<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=ISO-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7601.17744"></HEAD>
<BODY bgColor=#ffffff text=#000000>
<DIV><FONT size=2 face=Arial>The rules are?</FONT></DIV>
<DIV> </DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=evcz@evcz.tk href="mailto:evcz@evcz.tk">Marco Padovan</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cod@icculus.org
href="mailto:cod@icculus.org">cod@icculus.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, February 24, 2012 2:00
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [cod] CoD2 UDP flood</DIV>
<DIV><BR></DIV><FONT size=-1><FONT face=Verdana>That rule is very
basic.<BR><BR>cod1, cod1.5, cod2 and cod4 all suffer the same problem and are
exploited in the same exact way.<BR><BR>So an iptables rule that fixes the cod4
problem also works for cod2 and cod1.<BR></FONT></FONT><BR>On 24/02/2012 13:51,
<A class=moz-txt-link-abbreviated
href="mailto:david.lauriou@wanadoo.fr">david.lauriou@wanadoo.fr</A>
wrote:
<BLOCKQUOTE cite=mid:B1B47B587A62421EBC134635AC09C070@DAVIDPC type="cite">
<META name=GENERATOR content="MSHTML 8.00.7601.17744">
<DIV><FONT size=2 face=Arial>I've found this: <A
href="http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers"
moz-do-not-send="true">http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers</A><BR><BR>It's
for cod4, not for COD2!</FONT></DIV>
<DIV> </DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=evcz@evcz.tk href="mailto:evcz@evcz.tk"
moz-do-not-send="true">Marco Padovan</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cod@icculus.org
href="mailto:cod@icculus.org" moz-do-not-send="true">cod@icculus.org</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, February 24, 2012 1:49
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [cod] CoD2 UDP
flood</DIV>
<DIV><BR></DIV><FONT size=-1><FONT face=Verdana>NO!<BR><BR>Read the
messages that got posted in the last 2 days...<BR><BR>This should be a
proper ruleset:<BR></FONT></FONT><A
href="http://icculus.org/pipermail/cod/2012-February/015927.html"
moz-do-not-send="true">http://icculus.org/pipermail/cod/2012-February/015927.html</A><BR><BR>On
24/02/2012 13:47, <A class=moz-txt-link-abbreviated
href="mailto:david.lauriou@wanadoo.fr"
moz-do-not-send="true">david.lauriou@wanadoo.fr</A> wrote:
<BLOCKQUOTE cite=mid:5411B6234B1445D19576CBC47594060B@DAVIDPC
type="cite"><META name=GENERATOR content="MSHTML 8.00.7601.17744">
<DIV><FONT size=2 face=Arial>Like this?</FONT></DIV>
<DIV> </DIV>
<DIV><PRE># Record the source address of every 42-byte UDP packet in the "getstatus_cod" recent list
iptables -A INPUT -p udp -m length --length 42 -m recent --set --name getstatus_cod
# Drop a "getstatus" query whose source has already been seen 20 times within the last second
iptables -A INPUT -p udp -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP</PRE></DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=evcz@evcz.tk href="mailto:evcz@evcz.tk"
moz-do-not-send="true">Marco Padovan</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cod@icculus.org
href="mailto:cod@icculus.org" moz-do-not-send="true">Call of Duty
server admin list.</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, February 24, 2012
1:35 PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [cod] CoD2 UDP
flood</DIV>
<DIV><BR></DIV><FONT size=-1><FONT face=Verdana>iptables
rules</FONT></FONT><BR><BR>On 24/02/2012 13:28, <A
class=moz-txt-link-abbreviated href="mailto:david.lauriou@wanadoo.fr"
moz-do-not-send="true">david.lauriou@wanadoo.fr</A> wrote:
<BLOCKQUOTE cite=mid:5FFB5CF414B043ADA2D67047DA398F6B@DAVIDPC
type="cite">
<META name=GENERATOR content="MSHTML 8.00.7601.17744">
<STYLE></STYLE>
<DIV><FONT size=2 face=Arial>For COD4, what is the best method to
remove the UDP flooding exploit?</FONT></DIV>
<DIV> </DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=evcz@evcz.tk href="mailto:evcz@evcz.tk"
moz-do-not-send="true">Marco Padovan</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cod@icculus.org
href="mailto:cod@icculus.org" moz-do-not-send="true">Call of Duty
server admin list.</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, February 24,
2012 12:10 PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [cod] CoD2 UDP
