
Good Afternoon,

I have a Windows 2008 dedicated server which runs a server daemon for the video game "Renegade".  This daemon has a serious flaw: any large quantity of UDP packets of any size will cause it to crash.  Lately I have been experiencing serious problems with this, as one small computer can use a simple Perl script to send several small (2-byte) packets to the server on port 5000 and crash it, in spite of the actual dedicated box being unaffected.

I have searched for the best solution for this, and the only thing I can come up with is to create a Snort rule using rate limiting to drop packets from an IP that has been sending a large number of them in a short time; however, Snort is a bit difficult to learn.

I was hoping someone here might be able to provide me with a Snort rule to accomplish this, or perhaps another alternative to keep the server from crashing under this load.  It must be run on Windows and cannot be moved to Linux, where iptables would offer a simple solution.

asked 05/12/2011 04:58


PrivateKey ♦♦
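
The per-source rate limit the question asks for can be written with Snort's `detection_filter` rule option. This is an added example, not a rule from any post in this thread; the threshold of 50 packets per second, the SID, the message text and the use of `$HOME_NET` for the game server's address are assumptions, and it presumes a Snort 2.9.x sensor deployed inline.

```snort
# local.rules (added example; every value below is an assumption to tune)
#
# Assumptions:
#   - Snort 2.9.x is running inline, so "drop" actually blocks the packet.
#     In passive sniffing mode the same rule only reports the match.
#   - $HOME_NET in snort.conf is set to the game server's address.
#   - 50 packets per second from one source is above anything a legitimate
#     game client sends; measure real traffic before picking the number.
#
# detection_filter makes the rule match only after a single source address
# has exceeded "count" packets within "seconds". Traffic below that rate is
# never matched, so normal clients are unaffected, while the excess packets
# from a flooding source are dropped regardless of their payload size.
drop udp any any -> $HOME_NET 5000 (msg:"LOCAL UDP flood to port 5000"; \
    detection_filter:track by_src, count 50, seconds 1; \
    classtype:attempted-dos; sid:1000001; rev:1;)
```

Because the filter tracks by source address, each sender is counted separately, and a source that slows down below the threshold is no longer dropped in the next window.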


3 Answers:
The following Snort rule will drop UDP packets to your W2K8 server with a payload size of more than 2 bytes.

drop udp 192.168.1.0/24 any -> W2k8-IP/24 5000 (dsize:> 2; msg: "UDP Packet attack";)

Cheers..

expert_tanmay

I think my answer is correct using Snort. The other way around is to switch on Windows Firewall, which comes by default on W2K8.

Thanks..

expert_tanmay

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

younghv

Asked: 05/12/2011 04:58

Seen: 570 times

Last updated: 10/18/2011 09:16