[cod] CoD2 UDP flood
Boyd G. Gafford Ph.D.
drboyd at westportresearch.com
Tue Feb 28 09:20:43 EST 2012
Due to the flexibility of iptables rules, I'm currently investigating
doing the same logic that ServerArk does as a daemon with just
iptables. It would require setting a rate limit on all packets, not
just getstatus or getinfo packets (although their limit of 2/sec, or
maybe raised to 4/sec, would still be in effect to prevent being used in a
reflection attack).
Geoff, if you would be so kind as to share them, I'll see what I can do to
enhance the set of rules to handle multiple UDP floods that actually come FROM a
reflection attack (instead of just preventing being part of one).
Thanks,
/Boyd/
On 02/28/2012 05:09 AM, escapedturkey wrote:
> Can you please share your changes? I assumed the rules would cover
> multiple IP aliases. This is incorrect?
>
> Thanks. =)
>
> On Tue, Feb 28, 2012 at 2:47 AM, Geoff Goas <gitman at gmail.com
> <mailto:gitman at gmail.com>> wrote:
>
> Well I can say the iptables rules have been running fantastically.
> I added a few tweaks such as not blocking the server's own set of
> IPs (there are quite a few internal queries going on), and also
> setting the hashlimit-mode to be based on source and destination
> IP since I have different server instances on different addresses,
> and I wanted a little more granularity to the matching. My ingress
> rates are still noticeably higher than they used to be, but at
> least the outbound bandwidth isn't being exploited anymore.
>
> Does anyone know the default value for hashlimit-htable-expire? I
> haven't been able to find it, so I've manually set it to 30 seconds.
>
>
>
> On 02/24/2012 03:38 PM, River Hosting wrote:
>
> Hello again guys,
>
> I was adding some new rules into the firewall and it looks
> like the flooding has stopped!
>
> Now using;
>
> - /serverark/ (recently posted on this list)
>
> - /getstatus_ban.sh/ (recently posted as well)
>
> - /iptables/
>
> Since this morning the traffic dropped from 6 Mbit/s to 45 Kb/s.
>
> When filtering, shutting down all gameservers running on your
> box for about 24-48 hours may do the trick. After that time
> just reboot them and let the magic happen... :)
>
> With kind regards,
>
> Julian Maartens
> River Hosting
>
> info at riverhosting.nl <mailto:info at riverhosting.nl>
> http://www.riverhosting.nl <http://www.riverhosting.nl/>
>
> *From:* Marco Padovan [mailto:evcz at evcz.tk]
> *Sent:* Friday, 24 February 2012 14:05
> *To:* Call of Duty server admin list.
> *Subject:* Re: [cod] CoD2 UDP flood
>
> You can either use the one you linked from modsrepository or
> the more "complex" one that was posted on this list
>
> On 24/02/2012 14:03, david.lauriou at wanadoo.fr
> <mailto:david.lauriou at wanadoo.fr> wrote:
>
> What are the rules?
>
> ----- Original Message -----
>
> *From:*Marco Padovan <mailto:evcz at evcz.tk>
>
> *To:*cod at icculus.org <mailto:cod at icculus.org>
>
> *Sent:*Friday, February 24, 2012 2:00 PM
>
> *Subject:*Re: [cod] CoD2 UDP flood
>
> That rule is very basic.
>
> cod1, cod1.5, cod2 and cod4 all suffer the same problem
> and are exploited in the same exact way.
>
> So an iptables ruleset that fixes the cod4 problem also works for
> cod2 and cod1.
>
> On 24/02/2012 13:51, david.lauriou at wanadoo.fr
> <mailto:david.lauriou at wanadoo.fr> wrote:
>
> I found this:
> http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers
>
> It's for CoD4, not for CoD2!
>
> ----- Original Message -----
>
> *From:*Marco Padovan <mailto:evcz at evcz.tk>
>
> *To:*cod at icculus.org <mailto:cod at icculus.org>
>
> *Sent:*Friday, February 24, 2012 1:49 PM
>
> *Subject:*Re: [cod] CoD2 UDP flood
>
> NO!
>
> Read the messages that got posted in the last 2 days...
>
> This should be a proper ruleset:
> http://icculus.org/pipermail/cod/2012-February/015927.html
>
> On 24/02/2012 13:47, david.lauriou at wanadoo.fr
> <mailto:david.lauriou at wanadoo.fr> wrote:
>
> Like this?
>
> iptables -A INPUT -p udp -m length --length 42 -m recent --set --name getstatus_cod
>
> iptables -A INPUT -p udp -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>
> ----- Original Message -----
>
> *From:*Marco Padovan <mailto:evcz at evcz.tk>
>
> *To:*Call of Duty server admin list.
> <mailto:cod at icculus.org>
>
> *Sent:*Friday, February 24, 2012 1:35 PM
>
> *Subject:*Re: [cod] CoD2 UDP flood
>
> iptables rules
>
> On 24/02/2012 13:28, david.lauriou at wanadoo.fr
> <mailto:david.lauriou at wanadoo.fr> wrote:
>
> For CoD4, what is the best method to remove the UDP
> flooding exploit?
>
> ----- Original Message -----
>
> *From:*Marco Padovan <mailto:evcz at evcz.tk>
>
> *To:*Call of Duty server admin list.
> <mailto:cod at icculus.org>
>
> *Sent:*Friday, February 24, 2012 12:10 PM
>
> *Subject:*Re: [cod] CoD2 UDP flood
>
> Be aware that there are two different ways to
> talk about offset: packet offset (includes
> header) and payload offset (does not include
> header)
>
> On 24/02/2012 10:41, Geoff Goas wrote:
>
> You're right, and I see my error. That is
> frustrating because I have no idea why it
> doesn't work with the offset specified then.
>
> On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame
> Fabbro <farflame at cybergames.it
> <mailto:farflame at cybergames.it>> wrote:
>
> Try this command
>
> tcpdump -c 4 -nnvvvXS dst port 28960
>
> where port is the port that you want to monitor
>
> should be something like
>
> 0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
> 0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
> 0x0020: 6765 7473 7461 7475 730a 0000 0000       getstatus.....
>
> On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
>
> That is strange, because if I use those
> values, it does not work. If I use "--from 31"
> alone, then it works. As soon as I change that
> to 32, it stops working. When I inspect the
> packets in Wireshark, the "getstatus" string
> starts at offset 48 if counting from 1. Would
> there be a way for iptables to print to log
> what it sees in the specified offset range?
>
> On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame
> Fabbro <farflame at cybergames.it
> <mailto:farflame at cybergames.it>> wrote:
>
> The length of the packet doesn't matter.
>
> That rule will try to find the string
> "getstatus" starting at byte 32 from the
> start of the packet, searching for it up
> to byte 41 at most.
>
> The Q3 protocol for that command expects the
> string to be in that range.
>
> On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:
>
> Is the offset range of 32-41 based on a
> 60-byte packet?
>
> On Thu, Feb 23, 2012 at 10:34 AM, Marco
> Padovan <evcz at evcz.tk
> <mailto:evcz at evcz.tk>> wrote:
>
> iptables -A INPUT -p udp -m string
> --string "getstatus" --algo bm --from 32
> --to 41 -j DROP
>
> --
> */Geoff Goas
> Systems Engineer/*
>
> _______________________________________________
> cod mailing list
> cod at icculus.org <mailto:cod at icculus.org>
> http://icculus.org/mailman/listinfo/cod
> --
> */Geoff Goas
> Systems Engineer/*
>
> --
> */Geoff Goas
> Systems Engineer/*
>
> --
> /*Geoff Goas
> Systems Engineer*/
>
> --
> EscapedTurkey.com Billing and Support
> https://www.escapedturkey.com/helpdesk
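The script below is an added example, not code posted by anyone in the thread. It first reproduces the offset check the thread works through by hand, using the packet Luca captured (20-byte IP header, 8-byte UDP header, four 0xff bytes, then the command, so "getstatus" starts at packet offset 32 and payload offset 4), and then emits an iptables ruleset along the lines Geoff and Boyd describe: the server's own addresses exempted, getstatus and getinfo limited per source+destination pair with hashlimit, and a per-source ceiling on all other UDP to the game ports. The chain name, port range, own-IP list and every rate are placeholders to tune, not values from the thread. The --from 28 --to 48 window, anchored on the four 0xff bytes with --hex-string, is deliberately wider than 32-41 because Geoff reports that --from 32 did not match for him.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks where "getstatus" sits in a
# captured packet and emits an iptables ruleset built around that offset.
# Placeholders (not from the thread): CHAIN, PORTS, OWN_IPS and every rate.

# Luca's tcpdump -X output, IP header first (the captured packet quoted above).
SAMPLE_DUMP='4500 002b 35b3 0000 7511 179b b612 80ad
c0a8 010c 7012 7120 0017 0000 ffff ffff
6765 7473 7461 7475 730a 0000 0000'

# Write a hex dump to stdout as raw bytes. Octal escapes keep it portable
# to dash, whose printf has no \x escape.
hex_to_bin() {
    hex=$(printf '%s' "$1" | tr -d ' \n')
    fmt=''
    while [ -n "$hex" ]; do
        byte=$(printf '%s' "$hex" | cut -c1-2)
        hex=${hex#??}
        fmt="$fmt$(printf '\\%03o' "$((0x$byte))")"
    done
    printf "$fmt"
}

# Offset of "getstatus" from the start of the IP header, which is the
# origin xt_string's --from/--to count from (20 IP + 8 UDP + 4 x 0xff = 32).
getstatus_offset() {
    hex_to_bin "$SAMPLE_DUMP" | grep -abo getstatus | cut -d: -f1
}

# The same position relative to the UDP payload (what Wireshark shows).
getstatus_payload_offset() {
    echo $(( $(getstatus_offset) - 28 ))
}

CHAIN=COD_UDP                 # placeholder chain name
PORTS=28960:28963             # placeholder game port range
OWN_IPS='192.168.1.12'        # placeholder: this host's own addresses
STATUS_RATE=4/sec             # per src+dst pair, the figure Boyd floats
FLOOD_RATE=200/sec            # placeholder per-source ceiling; measure, then tune
EXPIRE_MS=30000               # the 30 s Geoff set by hand

# Print the ruleset. Query packets within the limit RETURN to INPUT so the
# rest of the policy still applies; the excess is dropped.
cod_rules() {
    echo "iptables -N $CHAIN"
    echo "iptables -A INPUT -p udp --dport $PORTS -j $CHAIN"
    # Never rate-limit the server's own internal queries.
    for ip in $OWN_IPS; do
        echo "iptables -A $CHAIN -s $ip -j RETURN"
    done
    # getstatus and getinfo: the two queries that can be reflected.
    for q in getstatus getinfo; do
        match="-m string --algo bm --hex-string '|ff ff ff ff|$q' --from 28 --to 48"
        echo "iptables -A $CHAIN $match -m hashlimit --hashlimit-name cod_$q" \
             "--hashlimit-mode srcip,dstip --hashlimit-upto $STATUS_RATE" \
             "--hashlimit-burst 4 --hashlimit-htable-expire $EXPIRE_MS -j RETURN"
        echo "iptables -A $CHAIN $match -j DROP"
    done
    # Everything else: a per-source ceiling on UDP to the game ports.
    echo "iptables -A $CHAIN -m hashlimit --hashlimit-name cod_udp" \
         "--hashlimit-mode srcip --hashlimit-above $FLOOD_RATE" \
         "--hashlimit-burst 200 --hashlimit-htable-expire $EXPIRE_MS -j DROP"
}

# Apply the rules (root only); cod_rules on its own just prints them.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo 'apply_rules: must run as root' >&2; return 1; }
    cod_rules | sh -e
}

echo "getstatus at packet offset $(getstatus_offset)," \
     "payload offset $(getstatus_payload_offset)"
cod_rules
```

Run as-is it prints the offsets and the rules; apply_rules runs them only as root. Because hashlimit keeps one bucket per key, the srcip,dstip mode means a flood aimed at one server address never throttles legitimate queries to another, which is the granularity Geoff wanted. The per-source ceiling, on the other hand, does little against a reflection flood whose packets arrive from many addresses, which is the gap Boyd describes; the per-pair limit on the queries is what stops the server from amplifying. If you omit --hashlimit-htable-expire, check `iptables -m hashlimit --help` on the build you run rather than assuming a default.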