flood</DIV>
<DIV><BR></DIV><FONT size=-1><FONT face=Verdana>Be aware that
there are two different ways to talk about offset: packet offset
(includes header) and payload offset (does not
include header)</FONT></FONT><BR><BR>On 24/02/2012 10:41, Geoff Goas wrote:
<BLOCKQUOTE
cite=mid:CAB8_CqKt=euaic0khRyEDAVW95k8jfv51qOwrGWJTRcMwivvmg@mail.gmail.com
type="cite">You're right, and I see my error. That is
frustrating because I have no idea why it doesn't work with the
offset specified then.<BR><BR>
<DIV class=gmail_quote>On Fri, Feb 24, 2012 at 4:10 AM, Luca
Farflame Fabbro <SPAN dir=ltr><<A
href="mailto:farflame@cybergames.it"
moz-do-not-send="true">farflame@cybergames.it</A>></SPAN>
wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV style="WORD-WRAP: break-word">
<DIV>Try this command</DIV>tcpdump -c 4 -nnvvvXS dst port
28960
<DIV>where port is the port that you want to monitor</DIV>
<DIV>should be something like</DIV>
<DIV><BR></DIV>
<DIV>
<DIV><FONT face="'Courier New'">
0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad
E..+5...u.......</FONT></DIV>
<DIV><FONT face="'Courier New'">
0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff
....p.q.........</FONT></DIV>
<DIV><FONT face="'Courier New'">
0x0020: 6765 7473 7461 7475 730a 0000 0000
getstatus.....</FONT></DIV></DIV>
<DIV>
<DIV class=h5>
<DIV><BR></DIV>
<DIV>On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:</DIV>
<DIV>
<DIV><BR>
<BLOCKQUOTE type="cite">That is strange, because if I use
those values, it does not work. If I use "--from 31" alone,
then it works. As soon as I change that to 32, it stops
working. When I inspect the packets in Wireshark, the
"getstatus" string starts at offset 48 if counting from 1.
Would there be a way for iptables to print to log what it
sees in the specified offset range?<BR><BR>
<DIV class=gmail_quote>On Fri, Feb 24, 2012 at 3:28 AM, Luca
Farflame Fabbro <SPAN dir=ltr><<A
href="mailto:farflame@cybergames.it" target=_blank
moz-do-not-send="true">farflame@cybergames.it</A>></SPAN>
wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV style="WORD-WRAP: break-word">The length of the packet
doesn't matter.
<DIV>That rule will try to find the string "getstatus"
starting at position 32 bytes from the start of the packet,
searching for it up to position 41 at most.</DIV>
<DIV>The Q3 protocol for that command expects the string
to be in that range.<BR>
<DIV><BR>
<DIV>
<DIV>
<DIV>On Feb 24, 2012, at 1:11 AM, Geoff Goas
wrote:</DIV><BR></DIV>
<BLOCKQUOTE type="cite">
<DIV>Is the offset range of 32-41 based on a 60-byte
packet?<BR><BR>
<DIV class=gmail_quote>On Thu, Feb 23, 2012 at 10:34 AM,
Marco Padovan <SPAN dir=ltr><<A
href="mailto:evcz@evcz.tk" target=_blank
moz-do-not-send="true">evcz@evcz.tk</A>></SPAN>
wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV bgcolor="#FFFFFF" text="#000000">iptables -A
INPUT -p udp -m string --string "getstatus" --algo bm
--from 32 --to 41 -j
DROP<BR><BR></DIV></BLOCKQUOTE></DIV></DIV>
<DIV>-- <BR><I><B><FONT size=1><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Geoff
Goas</SPAN><BR
style="FONT-FAMILY: tahoma,sans-serif"><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Systems
Engineer</SPAN></FONT></B></I><BR><BR>_______________________________________________<BR>cod
mailing list<BR><A href="mailto:cod@icculus.org"
target=_blank
moz-do-not-send="true">cod@icculus.org</A><BR><A
href="http://icculus.org/mailman/listinfo/cod"
target=_blank
moz-do-not-send="true">http://icculus.org/mailman/listinfo/cod</A><BR></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR><I><B><FONT size=1><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Geoff Goas</SPAN><BR
style="FONT-FAMILY: tahoma,sans-serif"><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Systems
Engineer</SPAN></FONT></B></I><BR><BR></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></DIV><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR><I><B><FONT size=1><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Geoff Goas</SPAN><BR
style="FONT-FAMILY: tahoma,sans-serif"><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Systems
Engineer</SPAN></FONT></B></I><BR></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>