  1. #1
    Just Joined!
    Join Date
    Feb 2013
    Posts
    3

    Block exploit for my server (IPTABLES)


    Hi there

    I have game servers and a player is using an exploit to crash the server.

    This is how the player connects

    77.85.164.123.27005 = hacker
    server.ip.x.x.27015 = server IP (not disclosed)
    **** = next is the new attack/connection

    Code:
    00:09:36.420420 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 23
    00:09:36.458123 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 254
    00:09:36.470179 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1848
    00:09:36.485893 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1876
    00:09:36.501401 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1848
    
    **** **** **** **** **** **** **** **** **** **** ****
    
    00:13:36.838353 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 23
    00:13:36.894425 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 254
    00:13:36.906426 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1828
    00:13:36.921706 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1856
    00:13:36.937433 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1828
    
    
    **** **** **** **** **** **** **** **** **** **** ****
    00:25:36.767128 IP (tos 0x0, ttl 123, id 16385, offset 0, flags [none], proto UDP (17), length 51)
    77.85.164.123.27005 > server.ip.x.x.27015: [udp sum ok] UDP, length 23
    00:25:36.804151 IP (tos 0x0, ttl 123, id 16390, offset 0, flags [none], proto UDP (17), length 282)
    77.85.164.123.27005 > server.ip.x.x.27015: [udp sum ok] UDP, length 254
    00:25:36.821373 IP (tos 0x0, ttl 123, id 16391, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1969
    00:25:36.838801 IP (tos 0x0, ttl 123, id 16392, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1997
    00:25:36.855259 IP (tos 0x0, ttl 123, id 16393, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1969
    **** **** **** **** **** **** **** **** **** **** ****
    
    
    **** **** **** **** **** **** **** **** **** **** ****
    77.85.164.123.27005 > server.ip.x.x.27015: [udp sum ok] UDP, length 23
    00:37:36.803713 IP (tos 0x0, ttl 123, id 19598, offset 0, flags [none], proto UDP (17), length 281)
    77.85.164.123.27005 > server.ip.x.x.27015: [udp sum ok] UDP, length 253
    00:37:36.816076 IP (tos 0x0, ttl 123, id 19599, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1723
    00:37:36.830937 IP (tos 0x0, ttl 123, id 19600, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1751
    00:37:36.845914 IP (tos 0x0, ttl 123, id 19601, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1723
    **** **** **** **** **** **** **** **** **** **** ****
    
    
    00:41:36.718241 IP (tos 0x0, ttl 123, id 8480, offset 0, flags [none], proto UDP (17), length 51)
    77.85.164.123.27005 > server.ip.x.x.27015: [udp sum ok] UDP, length 23
    00:41:36.753982 IP (tos 0x0, ttl 123, id 8485, offset 0, flags [none], proto UDP (17), length 282)
    77.85.164.123.27005 > server.ip.x.x.27015: [udp sum ok] UDP, length 254
    00:41:36.766237 IP (tos 0x0, ttl 123, id 8486, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1855
    00:41:36.781768 IP (tos 0x0, ttl 123, id 8487, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1883
    00:41:36.797257 IP (tos 0x0, ttl 123, id 8488, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1855
    00:41:37.213272 IP (tos 0x0, ttl 124, id 6221, offset 0, flags [DF], proto UDP (17), length 53)
    78.142.51.58.12174 > server.ip.x.x.27015: [udp sum ok] UDP, length 25
    
    **** **** **** **** **** **** **** **** **** **** ****
    
    
    01:05:33.100636 IP (tos 0x0, ttl 124, id 29501, offset 0, flags [DF], proto UDP (17), length 37)
    78.142.51.58.12174 > server.ip.x.x.27015: [udp sum ok] UDP, length 9
    01:05:36.779054 IP (tos 0x0, ttl 123, id 27719, offset 0, flags [none], proto UDP (17), length 51)
    77.85.164.123.27005 > server.ip.x.x.27015: [udp sum ok] UDP, length 23
    01:05:36.817047 IP (tos 0x0, ttl 123, id 27728, offset 0, flags [none], proto UDP (17), length 281)
    77.85.164.123.27005 > server.ip.x.x.27015: [udp sum ok] UDP, length 253
    01:05:36.829596 IP (tos 0x0, ttl 123, id 27729, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1630
    01:05:36.843396 IP (tos 0x0, ttl 123, id 27730, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1658
    01:05:36.895090 IP (tos 0x0, ttl 123, id 27731, offset 0, flags [+], proto UDP (17), length 1492)
    77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1630
    01:05:40.900873 IP (tos 0x0, ttl 124, id 29789, offset 0, flags [DF], proto UDP (17), length 53)
    78.142.51.58.12174 > server.ip.x.x.27015: [udp sum ok] UDP, length 25
    Can we block it with iptables using some kind of string match, like this one for example?

    Code:
    iptables -A FORWARD -p udp -m udp --dport 27010:27030 -m string --algo bm --hex-string "|636f 6e74 6163 7420 2248 4c58 4272 7574|" -j DROP
    Last edited by cities; 02-09-2013 at 02:34 AM. Reason: title
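    A detector for the burst pattern visible in the tcpdump output above, written as an added example (it is not code from the thread): it parses both tcpdump formats shown in post #1, treats any UDP datagram larger than 1472 bytes or marked `flags [+]` as IP-fragmented, and flags a source that sends three or more such datagrams to port 27015 within one second, while the ordinary client 78.142.51.58 is left alone. The port, window and count thresholds are assumptions chosen to match the captures, not values from the thread.

```python
import re
from collections import defaultdict

# Sample lines copied from post #1 (one-line and verbose two-line tcpdump formats).
SAMPLE = """\
00:09:36.420420 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 23
00:09:36.470179 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1848
00:09:36.485893 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1876
00:09:36.501401 IP 77.85.164.123.27005 > server.ip.x.x.27015: UDP, length 1848
00:41:37.213272 IP (tos 0x0, ttl 124, id 6221, offset 0, flags [DF], proto UDP (17), length 53)
    78.142.51.58.12174 > server.ip.x.x.27015: [udp sum ok] UDP, length 25
"""

_LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP "
    r"(?:\(.*?flags \[(?P<flags>[^\]]*)\].*?\) )?"          # verbose header, optional
    r"(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"(?:\[udp sum ok\] )?UDP, length (?P<length>\d+)$"
)

def parse(text):
    """One dict per UDP datagram. tcpdump -v indents its second line,
    so indented lines are glued back onto the line before them."""
    pkts = []
    for line in re.sub(r"\n[ \t]+", " ", text).splitlines():
        m = _LINE.match(line)
        if not m:
            continue                      # separators, blank lines, other noise
        length = int(m["length"])
        pkts.append({
            "t": int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"]),
            "src": m["src"], "dport": int(m["dport"]), "length": length,
            # 1472 = 1500-byte frame - 20 IP - 8 UDP: larger payloads arrive fragmented
            "fragmented": m["flags"] == "+" or length > 1472,
        })
    return pkts

def burst_sources(text, dport=27015, window=1.0, min_frags=3):
    """Sources sending >= min_frags fragmented datagrams to dport within `window` s."""
    times = defaultdict(list)
    for p in parse(text):
        if p["dport"] == dport and p["fragmented"]:
            times[p["src"]].append(p["t"])
    flagged = []
    for src, ts in times.items():
        ts.sort()
        if any(ts[i] - ts[i - min_frags + 1] <= window
               for i in range(min_frags - 1, len(ts))):
            flagged.append(src)
    return sorted(flagged)
```

    Feed it the output of `tcpdump -n -v udp port 27015` to get a list of sources worth rate-limiting or dropping, rather than hard-coding one address as post #2 suggests.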

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Hello and welcome!

    Is there some reason why you don't just block the ip address of the user? e.g.:

    Code:
    iptables -A INPUT -s 77.85.164.123 -j DROP

  3. #3
    Just Joined!
    Join Date
    Feb 2013
    Posts
    3
    Yes, he can change IP; it is a dynamic network.
    And this ISP has tons of class C networks.

    That is not the way, and also he or others can do it from another ISP. The idea is to filter it!

  4. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Well, then have you tried your iptables rule and it does not work? Can you emulate an attack to test?

  5. #5
    Just Joined!
    Join Date
    Feb 2013
    Posts
    3
    The code in my first comment is the packet/connection that he sends, and the server crashes.
