Hi guys, im desperated, im coming here to see if someone can help me.

I have basic knowledge of Linux.... if you tell me how to do it, ill find the way.

What's going on:

Battlefield 2 server being attacked by packets that creates infinite loop, then when a player disconnects, server crash.

The packets seems to be always the same.....

Attacker Script: http://aluigi.altervista.org/poc/bf2loop.zip

Script in action:

I need to find a way to block these 4 packets (i think theyre 4 for what i tested) with IP TABLES.

Please! Please help me!

Thanks a lot!


EDIT: There seem to be other different replies, maybe 1 different but no more.... maybe you can find something useful in the script.

If anything, I would make the script capture the IP address and add an iptables rule to block my IP address. Unless you don't want to do it this way....

Thanks but true is that the script is the attacker, not something in the server.

Anyway, i don't know how to make a rule to identify it and block it... how would you identify such packets?

Thanks a lot.

This vulnerability was disclosed a long time ago. As http://aluigi.altervista.org/adv/bf2loop-adv.txt indicates a (mcrsft-only) patch was released and the text refers to another patch as well. If you run your BF2 server on mcrsft then first patch. If that doesn't (completely) mitigate things see if the other patch works. Only if you run your BF2 server on Linux I suggest capturing UDP packets with tcpdump. Once you have packets you could create an iptables rule.