
                                <div>That rule will try to find the
                                  string "getstatus" starting at position
                                  32 bytes from the start of the packet,
                                  searching for it up to position 41 at
                                  most.</div>
                                <div>The Q3 protocol for that command
                                  expects the string to be in that
                                  range.<br>
                                  <div><br>
                                    <div>
                                      <div>
                                        <div>On Feb 24, 2012, at 1:11
                                          AM, Geoff Goas wrote:</div>
                                        <br>
                                      </div>
                                      <blockquote type="cite">
                                        <div>Is the offset range of
                                          32-41 based on a 60-byte
                                          packet?<br>
                                          <br>
                                          <div class="gmail_quote">On
                                            Thu, Feb 23, 2012 at 10:34
                                            AM, Marco Padovan <span
                                              dir="ltr">&lt;<a
                                                href="mailto:evcz@evcz.tk"
                                                target="_blank"
                                                moz-do-not-send="true">evcz@evcz.tk</a>&gt;</span>
                                            wrote:<br>
                                            <blockquote
                                              style="BORDER-LEFT:
                                              rgb(204,204,204) 1px
                                              solid; MARGIN: 0px 0px 0px
                                              0.8ex; PADDING-LEFT: 1ex"
                                              class="gmail_quote">
                                              <div text="#000000"
                                                bgcolor="#FFFFFF">iptables
                                                -A INPUT -p udp -m
                                                string --string
                                                "getstatus" --algo bm
                                                --from 32 --to 41 -j
                                                DROP<br>
                                                <br>
                                              </div>
                                            </blockquote>
                                          </div>
                                        </div>
                                        <div>-- <br>
                                          <i><b><font size="1"><span
                                                  style="FONT-FAMILY:
                                                  tahoma,sans-serif">Geoff
                                                  Goas</span><br
                                                  style="FONT-FAMILY:
                                                  tahoma,sans-serif">
                                                <span
                                                  style="FONT-FAMILY:
                                                  tahoma,sans-serif">Systems
                                                  Engineer</span></font></b></i><br>
                                          <br>
_______________________________________________<br>
                                          cod mailing list<br>
                                          <a
                                            href="mailto:cod@icculus.org"
                                            target="_blank"
                                            moz-do-not-send="true">cod@icculus.org</a><br>
                                          <a
                                            href="http://icculus.org/mailman/listinfo/cod"
                                            target="_blank"
                                            moz-do-not-send="true">http://icculus.org/mailman/listinfo/cod</a><br>
                                        </div>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </div>
                              </div>
                              <br>
                              <br>
                            </blockquote>
                          </div>
                          <br>
                          <br clear="all">
                          <br>
                          -- <br>
                          <i><b><font size="1"><span style="FONT-FAMILY:
                                  tahoma,sans-serif">Geoff Goas</span><br
                                  style="FONT-FAMILY: tahoma,sans-serif">
                                <span style="FONT-FAMILY:
                                  tahoma,sans-serif">Systems Engineer</span></font></b></i><br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </div>
                </div>
              </div>
              <br>
              <br>
            </blockquote>
          </div>
          <br>
          <br clear="all">
          <br>
          -- <br>
          <i><b><font size="1"><span style="FONT-FAMILY:
                  tahoma,sans-serif">Geoff Goas</span><br
                  style="FONT-FAMILY: tahoma,sans-serif">
                <span style="FONT-FAMILY: tahoma,sans-serif">Systems
                  Engineer</span></font></b></i><br>
          <br>
          <br>
        </blockquote>
      </blockquote>
      <br>
    </blockquote>
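    <p>Added example, not part of the original thread: it parses the tcpdump hex dump quoted above and reports where "getstatus" sits under each counting convention discussed (from the IP header, from the UDP payload, and from the start of the Ethernet frame). The function names, the 14-byte Ethernet header, and the simplified model of the --from/--to window are assumptions made for this illustration.</p>

```python
import re

# Hex dump quoted in the thread (tcpdump -X output; offset 0 is the IP header).
DUMP = """
0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....
"""
ETH_HEADER_LEN = 14  # assumption: untagged Ethernet II frame, as Wireshark shows it
UDP_HEADER_LEN = 8


def parse_dump(text):
    """Turn tcpdump -X lines into raw bytes, ignoring the ASCII column."""
    out = bytearray()
    for line in text.strip().splitlines():
        body = line.split(":", 1)[1].strip()
        # Hex groups are single-spaced; the ASCII column follows 2+ spaces.
        out += bytes.fromhex(re.split(r"\s{2,}", body)[0])
    return bytes(out)


def locate(packet, needle):
    """0-based offsets of needle under each counting convention."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("expected an IPv4 packet carrying UDP")
    ip_len = (packet[0] & 0x0F) * 4              # IHL counts 32-bit words
    total = int.from_bytes(packet[2:4], "big")   # excludes Ethernet padding
    payload_start = ip_len + UDP_HEADER_LEN
    pos = packet.find(needle, payload_start, total)
    if pos == -1:
        return None
    return {"packet": pos, "payload": pos - payload_start,
            "frame": pos + ETH_HEADER_LEN}


def window_matches(packet, needle, start, end):
    """Simplified model of '--from start --to end': bytes start..end-1,
    counted from the IP header, are the ones scanned for the string."""
    return needle in packet[start:end]


if __name__ == "__main__":
    pkt = parse_dump(DUMP)
    print(locate(pkt, b"getstatus"))
    print("--from 32 --to 41:", window_matches(pkt, b"getstatus", 32, 41))
    print("--from 4 --to 13:", window_matches(pkt, b"getstatus", 4, 13))
```

    <p>A fixed --from/--to pair assumes the 20-byte IP header seen in this dump; locate() reads the header length from the packet instead.</p>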
  </body>
</html>