Luigi Auriemma

why make this app public ? it got to be heaven for script kids just do download and use this tool.
just hope that other devlopers make their games secure for this kind of lame attacks..

everything I do is public, included my proof-of-concepts and moreover for a type of bug ("fake players") which has been deeply researched and focused by me:

http://aluigi.org/fakep.txt

the good old fable of the "script kids"... do you know that today the most used program for compromising remote applications (cms and other web applications, practically the majority of internet attacks) is a web browser like Internet Explorer, Firefox and Opera?
Yeah just tools for script kiddies... blah

players_per_ip limitations are solutions taken more seriously today so seems just yes.

What I don't understand is, if these "attacks" are so "lame" (the idea behind the "fake players bug" is very simple and banal so I think this is the "lame" about you refer) why you are so worried?

oops..stepped on some toes..

well off cource im a crybaby that dont know cmd and yes been victim of it.

understand that all ur work is public and i respect that, just that the only tool i heard of is this q3fill and i spent some time to know what this is about as it infact happend to me. and then i found ur site and wips this noob that dont know cmd could flood servers (read my). guess that off all servers that got this shit happend to them most "script-kids" uses ur tool.

its in the nature of a online game that u accept incoming request but from legit request. and its in gaming nature that u gonna piss some 14year old player that know somewhat (google +cmd) then the uses this tool. not deeper understanding of ur work just they feel big (in my eyes that lame). but if u wanna help them give them a easier way to spoof ip so admins cant ban them?

well dont wanna be a dick and blame all evil on u :)

Sethioz:

well theres a u every where... of cource they care the developers, they do this work for the love of the game and enjoy that people play and like their game. but problem is that u have to make compremises between thinking security vs gameplay. time spent for solving ip_limit could been a nice new feature (simplyfied i guess).

script kiddies have ever existed and will continue to exist forever even if you write informations and stuff not for them or with other purposes, so the best way is just to ignore them, luckily the losers will remain losers for all the life so who cares.

You can't burn all the books of the world only because exist some people that apply in a bad way the information contained in them... I think this is something logical that any "normal" person already know so it's not needed that I repeat this.

sincerely I have not understood this question or sarcasm or anything else you had in mind

hard to ignore when they fill my 50 slot server that cost $80/month from my own wallet. and using a GSP its hard to make fw changes or things like that so i can only hope the developers of the mod makes updates to help protect. bit frustrating not to have any way of preventing this.
but still think there is a big step off showing the problem and make a public download that makes it very easy to use this bug.

I'm 100% with the "full disclosure", no secrets and no lies

YES! finally a topic on luigi's forum i can argue about :D


really?


well he does have a point, there is no actual point in filling a server other than not allowing some one to join...

sethioz, holy hell man, calm down lol


lol, that's a lame line :P

oh boy, you've never played JK2 1.02... if you play that, you might understand this guy does have a point in some way... noobs on there don't know how anything works, all they do is press a button and if it crashes they are happy

so uh person, what game is your server being "attacked" ?

... jk3 and jk2 v1.02 are totally different... jk2 v1.02 and 1.04 are also very different.
what do u mean if they dont understand? all they need to do is press a bind that is preset by someone else

ok agreed.



no offence but whats ur age?


ur asuming that the game developers are stupid, ofcource they can fix it when they aware and with good loggin u can still make a patch. there are numerous teoretichal hack in the loop but not all choose to make a application that uses this and make it public. but i do respect alugis coment "I'm 100% with the "full disclosure", no secrets and no lies" then i think i know where he is coming from.

and i play WET 6h everyday for past 4 years...

if you talk about Enemy Territory (so not RTCW which is dead), it's one of the most supported closed source games based on the Quake 3 engine.
There are various fixes made just by the community like the combinedfixes.lua only to make an example and there are various open discussions about all the problems affecting the game and their solutions:

http://bani.anime.net/banimod/forums/viewforum.php?f=13

But I'm not in the community so, theorically, you should be already aware of all these informations moreover if you have a server.

im aware but not for jaymod (yet).

Sethioz i really stopped after last post to read ur posts so dont bother

Jaymod seems well documented and has various options but, except for sv_reconnectlimit and sv_maxPing (which could be used to limit the fake players attack) I have not seen an player per IP limitation... bad, moreover considering that it's closed source and it's last version has been released one year ago.
There is a recent nightly build but I Imagine you have already tested it.

If you can't limit the fake players vulnerability using the pre-existent options of Jaymod (or a combination of them) you should contact the developers of the mod through their forum or via mail.

I have a additional question and thought i use this thread again.

What whould be required for a "script-kidd" (sorry could not resist my self) to fake the IP when using our tool. I remember i read something about that but being a bit lazy (and wanted to keep the disscussion on forum). I hope that you find time for this question.

depends by the game and its protocol, in quake 3 is not possible to spoof the ip addresses because it's used a challenge response mechanism, if in the "connect" packet you don't send the exact number received after your "getchallenge" query the server doesn't allow you to join

guess WET will do the same so i can at least be certain that the ip i see is the one they acutaly using.

obviously I referred to the quake 3 engine, so yes, WET too.

if you are curious the function which handles the challenge-response parameter is SV_GetChallenge in code\server\sv_client.c.
it uses a buffer of 1024 entries and each one of them is assigned to a client IP address which has done the request.

the usage of 1024 entries assures also the elimitation of possible theorical bugs (that naturally I tested, but without success just for this reason) like sending at least MAX_CHALLENGES getchallenge requests for filling the array and avoiding other clients to join in the time elapsed between their getchallenge and the connect.

my 2 cents. my clan was subject to the fake players bug on our bf1942 server. we researched for a about a week until we figured out a way to stop it. all you have to do is google luigi's name to see that all he is doing is telling the guys that are making millions off of us gamers to fix your shit. just goes to show you that these big name gaming labels just care about money instead of a good product. how many times have you said "fix your shit" to a game because of hackers or something else; however, these million dollar machines like EA games do nothing to fix the holes.

i can honestly say that researching about all of this made me just a tad smarter about what is going on out there. i dont agree with making the stuff public, but its not for me to say. this is luigi's work and he can make the stuff public if he wants. you have to figure out ways to stop it. there are ways to stop the attack. anyway, just my opinion.