Official Everybody Edits Forums

Do you think I could just leave this part blank and it'd be okay? We're just going to replace the whole thing with a header image anyway, right?

You are not logged in.

#1 2018-03-04 22:01:27, last edited by BuzzerBee (2018-03-05 16:38:55)

Nebula
Guest

ee invasion worth 100%

CONTENT WARNING: Contains swearing

#2 2018-03-04 22:02:26

Snowester
Member
From: Mars
Joined: 2017-05-31
Posts: 640

Re: ee invasion worth 100%

Relax, it's over 2500

Offline

#3 2018-03-04 22:06:42

TaskManager
Formerly maxi123
From: i really should update this
Joined: 2015-03-01
Posts: 9,465

Re: ee invasion worth 100%

you know what is the most ridiculous part of all of this?
the fact that a random account can create a world with a campaign tag and hacked plays count. like, how retarded the coding of this game is supposed to be to make things like play count and campaign status of a world adjustable from client?


i8SwC8p.png
signature by HG, profile picture by bluecloud, thank!!
previous signature by drstereos

Offline

#4 2018-03-04 22:14:14, last edited by The 135 Guy (2018-03-04 22:17:52)

The 135 Guy
Member
From: England, UK
Joined: 2015-08-04
Posts: 64

Re: ee invasion worth 100%

Even better is the fact that showpath 'fixed' this last year when it happened before. It appears only likes and favs are fixed, or the spammer decided to set them to 0.
Don't forget that these worlds are also featured, and appear in the featured tab.

...I was gonna include a screenshot of that, but it appears that this happened 2ewoDEB.png
EDIT: actually that's a bad example since it only shows featured, but now, it doesn't load whatsoever and I can't get another screenshot.


BZ8z2l1.png
QUiiw7V.png

Offline

#5 2018-03-04 22:17:40

LukeM
Member
From: England
Joined: 2016-06-03
Posts: 3,009
Website

Re: ee invasion worth 100%

TaskManager wrote:

you know what is the most ridiculous part of all of this?
the fact that a random account can create a world with a campaign tag and hacked plays count. like, how retarded the coding of this game is supposed to be to make things like play count and campaign status of a world adjustable from client?

Not sure about this, but it might be due to how PlayerIO handles room creation, which would mean it's out of EE's control apart from maybe some hacky fixes.

Offline

#6 2018-03-04 22:21:05

The 135 Guy
Member
From: England, UK
Joined: 2015-08-04
Posts: 64

Re: ee invasion worth 100%

LukeM wrote:
TaskManager wrote:

you know what is the most ridiculous part of all of this?
the fact that a random account can create a world with a campaign tag and hacked plays count. like, how retarded the coding of this game is supposed to be to make things like play count and campaign status of a world adjustable from client?

Not sure about this, but it might be due to how PlayerIO handles room creation, which would mean it's out of EE's control apart from maybe some hacky fixes.

Actually EE can very easily fix this by monitoring what packets are sent on room creation, and blocking it if it has completely incorrect data to the pIO tables.
I mean come on, 667 million likes and a featured campaign shouldn't be hard to detect.


BZ8z2l1.png
QUiiw7V.png

Offline

Wooted by:

#7 2018-03-04 22:28:56

Nebula
Guest

Re: ee invasion worth 100%

The 135 Guy wrote:
LukeM wrote:
TaskManager wrote:

you know what is the most ridiculous part of all of this?
the fact that a random account can create a world with a campaign tag and hacked plays count. like, how retarded the coding of this game is supposed to be to make things like play count and campaign status of a world adjustable from client?

Not sure about this, but it might be due to how PlayerIO handles room creation, which would mean it's out of EE's control apart from maybe some hacky fixes.

Actually EE can very easily fix this by monitoring what packets are sent on room creation, and blocking it if it has completely incorrect data to the pIO tables.
I mean come on, 667 million likes and a featured campaign shouldn't be hard to detect.

using 667hack concidence?

#8 2018-03-04 22:32:29

LukeM
Member
From: England
Joined: 2016-06-03
Posts: 3,009
Website

Re: ee invasion worth 100%

The 135 Guy wrote:
LukeM wrote:

Actually EE can very easily fix this by monitoring what packets are sent on room creation, and blocking it if it has completely incorrect data to the pIO tables.
I mean come on, 667 million likes and a featured campaign shouldn't be hard to detect.

