Advertisement

how to know most hack possiblities and find best way to handle them

Started by January 08, 2015 09:28 PM
39 comments, last by moeen k 9 years, 9 months ago

hello my friends.

im working on a mmo project and for better explanation its an mmo like clash or fruit craft or... its much simpler project than wow and even clash of clans but we are a little team. about 3 programers and one 2d artist.

im just now looking to how can i prevent mu game to be hacked easy. im just searchin now and see a simple networking system can be easily hacked with some simple hack softwares.

here i just say some examples and please give more information.

for example with a program like wireshark easily you can find what data your program is sending and after that you can change that. i think bway to face this kind of hack is encrypting.

next one is sql injection that i dont know really how does it work but i think its some kind of hack that they can change in your database.

or next one is ddos hack that send a lot of traffic to your server that it cant handle it.

a much more exprienced friend in networking said if you just do all security rules there will be just little group of people can hack you game. i want to know what are those important security rules.

i know i can find it in process of development but i want to know your advice.

thank you for helping

for example with a program like wireshark easily you can find what data your program is sending and after that you can change that. i think bway to face this kind of hack is encrypting.


No. Do not let the client send data that is faked. It's that easy. e.g., the client doesnt' say "I moved here" or "my health is now 1000" but rather it says "the user pressed Forward at time T" or "the user wants to use a healing potion." All of the actual game takes place on the server. The server handles user input and determines if it's valid; e.g. if a user doesn't have a healing potion then the UsePotion command will just fail, and if the user does have a potion, the server both awards the HP and removes the potion, ensuring that the user can't cheat item removal.

next one is sql injection that i dont know really how does it work but i think its some kind of hack that they can change in your database.


This one is really simple. Don't let the user send you SQL commands. Any parameters to a SQL command must be escaped. If you have a SQL command like:

execute("SELECT * FROM Users WHERE Id=" + command.id);

then potentially the user could send you the command "LoginAs(Id='0; DELETE FROM Users')" and your SQL can become:

execute("SELECT * FROM Users WHERE Id=" + "0; DELETE FROM Users");

The fix is to simply never, ever, ever just slap a string into your SQL query, but to always use the SQL escape utilities or preferably the prepared statement APIs to execute queries, e.g.:

$sql = prepare("SELECT * FROM Users WHERE Id=?");
execute($sql, command.id);

which would execute the equivalent of:

SELECT * FROM Users WHERE Id='0; DELETE FROM Users'

which is safe (it would look for a user with an Id column equal to a string, not execute the user-provided SQL).

or next one is ddos hack that send a lot of traffic to your server that it cant handle it.


You can't do much about that one. Build out your servers horizontally (have many servers sharing all the work, and do not have a single server doing all of the work, or even all of any single part of the work). High-powered (and expensive) data centers will provide monitoring and use TCP endpoint hardware that deals with this.

This is a place you can spend a lot of money, and spend a lot of time developing your network architecture. You ideally need a highly competent sysop.

Sean Middleditch – Game Systems Engineer – Join my team!

Advertisement


im just now looking to how can i prevent mu game to be hacked easy. im just searchin now and see a simple networking system can be easily hacked with some simple hack softwares.

...

a much more exprienced friend in networking said if you just do all security rules there will be just little group of people can hack you game. i want to know what are those important security rules.

Security is not a once-and-done thing.

There is no checklist that if you can mark them all down you've covered the core features.

Everything about your code is a potential attack vector. Every line of code can potentially be exploited.

Every asset in your game and data is a potential attack vector. Every asset can potentially be exploited.

Everything you communicate between games is a potential attack vector. Every message can potentially be exploited.

Even major systems discover new big flaws in mature code. There are many known exploits available on major systems, such as Valve's Steam Browser protocol, that allow bugs in any Steam-configured game to end up resulting in remote code execution. The reason they aren't fixed is that security analysis says it isn't worth the cost.

You need to figure out:

* What is valuable to attackers

* What is valuable to victims

* Attack vectors for those valuable things

* Ways to mitigate attacks

* Ways to detect attacks.

Many things are valuable. Service disruption through a DDOS attack is hard to stop. Encryption eliminates a very tiny number of potential exploits against unsuspecting victims but does nothing to stop an attacker who is legitimately connected. Protocol flaws exist in almost every game, but usually the impact is minimal so other than a service disruption attackers have little to gain.

I'm not aware of any short list that says "Do all this and you're basically fine." Instead I'm aware of online resources that daily provide new lists of exploits and attack vectors and potential vulnerabilities.

i think bway to face this kind of hack is encrypting.


That doesn't really work, because the data is available in the memory of the client, and it's easy to DLL inject or debug attach to a process, and change the data right in the process memory. Instead, you have to put all the important game rules on the server, and send player moves/commands from the client. Don't send "unit A moves to position X, Y" -- instead, send "unit A moves range R in direction D." Then verify that that unit has that much movement range, and that direction D is in fact clear to move on the server, and move the unit. Send back "Unit A is now at position X, Y." Do the same method for all other important actions that can change important game state.

next one is sql injection that i dont know really how does it work but i think its some kind of hack that they can change in your database.


