Warning: composite reply to multiple posts.

On Mon, Aug 06, 2007 at 12:19:37AM -0400, Bill Balcerski wrote:
> Quozl had put some things on the todo list regarding this, namely some
> sort of handshake between client and server, but this is really out of
> my league to implement.

The two items in PROJECTS are:

- avoid sending SP_PSTATUS for newly logged in slots until after
  successful authentication. Prevents attack via username [because the
  username is not made visible to the other players]. Prevents
  pre-registration attacks.

- avoid placing ship in game until successful client verification.
  [currently client verification happens just after ship begins flight]

There is also the latent player registration feature that is not yet
ready. It lacks scripting. Same kind of thing as various web sites; you
register by providing your e-mail address, and a token is sent back to
that address that lets you in. It could be trialled for clue games, and
would have potential benefit of not requiring login. Speedy reconnect in
case of bust.

> First pulsar, then meeper, and now warped will all forced out of
> operation by complaints (or criminal behavior) from a vocal few.

This is nothing new. I've had complaints or potentially criminal
behaviour from others on continuum. The vocal few need to be ignored
sometimes. At one stage I had to ask someone from caltech.edu to stop
logging in multiple times to get t-mode ... just to respond to some
really noisy vocal few who were making my life miserable with their
e-mails and in-game contacts.

On Sun, Aug 05, 2007 at 11:33:19PM -0500, John R. Dennison wrote:
> Perhaps you shouldn't have pissed off so many people over the
> past few years by your behavior.

Agreed.

> It is completely evident that this is personal; no other servers have
> been attacked except for yours.

I'm not so sure. Continuum has experienced a possible denial of service
attack in the past month or two, just that I haven't been as open about
it as Bill has. Did some patching on it tonight.

> Umm, pulsar was shut down by its admin, [...]

Agreed.

> meeper was asked to stop hosting useless bot servers that
> served no purpose.

Agreed.

On Sun, Aug 05, 2007 at 10:20:45PM -0700, ChronosWS wrote:
> Man asks for help, you lay into him, blaming him for the attacks.
> Nice.

More could be said, but I'm not sure it would help. John is accurate
though ... Bill has contributed some great patches, for vulnerabilities
he discovered and made use of. ;-)

> You could alter the server code so that slots are not assigned until
> the player has authenticated, which is the way it should be anyhow.

Yes, that's the essence of the registration system plus the two added
items at head of PROJECTS.

On Mon, Aug 06, 2007 at 01:27:26AM -0400, Mark Mielke wrote:
> Whether he pissed people off or not - it seems rather rude (if not
> criminal) to smack his server around.

I can't speak for the criminal law in that country, but I imagine
there's something that can be done, if it can be traced. On the other
hand, running a vulnerable application is stupid, Cryo. ;-)

> I would hope whoever was involved would find something more constructive
> and mature to do with their talent and time.

Like teasing in school, the only viable solution is to not respond.
This whole thread will just make it worse.

On Mon, Aug 06, 2007 at 02:50:00AM -0400, Zach wrote:
> How does 1 person get control of thousands of unique IP addresses?

That is a trivial technical problem. If you didn't believe it could be
done, you really need to get out more. As a start, go read the Wikipedia
article on Botnets.

http://en.wikipedia.org/wiki/Botnet

-- 
James Cameron
mailto:quozl at us.netrek.org
http://quozl.netrek.org/