OOC threats outside the game – how do you handle them?

Molly O'Hara
Posted: Fri Sep 29, 2006 12:12 pm

I thought we might discuss policies and practice about dealing with ‘rogue’ players, who threaten - or actually damage - your Mud from a perspective outside the game, i.e. ddosing, server attacks or hacking the shell. I suppose many of us who run Muds have been in these situations at one time or another, and it would be interesting to learn how other Administrators handle them.

For instance:
Let’s say you get a report from Player A that Player B had threatened on AIM to ‘shut down the mud for good’ if he didn’t get what he wanted in an internal power struggle in the game.

To line up the problems:

1. You obviously cannot buckle under to the threat, even if it is real.
If we started to let players get their way by threats, we could just as well shut down the Mud ourselves.

2. No actual threat has been uttered to the Admin.
It’s all hearsay, but supported by a log that looks convincing enough. Player B is known as a hothead and also has a reputation as a ‘hacker’. However, he could have been just venting, shooting off his mouth or bullshitting Player A – or Player A could be bullshitting the Admin.

3. Assuming the threat is real, could Player B actually do what he says he’ll do?
You may have taken all possible safety precautions, but even large companies with lots of money to put into data security seem to get attacked. So it might be possible, but would anyone really go through all this effort over an internal power struggle in a text mud, which they actually play and enjoy?

So, how would you deal with a situation like this?
KaVir
Posted: Fri Sep 29, 2006 1:08 pm

If I thought it was serious... I'd probably contact my mud hosting provider, letting them know about the threats and giving them the guy's IP address. Then I'd ignore him.
Molly O'Hara
Posted: Fri Sep 29, 2006 4:20 pm

The thing is, if this guy really is 'serious', he'll have access to multiple IP addresses. So how would telling the Mud hosting provider about one of them help? He most likely wouldn't use that in any case. He's not stupid.

This is one reason why banning might not be a good idea in those cases either. A certain type of player would react by doing anything possible to get back in the Mud again, probably using another alias. At least as long as they use their 'normal' identity, you know who you are dealing with.
Silverthorn
Posted: Fri Sep 29, 2006 9:12 pm

As a mud hosting provider, I have designed a script daemon that actually listens to the ports for this kind of thing. It was designed originally to prevent ssh exploits, but has been modified for ping, mail and ftp attacks as well.

To give you an idea of this attacker's worst nightmare, the script sits in the background like a daemon and listens to all the open ports on the server. If someone attempts to send illegal data or attempts to brute-force a login to any running service, the script kicks in and adds the offender's IP address to the server's firewall table. To make it interesting, it adds it as a 'drop' rather than a 'reject', thus sending the inferior data to never-neverland. After a period of one hour, if the attacker is no longer doing the attack, the script kicks back in and removes the original offender's IP address from the tables, thus cleaning up after itself.

We also have a hardware firewall only forwarding certain ports to the server as well, but at least the script makes sure that I haven't forgotten anything and actually cleans up after itself if an attack does ever occur.

-- M
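A sketch of the watcher Silverthorn describes, added here as an illustration and not his script: failed logins from one address are counted inside a sliding window, a DROP rule is recorded once a threshold is reached, and the rule is lifted an hour later so the table cleans itself up. The sshd-style log format, the threshold of five failures in sixty seconds and the iptables commands are assumptions; the sample events are constructed.

```python
import re
from collections import defaultdict, deque
FAILED_RE = re.compile(r"Failed password for .+? from (\d{1,3}(?:\.\d{1,3}){3})")

class BanDaemon:
    """Fail2ban-style watcher: N failures in `window` s => DROP rule for `ban_seconds`."""
    def __init__(self, threshold=5, window=60, ban_seconds=3600):
        self.threshold, self.window, self.ban_seconds = threshold, window, ban_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> epoch time the ban expires
        self.actions = []                   # firewall commands that would be issued

    def observe(self, now, line):
        # Feed one sshd-style log line with its epoch time; True if a ban was added.
        self.expire(now)
        match = FAILED_RE.search(line)
        if not match or match.group(1) in self.banned:
            return False
        ip = match.group(1)
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) < self.threshold:
            return False
        self.banned[ip] = now + self.ban_seconds
        # DROP rather than REJECT: the source gets no response at all
        self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")
        recent.clear()
        return True

    def expire(self, now):
        """Remove rules whose hour has passed, so the table cleans itself up."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")

# Constructed sample events (epoch seconds, log line), not from the post: one
# address hammering root every 10 s and one real user mistyping a password once.
SAMPLE = sorted([(t, "sshd[1]: Failed password for root from 198.51.100.7 port 4000 ssh2")
                 for t in range(1000, 1050, 10)]
                + [(1020, "sshd[2]: Failed password for molly from 203.0.113.9 port 5000 ssh2")])

def run(events, ban_seconds=3600):
    daemon = BanDaemon(ban_seconds=ban_seconds)
    for stamp, line in events:
        daemon.observe(stamp, line)
    daemon.expire(events[-1][0] + ban_seconds)  # one quiet hour later the ban is lifted
    return daemon
```

Running `run(SAMPLE).actions` yields one DROP insert and one matching delete for the brute-forcing address only; the single mistyped password never reaches the threshold.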
Kelson
Posted: Fri Sep 29, 2006 10:55 pm

Molly, telling the hosting company his IP doesn't do anything except give them advance notice (a flag for something like Snort). Since their business model centers around providing service, they will have invested money to combat threats from most script-kiddies (typical threatening players). More determined/skilled attackers may be able to access your files and/or disrupt your service. Deletion of files can be mitigated by periodic backups. Proliferation of source code can be mitigated by keeping the source code off the server (iirc, you have a development and a production server though, so you should already have that separation - though if the code is kept on the provider, under a different account, it could still be stolen). Service disruption falls under the responsibility of your provider, so I wouldn't worry about that (besides possibly checking over your mud code to eliminate obvious vulnerabilities like buffer overflows during login...)

- Kelson
Kelson
Posted: Fri Sep 29, 2006 10:58 pm

Silverthorn wrote:
As a mud hosting provider, I have designed a script daemon that actually listens to the ports for this kind of thing. It was designed originally to prevent ssh exploits, but has been modified for ping, mail and ftp attacks as well.

During the Symantec hackfest I participated in over the summer, one of the enclaves ran a similar script to quickly eliminate the red team address space. That never really stopped me, just a comment. As a mud admin, my greatest concern would be vulnerabilities inherent from the mud itself, not the provider (as I tried to indicate above - though a Nessus scan never hurts).
KaVir
Posted: Fri Sep 29, 2006 11:59 pm

Molly O'Hara wrote:
The thing is, if this guy really is 'serious', he'll have access to multiple IP addresses. So how would telling the Mud hosting provider about one of them help? He most likely wouldn't use that in any case. He's not stupid.

If he makes public threats about what he's going to do, then the chances are that he is pretty stupid.

But as Kelson pointed out, it's really just to give my hosting company advance notice about a potential problem. I know they already have measures in place to deal with such people, but I find it doesn't hurt to let them know if I'm expecting trouble.
Skol
Posted: Tue Oct 03, 2006 2:44 am

Molly, talk to Dale at Wolfpaw.

We went through this on Ansalon (and on the other Ansalon) when we were on Protollix (and the other Ansalon on Wolfpaw). Dale has developed very secure ways to deal with them effectively; it wasn't fun though, let me tell you.

There is a thread on TMC called Script Kiddies which deals with a large-scale attack of this very nature on both my mud and Jen's Ansalon.

PS. I forgot to write back, ad deadlines have been insane. I've moved the page and we do want to be listed on the site if it's still open.

Best of luck with the toolshed threatening DDOS, it's no fun to deal with.
Zephen
Posted: Wed Oct 04, 2006 11:28 pm

The situation Molly has posed is quite the tricky predicament.

On the one hand, you've got some real turmoil for the host and your MUD, but on the other hand there is the point of pushing the envelope. Next thing you know anytime they have any problem whatsoever the hint is dropped out.

Kelson mentioned a good method for reducing hacking exposure in storing the code on a separate, relatively unknown server whilst the MUD itself with executables and needed files is on the main server. The person mentioning the scripts might be able to deter or prevent some of the more amateurish script kiddies, but as Kelson mentioned, it's really no deterrence to someone that *really* wants to take you down.

A few years back I infiltrated a group of script kiddies who were threatening to take down a MUD I quite enjoyed playing and got a real feel for what they did. Some would just use trojaned windows boxes through an IRC channel using scripts that were freely available online. True script kiddies you could say. But others actually hand code their own custom interfaces with all sorts of old vulnerabilities that are out there. A recent report I recall reading stated that the problem with computer security these days isn't the zero-day exploits, but the several year old ones that people have forgotten all about. A lot of boxes are used this way.

There are a couple of kinds of DDOS (although someone more pedantic may have other terms for them) and both are rather bothersome. One works by overloading the line, the other by completely overpowering it. Tempting someone that actually has the bandwidth to overpower your line wouldn't be too good, because that can cost you rather insane bandwidth bills. Thankfully, that's a bit less likely than the average MUD player might have.

It's really a hard judgement call to make. I haven't had to deal with the issue on my own MUD, and when I dealt with it for another I was thankfully an "unbiased party". I manually removed the exploits from each of their hacked boxes while they went away for a few days. They came back and assumed the boxes had just been discovered was all. They were corporate machines.

There's really no wrong way to make the call here, and as you've said it's a bit of a balance. My own method would have to depend on the reasoning behind the threats and any other information I could gather. Politely hearing them out alone might be enough to end the tension, even if you do disagree with them in the end. Then again, if it is purely a power grab, it may just be best to ignore them or make the game less pleasant for them so they leave. Being outright hostile is likely unwise, but in my experience people generally won't attack unless otherwise provoked.
Good luck.