Now troll can use cheats? +other serious problems

[squiblez]

For months now I've been trying to combat this damn troll(I have a dedicated server that I run various instances of Zandronum on)

Lately I've had a Metroid Dreadnaught + Brutal Doom Starter pack server going and sometimes it's pretty fun, other times people who play are victimized by a troll who connects via VPN and can rapidly change his IP between bans, uses some kind of weird glitch to break the game at the end of each level and usually causes everyone to disconnect, and as of tonight I noticed he was able to engage noclip(saw the notifcation "mrsix is a cheater: No Clipping Mode ON" which was kind of disheartening after I went to the server and checked, sv_cheats was FALSE)

And just a few seconds later(less than a minute into the level) the intermission screen appeared, and every time anyone pressed E to ready-up, all we could hear was the demon pain sound playing before some other strange sounds started looping, and it would not continue to the next level, eventually disconnecting everyone(including me, connected to the server via LAN).

I've seen things extremely similar happen on other servers(I think someone else even made a post about it). This is getting out of hand and it's impossible for me to host any games or servers, which is extremely disappointing considering I've been working hard at making a DM map WAD for a few days and I was excited to put it out there. I've been viewing the logs on all of my servers quite frequently since this began, and it happens shortly after the server gets busy(2+ players) as if someone is watching for active games to harass.

To top it all off, he immediately impersonates another play, so kicking or banning him will do the same to the player he impersonates. And no matter how hard I try, banning all of his IPs doesn't seem possible, and ends up populating the ban list with legitimate players.

Something desperately needs to be done.

[Ru5tK1ng]

Sounds like he is using the delightful custom client to somehow use an injection exploit. I recall that there have been some measures to prevent this in 3.0, but I'm not 100% sure on that. So, we'll have to wait for a dev to comment on it.

[Combinebobnt]

https://github.com/AlexMax/zanproxy save your server

help where is 3.0

[Razgriz]

Can you supply a demo of this happening? Also which wad combinations are being targeted by this? Is it brutal doom + metroid dreadnaught only?

[Lollipop]

This seems to be a problem that has been increasing in severity lately. It would seem as if someone has a vendetta on this port for some reason, and wants to kill it by making the use of it a painful experience.

Maybe proxy connections should be disallowed by servers as a built in feature and as the standard setting? This could also come with a proxy IP whitelist, in case some players need to connect with a specific proxy IP for some reason, even though I can't figure out why that would be myself.

Also, injection exploits? Sounds quite bad to me, it seems strange to me that the scope of the usage reported here would be the maximum extent of its usage. If 3.0 counteracts this, then it should be put to use ASAP despite lack of testing. Using 2.0 while this problem persists could be a security issue for hosts, of course depending on the maximum potential of this injection exploit.

[Torr Samaho]

That sounds pretty bad. While 3.0 should take care of the impersonation problems, I'm not aware of any cheat injection exploits in 2.1.2, so there are no fixes for this in 3.0. As immediate action, you could change your server to the latest 3.0 beta build (we can make a new one soon as the last official one is already quite old) and see if these exploits are still possible in 3.0. If so, we need to investigate what exactly the troll is doing. In the worst case, you'll have to log all incoming client network packets and send them to us so that we can analyze what's going on.

[squiblez]

That sounds pretty bad. While 3.0 should take care of the impersonation problems, I'm not aware of any cheat injection exploits in 2.1.2, so there are no fixes for this in 3.0. As immediate action, you could change your server to the latest 3.0 beta build (we can make a new one soon as the last official one is already quite old) and see if these exploits are still possible in 3.0. If so, we need to investigate what exactly the troll is doing. In the worst case, you'll have to log all incoming client network packets and send them to us so that we can analyze what's going on.

I've had 3.0 suggested to me before but I've been reluctant to use it because it would make it harder for everyone else to join wouldn't it? requiring them to download and point Doomseeker to the 3.0 executable(which they'd have to change again to play on other servers) correct? Would kind of deter people from playing in the first place.

