[cod] CoD2 UDP flood
Marco Padovan
evcz at evcz.tk
Fri Feb 24 07:49:24 EST 2012
NO!
Read the messages that got posted in the last 2 days...
This should be a proper ruleset:
http://icculus.org/pipermail/cod/2012-February/015927.html
On 24/02/2012 13:47, david.lauriou at wanadoo.fr wrote:
> like this ?
>
> iptables -A INPUT -p udp -m length --length 42 -m recent --set --name getstatus_cod
> iptables -A INPUT -p udp -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>
> ----- Original Message -----
> *From:* Marco Padovan <mailto:evcz at evcz.tk>
> *To:* Call of Duty server admin list. <mailto:cod at icculus.org>
> *Sent:* Friday, February 24, 2012 1:35 PM
> *Subject:* Re: [cod] CoD2 UDP flood
>
> iptables rules
>
> On 24/02/2012 13:28, david.lauriou at wanadoo.fr wrote:
>> For COD4, what is the best method to remove the UDP flooding exploit?
>>
>>
>> ----- Original Message -----
>> *From:* Marco Padovan <mailto:evcz at evcz.tk>
>> *To:* Call of Duty server admin list. <mailto:cod at icculus.org>
>> *Sent:* Friday, February 24, 2012 12:10 PM
>> *Subject:* Re: [cod] CoD2 UDP flood
>>
>> Be aware that there are two different ways to talk about
>> offset: packet offset (includes header) and payload offset
>> (does not include header)
>>
>> On 24/02/2012 10:41, Geoff Goas wrote:
>>> You're right, and I see my error. That is frustrating
>>> because I have no idea why it doesn't work with the offset
>>> specified then.
>>>
>>> On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro
>>> <farflame at cybergames.it <mailto:farflame at cybergames.it>> wrote:
>>>
>>> Try this command
>>> tcpdump -c 4 -nnvvvXS dst port 28960
>>> where port is the port that you want to monitor
>>> should be something like
>>>
>>> 0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad E..+5...u.......
>>> 0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff ....p.q.........
>>> 0x0020: 6765 7473 7461 7475 730a 0000 0000 getstatus.....
>>>
>>> On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
>>>
>>>> That is strange, because if I use those values, it does
>>>> not work. If I use "--from 31" alone, then it works. As
>>>> soon as I change that to 32, it stops working. When I
>>>> inspect the packets in Wireshark, the "getstatus"
>>>> string starts at offset 48 if counting from 1. Would
>>>> there be a way for iptables to print to log what it
>>>> sees in the specified offset range?
>>>>
>>>> On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame Fabbro
>>>> <farflame at cybergames.it
>>>> <mailto:farflame at cybergames.it>> wrote:
>>>>
>>>> The length of the packet doesn't matter.
>>>> That rule will try to find the string "getstatus"
>>>> starting at position 32 bytes from the start of the packet
>>>> and searching for it up to position 41 at most.
>>>> The Q3 protocol for that command expects the string
>>>> to be in that range.
>>>>
>>>> On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:
>>>>
>>>>> Is the offset range of 32-41 based on a 60-byte
>>>>> packet?
>>>>>
>>>>> On Thu, Feb 23, 2012 at 10:34 AM, Marco Padovan
>>>>> <evcz at evcz.tk <mailto:evcz at evcz.tk>> wrote:
>>>>>
>>>>> iptables -A INPUT -p udp -m string --string
>>>>> "getstatus" --algo bm --from 32 --to 41 -j DROP
>>>>>
>>>>> --
>>>>> /*Geoff Goas
>>>>> Systems Engineer*/
>>>>>
>>>>> _______________________________________________
>>>>> cod mailing list
>>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>>> http://icculus.org/mailman/listinfo/cod
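As an added example (not code from anyone in this thread), the offset arithmetic Marco and Luca are describing, carried out in Python. It rebuilds the packet from the tcpdump -X rows quoted above (copied here as a constructed sample), reads the IPv4 header length so IP options would not silently shift the numbers, checks for the Quake3-style 0xffffffff out-of-band prefix, and reports both the payload offset and the packet offset of "getstatus"; the packet offset is what xt_string's --from/--to count from, which is why the rule in the thread uses 32 and 41. The function names, the iptables_rule helper and its chain/command parameters are this example's own.

```python
import re
import struct

# Constructed sample: the tcpdump -c 4 -nnvvvXS rows quoted in this thread,
# joined back onto one line per row as tcpdump prints them.
SAMPLE_DUMP = """\
0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad E..+5...u.......
0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff ....p.q.........
0x0020: 6765 7473 7461 7475 730a 0000 0000 getstatus.....
"""

# One tcpdump hex group: two bytes ("4500") or a lone trailing byte ("0a").
HEX_GROUP = re.compile(r"[0-9a-fA-F]{2}([0-9a-fA-F]{2})?")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw packet bytes from 'tcpdump -X' rows ('0x0010: 4500 ...  ascii')."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue
        offset = int(tokens[0].rstrip(":"), 16)
        if offset != len(out):
            raise ValueError(f"non-contiguous row at offset {offset:#x}")
        groups = 0
        for tok in tokens[1:]:
            # A full row carries 8 groups; anything after that (or the first
            # non-hex token) is the ASCII column, which we must not decode.
            if groups == 8 or not HEX_GROUP.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
            groups += 1
    return bytes(out)


def locate_q3_command(packet: bytes, command: bytes = b"getstatus") -> dict:
    """Report where a Quake3-style OOB command sits, as payload and packet offsets."""
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length incl. options
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if packet[9] != 17:                   # IP protocol number for UDP
        raise ValueError("not UDP")
    ip_total_len = struct.unpack("!H", packet[2:4])[0]
    sport, dport, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    payload_start = ihl + 8               # UDP header is a fixed 8 bytes
    payload = packet[payload_start:ihl + udp_len]
    if not payload.startswith(b"\xff\xff\xff\xff"):
        raise ValueError("missing 0xffffffff out-of-band marker")
    payload_off = payload.find(command)
    if payload_off < 0:
        raise ValueError("command not present in payload")
    packet_off = payload_start + payload_off
    return {
        "src_port": sport,
        "dst_port": dport,
        "ip_total_len": ip_total_len,
        "payload_offset": payload_off,    # what Wireshark shows relative to UDP data
        "packet_offset": packet_off,      # what xt_string --from counts from
        "from": packet_off,
        # xt_string searches [from, to); the 9-byte string must fit inside.
        "to": packet_off + len(command),
    }


def iptables_rule(info: dict, chain: str = "INPUT", command: str = "getstatus") -> str:
    """Render the string-match rule from the thread with the computed offsets (hypothetical helper)."""
    return (f"iptables -A {chain} -p udp --dport {info['dst_port']} "
            f"-m string --algo bm --string \"{command}\" "
            f"--from {info['from']} --to {info['to']} -j DROP")


if __name__ == "__main__":
    pkt = parse_tcpdump_hex(SAMPLE_DUMP)
    info = locate_q3_command(pkt)
    print(f"IHL=20 payload starts at {info['packet_offset'] - info['payload_offset']}, "
          f"'getstatus' at payload offset {info['payload_offset']} = packet offset {info['packet_offset']}")
    print(iptables_rule(info))
```

Run against the quoted capture this prints --from 32 --to 41, the same values as the rule posted on Feb 23; the same script run on a capture with IP options present would move both numbers by the option length, which a hand-counted rule would miss. Note that an unconditional DROP of getstatus also discards legitimate server-browser and master-server queries, which is why the later messages in the thread combine the string match with -m recent rate limiting rather than dropping every match.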