While trivial for someone who knows what they are doing to edit the code, rebuild and most likely bypass this, the following iptables rule will drop the exploit as provided for me (tested on a hl2 deathmatch and cstrike:source server)

# log it
iptables -A INPUT -p udp --dport 27015 -m string --hex-string "|dc4adc4adc4adc4adc4a|" --algo bm -j LOG --log-level info --log-prefix "Valve Disconnect DoS :: "

# drop it
iptables -A INPUT -p udp --dport 27015 -m string --hex-string "|dc4adc4adc4adc4adc4a|" --algo bm -j DROP

If you've got someone being cute and DoS'ing your machine over and over with the same packets, you can use this approach to block it pretty easily.

If the above isn't working and you suspect the packets are not the default from the provided website/exploit info, you can find the packet that matches by starting the server, then running strace against it until it crashes, then tailing the output file (4225 being an example pid here):

strace -f -v -s 5000 -o server.strace.txt -xx -p 4225

Once the server crashes, strace should exit (ctrl+C out otherwise); then look at the last few lines before the segfault:

tail server.strace.txt

You should see something like the following:

649 gettimeofday({1250624185, 558633}, NULL) = 0
649 recvfrom(4, "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\xc8\x59\x80\x52\x31\xc6\xf6\x95\xe6\x46\x57\x26\x07\xf7\xe5\x06\x37\x36\x07\x00\x03\x30\xc6\xf6\x95\xe6\x46\x57\x26\x07\xf7\xc6\x16\x46\x57\x06\x10\x03\x30\xc6\xf6\x05\x27\x57\x46\x96\x36\x46\x07\x10\x03\x30\xc6\xf6\x95\xe6\x46\x57\x26\x07\xf7\x25\x17\x46\x97\xf6\x06\x20\x03\x30\xc6\xf6\x45\x57\x16\xd6\x06\x40\x56\x66\x16\x56\xc7\x46\x07\x30\xc6\xf6\x35\xc6\x16\x36\x37\x07\x40\x56\x66\x16\x56\xc7\x46\x07\x50\xe6\x76\xc6\x96\x36\x87\x06\x10\x03\x30\xc6\xf6\x05\x27\x57\x46\x96\x36\x46\x77\x57\x16\x06\xf7\xe6\x36\x07\x10\x03\x30\xc6\xf6\xc5\x16\x76\x36\xf6\xd6\x06\x57\xe6\x36\x17\x46\x97\xf6\xe6\x06\x10\x03\x30\xc6\xf6\x15\x56\x47\xf7\x76\x57\x06\x37\x77\x97\x46\x37\x86\x06\x10\x03\x30\xc6\xf6\x15\x56\x47\xf7\x86\x56\xc6\x06\x07\x10\x03\x30\xc6\xf6\x35\x07\x57\x36\xf6\xd5\xf6\x46\x56\x06\x50\x03\x60\xf7\x96\x36\x56\xf6\xc5\xf6\xf6\x06\x27\x16\x36\xb6\x06\x00\x03\x30\xc6\xf6\x95\xe6\x46\x57\x26\x07\x07\x00\xe3\x02\x23\x03\x30\xc6\xf6\x36\x57\x36\x16\x06\x47\x97\xf6\xe6\x06\x00\x03\x30\xc6\xf6\xc5\x16\xe6\x76\x56\x17\x76\x56\x06\x50\xe6\x76\xc6\x96\x36\x87\x06\x40\x67\xf7\xe5\xf6\x36\x86\x16\x46\x07\x00\x03\x30\xc6\xf6\x55\x07\x47\x16\x46\x57\x26\x17\x46\x57\x06\x10\x03\x03\x03\x30\xc6\xf6\x35\xd6\x46\x26\x17\x46\x57\x06\x10\x03\x03\x03\x20\x17\x46\x57\x06\x20\x03\x03\x03\x03\x03\xe0\x16\xd6\x56\x06\x50\xe7\xe6\x16\xd6\x56\x46\x06\x10\x4a\xe6\x4a\xe6\x4a\xe6\x4a\xe6\x4a\xe6\x4a\xdc\x4a\xdc\x4a\xdc\x4a\xdc\x4a\xdc\x4a\xdc\x00\x00", 96016, 0, {sa_family=AF_INET, sin_port=htons(4966), sin_addr=inet_addr("12.34.56.78")}, [16]) = 372
649 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
661 +++ killed by SIGSEGV +++

I just chose a little bit from the end of the received bad to match after verifying it was always the same data. Hopefully this is fixed soon though, since it should be a super easy fix and this sort of hackery is far from optimal.

~Darren
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
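The manual step above (read the recvfrom() line out of the strace log, pick a stable chunk from the tail of the payload, turn it into an iptables --hex-string) can be scripted. The following Python is an added example, not Darren's code; the function names and the shortened sample strace line are constructed here, with the sample ending in the same trailing bytes as the crash packet shown.

```python
import re

# Signature the iptables rule above matches: "dc4a" repeated five times.
SIGNATURE = bytes.fromhex("dc4a" * 5)

# Constructed sample line in the format "strace -xx" prints recvfrom();
# the buffer is shortened but keeps the tail bytes of the real crash packet.
SAMPLE_LINE = (
    '649 recvfrom(4, "\\x01\\x00\\x00\\x00\\x4a\\xe6\\x4a\\xdc\\x4a\\xdc'
    '\\x4a\\xdc\\x4a\\xdc\\x4a\\xdc\\x4a\\xdc\\x00\\x00", 96016, 0, '
    '{sa_family=AF_INET, sin_port=htons(4966), '
    'sin_addr=inet_addr("12.34.56.78")}, [16]) = 20'
)

# -xx prints every byte of the buffer as \xNN, so the argument is a plain run
# of such escapes between the quotes.
RECVFROM_RE = re.compile(r'recvfrom\(\d+, "((?:\\x[0-9a-fA-F]{2})*)", ')


def payload_from_strace(line: str) -> bytes:
    """Decode the escaped buffer argument of one recvfrom() line into bytes."""
    m = RECVFROM_RE.search(line)
    if not m:
        raise ValueError("not a recvfrom() line with -xx escaped data")
    return bytes.fromhex(m.group(1).replace("\\x", ""))


def matches_signature(payload: bytes, sig: bytes = SIGNATURE) -> bool:
    """True if the packet would be caught by a rule built from `sig`."""
    return sig in payload


def tail_signature(payload: bytes, n: int = 10) -> bytes:
    """Take the last n non-padding bytes as a candidate match string."""
    return payload.rstrip(b"\x00")[-n:]


def iptables_hex_string(chunk: bytes) -> str:
    """Render bytes in the |..| notation that -m string --hex-string expects."""
    return "|" + chunk.hex() + "|"


def drop_rule(chunk: bytes, port: int = 27015) -> str:
    """Build the DROP rule for a chosen chunk on the server's UDP port."""
    return (f"iptables -A INPUT -p udp --dport {port} -m string "
            f"--hex-string \"{iptables_hex_string(chunk)}\" --algo bm -j DROP")
```

Run it against the real server.strace.txt by feeding each line to payload_from_strace() and checking the one just before the SIGSEGV marker.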