Here is a piece of server code (in PHP) which can be SQL injected:

$result = db_query("SELECT * FROM customers WHERE customer_id=$_POST[customer]"); // VERY BAD
Here is the same code without the possibility of SQL injection:

$result = db_query("SELECT * FROM customers WHERE customer_id=:cid", ['cid'=>$_POST['customer']]); // BETTER
The difference is that the user could change the output of db_query in case 1 by sending a "customer" named something like "0 OR 1 = 1" which would return all the customers. For another illustration: http://xkcd.com/327/

or next one is ddos hack that send a lot of traffic to your server that it cant handle it.


The three defenses against DDoS are:
1. Don't piss of anyone or seem like a target (doesn't work in the long term.)
2. Don't be so dependent on uptime that a DDoS is a real problem (communicate to your players on Facebook, and hope they go away after a while.)
3. Contract with a DDoS prevention company like CloudFront or Neustar or Verisign or whatever. When the DDoS hits, work with them and follow their instructions. (Ideally, try the procedure once before you're attacked, so you know it works :-)

a much more exprienced friend in networking said if you just do all security rules there will be just little group of people can hack you game


Sadly, that small group, if it doesn't like you (or has economic incentive) will create a hack script that anyone can download (or buy) and hack your game.

Put rules on the server. Write safe server-side code. Subscribe to vulnerability mailing lists (like CERT.) Patch all your servers (and client libraries you use) as soon as there is a vulnerability (not next week, not next day, as soon as!) Write good server logs; keep the logs for a reasonable amount of time. Keep netflow logs for attack analysis. Go through the logs at some regular interval, and look for new patterns you haven't seen before. Set up good server monitoring and warning systems. Keep good connections with your community, and listen to them when they complain about cheaters and hacks and broken behavior -- sometimes they're right, othertimes they aren't. Keep good backups. Run databases with time delayed replication slaves. Buy external penetration testing services. Configure a firewall well to only allow in (and out) the data you *know* that your service needs (use white-listing, not black-listing.)

The set of good operational practices goes on and on (and on.) If this is ACTUALLY the biggest problem for you, hiring an experienced operations manager is likely a smart move for you. Chances are, your CURRENT biggest problem is likely that "we don't yet have a game that's fun enough that people would care." After you solve that, your biggest problem will be "nobody knows about us, and buying advertising is so expensive, and all the app stores have a million apps that are ranked higher than us, so nobody knows that they want to play our game." After that, your biggest problem might be "oh, our payment and customer service system is all wrong and doesn't actually make it easy for users to give us money (and take care of the cases where that fails for some reason.)" After THAT you probably actually need to start thinking about managing all your infrastructure for real. Unless you are really, really, REALLY sure that you'll actually get all the way there, spending too much work on the operational aspects now is probably wasted.

Meanwhile, making sure that all commands are executed and validated on the server, is something you should do up front -- it's the same cost to write it server-side or client-side, but doing it server-side is "right" and doing it client-side is very hard to "fix" later.
enum Bool { True, False, FileNotFound };

The reason why most multiplayer games are easily hackable is because they follow this basic design:

Take a single player game, duct tape on some networking code and make a server that basically echos everything the client tells it to other clients.

Wow is this way for player movement and other stuff. They have warden spyware installed on all windows clients but this does nothing since "hackers" can just break warden.

Chinese gold farmers basically reverse engineered the entire protocol and made headless clients so that they could run hundreds of clients per machine on the cloud for gold farming bots. This is also how they made the giant 3d signs from levitating level 1 characters. They use accounts they stole from phishing websites to run the bots on (ie: people who used the same email and password on the gold selling website that they use to log into battle.net with!).

Despite blizzard being the most aggressive against botters and hackers, WoW is still probably the most hacked online game as hacking WoW is big business.

Age of Conan was this way for everything. Hackers developed a tool after they realized that the server did not check targets, so any amount of damage or any spell could be targeted at anything. They made a video of them torturing the GM by repeatedly giving the GM 9 billion fall damage and moving items from inventory.

Darkfall Online was pretty much in the same boat as AOC. There was even one video of a hacker ruining a siege by stealing a boat, lifting it in the air 50 feet, and flying away with the ship leaving an entire guild in the water speechless.

So what can we learn from this?

The client should do nothing. Nothing! Nothing except take the data the server gives it and put that on the screen. Like literally the physics has to run on the server.

Why do games not do this? Because its hard. It's easier to just have the client do all of the work and have the server basically bounce updates to all of the other clients in range.

Running a physics sim for all connected players requires a ton of CPU. Putting everything on the client is cheaper.

As others have said, just about everything you have coded can be a potential attack vector.

