Possible for a stronger ban system?

[kyle95wm]

I know we have a ban system of sorts right now for the DWC server but I was wondering if it could be made stronger by adding more identifiers to it because ever since we added acct create the ban system is just so easy to break. Perhaps a combination of IP+MAC+SN+userID+gsbrcd or anything along the lines of that would be effective however I'm not quite sure what else we could possibly ban

[AdmiralCurtiss]

I still don't quite see why we even need a ban system, but if you really need to, why not just ban by MAC + Game ID?

[AdmiralCurtiss]

Relevant: https://github.com/polaris-/dwc_network_server_emulator/commit/bf4f925d545c3786e658ff6d8c5e96d98da3ba64#commitcomment-10924393

[kyle95wm]

because that's one identifier. Why not ban by MAC+GAME ID+SN (probably not do-able since the DS doesn't have such a thing) and then userID (we already ban by that) then it would make the ban system a little stronger (more steps to bypass) but I do agree for a start perhaps bans should be MAC based but someone else should provide their input on this. @SMTDDR for example was in the process of making the initial ban system we use today and we both agreed that anything can be bypassed, but at least if we add more identifiers to ban by then it would slow the hackers down a little bit. I hope what I'm suggesting/saying makes sense

Now that we're on the subject of bans, I remember mentioning in https://github.com/polaris-/dwc_network_server_emulator/issues/115 about temporary bans. The idea is to click the "temp ban" button which will temporarily ban a person/console for an x amount of time. To be honest most of the people I ban are banned forever but I'm wondering if theres a practical use. For example if someone doesn't do anything really horrible (just some subtle hacking or maybe trolling) then they'd receive a temporary ban. It's just an idea and I don't expect for it to be implemented.

by the way do you happen to hang out on IRC? I drop by there sometimes but nobody is really there half the time.

[AdmiralCurtiss]

So wait, what exactly do you want to ban?

A combination of parameters? That would mean that all parameters would have to match the ban record for the connection request to be rejected. Means, we ban a MAC [00:11:22:33:44:55] + UserID [100], and both of those have to match to be rejected. Someone with MAC [00:11:22:33:44:55] but UserID [321] would still go in, as would someone with MAC [AA:BB:CC:DD:EE:FF] but UserID [100].

Or any of a set of parameters? That means that anyone with a MAC of [00:11:22:33:44:55] gets rejected, regardless of UserID, and anyone with UserID [100] gets rejected regardless of MAC.

The former seems more sensible to me to prevent false matches, but of course that also means that adding more parameters makes the system easier to circumvent. Your phrasing of "it would make the ban system a little stronger (more steps to bypass)" implies you mean the latter, though? I would not recommend that, unless we actually have unchangeable and fully unique identifiers, which I don't believe we do.

Either way, don't count on me actually implementing that, I'm not really interested in banning people.

[kyle95wm]

@AdmiralCurtiss fair enough I suppose although I should ask, is it possible to return any of the 2 standard error code (20101 and 20110) to banned users? I already gave it a shot but failed. @polaris- was telling me that most of that stuff should be done in the profiles server but I lack python so I wouldn't know what I was doing. Im asking if it can possibly be done so that banned users get an error code instantly while the rest of us don't.

I already know where that line is for the 2 error codes in the qr server FYI.

[ghost]

Send 20102 to the banned users, just like in the past in official servers.

[kyle95wm]

@Starlight-129 there was already a commit for error code 61020 but we need to figure out how to change the error number

[kyle95wm]

Okay so I managed to print the MAC address, console serial number and console friend codes to the admin page. Only thing I need to work out now is how ti implement this in a way where it won't affect DS users. In fact I plan on banning both MAC and BSSID for DS users but not sure how to go about this.

[kyle95wm]

https://github.com/polaris-/dwc_network_server_emulator/pull/145

[ghost]

I made a custom test server in local, and banned one of my DS. At the moment the ban system only ban WFC ID. To unban you have just to erase profile and reconnect again. We need a ban system that can ban Mac Adress for DS users.

