HACKhalo2
Newbie
Posts: 22
|
|
« on: January 10, 2012, 06:45:10 PM » |
|
After theorizing about a couple things, I came across a problem in the connect screen that may allow a user to spam IP to find a user without buying IP's from the software dealer.
Now, this theory is biased on a couple of assumptions, since I have no clue how the connect screen works:
1.) IP's (biased on the IPv4 format HP uses) has about 232, or 4.294.967.296, possible addresses. Using desktops or laptops within the last 3-5 years, that number of Alpha-only addresses will take about 10-30 minutes to fully rotate that list.
2.) The Connect screen doesn't dock AP points for using it. This can be exploited by a program (Greasemonkey or Tampermonkey) that generates a random IP address and places it in the connect textarea when a injected button is pressed. I don't have a proof of concept program to show how this works, but if I had a domain host, I could write one together to show you what I mean since I need PHP and SQL.
Now, given this information, one with an above-average computer (at least 4 core without hyperthreading, 2+ gigs of RAM, and at least a GPU that supports some sort of process offloading, like OpenCL) can generate enough IP's to find someone without using the software dealer in a short amount of time.
My proposed solution: When using the connect screen, if someone get's five (5) failed attempts in five (5) minutes, the system should restrict connects and bounces for either:
A.) an amount of AP or B.) IP's currently in the users IP database.
This would prevent many current and future abusers, if a catch like this isn't already in place.
Thank you, --Hh2
|
|
|
Logged
|
|
|
|
WolfDoc
|
|
« Reply #1 on: January 10, 2012, 09:53:27 PM » |
|
seriously? IM NOT CHEATING LOL No offense but glad to know GNU looking for exploits
|
|
« Last Edit: January 10, 2012, 09:56:03 PM by WolfDoc »
|
Logged
|
|
|
|
s3lphctr1
Newbie
Posts: 19
|
|
« Reply #2 on: January 10, 2012, 10:01:00 PM » |
|
Im all for tightening up the server dont get me wrong, but wouldnt that lock you out if your cracking multiple ips and they reset ip during the crack. You know you get the ip does not exist message. Which i seem to get a lot these days.
|
|
|
Logged
|
|
|
|
WolfDoc
|
|
« Reply #3 on: January 10, 2012, 10:03:51 PM » |
|
same thing when ur doing decrypts and someone beats u out of them...
|
|
|
Logged
|
|
|
|
HACKhalo2
Newbie
Posts: 22
|
|
« Reply #4 on: January 10, 2012, 10:11:49 PM » |
|
No offence WolfDoc, this wasn't because of you. I was just bored and randomly inputting IP's when I started thinking about this and how it can be exploited.
Secondly, since I'm not the brightest cookie, I assumed that it's has been or is currently being used this way.
Now, if I was pointing fingers, I would. You should know this WolfDoc, from the conversation we had. I came out and said I thought you were cheating before and I was wrong. If I thought you were cheating using something like this, I would of called you out on it. This is just my ADD mind going on a tangent.
Now, if we can please not assume that everyone from GNU is on a witchhunt for WolfDoc, that'll make tensions easier for everyone
|
|
|
Logged
|
|
|
|
WolfDoc
|
|
« Reply #5 on: January 10, 2012, 10:18:25 PM » |
|
well if it didnt seem like some where i wouldnt be so paranoid!! lol
|
|
|
Logged
|
|
|
|
HACKhalo2
Newbie
Posts: 22
|
|
« Reply #6 on: January 10, 2012, 10:20:30 PM » |
|
Im all for tightening up the server dont get me wrong, but wouldnt that lock you out if your cracking multiple ips and they reset ip during the crack. You know you get the ip does not exist message. Which i seem to get a lot these days.
Not if your using the link to try and connect. This is just for using the connect screen and inputting the IP's in the textarea to try and connect to an IP.
|
|
|
Logged
|
|
|
|
WolfDoc
|
|
« Reply #7 on: January 10, 2012, 10:26:32 PM » |
|
well get emi to implement this so it can be ruled out by GNU if im using it or not..
|
|
|
Logged
|
|
|
|
siremi
|
|
« Reply #8 on: January 11, 2012, 10:41:48 AM » |
|
Well, I've asked people not to try and guess IP's using the connect window, I can log connection requests and if I see too many tries from a player in a short time can auto send a bot warning, put a bot flag up or something on him etc...
Or we can put a timer on it that will only allow a connection request every 3 seconds... this would mean you would also have to wait 3 seconds between bounce nodes too.
Please comment, we'll see...
|
|
|
Logged
|
|
|
|
norill
|
|
« Reply #9 on: January 11, 2012, 11:47:24 AM » |
|
sending 4.294.967.296 requests would either take years or get you a flood ban. there are easier ways to get ips. Not if your using the link to try and connect. This is just for using the connect screen and inputting the IP's in the textarea to try and connect to an IP.
whats the point of securing one way to connect and leaving the other unsecured? someone would just use links instead of forms to exploit this
|
|
|
Logged
|
|
|
|
HACKhalo2
Newbie
Posts: 22
|
|
« Reply #10 on: January 11, 2012, 01:21:05 PM » |
|
sending 4.294.967.296 requests would either take years or get you a flood ban. there are easier ways to get ips. Not if your using the link to try and connect. This is just for using the connect screen and inputting the IP's in the textarea to try and connect to an IP.
whats the point of securing one way to connect and leaving the other unsecured? someone would just use links instead of forms to exploit this The point is that IP's do change, and the links become invalid. It like what s3lphctr1 said: Im all for tightening up the server dont get me wrong, but wouldnt that lock you out if your cracking multiple ips and they reset ip during the crack. You know you get the ip does not exist message. Which i seem to get a lot these days.
If your following links that the game generated, it shouldn't lock you out because you keep hitting the IP doesn't exist message, because it did before. The exception to that is if you hit the same link multiple times in a row, since I'm pretty sure that is not something most people do. This is just to tighten down any form of automation that can use the connect screen.
|
|
|
Logged
|
|
|
|
norill
|
|
« Reply #11 on: January 11, 2012, 05:51:02 PM » |
|
dont you understand? anyone can generate links, not only game. you can visit 4.294.967.296 links instead of submitting 4.294.967.296 forms, which would bypass your restrictions
|
|
|
Logged
|
|
|
|
siremi
|
|
« Reply #12 on: January 11, 2012, 11:44:03 PM » |
|
It's a good idea to temporary restrict access if you provide a non-existing IP 5x times in the last 5 minutes... It would simply say you need to wait x min x seconds before trying to connect again and could be like a fail-safe against bots and penalty, I mean not many players can fail 5x times because you're usually clicking links in the IP Db...
The restriction will be on all connecting / bouncing and counting failed attempts will only count for providing non-existent IPs.
I'll check this out.
|
|
« Last Edit: January 11, 2012, 11:47:03 PM by siremi »
|
Logged
|
|
|
|
Clovis
Newbie
Posts: 16
|
|
« Reply #13 on: January 12, 2012, 12:05:29 AM » |
|
well a problem that might come up then with the five failed in five minutes. i just click select all and click bounce, so if i have 5 servers in a row that i dont have admin access to wouldnt that cause the issue? or is it only with ip's not valid?
|
|
|
Logged
|
|
|
|
s3lphctr1
Newbie
Posts: 19
|
|
« Reply #14 on: January 12, 2012, 01:28:55 AM » |
|
Im assuming that would only be for invalid ips.
|
|
|
Logged
|
|
|
|
|