Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 13:06

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 21 posts ] 
Author Message
 Post subject: The point?
PostPosted: 20 Oct 2008 15:14 

Joined: 20 Oct 2008 15:12
Posts: 7
why make this app public ? it got to be heaven for script kids just do download and use this tool.
just hope that other devlopers make their games secure for this kind of lame attacks..


Top
 Profile  
 
 
 Post subject: Re: The point?
PostPosted: 20 Oct 2008 15:52 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Quote:
why make this app public ?
everything I do is public, included my proof-of-concepts and moreover for a type of bug ("fake players") which has been deeply researched and focused by me:

http://aluigi.org/fakep.txt

Quote:
it got to be heaven for script kids just do download and use this tool.
the good old fable of the "script kids"... do you know that today the most used program for compromising remote applications (cms and other web applications, practically the majority of internet attacks) is a web browser like Internet Explorer, Firefox and Opera?
Yeah just tools for script kiddies... blah

Quote:
just hope that other devlopers make their games secure for this kind of lame attacks..
players_per_ip limitations are solutions taken more seriously today so seems just yes.

What I don't understand is, if these "attacks" are so "lame" (the idea behind the "fake players bug" is very simple and banal so I think this is the "lame" about you refer) why you are so worried?


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 20 Oct 2008 16:36 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
indeed. whats the point of this topic ? ..just another "hater" who has been "victim" of such tools and then comes to whine..whaa whaa ... dont release such things.
Quote:
it got to be heaven for script kids

i think that you are one of those...because u have no skills. otherwise you wouldn't whine, but make anti-fake player tools :)
also if you would take your head out of whereever it is, you would see that a LOT of ppl don't even know how to use cmd (tht includes you i think). so how can they use it, if they can't even use cmd.

Quote:
hope that other devlopers make their games secure for this kind of lame attacks..

developers don't give a shit about it. they really don't care if somebody has a problem like this. as Luigi referred to ip limit...i don't think they will ever do this, because there's LOTS of gaming clubs (or places) and there's like 50 ppl behind one ip. so i don't think so. unless developers are total IDIOTS. ..which they unfortunetly are lately. take kaspersky labs for example (not a game developer). only got one response when reporting a problem.

Quote:
why make this app public ?

so ppl like YOU can whine :) lol


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 20 Oct 2008 20:55 

Joined: 20 Oct 2008 15:12
Posts: 7
oops..stepped on some toes..

well off cource im a crybaby that dont know cmd and yes been victim of it.

understand that all ur work is public and i respect that, just that the only tool i heard of is this q3fill and i spent some time to know what this is about as it infact happend to me. and then i found ur site and wips this noob that dont know cmd could flood servers (read my). guess that off all servers that got this shit happend to them most "script-kids" uses ur tool.

its in the nature of a online game that u accept incoming request but from legit request. and its in gaming nature that u gonna piss some 14year old player that know somewhat (google +cmd) then the uses this tool. not deeper understanding of ur work just they feel big (in my eyes that lame). but if u wanna help them give them a easier way to spoof ip so admins cant ban them?

well dont wanna be a dick and blame all evil on u :)

Sethioz:

well theres a u every where... of cource they care the developers, they do this work for the love of the game and enjoy that people play and like their game. but problem is that u have to make compremises between thinking security vs gameplay. time spent for solving ip_limit could been a nice new feature (simplyfied i guess).


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 20 Oct 2008 22:09 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Quote:
guess that off all servers that got this shit happend to them most "script-kids" uses ur tool.
script kiddies have ever existed and will continue to exist forever even if you write informations and stuff not for them or with other purposes, so the best way is just to ignore them, luckily the losers will remain losers for all the life so who cares.

You can't burn all the books of the world only because exist some people that apply in a bad way the information contained in them... I think this is something logical that any "normal" person already know so it's not needed that I repeat this.

Quote:
but if u wanna help them give them a easier way to spoof ip so admins cant ban them?
sincerely I have not understood this question or sarcasm or anything else you had in mind


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 21 Oct 2008 06:40 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
like whtever, but i never had those problems, because i am not an idiotic admin who is like "OMFG DONT USE THIS WEAPON, YOU NOOOB" ..." OMG NO STAGGERING OR I BAN YOU" ..etc. This kind of acting from admin results in a flood, crash ...etc.

i agree that some dumb idiots come to spam your server with some messages and then get even more mad because you ban them, but those kind of ppl only do bla bla bla and never actually get to crashing, because they simply too dumb.

