Re: Ethereal ideas - Slightly OT

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 01/17/05


Date: Sun, 16 Jan 2005 17:50:30 -0600

In article <_NmGd.10305$7N2.5509@fe04.lga>, Jeff Franks wrote:

>I have a game server using an iptables firewall. Recently, a hacker has
>been able to figure out how to use the single open port to join the game and
>then he does something that crashes the server app (via the game port). I
>assume he's sending some un-normal packet or flooding it or something.
>Anyway, he's doing this to multiple servers on the net and no one seems to
>give a rip, because "it's a game".

OK Jeff, I want you to reread what you posted, and tell us if you see any
information about what game this might be - what O/S it might be running on,
or indeed _anything_ useful.

>Well, the "game" to me has become, "make this jerk go away". Soooooo,

Fine - block his IP. If he's playing musical addresses, block the entire
block he's using.

>I have been able to capture multiple "shutdowns" on my server with Ethereal.
>The problem is, I have no clue what I'm looking at.

Are the packets "normal" - that is, size, IP flags, IP options, TCP or UDP
flags/options, etc? Size here merely refers to IP standards of 46 to 1500
octets (or whatever your MSS is). Fragmentation? If so, fragmentation
offsets?

>I can see some odd sized packets, but nothing jumps off the screen at me as
>the problem.

As above

>How do I go about analyzing the data I captured?

Is the game open source? See what the packets are doing by reading the
source. If the game is closed source, or some windoze proprietary crap,
send notification to the company that supplied it, and offer to send them
the packets as a tarball or zip file.

>Any help on this will be greatly appreciated....heck I'll name a new server
>after you if you point me in the right direction :)

No thanks. Some of us spend all freakin' day on computers - the last thing
I'd be doing is running/playing games on it. ;-)

        Old guy
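
The header checks listed in the reply above (size, IP options, fragmentation and offsets, TCP flags) can be run over each captured packet. This is an added example, not part of the original post. The function names, finding codes and sample packets are constructed for illustration, and the 1500-octet ceiling is the figure quoted in the post.

```python
import struct

def ipv4_findings(pkt: bytes, mtu: int = 1500) -> list[str]:
    """Return anomaly codes for one raw IPv4 packet (link-layer header removed)."""
    if len(pkt) < 20:
        return ["truncated-header"]
    ver_ihl, _tos, total_len, _id, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    proto = pkt[9]
    ihl = (ver_ihl & 0x0F) * 4                 # header length in octets
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return ["bad-version-or-ihl"]
    out = []
    if ihl > 20:
        out.append("ip-options")               # rare in ordinary application traffic
    if total_len > mtu:
        out.append("oversize")
    if total_len < ihl or total_len > len(pkt):
        out.append("length-mismatch")          # length field disagrees with captured bytes
    offset = (flags_frag & 0x1FFF) * 8         # fragment offset in octets
    if flags_frag & 0x8000:
        out.append("reserved-bit")
    if flags_frag & 0x2000 or offset:          # MF set or non-zero offset
        out.append("fragment")
        if flags_frag & 0x4000:
            out.append("df-on-fragment")       # DF and fragmentation contradict
        if offset + total_len > 65535:
            out.append("frag-overflow")        # would reassemble past the IPv4 maximum
    if proto == 6 and offset == 0 and len(pkt) >= ihl + 14:
        tcp_flags = pkt[ihl + 13] & 0x3F
        if tcp_flags == 0 or (tcp_flags & 0x03) == 0x03:
            out.append("odd-tcp-flags")        # no flags at all, or SYN and FIN together
    return out

def build(proto=17, flags_frag=0, options=b"", payload=b"\x00" * 8, total_len=None):
    """Construct a sample IPv4 packet (checksum left at zero; it is not checked here)."""
    ihl = 20 + len(options)
    total_len = ihl + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, total_len, 1, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + payload

if __name__ == "__main__":
    syn_fin = b"\x00" * 13 + b"\x03" + b"\x00" * 6   # constructed 20-octet TCP header
    for name, pkt in [("plain UDP", build()),
                      ("late fragment", build(flags_frag=0x1FFF, payload=b"\x00" * 100)),
                      ("SYN+FIN", build(proto=6, payload=syn_fin))]:
        print(name, ipv4_findings(pkt) or "looks normal")
```

A packet that passes all of these checks can still crash the application through its payload, which is where reading the source or contacting the vendor comes in.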


