[mohaa] More MOHAA fixes...

Andrew H andrew_jh at cox.net
Tue Jul 27 14:00:26 EDT 2004


Ryan C. Gordon wrote:

>On Mon, 2004-07-26 at 19:28, Fredrick Ludden wrote:
>
>>How does this "fake player slot crap" work?  We had a bunch of hooligans try
>>to enter the server apparently all using the same IP.  They were
>>unsuccessful since we banned the IP.  Anyone care to explain what they were
>>trying to do and what vulnerability this exploits?
>
>(forgive the rambling in this long email...)
>
>It's a well-documented hack that works with several games (quake and
>unreal based)...basically you fill the server with fake players, because
>these games trust that you are really trying to join as soon as you send
>a small handshake, and then, since UDP is stateless, can't assume that
>you aren't really there until you time out (since you otherwise might
>just be lagging really bad). So they make, say, 16 connections with a
>dummy program, which prevents others from joining since the server is
>now "full" with people that are in the process of "joining". Then you
>just have it start over every 30 seconds, to keep it full as the
>original dummy connections time out and drop off. End result: for a
>small amount of bandwidth you can deny entrance to anyone on a server
>that is actually empty.
>
>It's not an easy problem to solve, since it tends to be more about the
>entire network infrastructure of a game and less about simple program
>logic fixes. For now, you should ban by IP and hope they don't own a
>subnet of zombies.
>
>My understanding is Spearhead validates your CD key before it'll let you
>join the server, which probably solves the problem (or limits you to one
>dummy connection unless you've stolen/generated a bunch of valid keys),
>but I could be totally wrong about this.
>
>It's probably safe to assume that 3+ simultaneous connections from the
>same IP is such an attack, especially if the player name changes...most
>DSL/cable modems aren't going to have 3 people behind one NAT'd router.
>Yes, there are exceptions to this rule, but it should definitely send up
>a warning flag. Building in a new cvar that limits simultaneous
>connection attempts from the same IP would probably be the quickest fix
>(i.e. - ignore further "connect" packets from an IP when a connection
>from that IP is pending), but it's not perfect, and still doesn't stop a
>zombie subnet DoS. Then again...not much does.
>
>I don't know what other Quake-based games are doing to solve this. If
>anyone knows of a game that is explicitly INvulnerable to this attack,
>please let me know.
>
>Thoughts on a solution (specifically, a simple solution, since none of
>my MOHAA work is financed at this point) are welcome.
>
>--ryan.
Not to eavesdrop, but my friend and I have LAN parties a lot. And we 
decide to join servers sometimes and there's normally 3-4 of us and we're 
behind a NAT on a Cable ISP.
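The per-IP pending-connection limit Ryan proposes, written out as an added illustration that is not code from the MOHAA engine or from either poster. The class and the names max_pending_per_ip and pending_timeout are assumed stand-ins for the suggested cvar; the IPs and timings are constructed. Raising the limit covers the NAT'd LAN-party case described above, at the cost of letting one IP hold that many half-joined slots.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class PendingConnectionLimiter:
    """Tracks 'connect' handshakes that have not finished joining, per source IP.

    Hypothetical defender-side logic (not engine code). A handshake reserves a
    slot until it completes or pending_timeout seconds pass, mirroring the
    stateless-UDP behaviour in the thread; max_pending_per_ip caps how many such
    reservations one IP may hold at once.
    """
    max_pending_per_ip: int = 1     # 1 = strict; raise it for LAN parties behind NAT
    pending_timeout: float = 30.0   # seconds before a half-joined client is dropped
    max_slots: int = 16             # player slots on the server
    _pending: dict = field(default_factory=lambda: defaultdict(list))  # ip -> start times
    _joined: int = 0

    def _expire(self, now: float) -> None:
        """Drop handshakes whose timeout has elapsed (dead dummy connections)."""
        for ip in list(self._pending):
            self._pending[ip] = [t for t in self._pending[ip] if now - t < self.pending_timeout]
            if not self._pending[ip]:
                del self._pending[ip]

    def pending_total(self, now: float) -> int:
        self._expire(now)
        return sum(len(v) for v in self._pending.values())

    def free_slots(self, now: float) -> int:
        return self.max_slots - self._joined - self.pending_total(now)

    def on_connect(self, ip: str, now: float) -> bool:
        """Return True if this 'connect' packet may reserve a slot, else ignore it."""
        self._expire(now)
        if len(self._pending[ip]) >= self.max_pending_per_ip:
            return False            # a handshake from this IP is still pending
        if self.free_slots(now) <= 0:
            return False            # server genuinely full
        self._pending[ip].append(now)
        return True

    def on_join_complete(self, ip: str, now: float) -> bool:
        """Client finished joining: turn its pending entry into an occupied slot."""
        self._expire(now)
        if not self._pending.get(ip):
            return False
        self._pending[ip].pop(0)
        self._joined += 1
        return True


def simulate_flood(limit: int, connects: int = 16, rounds: int = 3) -> int:
    """Constructed scenario: one IP re-sends `connects` handshakes every 30 s.
    Returns the free slots right after the last round."""
    lim = PendingConnectionLimiter(max_pending_per_ip=limit)
    now = 0.0
    for _ in range(rounds):
        for _ in range(connects):
            lim.on_connect("203.0.113.7", now)  # constructed attacker address
        now += lim.pending_timeout
    return lim.free_slots(now - lim.pending_timeout)
```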