[kyle95wm]

I was considering banning a combination of userID, gameID and MAC and the minimum since both 2 consoles have those 3 parameters and won't cause problems. However another thing we could ban for DS is BSSID. As @AdmiralCurtiss said either we ban all of those (only checks for the recorded MAC at the time) or we check if other identifiers are banned regardless of what the others may be (if for example the DS user tries bypassing the BSSID ban by joining a different network their MAC would still be banned)

[kyle95wm]

Okay so I've settled on banning a combination of MAC+GameID+UserID (but I need rot figure out how the server will keep said player banned even if 1 out of the 2 parameters are changed for example if someone deletes their wifi config on DS their userID changes to a new one so no matter how many times they delete their config they'll always be MAC banned)

Forgive my obsession on the whole banning thing but I'd like to see ALTWFC eventually get a good ban system at some point to make it more difficult (especially for DS users) to bypass. There is 1 more parameter worth noting and that is the bssid for DS profiles. Even if the banned player manages to get a new DS or hide their identity then anything on their wifi network will be banned from connecting. However there is no "bssid" parameter on the Wii so we're going to be looking at problems

Now back to what i was saying about MAC address bans, The MAC address values are stored in nas_logins but the ban check is written to check for the users table instead of nas_logins. Can anyone give me a few pointers on how to possibly implement this? All I need to do is add this info to the ban logic and we're set. Everything else (adding the table to the admin page to show the MAC of each user/profile) is done

[ghost]

I tested the new ban system on my NDS, there are something to improve : The NDS is just banned by IP adress, a banned user just have to spoof the IP to reconnect again. NDS need to be banned by Mac Adress too.

At the moment the NDS mac adress can't be spoofed easily : https://www.google.fr/search?q=NDS+Mac+Adress+Spoofer&ie=utf-8&oe=utf-8&gws_rd=cr&ei=q6lIVdqXB8n9UIrhgbgG

[ghost]

At the moment there's still no way to kick a disturbing player, so the user can continue to hack and will banned only the next connection...

[ghost]

When you click on the button "ban" in the admin page, the player should be kicked instantly from the server if connected.

[ghost]

I made some test, and it's confirmed : When playing, the game send constantly keepalive request to the gamespy_profile_server

If the gamespy_profile_server is down during gameplay, the game will show immediatly the error 91010.

Conclusion : If you kick a player from that server, the concerned player will imediately kicked with error 91010.

[SMTDDR]

Hmm, that is actually true. Never thought of that. At least for TvC, the GSprofileServer is a constant open connection for the entire time the game is online. If that connection breaks, the game goes offline within a few seconds. GSprofileServer already has the ipaddr, but does it ever see the gamecd/gameid? If so we can store it in the self.session object.

Then after this line of code we could query the banned table and close the socket. https://github.com/polaris-/dwc_network_server_emulator/blob/master/gamespy_profile_server.py#L157

EDIT: I'm actually pretty sure GSprofileServer at least sees the gsbrcd or the uniquenick which has the gsbrcd as part of its value. And the gsbrcd has the gameid/gamecd as part of its value. This is totally doable.

[ghost]

"At least for TvC, the GSprofileServer is a constant open connection for the entire time the game is online. If that connection breaks, the game goes offline within a few seconds"

That's that for all NDS/Wii games, i'm sure.

[kyle95wm]

Sounds interesting.

There's only so much SMTDDR and I can do for a ban system. Writing code to watch changes in IP+MAC is just a lot of work.

The only thing I can think of is somehow split the Wii's and DS's up into their own tables but that means even more code. So DS's have their own banned table with MAC's and their respective games.

[SMTDDR]

It's actually not too bad. I don't have an example network packet in front of me right now, but I suspect this is easily done and universal for all games. It's only a few lines extra after the command is assembled to get gsrbcd: https://github.com/polaris-/dwc_network_server_emulator/blob/master/gamespy_profile_server.py#L172

If I'm wrong about the packet though, then ....I'm wrong :p

[SMTDDR]

If nobody else does it, I'll try to throw together a PR for this within the next few days.

[kyle95wm]

I assume you want me to test on your server?

[SMTDDR]

Yup, at some point I'll will ping ya on IRC or twitter. If I really have to I can find my TvC game and test with it.... but.... meh, I'd rather not. :)

[kyle95wm]

I'll probably be on IRC most days and evenings and late nights. Just let me know when and I'll be on

[SMTDDR]

https://github.com/polaris-/dwc_network_server_emulator/pull/160