The only way to know what is a risk is to monitor your game, 24/7, and create intrusion detection systems and anti-hacking systems. At the very simplest level you would do well to look for multis (people registering multiple accounts for the purpose of griefing, abuse etc) and to look for abnormal patterns of traffic (e.g. brute force attempts, chat spamming, farming bots etc).

There are many good books on the subject of what you need to look out for to handle griefing/hacking in an online game, but a big part of this is having the support team and customer services people there to handle it.

You will find that most abuse gets reported, as most of your players are there to have fun, not abuse the system, and those that abuse are ruining that fun for them. However, if there is nobody to easily report the abuse to, or if the abuse goes un-actioned for a long period of time, they will lose face and go somewhere else where the developers and team are more responsive. This is where a lot of the money goes in keeping an MMO running - not in development or hosting, but in customer-facing friendly faces, moderators, etc. These people should not really be players of the game, as they should be impartial, and there should always be some available whilst the game is in operation - think similar to IRC Operators on IRC.

I deal with this in various guises as the administrator of an IRC network and in the past when creating a web game, and it is what kills a project, as a death by a thousand cuts. Unless you have deep pockets or vast numbers of volounteers that are averse to sleeping, it can be the biggest problem you will ever face.

Good luck!

Edit: Just found the book that helped me a lot with this in development of one of my web games: The book is "Developing Online Games: An insiders guide" by Jessica Mulligan and Bridgette Patrovsky. There is no programming at all in this book, and it centres on how to develop these games from a project management perspective - this is very useful and highly recommended.

Advertisement

Another thing to keep in mind is what technology you use, including what language you are creating your game in. For example, higher-level languages are typically free from buffer overflow/underflow issues which are some of the most common and effective ways to "hack" software, either to steal information, bring down servers or in the worst case execute code remotely.

In other other hand, high level languages (such as PHP) often make it easy to execute code as strings and/or include additional code which can be very dangerous (though such languages are commonly executed in sandboxed environments reducing the effectiveness somewhat). High-level languages also commonly perform automatic/implicit type casting among it's variables, and/or making it impossible to enforce specific types, making it easier to make misstakes like the SQL injection samples above.

Another thing to keep in mind is what technology you use, including what language you are creating your game in. For example, higher-level languages are typically free from buffer overflow/underflow issues which are some of the most common and effective ways to "hack" software, either to steal information, bring down servers or in the worst case execute code remotely.

It is very easy to get lulled into the false sense of security that "i am immune from stack overflows, buffer overflows, pointer abuse and null dereferences because i use scripting language X". In reality, the scripting language interpreter or virtual machine (in the case of java) is usually written in C or C++ and has its own vulnerabilities, and if you don't keep up to date with patches and updates, then these vulnerabilities can be exploited from within the scripting language, getting around all the perceived security you think you might have had.

It is very easy to fall behind on updates too, because on windows, most things that arent part of windows itself dont have automatic updates, and at least on linux most updates have to be triggered manually to stop them from breaking the system (e.g. apt-get update && apt-get upgrade).

This is where any big game which has money behind it has an IT Manager and several IT Technicians monitoring the servers, plus at least one IT security person.


Another thing to keep in mind is what technology you use, including what language you are creating your game in. For example, higher-level languages are typically free from buffer overflow/underflow issues which are some of the most common and effective ways to "hack" software, either to steal information, bring down servers or in the worst case execute code remotely.

This made me giggle in an evil way. Example:


http://www.symantec.com/security_response/vulnerability.jsp?bid=60659

Risk

High

Date Discovered June 18, 2013
Description

Oracle Java SE is prone to a buffer-overflow vulnerability in Java Runtime Environment. An attacker can exploit this issue to execute arbitrary code in the context of the current user. This vulnerability affects the following supported versions: 7 Update 21 , 6 Update 45 , 5.0 Update 45


and create intrusion detection systems

IDS won't help alot here. Your game protocol is custom so off-the-shelf pattern matching of packets by an IDS won't work. It will let you know if someone tries to brute force SSH your server though.

In fact, most online game hacking simply uses the facilities built in to the game protocol itself. They simply inject code into the client binary or build their own binary to send traffic to the server that looks legit and indistinguishable from normal traffic.

I suppose it depends in your view.

My view is that if you have no pointers, you cannot accidentally dereference them or point them straight to hell. It means you cannot introduce that kind of bugs. The Java error you linked is a typical C/C++ problem which couldn't have happend in code written in say C#/Java (well, there are always exceptions ofcourse).

Platforms like .NET are designed in such a way that many problems cannot happen in the first place, while many others can be caught and handled in safe and secure ways. I wouldn't be the slightest surprised if we saw a production quality derivate of Singularity (OS by Microsoft written in C#) for servers sometime soon for this very reason. It has so much better potential to be secure.

Writing safe and secure code indeed doesn't save you from problems in your platforms/OS/hardware though, you still need updates, firewalls, anti malware systems and whatnot, I completely agree on that part, but you should still do what you can on your end, in your code.

This topic is closed to new replies.

Advertisement