TMW hacking problems

Kill3rZ
Novice
Posts: 200
Joined: 17 Jun 2009, 12:45

TMW hacking problems

Post by Kill3rZ » 17 Oct 2009, 11:43

In the last days there seems to be a problem in preventing annoying hacker attacks. It's not my problem what human conflicts brought this upon us but there actually are reasonable ways to prevent this kind of attack.

1. No IP should be allowed to have more than 10 characters by default. If I want new ones I have to delete old ones in order to create them. For large families who want all their members in the game (+ mules+joke characters with funny names), school computers etc. the administrators will be announced and they will increase the limit (within reason) or create the extra accounts needed to meet all the needs but *in special cases* not by default and not without limitations. Needless to say that this is a privilege that can be taken back if anyone makes abuse of it.
2. There is no reason why a single IP should be able to create more than 3 characters a day. For special cases see paragraph 1.
3. Make ban IP available to GMs. Create specific rules to forbid using that feature except for server defense.
4. Maybe you really do need more GMs. We already have a GM for events only. Maybe it's not a bad idea to have a team of GMs "for defense only" - all abusers will be demoted (or even banned) immediately with no warning.
5. Maybe you can find a way to make peace with the person(s) who do this? This is clearly more than a technical problem.


One more interesting thing about hacking the server. Somebody who will remain unnamed did a few VERY interesting drop parties lately. I am the proud owner of 387 druid tree branches o.O
Uber_Kalimero
Peon
Posts: 11
Joined: 29 Dec 2008, 10:16
Location: The GARDEN

Re: TMW hacking problems

Post by Uber_Kalimero » 17 Oct 2009, 13:09

Well ... Humanity Failures ... as usual:
  • INTERNET:
    Efficient identification doesn't rely on IPs ...
  • CONFLICTS:
    Geeks are mostly deficient in psychology fields,
    Psychologists are generally bad at WANs and eNet protocols ...
Mixing the two abilities is a job (Software projects and Development teams Manager) poorly paid or considered these days.

~ Only Philosophy or Spirituality seem to be able to lead us to something better nowadays : learn them, use them
Fruits and Vegetables are good for you : eat them ...
Ceros
Novice
Posts: 262
Joined: 17 Aug 2009, 17:03

Re: TMW hacking problems

Post by Ceros » 17 Oct 2009, 13:28

Kill3rZ wrote:Ban IPs points 1, 2, 3.
By utilizing internet anonymity programs like TOR, the attackers are not subject to IP ban (and the community has a dislike of IP bans in general - you can ban a city, university, etc. with an IP ban; related article: http://kalsey.com/2004/02/why_ip_banning_is_useless/ )

Community has spoken saying they don't want GMs for anything more than detecting and banning those who bot, apparently. Kind of a step backward to now want GMs to be able to immediately ban with no warning.
Kill3rZ wrote:Make peace,not war!
And give in to terrorists !?!

Thank you for telling me about the weird drop parties. Now I know the market will be fucked up for the next week or so.
Kill3rZ
Novice
Posts: 200
Joined: 17 Jun 2009, 12:45

Re: TMW hacking problems

Post by Kill3rZ » 17 Oct 2009, 13:52

I never said ban with no warning. I said temporary IP ban to instantly and efficiently stop the attack for a few minutes (till the attacker realizes his IP got banned, changes it, restarts the process, etc - which BTW can become too much hard work for him/her too after a while) instead of outnumbered banning, kicking and killing hacking accounts one by one which takes hours of hard work and doesn't even get the attack slower.

The demote/ban with no warning was for abusive GMs who use the ban IP feature for their whims. (if you actually decide to rely on more people to help against these attacks - that was the context where I inserted this suggestion)

Points 1 and 2 don't solve the problem which seems unsolvable until the attacker gets bored or makes peace with you, but they make the process slower and more difficult for the attacker.

And I don't suggest to let the terrorists win. I suggest that just like it is with friends, sometimes you get to choose your enemies too (at least which of them you choose to fight and how). But then again, what do I really know about this conflict?
Uber_Kalimero
Peon
Posts: 11
Joined: 29 Dec 2008, 10:16
Location: The GARDEN

Re: TMW hacking problems

Post by Uber_Kalimero » 17 Oct 2009, 15:05

Kill3rZ wrote:I said temporary IP ban to instantly and efficiently stop the attack for a few minutes (till the attacker realizes his IP got banned, changes it, restarts the process, etc - which BTW can become too much hard work for him/her too after a while) instead of outnumbered banning, kicking and killing hacking accounts one by one which takes hours of hard work and doesn't even get the attack slower.
Automated cycling IPs can be easily obtained (e.g. by any manageable HW Switch) at no effort or trouble for the user ...
IP ban, even temporary, is really useless for the purpose you described (sorry).
Fruits and Vegetables are good for you : eat them ...
GARRETTtheGREAT
Peon
Posts: 70
Joined: 06 Oct 2009, 00:27

Re: TMW hacking problems

Post by GARRETTtheGREAT » 17 Oct 2009, 16:39

I know I have a nonexistent post count, and I'm an uber n00b to TMW and this forum in general, but I have a good amount of programming experience and I think I have a suggestion that may end this sort of annoyance.

Upon account or character creation there will be a CAPTCHA. Presumably, these people have modified some part of the client, so the client program simply cannot create the CAPTCHA. For the same reason, the server cannot just tell the client the answer to the CAPTCHA and let the client create the image. But, if the server dynamically creates a CAPTCHA image, unique ID, and answer, then sends the image and ID to the client, any hacker would have an extremely hard time decoding an image into plain text and sending the correct response. If this were implemented, the hacker would have to manually type in every CAPTCHA every time, and I wouldn't think there would be a point to trying at all :D

We could also create a method of preventing CAPTCHA spam. A simple time based system would be fine. CAPTCHAs would be deleted from the database, for example, after 1 minute (if a user can't type 6 characters in 1 minute, they probably won't be playing TMW ^^). I also think a limit of 10 open CAPTCHAs per IP address should be implemented as well to control flooding the database.


I was there last night when this happened. It really sucks just to watch some jerk (I'd use more profane language if it were allowed :D) do this for grins while there's nothing I can do to stop it :(
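The server-side challenge flow proposed in the post above, as an added Python sketch (editorial example, not part of the original post and not TMW server code). The names `CaptchaStore`, `issue` and `verify` are hypothetical, and rendering the answer into a distorted image is assumed to happen in the caller.

```python
import hmac
import secrets
import time

CAPTCHA_TTL = 60        # seconds; the post suggests deleting after 1 minute
MAX_OPEN_PER_IP = 10    # the post's limit on open CAPTCHAs per IP address
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: no look-alike glyphs


class CaptchaStore:
    """Challenge table kept on the server; the answer is never sent out."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._open = {}  # challenge_id -> (answer, ip, expires_at)

    def _purge(self):
        # Drop every challenge whose lifetime has run out.
        now = self._clock()
        for cid in [c for c, (_, _, exp) in self._open.items() if exp <= now]:
            del self._open[cid]

    def issue(self, ip):
        """Return (challenge_id, answer), or None if this IP has too many open.

        The caller draws `answer` into an image and sends only the image and
        challenge_id to the client.
        """
        self._purge()
        open_for_ip = sum(1 for _, owner, _ in self._open.values() if owner == ip)
        if open_for_ip >= MAX_OPEN_PER_IP:
            return None
        cid = secrets.token_urlsafe(16)  # unguessable ID, not a counter
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._open[cid] = (answer, ip, self._clock() + CAPTCHA_TTL)
        return cid, answer

    def verify(self, cid, ip, response):
        """Single use: the entry is consumed whether or not the guess is right."""
        self._purge()
        entry = self._open.pop(cid, None)
        if entry is None:  # unknown, expired or already used
            return False
        answer, owner, _ = entry
        guess = response.strip().upper().encode()
        return owner == ip and hmac.compare_digest(answer.encode(), guess)
```

Consuming the entry on the first attempt means a wrong guess cannot be retried against the same image, so each guess costs the client a fresh challenge from its per-IP allowance.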
Habari
Novice
Posts: 249
Joined: 25 Nov 2007, 17:04

Re: TMW hacking problems

Post by Habari » 17 Oct 2009, 16:52

Most people that form part of the attacks just want revenge because they were banned for abusing the rules in the past, so there's nothing to negotiate. Actually, the IPs of the attackers should be reported to the police IMHO, so they do something about this.

To stop attacks from the technical point of view, I can see 4 options (choose one):

OPTION A: Limit the global amount of accounts that can be created on the server per day.
ADVANTAGES: It's a no-way-round solution, it automatically cuts the new account creation.
DISADVANTAGES: New players would have to wait until tomorrow to have an account, perhaps losing interest in TMW.

OPTION B: Use an Email Confirmation - reCAPTCHA web interface to create accounts.
ADVANTAGES: Easy to implement, you don't have to change the client, backwards compatibility is not an issue.
DISADVANTAGES: It may be an inconvenience for the user to have to exit the client each time they want an account.

OPTION C: Control the people that have the right to own an account, with checks, like it is being done now in IRC.
ADVANTAGES: We really control where the accounts go to.
DISADVANTAGES: It's a nuisance for someone that just wants to play a game.

OPTION D: Use an invitation system: each player of the community has a limited number of invitations (let's say 5), and he can welcome new players into the game, who need the invitation to create an account (Gmail used to have this system in the first betas).
ADVANTAGES: TMW would become even more familiar, new players would be of trust, and the TMW population would grow on a controlled basis.
DISADVANTAGES: 1. Lots of people maybe wouldn't be able to play. 2. People could give away accounts irresponsibly.

I PREFER OPTION D OUT OF THE 4, and this is how I will solve the 2 disadvantages it has:

1. GMs and Devs would have the right to unlimited invitations. Any new player who didn't know anyone inside TMW would be advised, on the website - client news, to write an e-mail to a Dev - GM stating why they want to play TMW, and would get an invitation after debate.

2. If someone commits abuse, the person who invited him into the game would get punished/banned for it. That way nobody will have the temptation to invite rogue friends into the game, or to just post his invitation codes in a rogue forum.
Crush
TMW Adviser
Posts: 8046
Joined: 25 Aug 2005, 17:08
Location: Germany

Re: TMW hacking problems

Post by Crush » 17 Oct 2009, 16:54

Adding an additional step to the login procedure would break compatibility with older clients. Because of the latency of some of our software distribution paths (ubuntu software repository, for example) we can't do this.
  • former Manasource Programmer
  • former TMW Pixel artist
  • NOT a game master

Please do not send me any inquiries regarding player accounts on TMW.


You might have heard a certain rumor about me. This rumor is completely false. You might also have heard the other rumor about me. This rumor is 100% accurate.
Jaxad0127
TMW Adviser
Posts: 4209
Joined: 01 Nov 2007, 18:35
Location: Internet

Re: TMW hacking problems

Post by Jaxad0127 » 17 Oct 2009, 16:57

We can always provide binaries ourselves.

Option A is doable. Only allow X accounts to be made in Y time. We can also kick (ban?) characters from the server that spawn and don't move within Z time.
GARRETTtheGREAT
Peon
Posts: 70
Joined: 06 Oct 2009, 00:27

Re: TMW hacking problems

Post by GARRETTtheGREAT » 17 Oct 2009, 17:06

Habari wrote: Most people that form part of the attacks just want revenge because they were banned for abusing the rules in the past, so there's nothing to negotiate. Actually, the IPs of the attackers should be reported to the police IMHO, so they do something about this.

To stop attacks from the technical point of view, I can see 4 options (choose one):

OPTION A: Limit the global amount of accounts that can be created on the server per day.
ADVANTAGES: It's a no-way-round solution, it automatically cuts the new account creation.
DISADVANTAGES: New players would have to wait until tomorrow to have an account, perhaps losing interest in TMW.

OPTION B: Use an Email Confirmation - reCAPTCHA web interface to create accounts.
ADVANTAGES: Easy to implement, you don't have to change the client, backwards compatibility is not an issue.
DISADVANTAGES: It may be an inconvenience for the user to have to exit the client each time they want an account.

OPTION C: Control the people that have the right to own an account, with checks, like it is being done now in IRC.
ADVANTAGES: We really control where the accounts go to.
DISADVANTAGES: It's a nuisance for someone that just wants to play a game.

OPTION D: Use an invitation system: each player of the community has a limited number of invitations (let's say 5), and he can welcome new players into the game, who need the invitation to create an account (Gmail used to have this system in the first betas).
ADVANTAGES: TMW would become even more familiar, new players would be of trust, and the TMW population would grow on a controlled basis.
DISADVANTAGES: 1. Lots of people maybe wouldn't be able to play. 2. People could give away accounts irresponsibly.

I PREFER OPTION D OUT OF THE 4, and this is how I will solve the 2 disadvantages it has:

1. GMs and Devs would have the right to unlimited invitations. Any new player who didn't know anyone inside TMW would be advised, on the website - client news, to write an e-mail to a Dev - GM stating why they want to play TMW, and would get an invitation after debate.

2. If someone commits abuse, the person who invited him into the game would get punished/banned for it. That way nobody will have the temptation to invite rogue friends into the game, or to just post his invitation codes in a rogue forum.
A. This is a very simple solution and should work easily enough. The problem would be if the hacker made the limit of new characters at 12:01am. The rest of the 24 hour period, no one could make another character. They could do this every day.

B. I agree with this one 75% :) The problem is not everyone has an email address.

C. I think there are a lot of ways around this in IRC, so I don't think it will solve the problem 100% in TMW

D. I think that would kill the number of new players joining TMW. It is, after all, a MMORPG, and not just an ORPG :)

@Crush I agree 100%. I run Ubuntu and the repo has 0.28 in there right now, so 0.30 would be a long time in the coming. But, it's not hard to get the most current version of TMW running. also this: http://forums.themanaworld.org/viewtopi ... 66&start=0

@jaxad0127 I like the idea of kicking (banning) new chars that are idle after creation. A simple hacker workaround is to make them move one step in any direction. Then there's no way the server can distinguish between a legit and illegitimate char. If we make it so the char has to move 1000 steps in the first hour, that might be possible, but a more sophisticated attack would defeat this as well.
Kill3rZ
Novice
Posts: 200
Joined: 17 Jun 2009, 12:45

Re: TMW hacking problems

Post by Kill3rZ » 17 Oct 2009, 17:44

Please don't add a disconnect-if-idle feature. Sometimes people just wait for each other while doing something else. It's pretty annoying to have to move the sprite every 5 minutes to avoid a kick. Besides, a bot can also be programmed to move a few squares (or as many as needed) every 3 minutes

Limited account-creations per day would be an awesome idea... unless we are attacked daily. In that case we'll never ever have new people in here again because the attacker will just use up all the new-char slots making it impossible for real new people to join.

What about a bot check in the game, right after log in? An NPC showing you a distorted image of a code right after you log in first time and asking you to type in the code? This wouldn't change the login window or compatibility with older clients, I think, but would it be technically possible in the phase the game is in? I think so: the shape of the letters made ... I lack the terminology... just like old drawings in ancient DOS computers. A drawing made from keyboard characters. Distorted enough to fool a bot, but readable for a human. You can add a 1 minute timer for inserting the code and auto-kick on time-out.
Jaxad0127
TMW Adviser
Posts: 4209
Joined: 01 Nov 2007, 18:35
Location: Internet

Re: TMW hacking problems

Post by Jaxad0127 » 17 Oct 2009, 19:05

Kill3rZ wrote:Please don't add a disconnect-if-idle feature. Sometimes people just wait for each other while doing something else. It's pretty annoying to have to move the sprite every 5 minutes to avoid a kick. Besides, a bot can also be programmed to move a few squares (or as many as needed) every 3 minutes
It'll only apply if you don't move after logging on. If you do, no idle kick.
Kill3rZ wrote:Limited account-creations per day would be an awesome idea... unless we are attacked daily. In that case we'll never ever have new people in here again because the attacker will just use up all the new-char slots making it impossible for real new people to join.
Not really. X per day would. X per Y time wouldn't (Y being less than a day). Like 1 account per 10 seconds.
Kill3rZ wrote:What about a bot check in the game, right after log in? An NPC showing you a distorted image of a code right after you log in first time and asking you to type in the code? This wouldn't change the login window or compatibility with older clients, I think, but would it be technically possible in the phase the game is in? I think so: the shape of the letters made ... I lack the terminology... just like old drawings in ancient DOS computers. A drawing made from keyboard characters. Distorted enough to fool a bot, but readable for a human. You can add a 1 minute timer for inserting the code and auto-kick on time-out.
Still requires client update.
melkior
Novice
Posts: 320
Joined: 28 Dec 2008, 16:57

Re: TMW hacking problems

Post by melkior » 17 Oct 2009, 20:12

jaxad0127 wrote: It'll only apply if you don't move after logging on. If you do, no idle kick.
Does speaking/emoting count as "moving"?
GARRETTtheGREAT
Peon
Posts: 70
Joined: 06 Oct 2009, 00:27

Re: TMW hacking problems

Post by GARRETTtheGREAT » 18 Oct 2009, 03:20

I think a CAPTCHA or any other bot check after logging in is not as effective because we then have all three servers tied up; account, character, and map. If we can stop it at character, we'll save just a little more. I don't think account is too good an idea because users would be annoyed to have to type a CAPTCHA every time they want to play.

I think the X creations per Y time is a good idea, but I can't think of a happy medium. If you do it on a large scale (100 accounts per day, for example) the attacker could stop anyone from ever registering again. If on a short scale (1 account every 10 seconds) the attacker could create 360 chars per hour. Even something in between (10 accounts per hour) the attacker could exploit to block new accounts from being created.

Well, I just had a strange, but possibly viable idea :D

What if new chars are born into "purgatory," e.g. a map that has no entrance and one exit. It would have no geographic location on the global map, or at least no reachable location. In this stage they must accomplish some basic task, simple as moving, saying something, whatever. If they don't accomplish it in a period of let's say 5 minutes, they are autokicked. It could even tie into the story as some sort of dream sequence, explaining a little what TMW is. Chars could be born into the cave that holds the mana seed, slightly modified to be a small area with no exit. They hear it calling their name (npc message pops up on screen) so they go over to investigate. They touch the seed, some storyline ensues, then they are born into what is now the birth point. I'm not sure if this is possible, but in this scenario, it would be nice to see no other chars but yourself, as it's supposed to be a dream, but if that's not possible, I don't see any harm :D
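The "X creations per Y time" trade-off debated in this thread, as an added Python simulation (editorial example, not part of any post and not TMW server code). The traffic is constructed: one flooding client sends a request every second and always gets in ahead of a genuine newcomer who arrives every 10 minutes; `SlidingWindowLimiter` and `simulate` are hypothetical names.

```python
from collections import deque


class SlidingWindowLimiter:
    """Server-wide cap: at most `limit` creations in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._stamps = deque()  # times of the creations still inside the window

    def allow(self, now):
        while self._stamps and self._stamps[0] <= now - self.window:
            self._stamps.popleft()
        if len(self._stamps) >= self.limit:
            return False
        self._stamps.append(now)
        return True


def simulate(limit, window, hours=24, flood=True, legit_interval=600):
    """Replay the constructed traffic against one global limiter.

    Returns (junk accounts created, newcomers admitted, newcomers total).
    """
    limiter = SlidingWindowLimiter(limit, window)
    junk = admitted = newcomers = 0
    for t in range(hours * 3600):
        # The flood request is processed first each second (worst case).
        if flood and limiter.allow(t):
            junk += 1
        if t % legit_interval == legit_interval // 2:
            newcomers += 1
            if limiter.allow(t):
                admitted += 1
    return junk, admitted, newcomers


if __name__ == "__main__":
    # The three settings named in the post above, over one day.
    for label, limit, window in [("100 per day", 100, 86400),
                                 ("1 per 10 s", 1, 10),
                                 ("10 per hour", 10, 3600)]:
        print(label, simulate(limit, window))
    print("10 per hour, no flood", simulate(10, 3600, flood=False))
```

Under this worst-case ordering every global setting admits no newcomers while the flood lasts; the cap only decides how many junk accounts land per day (100, 8640 at the 360-per-hour rate from the post, or 240), which is why the thread keeps looking for a per-client proof of humanity instead.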
Kill3rZ
Novice
Posts: 200
Joined: 17 Jun 2009, 12:45

Re: TMW hacking problems

Post by Kill3rZ » 18 Oct 2009, 11:13

My solution was much simpler: 1 npc waiting at the birth place asking every newborn to insert the code and kicking the newborn if he fails to do so in 1 minute. And it still seems to require client update (lack of compatibility with older clients).