Luigi is right about it. script kiddies will always be out there...and will always be. and try to understand..if Luigi wouldn't write those tools, then somebody else would. why they don't now ? because there is no need...you have to be idiot to write an existing tool. for example if there is q3fill, then nobody else writes it, because it already exists, but if Luigi wouldn't have had wrote it .. then somebody else would have. ..besides a script kiddie is too dumb to use those tools.

now here's a lil thing that should make you think:
you (your server) was a victim of q3fill (or some other fp tool) right ?! ..now you searched and found this tool. so you knew what is the problem, but what if it would be a private tool ? ..then it would take you ages to figure out whts going on.


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 21 Oct 2008 08:31 

Joined: 20 Oct 2008 15:12
Posts: 7
Quote:
script kiddies have ever existed and will continue to exist forever even if you write informations and stuff not for them or with other purposes, so the best way is just to ignore them, luckily the losers will remain losers for all the life so who cares.


hard to ignore when they fill my 50 slot server that cost $80/month from my own wallet. and using a GSP its hard to make fw changes or things like that so i can only hope the developers of the mod makes updates to help protect. bit frustrating not to have any way of preventing this.
but still think there is a big step off showing the problem and make a public download that makes it very easy to use this bug.


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 21 Oct 2008 12:47 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I'm 100% with the "full disclosure", no secrets and no lies


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 21 Oct 2008 20:57 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
YES! finally a topic on luigi's forum i can argue about :D

aluigi wrote:
do you know that today the most used program for compromising remote applications (cms and other web applications, practically the majority of internet attacks) is a web browser like Internet Explorer, Firefox and Opera?
Yeah just tools for script kiddies... blah

really?

aluigi wrote:
What I don't understand is, if these "attacks" are so "lame" (the idea behind the "fake players bug" is very simple and banal so I think this is the "lame" about you refer) why you are so worried?

well he does have a point, there is no actual point in filling a server other than not allowing some one to join...

sethioz, holy hell man, calm down lol

ShowerStalker wrote:
oops..stepped on some toes..

lol, that's a lame line :P

Sethioz wrote:
like whtever, but i never had those problems, because i am not an idiotic admin who is like "OMFG DONT USE THIS WEAPON, YOU NOOOB" ..." OMG NO STAGGERING OR I BAN YOU" ..etc. This kind of acting from admin results in a flood, crash ...etc.
i agree that some dumb idiots come to spam your server with some messages and then get even more mad because you ban them, but those kind of ppl only do bla bla bla and never actually get to crashing, because they simply too dumb.
oh boy, you've never played JK2 1.02... if you play that, you might understand this guy does have a point in some way... noobs on there don't know how anything works, all they do is press a button and if it crashes they are happy

so uh person, what game is your server being "attacked" ?


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 21 Oct 2008 23:23 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Quote:
oh boy, you've never played JK2 1.02... if you play that, you might understand this guy does have a point in some way... noobs on there don't know how anything works, all they do is press a button and if it crashes they are happy

I have. actually Jedi Academy JK3 i guess then. i made the fly hack there :)
if they dont understand, then how comes they crash something ? and i would be happy too when some dumb server crashes.. one where admins are blind and dumb.

btw evan you missed the point. he asked whats the point of publishing it, not whts the point of making it. avp2 master server will go down soon, but im still ONLY one who knows how to crash servers. so when i go start crashing them..then there is NOTHING they can do about it. if i would let it out .. they would patch it in week or less. and yes ..in past i got mad on few servers and kept them down for week or so. Maybe Luigi is not so "Evil" hehe and thats why he publishes tools, so admins at least have chance to protect themselves.


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 22 Oct 2008 23:50 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
... jk3 and jk2 v1.02 are totally different... jk2 v1.02 and 1.04 are also very different.
what do u mean if they dont understand? all they need to do is press a bind that is preset by someone else


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 27 Oct 2008 22:38 

Joined: 20 Oct 2008 15:12
Posts: 7
Quote:
lol, that's a lame line :P


ok agreed.

Quote:
and i would be happy too when some dumb server crashes.. one where admins are blind and dumb.


no offence but whats ur age?

Quote:
but im still ONLY one who knows how to crash servers. so when i go start crashing them..then there is NOTHING they can do about it

ur asuming that the game developers are stupid, ofcource they can fix it when they aware and with good loggin u can still make a patch. there are numerous teoretichal hack in the loop but not all choose to make a application that uses this and make it public. but i do respect alugis coment "I'm 100% with the "full disclosure", no secrets and no lies" then i think i know where he is coming from.

and i play WET 6h everyday for past 4 years...


