VPN/Proxy detection API

[xDefcon]

Hello, I'm the owner of the API that is used here https://github.com/RaidMax/IW4M-Admin/blob/18e30b22c664237412edeba6bc1c76490ff7f353/Plugins/ScriptPlugins/VPNDetection.js#L28

I've noticed this because a user that was trying to play BO2 was getting kicked because my API detected his address as a VPN. I don't know how he got my email but he contacted me to report this problem.

I don't know if who wrote this code contacted me to report that he was going to use the API in this script but if you want to do so please consider doing the following:

• Add a custom User-Agent header when making the requests (something of your choice like "IW4M-Admin")
• Provide a way for the server owners or players to report a false-positive detection to avoid problems like the one that happened before.

The first point is something I highly recommend because it's the only way I have to distinguish the incoming traffic from my API and avoid blocking it. Another reason is that during DDoS attacks that may occur, Cloudflare will block all incoming requests without a User-Agent header.

I've developed the API originally for a SinusBot script and lately I see many people using it also for other things (Minecraft, websites, Valve games, etc.). I only want to inform you that as long as someone asks me for using it I'm pretty fine with it and I ask to add at least a User-Agent for the reasons written above.

I also wanted to point out that the API has an hourly limit built-in that limits the requests each IP address can make without an API key. A key is something I give to many TeamSpeak servers that are large enough that they need more requests. Unfortunately I'm extraneous to this project so I don't know how BO2 and MW3 servers works, if they are privately managed or whatever, but i'm glad to know if there's something that I can do for the rate limit.

[Emosewaj]

Hello, I work as part of the support team of the Black Ops 2 and Modern Warfare 3 client in question, as well as for another client that also commonly sees this tool used. I was also the person that directed the user to your homepage ( https://xdefcon.com/ ), where your E-Mail address is publicly linked. Please note that I am not the person who created IW4mAdmin, nor a contributor to its code.

Firstly, thank you for reaching out to us. Your API has been incredibly helpful for the past years in stopping cheaters from using VPNs to circumvent IP bans.

---

I hope to be able to provide some extra information/context with this:

I also wanted to point out that the API has an hourly limit built-in that limits the requests each IP address can make without an API key.

A single MW2/MW3/BO2 server usually has a maximum capacity of 18 players, IPs are checked upon connecting to them, so for small-scale server hosters, this limit will most likely never be an issue, but for larger communities that host several tens of servers it might become one. From what I've seen over at this repository, it should already be fairly easy to contact you for a key.

I don't know how BO2 and MW3 servers works, if they are privately managed or whatever

The communities all self-host their servers (and IW4mAdmin instances), and there are no quasi-official servers hosted by the project developers.

[Ayymoss]

@xDefcon I believe I reported a few FPs to you directly on Discord or Email (not sure) but you may have been busy and never got around to it.

This was the Issue Tracker for implementation: https://github.com/RaidMax/IW4M-Admin/issues/25

Search for my name or Email (from around 2018) you should be able to find the issues I raised with you directly for FPs.

Note: I do remember asking you directly in 2018 if we could use it for IW4MAdmin and you didn't have an issue. Should be in the same email thread as above... I'm struggling to find our email/discord/etc threads anyway honestly, it was so long ago now. Hoping you have better luck.

EDIT: Nevermind, it wasn't Discord/Email, it was on Twitter, check your DMs from "@TheAmos123", you can see our past conversation regards to IW4MAdmin and the use of your API, and my questions about false positives.

[xDefcon]

@xDefcon I believe I reported a few FPs to you directly on Discord or Email (not sure) but you may have been busy and never got around to it.

This was the Issue Tracker for implementation: #25

Search for my name or Email (from around 2018) you should be able to find the issues I raised with you directly for FPs.

If it was Discord it's highly possible that I ignored it because it's hard for me to keep track of every message I recieve. I can't find any email matching "Amos" or "MrAmos123".

