Ok so i have setup a ventrilo server for me and my friends on my server computer...
I have a problem though. I have to use version 2.3.0 for them to enter (they are to lazy to upgrade their clients), and that version has a HUGE flaw in it.
More about it HERE
Now, my idea is to check if the exploit program sends a random or specific packet to DDoS the server. If it sends a specific one, then maybe i can filter it out to prevent noobs from using the program to shutdown the server.
Now, does anyone have a nice packet filtering solution? maybe it would work with iptables?
[Question]Packet filter?
[Question]Packet filter?
"The best place to hide a tree, is in a forest"
- Big-E
- Administrator
- Posts: 1332
- Joined: 16 May 2007, 16:00
- 16
- Location: IN UR ____ , ____ING UR _____ .
- Contact:
Interesting you post this - I was just reading about stateful packet inspection and how it has generally replaced packet filtering. However, if you wish to go the route of packet filtering, I've come across this link here:
http://www.linuxtopia.org/Linux_Firewal ... /x529.html
It looks to be well written, just by skimming it briefly. Regardless, enjoy.
http://www.linuxtopia.org/Linux_Firewal ... /x529.html
It looks to be well written, just by skimming it briefly. Regardless, enjoy.
- computathug
- Administrator
- Posts: 2693
- Joined: 29 Mar 2007, 16:00
- 17
- Location: UK
- Contact:
- bad_brain
- Site Owner
- Posts: 11636
- Joined: 06 Apr 2005, 16:00
- 19
- Location: In your eye floaters.
- Contact:
um, it's a DoS, not a DDoS....against a real DDoS you can't do much, but when the DoS is triggered by specially crafted packets it might be possible to filter them with iptables. best capture such a packet and analyze it with Wireshark.
the filter possibilities can be by the set flags for example. if the DoS is caused by a flood from one IP you can limit the packets/second-rate (-dstlimit switch). also the packetsize would be interesting, because if the packets have a specific size you can filter them by the size (-length switch).
the filter possibilities can be by the set flags for example. if the DoS is caused by a flood from one IP you can limit the packets/second-rate (-dstlimit switch). also the packetsize would be interesting, because if the packets have a specific size you can filter them by the size (-length switch).
Well, i tested the exploit on the server and it seems like it's still running fine. Also me and b_b were talking a little about a Suck-o Voice communication server on his new server, so...you never know what happens ^^
Anyway in the purpose of learning i will go through with the packet filtering since it seems like the exploit sends a specific packet to DoS the server after all =3
Anyway in the purpose of learning i will go through with the packet filtering since it seems like the exploit sends a specific packet to DoS the server after all =3
"The best place to hide a tree, is in a forest"
Yarr, the file has been uploaded to http://documentcat.com/exploit.zip
Just use this filter to remove the other crap... "(ip.src == 192.168.0.2) && !(ip.dst == 89.40.197.20)"
Exploit text quote
Just use this filter to remove the other crap... "(ip.src == 192.168.0.2) && !(ip.dst == 89.40.197.20)"
Exploit text quote
It doesn't look like the "maxclients" change worked, so i guess i will have to find a way around that ^^Ventrilo <= 2.3.0 server crash 0.1
by Luigi Auriemma
e-mail: xxx@xxx.org
web: xxx.org
- target 192.168.0.4 : 3784
- check server:
NAME: Documentcat Vent
PHONETIC: D C V
COMMENT:
AUTH: 1
MAXCLIENTS: 8
VOICECODEC: 0,GSM 6.10
VOICEFORMAT: 1,11 KHz%2C 16 bit
UPTIME: 66457
CLIENTCOUNT: 0
- send BOOM packet:
- check server:
NAME: Documentcat Vent
PHONETIC: D C V
COMMENT:
AUTH: 1
MAXCLIENTS: 8
VOICECODEC: 0,GSM 6.10
VOICEFORMAT: 1,11 KHz%2C 16 bit
UPTIME: 66463
CLIENTCOUNT: 0
Server doesn't seem vulnerable