[cod] CoD2 UDP flood
Boyd G. Gafford Ph.D.
drboyd at westportresearch.com
Fri Feb 24 18:13:19 EST 2012
Wow, that's a lot of blocked IPs. Did you increase the default from 128
blocked IPs to something higher or are you using the defaults?
On 02/24/2012 05:05 PM, River Hosting wrote:
>
> No problem at all. Just a notice; I am running the script every 5
> seconds so the log will include duplicate IP addresses... Second, since
> iptables are working now, all other IPs are just blocked (not shown here).
>
> Log: http://riverhosting.nl/includes/02-24-2012.log
>
> With kind regards,
>
> Julian Maartens
> River Hosting
>
> info at riverhosting.nl <mailto:info at riverhosting.nl>
> http://www.riverhosting.nl <http://www.riverhosting.nl/>
>
> *From:* Boyd G. Gafford Ph.D. [mailto:drboyd at westportresearch.com]
> *Sent:* Friday 24 February 2012 23:27
> *To:* Call of Duty server admin list.
> *Subject:* Re: [cod] CoD2 UDP flood
>
> That's good news! I would love to see ServerArk's log for the past
> 24/48 hours, would you mind posting it? It should show what IPs have
> been detected as flood attacks and blocked.
>
> :)
>
> Thanks,
>
> /Boyd/
>
>
> On 02/24/2012 03:38 PM, River Hosting wrote:
>
> Hello again guys,
>
> I was adding some new rules into the firewall and it looks like the
> flooding has stopped!
>
> Now using:
>
> - /serverark/ (recently posted on this list)
>
> - /getstatus_ban.sh/ (recently posted as well)
>
> - /iptables/
>
> Since this morning the traffic dropped from 6 Mbit/s to 45 Kb/s.
>
> When filtering, shutting down all gameservers running on your box for
> about 24-48 hours may do the trick. After that time just reboot them
> and let the magic happen... :)
>
> With kind regards,
>
> Julian Maartens
> River Hosting
>
> info at riverhosting.nl <mailto:info at riverhosting.nl>
> http://www.riverhosting.nl <http://www.riverhosting.nl/>
>
> *From:* Marco Padovan [mailto:evcz at evcz.tk]
> *Sent:* Friday 24 February 2012 14:05
> *To:* Call of Duty server admin list.
> *Subject:* Re: [cod] CoD2 UDP flood
>
> You can either use the one you linked from modsrepository or the more
> "complex" one that was posted on this list
>
> On 24/02/2012 14:03, david.lauriou at wanadoo.fr
> <mailto:david.lauriou at wanadoo.fr> wrote:
>
> The rules are?
>
> ----- Original Message -----
>
> *From:*Marco Padovan <mailto:evcz at evcz.tk>
>
> *To:*cod at icculus.org <mailto:cod at icculus.org>
>
> *Sent:*Friday, February 24, 2012 2:00 PM
>
> *Subject:*Re: [cod] CoD2 UDP flood
>
> That rule is very basic.
>
> cod1, cod1.5, cod2 and cod4 all suffer the same problem and are
> exploited in the same exact way.
>
> So an iptables rule that fixes the cod4 problem also works for cod2 and
> cod1.
>
> On 24/02/2012 13:51, david.lauriou at wanadoo.fr
> <mailto:david.lauriou at wanadoo.fr> wrote:
>
> I've found this:
> http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers
>
> It's for CoD4, not for CoD2!
>
> ----- Original Message -----
>
> *From:*Marco Padovan <mailto:evcz at evcz.tk>
>
> *To:*cod at icculus.org <mailto:cod at icculus.org>
>
> *Sent:*Friday, February 24, 2012 1:49 PM
>
> *Subject:*Re: [cod] CoD2 UDP flood
>
> NO!
>
> Read the messages that got posted in the last 2 days...
>
> This should be a proper ruleset:
> http://icculus.org/pipermail/cod/2012-February/015927.html
>
> On 24/02/2012 13:47, david.lauriou at wanadoo.fr
> <mailto:david.lauriou at wanadoo.fr> wrote:
>
> Like this?
>
> IPTABLES -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
>
> IPTABLES -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>
> ----- Original Message -----
>
> *From:*Marco Padovan <mailto:evcz at evcz.tk>
>
> *To:*Call of Duty server admin list. <mailto:cod at icculus.org>
>
> *Sent:*Friday, February 24, 2012 1:35 PM
>
> *Subject:*Re: [cod] CoD2 UDP flood
>
> iptables rules
>
> On 24/02/2012 13:28, david.lauriou at wanadoo.fr
> <mailto:david.lauriou at wanadoo.fr> wrote:
>
> For CoD4, what is the best method to remove the UDP flooding
> exploit?
>
> ----- Original Message -----
>
> *From:*Marco Padovan <mailto:evcz at evcz.tk>
>
> *To:*Call of Duty server admin list.
> <mailto:cod at icculus.org>
>
> *Sent:*Friday, February 24, 2012 12:10 PM
>
> *Subject:*Re: [cod] CoD2 UDP flood
>
> Be aware that there are two different ways to talk
> about offset: packet offset (includes header) and
> payload offset (does not include header)
>
> On 24/02/2012 10:41, Geoff Goas wrote:
>
> You're right, and I see my error. That is frustrating
> because I have no idea why it doesn't work with the
> offset specified then.
>
> On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro
> <farflame at cybergames.it
> <mailto:farflame at cybergames.it>> wrote:
>
> Try this command
>
> tcpdump -c 4 -nnvvvXS dst port 28960
>
> where port is the port that you want to monitor
>
> The output should be something like:
>
> 0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad E..+5...u.......
>
> 0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff ....p.q.........
>
> 0x0020: 6765 7473 7461 7475 730a 0000 0000 getstatus.....
>
> On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
>
> That is strange, because if I use those values, it
> does not work. If I use "--from 31" alone, then it
> works. As soon as I change that to 32, it stops
> working. When I inspect the packets in Wireshark, the
> "getstatus" string starts at offset 48 if counting
> from 1. Would there be a way for iptables to print to
> log what it sees in the specified offset range?
>
> On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame Fabbro
> <farflame at cybergames.it
> <mailto:farflame at cybergames.it>> wrote:
>
> The length of the packet doesn't matter.
>
> That rule will try to find the string "getstatus"
> starting at position 32 bytes from the start of the packet and
> searching for it up to position 41 at most.
>
> The Q3 protocol for that command expects the string to
> be in that range.
>
> On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:
>
> Is the offset range of 32-41 based on a 60-byte
> packet?
>
> On Thu, Feb 23, 2012 at 10:34 AM, Marco Padovan
> <evcz at evcz.tk <mailto:evcz at evcz.tk>> wrote:
>
> iptables -A INPUT -p udp -m string --string "getstatus" --algo bm --from 32 --to 41 -j DROP
>
> --
> */Geoff Goas
> Systems Engineer/*
>
> _______________________________________________
> cod mailing list
> cod at icculus.org <mailto:cod at icculus.org>
> http://icculus.org/mailman/listinfo/cod
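Marco's point about the two offset conventions (packet offset counted from the IP header versus payload offset counted from the first UDP payload byte), worked through on the tcpdump dump Luca quoted above. This is an added example, not code from the thread or from any of the tools it names; it assumes that xt_string's --from/--to count from the IP header (consistent with the 32/41 values in Marco's rule) and that a Wireshark byte view would show a 14-byte Ethernet header in front of the IP packet.

```python
import re
import struct

# Constructed from the tcpdump -X output quoted in the thread (IP header first, no Ethernet header).
DUMP = """
0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad E..+5...u.......
0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff ....p.q.........
0x0020: 6765 7473 7461 7475 730a 0000 0000      getstatus.....
"""

HEX_WORDS = re.compile(r"^0x[0-9a-f]{4}:((?:\s+[0-9a-f]{4}){1,8})", re.I)
Q3_OOB = b"\xff\xff\xff\xff"   # Quake3-style out-of-band prefix that precedes "getstatus"
ETH_HDR_LEN = 14               # assumption: Wireshark shows a plain Ethernet frame in front of IP


def hexdump_to_bytes(dump):
    """Rebuild the raw packet from tcpdump's hex columns, ignoring the ASCII gutter."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        m = HEX_WORDS.match(line.strip())
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)


def parse_ipv4_udp(pkt):
    """Return (payload_offset, dst_port, payload) for an IPv4/UDP packet starting at the IP header."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17:
        raise ValueError("not UDP")
    pkt = pkt[:total_len]                      # drop link-layer padding past the IP total length
    _src, dst_port, udp_len = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    payload_off = ihl + 8                      # IP header + 8-byte UDP header
    return payload_off, dst_port, pkt[payload_off:ihl + udp_len]


def locate_getstatus(pkt, command=b"getstatus"):
    """Report where the command sits in each offset convention discussed in the thread."""
    payload_off, dst_port, payload = parse_ipv4_udp(pkt)
    if not payload.startswith(Q3_OOB + command):
        return None
    payload_offset = len(Q3_OOB)                   # counted from the first UDP payload byte
    packet_offset = payload_off + payload_offset   # counted from the IP header: what xt_string --from uses
    return {
        "dst_port": dst_port,
        "payload_offset": payload_offset,
        "packet_offset": packet_offset,
        "frame_offset": ETH_HDR_LEN + packet_offset,  # 0-based position in a Wireshark byte view
        "string_window": (packet_offset, packet_offset + len(command)),  # the rule's --from/--to
        "bare_probe": payload.rstrip(b"\n\x00") == Q3_OOB + command,   # nothing but the probe itself
    }


if __name__ == "__main__":
    print(locate_getstatus(hexdump_to_bytes(DUMP)))
```

Running it on the quoted dump reports packet offset 32 and payload offset 4 for the same bytes, which is why a rule written with payload offsets in mind silently misses while --from 32 matches.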