Forum - DDraceNetwork

Some days ago i asked someone with a good knowledge of teeworlds and network packages to hack my teeworlds server. I wanted to know how save it is. I logged in F2 with the admin password before. Suddenly i saw in the logfile that i had executed the command "sv_rcon_password hello". But i never executed that command. A few seconds later the person logged in with the new admin password and stopped my server.


Now an explanation of the problem:

The internet works with so called "packages". Computers can send packages to IPs and can recieve packages. Unfortunately there is no way to see where the package comes from. The computer that sends the packet just writes his own IP in the package. But what will happen if you write the IP from another player in the package? Yes, your right. And this is called ip spoofing because the server will think the package comes from a player who hasn't actually send it.

So when i logged in with my admin password the server knew that my IP is allowed to execute for example "shutdown". When a hacker sends a packet that includes my IP and the command "shutdown" to the server, it will execute it.


I don't know much about this stuff and i don't know how complicated it will be to fix. But here's the way how it would work:

If I send a package to the server with my IP for example 10.10.10.10 and the command "shutdown" the server won't execute it immediately. It will first send a randomly generated code to the IP 10.10.10.10. When i get the code i'll just send it back to the server. Now the server knows that i sent the command "shutdown" because i got the code that the server sent to my IP. So the server will execute my command.

Because it takes some more time to send the package with the randomly generated code to the client and back to the server it would be bad for actions like move, hook or jump because it would increase the ping. But for important things like disconnect, F2 commands or chat messages it would be a great protection.


This should not be a "hacker guide" and of course only a few people have the knowledge to do what i described here. And people who have this knowledge usually don't use it for bad things. I just want you to know that some people if they know your IP address can disconnect you from every server. I would like to know your opinion about this topic.

DoNe

Console connection uses the TCP-protocol, therefor you also need to know the sequence number to spoof the packet else the server should reject the message. (In theory lol)

Concerning your suggestion, the server can also send a shared secret on authentification and the client uses it to hash the messages for example. Both approaches are possible but far from being secure(man-in-middle-attack). The question is what level of 'security' you want to achieve?

The server was actually spammed with different sequence numbers until the right one was found.
The security have not to be very high. But it should require more than one command to disconnect a player from a server. And your right it's way more efficient to generate a code one time for a player and use it as long as he is connectet. Or just use TCP it would make it harder then just send a package.

TCP isn't useful for the normal game messages (snapshots, etc), but 0.7 will (probably) have some token based system to prevent Ip-Spoofing (and other stuff, was also most likely the reason the tournament server shutdown so easily /: ). Not sure what can be done atm without breaking compatibility with tw netprotocol. Maybe you can do sth simple for ddnet-client-users only. (Llike sending a token for hashing)

I don't have enough knowledge to code it. And yes, ofcourse it would be only for ddnet-client and server.

BeaR wrote:Console connection uses the TCP-protocol, therefor you also need to know the sequence number to spoof the packet else the server should reject the message. (In theory lol)

If you are talking about the ingame remote console it actually uses an own protocol based on UDP (Yes, it has similarities to TCP (syn/ack)).

DoNe wrote:The server was actually spammed with different sequence numbers until the right one was found.

Note that the Source port of the client needs to be found aswell (port+seq = 6 bytes). So that would take about 0x100^(2+4) tries. I guess the weakness is somewhere else.

//edit: okay, the source port can be obtained using an own server since the client uses the same source port to request the server list
//edit2: also, the sequence number has the maximum at 1024

Alright, some kind of fix for this is in DDNet client 4.7.4. Try that out, DoNe.