PreedSwe

Hackers running wild, no way to stop them...


Up until network packets started being encrypted, we have logged ALL incoming packets to the game server to be able to catch hackers. Scanning logfiles for a function or classname etc. to see who sent the hack commands to the server worked flawlessly, and we have been able to ban pretty much every single hacker.

What about the battleye script detection? That solution is not very good, to be honest. It scans scripts on the client side, not what is actually executed and sent to the server. In order for that to work, you need to know exactly how the hack script looks, because (at least in our case) if we were to match for "setpos", "setdamage", "createvehicle", the logs would just fill up with legit commands that the mission uses, and it would be much, much harder to find the hacker (since we wouldn't know WHEN he actually executed the hacks).

So, I ask: would it be possible to somehow log incoming network traffic to the game server port? Or for server admins to choose if they want the network packets encrypted or not?

The hackers have already hacked the packet encryption so right now they have the advantage.

Preed / Urban Life Community


My advice is to make a private CIT ticket, or discuss possible solutions with $able (BE author) or Dwarden via PM/mail.


that's why anyone [esp. BIS devs] stop discussing Arma2/Arma3 netflow-specific with various/miraculous so-called online entities ["just pass-in-by"/"just asking for"-visitors], "working on server monitoring tools".

yes, dedicated and powerful IPS server can do that, for serious price :[

IPS w/DPI, heavily-tuned for Arma2 ? could skyrocketing gaming Arma2 online expenses way OFF


Logging network traffic never was a very effective solution as most script hacks could not be detected that way.

Anyway, rest assured that the problem is known to me and BIS and we are working hard to find a lasting solution to it. In the meantime you might want to check out DayZ's current scripts.txt, which is quite elaborate (thanks to Dwarden ;)).


Is there a way to prevent players bringing in their own scripts? BIS might implement this in a future patch...

Is there a way to prevent players bringing in their own scripts? BIS might implement this in a future patch...

No, they inject their scripts directly in memory.


$able: In order for a hack to work, it has to be sent to the server as a function. So if a hacker does something, it will be in the incoming network packets. Hackers can't inject scripts into the memory of the server, now can they?

This is an example of when a hacker spawned a bunch of cows with DSHkM's on their backs. Right after he did that, I went to check the traffic logs and it was quite easy to catch this person. All I had to do was type in "cow" in our web-based log scan script. "mordor" would have worked too or anything else you could have identified through what the hacker did.

31.205.XX.XXX:2304 -> 176.9.76.77:2302 if (1 == 1) then { vehtype = "DSHkM_Mini_TriPod_TK_GUE_EP1"; _dir = getdir vehicle player;_pos = getPos vehicle player;_pos = [(_pos select 0),(_pos select 1),0];_veh = createVehicle [vehtype,[_pos select 0,_pos select 1,15], [], 0, 'FLY']; vojtec_team = createGroup West; vehicle player moveInGunner _veh; _veh lock true; "Cow01_EP1" createunit (getpos player select 0), (getpos player select 1), 50], vojtec_team,"vojtec_unit = this", 1.0, "PRIVATE"]; _veh attachTo [vojtec_unit,[0,1.3,2.4; vojtec_unit globalChat "We Ride For Mordor"; deleteGroup vojtec_team; };

The fact is that the hacks and their scripting code change very often, and we don't have the time or access to go through all the hacks (some hacks have even been created specifically for our mission) to keep the scripts.txt up to date. So putting "vojtec_unit" in scripts.txt might have worked with that particular hack, but it won't work with newer ones. You can even type in your own script code directly in a textbox and execute it through processInitCommands. We would really need the ability to monitor functions sent from game clients to the server to effectively be able to catch hackers.

It would be ideal to be able to catch the hackers before they run a hack on the server, but as it stands, the most foolproof way to catch them 100% of the time is to do it right after they have sent the script commands to the server; they can never get around that.

@BasileyOne: This has nothing to do with server monitoring tools. The tools are already there (tcpdump, ngrep, or any other packet sniffer). It is about the packets now being scrambled. The hackers have already found a solution around that, so what's the point? I am just asking for an ability to unscramble the packets on the server side to be able to log it to catch hackers. A simple config option would be sufficient: scrambletraffic=yes/no.

The fact of the matter is that we have had more problems with hackers since packets started being scrambled than before, and by a lot.

/ Preed of Urban Life Community
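
The keyword search over packet logs that this post describes, as an added example (not the poster's web-based scan script and not code from the thread). It assumes one log line per packet in the "source:port -> destination:port payload" layout of the excerpt above; every address and payload in the sample is constructed.

```python
import re
from collections import Counter

# Assumption: each line reads "src_ip:src_port -> dst_ip:dst_port payload",
# the layout of the excerpt quoted in the post.
LINE_RE = re.compile(
    r"^(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) (?P<payload>.*)$"
)

# Constructed sample log: documentation-range addresses, shortened payloads.
SAMPLE_LOG = """\
192.0.2.10:2304 -> 203.0.113.5:2302 _veh = createVehicle ["MissionCar", getPos player, [], 0, "NONE"];
192.0.2.11:2304 -> 203.0.113.5:2302 player setPos [100, 200, 0];
198.51.100.7:2304 -> 203.0.113.5:2302 _veh = createVehicle [vehtype, _pos, [], 0, 'FLY']; "Cow01_EP1" createUnit [_pos, grp];
198.51.100.7:2304 -> 203.0.113.5:2302 vojtec_unit globalChat "We Ride For Mordor";
not a packet line
"""


def parse(log_text, server_port=2302):
    """Yield (source endpoint, payload) for well-formed lines sent to the server port."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m["dport"]) == server_port:
            yield f'{m["src"]}:{m["sport"]}', m["payload"]


def senders_matching(log_text, term):
    """Count, per source endpoint, the payloads containing `term` (case-insensitive)."""
    needle = term.lower()
    hits = Counter()
    for src, payload in parse(log_text):
        if needle in payload.lower():
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    # A command name also used by the mission matches legitimate senders too;
    # a term taken from what was seen in game narrows it to one endpoint.
    for term in ("createvehicle", "cow", "mordor"):
        print(term, senders_matching(SAMPLE_LOG, term))
```
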


PreedSwe, everything you said is true of course. What I meant is that you could pretty much only detect vehicle spawns and remote code execution that way. A hacker doesn't need either to wreak havoc (e.g. via "setPos" or "setDamage" being executed locally) on a server though. As I said, we are working on much better solutions.

But again, check out DayZ's latest scripts.txt. It contains many scans that detect script hacks without knowing specific unique strings.


@$able, is BE checking to see if script.txt is actually there and has not been tampered with? I recently read that admins that want to be able to run scripts on their own servers that are connected to the hive are messing with the script.txt and therefore are able to execute scripts without being detected.

I also posted this on the DayZ forum but I guess this is a better place to get some answers:

I've been wondering how Battleye actually works and what it actually does to prevent scripts being injected into DayZ/Arma 2.

As I understand it, Battleye starts when you join a game and while you are playing it does the following:

1. Scans your memory for software that is questionable.

2. Arma 2 calls BE and tells it that the user activated a script, BE sends the script to the server and then the server analyses the script based on a blacklist and determines if it's legit or not.

Once you disconnect, it unloads the battleye .dll.

So, my question is, why doesn't battleye scan the server logs? All scripts that are executed are logged even though battleye is bypassed, right? (the server gets the script from the user without battleye being the middle man or something like that?)

There must be some way to create a simple algorithm that scans the server log files and globally bans users that execute scripts, so even if users are able to bypass the battleye client they can't bypass the battleye that is on the server.

I might be completely off here but it got me wondering and if someone with a better understanding could enlighten me that would be great.

I also was wondering why battleye does not ask the server for the players' information and then compare it to the players that are connected to the battleye server; that way, if someone has bypassed the battleye client, it would not match the number of players on the server with the number of players with battleye running.

This might be a stupid question, but would it be possible to disable scripts on the server? Like adding an option to the server.cfg that enables/disables scripts being executed.

Logging network traffic never was a very effective solution as most script hacks could not be detected that way.

For me and a few other non-DayZ server owners, it was the only effective solution because the hackers constantly came up with new scripts, and if the person searching the packet logs knew what they were doing, 99% of hackers could indeed be detected and banned that way. While running the Takistan Life: Revolution server, I banned over 100 hackers using packet logs, and there were only two cases (2!) of a hacker who we couldn't catch. I believe that I could have caught them too if I had a more nuanced knowledge of Arma scripts and what exactly they were doing.

you could pretty much only detect vehicle spawns and remote code execution that way. A hacker doesn't need either to wreak havoc

True, but that is how the vast majority of havoc was wreaked.

Anyway, rest assured that the problem is known to me and BIS and we are working hard to find a lasting solution to it. In the meantime you might want to check out DayZ's current scripts.txt, which is quite elaborate (thanks to Dwarden ;)).

Thank you for that. I really look forward to being able to actively scan packet logs again though; it didn't just let us keep pace with hackers, able to catch them immediately when they had new ideas - it also let admins on non-DayZ servers, where teamplay is enforced, look at the history of the game in progress and catch griefers, teamkillers etc. by seeing who had particular weapons, who drove particular vehicles etc.

Edited by Zumbi

Do Battlefield and other games suffer the same amount of hacking?

Last I heard BF3 was getting hit hard, though it's been awhile so they may have fixed that. Regardless, that isn't a fair comparison as BF and most other games are not nearly as open and customizable as the ArmA series.

Last I heard BF3 was getting hit hard, though it's been awhile so they may have fixed that. Regardless, that isn't a fair comparison as BF and most other games are not nearly as open and customizable as the ArmA series.

Precisely. I'm not trying to make excuses here, but if you think that this is solely BE's fault you are missing something. Believe me, I'm working as hard as I possibly could.


Take your time and ban all the hackers for life !!!


If the community puts all confirmed hackers to BIS I'm pretty sure they will do something about it anyway, but proper evidence of this must be given I believe. They ban them from all BE products and it's good bye Charlie Brown.

The more we work together on this and give $able information the better we can combat this problem :)

Last I heard BF3 was getting hit hard, though it's been awhile so they may have fixed that. Regardless, that isn't a fair comparison as BF and most other games are not nearly as open and customizable as the ArmA series.

Hello there

BF3 was teeming with hacks and exploiters, whatever you want to call 'em. They pretty much ruined a little fun game.

Rgds

LoK

Take your time and ban all the hackers for life !!!

why SO serious ?

why you didn't trace them back to RL, grab some firearms and bang some brains then ?

point is: unless there is a robust way to ensure gaming environment consistency, there is always one way or another of exploiting or cheating.

p.s.

please post your favorite "they cheated in Arma2. now they all died ! mwhahahaha !"-videos on Youtube.

*grabs some pop-corn*


It's not just the hackers, it's the team killers and general game disruption, people destroying all the vehicles, others who shoot anyone not in their squad, I would suggest locking your servers and only giving out the PW to people you know on TS or people who can answer some Arma 2 trivia questions, till summer is over. They will get bored and move on.


well it's mixed stuff.

as some gamemodes, game mods and gameservers quickly become "asshole simulators", just like one over-promoted semi-official modification become [insisted not be "spammed" against by BIS personnel here in PM's], while other servers remain strictly based around team-based gameplay, co-operation and tactic/strategy.

so, "in short" it's nothing new and same in past days/games.

p.s.

just recently saw Gunny kicked/banned one of such kiddos after annoyingly-persistent stream of tk's and disruption/offenses under "for being asshole" by BEConsole.

Edited by BasileyOne

Logging network traffic never was a very effective solution as most script hacks could not be detected that way.

shenanigans

http://forums.bistudio.com/showthread.php?138544-HELP-hacker-destroying-all-units-at-once-Combined-Ops-warfare&p=2204617#post2204617

http://forums.bistudio.com/showthread.php?137868-ARMA-2-OA-beta-build-95417-(1-62-MP-build)&p=2200489#post2200489

can we get an answer?

Edited by Imago
please


§9) Do not cross-post

Do not post duplicate threads in more than one forum simply to get an answer quicker or to draw more attention to your post.

Maybe re-read the Forum rules.


thanks myke

and yes $able this is looking much better, thank you as well.

the trifecta is almost complete.


I hope you guys are successful in detecting and stopping those hackers and that it will result in a global ban for them. The public vanilla servers are a nightmare now. Those hackers are even advertising on the tube and making money off the hacks.


Yes, I too am fed up of having my games ruined. I work full time and have 3 kids, I get very little spare time, and if I am playing a game and I'm 1 hour in and a hacker ruins it, it's upsetting.

I hope more time and energy is budgeted on this issue.

Ahmed.

This topic is now closed to further replies.