[cod] CoD2 UDP flood
Marco Padovan
evcz at evcz.tk
Fri Feb 24 08:04:35 EST 2012
You can either use the one you linked from modsrepository or the more
"complex" one that was posted on this list.
On 24/02/2012 14:03, david.lauriou at wanadoo.fr wrote:
> The rules are?
>
>
> ----- Original Message -----
> *From:* Marco Padovan <mailto:evcz at evcz.tk>
> *To:* cod at icculus.org <mailto:cod at icculus.org>
> *Sent:* Friday, February 24, 2012 2:00 PM
> *Subject:* Re: [cod] CoD2 UDP flood
>
> That rule is very basic.
>
> cod1, cod1.5, cod2 and cod4 all suffer from the same problem and are
> exploited in the same exact way.
>
> So an iptables rule that fixes the cod4 problem also works for cod2 and
> cod1.
>
> On 24/02/2012 13:51, david.lauriou at wanadoo.fr wrote:
>> I've found this:
>> http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers
>>
>> It's for cod4, not for COD2!
>>
>>
>> ----- Original Message -----
>> *From:* Marco Padovan <mailto:evcz at evcz.tk>
>> *To:* cod at icculus.org <mailto:cod at icculus.org>
>> *Sent:* Friday, February 24, 2012 1:49 PM
>> *Subject:* Re: [cod] CoD2 UDP flood
>>
>> NO!
>>
>> Read the messages that got posted in the last 2 days...
>>
>> This should be a proper ruleset:
>> http://icculus.org/pipermail/cod/2012-February/015927.html
>>
>> On 24/02/2012 13:47, david.lauriou at wanadoo.fr wrote:
>>> Like this?
>>>
>>> iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
>>> iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>>
>>> ----- Original Message -----
>>> *From:* Marco Padovan <mailto:evcz at evcz.tk>
>>> *To:* Call of Duty server admin list.
>>> <mailto:cod at icculus.org>
>>> *Sent:* Friday, February 24, 2012 1:35 PM
>>> *Subject:* Re: [cod] CoD2 UDP flood
>>>
>>> iptables rules
>>>
>>> On 24/02/2012 13:28, david.lauriou at wanadoo.fr wrote:
>>>> For COD4, what is the best method to remove the UDP flooding
>>>> exploit?
>>>>
>>>>
>>>> ----- Original Message -----
>>>> *From:* Marco Padovan <mailto:evcz at evcz.tk>
>>>> *To:* Call of Duty server admin list.
>>>> <mailto:cod at icculus.org>
>>>> *Sent:* Friday, February 24, 2012 12:10 PM
>>>> *Subject:* Re: [cod] CoD2 UDP flood
>>>>
>>>> Be aware that there are two different ways to talk
>>>> about offset: packet offset (includes header) and
>>>> payload offset (does not include header)
>>>>
>>>> On 24/02/2012 10:41, Geoff Goas wrote:
>>>>> You're right, and I see my error. That is
>>>>> frustrating because I have no idea why it doesn't
>>>>> work with the offset specified then.
>>>>>
>>>>> On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame
>>>>> Fabbro <farflame at cybergames.it
>>>>> <mailto:farflame at cybergames.it>> wrote:
>>>>>
>>>>> Try this command
>>>>> tcpdump -c 4 -nnvvvXS dst port 28960
>>>>> where port is the port that you want to monitor
>>>>> should be something like
>>>>>
>>>>> 0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad E..+5...u.......
>>>>> 0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff ....p.q.........
>>>>> 0x0020: 6765 7473 7461 7475 730a 0000 0000 getstatus.....
>>>>>
>>>>> On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
>>>>>
>>>>>> That is strange, because if I use those
>>>>>> values, it does not work. If I use "--from
>>>>>> 31" alone, then it works. As soon as I change
>>>>>> that to 32, it stops working. When I inspect
>>>>>> the packets in Wireshark, the "getstatus"
>>>>>> string starts at offset 48 if counting from
>>>>>> 1. Would there be a way for iptables to print
>>>>>> to log what it sees in the specified offset
>>>>>> range?
>>>>>>
>>>>>> On Fri, Feb 24, 2012 at 3:28 AM, Luca
>>>>>> Farflame Fabbro <farflame at cybergames.it
>>>>>> <mailto:farflame at cybergames.it>> wrote:
>>>>>>
>>>>>> The length of the packet doesn't matter.
>>>>>> That rule will try to find the string
>>>>>> "getstatus" starting at position 32 bytes
>>>>>> from the start of the packet and searching for it
>>>>>> up to position 41 at most.
>>>>>> The Q3 protocol for that command expects
>>>>>> the string to be in that range.
>>>>>>
>>>>>> On Feb 24, 2012, at 1:11 AM, Geoff Goas
>>>>>> wrote:
>>>>>>
>>>>>>> Is the offset range of 32-41 based on a
>>>>>>> 60-byte packet?
>>>>>>>
>>>>>>> On Thu, Feb 23, 2012 at 10:34 AM, Marco
>>>>>>> Padovan <evcz at evcz.tk
>>>>>>> <mailto:evcz at evcz.tk>> wrote:
>>>>>>>
>>>>>>> iptables -A INPUT -p udp -m string --string "getstatus" --algo bm --from 32 --to 41 -j DROP
>>>>>>>
>>>>>>> --
>>>>>>> /*Geoff Goas
>>>>>>> Systems Engineer*/
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> cod mailing list
>>>>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>>>>> http://icculus.org/mailman/listinfo/cod
>>>>>> --
>>>>>> /*Geoff Goas
>>>>>> Systems Engineer*/
>>>>> --
>>>>> /*Geoff Goas
>>>>> Systems Engineer*/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20120224/194617a8/attachment-0001.htm>
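Added example, not part of the original thread: it locates "getstatus" in the packet from the tcpdump output quoted above and reports its offset in the two frames of reference mentioned in the thread (packet offset, counted from the IPv4 header, and payload offset, counted from the UDP payload). The frame offset assumes an untagged Ethernet II header of 14 bytes in front of the IP header, and the function name `locate` is chosen for this example.

```python
import struct

# Bytes transcribed from the tcpdump -X output quoted in the thread.
# The dump starts at the IPv4 header; the trailing zeros are padding.
DUMP = bytes.fromhex(
    "4500002b35b300007511179bb61280ad"
    "c0a8010c7012712000170000ffffffff"
    "6765747374617475730a00000000"
)

ETH_HLEN = 14  # assumption: untagged Ethernet II frame in front of the IP header
UDP_HLEN = 8


def locate(packet: bytes, needle: bytes = b"getstatus") -> dict:
    """Return the needle's 0-based offset in each frame of reference."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ip_hlen = (packet[0] & 0x0F) * 4            # IHL is counted in 32-bit words
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if packet[9] != 17:                         # IP protocol number 17 = UDP
        raise ValueError("not a UDP packet")
    _sport, dport, udp_len = struct.unpack_from("!HHH", packet, ip_hlen)
    payload_start = ip_hlen + UDP_HLEN
    # Slice by the UDP length field so link-layer padding is not searched.
    payload = packet[payload_start:ip_hlen + udp_len]
    pos = payload.find(needle)
    if pos < 0:
        raise ValueError("needle not found in UDP payload")
    return {
        "dst_port": dport,
        "ip_total_len": total_len,
        "payload_offset": pos,                          # after the UDP header
        "packet_offset": payload_start + pos,           # from the IPv4 header
        "frame_offset": ETH_HLEN + payload_start + pos, # from the Ethernet header
        "last_byte_packet_offset": payload_start + pos + len(needle) - 1,
    }


if __name__ == "__main__":
    for name, value in locate(DUMP).items():
        print(f"{name}: {value}")
```

For this packet the string starts 4 bytes into the UDP payload, after the four 0xff bytes, which is byte 32 counted from the IPv4 header.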