Although in all reality I've used it before(LAN with some friends). I guess for now I need to try it and just see if anyone plays.

Can you supply a demo of this happening? Also which wad combinations are being targeted by this? Is it brutal doom + metroid dreadnaught only?

Unfortunately I don't have a demo, and he seems to primarily target the BD Starter Pack + Metroid server, because shortly after another server of mine had a few people(including myself) on it, I kept a NoMachine connection open on my laptop to watch for weird traffic or problems(usually you can tell when a player is a troll because they login as Player and swap nicknames very quickly) and nothing even remotely suspicious happened.

https://github.com/AlexMax/zanproxy save your server

Thanks I'll give that a shot.

[Torr Samaho]

I've had 3.0 suggested to me before but I've been reluctant to use it because it would make it harder for everyone else to join wouldn't it?

Yes, the automatic testing feature has to be enabled in the launcher, but that should just take a few clicks and is available in both Doomseeker and Doom Explorer.

[grrfield]

i tried the solution from AlexMax, but i get the following:

zandronum logs:

Code: Select all

Connect (v2.1.2): 71.83.197.219:15210
twitchy has connected.

Later on he changes name to "Dinamo" and starts trolling

My zanproxy log has the following line though:

Code: Select all

2017/01/31 22:49:51 71.83.197.219 is greater than or equal to MinScore, added to banlist. (1.000000 >= 1.000000)

and indeed, checking the banlist.txt:

Code: Select all

71.83.197.219:You have been banned on suspicion of proxy use.  If you believe this is in error, please contact the administrators.

but he did not get removed from my server by zandronum. What went wrong?

[mifu]

Can i ask if this happened on any of the TSPG servers? And if so, do you remember the port number or host name?

[grrfield]

Mifu,

Was this question destined for me?

I had problem posting my message the first time, because i got "bad format error" or something like it. I had to reproduce my post but forgot to repeat an essential part, like describing the situation at hand.

Well, in either case. I'm running a "cluster" of four zandronum-servers on a raspberry pi3 (really?, yeah really - does it work? depends on the wads). It is unrelated to TSPG.
Question: do they use "zanproxy" on TSPG-servers?

[mifu]

Nah it was not, it was for the OP. but thats ok, we have the same problem also which we are trying to work out. Also it does however it seems to not work half of the time because of how many request the zanproxy checks out since tspg can get alot of traffic. We are still working things out.

[grrfield]

mifu,

Does not seem that zanproxy is missing requests (see my example). The ban just gets not executed. I dunno zilch about the internals of Zandronum nor zanproxy though.
Should zanproxy be executing the ban, or should Zandronum do it, based on the information in the banlist.txt. Imho Zandronum is not refreshing its banlist automatically,so it fails to execute the ban. I can be totally wrong ofc, since I lack knowledge about zan and linux in general.

[Dark-Assassin]

Make sure your server's banlist is the same one that zanproxy prints to

[grrfield]

Thank you for the suggestion. That could indeed have been possibility, but i checked it. Anyway i have another problem with the banlist.txt. When i add a ban through console, the ban gets effectively added to the file. If i look at the banlist, there is a blank line between the last line and the ban i just added:


ban1
ban 2

ban just added


When i shutdown "a" server and i start a new one, the server seems to get stuck when parsing the banlist.txt file. It just keeps hanging there forever.
Consequently, i shut down this server, cause not working. Next I remove the blank line:


ban 1
ban2
ban just added


I restart the server and voila, everything is working like it should be. Strange thing is that i never heard anyone complaining about this...This worries me though, since the server is not able to reparse the information in the banlist.txt afterwards, resulting in zanproxy not working. That is ofc just my impression.

[squiblez]

Can i ask if this happened on any of the TSPG servers? And if so, do you remember the port number or host name?

I don't recall the specific servers I've seen it happen on(around 20 or so?) over the last few months, but I'm going to be keeping a closer eye on things and have started recording demos on every play session. If anything happens I'll let you know.