DDraceNetwork - developer

Why bans so ineffective? If anyone list reports we can see some ppl that break rules over and over again. May be need to more variants to identify players, for more effective bans? HWID, IP, logpass (so, it's also stop faking other ppl nicknames) with mail, ban indicator into game files for repeating ban if it same client, but new others. I think it all divide all "crime" by zero If u really need to wait weeks after doing shit u think twice before doing this For example, i talked a little with some idiots. With BlockMark and Rety. Those category of shit players think identically: "I'll not be punished, i can do what i want. If i got baned I just avoid this, lol"

ddnet-maps

[ddnet-maps:master] 1 new commit

fa5d03a M Deadline 1, M Get The Gifts, M NUT Hardcore UNITED, M NUT_hardcore_race2, M NUT_race7, M Multeasymap, M Crimson, M Hardstyle 2, M mazepack - ddnet-maps

Ham5terzilla (Макс)

Why bans so ineffective? If anyone list reports we can see some ppl that break rules over and over again. May be need to more variants to identify players, for more effective bans? HWID, IP, logpass (so, it's also stop faking other ppl nicknames) with mail, ban indicator into game files for repeating ban if it same client, but new others. I think it all divide all "crime" by zero If u really need to wait weeks after doing shit u think twice before doing this For example, i talked a little with some idiots. With BlockMark and Rety. Those category of shit players think identically: "I'll not be punished, i can do what i want. If i got baned I just avoid this, lol"

HWID, IP, and some other type of bans are known to be very ineffective

ReiTW

HWID, IP, and some other type of bans are known to be very ineffective

could send drive serial or gpu uuid to server, not sure how much of a privacy concern that is though

No, we can't send those. DDNet is open source, anyone can change the client to send fake info

Fän

could send drive serial or gpu uuid to server, not sure how much of a privacy concern that is though

Better use an account system

Yes, but that only works if you make registering accounts hard, for example by having to pay

08:49

if people cared about their ingame name, we could nameban them already

deen

Yes, but that only works if you make registering accounts hard, for example by having to pay

Maintain a hidden branch with "anticheat"? This would totally destroy the purpose of backwards compatibility & open source though

deen

Yes, but that only works if you make registering accounts hard, for example by having to pay

Or rate-limit account creation per ip

Avolicious

Or rate-limit account creation per ip

that'd be equal to ip ban

08:50

not a solution

Most of those guys are using known proxy/vpn ranges

and would also destroy backwards compatibility.

How would it destroy backwards compatibility?

Avolicious

Most of those guys are using known proxy/vpn ranges

Do official servers not use getipintel.net or whatever it was called?

08:51

account system.

08:51

I don't see a way to implement an account system without a client update

KoG uses the account system for years now

yes, but you don't need one to join

Yeah, but you cant kick logged in members for example

Fän

Do official servers not use getipintel.net or whatever it was called?

We have a way to detect vpn ranges, but we don't disclose which one we use so botters can't test to find a vpn provider that is not detected.

Either way, getipintel is very decent.

deen

No, we can't send those. DDNet is open source, anyone can change the client to send fake info

+1

I think it possible to do register system using ddnet.tw, affecting only ddrace servers. Login in game once per day using log pass. And for register need to link email, with restriction one mail - one account and nickname, + ban services that provide 1 minute mail, + ban for registration multiple accounts from same ip, + ban for registration from VPN services. And change vote system a little. For example, only registered users can start vote for kick, + if target is unregistered user kick without vote.

09:44

"Once per day" I about don't need to relogin every time, just one login and u gaming all day, like in KoG

what about tempmails then

As ridiculous variants may be link phone number with verification, and seriously restrict unregistered users, but it's too complicated

phone numbers nowadays is useless

09:47

it can be easily bypassed

09:47

onoff app and done

I write about tempmails, 1min mails, etc, need to ban registration using that services

dunno if there's any existing online db to get domains used by 1min mails

Yes, much of this can still be bypassed separately, but the point is that the "terrorists" spend much more nerves and efforts to bypass the blockages.

09:51

Along with this, it will still not be so "cool" that it causes the slightest difficulty for ordinary players.