That's what I mean by hacky fixes. If PlayerIO doesn't have some room creation validation feature built in then there may not be an easy way to see whether the data matches the saved info other than adding some 'this doesn't seem right' checks, which people could just bypass by having less likes.

Offline

#9 2018-03-04 23:37:54

Tomahawk
Forum Mod
From: UK
Joined: 2015-02-18
Posts: 2,851

Re: ee invasion worth 100%

I thought the serverside could detect bot connections.


One bot to rule them all, one bot to find them. One bot to bring them all... and with this cliché blind them.

Offline

#10 2018-03-04 23:40:40

TaskManager
Formerly maxi123
From: i really should update this
Joined: 2015-03-01
Posts: 9,465

Re: ee invasion worth 100%

Tomahawk wrote:

I thought the serverside could detect bot connections.

it is impossible to perfectly detect any bot connections


i8SwC8p.png
signature by HG, profile picture by bluecloud, thank!!
previous signature by drstereos

Offline

#11 2018-03-04 23:56:59

LukeM
Member
From: England
Joined: 2016-06-03
Posts: 3,009
Website

Re: ee invasion worth 100%

Tomahawk wrote:

I thought the serverside could detect bot connections.

They could currently, but as soon as a check is put in place, people will find ways around it. Other games have had huge problems when trying to detect bots, as as soon as they find a way to do it, the botters change their bots so that it doesn't work anymore. I guess this is why so many games wait to ban people all at once, as they know that their method of detection will only work once, so they might as well ban as many people as possible before they can find ways around it.

Offline

#12 2018-03-05 00:06:41, last edited by XxAtillaxX (2018-03-05 00:55:16)

XxAtillaxX
Member
Joined: 2015-11-28
Posts: 4,202

Re: ee invasion worth 100%

Tomahawk wrote:

I thought the serverside could detect bot connections.

In theory, it's impossible. In practice, well, people are too incompetent to emulate.

[quote=TaskManager wrote:

you know what is the most ridiculous part of all of this?
the fact that a random account can create a world with a campaign tag and hacked plays count. like, how retarded the coding of this game is supposed to be to make things like play count and campaign status of a world adjustable from client?

LukeM wrote:

Not sure about this, but it might be due to how PlayerIO handles room creation, which would mean it's out of EE's control apart from maybe some hacky fixes.

It's very much possible to resolve through forcing those properties to be set server-sided. It's not complicated whatsoever, and the only excuse is laziness coupled with negligence, as it rarely occurs.

In addition, it's very much possible to prevent lobby spam like this as well, including automation involving IP evasion, with two relatively simple techniques.
1. You should force every user to join a single room, based on a random generated string, on a certain room type. They should have a token generated for them, and promptly disconnect them.

You can check the validity of the token by simply decrypting it server-sided. The only requirement is to specify an expiration date, which would effectively prevent it from being used to create rooms en-masse. The benefit is that you now have a decent way of logging the attempts without resorting to ugly, horrible BigDB hacks. Voila.

2. To prevent IP evasion from effectively rendering the above useless, force untrustworthy (i.e. new) registered users to fill out a captcha when they attempt to create new rooms. Optimally, you should have a flag set by moderators during a raid when this is to be enforced, as it's useless and irritating to newcomers otherwise. It's enough to degrade the attack to bearable levels, and eliminate speedy automated attacks.

It's been too long without a solution, and John hadn't figured it out within several weeks. I think it's worth implementing rather than resorting to IP-bans, as these children typically have no lives, and as amusingly terrible they are at launching attacks, the underlying issue should be resolved rather than relying on the patience of the staff to deter the inevitable nuisances.

It'd quite possibly break a few bots in the process, but they can easily update their software. It isn't complicated to implement.
You join a certain room based on a random generated string (prevents another attack I'm not going to bother diving into) and you obtain a token. When you CreateJoinRoom or whatever, you specify the token in the Dictionary<string, string> joinData most people set to null.

