01:49:43.277412 IP (tos 0x28, ttl 61, id 32425, offset 0, flags [none], proto UDP (17), length 53)
186.182.110.156.20385 > 74.91.127.xx.xxxxx: UDP, payload 25
0x0000: 4528 0035 7ea9 0000 3d11 0be3 bab6 6e9c E(.5~...=.....n.
0x0010: 4a5b 7f56 4fa1 6984 0021 94c8 ffff ffff J[.VO.i..!......
0x0020: 5453 6f75 7263 6520 456e 6769 6e65 2051 TSource.Engine.Q
0x0030: 7565 7279 00 uery.
01:49:43.277459 IP (tos 0x28, ttl 32, id 63877, offset 0, flags [none], proto UDP (17), length 53)
186.18.56.242.24573 > 74.91.127.xx.xxxxx: UDP, payload 25
0x0000: 4528 0035 f985 0000 2011 e454 ba12 38f2 E(.5.......T..8.
0x0010: 4a5b 7f56 5ffd 6984 0021 baba ffff ffff J[.V_.i..!......
0x0020: 5453 6f75 7263 6520 456e 6769 6e65 2051 TSource.Engine.Q
0x0030: 7565 7279 00 uery.
01:49:43.277466 IP (tos 0x28, ttl 54, id 5278, offset 0, flags [none], proto UDP (17), length 53)
186.143.192.186.25446 > 74.91.127.xx.xxxxx: UDP, payload 25
0x0000: 4528 0035 149e 0000 3611 2af7 ba8f c0ba E(.5....6.*.....
0x0010: 4a5b 7f56 6366 6984 0021 2f0c ffff ffff J[.Vcfi..!/.....
0x0020: 5453 6f75 7263 6520 456e 6769 6e65 2051 TSource.Engine.Q
0x0030: 7565 7279 00 uery.
01:49:43.277469 IP (tos 0x0, ttl 233, id 25187, offset 0, flags [none], proto UDP (17), length 53)
186.150.42.68.25284 > 74.91.127.xx.xxxxx: UDP, payload 25
0x0000: 4500 0035 6263 0000 e911 c0c8 ba96 2a44 E..5bc........*D
0x0010: 4a5b 7f56 62c4 6984 0021 c61d ffff ffff J[.Vb.i..!......
0x0020: 5453 6f75 7263 6520 456e 6769 6e65 2051 TSource.Engine.Q
iptables -I INPUT -p udp -m u32 --u32 "26&0xFFFF=0xfeff" -j DROP
iptables -I INPUT -p udp -m u32 --u32 "24&0xffff=0x0000" -j DROP
or
block UDP in the NFO firewall
of this length/range: 53
with BPF applying these tests: ip[28:4]=0xffffffff and ip[32]=0x54
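
Added example, not part of the original post: a Python check that evaluates the BPF tests and the two u32 rules above against the first packet of the capture, so a filter can be verified against real bytes before it is deployed. The function names and the variant packet with IP options are assumptions constructed for illustration.

```python
# First packet of the capture above (IP header onward), retyped from its hex dump.
PKT = bytes.fromhex(
    "452800357ea900003d110be3bab66e9c"
    "4a5b7f564fa16984002194c8ffffffff"
    "54536f7572636520456e67696e652051"
    "7565727900"
)

def bpf_ip(pkt, off, size=1):
    """Value of the BPF accessor ip[off:size]: big-endian, offset from IP header start."""
    return int.from_bytes(pkt[off:off + size], "big")

def matches_posted_bpf(pkt):
    """Length 53 plus ip[28:4]=0xffffffff and ip[32]=0x54, as given in the post."""
    return (len(pkt) == 53
            and bpf_ip(pkt, 28, 4) == 0xFFFFFFFF
            and bpf_ip(pkt, 32) == 0x54)

def is_source_engine_query(pkt):
    """Same signature, but the UDP payload is located through the IHL field, so
    IP options do not shift it (pcap filters can do this with udp[8:4])."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8 + 5:   # protocol 17 = UDP
        return False
    return pkt[ihl + 8:].startswith(b"\xff\xff\xff\xffTSource Engine Query\x00")

def u32_match(pkt, start, mask, value):
    """iptables u32 test "start&mask=value": 4 bytes at start, big-endian, masked."""
    return (bpf_ip(pkt, start, 4) & mask) == value

def with_ip_options(pkt):
    """Constructed variant: the same datagram carrying 4 bytes of IP options
    (IHL=6). Checksums are not recomputed; only the offsets matter here."""
    hdr = bytearray(pkt[:20])
    hdr[0] = 0x46
    hdr[2:4] = (len(pkt) + 4).to_bytes(2, "big")
    return bytes(hdr) + b"\x01\x01\x01\x00" + pkt[20:]

if __name__ == "__main__":
    opt = with_ip_options(PKT)
    print("posted BPF test:", matches_posted_bpf(PKT), matches_posted_bpf(opt))
    print("IHL-aware test: ", is_source_engine_query(PKT), is_source_engine_query(opt))
    print("u32 26&0xFFFF=0xfeff:", u32_match(PKT, 26, 0xFFFF, 0xFEFF))
    print("u32 24&0xffff=0x0000:", u32_match(PKT, 24, 0xFFFF, 0x0000))
```

Run against this packet, the BPF tests match, while both u32 expressions evaluate to false: bytes 28-29 are 0xffff and the UDP checksum at bytes 26-27 is 0x94c8.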