Last weeks, the spread of csdos.pl, a perl script that aimed to take down Counter Strike 1.6 server, is on rise. One of my servers is suffered from this attack and force me to take an action to prevent them. The solutions is using iptables with string match support. I found an example of iptables rule on the net, but it doesn’t work for the current version of Linux kernel.
After several trial and error, here is the final result of the rule:
/sbin/iptables -A INPUT -p udp --dport 27015:27020 -m string --algo kmp --string "f0ef8a36258af1bb64ed866538c9db76" -j LOG /sbin/iptables -A INPUT -p udp --dport 27015:27020 -m string --algo kmp --string "f0ef8a36258af1bb64ed866538c9db76" -j DROP
This rule will prevent somebody send the exploit to ports 27015 to 27020. Or, another approach is your server is behind the router and able to drop certain string like mikrotik, just insert the rule to drop the magic string f0ef8a36258af1bb64ed866538c9db76 as described on this forum.