Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 13:08

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 15 posts ] 
 Post subject: BF1942 Help needed
PostPosted: 21 May 2008 19:57 

Joined: 21 May 2008 19:50
Posts: 3
Hi,

The gaming clan I belong to runs a BF1942 server and we have often been getting "server full" when people tried to join.
After a bit of research I found this site and it seems we might be suffering from a DOS fake player attack.

Question is, is there any way to prevent this attack?

Thanks

TheGeezer


 Post subject:
PostPosted: 21 May 2008 22:07 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Yes, it's the fake players attack (bf1942fp / bf2fp).
The only way to "limit" it a bit is by banning the IP of the attacker, but naturally it's enough for him to use a SOCKS solution (or spoofing, since if I'm not mistaken there is no challenge for each connection) to bypass the limitation.
The fake players attack doesn't have a real patch or work-around; only the games which use centralized authentication are not affected by this type of attack.


 Post subject:
PostPosted: 22 May 2008 13:17 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
If I'm correct you can't actually limit anything, because when you play you make a lot of connections too. Maybe some kind of custom patch that doesn't allow more than, like, 2 join packets per minute.

Also, if I'm correct, fake player tools use a new source port every time they send a player (otherwise it doesn't work), but if you are playing then your game (client) uses only one source port... maybe 2, but not more.
So maybe it's possible to make some patch/filter that bans an IP if it makes connections from more than 3 ports in 1 minute.
In theory it should work. What do you think, Luigi?

But what I also suggest is... find out WHY people are doing it. Maybe you are being a bad admin... and whine at people and ban them without reason (ban when they beat admins, for example). I used to crash, flood, hack, etc. servers too when I got booted.


 Post subject:
PostPosted: 22 May 2008 19:21 

Joined: 21 May 2008 19:50
Posts: 3
People do get kicked and banned sometimes when they disrupt the other players, but to cry and use DOS tools to ruin it for other players afterwards is just sad.


 Post subject:
PostPosted: 23 May 2008 00:04 

Joined: 22 May 2008 23:57
Posts: 7
There is one player who, when he is kicked or banned, runs the fake player bug. We have had success by using a tool called NetworkActiv PIAFCTM to capture the attacker's IP address. Then we ban his IP addresses through the BF1942 Remote Manager. All of his IP addresses have been out of Asia, mostly Beijing and China. Proxies. This works and has been tested by us. So far, these are the IP addresses he has used; just ban these in your Remote Manager.

admin.addAddressToBanList 218.234.21.33 Perm
admin.addAddressToBanList 217.12.202.108 Perm
admin.addAddressToBanList 61.175.219.230 Perm
admin.addAddressToBanList 221.174.22.7 Perm
admin.addAddressToBanList 202.105.182.87 Perm
admin.addAddressToBanList 221.12.147.80 Perm
admin.addAddressToBanList 218.56.97.177 Perm
admin.addAddressToBanList 222.221.6.144 Perm
admin.addAddressToBanList 60.21.161.73 Perm
admin.addAddressToBanList 59.107.72.72 Perm
admin.addAddressToBanList 60.190.79.24 Perm

I hope this helps you guys out.


 Post subject:
PostPosted: 23 May 2008 10:50 

Joined: 21 May 2008 19:50
Posts: 3
Thanks for the info :-)
Will pass it on to my clan leaders.


 Post subject:
PostPosted: 23 May 2008 12:12 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
If he/she uses proxy servers then you may as well give up on banning. There are thousands of proxy servers... even more. You can try to ban the whole ISP as a test. It will of course ban everybody who uses this ISP, but if you keep it on for a month or so... he may give it up and think that you patched it or something.


 Post subject:
PostPosted: 23 May 2008 14:06 

Joined: 22 May 2008 23:57
Posts: 7
I wish there were a way to ban all of Asia through Remote Manager. This particular player has been a thorn in every server he plays in. He goes in and does everything he can possibly do to disrupt gameplay and get kicked. It is an EA conspiracy. EA pays Luigi to come up with stuff to ruin old games, so everyone moves on, lol.


 Post subject:
PostPosted: 23 May 2008 19:10 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Uhmmm, this is not a bad idea for a possible job, I will ask EA if for them it's OK 8-)


 Post subject:
PostPosted: 23 May 2008 23:45 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Well hey... I did that for fun :)
kick = crash/flood... or something like that.
In AVP2 they never got me, lol. I either crashed, flooded or lagged the server. They tried to ban my IP or just kick me if I joined... also tried to patch the server, but they had no luck.
They said they would ban my CD-key, etc., but well, it's just talk. They actually said that Sierra would ban the CD-key.

The whole point of this is that probably about 50% of AVP2 players moved on to newer games. Not really on topic, but if you do ask EA about it... let us know, lol :D My guess is that they don't even bother to answer, like always...


 Post subject:
PostPosted: 24 May 2008 09:11 

Joined: 16 Aug 2007 06:25
Posts: 367
Sadly, all of the BF series games (1942, 2, 2142) are plagued with this bug... and EA fails to address the problem. It will probably never be fixed. A simple solution on their end would be to not reserve slots for connecting players until they have passed cd-key authentication. This way, server admins can ban by cd-key hash. And if a player wants to flood, they would need multiple cd-keys that are not server-banned. If they attempt to use a cd-key that is already connecting, they get the normal "cd-key in use" error.

Of course, if EA does this then the community is going to complain and ask why they don't fix other glitches (crashes to desktop, unbalanced jets, getting inside of walls, etc.). I think they know that the games are plagued with a lot of bugs, but they just want to move on and forget about it, making more money with new projects. Because in reality, they aren't making much money anymore on the older BF games, so why bother to fix it? I doubt they even care. It will be interesting to see if DOS join attacks are still possible in BF:Heroes :)

To answer your question, you're going to need to just ban the IP addresses. To detect flooding, open up a packet scanner like Wireshark and filter the traffic so it only shows inbound to your server's port. Look for repetitive UDP join packets from the same IP (usually the data size is about 13 bytes for 1942). If possible, contact the ISP (usually there is an abuse email and/or phone number in their whois info) and provide them with packet scanning logs of the DOS attack. Also, if you are able to manage some type of access list, you can look for common IP addresses in the same subnet and ban the entire subnet. I know Sethioz said you are potentially denying legitimate clients, but I would rather have that happen than have a server that nobody can join :)


 Post subject:
PostPosted: 24 May 2008 11:48 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
A game with CD-key verification, so theoretically not vulnerable to the fake players attack, which instead is affected by this attack is really a shame.
And I highly doubt EA will allow the filling of the player slot after the CD-key authentication since it requires deep modification to the core of the engine... so any new game based on this engine will probably be vulnerable too, at 99%.
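
The slot-reservation order discussed in the two posts above (reserve on join packet versus reserve only after CD-key verification, with "key in use" and key-hash bans), as an added example that is not from this thread and not BF1942's real protocol. The join flow, the `Server` class, the client IDs and the keys are all hypothetical; a local set of valid keys stands in for the master-server check, and `cd_key=None` models a fake player that sends the join packet and never authenticates.

```python
"""Toy model of the join flow: reserving a player slot when the join packet
arrives versus only after CD-key verification.

Added example, not from the thread and not BF1942's real protocol. The key
check is stood in for by a local set of valid keys; in the real game it is
the master-server authentication.
"""
import hashlib


class Server:
    def __init__(self, slots, valid_keys, reserve_before_auth):
        self.slots = slots
        self.valid_keys = set(valid_keys)       # hypothetical stand-in for master-server auth
        self.reserve_before_auth = reserve_before_auth
        self.players = {}                       # client_id -> key hash, or "pending"
        self.banned_hashes = set()              # admins ban by key hash, as the post suggests

    @staticmethod
    def key_hash(cd_key):
        return hashlib.sha256(cd_key.encode()).hexdigest()[:16]

    def free_slots(self):
        return self.slots - len(self.players)

    def _check_key(self, cd_key):
        if cd_key not in self.valid_keys:
            return "bad key"
        h = self.key_hash(cd_key)
        if h in self.banned_hashes:
            return "banned"
        if h in self.players.values():
            return "key in use"
        return "ok"

    def join(self, client_id, cd_key=None):
        """cd_key=None models a fake player: join packet sent, auth never completed."""
        if self.reserve_before_auth:
            # Vulnerable order: the slot is consumed before anything is verified.
            if self.free_slots() == 0:
                return "server full"
            self.players[client_id] = "pending"
            if cd_key is None:
                return "pending"            # slot stays burned until some timeout
            verdict = self._check_key(cd_key)
            if verdict != "ok":
                del self.players[client_id]
                return verdict
            self.players[client_id] = self.key_hash(cd_key)
            return "joined"
        # Hardened order: nothing is reserved until the key has been verified.
        if cd_key is None:
            return "pending"                # costs the server no slot
        verdict = self._check_key(cd_key)
        if verdict != "ok":
            return verdict
        if self.free_slots() == 0:
            return "server full"
        self.players[client_id] = self.key_hash(cd_key)
        return "joined"


def flood(server, n):
    """Fake-players attack: n join packets, none of which authenticate."""
    return [server.join("fake-%d" % i) for i in range(n)]


def demo():
    keys = ["KEY-A", "KEY-B", "KEY-C"]                 # constructed sample keys
    vuln = Server(slots=4, valid_keys=keys, reserve_before_auth=True)
    hard = Server(slots=4, valid_keys=keys, reserve_before_auth=False)
    flood(vuln, 50)
    flood(hard, 50)
    hard.banned_hashes.add(Server.key_hash("KEY-B"))  # a previously banned key
    return {
        "vuln_free": vuln.free_slots(),
        "hard_free": hard.free_slots(),
        "vuln_legit": vuln.join("alice", "KEY-A"),
        "hard_legit": hard.join("alice", "KEY-A"),
        "hard_reuse": hard.join("mallory", "KEY-A"),
        "hard_bogus": hard.join("mallory", "NOT-A-KEY"),
        "hard_banned": hard.join("mallory", "KEY-B"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-12s %s" % (k, v))
```

After 50 unauthenticated joins the vulnerable server has no free slots and turns a legitimate key away with "server full", while the hardened one is untouched and then enforces "key in use", "bad key" and the hash ban. The hardened order does not make flooding impossible; it raises the price to one valid, unbanned, not-currently-connected key per fake slot, which is exactly the point made in the post above.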


 Post subject:
PostPosted: 24 May 2008 15:38 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Quote:
To detect flooding, open up a packet scanner like Wireshark and filter the traffic so it only shows inbound to your server's port


Actually it's better to use CommView. You can set special rules there, for example capture only "join" packets and nothing else. You can also make it capture only flooding, like set it to capture only when a join packet occurs more than x times (where x is the number of times it has to occur). Of course this assumes that the server is running on a PC/server where you have direct or remote access to the desktop.
BTW, CommView actually allows remote monitoring too (I've never used it, but you can remotely monitor another PC/server once you set things up there).

Oh, and about game companies... they never do anything, because they simply can't be bothered with this stuff. They support a game for... maybe a year, by fixing bugs themselves with updates. As far as I know they never even bothered to check any reported bug (goes for all game companies, they never even reply).


 Post subject:
PostPosted: 25 May 2008 07:26 

Joined: 16 Aug 2007 06:25
Posts: 367
Sethioz wrote:
Actually it's better to use CommView. You can set special rules there, for example capture only "join" packets and nothing else. You can also make it capture only flooding, like set it to capture only when a join packet occurs more than x times (where x is the number of times it has to occur). Of course this assumes that the server is running on a PC/server where you have direct or remote access to the desktop.
BTW, CommView actually allows remote monitoring too (I've never used it, but you can remotely monitor another PC/server once you set things up there).


You can set up special rules, or filters, in wireshark too. For example:

(ip.dst eq 192.168.1.2) and (udp.port eq 16567) and (data.data eq ab:12:cd:34)

Where ip.dst is the IP address of the server, in my case a local address since I am behind NAT. udp.port is the port of the server. data.data is the hexadecimal representation of the join packet.

And then just watch for the same IP trying to join multiple times. Typically at this point it will be very easy to spot a flood attack. Legitimate clients aren't going to connect more than once per second (because of them having to click through server full messages, etc.). During a flood, you are probably going to see about 10+ join packets a second.

Wireshark can be set up for remote access too: http://www.pawelko.net/linux/17-Rpcapd- ... lwireshark

Or you can just use VNC if that becomes a hassle.

Last but not least, all this is done with free, open source software :). I'm a bit of a wireshark fanboy, but it is a very nice program... and very customizable. But if CommView does what you need it to do, that is cool too.
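
The two detection heuristics proposed in this thread, Sethioz's "more than 3 source ports from one IP in a minute" rule and the "10+ join packets per second from one IP" rule from the Wireshark posts, implemented together over a capture export. This is an added example, not code from the thread or from any of the posters. It assumes the capture was exported with `tshark -r capture.pcap -Y 'udp.dstport == 14567' -T fields -e frame.time_epoch -e ip.src -e udp.srcport -e udp.length`; the server port 14567, the 10..20-byte payload band used to recognise a join packet (the thread only says "about 13 bytes"), the thresholds and every address and timestamp in the sample are constructed assumptions.

```python
"""Join-flood detector for a BF1942 server, fed from tshark field output.

Added example (not from the original thread). Input layout assumed:

    tshark -r capture.pcap -Y 'udp.dstport == 14567' -T fields \
        -e frame.time_epoch -e ip.src -e udp.srcport -e udp.length

udp.length includes the 8-byte UDP header, so a ~13-byte join payload
shows up as ~21. Port, payload band and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample, not a real capture. Tab-separated:
# frame.time_epoch  ip.src  udp.srcport  udp.length
LEGIT = [
    "1211500000.000\t10.0.0.5\t14567\t21",
    "1211500001.250\t10.0.0.5\t14567\t21",     # retry after "server full"
    "1211500005.000\t10.0.0.5\t14567\t1200",   # gameplay packet, not a join
    "1211500003.000\t192.0.2.44\t16567\t21",
    "1211500004.100\t192.0.2.44\t16567\t21",
    "1211500008.000\t192.0.2.44\t16567\t21",
]
# Fast flood: 12 joins in 0.55 s, fresh source port on every packet.
FAST = ["1211500010.%03d\t203.0.113.9\t%d\t21" % (50 * i, 40000 + i) for i in range(12)]
# Slow flood: one join every 10 s, but again from a fresh source port each time.
SLOW = ["%.3f\t198.51.100.7\t%d\t21" % (1211500020.0 + 10 * i, 50000 + i) for i in range(4)]
SAMPLE = "\n".join(LEGIT + FAST + SLOW) + "\n"


def parse_joins(text, min_payload=10, max_payload=20):
    """Return (timestamp, src_ip, src_port) for packets sized like a join."""
    joins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, length = line.split("\t")
        payload = int(length) - 8                   # strip the UDP header
        if min_payload <= payload <= max_payload:
            joins.append((float(ts), ip, int(port)))
    return joins


def _max_over_windows(pkts, window, measure):
    """Slide a time window over sorted (ts, port) pairs and return the
    largest value `measure` takes on any window's contents."""
    best, start = 0, 0
    for end in range(len(pkts)):
        while pkts[end][0] - pkts[start][0] > window:
            start += 1
        best = max(best, measure(pkts[start:end + 1]))
    return best


def detect_floods(joins, rate=10, rate_window=1.0, ports=3, port_window=60.0):
    """Map offending IP -> reasons. 'rate': at least `rate` joins inside any
    `rate_window` seconds. 'ports': at least `ports` distinct source ports
    inside any `port_window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, port in joins:
        by_ip[ip].append((ts, port))
    flagged = {}
    for ip, pkts in by_ip.items():
        pkts.sort()
        reasons = []
        if _max_over_windows(pkts, rate_window, len) >= rate:
            reasons.append("rate")
        if _max_over_windows(pkts, port_window, lambda w: len({p for _, p in w})) >= ports:
            reasons.append("ports")
        if reasons:
            flagged[ip] = reasons
    return flagged


def ban_commands(flagged):
    """Render the flagged IPs in the Remote Manager syntax used in this thread."""
    return ["admin.addAddressToBanList %s Perm" % ip for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_floods(parse_joins(SAMPLE))
    for ip, why in sorted(hits.items()):
        print(ip, ",".join(why))
    print("\n".join(ban_commands(hits)))
```

On the constructed sample the two legitimate clients stay clean, the fast flooder trips both rules and the slow flooder is caught only by the distinct-source-port rule, which is why it is worth keeping alongside the packets-per-second rule. Both rules key on the source IP, so they only help against an attacker sending from real addresses; if, as Luigi notes above, there is no per-connection challenge and the source address can be spoofed, every fake player can arrive from a different address and neither this detector nor an IP ban list will see a pattern.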


 Post subject:
PostPosted: 25 May 2008 15:41 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
A little bit off topic, but about Wireshark and CommView.
CommView is really the best packet editor available if you ask me. I've used most of the packet editors available and none of them can do what CV can.
For example you can edit rules while it captures. Simply add, remove or edit them, without even stopping the capture.
It allows you to set capture per process (it also maps packets to processes).
It also has alerts, which can be used as a trigger. For example if you get 10 join packets in a row... it can alert you... with a sound, a message, etc., or even send an alert to an e-mail. It can also be used to launch other applications. For example you can use MacroMaker to set up a simple IP ban.
Like when you trigger a macro it will ban a specific IP in the server, and then make a trigger in CommView. So it automatically bans the flooder (you need to use copy-paste on the IP if you make a macro). You can also use alarms to stop/start logging packets (in case you are not around the PC).

Of course Wireshark can get the flooder info too, but CV just has more options and is also very easy to use.