09:53

Target is making ban really serious thing, not just "i change thing1 and thing2, and i go do shit again"

09:57

We just have "serial killers" and many of them are not very technical. It turns out that at the moment almost no effort needs to be made to bypass the blockage, which is why they continue to do all this.

09:57

(some Google translate, sorry)(some write self) (edited)

speaking of Mac, has anyone tried running DDNet on M1? How is the performance there?

as an additional measure, you can force to verify in Discord even during registration, and same, one ds - one reg.

the 1min mail thing won't work. I can generate emails with a custom domain all day long

10:04

there really is no good solution until you introduce $$$. Bc if it's free then it's trivial to do

10:04

imo

Whitelist emails? To only popular ones

its easy enough to make email with gmail

Anyway ->

Yes, much of this can still be bypassed separately, but the point is that the "terrorists" spend much more nerves and efforts to bypass the blockages.

Fän

Maintain a hidden branch with "anticheat"? This would totally destroy the purpose of backwards compatibility & open source though

I considered this but the several clients that do have these kinds of features are extremely easy to reverse engineer. I really dont want to be in this game of cat and mouse

aodq

speaking of Mac, has anyone tried running DDNet on M1? How is the performance there?

Fan tried, said it's fine iirc

that's good to know

Learath2

I considered this but the several clients that do have these kinds of features are extremely easy to reverse engineer. I really dont want to be in this game of cat and mouse

Depends on how you approach this

10:09

You could use Code Virtualizer and things like that to make it harder to reverse engineer.

10:09

But anyway, grabbing disk serial & gpu uuid, and sending it, encrypted with AES-256 or smiliar, will do very well

The OpenGL backend on M1 can be a bit odd bc it's really only tested against professional apps and bigger games

We could do accounts and require like an hour of proof of work to create a new one. If people invest in fpgas to create ddnet proof of work then we are fucked :D

even without obfuscation

Learath2

Fan tried, said it's fine iirc

Yep, it's good.

10:10

but I don't recommend using a touch pad for this game

10:10

lmao

or the magic mouse lol

10:10

what's the framerate like?

Fän

You could use Code Virtualizer and things like that to make it harder to reverse engineer.

Sacrificing tons of performance for a solution that will only stop people not commited to the task. Things like VTIL are getting better day after day

Learath2

Sacrificing tons of performance for a solution that will only stop people not commited to the task. Things like VTIL are getting better day after day

0% performance impact if done properly.

That sounds like fairy dust

You wouldn't run this in a loop 24/7.

10:11

You would only run the hwid routine when you connect to a server (edited)

10:11

that's it.

what's stopping anyone from changing the source code

aodq

what's stopping anyone from changing the source code

That's why it'd be a hidden branch. (edited)

then now you can't compile DDnet anymore?

You can, simply include the "hwid" module in your source code and you're all set

Well any part of the code that isn't virtualized makes it trivial to reverse. E.g. look at escape from tarkov

Learath2

Well any part of the code that isn't virtualized makes it trivial to reverse. E.g. look at escape from tarkov

Let's be real, barely anyone knows how to circumvent hwid checks in here.

They keep attacking the point where the game interfaces with battleye

and no one will bother to do so for something like ddnet.

10:13

BattlEye is totally different, and has a totally different player base.

10:13

Trust me that it'd prevent a LOT of ban evasion if done properly

10:13

and if this would become a thing, i'd be happy to assist

Fän

Let's be real, barely anyone knows how to circumvent hwid checks in here.

Well the guy that developed one of the most popular bots right now also sells bots for AAA games. So atleast one guy here that has that sort of reverse engineering skills

aodq

then now you can't compile DDnet anymore?

