[cod] CoD2 UDP flood

River Hosting info at riverhosting.nl
Fri Feb 24 16:38:49 EST 2012 

Hello again guys,

 

I was adding some new rules into the firewall and it looks like the flooding
has stopped!

 

Now using;

- serverark (recently posted on this list)

- getstatus_ban.sh (recently posted aswell)

- iptables

 

Since this morning the traffic dropped from 6 Mbit/s to 45 Kb/s.

When filtering, shutting down all gameservers running on your box for about
24-48 hours may do the trick. After that time just reboot them and let the
magic happen... :)

 

 

Met vriendelijke groeten,

With kind regards,

Julian Maartens
River Hosting

 <mailto:info at riverhosting.nl> info at riverhosting.nl
 <http://www.riverhosting.nl/> http://www.riverhosting.nl

 

Van: Marco Padovan [mailto:evcz at evcz.tk] 
Verzonden: vrijdag 24 februari 2012 14:05
Aan: Call of Duty server admin list.
Onderwerp: Re: [cod] CoD2 UDP flood

 

You can either use the one you linked from modsrepository or the more
"complex" one that was posted on this list

Il 24/02/2012 14:03, david.lauriou at wanadoo.fr ha scritto: 

the rules is ?

 

----- Original Message ----- 

From: Marco Padovan <mailto:evcz at evcz.tk>  

To: cod at icculus.org 

Sent: Friday, February 24, 2012 2:00 PM

Subject: Re: [cod] CoD2 UDP flood

 

that rule is very basic.

cod1, cod1.5, cod2 and cod4 all suffer the same problem and are exploited in
the same exact way.

So an iptables that fixes the cod4 problem works also for cod2 and cod1

Il 24/02/2012 13:51, david.lauriou at wanadoo.fr ha scritto: 

i've find this :
http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers

its for cod4 not for COD2 !

 

----- Original Message ----- 

From: Marco Padovan <mailto:evcz at evcz.tk>  

To: cod at icculus.org 

Sent: Friday, February 24, 2012 1:49 PM

Subject: Re: [cod] CoD2 UDP flood

 

NO!

Read the messages that got posted in the last 2 days...

This should be a proper ruleset:
http://icculus.org/pipermail/cod/2012-February/015927.html

Il 24/02/2012 13:47, david.lauriou at wanadoo.fr ha scritto: 

like this ?

 

IPTABLES -A INPUT -p UDP -m length --length 42 -m recent --set --name
getstatus_cod
IPTABLES -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent
--update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP

----- Original Message ----- 

From: Marco Padovan <mailto:evcz at evcz.tk>  

To: Call of Duty server admin <mailto:cod at icculus.org>  list. 

Sent: Friday, February 24, 2012 1:35 PM

Subject: Re: [cod] CoD2 UDP flood

 

iptables rules

Il 24/02/2012 13:28, david.lauriou at wanadoo.fr ha scritto: 

for COD4 what is the best method to remove udp Flooding exploit ?

 

----- Original Message ----- 

From: Marco Padovan <mailto:evcz at evcz.tk>  

To: Call of Duty server admin <mailto:cod at icculus.org>  list. 

Sent: Friday, February 24, 2012 12:10 PM

Subject: Re: [cod] CoD2 UDP flood

 

Be aware that there are two different ways to talk about offset: packet
offset (includes header) and payload offset (does not include header)

Il 24/02/2012 10:41, Geoff Goas ha scritto: 

You're right, and I see my error. That is frustrating because I have no idea
why it doesn't work with the offset specified then.

On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro
<farflame at cybergames.it> wrote:

Try this command

tcpdump -c 4 -nnvvvXS dst port 28960 

where port is the port that you want to monitor

should be something like

 

        0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......

        0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........

        0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....

 

On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:





That is strange, because if I use those values, it does not work. If I use
"--from 31" alone, then it works. As soon as I change that to 32, it stops
working. When I inspect the packets in Wireshark, the "getstatus" string
starts at offset 48 if counting from 1. Would there be a way for iptables to
print to log what it sees in the specified offset range?

On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame Fabbro
<farflame at cybergames.it> wrote:

It doesn't matter the length of the packet.  

That rule will try to find the string "gestatus" starting at position 32
bytes from start of packet and searching for it at maximum at position 41.

The Q3 protocol for that command expects the string to be in that range.

 

On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:

 

Is the offset range of 32-41 based on a 60-byte packet?

On Thu, Feb 23, 2012 at 10:34 AM, Marco Padovan <evcz at evcz.tk> wrote:

iptables -A INPUT -p udp -m string --string "getstatus" --algo bm --from 32
--to 41 -j DROP

-- 
Geoff Goas
Systems Engineer

_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod

 


_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod




-- 
Geoff Goas
Systems Engineer

_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod

 


_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod




-- 
Geoff Goas
Systems Engineer






_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod
  _____  


_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod






_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod
  _____  


_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod






_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod
  _____  


_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod






_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod
  _____  


_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod






_______________________________________________
cod mailing list
cod at icculus.org
http://icculus.org/mailman/listinfo/cod
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20120224/7a93afca/attachment-0001.htm>

More information about the cod mailing list