Limiting Packet Size



I have a server app (a game) that is being shut down by a hacker.  From what
I can tell, he is simply sending a series of oversized packets to the game
port and BZZZT, the game errors out.  Granted this is an old game that
should be able to handle a buffer overrun, but that being the case.....

Can I use IPTables to detect when a BO is occurring or to monitor packet
size and stop this kind of event?

Any ideas are appreciated.


Re: Limiting Packet Size

Well, firstly you need to know what is 'special' about the packets that you
can use to identify them.  Ethereal is your friend here.

In the case you described, if you know packets should never be any larger
than 'x' then simply use:

iptables -A INPUT -p <proto> --dport <port> -m length --length <x>: -j DROP

where '<x>' is the maximum size plus one byte of the packets you would
expect to see, protocol is (most likely) either 'tcp' or 'udp' and <port> is
the port number used.  If the exploit is spread over several packets then you
run into problems and might have to come up with some special CONNMARK

One word of advice, no matter what people tell you 'string' is not a Good
Idea(tm) in *any* firewall; it should only be used very quickly in the
short term to protect an application from an exploit where no patch exists.  
If the patch never ends up existing do not run the software....

Good luck
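The reply above gives the one DROP rule; what the original poster also asked for was a way to *see* when the oversized packets arrive. The script below is an added example, not code from the thread: it builds the same `-m length` rule as a LOG + DROP pair (the LOG rule rate-limited so the log itself cannot be flooded), validates the inputs, and only executes the commands when run as root with APPLY=1, otherwise it just prints them. The protocol `udp`, port `27960` and the 512-byte size limit are assumed placeholder values; substitute what Ethereal shows for your own game.

```sh
#!/bin/sh
# Added example (not from the thread). Builds iptables "length" match rules
# that log and then drop packets larger than the expected maximum.
# Note: the length match compares the IP total length, so the limit you
# choose must include the IP and TCP/UDP headers, not just the payload.

# Print the iptables commands for one protocol/port/limit.
# Usage: build_length_rules PROTO PORT MAX_EXPECTED_BYTES
build_length_rules() {
    proto="$1"; port="$2"; max="$3"
    # Validate inputs: protocol must be tcp or udp, port and size numeric.
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    case "$max" in ''|*[!0-9]*) echo "bad size: $max" >&2; return 1 ;; esac
    [ "$max" -ge 1 ] && [ "$max" -le 65535 ] || { echo "size out of range: $max" >&2; return 1; }
    # As the reply says, x is the maximum expected size plus one;
    # "--length x:" matches packets of x bytes or more.
    cutoff=$((max + 1))
    # Log first (rate limited), then drop. Both rules use the same match.
    echo "iptables -A INPUT -p $proto --dport $port -m length --length $cutoff: -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"OVERSIZED:$proto/$port \""
    echo "iptables -A INPUT -p $proto --dport $port -m length --length $cutoff: -j DROP"
}

# Run the generated commands only when APPLY=1 and we are root;
# otherwise print them prefixed with "dry-run:" for review.
apply_length_rules() {
    build_length_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
            eval "$cmd"
        else
            echo "dry-run: $cmd"
        fi
    done
}

# Placeholder values: udp game port 27960, largest legitimate packet 512 bytes.
apply_length_rules udp 27960 512
```

Once applied, `iptables -L INPUT -v -n` shows per-rule packet and byte counters, so a rising counter on the DROP rule (or `OVERSIZED:` lines in the kernel log) tells you the flood is happening without the game ever seeing the packets. Because the match is per packet, an attacker who fragments the oversized datagram would produce several smaller fragments, which is the multi-packet case the reply flags as needing something beyond a plain length match.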


