
AntiCheat Update Considerations


giKoN


Dear TFP, Dear Players, Dear Fans,

 

After heading one of the most popular 7 Days to Die servers for nearly 5 years, I want to use this thread to hopefully get your attention on something which has recently become the ultimate game breaker for me.

 

This is not about any content that has been implemented into the game, about balancing, about PVP vs PVE. It is also not to discuss the direction the game is taking. 

 

This thread is to get your attention to focus on something which, unfortunately has not received any love in any of the recent updates: AntiCheat. 

 

Every server owner, whether PVE or PVP, knows that anticheat is something they will have to add to the server through one of the great mods/managers out there: OC's ServerTools, Prisma's CPM, Botman... But it is important to understand that each of those AntiCheat managers has to apply workarounds in order to detect hackers. E.g. god mode is detected through the buff "god". But of course every hacker knows he can just press escape, turn on fly mode and no collision to get the same result without the buff.

 

Why does this work? 

Assemblies are barely checked for their individual operations, while those operations mostly run client side only and the server does not get the necessary info in order to properly detect deviations. FlyMode is client side only, NoCollision is client side only. The worst part is, there are no back checks and the servers do not request updates to confirm states with clients.

 

I am writing this forum thread here now, after I have banned 15 accounts of the same hacker while having the maximum protection a server can have from server managers. By now, the hacker has buffed other players as he wished and caused bans against innocent players. Another server tonight has had its serveradmin.xml corrupted and emptied out. 

 

Thus, this is to get awareness that in its current state, this game can only be hosted with a password protected instance. And for me, after hosting a server for typically 1-2k players each wipe, this is breaking my motivation to keep hosting a server at all.

 

I am aware that Multiplayer is not your current focus, that max players is set to 8, that what we are doing with our massive multiplayer servers is stretching what you support for this game. And in general, this is fine by me. Whatever my players don't like, I have the freedom to mod, to rebalance, to alter. But in terms of cheating, there are currently more ways to alter the game for the client than there are ways to counter act.

 

Therefore, I would kindly request you to consider implementing a long overdue update to AntiCheat measures or at least implement further control variables for us, the developers of anticheat measures, to counteract.

 

I hope not to have stepped on any toes and hope that any poster after me does not turn this thread into a @%$#show. In the end, despite different opinions we all are here for the same reason.

 

Best,
giK

Lands of Anarchy EU

 

Server to stop operations after more than 6 years of hosting.

 


hello

 

I couldn't agree more, @gikon is absolutely right: the threat hackers now have, with access to the client side, is destroying servers, PVE AND PVP. This should be the #1 concern for the Pimps to address.

 

Hackers have figured out how to access commands to control a server client side, and it is such a threat that they now have the ability to ban whoever they wish and corrupt current admin files and permissions.

 

I've played this game over 19000 hours and never have I ever witnessed the threat from hackers being so great as it is now.

 

Something needs to be done soon because I too don't know how much longer I can maintain our current server as long as this threat persists.


1 hour ago, giKoN said:

 Another server tonight has had its serveradmin.xml corrupted and emptied out.

 

I have nothing to add or comment about the other stuff, but this is a different issue than EAC.

 

You really mean by that that the hacker changed the file serveradmin.xml on the servers disk, right?

 

I would guess this is not something you can do by circumventing EAC or getting admin rights in the game (or is it? Only a dev can answer conclusively but it would be very surprising that the server code has the ability to WRITE to the serveradmin file). For that you have to either

1) exploit a security bug in the server code or

2) brute force guess one of the server passwords.

 

In both cases updating EAC won't help. Second case is relatively easy to fix, reinstall machine to be sure and use better passwords.

 


6 minutes ago, meganoth said:

I have nothing to add or comment about the other stuff, but this is a different issue than EAC.

 

You really mean by that that the hacker changed the file serveradmin.xml on the servers disk, right?

 

I would guess this is not something you can do by circumventing EAC or getting admin rights in the game (or is it? Only a dev can answer conclusively but it would be very surprising that the server code has the ability to WRITE to the serveradmin file). For that you have to either

1) exploit a security bug in the server code or

2) brute force guess one of the server passwords.

 

In both cases updating EAC won't help. Second case is relatively easy to fix, reinstall machine to be sure and use better passwords.

 

As a client you can already interact with serveradmin.xml via basic commands: admin add, ban add etc. You can thus also send a corrupt netpackage to alter the serveradmin.xml in a way that it gets corrupted and regenerated fresh without entries, is my guess. This has not happened to me but to Grandpa Minion.

 

And since I already heard in a discord about how we should be happy that the game gets so many copies sold to that guy, please keep in mind that it is also possible to spoof steam id's on entry. So while his steam id might have changed, i doubt he bought the game 15 times. (Family share is not possible on my server so thats not the case).


57 minutes ago, giKoN said:

As a client you can already interact with serveradmin.xml via basic commands: admin add, ban add etc. You can thus also send a corrupt netpackage to alter the serveradmin.xml in a way that it gets corrupted and regenerated fresh without entries, is my guess. This has not happened to me but to Grandpa Minion.

I just checked and to my surprise console commands in vanilla change someone's status permanently, i.e. commands lead to serveradmin.xml being written. I take back everything I said previously.

 

It is a comfort feature, sure. But not something I would have done in TFPs place.

 

Naturally even a temporary privilege escalation on the server is serious.

 

You could make a bug report. Best would be to observe serveradmin.xml with a script so you can show exactly at what time the change happened and maybe the network traffic at that moment. But I don't know if the testers will accept a bug report from a heavily modified server.
 

57 minutes ago, giKoN said:

 

And since I already heard in a discord about how we should be happy that the game gets so many copies sold to that guy, please keep in mind that it is also possible to spoof steam id's on entry. So while his steam id might have changed, i doubt he bought the game 15 times. (Family share is not possible on my server so thats not the case).

Yeah well, some people make idiotic remarks when they have nothing else to say.


I have thought of making a bug report. But if anything deserves a reply of "works as intended", it is anything related to the server's incapability to verify netpackages and the client's status.

 

player.IsSpectator is a good example. Due to the fact that invisibility of admins needs to be pushed to other clients THROUGH the server, the servers have the ability to control for that attribute and ban accordingly. However, IsFlyMode is not reported to the server, IsDebugMode and IsCreativeMode don't exist, and IsGodMode does nothing either. Those are just the easy examples.

 

Here a quote from a guy who has spent even way more time than me trying to find loopholes to provide anticheat on the good side:

 

Think about it, the server retains data given to it by the clients. If the clients can upload whatever the @%$# data they want and the Pimps are not verifying the person uploading it, which they don't (I was warned about that), then they can technically inject data over the other clients.

 

And to be clear: the serveradmin.xml is not my concern. This is just the tip of the iceberg, while the fundamental issue is hidden below.


I also agree there needs to be a better system in place to stop those that want to ruin the fun for the 7 Days to Die players out there. There are a lot of players that enjoy the online experience of the game. People like this ruin it for everyone else and cause servers to shut down public access through whitelist only, passwords etc. This causes the player base to have a harder time joining a public server and, a lot of times, to lose interest in the game altogether.

 

I remember when I first started playing this game back in 2013, I shut down my server due to the overwhelming amount of hackers that would join at any given time. It was too much to handle. Now I use EAC and Botman to protect my server, but it sounds like even that isn't enough against people that really want to ruin it for everyone.

 

If you guys need my assistance in any way, don't be shy to reach out. I'm nowhere near as smart as the others in this thread when it comes to coding etc., but I am willing to help out in other ways if need be.



@deadbolt That's the thing a lot of players don't understand. For years hackers have existed, but server owners such as yourself have at least had an option made by the great modders in the community to help detect the hackers. A lot of the server owners, PvE or PvP, who have spent countless hours pouring everything they have into their server to try and maintain a safe and fair place for their community to play are what keeps this game going.

 

This problem is, in my opinion, the #1 issue; the Pimps' focus should be security atm. If they start to lose the massive communities some of these server owners such as yourself have built, the game is for sure heading in the wrong direction.

 

I'm not sure there is much you or I can do to fix the problem, as the issue has to be fixed by the devs. Allowing a hacker to overwrite data client side is not acceptable and puts every server out there at risk.

 

 


@giKoN I promise this is not some attempt to discredit you. Like I said before, I know with 100% certainty that it is your mod that has exposed the admin console to any player in the server, and not just in a little way: they have full access to everything an admin could do. See attached for proof.


 


@giKoN That's not me altering netpackages; I'd like to think that EAC would catch something like that, but that would be an issue as well, just like this one, that EAC should be catching. I am pretty sure whoever is wiping out the servers, avoiding bans and cheating as of recently is using this exact hole that your mod has exposed.


19 hours ago, Grandpa Minion said:

@deadbolt That's the thing a lot of players don't understand. For years hackers have existed, but server owners such as yourself have at least had an option made by the great modders in the community to help detect the hackers. A lot of the server owners, PvE or PvP, who have spent countless hours pouring everything they have into their server to try and maintain a safe and fair place for their community to play are what keeps this game going.

 

This problem is, in my opinion, the #1 issue; the Pimps' focus should be security atm. If they start to lose the massive communities some of these server owners such as yourself have built, the game is for sure heading in the wrong direction.

 

I'm not sure there is much you or I can do to fix the problem, as the issue has to be fixed by the devs. Allowing a hacker to overwrite data client side is not acceptable and puts every server out there at risk.

 

 

For sure, when I ran this game back in the day it wouldn't be uncommon to get a dozen hackers a day in your server, flying around in god mode and just causing absolute havoc on the server and all of its players. Luckily, we now have EAC and server managers to help prevent those issues, but from what @giKoN is saying it's not enough, as there are ways to bypass these.


Mod sent through PM to you @Roland. The mod is currently still under retained testing by 3 servers and thus not published open source. It is aimed to become merged into ServerTools to be part of the open source.

 

More generally in discussions today it was confirmed that the main issue is the handling of NetPackages of any kind. There is no need to ultimately narrow it down to my mod given that every client is able to use a far broader variety of netpackages to alter.

 

In July already I was warned by a Chinese admin (at least I hope his main focus when going through the code actually was to protect his server) with the following statement:

 

[screenshot of the quoted warning, not reproduced]

 

There is no verification of netpackages being valid, no verification of permission level and no verification that the netpackage sender's steam id matches the entity id, as far as I am aware.

 

@Prisma501 has verified on vanilla servers how clients can run any command as they wish by altering netpackages on a server they have no permission level granting them such access. In the irony of his case, it was enough to alter the "access denied" package sent by the server to the client, alter it, and have it run whatever the client wants to run. This, either through injection at the client itself with required EAC bypass or through using a proxy to alter the package before it reaches the game.

 

Given that vanilla has no checks for debug mode, spectator mode, creative mode and several others, this strips servers naked. 

 

 

 

 


Since the operating system is able to change any packet in flight, checking for steam id would not be enough anyway. Since the steam id isn't a secret, anyone can find out what the steam id of a server manager is and replace their own steam id with that of the admin in any package that sends a console command.

 

So the server has to either make sure that such commands are sent from an IP matching the steam-id or there must be a secret token present in such a command packet that identifies the player as the right one.


45 minutes ago, meganoth said:

Since the operating system is able to change any packet in flight, checking for steam id would not be enough anyway. Since the steam id isn't a secret, anyone can find out what the steam id of a server manager is and replace their own steam id with that of the admin in any package that sends a console command.

 

So the server has to either make sure that such commands are sent from an IP matching the steam-id or there must be a secret token present in such a command packet that identifies the player as the right one.

It matters for the validity of outgoing packages from the clients. From what I understand (and I would love it if more experienced coders would actually take their stance here), clients can send netpackages with spoofed entity ids and the server runs operations based on the entity id with no verification that it's from the steam id the package originated from.

 

In one example, a player was hit by another player and in return the attacker was banned for god mode. The returning netpackage from damage/health calculations seems to have been tampered with in order to apply god mode buffs on other clients. Given that the buff is our only indication that a client has debug mode, this is what most managers ban for.


Good evening, I am Arwen, admin of a PvP server for 18 months now, and I have had to face the threat of hackers and put a password on the server to protect the players (4 backups in two days). The hacker SpookTheStream, I have had him countless times, and I believe under all his nicknames lol. These hackers have become a plague for 7 Days to Die players. I have more than 8000 hours of play in 7 Days to Die and I admit that at the moment I no longer want to play. So I can only applaud Gik's post and give it my full support.
Cordially

 


 


2 hours ago, meganoth said:

Since the operating system is able to change any packet in flight, checking for steam id would not be enough anyway. Since the steam id isn't a secret, anyone can find out what the steam id of a server manager is and replace their own steam id with that of the admin in any package that sends a console command.

 

So the server has to either make sure that such commands are sent from an IP matching the steam-id or there must be a secret token present in such a command packet that identifies the player as the right one.

I recall running into this a lot in a16.


19 hours ago, arwen294 said:

Good evening, I am Arwen, admin of a PvP server for 18 months now, and I have had to face the threat of hackers and put a password on the server to protect the players (4 backups in two days). The hacker SpookTheStream, I have had him countless times, and I believe under all his nicknames lol. These hackers have become a plague for 7 Days to Die players. I have more than 8000 hours of play in 7 Days to Die and I admit that at the moment I no longer want to play. So I can only applaud Gik's post and give it my full support.
Cordially


 

@arwen294 Thanks for dedicating 18 months of your life managing this game on the PvP side, giving many players a place to play. Hang in there man, I know the last couple of days it has been verified this hack affects PvE, PvP, modded and unmodded servers. That's huge for a couple of reasons, but mainly it is now known the hack affects not just "PvP" servers but all servers. This gives me a lot of hope that The Fun Pimps will take a good hard look at this and resolve the issue very quickly.


For as long as Botman blocks all proxies I can imagine the exposure to the blatant hackers was reduced.
 

If, however, clean IPs or proxies not listed by Botman are altering packages, you won't know until they decide to do something obvious. And then you won't know if it's bypassing EAC (there are no EAC heartbeat checks), a cheap public hack which will get banned within days, or if it's altering packages passing through. The info is retained within the client.
 

Prisma has done the proof of concept on vanilla, he would be able to tell a lot more about the responses the servers get but unfortunately, well , you know.


Just keep in mind that most of the predictable packages can be altered to execute on the client. This is something which also makes anticheat tools like Botman or ServerTools potential delivery services, particularly due to their open source. This explicitly also includes my X-Ray Bot.

 

Servers will only be able to verify some of the packages to some extent, explicitly the packages which clients can use to spoof entity ids or buff other players. However this will require injecting into each of those to compare the entity id for validity against the steam ids / IPs of the sender. Hopefully not causing much performance loss.

 


The botman mod is currently not open source.  In any case if I am made aware of incidents for which I have logs (a bot connected to the server), I can investigate and code ways to block abuse.  I am not too worried if they can do that,  I can counter it.


I personally run 3 servers that have encountered thousands of unique players, and I have never seen this happen. 
I would love to see some evidence? This seems like an extremely trivial issue, which can be easily fixed with a simple script (if the issue even exists in the first place, that is.)


@Smegzor

 

try making your server send this to a client and check if you find the server getting a response against it:

_cInfo.SendPackage(new NetPackageConsoleCmdClient().Setup("dm", true));

 

This should be an easy proxy without altering client dll. In the end, it should be the same result. 

 

Regarding closed source I really would like to say something but in the interest of this topic i refrain from doing so.

 

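The thread's technical core is the claim that the server acts on the entity id and permission level it finds inside a netpackage (giKoN's points about spoofed entity ids and buffing other players) and meganoth's counter that even a steam id check is not enough, since the client's own OS can rewrite any packet, so the server needs a per-session secret. The following is an added example, not 7 Days to Die code and not anyone's mod from this thread: a toy dispatcher in plain Python that shows the naive handler next to a hardened one. The identity comes from the authenticated connection, the permission level from the server's own admin table, and each package carries an HMAC tag under a session secret plus a sequence number so a captured admin package cannot be replayed from another connection. All steam ids, entity ids, package layouts and the "console"/"buff" package types are constructed for the example.

```python
"""Added example, not 7 Days to Die code: why a server must derive sender identity
and permission from its own state rather than from fields in the package, and how
a per-session secret stops one connection from impersonating another.
Ids, levels and package layouts are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

ADMIN, PLAYER = 0, 1000          # serveradmin.xml style: lower level = more power


@dataclass
class Connection:
    steam_id: str
    entity_id: int
    token: bytes                 # per-session secret, handed to the client at login
    last_seq: int = -1           # highest sequence number accepted (replay guard)


def sign(token: bytes, pkg: dict) -> bytes:
    """Client side: authenticate a package with the session token."""
    body = json.dumps(pkg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(token, body, hashlib.sha256).digest()


class Server:
    def __init__(self, admins: dict):
        self.admins = dict(admins)   # steam_id -> level, the server-side source of truth
        self.conns = {}              # transport id -> Connection
        self.buffs = {}              # entity_id -> set of buff names
        self.executed = []           # (entity_id, cmd) pairs that were actually run

    def login(self, transport_id: str, steam_id: str, entity_id: int) -> bytes:
        conn = Connection(steam_id, entity_id, secrets.token_bytes(32))
        self.conns[transport_id] = conn
        self.buffs.setdefault(entity_id, set())
        return conn.token

    def _run(self, entity_id: int, cmd: str) -> str:
        self.executed.append((entity_id, cmd))
        return "ran"

    # Vulnerable: trusts the entity id and permission level the client wrote into the package.
    def handle_naive(self, pkg: dict) -> str:
        if pkg["type"] == "console":
            if pkg.get("level", PLAYER) <= ADMIN:
                return self._run(pkg["entity_id"], pkg["cmd"])
            return "denied"
        if pkg["type"] == "buff":
            self.buffs.setdefault(pkg["target"], set()).add(pkg["buff"])  # anyone buffs anyone
            return "ok"
        return "denied"

    # Hardened: identity from the authenticated connection, permission from the admin
    # table, and the package must carry a valid tag and a fresh sequence number.
    def handle_checked(self, transport_id: str, pkg: dict, tag: bytes) -> str:
        conn = self.conns.get(transport_id)
        if conn is None or not hmac.compare_digest(sign(conn.token, pkg), tag):
            return "denied"            # not signed with this connection's secret
        if pkg.get("seq", -1) <= conn.last_seq:
            return "denied"            # replayed package
        conn.last_seq = pkg["seq"]
        sender = conn.entity_id
        if pkg.get("entity_id", sender) != sender:
            return "denied"            # entity id in the package does not match the connection
        level = self.admins.get(conn.steam_id, PLAYER)
        if pkg["type"] == "console":
            return self._run(sender, pkg["cmd"]) if level <= ADMIN else "denied"
        if pkg["type"] == "buff":
            if pkg["target"] != sender and level > ADMIN:
                return "denied"        # only admins may buff other entities
            self.buffs.setdefault(pkg["target"], set()).add(pkg["buff"])
            return "ok"
        return "denied"


def demo():
    """Same attacker packages against both dispatchers; returns the outcomes."""
    srv = Server({"76561190000000001": ADMIN})                 # constructed steam id
    admin_tok = srv.login("sock-A", "76561190000000001", 171)
    evil_tok = srv.login("sock-B", "76561190000000002", 172)
    srv.login("sock-C", "76561190000000003", 173)              # victim, entity 173

    spoof = {"type": "console", "entity_id": 171, "level": ADMIN,
             "cmd": "ban add 173 1 year", "seq": 1}            # claims to be the admin
    god = {"type": "buff", "target": 173, "buff": "god", "seq": 2}
    self_buff = {"type": "buff", "target": 172, "buff": "beer", "seq": 3}
    legit = {"type": "console", "cmd": "dm", "seq": 1}

    naive = (srv.handle_naive(spoof), srv.handle_naive(god))
    srv.buffs[173].clear()
    checked = (
        srv.handle_checked("sock-B", spoof, sign(evil_tok, spoof)),   # spoofed entity id
        srv.handle_checked("sock-B", god, sign(evil_tok, god)),       # buff another player
        srv.handle_checked("sock-B", self_buff, sign(evil_tok, self_buff)),
        srv.handle_checked("sock-B", legit, sign(admin_tok, legit)),  # captured admin tag, wrong connection
        srv.handle_checked("sock-A", legit, sign(admin_tok, legit)),  # real admin
        srv.handle_checked("sock-A", legit, sign(admin_tok, legit)),  # replay of the same package
    )
    return naive, checked, sorted(srv.buffs[173]), srv.executed
```

The session token does not make the client honest (the attacker knows their own token); it only proves which connection a package came from, which is all the server needs once it looks up entity id and permission level itself. Packages that carry game state (damage, health, position) are outside this example: binding them to a connection prevents one client from writing another client's buffs, but the server still has to decide for itself whether the values are plausible.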
