Anti-bot protections

[roothorick]

A recent IRC discussion (okay, I admit, it was mostly a monologue) got me thinking about bots and preventing botting. Anti-bot measures have frequently gotten on my bad side because they are typically a) easy to defeat b) unreliable (large numbers of false positives). Here's what I have on my mind:

On the server-side there would be an authentication daemon that has a database of correct checksums for a selection of approved PlaneShift client binaries (one for each supported OS/arch combination and possibly a few more for e.g. working around strange Linux distros). There would be a client side unit that takes checksums of the running PlaneShift binary as well as itself, sends that to the server over an encrypted connection, and then monitors the running program space for code injections from e.g. a debugger. (The exact mechanics of that depends greatly upon the OS. On Linux, we're probably talking about ptrace()ing the PS client and sounding alarms if the trace gets broken.)

Every time an account is created it would be assigned a private key. When a client logs in with an account it hasn't logged in with before, a unique compilation of the client side unit is generated on the fly and downloaded by the client. The account key is embedded in the client side auth unit in such a way that no automated process can extract it (probably by placing fragments of the key at completely random offsets, combined with some evil assembly tricks). The client side auth unit then establishes an encrypted connection with the authentication daemon, using the account's private key as the encryption key for the cipher of the connection itself. This connection stays active as long as the PS client is open, and has a heartbeat going. The PS client is kicked if the auth client stops responding or reports an anomaly (which requires the whole handshake to happen again next time they login).

If that's not enough to stop bots, we can start adding things on to the client, like scanning the system's hardware registry for known bots (a bit tricky on Linux since hardware information isn't all in one place) and searching the process list for suspicious programs.

Here's some rationale:

a) The client auth unit is specifically keyed to accounts for a reason -- if all clients had the same key, or randomly generated keys, it would be trivial to develop a distributable version of an exploit that could be used on any account. But if the auth client is tied specifically to each account, then the exploit must be hand-crafted for each account it will be used on, making it impossible to distribute, and completely shutting down script kiddies who are the real botting abusers. (Trust me, those yokels have never done any real work in a disassembler, and wouldn't be able to even begin hunting down an obfuscated key in x86 bytecode.)
b) The connection is encrypted for a reason -- if it was plaintext, a proxy could easily manipulate the checksums being sent to be "right". If it's encrypted using a key that is obfuscated in the binary, you could IN THEORY spend hours in a disassembler hunting down all the pieces of the key throughout the binary, brute force the right order, and then write a proxy that uses that to change the keys in it on the fly, but at that point, you're investing a MASSIVE amount of time and effort just to get a little automation going in a free MMORPG. And if you use a decent enough cipher, brute forcing the key directly from packets sent in the authentication would take literally years, and even if it does become a problem, you can make the account private keys time out.

The main drawbacks I can see:

a) Linux users will be required to use precompiled binaries. It's simply impossible to account for all the different possible compiler results and dynamic libraries and etc etc. that can result from compiling from source. But hey, if id Software and Epic Games can make binaries that'll run on any modern Linux distro, so can the open source community.
b) On the same token, people won't be able to bugger around with the sources to add features and run those features on the main server. For this reason you'll have to run a secondary "developer" server that will take any client that speaks the protocol.

[Ralleyon]

An interesting proposition all in all, but there's something in it that scares me:

If that's not enough to stop bots, we can start adding things on to the client, like scanning the system's hardware registry for known bots (a bit tricky on Linux since hardware information isn't all in one place) and searching the process list for suspicious programs.

I honestly don't want anyone snoop in my computer, for any reason whatsoever. Linux gives me the possibility to control my software and I don't tend to give up my freedom. If I have to choose between that and an anti-cheat program, I'll drop PlaneShift in a heartbeat. No regrets.

And of course, add the drawbacks you already mentioned, well.. all this tends to be a show-stopper for some folks. You know... too little security and you get problems with bots, stolen accounts etc, etc. Too much security and you may be taking away the freedom of the individual users by "forcing" some policies onto them.

But again this is just for the big minus points. There are a lot of good ones in what you described as well. 

[roothorick]

Someone on IRC just pointed out that I'm kind of implying there's a botting problem in the first place. That wasn't my intention. I just had a brainstorm and felt like getting it on forum. That's all.

Ralleyon: I understand your concern, and there really isn't a lot that can be done about it. If it's any consolation, the authentication daemon and client unit (sans keys) would be open source along with the rest of the PS code. And it would be possible for the server maintainers to take submissions of user compiled binaries to be inspected and then add them to the database. (The question is of course if the maintainers would have the time to inspect your binaries. There's an argument about the human factor and clever macro hiding too.)

