HerculesWS / Hercules

Hercules is a collaborative software development project revolving around the creation of a robust massively multiplayer online role playing game (MMORPG) server package. Written in C, the program is very versatile and provides NPCs, warps and modifications. The project is jointly managed by a group of volunteers located around the world as well as a tremendous community providing QA and support. Hercules is a continuation of the original Athena project.
http://herc.ws
GNU General Public License v3.0

Why not add MAC address support? #1734

Open Likeeit opened 7 years ago

Likeeit commented 7 years ago

We all know of the need for this in the emulator and how important it would be. Here's the question: Why not add MAC address support? NOTE: This was implemented here in Brazil, in an emulator that is a fork of Hercules. https://github.com/brAthena/brAthena/commit/d1ebe6dd5424bd92ec6bbd0e1b9ff033105f80f7

Helianthella commented 7 years ago

Mac addresses can very easily be changed, and nothing prevents a player from intercepting the packet in transit to change the mac address that is sent to the server.

It is IMPOSSIBLE to truly fingerprint a user. No matter what data you collect (i.e. IP address, email address, user agent) it can ALWAYS be manipulated. The only way would be to require the user to send you a copy of their birth certificate (but even this can be forged).

Many websites and applications use alternative means but they're not perfect either. Let's say you require a user to have a cellphone and you send them a confirmation SMS... well, there are services that can provide you with free phone numbers (i.e. magic jack, fongo, hushed).

Some try to discourage bad actors by requiring a small payment (i.e. less than $10), so large-scale exploitation would become costly, but this only deters, it doesn't prevent.

Some use time as a restriction, like requiring your account is at least X days old to do action Y. This is also problematic because the player could just set up a bunch of accounts, set them aside for a month, then use them. This only slows them down.

No matter what you do you will ALWAYS need to manually police your users.


https://en.wikipedia.org/wiki/MAC_spoofing https://en.wikipedia.org/wiki/IP_address_spoofing https://en.wikipedia.org/wiki/Internet_censorship_circumvention

sagunkho commented 7 years ago

If it is part of the login packet from the client, it should be handled by the server. But as @mekolat says, it is impossible to truly fingerprint a user.

Likeeit commented 7 years ago

Sirs, I believe you have misunderstood. What was said in the text above is true, but this should not be taken to apply only to the MAC, but rather to the whole system. Every system can be fooled, however good it may be; people may not find the way, but only because they do not know how to do it. The intention of adding the MAC is to have one more option to 'defend' against the abusers.

Helianthella commented 7 years ago

IMO the MAC address does not provide any additional protection, and opens the door to bad scripting practices that rely on user-submitted data (the packet can be forged) as a "security" measure

Asheraf commented 7 years ago

Also, the Gravity client does not support the MAC address, so this should be kept as a custom mod.

Likeeit commented 7 years ago

One option would be to add the MAC as an additional means of protection, where it would not have to be active by default, but would be at the discretion of each player to use or not, as he wished.

Helianthella commented 7 years ago

It offers absolutely ZERO protection

4144 commented 7 years ago

@mekolat in the RO world most protections work like this: they "protect" and "obfuscate" things in the client. On the other hand, this kind of protection can stop noobs.

About the MAC address: in Hercules there exists an SSO-like packet with a MAC address, but the MAC field is unused here. And I'm not sure whether any client can send this packet or not.

MishimaHaruna commented 7 years ago

@4144 The client can send the 0x0825 login packet (PACKET_ID_CA_SSO_LOGIN_REQ). I believe it's the main packet that kRO uses to log in, and the client sends it when using a korean langtype and isn't modified to re-introduce the legacy login screen. I believe the MAC field is set to zero in many cases though (or at least, it is when the client is run through wine - I don't have a windows machine equipped with a Ragnarok client to see how it behaves there). This makes the MAC field even more useless than it normally would.
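
The 0x0825 field discussed above, as an added example (not Hercules code and not from any participant in this thread): a small C program that extracts the MAC field from a constructed CA_SSO_LOGIN_REQ buffer, flags the blank field described in the previous comment, and shows that a forged value is accepted exactly like a genuine one, which is the spoofing point made earlier in the thread. The field layout (id, len, version, clienttype, id[24], t1[27], mac[17], ip[15], token) and offsets are my assumption from reading the packet handler, the packet buffers are constructed here, and the `build_sso_login`/`demo_*` helpers are hypothetical; verify the offsets against `src/login/login.c` before reusing any of it.

```c
/* Added example, not Hercules code. Layout of 0x0825 (CA_SSO_LOGIN_REQ) is an
 * ASSUMPTION: id(2) len(2) version(4) clienttype(1) id[24] t1[27] mac[17]
 * ip[15] token[...]. Check against src/login/login.c before relying on it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSO_LOGIN_ID   0x0825
#define SSO_MAC_OFFSET 60   /* 2+2+4+1+24+27 = 60 (assumed layout) */
#define SSO_MAC_LEN    17   /* "AA-BB-CC-DD-EE-FF", no NUL on the wire */
#define SSO_IP_LEN     15
#define SSO_FIXED_LEN  (SSO_MAC_OFFSET + SSO_MAC_LEN + SSO_IP_LEN)  /* 92; token follows */

/* Build a constructed login packet (hypothetical helper, not a real client). */
static size_t build_sso_login(uint8_t *buf, size_t cap, const char *user, const char *mac)
{
    const char token[] = "dummy-token";          /* constructed, not a real SSO token */
    size_t len = SSO_FIXED_LEN + sizeof(token) - 1;
    size_t ml = strlen(mac);
    if (cap < len) return 0;
    memset(buf, 0, len);                          /* version, clienttype, t1, ip stay zero */
    buf[0] = (uint8_t)(SSO_LOGIN_ID & 0xff);      /* packet id, little-endian */
    buf[1] = (uint8_t)(SSO_LOGIN_ID >> 8);
    buf[2] = (uint8_t)(len & 0xff);               /* declared length, little-endian */
    buf[3] = (uint8_t)((len >> 8) & 0xff);
    strncpy((char *)buf + 9, user, 24);           /* id[24], zero padded */
    if (ml > SSO_MAC_LEN) ml = SSO_MAC_LEN;
    memcpy(buf + SSO_MAC_OFFSET, mac, ml);        /* mac[17]; "" leaves the field all-zero */
    memcpy(buf + SSO_FIXED_LEN, token, sizeof(token) - 1);
    return len;
}

/* Copy the MAC field into a NUL-terminated buffer (out must hold 18 bytes).
 * Returns 0 on success, -1 if fewer bytes were received than the fixed part
 * needs or the id is not 0x0825. The declared length at offset 2 is client
 * data too, so bounds are taken from the bytes actually received. */
static int sso_login_mac(const uint8_t *pkt, size_t received, char out[18])
{
    if (received < SSO_FIXED_LEN) return -1;
    if ((pkt[0] | (pkt[1] << 8)) != SSO_LOGIN_ID) return -1;
    memcpy(out, pkt + SSO_MAC_OFFSET, SSO_MAC_LEN);
    out[SSO_MAC_LEN] = '\0';
    return 0;
}

/* Blank field: all NUL bytes (what the thread reports seeing under wine) or
 * the literal all-zero address. Anything else is just whatever the client
 * chose to send; there is nothing here the server can verify. */
static int sso_mac_is_blank(const char *mac)
{
    return mac[0] == '\0' || strcmp(mac, "00-00-00-00-00-00") == 0;
}

/* Returns 1 when a packet with an empty MAC field is detected as blank. */
static int demo_blank_mac_detected(void)
{
    uint8_t pkt[128]; char mac[18];
    size_t n = build_sso_login(pkt, sizeof pkt, "alice", "");
    return n > 0 && sso_login_mac(pkt, n, mac) == 0 && sso_mac_is_blank(mac);
}

/* Returns 1 when a forged MAC parses exactly like a genuine one: the server
 * cannot distinguish them, which is why the field is not a control. */
static int demo_forged_mac_accepted(const char *forged)
{
    uint8_t pkt[128]; char mac[18];
    size_t n = build_sso_login(pkt, sizeof pkt, "alice", forged);
    return n > 0 && sso_login_mac(pkt, n, mac) == 0 && strcmp(mac, forged) == 0;
}

/* Returns 1 when a truncated packet is rejected instead of read past its end. */
static int demo_truncated_rejected(void)
{
    uint8_t pkt[128]; char mac[18];
    size_t n = build_sso_login(pkt, sizeof pkt, "alice", "AA-BB-CC-DD-EE-FF");
    return n > 0 && sso_login_mac(pkt, SSO_MAC_OFFSET + 5, mac) == -1;
}

int main(void)
{
    printf("blank MAC detected:        %d\n", demo_blank_mac_detected());
    printf("forged MAC accepted:       %d\n", demo_forged_mac_accepted("DE-AD-BE-EF-00-01"));
    printf("truncated packet rejected: %d\n", demo_truncated_rejected());
    return 0;
}
```

The only check the server can make on this field that is not fooled by the client is the length check; the blank-field test is useful for logging (it tells you which clients never fill it in), not for access control.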

dastgirp commented 7 years ago

Maybe the status shouldn't be wontfix?

kRO records the MAC address if we use the kRO client to log in, and we don't even save the MAC for the 0x0825 packet.

MishimaHaruna commented 7 years ago

I don't believe the MAC address is of any use, but okay, since the field exists there, we can accept pull requests that handle it.

The reasons why I won't waste time on it unless a pull request comes are (summarized from the above):