Packet Exploits

  1. #1
    Apprentice SIM
    Join Date: Aug 2014
    Posts: 15

    Packet Exploits

    Has anyone succeeded in running Silkroad modules behind Linux (router/proxy)?
    A network scheme like this: http://i.imgur.com/QgjEoYG.png

    If this is possible, we can filter packets using iptables.


  2. #2
    Member Molten
    Join Date: Jan 2012
    Posts: 52

    Re: Packet Exploits

    Iptables would be "okay" for packet flooding. However, most exploiters are using the 1-packet-kill style, which crashes your server using 1 packet with a system opcode or an invalid opcode.

  3. #3
    Apprentice SIM
    Join Date: Aug 2014
    Posts: 15

    Re: Packet Exploits

    You can also read packet data in iptables.
    For example, if we already know that a bad packet always has ABDCEF1234567890 in its data, then we can filter it like this:
    iptables -A INPUT ! -s 127.0.0.1 -p tcp --dport 15779 -m string --hex-string '|ABDCEF1234567890|' --algo bm -j REJECT --reject-with tcp-reset

    The problem is if the actual packet data is dynamic >.<
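
Added example, not part of the original posts: the `-m string` match in the rule above inspects each packet on its own, so a fixed byte pattern that TCP splits across two segments goes unseen. The Python code below contrasts per-packet matching with a matcher that carries state across segments of one connection; the sample bytes are constructed and all function and class names are hypothetical.

```python
# Added example: per-packet vs. stream-aware matching of a fixed byte pattern.
SIGNATURE = bytes.fromhex("ABDCEF1234567890")  # pattern taken from the post's rule

# Constructed sample data: one payload carrying the pattern, and the same
# payload delivered as two TCP segments that split the pattern in the middle.
WHOLE = b"\x01\x02" + SIGNATURE + b"\x03"
SPLIT = [WHOLE[:6], WHOLE[6:]]


def per_packet_match(segments, sig=SIGNATURE):
    """Inspect every segment in isolation, as a per-packet string match does."""
    return [sig in seg for seg in segments]


class StreamMatcher:
    """Find a pattern anywhere in one connection's byte stream.

    Keeps the last len(sig) - 1 bytes seen so far, so a pattern that straddles
    a segment boundary is still detected when its final byte arrives.
    """

    def __init__(self, sig=SIGNATURE):
        self.sig = sig
        self.tail = b""

    def feed(self, segment):
        window = self.tail + segment
        hit = self.sig in window
        keep = len(self.sig) - 1
        self.tail = window[-keep:] if keep else b""
        return hit


def stream_match(segments, sig=SIGNATURE):
    """Run one StreamMatcher over the ordered segments of a single connection."""
    matcher = StreamMatcher(sig)
    return [matcher.feed(seg) for seg in segments]


if __name__ == "__main__":
    print("single packet, per-packet match:", per_packet_match([WHOLE]))
    print("split packets, per-packet match:", per_packet_match(SPLIT))
    print("split packets, stream match:    ", stream_match(SPLIT))
```

Stream-aware matching still only catches fixed cleartext byte patterns; it does not address the dynamic or encrypted payloads raised in this thread.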

  4. #4
    Laravel Core Programmer Jangan
    Join Date: Jul 2007
    Location: Dubai, UAE
    Posts: 2,113

    Re: Packet Exploits

    Efficiency is a major issue, mate.

    Basic formula: High Security -> Low Performance -> High Hardware Requirements

    The idea of Receiving packets -> Validation [For Bad Packets] + Encryption & Decryption -> Sending is difficult to accomplish; not difficult to code, but difficult to get to a flawless stage.

    It will affect performance a lot...

    In theory it's possible, but finding the right people to code an efficient "gateway" program is a difficult task.

  5. #5
    Proficient Member tschulian
    Join Date: Jul 2012
    Location: Erlangen
    Posts: 151

    Re: Packet Exploits

    It's easy to get a solution for packet filtering.
    But it's even harder to get a solution which is able to handle 2-10k connections at the same time.
    You need a high-performance router - it's almost impossible to handle this via software.

    I developed a tool for exploit protection. Tested it on a friend's server with about 700-1200 players - works well, but takes a lot of CPU load.