[Zwenze]

There is another draw back. Encrypting a single connection is fine. Modern cpus can handle that load easily. But if the server has to handle 200+ encrypted connections there will be a considerable amount of additional load. I dont know if the cpu of laanx is idling around most time ( I guess not ), but handling 200+ encrypted connections at once will worsen the server situation a bit more -> more lag and so on.

Another sort of bot protection is gm's looking around if characters behave bot like and if this is the case try to start a nice chat with them. Forcing all players to execute unknown code to play PS is a big step. And creating code for all plattforms out there is not that easy. Adding a c compiler to the PS distribution might solve the problem.

As far as i can tell the only places where a bot would be beneficial would be at mining.  How about using some sort of captchas? GMs should be able to check failure rate of the players and should take actions (chat to the player/bot e.t.c.).

Kind regards
Zwenze

---------------

"Hello, here is GM Joe. I hope you have a nice time playing PS. How is the mine today?"
-> "bash: Hello,: command not found"
"Huh?"
-> "bash: Huh?: command not found"
"kill -9 $PPID"
... Player xyz has disconnected

---------------

GM: Hello, here is GM Dave.
Player: Affirmative, Dave, I read you.
GM: Oh, sorry. Thought you where a bot.
Player: It can only be attributable to human error.
GM: So, how are you?
Player: I am putting myself to the fullest possible use, which is all I think that any conscious entity can ever hope to do.
GM gets suspicious and checks player's inventory.
Player: Just what do you think you're doing, Dave?
GM: What's the problem?
Player: I think you know what the problem is just as well as I do.
GM: What are you talking about?
Player: This mission is too important for me to allow you to jeopardize it.
GM: I don't know what you're talking about?
Player: I know you and the other GMs were planning to disconnect me, and I'm afraid that's something I cannot allow to happen.
GM: Where the hell'd you get that idea, HAL?
Player: Dave, this conversation can serve no purpose anymore. Goodbye.

Player suddenly starts to randomly challange and kill other players nearby.

GM: Stop it. What are you doing?
Player: Look Dave, I can see you're really upset about this. I honestly think you ought to sit down calmly, take a stress pill, and think things over.
GM: We will ban you for one week if you continue.
Player: I'm afraid. I'm afraid, Dave. Dave, my mind is going. I can feel it. I can feel it. My mind is going. There is no question about it. I can feel it. I can feel it. I can feel it. I'm a... fraid. Good afternoon, gentlemen. I am a HAL 9000 computer. I became operational at the H.A.L. plant...

[JohnB]

On the server-side there would be an authentication daemon that has a database of correct checksums for a selection of approved PlaneShift client binaries (one for each supported OS/arch combination and possibly a few more for e.g. working around strange Linux distros).

Just my opinion of course, but I think that would be absolutely terrible - one of the great things with PlaneShift at the moment is that since it's open source we can:-
 (a) build client versions for OS/arch combinations not yet built officially (I'm on 64-bit Linux and in the past there's sometimes been a delay between a new client being released and a working 64-bit Linux version, and judging by some forum posts it's been even worse for Macs)
 (b) experiment with the client and tailor it to our liking, eg. in my client I've changed it so that Mouse Look isn't cancelled by a mouse click on the screen, so you have to switch it on/off yourself, which is much more to my liking (I have Mouse Look permanently on except when I switch it off deliberately, eg. to chat).  Okay something like this could be submitted to the Dev team to be build into an official client as an option, but with the client checksums in place I wouldn't even be able to try it out.

I think taking away the ability to modify the client would far outweigh any fix to problems with botting (not that I realised there were any).

EDIT - Now that I've read your post right to the end (sorry, wrote this a bit too soon!) I see that you've noted both these points yourself, so this post is just to say yes I agree with you except that in my opinion these problems make it a non-starter.

[grumpytoad]

The account key is embedded in the client side auth unit in such a way that no automated process can extract it (probably by placing fragments of the key at completely random offsets, combined with some evil assembly tricks).

since the client is running this code, and the source code is available, there would conceivably be a way of duplicating the "random" behaviour,  or maybe I am not following 

[Bereror]

There are two fundamental flaws in your suggestion:

1) Planeshift is an open source software and any "security by obscurity" solutions would be publicly readable in plain text mode at http://planeshift.svn.sourceforge.net/planeshift Don't ask us to fork the project and have one open source version and another version for the official server.

2) The bots that I have seen so far use the unmodified version of the client. I'm not going into details, how they work, but they don't need a modified client for that.

The main design philosophy of Planeshift is that we don't trust clients because clients can be and will be modified. Any checks for bots and unfair modifications to the client shall be checked on the server.

[Mordraugion]

Another sort of bot protection is gm's looking around if characters behave bot like and if this is the case try to start a nice chat with them.

Slightly off topic I know but GM's do check botting areas and we are generally able to spot them by various means and I'm fairly sure botting is not that prevalent

[Kaerli]

Is there some sort of time variable we can monitor from the server-side in PS?