[Question]Packet filter?

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

OK, so I have set up a Ventrilo server for me and my friends on my server computer...

I have a problem though. I have to use version 2.3.0 for them to enter (they are too lazy to upgrade their clients), and that version has a HUGE flaw in it.

More about it HERE


Now, my idea is to check if the exploit program sends a random or specific packet to DDoS the server. If it sends a specific one, then maybe I can filter it out to prevent noobs from using the program to shut down the server.

Now, does anyone have a nice packet filtering solution? Maybe it would work with iptables?
"The best place to hide a tree, is in a forest"

Big-E
Administrator
Posts: 1332
Joined: 16 May 2007, 16:00
Location: IN UR ____ , ____ING UR _____ .

Post by Big-E »

Interesting you post this - I was just reading about stateful packet inspection and how it has generally replaced packet filtering. However, if you wish to go the route of packet filtering, I've come across this link here:

http://www.linuxtopia.org/Linux_Firewal ... /x529.html

It looks to be well written, just by skimming it briefly. Regardless, enjoy.


Post by ayu »

Hmmm, is that packet filtering though?

Says IP filtering ^^

Just want to be sure before I read it all =)


Post by Big-E »

Well, you DO want to filter TCP/IP packets, right? Well then, it's a pretty good resource to read up on... I've not read it all but it looks to be what you are after.

computathug
Administrator
Posts: 2693
Joined: 29 Mar 2007, 16:00
Location: UK

Post by computathug »

Hey cats, I think this is what you're looking for. I might have read it wrong, it's nearly 3am in the morning and I had a drink, but nvm, take a look anyway.
I see what you are trying to do and will take a look tomorrow :wink:

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Um, it's a DoS, not a DDoS... Against a real DDoS you can't do much, but when the DoS is triggered by specially crafted packets it might be possible to filter them with iptables. Best capture such a packet and analyze it with Wireshark.
The filter possibilities can be by the set flags, for example. If the DoS is caused by a flood from one IP you can limit the packets/second rate (-dstlimit switch). Also the packet size would be interesting, because if the packets have a specific size you can filter them by the size (-length switch).

:wink:
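To make the three filter criteria bad_brain lists concrete (matching on TCP flags, limiting the per-source packet rate, and matching on packet length), here is a small Python model of how such an iptables chain decides, run over constructed traffic. This is an added example, not code from the thread, from Ventrilo or from iptables; the addresses, the 1400-byte size, the SYN+FIN combination and the rate numbers are all placeholders chosen for the example (port 3784 is the one in the quoted exploit output), not the real exploit packet.

```python
# Added example: a model of the three iptables-style matches bad_brain
# mentions (TCP flags, per-source packet rate, packet length), applied to
# constructed packets. Not code from the thread or from Ventrilo/iptables.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                              # source IP
    dport: int                            # destination port
    proto: str                            # "tcp" or "udp"
    length: int                           # IP total length in bytes
    ts: float                             # arrival time in seconds
    flags: FrozenSet[str] = frozenset()   # TCP flags that are set; empty for UDP


class SrcRateLimiter:
    """Token bucket per source IP, i.e. what -m hashlimit --hashlimit-mode srcip does."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate          # packets per second refilled into each bucket
        self.burst = burst        # bucket capacity (initial allowance)
        self.buckets: Dict[str, Tuple[float, float]] = {}  # src -> (tokens, last_ts)

    def allow(self, src: str, ts: float) -> bool:
        tokens, last = self.buckets.get(src, (float(self.burst), ts))
        tokens = min(float(self.burst), tokens + (ts - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[src] = (tokens, ts)
        return allowed


@dataclass(frozen=True)
class Rules:
    port: int                                           # only traffic to this port is inspected
    drop_length: Tuple[int, int]                        # inclusive byte range, like -m length --length lo:hi
    drop_flags: Tuple[FrozenSet[str], FrozenSet[str]]   # (mask, comp), like --tcp-flags MASK COMP
    rate: float                                         # per-source packets/second allowed
    burst: int                                          # per-source burst allowed


def classify(packets: List[Packet], rules: Rules) -> List[str]:
    """Return one verdict per packet, in order; rules are tried like an iptables chain."""
    limiter = SrcRateLimiter(rules.rate, rules.burst)
    verdicts: List[str] = []
    for p in packets:
        if p.dport != rules.port:
            verdicts.append("ACCEPT")          # other services are not touched
        elif rules.drop_length[0] <= p.length <= rules.drop_length[1]:
            verdicts.append("DROP:length")     # size matches the crafted packet
        elif p.proto == "tcp" and (p.flags & rules.drop_flags[0]) == rules.drop_flags[1]:
            verdicts.append("DROP:flags")      # invalid flag combination
        elif not limiter.allow(p.src, p.ts):
            verdicts.append("DROP:rate")       # one source flooding the port
        else:
            verdicts.append("ACCEPT")
    return verdicts


def summarize(verdicts: List[str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for v in verdicts:
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed rule set: 3784 is the port in the quoted exploit output; the
# 1400-byte size and the SYN+FIN combination are placeholders, not the real
# exploit packet.
TCP_MASK = frozenset({"SYN", "ACK", "FIN", "RST"})
RULES = Rules(port=3784, drop_length=(1400, 1400),
              drop_flags=(TCP_MASK, frozenset({"SYN", "FIN"})), rate=5.0, burst=5)

# Constructed traffic: a normal client, two crafted packets from one host,
# a 20-packet flood from another host, and an unrelated SSH packet.
SAMPLE_PACKETS: List[Packet] = (
    [Packet("192.168.0.2", 3784, "udp", 120, 0.0), Packet("192.168.0.2", 3784, "udp", 120, 0.5)]
    + [Packet("10.0.0.9", 3784, "udp", 1400, 0.7),
       Packet("10.0.0.9", 3784, "tcp", 60, 0.8, frozenset({"SYN", "FIN"}))]
    + [Packet("192.168.0.2", 3784, "udp", 120, t) for t in (1.0, 1.5, 2.0)]
    + [Packet("10.0.0.7", 3784, "udp", 120, 3.0 + i * 0.01) for i in range(20)]
    + [Packet("10.0.0.7", 22, "tcp", 60, 3.5, frozenset({"SYN"}))]
)

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, classify(SAMPLE_PACKETS, RULES)):
        print(f"{pkt.ts:5.2f} {pkt.src:>12} -> :{pkt.dport} {pkt.proto} {pkt.length:4d}B  {verdict}")
    print(summarize(classify(SAMPLE_PACKETS, RULES)))
```

With real iptables the same three checks are the `-m length --length` match, the `-p tcp --tcp-flags MASK COMP` match and the `-m hashlimit --hashlimit-mode srcip` match (or `-m limit` for a global rate). The order matters the same way it does in the model: the cheap length and flag matches run first, and the rate limit only sees what they let through. A length match is only useful if the crafted packet's size is distinctive and normal client traffic never has that size, so compare the captured packet against a capture of ordinary client traffic before adding the rule.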


Post by ayu »

Well, it was late when I wrote the post :roll: guess my finger slipped on the D button :-99


Post by ayu »

Well, I tested the exploit on the server and it seems like it's still running fine. Also, b_b and I were talking a little about a Suck-o Voice communication server on his new server, so... you never know what happens ^^

Anyway, for the purpose of learning I will go through with the packet filtering, since it seems like the exploit sends a specific packet to DoS the server after all =3


Post by bad_brain »

Can you capture the sent packets and provide the Wireshark file? :)


Post by ayu »

Yarr, the file has been uploaded to http://documentcat.com/exploit.zip

Just use this filter to remove the other crap... "(ip.src == 192.168.0.2) && !(ip.dst == 89.40.197.20)"

Exploit text quote:
Ventrilo <= 2.3.0 server crash 0.1
by Luigi Auriemma
e-mail: xxx@xxx.org
web: xxx.org

- target 192.168.0.4 : 3784

- check server:
NAME: Documentcat Vent
PHONETIC: D C V
COMMENT:
AUTH: 1
MAXCLIENTS: 8
VOICECODEC: 0,GSM 6.10
VOICEFORMAT: 1,11 KHz%2C 16 bit
UPTIME: 66457
CLIENTCOUNT: 0

- send BOOM packet:

- check server:
NAME: Documentcat Vent
PHONETIC: D C V
COMMENT:
AUTH: 1
MAXCLIENTS: 8
VOICECODEC: 0,GSM 6.10
VOICEFORMAT: 1,11 KHz%2C 16 bit
UPTIME: 66463
CLIENTCOUNT: 0

Server doesn't seem vulnerable
It doesn't look like the "maxclients" change worked, so I guess I will have to find a way around that ^^
