Re: Limiting Packet Size

From: Alexander Clouter (alex_at_digriz.junk-this.org.uk)
Date: 04/05/05


Date: Tue, 05 Apr 2005 18:39:32 -0000

On 2005-04-05, Jeff Franks <jfranks1970@NoSPMcharter.net> wrote:
> I have a server app (a game) that is being shutdown by a hacker. From what
> I can tell, he is simply sending a series of oversized packets to the game
> port and BZZZT, the game errors out. Granted this is an old game that
> should be able to handle a buffer overrun, but that being the case.....
>
> Can I use IPTables to detect when a BO is occurring or to monitor packet
> size and stop this kind of event?
>
Well, firstly, you need to know what is 'special' about the packets that you
can use to identify them. Ethereal is your friend here.

In the case you described, if you know packets should never be any larger
than 'x' then simply use:

iptables -A INPUT -p <proto> --dport <port> -m length --length <x>: -j DROP

where '<x>' is the maximum size plus one byte of the packets you would
expect to see, protocol is (most likely) either 'tcp' or 'udp' and <port> is
the port number used. If the exploit is spread over several packets then you
run into problems and might have to come up with some special CONNMARK
approach.

One word of advice: no matter what people tell you, 'string' is not a Good
Idea(tm) in *any* firewall; it should only be used very quickly, in the
short term, to protect an application from an exploit where no patch exists.
If the patch never ends up existing, do not run the software....

Good luck

Alex

> any ideas are appreciated.
>
> jf
>
>
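The rule from Alex's reply, wrapped in a small script as an added example (this is not code from the original post). It builds the length-based DROP rule for a given protocol, port and maximum length, and puts a rate-limited LOG rule in front of it so oversized packets leave a trace in syslog before being dropped. The protocol, port and length values in the demonstration call (udp, 27015, 1400) are constructed placeholders; the `-m length` match compares against the IPv4 total-length field, so the maximum must include the IP and transport headers, not just the game payload.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Generates (and optionally applies) a LOG + DROP pair for packets that
# exceed the largest legitimate size on a game port, using iptables'
# -m length match as described in the reply above.

# build_rules PROTO PORT MAX_LEN
#   PROTO   : tcp or udp
#   PORT    : destination port (1-65535)
#   MAX_LEN : largest legitimate IP packet length in bytes, headers included
# Prints two iptables commands on stdout; returns 1 on bad input.
build_rules() {
    proto=$1; port=$2; max_len=$3

    case "$proto" in
        tcp|udp) ;;
        *) echo "build_rules: proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "build_rules: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    case "$max_len" in
        ''|*[!0-9]*) echo "build_rules: max_len must be numeric, got '$max_len'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "build_rules: port out of range: $port" >&2; return 1; }
    # 20 bytes is the minimum IPv4 header; 65535 is the largest IP packet.
    [ "$max_len" -ge 20 ] && [ "$max_len" -le 65535 ] || {
        echo "build_rules: max_len out of range: $max_len" >&2; return 1; }

    # '--length N:' matches N bytes and above, so the cutoff is max_len + 1,
    # exactly the "maximum size plus one byte" from the reply.
    cutoff=$((max_len + 1))

    # Log a few oversized packets per minute so the event is visible in
    # syslog without letting the attacker flood the log.
    printf 'iptables -A INPUT -p %s --dport %s -m length --length %s: -m limit --limit 5/min -j LOG --log-prefix "OVERSIZED %s/%s: "\n' \
        "$proto" "$port" "$cutoff" "$proto" "$port"
    # Then drop everything over the cutoff.
    printf 'iptables -A INPUT -p %s --dport %s -m length --length %s: -j DROP\n' \
        "$proto" "$port" "$cutoff"
}

# apply_rules PROTO PORT MAX_LEN
#   With DRY_RUN set, only prints the commands; otherwise runs them (root).
apply_rules() {
    if [ -n "$DRY_RUN" ]; then
        build_rules "$@"
    else
        build_rules "$@" | sh -e
    fi
}

# Demonstration on constructed values: print the rules without touching
# the firewall. Run without DRY_RUN as root to install them.
DRY_RUN=1 apply_rules udp 27015 1400
```

Because the rules are appended with `-A`, as in the reply, they only take effect if no earlier rule in the INPUT chain already ACCEPTs traffic to that port; if one does, insert them ahead of it with `-I INPUT` instead, and confirm they are hit by watching the packet counters with `iptables -L INPUT -v -n` while the oversized packets arrive.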
