IP spoofing
It is now over 60 days since the last post. This thread is closed.
Posted by
| Greven
Canada (835 posts) Bio
|
Date
| Fri 05 Nov 2004 04:35 AM (UTC) Amended on Fri 05 Nov 2004 07:42 AM (UTC) by Greven
|
Message
| I was wondering if anyone has by any chance got any advice on how to stop people from multiplaying when they are spoofing IPs. Kinda screws up the ban code. I understand that there is something inherently difficult in detecting this, but maybe someone knows a way to get around it.
|
Nobody ever expects the spanish inquisition!
darkwarriors.net:4848
http://darkwarriors.net |
|
Posted by
| Rogel
USA (5 posts) Bio
|
Date
| Reply #1 on Fri 05 Nov 2004 06:49 AM (UTC) |
Message
| How do you know they are spoofing IPs? Could it be that they are just proxying through something like SOCKS or connecting through a remote shell?
If they are connecting through a remote shell, then there is not much that you can really do besides watching for collusion or maybe checking if the IP comes from a known shell host.
If they are proxying through SOCKS, you can always check to see if the connecting system is running SOCKS, since it commonly uses certain ports like 1080. However, if a SOCKS port cannot be found or they are using some weird proxy protocol, then checking for collusion is probably the best method. |
Rogel's Intermud Laboratory: http://rogel.mudworld.org
Immortal University: http://www.mudworld.org/ImmU
Intermud Forum: http://www.intermud.org/forum/
OpenIMC Intermud Communication Network: http://www.openimc.org |
|
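The SOCKS port check suggested in the reply above, sketched as an added example (not part of the original thread and not SMAUG code): `peer_port_open` is a hypothetical helper that tries a non-blocking TCP connection back to the player's numeric IPv4 address on port 1080 with a short timeout.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define SOCKS_PORT 1080 /* the common SOCKS port named in the post above */

/* Hypothetical helper (not SMAUG code): returns 1 if ip:port accepts a TCP
 * connection within timeout_ms, 0 if it is closed, filtered or too slow,
 * and -1 on a bad address or local socket error. */
int peer_port_open(const char *ip, int port, int timeout_ms)
{
    struct sockaddr_in sa;
    int fd, flags, result = 0;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -1; /* needs the numeric address, not the resolved host name */

    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    /* Non-blocking, so a host that silently drops the SYN cannot stall the
     * single-threaded game loop for the kernel's full connect timeout. */
    flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
        close(fd);
        return -1;
    }
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        result = 1; /* completed at once, which can happen on loopback */
    } else if (errno == EINPROGRESS) {
        struct pollfd p = { fd, POLLOUT, 0 };
        int err = 0;
        socklen_t len = sizeof err;
        /* POLLOUT only says the attempt finished; SO_ERROR says how. */
        if (poll(&p, 1, timeout_ms) == 1 &&
            getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0)
            result = 1;
    }
    close(fd);
    return result;
}
```

A result of 1 from `peer_port_open(host_ip, SOCKS_PORT, 500)` only shows that something is listening on that port, so it is best logged for an administrator to weigh alongside the collusion checks rather than wired directly into the ban code.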
Posted by
| Greven
Canada (835 posts) Bio
|
Date
| Reply #2 on Fri 05 Nov 2004 07:24 AM (UTC) Amended on Fri 05 Nov 2004 07:43 AM (UTC) by Greven
|
Message
| The person told us that he was spoofing. As for checking for collusion, is there somewhere that may have some information on this? I am severely inexperienced in network connections.
As I understand it, spoofing is changing the 13th-20th bytes of an IP packet. I don't know if that can be detected within the confines of a mud code, but...
I don't know if this can be done, as I understand that this would cause problems with sending the information to the wrong place, though the host is only checked once and then allocated into a string, as I understand it. |
Nobody ever expects the spanish inquisition!
darkwarriors.net:4848
http://darkwarriors.net |
|
Posted by
| Nick Gammon
Australia (23,133 posts) Bio
Forum Administrator |
Date
| Reply #3 on Sat 06 Nov 2004 08:32 PM (UTC) Amended on Sun 07 Nov 2004 06:04 AM (UTC) by Nick Gammon
|
Message
|
I don't quite see how someone can "spoof" an IP address in this context. Normally hosts respond by returning to the IP address in the packet header. If you spoof it (which you can if you try) the response goes to someone else.
The thing that is checked once is domain-name resolution, where an address like 1.2.3.4 gets translated into a name (like myhost.org).
Read http://www.grc.com/dos/drdos.htm, it is a rattling good yarn about attacks and spoofs.
I think on that page, or a nearby one (http://www.grc.com/dos/grcdos.htm), the fellow who wrote it, who runs a company that specialises in Internet security, admitted that if someone really wanted to "get him" they could (by using thousands of "zombie" PCs that they control through trojan horses and viruses) and that he couldn't stop them. Basically in the end he managed to find the person responsible and had to ask him nicely to stop. Read it and you'll see why.
I recommend you read both those pages, they are well laid out and fascinating.
I don't think you can do much about it. Even detecting people with the *same* IP address can fail with false positives. Say 100 people are behind a NAT router, they will all have the same IP address, but could actually be 100 different players, all sitting at different PCs.
|
- Nick Gammon
www.gammon.com.au, www.mushclient.com |
|
Posted by
| USER007
(124 posts) Bio
|
Date
| Reply #4 on Sun 07 Nov 2004 02:50 AM (UTC) |
Message
| Wow. After reading those two pages now I'm kinda scared about the internet. :o |
|
Posted by
| Gatewaysysop2
USA (146 posts) Bio
|
Date
| Reply #5 on Mon 08 Nov 2004 06:36 AM (UTC) |
Message
| Good reading Nick, thanks for the links. Anavel is right, this sorta thing does give you the creeps. :P |
"The world of men is dreaming, it has gone mad in its sleep, and a snake is strangling it, but it can't wake up." -D.H. Lawrence |
|
The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).