[cod] COD 4 UDP security leak

Marco Padovan evcz at evcz.tk
Fri Jan 6 18:27:53 EST 2012


To monitor a specific recent "bucket" in real time, you can use this command:

watch -n 1 -d cat /proc/net/ipt_recent/getstatus_cod

On 07/01/2012 00:02, Jeff Love wrote:
> I'm getting a lot of matches on those rules. This is after less than an hour in place.
>
> pkts bytes target     prot opt in     out     source               destination
> 288K   12M            udp  --  *      *       0.0.0.0/0            0.0.0.0/0           length 42 recent: SET name: getstatus_cod side: source
> 254K   11M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source
>
> Jeff Love
> Burgh Gaming
>
>> I've been running these rules for some months now with no problem.
>>
>> The key is that:
>>
>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set
>> --name getstatus_cod
>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus"
>> -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>
>> If the hitcount isn't overloaded, packets are accepted.
>>
>> On 06/01/12 22:39, Jeff Love wrote:
>>> Are we sure that a getstatus packet length is 42, and that there are no legitimate client packets
>>> of length 1162-1168?
>>> If so, this seems like a good fix. I just want to be sure I'm not blocking legitimate client
>>> packets.
>>>
>>> Jeff Love
>>> Burgh Gaming
>>>
>>>> You can try this:
>>>>
>>>> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
>>>> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
>>>> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
>>>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set
>>>> --name getstatus_cod
>>>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus"
>>>> -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>>>
>>>> This prevents your servers from being exploitable. If you are the target
>>>> there's nothing in your hands to take UDP floods down; only your ISP can
>>>> blackhole the offending IPs.
>>>>
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org
>>> http://icculus.org/mailman/listinfo/cod
>>>
>> --
>>
>> *David Aguilar Valero*
>>
>> Commercial and Technical Support Dept.
>>
>> NewLight Systems
>>
>> *Game servers, HW, Dedicated*
>>
>> *crk01 at nls.es*
>>
>> crk01 at newlightsystems.com
>>
>> tecnico at newlightsystems.com
>>
>> #NewLight_Systems @ irc-hispano.org
>>
>> *www.newlightsystems.com* <http://www.newlightsystems.com/>
>>
>> *www.nls.es* <http://www.nls.es/>
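As an added example (not from the thread or from anyone's actual firewall), the following Python models the two-rule chain quoted above so the hitcount behaviour can be checked offline on a constructed packet trace; the constants mirror the rule arguments, and the cap of 20 stamps per source is an assumption taken from xt_recent's default ip_pkt_list_tot.

```python
from collections import defaultdict, deque

HITCOUNT = 20       # --hitcount 20
WINDOW = 1.0        # --seconds 1
LIST_TOT = 20       # assumed xt_recent default ip_pkt_list_tot: stamps kept per source
GETSTATUS_LEN = 42  # --length 42, the getstatus query length discussed in the thread

def make_chain():
    """Return verdict(src, ts, length, payload) -> "ACCEPT" or "DROP"; the
    getstatus_cod list (per-source timestamps) lives in the closure."""
    recent = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def verdict(src, ts, length, payload):
        # Rule 1: -m length --length 42 -m recent --set --name getstatus_cod
        # Every 42-byte packet stamps its source, whatever the payload.
        if length == GETSTATUS_LEN:
            recent[src].append(ts)
        # Rule 2: -m string --string "getstatus" -m recent --update
        #         --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
        # --update matches only sources already listed with >= 20 stamps in
        # the last second, and refreshes the entry when it matches.
        if b"getstatus" in payload and src in recent:
            hits = sum(1 for t in recent[src] if ts - t <= WINDOW)
            if hits >= HITCOUNT:
                recent[src].append(ts)
                return "DROP"
        return "ACCEPT"

    return verdict

def run_trace(packets):
    """Apply one chain instance to (src, ts, length, payload) tuples in order."""
    verdict = make_chain()
    return [verdict(*pkt) for pkt in packets]

def demo():
    """Constructed trace: a player polling once a second beside a source that
    sends 30 getstatus queries in 0.3 s. Returns {src: (accepted, dropped)}."""
    getstatus = b"\xff\xff\xff\xffgetstatus"
    player = [("198.51.100.7", 1.0 * i, 42, getstatus) for i in range(5)]
    flood = [("203.0.113.9", 0.01 * i, 42, getstatus) for i in range(30)]
    trace = sorted(player + flood, key=lambda p: p[1])
    tally = defaultdict(lambda: [0, 0])
    for pkt, v in zip(trace, run_trace(trace)):
        tally[pkt[0]][0 if v == "ACCEPT" else 1] += 1
    return {src: tuple(counts) for src, counts in tally.items()}

if __name__ == "__main__":
    for src, (ok, dropped) in demo().items():
        print(f"{src}: {ok} accepted, {dropped} dropped")
```

The model shows why the player is never affected while the burst source loses every query after its 19th within the window, and it makes David's point visible: nothing is dropped until the per-source count reaches the hitcount.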