Re: Ethereal ideas - Slightly OT

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 01/17/05

Date: Sun, 16 Jan 2005 17:50:30 -0600

In article <_NmGd.10305$7N2.5509@fe04.lga>, Jeff Franks wrote:

>I have a game server using an iptables firewall. Recently, a hacker has
>been able to figure out how to use the single open port to join the game and
>then he does something that crashes the server app (via the game port). I
>assume he's sending some un-normal packet or flooding it or something.
>Anyway, he's doing this to multiple servers on the net and no one seems to
>give a rip, because "it's a game".

OK Jeff, I want you to reread what you posted, and tell us if you've seen any
information about what game this might be - what O/S it might be running on,
or indeed _anything_ useful.

>Well, the "game" to me has become, "make this jerk go away". Soooooo,

Fine - block his IP. If he's playing musical addresses, block the entire
block he's using.

>I have been able to capture multiple "shutdowns" on my server with Ethereal.
>The problem is, I have no clue what I'm looking at.

Are the packets "normal" - that is, size, IP flags, IP options, TCP or UDP
flags/options, etc? Size here merely refers to IP standards of 46 to 1500
octets (or whatever your MSS is). Fragmentation? If so, fragmentation

>I can see some odd sized packets, but nothing jumps off the screen at me as
>the problem.

As above

>How do I go about analyzing the data I captured?

Is the game open source? See what the packets are doing by reading the
source. If the game is closed source, or some windoze proprietary crap,
send notification to the company that supplied it, and offer to send them
the packets as a tarball or zip file.

>Any help on this will be greatly appreciated....heck I'll name a new server
>after you if you point me in the right direction :)

No thanks. Some of us spend all freakin' day on computers - the last thing
I'd be doing is running/playing games on it. ;-)

        Old guy
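The checklist in the reply (size, IP options, fragmentation, TCP flags) turned into a small triage script over raw IPv4 packets. This is an added illustration, not code from the thread or from Ethereal; the packets, ports and addresses it inspects are constructed, and it goes slightly beyond the post by naming the usual odd TCP flag combinations.

```python
"""Triage raw IPv4 packets (no link-layer header) for the oddities the reply lists:
size, IP options, fragmentation, TCP flags. Added illustration; sample packets are constructed."""
import struct

MTU = 1500  # the 1500-octet upper bound the reply quotes
ODD_TCP_FLAGS = {0x00: "null scan (no TCP flags)", 0x03: "SYN+FIN together",
                 0x29: "Xmas (FIN+PSH+URG)"}

def triage(pkt: bytes) -> list[str]:
    """Return anomaly labels for one raw IPv4 packet; [] means it looks normal."""
    if len(pkt) < 20:
        return ["truncated: shorter than a minimal IPv4 header"]
    ver_ihl, _tos, total_len, _id, frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        return [f"not IPv4 (version {ver_ihl >> 4})"]
    ihl = (ver_ihl & 0x0F) * 4
    findings = []
    if total_len != len(pkt):
        findings.append(f"length field {total_len} != captured {len(pkt)} bytes")
    if total_len > MTU:
        findings.append(f"oversized: {total_len} > {MTU}")
    if ihl > 20:
        findings.append(f"IP options present ({ihl - 20} bytes)")
    if frag & 0x2000 or frag & 0x1FFF:  # MF flag set or nonzero fragment offset
        findings.append("fragmented (MF set or nonzero offset)")
    if proto == 6 and len(pkt) >= ihl + 20:  # TCP: bytes 12-13 hold data offset + flags
        doff_flags = struct.unpack("!H", pkt[ihl + 12:ihl + 14])[0]
        flags, data_off = doff_flags & 0x3F, (doff_flags >> 12) * 4
        if flags in ODD_TCP_FLAGS:
            findings.append(ODD_TCP_FLAGS[flags])
        if data_off > 20:
            findings.append(f"TCP options present ({data_off - 20} bytes)")
    return findings

def build(payload=b"", tcp_flags=0x02, frag=0x4000, ihl_words=5) -> bytes:
    """Construct an IPv4/TCP packet for the demo (hypothetical ports/addresses, zero checksums)."""
    tcp = struct.pack("!HHIIHHHH", 40000, 7777, 1, 0, (5 << 12) | tcp_flags, 8192, 0, 0)
    total = ihl_words * 4 + len(tcp) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 1, frag, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * ((ihl_words - 5) * 4) + tcp + payload

SAMPLES = {  # constructed, not taken from any real capture
    "normal SYN": build(), "null scan": build(tcp_flags=0x00),
    "fragment": build(b"A" * 8, frag=0x2000), "IP options": build(ihl_words=6),
    "oversized": build(b"B" * 1500),
}

if __name__ == "__main__":
    print({name: triage(pkt) or "looks normal" for name, pkt in SAMPLES.items()})
```

To run it over a real capture, export the packets from Ethereal and feed each IPv4 packet (minus the Ethernet header) to `triage`.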