Warning: composite reply to multiple posts.

On Mon, Aug 06, 2007 at 12:19:37AM -0400, Bill Balcerski wrote:
> Quozl had put some things on the todo list regarding this, namely some
> sort of handshake between client and server, but this is really out of
> my league to implement.

The two items in PROJECTS are:

- avoid sending SP_PSTATUS for newly logged in slots until after
  successful authentication.  Prevents attack via username [because the
  username is not made visible to the other players].  Prevents
  pre-registration attacks.

- avoid placing ship in game until successful client verification.
  [currently client verification happens just after ship begins flight]

There is also the latent player registration feature that is not yet
ready.  It lacks scripting.  Same kind of thing as various web sites;
you register by providing your e-mail address, and a token is sent back
to that address that lets you in.  It could be trialled for clue games,
and would have potential benefit of not requiring login.  Speedy
reconnect in case of bust.

> First pulsar, then meeper, and now warped will all be forced out of
> operation by complaints (or criminal behavior) from a vocal few.

This is nothing new.  I've had complaints or potentially criminal
behaviour from others on continuum.  The vocal few need to be ignored
sometimes.  At one stage I had to ask someone from caltech.edu to stop
logging in multiple times to get t-mode ... just to respond to some
really noisy vocal few who were making my life miserable with their
e-mails and in-game contacts.

On Sun, Aug 05, 2007 at 11:33:19PM -0500, John R. Dennison wrote:
> 	Perhaps you shouldn't have pissed off so many people over the
> 	past few years by your behavior.

Agreed.

> It is completely evident that this is personal; no other servers have
> been attacked except for yours.

I'm not so sure.  Continuum has experienced a possible denial of service
attack in the past month or two, just that I haven't been as open about
it as Bill has.  Did some patching on it tonight.

> 	Umm, pulsar was shut down by its admin, [...]

Agreed.

> 	meeper was asked to stop hosting useless bot servers that
> 	served no purpose.

Agreed.

On Sun, Aug 05, 2007 at 10:20:45PM -0700, ChronosWS wrote:
> Man asks for help, you lay into him, blaming him for the attacks.
> Nice.

More could be said, but I'm not sure it would help.  John is accurate
though ... Bill has contributed some great patches, for vulnerabilities
he discovered and made use of.  ;-)

> You could alter the server code so that slots are not assigned until
> the player has authenticated, which is the way it should be anyhow.

Yes, that's the essence of the registration system plus the two added
items at head of PROJECTS.

On Mon, Aug 06, 2007 at 01:27:26AM -0400, Mark Mielke wrote:
> Whether he pissed people off or not - it seems rather rude (if not
> criminal) to smack his server around.

I can't speak for the criminal law in that country, but I imagine
there's something that can be done, if it can be traced.

On the other hand, running a vulnerable application is stupid, Cryo.
;-)

> I would hope whoever was involved would find something more constructive 
> and mature to do with their talent and time.

Like teasing in school, the only viable solution is to not respond.
This whole thread will just make it worse.

On Mon, Aug 06, 2007 at 02:50:00AM -0400, Zach wrote:
> How does 1 person get control of thousands of unique IP addresses?

That is a trivial technical problem.  If you didn't believe it could be
done, you really need to get out more.  As a start, go read the
Wikipedia article on Botnets.

http://en.wikipedia.org/wiki/Botnet

-- 
James Cameron    mailto:quozl at us.netrek.org     http://quozl.netrek.org/
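The two PROJECTS items and the "slots are not assigned until the player has authenticated" suggestion describe the same gate: a connection should reveal nothing to other players, and put no ship in play, until it has passed authentication and then client verification. The following is an added illustration of that gate as a per-slot state machine; it is not netrek server code, and the names (slot_state, sp_pstatus_visible, may_enter_game, slot_advance) are hypothetical.

```c
/* Added example, not from the netrek server: a per-slot state machine that
 * decides what the server may announce about a slot and when its ship may
 * enter the game.  All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>

enum slot_state {
    SLOT_FREE,          /* no connection on this slot */
    SLOT_CONNECTED,     /* connection accepted, nothing trusted yet */
    SLOT_AUTHENTICATED, /* login (password or registration token) accepted */
    SLOT_VERIFIED,      /* client verification succeeded */
    SLOT_IN_GAME        /* ship has been placed in the galaxy */
};

struct slot {
    enum slot_state state;
    char login[16];     /* the username the first PROJECTS item protects */
};

/* PROJECTS item 1: a slot's SP_PSTATUS is broadcast only after successful
 * authentication, so an unauthenticated connection never exposes a
 * username to the other players. */
bool sp_pstatus_visible(const struct slot *s)
{
    return s->state >= SLOT_AUTHENTICATED;
}

/* PROJECTS item 2: placing the ship requires client verification, not just
 * a successful login. */
bool may_enter_game(const struct slot *s)
{
    return s->state >= SLOT_VERIFIED;
}

/* Only one forward step at a time; no stage can be skipped.  A disconnect
 * (back to SLOT_FREE) is allowed from any state. */
bool slot_advance(struct slot *s, enum slot_state next)
{
    if (next == SLOT_FREE) { s->state = SLOT_FREE; return true; }
    if ((int)next != (int)s->state + 1) return false;
    s->state = next;
    return true;
}

/* Number of slots whose status would go out in a broadcast: a flood of
 * half-open, unauthenticated logins contributes nothing. */
size_t visible_slot_count(const struct slot *slots, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (sp_pstatus_visible(&slots[i])) count++;
    return count;
}
```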