Let's say you can simply download the hwid module .dll, and place it in the same folder as your ddnet build

10:14

should be very easy to implement

yeah that works for windows fine but for linux maybe not as well

aodq

yeah that works for windows fine but for linux maybe not as well

ship a linux module aswell

10:14

I don't quite get what stops you from just hooking the dlls calls. The dll just asks winapi for the information at the end of the day. This is why most modern anticheats are moving into the kernel and even requiring they be loaded up at startup

Learath2

I don't quite get what stops you from just hooking the dlls calls. The dll just asks winapi for the information at the end of the day. This is why most modern anticheats are moving into the kernel and even requiring they be loaded up at startup

having proper integrity checks. you can directly query the disk driver instead of using winAPIs

10:16

same for gpu uuid

10:16

Leave a few traces if the offending player has been banned, and it should prevent most offenders from joining back (temporarily)

10:16

you can always go even further in-depth

Anyway, lets not talk more about this here. Bot people watch this channel all the time

10:17

hi bot people

But in general we dont really love the idea of a closed source blob being required. All our proprietary integrations are also all optional if you notice, so you can run the game without any blobs right now

yes stallman is happy with us

Is he? We dont use gpl :P

With serious registration and serious limitation for registration it need to change a much more things. For account use mail and DS verification. And very serious restrict to: 1 ip = 1 account, 1 mail = 1 account, 1 DS = 1 account. If u already used any of this, u cannot register, in addition, ban registration using known VPN services and ban registration if used unknown mail service or if used known bad services, providing mail for 1 minute. And in game we just ban account, IP and HW. Imagine that, for bypass u need literally change everything. IP, mail, Discord, HW, ip cannot be known VPN, need to register/use new normal mail, etc. Yes, moms hacker kids still can bypass, but it significantly down repeating of rule-breaking.

lol please don't force users to register with discord

Still exist other measures

no

10:24

there are no other measures

10:24

tw is open source

10:24

u can spoof any measure

I about all listed, but not DS

10:25

Site is open source too?

what is DS

btw if i was forced to register email, and my own email didn't work bc it wasn't popular enough, I'd not bother. Though I might be the odd one out there

Ds - discord

what's stopping anyone from creating a new gmail account lol

It is already longer, than just change only ip

i only have 888 hours in the game, but so far I've only seen one guy evade bans anyway and he never disrupted anything anyway

10:29

when people get kicked I don't see them return. do you?

10:29

maybe this is a regional issue idk

And, i listed it much upper, we can do some fingerprint in client shadowly, only about ban info. If ban info detected, we ban all new things

10:30

Idk, in Russia we have mad guy's that everytime bypass restrictions and block all again and again

Ham5terzilla (Макс)

And, i listed it much upper, we can do some fingerprint in client shadowly, only about ban info. If ban info detected, we ban all new things

u can just recompile ddnet code with anything u want added

10:30

well i dont think theres a perfect solution

10:31

on my servers i have a better list of blocked providers + detection for bad inputs

10:31

and it works a littel better

Yes, but not all is super mega hackers

ive suggested some of these things to ddnet

10:31

they added a couple of them

10:31

but their tolerance towards false bans is very low

Good

so they arent gonna accept every strategy ive implemented for my servers

10:31

and thats fine lol

Anyway, cheaters is more rare in ru regions. Really common thing is idiots that bypass ban everytime, it's annoying.

Ham5terzilla (Макс)

Anyway, cheaters is more rare in ru regions. Really common thing is idiots that bypass ban everytime, it's annoying.

what XD

10:35

no they arent

10:35

i did a statistical analysis on my main server

10:35

it was a ger server

10:35

and i found that russian ips are roughly 3.7x more likely to be cheaters than german ips

In other news, our gear in germany is coming up by tuesday

I'll likely release the old mitigation code for DDNet here (the reconnecting in 3 seconds one), as this will be deprecated by then

I about ru ddrace servers, ddrace mode. May be fng more common cheat situation

tbh im not sure

10:36

i was talking about fng

I think cheating in fng do more profit for ego of cheaters

yes

10:37

its far easier to cheat at fng

10:37

~~theres a reason my banlist is 3.5k lines long~~

:D

10:38

Anyone can ddos server with just a giant attemtps to connect?

