[cod] New cod4 attack

Håvard Pedersen fuzzy76 at fuzzy76.net
Tue Nov 1 08:39:07 EDT 2011


Unfortunately, that is all info I have. OTOH, if this IS a new type of
attack pattern, I guess you will have plenty of other sources pretty
soon (I was sternly instructed by my host to not start up cod4 again
until it had been fixed).

My server is automatically restarted nightly... I am guessing that
should be enough to empty the ip cache?

Håvard Pedersen
http://fuzzy76.net/


On Tue, Nov 1, 2011 at 13:30, Marco Padovan <evcz at evcz.tk> wrote:
> Looks like a standard attack pattern...
> we need the incoming traffic too in order to understand what was being
> exploited...
> I suppose nothing new was happening here and you just hit the patch "limits"
>
> Take a look at the previous list messages... the current patch actually
> has a limit:
> the "protection" becomes ineffective once the tracked ips list is
> filled... you either need to increase it to an insane number or just
> restart the server before it gets filled :)
>
> HINT: incoming src udp port 80 is the most exploited one and I have yet
> to find a legit gameplayer packet generated from that port............
>
> On 01/11/2011 13:18, Håvard Pedersen wrote:
>> The only info my host had stored was this:
>>
>> tcpdump output during a 3 minute period. 7 records.
>> 12:32:48.533303 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>> 12:33:10.471172 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>> 12:33:12.665673 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>> 12:33:26.951329 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>> 12:33:46.409945 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>> 12:33:53.707567 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
>>
>> Håvard Pedersen
>> http://fuzzy76.net/
>>
>> On Tue, Nov 1, 2011 at 12:21, Marco Padovan <evcz at evcz.tk> wrote:
>>> Please post a tcpdump capture or additional details
>>>
>>> On 01/11/2011 11:47, Håvard Pedersen wrote:
>>>
>>> Sorry, I should have been clearer. My server is used as a relay, it is
>>> not the target. (Got a call from my host about massive amounts of
>>> outgoing UDP from my COD4 port)
>>>
>>> Håvard Pedersen
>>> http://fuzzy76.net/
>>>
>>> On Tue, Nov 1, 2011 at 11:45, Morpheus <morpheus at clantoc.org> wrote:
>>>
>>> If you're the target of an attack, the patch won't help you; it only
>>> prevents attacks from being relayed.
>>>
>>> On 01/11/2011 11:42, Håvard Pedersen wrote:
>>>
>>> My patched Linux cod4 server experienced a new attack today and had to
>>> be taken offline. :( Probably a new attack?
>>>
>>> Håvard Pedersen
>>> http://fuzzy76.net/
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org
>>> http://icculus.org/mailman/listinfo/cod
>>>
>
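As an added example (not code from the thread, the cod4 patch, or the list members), here is a small checker that applies Marco's hint to tcpdump output in the format Håvard pasted: it flags queries arriving at the game port with source port 80 and replies leaving the game port towards port 80, which is the relay pattern the host observed. The server address and game port are taken from the quoted capture; the sample lines are constructed, and 198.51.100.7 is a documentation address used for the legitimate-traffic lines.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the tcpdump lines quoted in the thread.
# The first three lines reuse the addresses shown there; the remaining lines
# are made up: two legitimate exchanges and one query with a source port of 80.
SAMPLE = """\
12:32:48.533303 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:10.471172 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:12.665673 IP 91.229.142.201.28970 > 91.220.163.3.80: UDP, length 563,
12:33:26.951329 IP 198.51.100.7.27015 > 91.229.142.201.28970: UDP, length 48
12:33:46.409945 IP 91.229.142.201.28970 > 198.51.100.7.27015: UDP, length 210
12:33:50.120000 IP 91.220.163.3.80 > 91.229.142.201.28970: UDP, length 14
"""

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)"
)


def parse_udp(text):
    """Yield (src, sport, dst, dport, length) for each tcpdump UDP line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["length"]))


def find_reflection(text, server_ip, game_port, reflected_port=80):
    """Flag traffic consistent with the relay pattern discussed in the thread.

    inbound:  queries to the game port whose *source* port is reflected_port
              (the spoofed port Marco names as the most exploited one).
    outbound: replies leaving the game port towards reflected_port, i.e. the
              server answering the spoofed source; this is what the host saw.
    Returns per-peer [packet count, byte total] for both directions.
    """
    inbound = defaultdict(lambda: [0, 0])
    outbound = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, length in parse_udp(text):
        if dst == server_ip and dport == game_port and sport == reflected_port:
            inbound[src][0] += 1
            inbound[src][1] += length
        elif src == server_ip and sport == game_port and dport == reflected_port:
            outbound[dst][0] += 1
            outbound[dst][1] += length
    return {"inbound": dict(inbound), "outbound": dict(outbound)}


if __name__ == "__main__":
    report = find_reflection(SAMPLE, "91.229.142.201", 28970)
    for peer, (pkts, total) in report["outbound"].items():
        print(f"reflected towards {peer}:80 -> {pkts} packets, {total} bytes")
```

Run it against a longer capture (`tcpdump -n udp port 28970`) to see which peers the server is being made to answer on port 80; the byte totals give the amplification the relay is contributing.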