EDIT: You could do the token handling within the Lobby roomtype instead, as long as the latter attack vector is resolved. I PMed Mega Lamb about it not very long ago, as I did with NVD when he was owner. It's entirely up to them to have Player.IO address that vulnerability directly rather than attempting to implement hack-y workarounds for what should be an obvious solution.


signature.png
*u stinky*

Offline

Wooted by: (4)

#13 2018-03-05 00:35:08

LukeM
Member
From: England
Joined: 2016-06-03
Posts: 3,009
Website

Re: ee invasion worth 100%

^ (Can't quote, I'm on my phone)

I can't comment on the first solution as I've never used PlayerIO server side so I don't know what they have control over and what they don't

As for the first part of the second solution, how would you know whether or not the user should be given a token though? If I'm understanding this correctly then wouldn't it just push the problem one step back? You would yet again be left with the only solution being storing temporary data using BigDB wouldn't you?

The Captcha idea sounds like it should be a fairly foolproof way to prevent this problem though, although I would suggest that it should just be in place all the time (at least as a guest or when creating an open world) as it might not be the best idea to rely on a moderator being online and spotting the problem before it's too late.

Offline

#14 2018-03-05 00:48:23, last edited by XxAtillaxX (2018-03-05 00:50:59)

XxAtillaxX
Member
Joined: 2015-11-28
Posts: 4,202

Re: ee invasion worth 100%

LukeM wrote:

As for the first part of the second solution, how would you know whether or not the user should be given a token though? If I'm understanding this correctly then wouldn't it just push the problem one step back? You would yet again be left with the only solution being storing temporary data using BigDB wouldn't you?

The interstitial room would essentially log the requests for tokens, and would be able to effectively rate-limit them accordingly. If they don't have a valid token, they can't create rooms.

It's temporary storage for those requests per established connection, although it's entirely feasible to restrict abuse by storing the latest token generated in BigDB for that specific player (or on a per-IP basis.)

LukeM wrote:

although I would suggest that it should just be in place all the time (at least as a guest or when creating an open world) as it might not be the best idea to rely on a moderator being online and spotting the problem before it's too late.

You could.

I don't think it's a huge issue with catching the first instance of abuse, as long as moderator is online at the time. It's the repetitive and incessant attacks that are really annoying and could be dealt with.

I'd argue that it's likely a worse solution to force it by default for guests for normal worlds - it's rather annoying for newcomers and you could subject them to the rate limiting previously mentioned.
I suppose it's debatable, and depends on how much of a concern you place on preventing initial attacks in comparison to subsequent attacks.
I personally think it'd potentially detract from newcomer experience too much to be worthwhile having set as a default.


signature.png
*u stinky*

Offline

Wooted by:

#15 2018-03-05 01:14:27, last edited by LukeM (2018-03-05 01:28:51)

LukeM
Member
From: England
Joined: 2016-06-03
Posts: 3,009
Website

Re: ee invasion worth 100%

XxAtillaxX wrote:

The interstitial room would essentially log the requests for tokens, and would be able to effectively rate-limit them accordingly. If they don't have a valid token, they can't create rooms.
It's temporary storage for those requests per established connection, although it's entirely feasible to restrict abuse by storing the latest token generated in BigDB for that specific player (or on a per-IP basis.)

So the room would stay open while the player is online?
I'm not sure about this, but that sounds like it might be difficult to control from what I've heard about how rooms are treated (I should really look this up so I'm not just relying on rumours and common sense //forums.everybodyedits.com/img/smilies/tongue)

Edit: About the Captchas:
Well I guess it wouldn't need to be enforced when joining worlds that are already open as I don't think this could be used to do any damage, and it shouldn't need to be enforced for campaigns / featured worlds as there are only a small number of them, so even if they are all open at once it shouldn't be too much of a problem. I guess that just leaves joining worlds using a link, joining through a world portal, and creating open worlds. The first and third shouldn't be too much of a problem, as you wouldn't need to do them too often, but the second may be, although if it's not Captchad then it could potentially allow people to completely bypass the protection...

Offline

LukeM1520208867697847

Board footer

Powered by FluxBB

[ Started around 1735373249.775 - Generated in 0.065 seconds, 12 queries executed - Memory usage: 1.68 MiB (Peak: 1.9 MiB) ]