Ham5terzilla (Макс)

With serious registration and serious limitation for registration it need to change a much more things. For account use mail and DS verification. And very serious restrict to: 1 ip = 1 account, 1 mail = 1 account, 1 DS = 1 account. If u already used any of this, u cannot register, in addition, ban registration using known VPN services and ban registration if used unknown mail service or if used known bad services, providing mail for 1 minute. And in game we just ban account, IP and HW. Imagine that, for bypass u need literally change everything. IP, mail, Discord, HW, ip cannot be known VPN, need to register/use new normal mail, etc. Yes, moms hacker kids still can bypass, but it significantly down repeating of rule-breaking.

and i mostly just use iprange bans instead of this fwiw

Ham5terzilla (Макс)

Anyone can ddos server with just a giant attemtps to connect?

depends on ur defn of giant but in general yes

10:38

most tw dos attacks involve connect or info requests

10:38

most are spoofed with either random or player ips

I just thinked about "oh, u need to check about guy bot in ban list, and other things"

oh no

10:39

my servers skip the info and the first handshake packet when checking banlist

10:39

to show banned players the discord link + to protect a little bit against dos

10:40

it only shows them the link on the second stage of the handshake

10:40

once they send back a correct packet with a token

Hmm

Ham5terzilla (Макс)

Anyone can ddos server with just a giant attemtps to connect?

that's why we made a filter that will block both query floods, and other traffic

10:40

just dealing with capacity issues in frankfurt atm

10:40

which will be solved by tuesday (edited)

and yes fan servers are better protected than mine, lol

which means we'll also be able to utilize our newer ddnet filters

10:41

that are pretty much transparent.

against dos at least (edited)

Fun fact

they're also a lot more complex, probably the biggest filter I've made so far (except for FiveM)

10:41

Most games use one single protocol, not 4 (edited)

noby

and yes fan servers are better protected than mine, lol

Pretty much, only issue we're seeing in Frankfurt is limited capacity at the moment

i host on a $5 vps so

10:42

lol

Eh, there's a difference between multi-k$ equipment and a $5 VPS I guess

ofc

10:43

id hope so at least

So, in ru regions we have a problem, that in most cases we have just agressive and unstoppable (i about ban ignoring) ppl, that not cheaters.

Still waiting for our Threadripper 3995X in Dallas with an additional 200Gbps in capacity to come up too, filtering is still running on a 3900x there, which does suffice due to the nature of XDP being very great performance-wise

Fän

Still waiting for our Threadripper 3995X in Dallas with an additional 200Gbps in capacity to come up too, filtering is still running on a 3900x there, which does suffice due to the nature of XDP being very great performance-wise

o__o

Hah

10:44

Strong

Ham5terzilla (Макс)

So, in ru regions we have a problem, that in most cases we have just agressive and unstoppable (i about ban ignoring) ppl, that not cheaters.

on my servers i use rangebans to deal with such players, thers a system to correlate names to ips and it lets me easily find which ranges i can ban

10:44

i dont think ddnet is willing to do this

10:44

but its one option

10:45

i also have a system to ban providers

Who knows, we're potentially gonna have 2.5Tbps in capacity by the end of year (globally), if things go as planned.

10:45

"globally" being an anycasted network

nice

Fän

You can, simply include the "hwid" module in your source code and you're all set

Or making the module optional for self compiling, just disallowing account registrations on the Server side

11:15

btw, could custom servers use these identifications like gpu nr or so too?

Fän

In other news, our gear in germany is coming up by tuesday

I'll likely release the old mitigation code for DDNet here (the reconnecting in 3 seconds one), as this will be deprecated by then

Nice!

noby

on my servers i use rangebans to deal with such players, thers a system to correlate names to ips and it lets me easily find which ranges i can ban

can you show me that? then i dont have to waste vpn requests when i have the network address of a bad ip cached

fokkonaut

btw, could custom servers use these identifications like gpu nr or so too?

If you compile your own ddnet client, and distribute it, sure

wym?

11:23

I mean, my Server for example

11:23

So I can identify banned people too

fokkonaut

can you show me that? then i dont have to waste vpn requests when i have the network address of a bad ip cached

u live in EU

11:28

the whois system is probably illegal for u

11:28

(u can add vpn caching without this btw)

I do have vpn caching already

11:29

But i think caching the network address of a vpn ip is more effective

wdym network address

like the network that ip is in