For the false-positives: I usually receive an average of 4 false-positive reports each month, which is something like the 0.00001% of the addresses that are checked every month. Please use my email to report them, I believe it is the best way to handle this as the low amount of reports instead of creating a dedicated endpoint to query an update for a specific address/block, which may be used for malicious/unwanted purposes as well.

I've checked Twitter: everything is fine but I didn't tell Amos to use a custom User-Agent when making requests, please do for the reasons written in the first post 👍

[RaidMax]

Thanks for writing. As @MrAmos123 wrote, this integration was implemented some time ago and appears to have been "approved".

Add a custom User-Agent header when making the requests (something of your choice like "IW4M-Admin")

This can be done easily. Although I would prefer something that identifies the individual instance as there is no global IW4MAdmin instance, but rather individual private run instances. Will most likely be something like IW4MAdmin-<InstanceGuid>

Provide a way for the server owners or players to report a false-positive detection to avoid problems like the one that happened before.

This software is provided as-is and integration with 3rd party APIs such as yours is at their own risk and discretion. I am not sure why they contacted you, as I have clearly stated in the readme and source code how to whitelist people locally and override the response from your API. In a system such as yours false positives are always going to be an issue, and I find dealing with it locally is faster and more efficient than putting the burden on the maintainer of the API. False negatives are where I would raise an issue with the maintainer of any API such as yours.

[xDefcon]

This can be done easily. Although I would prefer something that identifies the individual instance as there is no global IW4MAdmin instance, but rather individual private run instances. Will most likely be something like IW4MAdmin-<InstanceGuid>

This will be even better, I guess the InstanceGuid is something randomly generated that has no link to any sensitive information so it should be fine. All I need is a non null/empty User-Agent header with some reference to this project, it can be whatever you prefer.

I find dealing with it locally is faster and more efficient than putting the burden on the maintainer of the API. False negatives are where I would raise an issue with the maintainer of any API such as yours.

I find it easier too, the thing I recommend is to give the ability to edit the kick/ban message and tell owners to mention their email/discord to let the users report directly to them. I don't know if this is possible or already present.

[Emosewaj]

and I find dealing with it locally is faster and more efficient than putting the burden on the maintainer of the API

While generally correct, this means that every server will have to locally whitelist the player in question, meaning the player in question will have to individually contact the owner/administrators of every server they would like to play on, which I find is the exact opposite of fast or efficient.

[Ayymoss]

While generally correct, this means that every server will have to locally whitelist the player in question, meaning the player in question will have to individually contact the owner/administrators of every server they would like to play on, which I find is the exact opposite of fast or efficient.

The problem is if one or a few people are managing the API whitelist for every single server that leaves room for abuse (not saying xDefcon will abuse it, just saying one person or group having a "global whitelist" power may lead to abuse), or mistake. That said, asking xDefcon to manage all of Call of Duty's IP FPs is a job in itself and would be unfair to expect him to manage each and every single potential FP.

[RaidMax]

While generally correct, this means that every server will have to locally whitelist the player in question, meaning the player in question will have to individually contact the owner/administrators of every server they would like to play on, which I find is the exact opposite of fast or efficient.

Unfortunately that's the price to pay when you decentralize a system. It's the same way that each server must ban a cheating client rather than a global list. IW4MAdmin is designed for the individual server owner, not the individual client. Unfortunate for the client but a necessary evil to combat cheaters.

I find it easier too, the thing I recommend is to give the ability to edit the kick/ban message and tell owners to mention their email/discord to let the users report directly to them. I don't know if this is possible or already present.

Yep this already exists. I provide the documentation and tools necessary to properly address the situation but most server owners in the CoD community have no idea what they're doing and it's almost pure luck that they're able to get a server up and running haha. I can probably make it a bit more explicit though to help users caught in the crossfire.

[RaidMax]

Addressed with 3b459ac and f8530b0