The Hacker Project - a free online game

Feedback Terminal => "Bugs" and Problems => Topic started by: HACKhalo2 on January 10, 2012, 06:45:10 PM



Title: Possible exploit using the connect screen
Post by: HACKhalo2 on January 10, 2012, 06:45:10 PM
After theorizing about a couple things, I came across a problem in the connect screen that may allow a user to spam IPs to find a user without buying IPs from the software dealer.

Now, this theory is based on a couple of assumptions, since I have no clue how the connect screen works:

1.) IPs (based on the IPv4 format HP uses) have about 2^32, or 4.294.967.296, possible addresses. Using desktops or laptops within the last 3-5 years, that number of Alpha-only addresses will take about 10-30 minutes to fully rotate that list.

2.) The Connect screen doesn't dock AP points for using it. This can be exploited by a program (Greasemonkey or Tampermonkey) that generates a random IP address and places it in the connect textarea when an injected button is pressed. I don't have a proof of concept program to show how this works, but if I had a domain host, I could write one together to show you what I mean since I need PHP and SQL.

Now, given this information, one with an above-average computer (at least 4 core without hyperthreading, 2+ gigs of RAM, and at least a GPU that supports some sort of process offloading, like OpenCL) can generate enough IPs to find someone without using the software dealer in a short amount of time.

My proposed solution:
When using the connect screen, if someone gets five (5) failed attempts in five (5) minutes, the system should restrict connects and bounces for either:

A.) an amount of AP or
B.) IPs currently in the user's IP database.

This would prevent many current and future abusers, if a catch like this isn't already in place.

Thank you,
--Hh2


Title: Re: Possible exploit using the connect screen
Post by: WolfDoc on January 10, 2012, 09:53:27 PM
seriously? IM NOT CHEATING LOL

No offense but glad to know GNU looking for exploits :)


Title: Re: Possible exploit using the connect screen
Post by: s3lphctr1 on January 10, 2012, 10:01:00 PM
I'm all for tightening up the server, don't get me wrong, but wouldn't that lock you out if you're cracking multiple IPs and they reset IP during the crack? You know you get the IP does not exist message. Which I seem to get a lot these days.


Title: Re: Possible exploit using the connect screen
Post by: WolfDoc on January 10, 2012, 10:03:51 PM
same thing when ur doing decrypts and someone beats u out of them...


Title: Re: Possible exploit using the connect screen
Post by: HACKhalo2 on January 10, 2012, 10:11:49 PM
No offence WolfDoc, this wasn't because of you. I was just bored and randomly inputting IPs when I started thinking about this and how it can be exploited.

Secondly, since I'm not the brightest cookie, I assumed that it has been or is currently being used this way.

Now, if I was pointing fingers, I would. You should know this WolfDoc, from the conversation we had. I came out and said I thought you were cheating before and I was wrong. If I thought you were cheating using something like this, I would have called you out on it. This is just my ADD mind going on a tangent.

Now, if we can please not assume that everyone from GNU is on a witchhunt for WolfDoc, that'll make tensions easier for everyone.


Title: Re: Possible exploit using the connect screen
Post by: WolfDoc on January 10, 2012, 10:18:25 PM
well if it didnt seem like some where i wouldnt be so paranoid!! lol


Title: Re: Possible exploit using the connect screen
Post by: HACKhalo2 on January 10, 2012, 10:20:30 PM
Quote from: s3lphctr1 on January 10, 2012, 10:01:00 PM
> I'm all for tightening up the server, don't get me wrong, but wouldn't that lock you out if you're cracking multiple IPs and they reset IP during the crack? You know you get the IP does not exist message. Which I seem to get a lot these days.

Not if you're using the link to try and connect. This is just for using the connect screen and inputting the IPs in the textarea to try and connect to an IP.


Title: Re: Possible exploit using the connect screen
Post by: WolfDoc on January 10, 2012, 10:26:32 PM
well get emi to implement this so it can be ruled out by GNU if im using it or not..


Title: Re: Possible exploit using the connect screen
Post by: siremi on January 11, 2012, 10:41:48 AM
Well, I've asked people not to try and guess IPs using the connect window, I can log connection requests and if I see too many tries from a player in a short time can auto send a bot warning, put a bot flag up or something on him etc...

Or we can put a timer on it that will only allow a connection request every 3 seconds... this would mean you would also have to wait 3 seconds between bounce nodes too.

Please comment, we'll see...



Title: Re: Possible exploit using the connect screen
Post by: norill on January 11, 2012, 11:47:24 AM
sending 4.294.967.296 requests would either take years or get you a flood ban. there are easier ways to get ips.

Quote from: HACKhalo2 on January 10, 2012, 10:20:30 PM
> Not if you're using the link to try and connect. This is just for using the connect screen and inputting the IPs in the textarea to try and connect to an IP.

what's the point of securing one way to connect and leaving the other unsecured? someone would just use links instead of forms to exploit this


Title: Re: Possible exploit using the connect screen
Post by: HACKhalo2 on January 11, 2012, 01:21:05 PM
Quote from: norill on January 11, 2012, 11:47:24 AM
> sending 4.294.967.296 requests would either take years or get you a flood ban. there are easier ways to get ips.
>
> Quote from: HACKhalo2 on January 10, 2012, 10:20:30 PM
> > Not if you're using the link to try and connect. This is just for using the connect screen and inputting the IPs in the textarea to try and connect to an IP.
>
> what's the point of securing one way to connect and leaving the other unsecured? someone would just use links instead of forms to exploit this

The point is that IPs do change, and the links become invalid. It's like what s3lphctr1 said:

Quote from: s3lphctr1 on January 10, 2012, 10:01:00 PM
> I'm all for tightening up the server, don't get me wrong, but wouldn't that lock you out if you're cracking multiple IPs and they reset IP during the crack? You know you get the IP does not exist message. Which I seem to get a lot these days.

If you're following links that the game generated, it shouldn't lock you out because you keep hitting the IP doesn't exist message, because it did before. The exception to that is if you hit the same link multiple times in a row, since I'm pretty sure that is not something most people do. This is just to tighten down any form of automation that can use the connect screen.


Title: Re: Possible exploit using the connect screen
Post by: norill on January 11, 2012, 05:51:02 PM
don't you understand? anyone can generate links, not only game. you can visit 4.294.967.296 links instead of submitting 4.294.967.296 forms, which would bypass your restrictions


Title: Re: Possible exploit using the connect screen
Post by: siremi on January 11, 2012, 11:44:03 PM
It's a good idea to temporarily restrict access if you provide a non-existing IP 5x times in the last 5 minutes... It would simply say you need to wait x min x seconds before trying to connect again and could be like a fail-safe against bots and penalty, I mean not many players can fail 5x times because you're usually clicking links in the IP Db...

The restriction will be on all connecting / bouncing and counting failed attempts will only count for providing non-existent IPs.

I'll check this out.
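
The lockout siremi describes above (five non-existent IPs within five minutes blocks all connecting and bouncing), as an added example that is not the game's own code. The `ConnectLimiter` class, the `known_ips` set and the `has_access` flag are assumptions made for illustration; every request path goes through the one `connect` method, since norill's objection is that a check on the form alone can be bypassed with links.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60  # "in the last 5 minutes"
MAX_FAILURES = 5         # five non-existent IPs trigger the lockout


class ConnectLimiter:
    """Per-player sliding-window lockout for connect and bounce requests."""

    def __init__(self, known_ips, clock=time.monotonic):
        self.known_ips = set(known_ips)     # hypothetical stand-in for the server table
        self.clock = clock                  # injectable so the window can be tested
        self.failures = defaultdict(deque)  # player -> times of non-existent-IP tries

    def retry_after(self, player):
        """Seconds the player must still wait; 0 when not locked out."""
        now = self.clock()
        tries = self.failures[player]
        while tries and now - tries[0] >= WINDOW_SECONDS:
            tries.popleft()                 # forget failures older than the window
        if len(tries) < MAX_FAILURES:
            return 0
        return tries[0] + WINDOW_SECONDS - now

    def connect(self, player, ip, has_access=True):
        """Single entry point: form posts, links and bounce nodes all pass here."""
        wait = self.retry_after(player)
        if wait > 0:
            return ("locked", wait)         # applies to every connect and bounce
        if ip not in self.known_ips:
            self.failures[player].append(self.clock())
            return ("no_such_ip", 0)        # the only outcome that is counted
        if not has_access:
            return ("denied", 0)            # real server, no admin access: not counted
        return ("connected", 0)


if __name__ == "__main__":
    now = [0.0]                             # constructed clock, in seconds
    game = ConnectLimiter({"10.0.0.1"}, clock=lambda: now[0])
    for guess in range(5):                  # five constructed wrong addresses
        print(game.connect("guesser", f"203.0.113.{guess}"))
        now[0] += 10
    print(game.connect("guesser", "10.0.0.1"))   # locked, even for a real IP
    now[0] = 300
    print(game.connect("guesser", "10.0.0.1"))   # oldest failure expired
```

The lock releases when the oldest counted failure leaves the five-minute window, which gives the "wait x min x seconds" value directly.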


Title: Re: Possible exploit using the connect screen
Post by: Clovis on January 12, 2012, 12:05:29 AM
well a problem that might come up then with the five failed in five minutes. I just click select all and click bounce, so if I have 5 servers in a row that I don't have admin access to wouldn't that cause the issue? or is it only with IPs not valid?


Title: Re: Possible exploit using the connect screen
Post by: s3lphctr1 on January 12, 2012, 01:28:55 AM
I'm assuming that would only be for invalid IPs.


Title: Re: Possible exploit using the connect screen
Post by: Sjums07 on April 09, 2012, 12:34:19 AM
I would like to remind you about internet delay. So your minutes will probably become weeks :-)

If you make 4 requests per sec, it'll take 3,98 weeks :-)


Title: Re: Possible exploit using the connect screen
Post by: N3hpy50X3 on April 20, 2013, 08:41:16 PM
could this be used IRL?
does this mean that there is no such thing as true privacy because hackers can get your ip so easily?
I am now extremely paranoid about being attacked this way
The Internet is evil.

I use proxy IPs for everything already, but now I don't see the point if my real IP is freely available
I use the Tor network and then bounce through a few IPs that I got from proxy.org just to make sure