<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=ISO-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7601.17744">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff text=#000000>
<DIV><FONT size=2 face=Arial>For COD4, what is the best method to remove the UDP
flooding exploit?</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
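<DIV>The packet-offset versus payload-offset distinction discussed in the quoted thread, worked through on the tcpdump dump it contains. This is an added example, not part of any poster's message; the ASCII column of the dump is dropped, and the function names and the 14-byte Ethernet header length are assumptions made for the illustration.</DIV>

```python
import struct

# Hex columns of the tcpdump -X output quoted in this thread; the dump
# starts at the IP header (no link-layer header is shown).
DUMP = """
0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad
0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff
0x0020: 6765 7473 7461 7475 730a 0000 0000
"""

def parse_dump(text):
    """Rebuild the packet bytes, checking each line's offset label."""
    data = bytearray()
    for line in text.strip().splitlines():
        label, _, hexpart = line.partition(":")
        if int(label, 16) != len(data):
            raise ValueError(f"gap in dump at {label.strip()}")
        data += bytes.fromhex(hexpart)
    return bytes(data)

def locate(ip_packet, needle=b"getstatus", link_hdr_len=14):
    """Offsets of needle counted from each layer (all 0-based)."""
    if ip_packet[0] >> 4 != 4 or ip_packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ip_packet[0] & 0x0F) * 4            # 20 unless IP options are present
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    dport = struct.unpack("!H", ip_packet[ihl + 2:ihl + 4])[0]
    payload_start = ihl + 8                     # UDP header is always 8 bytes
    # Bytes past total_len are link-layer padding, so keep them out of the search.
    pos = ip_packet.find(needle, payload_start, total_len)
    if pos < 0:
        raise ValueError("needle not found in the UDP payload")
    return {
        "dst_port": dport,
        "from_ip_header": pos,
        "last_byte_from_ip_header": pos + len(needle) - 1,
        "from_udp_payload": pos - payload_start,
        "from_link_frame": pos + link_hdr_len,  # assumes plain Ethernet II
    }

if __name__ == "__main__":
    for name, value in locate(parse_dump(DUMP)).items():
        print(f"{name}: {value}")
```

An IP header that carries options makes the header longer than 20 bytes, which moves the IP-relative offset while the payload-relative offset stays at 4.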
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=evcz@evcz.tk href="mailto:evcz@evcz.tk">Marco Padovan</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cod@icculus.org
href="mailto:cod@icculus.org">Call of Duty server admin list.</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, February 24, 2012 12:10
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [cod] CoD2 UDP flood</DIV>
<DIV><BR></DIV><FONT size=-1><FONT face=Verdana>Be aware that there are two
different ways to talk about offset: packet offset (includes header) and
payload offset</FONT></FONT> (does not include header)<BR><BR>On 24/02/2012
10:41, Geoff Goas wrote:
<BLOCKQUOTE
cite=mid:CAB8_CqKt=euaic0khRyEDAVW95k8jfv51qOwrGWJTRcMwivvmg@mail.gmail.com
type="cite">You're right, and I see my error. That is frustrating because I
have no idea why it doesn't work with the offset specified then.<BR><BR>
<DIV class=gmail_quote>On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro
<SPAN dir=ltr>&lt;<A href="mailto:farflame@cybergames.it"
moz-do-not-send="true">farflame@cybergames.it</A>&gt;</SPAN> wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV style="WORD-WRAP: break-word">
<DIV>Try this command</DIV>tcpdump -c 4 -nnvvvXS dst port 28960
<DIV>where port is the port that you want to monitor</DIV>
<DIV>should be something like</DIV>
<DIV><BR></DIV>
<DIV>
<DIV><FONT face="'Courier New'"> 0x0000:
4500 002b 35b3 0000 7511 179b b612 80ad
E..+5...u.......</FONT></DIV>
<DIV><FONT face="'Courier New'"> 0x0010:
c0a8 010c 7012 7120 0017 0000 ffff ffff
....p.q.........</FONT></DIV>
<DIV><FONT face="'Courier New'"> 0x0020:
6765 7473 7461 7475 730a 0000 0000
getstatus.....</FONT></DIV></DIV>
<DIV>
<DIV class=h5>
<DIV><BR></DIV>
<DIV>On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:</DIV>
<DIV>
<DIV><BR>
<BLOCKQUOTE type="cite">That is strange, because if I use those values,
it does not work. If I use "--from 31" alone, then it works. As soon as
I change that to 32, it stops working. When I inspect the packets in
Wireshark, the "getstatus" string starts at offset 48 if counting from
1. Would there be a way for iptables to print to log what it sees in the
specified offset range?<BR><BR>
<DIV class=gmail_quote>On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame
Fabbro <SPAN dir=ltr>&lt;<A href="mailto:farflame@cybergames.it"
target=_blank
moz-do-not-send="true">farflame@cybergames.it</A>&gt;</SPAN> wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV style="WORD-WRAP: break-word">The length of the packet doesn't matter.
<DIV>That rule will try to find the string "getstatus" starting at
position 32 bytes from the start of the packet and searching for it up to
position 41 at most.</DIV>
<DIV>The Q3 protocol for that command expects the string to be in that
range.<BR>
<DIV><BR>
<DIV>
<DIV>
<DIV>On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:</DIV><BR></DIV>
<BLOCKQUOTE type="cite">
<DIV>Is the offset range of 32-41 based on a 60-byte packet?<BR><BR>
<DIV class=gmail_quote>On Thu, Feb 23, 2012 at 10:34 AM, Marco
Padovan <SPAN dir=ltr>&lt;<A href="mailto:evcz@evcz.tk"
target=_blank moz-do-not-send="true">evcz@evcz.tk</A>&gt;</SPAN>
wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV text="#000000" bgcolor="#FFFFFF">iptables -A INPUT -p udp -m
string --string "getstatus" --algo bm --from 32 --to 41 -j
DROP<BR><BR></DIV></BLOCKQUOTE></DIV></DIV>
<DIV>-- <BR><I><B><FONT size=1><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Geoff Goas</SPAN><BR
style="FONT-FAMILY: tahoma,sans-serif"><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Systems
Engineer</SPAN></FONT></B></I><BR><BR>_______________________________________________<BR>cod
mailing list<BR><A href="mailto:cod@icculus.org" target=_blank
moz-do-not-send="true">cod@icculus.org</A><BR><A
href="http://icculus.org/mailman/listinfo/cod" target=_blank
moz-do-not-send="true">http://icculus.org/mailman/listinfo/cod</A><BR></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR><I><B><FONT size=1><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Geoff Goas</SPAN><BR
style="FONT-FAMILY: tahoma,sans-serif"><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Systems
Engineer</SPAN></FONT></B></I><BR><BR></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></DIV><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR><I><B><FONT size=1><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Geoff Goas</SPAN><BR
style="FONT-FAMILY: tahoma,sans-serif"><SPAN
style="FONT-FAMILY: tahoma,sans-serif">Systems
Engineer</SPAN></FONT></B></I><BR><BR><BR>
<FIELDSET class=mimeAttachmentHeader></FIELDSET> <BR></BLOCKQUOTE>
<P>
<HR>
<P></P></BLOCKQUOTE></BODY></HTML>