 

Server App Security Ideas/Problem

Started by Dyndrilliac, March 30, 2005, 05:47 PM


Dyndrilliac

Ok. So, I'm making a program to act as a TCP Server for client verification. Now, the only scenario I have absolutely no idea how to go about handling is a spam attack.

Now, here's what I mean by "spam attack". Multiple users make rapid connection requests, causing several possible problems to arise: buffer overflows, server lag, etc. I have a few ideas to help this already: a connection request queue, and a check to immediately refuse connections to IPs that are already connected or send multiple requests and ban them.

This however leaves the worst possible scenario: 100 people, each with 20 proxies and one broadband internet connection each send 21 concurrent connection requests and cycle this. Does anyone have any ideas for this? Also, I'm looking for ways for the program to handle it without user interaction so it requires as little manipulation as possible.
Quote from: Edsger W. Dijkstra
It is practically impossible to teach good programming to students that have had a prior exposure to BASIC; as potential programmers they are mentally mutilated beyond hope of regeneration.

MyndFyre

Quote from: Dyndrilliac on March 30, 2005, 05:47 PM
A connection request queue, and a check to immediately refuse connections to IP's that are already connected or send multiple requests and ban them.

Not an answer to your original question, but given this information, I would get banned if my mom's computer was already online with you and I tried to get online from my computer.  We share the same public IP address.
Quote
Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

Dyndrilliac

#2
Well, the server is being created for a purpose for which the probability of a single user needing to be verified on 2 computers on the same connection at the same time is very, very unlikely. Also, you would be banned regardless, as multiple instances of the same verification key would get you as well, unless you had two different keys.

MyndFyre

Quote from: Dyndrilliac on March 30, 2005, 06:00 PM
Well, the server is being created for a purpose for which the probability of a single user needing to be verified on 2 computers on the same connection at the same time is very, very unlikely. Also, you would be banned regardless, as multiple instances of the same verification key would get you as well, unless you had two different keys.

Well -- so what if two people in a large company want to use your program (or whatever) from work?

In general I think it's a bad idea to auto-ban connections from the same IP.  It could easily be entirely different people - the entire Maricopa County internet from which our library gets online has one public IP address.  The entire Town of Gilbert internet from which I chat here has one public IP address.  Both are very wide-area networks and can encompass thousands of people.

Dyndrilliac

That situation is extremely unlikely. Let me tell you why.

The server application I'm creating is to verify legitimate, paid-for copies of a game hack. Therefore, each person using it will have their own key, and most probably their own IP, and not be on two different computers using the hack at the same time on the same IP. The only situation in which I foresee a possible problem is if two people in the same household each buy a copy and use the same connection.

In the case of one service encompassing thousands of people under one IP, well then I'm afraid the risk of server attacks and defrauding the people for which I am writing the server application is too great.

MyndFyre

Quote from: Dyndrilliac on March 30, 2005, 08:48 PM
The server application I'm creating is to verify legitimate, paid-for copies of a game hack.
The company(ies) that produce the game(s) you want to hack will be all over you like a fat kid on cake.

But that point aside...

What VB are you using?  With VB .NET, this would be a very easy-to-scale program.  It would certainly involve multithreading, but that isn't particularly difficult in VB .NET.

I'm somewhat ignorant of the way a socket's Listen (or equivalent) method works in VB6, but generally, if you're on VB .NET, the Listen method accepts a parameter that specifies how many pending incoming connection requests to queue (after which connection requests will be ignored, I believe) -- and you can choose to accept or block methods as they come in.  The standard way to manage these types of incoming connections is through a connection manager object that maintains state for an individual connection, and then to store the connection manager object inside of a collection.

Dyndrilliac

Quote from: MyndFyre on March 30, 2005, 09:21 PM
The company(ies) that produce the game(s) you want to hack will be all over you like a fat kid on cake.

I'm not producing the game hack - just the verification system. As soon as I am paid for my work, my employer's legal battles are no longer my concern. The only scenario I don't know how to handle is in my first post; everything else is pretty much done as far as release stability is concerned. I am using VB6, and the Listen method does not accept parameters (AFAIK), so I will have to create my own queue and connection manager objects.

Hdx

Simple: use GetTickCount in the ConnectionRequest() sub, and set it for, say, .5 seconds, and if there is a connection within .5 seconds of the last one, simply ignore it.
Or what you could do is set it up to use UDP, and then simply ignore large packets (make a packet header specifying length), and the same idea with the GTC().
But anyways, bye.
~-~(HDX)~-~

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

The-FooL

#8
Quote from: Dyndrilliac on March 31, 2005, 12:20 PM

I'm not producing the game hack - just the verification system. As soon as I am paid for my work, my employer's legal battles are no longer my concern. The only scenario I don't know how to handle is in my first post; everything else is pretty much done as far as release stability is concerned. I am using VB6, and the Listen method does not accept parameters (AFAIK), so I will have to create my own queue and connection manager objects.

You're getting paid to write a server app in VB6?

Dyndrilliac

Yes. However, I don't see how your post is relevant to the topic.

HDX: I don't see how that will serve my purposes; that seems like it would block rapid connection requests, not necessarily rapid connection requests from a spammer. I need to maximize customers' access to the server and minimize spammers' access to the server.
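
The difference between the global GetTickCount gate suggested above and per-source limits, shown as an added example in Python (the thread's code is VB6; this is not code from the thread or any poster). The class names, the limits and the replayed connection log are constructed for the example. Instead of banning a source that already has a connection, the manager gives each source a small budget of open connections and of new requests per window, so several customers behind one public address still get in while one address cycling connect/disconnect is refused once it exhausts its budget:

```python
"""Per-source connection gating for a small TCP verification server.

Added example, not code from this thread or its posters. It contrasts a
global "ignore any request within 0.5 s of the last accept" rule with a
per-source sliding window plus a per-source cap on open connections.
Names, limits and the replayed log are constructed for the example.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple


class GlobalGate:
    """One gate for every source: refuse if the last accept was < min_gap ago."""

    def __init__(self, clock: Callable[[], float] = time.monotonic, min_gap: float = 0.5):
        self.clock, self.min_gap, self.last_accept = clock, min_gap, None

    def request(self, src: str) -> str:
        now = self.clock()
        if self.last_accept is not None and now - self.last_accept < self.min_gap:
            return "refused:global"
        self.last_accept = now
        return "accepted"

    def close(self, src: str) -> None:
        pass  # the global gate keeps no per-connection state


class ConnectionManager:
    """Per-source budget instead of a per-IP ban: at most max_active open
    connections and max_per_window new requests per window_seconds from each
    source. Customers sharing one NAT address still fit inside the budget."""

    def __init__(self, clock: Callable[[], float] = time.monotonic, max_active: int = 4,
                 max_per_window: int = 20, window_seconds: float = 60.0):
        self.clock, self.max_active = clock, max_active
        self.max_per_window, self.window = max_per_window, window_seconds
        self.active: Dict[str, int] = defaultdict(int)            # open connections per source
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)  # accept times per source

    def request(self, src: str) -> str:
        now, recent = self.clock(), self.recent[src]
        while recent and now - recent[0] >= self.window:  # drop accepts outside the window
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return "refused:rate"
        if self.active[src] >= self.max_active:
            return "refused:active"
        recent.append(now)
        self.active[src] += 1
        return "accepted"

    def close(self, src: str) -> None:
        if self.active[src] > 0:
            self.active[src] -= 1


class FakeClock:
    """Settable clock so the replay is deterministic and runs offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


FLOODER, CUSTOMER, OFFICE = "203.0.113.10", "192.0.2.7", "198.51.100.9"  # constructed

# Constructed log of (seconds, source, event): the flooder cycles connect/close
# as fast as it can, the customer reconnects once, the office opens three at once.
SAMPLE_EVENTS: List[Tuple[float, str, str]] = [
    (0.00, FLOODER, "connect"), (0.02, FLOODER, "close"), (0.05, FLOODER, "connect"),
    (0.07, FLOODER, "close"), (0.10, FLOODER, "connect"), (0.12, FLOODER, "close"),
    (0.15, FLOODER, "connect"), (0.17, FLOODER, "close"), (0.20, FLOODER, "connect"),
    (0.22, FLOODER, "close"), (0.25, FLOODER, "connect"), (0.30, CUSTOMER, "connect"),
    (0.35, FLOODER, "connect"), (0.40, CUSTOMER, "close"), (0.45, CUSTOMER, "connect"),
    (0.50, OFFICE, "connect"), (0.55, OFFICE, "connect"), (0.60, OFFICE, "connect"),
]


def replay(events, make_gate) -> Dict[str, Dict[str, int]]:
    """Feed the log through a gate; count accepted/refused requests per source."""
    clock = FakeClock()
    gate = make_gate(clock)
    tally: Dict[str, Dict[str, int]] = defaultdict(lambda: {"accepted": 0, "refused": 0})
    for t, src, event in events:
        clock.t = t
        if event == "close":
            gate.close(src)
            continue
        verdict = gate.request(src)
        tally[src]["accepted" if verdict == "accepted" else "refused"] += 1
    return dict(tally)


if __name__ == "__main__":
    print("global gate:", replay(SAMPLE_EVENTS, lambda c: GlobalGate(clock=c)))
    print("per-source: ", replay(SAMPLE_EVENTS, lambda c: ConnectionManager(
        clock=c, max_active=2, max_per_window=5, window_seconds=10.0)))
```

With the constructed log, the global gate accepts one flooder request and then refuses everyone, including both of the customer's connections; the per-source manager accepts both customer connections, stops the flooder at its fifth request in the window, and caps the office at two concurrent connections without banning the address. The limits are the knobs to tune against real traffic.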

Hdx

#10
Well then my only suggestions are: use UDP, just cuz, umm, it's fun. And upon ConnectionRequest() (if you're not using UDP) simply do a loop through your active winsocks, checking the RemoteHostIP(), and if it's already present close the connection. Then when you receive the key or w/e simply check if any other connections are using that key. Other than that, just use some fail-checks to stop buffer overflows, and as for multiple connections from a spammer, just make your program able to withstand at least 1k every 5 seconds, and you'll be fine. (It's easy to do)

UserLoser.

UDP has no connection requests, so that event is never fired

Topaz

Just force them to do login through a product key or auth key of some sort. If the attempts number over 10 or so, just block them from the server for 30 minutes.
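
The lockout rule above, combined with the earlier suggestion to refuse a key that another live connection is already using, as an added example in Python (not code from the thread or any poster). The key strings, addresses, thresholds and clock are constructed. Failed attempts are counted per source address rather than per key, because someone guessing keys presents a different key each time; the valid-key list holds SHA-256 fingerprints so the store never contains raw keys:

```python
"""Auth-key lockout and duplicate-key refusal for a verification server.

Added example, not code from this thread. Implements the rule "after 10
failed attempts, block that source for 30 minutes" plus the check that a
key is not already held by another live session. Keys, addresses and the
clock are constructed for the example.
"""
import hashlib
from typing import Callable, Dict, Set

MAX_FAILURES = 10          # failed attempts from one source before lockout
LOCKOUT_SECONDS = 30 * 60  # how long a locked source stays refused


def key_fingerprint(key: str) -> str:
    """Normalise and hash a key; only fingerprints are stored or compared."""
    return hashlib.sha256(key.strip().upper().encode("utf-8")).hexdigest()


class ManualClock:
    """Settable clock so lockout expiry can be exercised without waiting."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class AuthKeyGuard:
    def __init__(self, valid_fingerprints: Set[str], clock: Callable[[], float]):
        self.valid = valid_fingerprints
        self.clock = clock
        self.failures: Dict[str, int] = {}        # failed attempts per source
        self.locked_until: Dict[str, float] = {}  # lockout expiry per source
        self.in_use: Dict[str, str] = {}          # key fingerprint -> source holding it

    def attempt(self, src: str, presented_key: str) -> str:
        """Return "ok", "invalid", "in_use" or "locked" for one login attempt."""
        now = self.clock()
        until = self.locked_until.get(src)
        if until is not None:
            if now < until:
                return "locked"            # refused even if this key is valid
            del self.locked_until[src]     # lockout expired: start counting afresh
            self.failures.pop(src, None)
        fp = key_fingerprint(presented_key)
        if fp not in self.valid:
            n = self.failures.get(src, 0) + 1
            self.failures[src] = n
            if n >= MAX_FAILURES:
                self.locked_until[src] = now + LOCKOUT_SECONDS
                return "locked"
            return "invalid"
        if fp in self.in_use:
            return "in_use"                # same key already has a live session
        self.in_use[fp] = src
        self.failures.pop(src, None)       # success clears the failure count
        return "ok"

    def end_session(self, presented_key: str) -> None:
        """Release the key when its connection closes so the owner can log in again."""
        self.in_use.pop(key_fingerprint(presented_key), None)


# Constructed keys and addresses for a stand-alone run.
VALID_KEYS = {key_fingerprint("ABCD-1234-EFGH"), key_fingerprint("WXYZ-9876-QRST")}


def run_scenario() -> list:
    """Walk through duplicate use, lockout after guessing, and lockout expiry."""
    clock = ManualClock()
    guard = AuthKeyGuard(VALID_KEYS, clock)
    out = [guard.attempt("192.0.2.7", "ABCD-1234-EFGH"),      # ok
           guard.attempt("192.0.2.8", "ABCD-1234-EFGH")]      # in_use
    guard.end_session("ABCD-1234-EFGH")
    out.append(guard.attempt("192.0.2.8", "abcd-1234-efgh"))  # ok (normalised)
    for i in range(MAX_FAILURES):                             # 9 invalid, then locked
        out.append(guard.attempt("203.0.113.10", f"GUESS-{i}"))
    out.append(guard.attempt("203.0.113.10", "WXYZ-9876-QRST"))  # locked despite valid key
    clock.t += LOCKOUT_SECONDS
    out.append(guard.attempt("203.0.113.10", "WXYZ-9876-QRST"))  # ok after expiry
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The in-use check is what catches the shared-key case raised earlier in the thread without touching the IP address at all, and the per-source lockout bounds how much key-checking work one address can cause the server per half hour.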

Dyndrilliac

I already am forcing them to use an auth key.

My problem is from people lagging the server with tons of connection requests which the server will have to waste time checking to see if they can connect, and if not, refuse the connection. I was just wondering if anyone had any good ideas for that, but I suppose not.

Adron

Quote from: Dyndrilliac on April 01, 2005, 06:36 AM
My problem is from people lagging the server with tons of connection requests which the server will have to waste time checking to see if they can connect, and if not, refuse the connection. I was just wondering if anyone had any good ideas for that, but I suppose not.

One possible option would be to move the connection handling code into a high performance C/C++ application. That way you will be handling connections in the same language as the OS, which will obviously be faster. If the actual verification code isn't too big, you could consider moving that over as well.