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 27 Oct 2008 22:58 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
if you talk about Enemy Territory (so not RTCW which is dead), it's one of the most supported closed source games based on the Quake 3 engine.
There are various fixes made just by the community like the combinedfixes.lua only to make an example and there are various open discussions about all the problems affecting the game and their solutions:

http://bani.anime.net/banimod/forums/viewforum.php?f=13

But I'm not in the community so, theorically, you should be already aware of all these informations moreover if you have a server.


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 27 Oct 2008 22:59 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Quote:
no offence but whats ur age?

no offence, but are you blind or retarded or both ? i have lots of videos on youtube and on my site...but i guess you too blind to see or too dumb to look.

Quote:
ur asuming that the game developers are stupid, ofcource they can fix it when they aware and with good loggin u can still make a patch. there are numerous teoretichal hack in the loop but not all choose to make a application that uses this and make it public. but i do respect alugis coment "I'm 100% with the "full disclosure", no secrets and no lies" then i think i know where he is coming from.

and i play WET 6h everyday for past 4 years...

im not assuming. i said admins are dumb and stupid. developers just don't care. do you always turn everything upside down ? first you should read and then post, not other way around.

there is big difference when i say that game server admins are dumb and stupid and that game developers don't care. They only fix bugs that are caused by themselves (some game function ..etc), but not exploits. well sometimes they do, but on 99% of cases they dont.


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 27 Oct 2008 23:57 

Joined: 20 Oct 2008 15:12
Posts: 7
im aware but not for jaymod (yet).

Sethioz i really stopped after last post to read ur posts so dont bother


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 28 Oct 2008 01:10 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Jaymod seems well documented and has various options but, except for sv_reconnectlimit and sv_maxPing (which could be used to limit the fake players attack) I have not seen an player per IP limitation... bad, moreover considering that it's closed source and it's last version has been released one year ago.
There is a recent nightly build but I Imagine you have already tested it.

If you can't limit the fake players vulnerability using the pre-existent options of Jaymod (or a combination of them) you should contact the developers of the mod through their forum or via mail.


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 18 Nov 2008 10:57 

Joined: 20 Oct 2008 15:12
Posts: 7
I have a additional question and thought i use this thread again.

What whould be required for a "script-kidd" (sorry could not resist my self) to fake the IP when using our tool. I remember i read something about that but being a bit lazy (and wanted to keep the disscussion on forum). I hope that you find time for this question.


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 18 Nov 2008 12:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
depends by the game and its protocol, in quake 3 is not possible to spoof the ip addresses because it's used a challenge response mechanism, if in the "connect" packet you don't send the exact number received after your "getchallenge" query the server doesn't allow you to join


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 18 Nov 2008 13:01 

Joined: 20 Oct 2008 15:12
Posts: 7
guess WET will do the same so i can at least be certain that the ip i see is the one they acutaly using.


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 18 Nov 2008 15:00 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
obviously I referred to the quake 3 engine, so yes, WET too.

if you are curious the function which handles the challenge-response parameter is SV_GetChallenge in code\server\sv_client.c.
it uses a buffer of 1024 entries and each one of them is assigned to a client IP address which has done the request.

the usage of 1024 entries assures also the elimitation of possible theorical bugs (that naturally I tested, but without success just for this reason) like sending at least MAX_CHALLENGES getchallenge requests for filling the array and avoiding other clients to join in the time elapsed between their getchallenge and the connect.


Top
 Profile  
 
 Post subject: Re: The point?
PostPosted: 21 Nov 2008 20:45 

Joined: 22 May 2008 23:57
Posts: 7
my 2 cents. my clan was subject to the fake players bug on our bf1942 server. we researched for a about a week until we figured out a way to stop it. all you have to do is google luigi's name to see that all he is doing is telling the guys that are making millions off of us gamers to fix your shit. just goes to show you that these big name gaming labels just care about money instead of a good product. how many times have you said "fix your shit" to a game because of hackers or something else; however, these million dollar machines like EA games do nothing to fix the holes.

i can honestly say that researching about all of this made me just a tad smarter about what is going on out there. i dont agree with making the stuff public, but its not for me to say. this is luigi's work and he can make the stuff public if he wants. you have to figure out ways to stop it. there are ways to stop the attack. anyway, just my opinion.


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 21 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: