[cod] CoD2 UDP flood
Marco Padovan
evcz at evcz.tk
Fri Feb 24 07:35:18 EST 2012
iptables rules
Il 24/02/2012 13:28, david.lauriou at wanadoo.fr ha scritto:
> for COD4 what is the best method to remove udp Flooding exploit ?
>
>
> ----- Original Message -----
> *From:* Marco Padovan <mailto:evcz at evcz.tk>
> *To:* Call of Duty server admin list. <mailto:cod at icculus.org>
> *Sent:* Friday, February 24, 2012 12:10 PM
> *Subject:* Re: [cod] CoD2 UDP flood
>
> Be aware that there are two different ways to talk about offset:
> packet offset (includes header) and payload offset (does not
> include header)
>
> Il 24/02/2012 10:41, Geoff Goas ha scritto:
>> You're right, and I see my error. That is frustrating because I
>> have no idea why it doesn't work with the offset specified then.
>>
>> On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro
>> <farflame at cybergames.it <mailto:farflame at cybergames.it>> wrote:
>>
>> Try this command
>> tcpdump -c 4 -nnvvvXS dst port 28960
>> where port is the port that you want to monitor
>> should be something like
>>
>> 0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad
>> E..+5...u.......
>> 0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff
>> ....p.q.........
>> 0x0020: 6765 7473 7461 7475 730a 0000 0000
>> getstatus.....
>>
>> On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
>>
>>> That is strange, because if I use those values, it does not
>>> work. If I use "--from 31" alone, then it works. As soon as
>>> I change that to 32, it stops working. When I inspect the
>>> packets in Wireshark, the "getstatus" string starts at
>>> offset 48 if counting from 1. Would there be a way for
>>> iptables to print to log what it sees in the specified
>>> offset range?
>>>
>>> On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame Fabbro
>>> <farflame at cybergames.it <mailto:farflame at cybergames.it>> wrote:
>>>
>>> It doesn't matter the length of the packet.
>>> That rule will try to find the string "gestatus"
>>> starting at position 32 bytes from start of packet and
>>> searching for it at maximum at position 41.
>>> The Q3 protocol for that command expects the string to
>>> be in that range.
>>>
>>> On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:
>>>
>>>> Is the offset range of 32-41 based on a 60-byte packet?
>>>>
>>>> On Thu, Feb 23, 2012 at 10:34 AM, Marco Padovan
>>>> <evcz at evcz.tk <mailto:evcz at evcz.tk>> wrote:
>>>>
>>>> iptables -A INPUT -p udp -m string --string
>>>> "getstatus" --algo bm --from 32 --to 41 -j DROP
>>>>
>>>> --
>>>> /*Geoff Goas
>>>> Systems Engineer*/
>>>>
>>>> _______________________________________________
>>>> cod mailing list
>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>> http://icculus.org/mailman/listinfo/cod
>>>
>>>
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org <mailto:cod at icculus.org>
>>> http://icculus.org/mailman/listinfo/cod
>>>
>>>
>>>
>>>
>>> --
>>> /*Geoff Goas
>>> Systems Engineer*/
>>>
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org <mailto:cod at icculus.org>
>>> http://icculus.org/mailman/listinfo/cod
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org <mailto:cod at icculus.org>
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>> --
>> /*Geoff Goas
>> Systems Engineer*/
>>
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>
> ------------------------------------------------------------------------
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20120224/25ab4485/attachment.htm>
More information about the cod
mailing list