Nightwatch vpn/proxy detection

[Silentwings]

It seems that Nightwatch recently started banning people from the server if it thinks they are connecting using a vpn or proxy. In general I think kicking proxies/vpn/etc from the server by default is good idea. However:

It does not detect this reliably, how/why and exactly what it does seems to be completely undocumented, it provides no information to lobby moderators/admins (that I can find) and I'm told that its behaviour can only by changed by people with access to the "Zero-K Infrastructure" repository.

Speaking with my lobby moderators hat on, this is not good. I don't know what its success/failure rate is, but a small number of people have complained to me that they are incorrectly banned for this reason and there is apparently nothing I can do to help or unban them?

All I know about this comes from http://pastebin.com/PqgyVyuP

[gajop]

Well you had to go and ask questions! :D

[12:27 AM] Channel message: <Nightwatch> kicked <detrino> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception))
[12:27 AM] Channel message: <Nightwatch> kicked <ChanServ> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception))
[12:27 AM] Channel message: <Nightwatch> kicked <ChanServ> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception))
[12:27 AM] Channel message: <Nightwatch> kicked <GargantuaSauce> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception))
[12:27 AM] Channel message: <Nightwatch> kicked <MrBuild> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception))
[12:27 AM] Channel message: <Nightwatch> kicked <bluestone_irc> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception))
[12:27 AM] Channel message: <Nightwatch> kicked <Floris> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception))
[12:27 AM] Channel message: <Nightwatch> kicked <BrainDamage> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception))
[12:27 AM] Channel message: <Nightwatch> kicked <zwzsg[IRC]> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception))
[12:27 AM] Channel message: <Nightwatch> kicked <MrBuild> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception))
[12:27 AM] Channel message: <Nightwatch> kicked <GargantuaSauce> from the server (reason: Connection using proxy or VPN is not allowed! (You can ask for exception

[Silentwings]

That looks like a log of it kicking the entire IRC bridge.

edit: Yes, apparently just now someone used Nightwatch to ban the hosting company that hosts Spring.

[abma]

if this isn't fixed soon, we should remove nightwatch admin/mod rights (imo)

[abma]

hmm, isn't the vpn/proxy ban how it currently works overkill? hetzner clearly isn't a vpn provider, its a "normal" hosting company. maybe some vpn company rented some hetzner server and this is how it was "detected" as vpn.

what makes us sure, that the bans don't ban valid players / bots?

shouldn't we limit to ip bans and not subnet bans?

[Peet]

also isn't this sort of "ban" completely useless at targeting spam, given that disconnection occurs after nightwatch is informed of the user's login?

[Silentwings]

The lack of logs or docs, as well as the fact that it doesn't tell incorrectly banned people where to find help make it impossible to get info on why/how often it goes wrong, afaics.

I do think that its important to support "autohost control" bots, with some higher degree of access than normal bots- FORCEJOIN, GETINGAMETIME, etc. But imo it is overkill when such things issue kicks/bans/etc (automated or otherwise) across the entire lobbyserver in a way that lobby mods can't change or even see.

[Anarchid]

Hetzner is a hosting company that, amongst others, provides VPN services, while not providing normal ISP services (or, rather it hosts cheap VPS, which can be easily rolled into proxies).

It was not "misdetected": a smurf used it to grief in some ZK games, and as such it was thought safe to add Hetzner to whois-based blocked VPN list. The ban was shortly removed after discovering it was over the top.

Obviously, a lobby-server side whois-based VPN banlist implementation together with a protocol extension to allow such a banlist to be moderated by anyone with lobby mod privileges would likely be superior and less prone to failure. For instance, it could shoot people right *at* the time of their connection, not after.

Who is going to do it though?

[abma]

Who is going to do it though?

the person who added it to nightwatch should do this?!

edit: added more verbose kickuser message: https://github.com/spring/uberserver/co ... 508a050ecd

atm it looks for me it looks like overusage of bans. if we have to ban to many players sth. goes wrong here.

[Anarchid]

atm it looks for me it looks like overusage of bans. if we have to ban to many players sth. goes wrong here.

Yes: there is no cost to creating an account. Account creation can even be automated; and there were precedents of hundreds created within seconds with ensuing use for malicious purposes (sockpuppeted kickvotes of legitimate users; spam; griefing).

Add on top of that the liberal policy of a lot of VPS and VPN providers where you can get your money back after "burning" an IP.

What is your suggested course of action with regard to that?

[Silentwings]

Abuse inside autohosts via mass account creation is not a new idea and effective solutions already exist, without the flaws listed above. Naturally I am not claiming that anyone can make a 100% bullet-proof autohost, but autohosts can:
- restrict voting rights, rights to call votes, or give any other commands, or even join the battleroom, based on ingame time, player/spec/ingame status, or on anything else (including automated proxy/vpn detection).
- quite reliably auto-detect and quickly block chat/command spam.

Dealing with server-wide abuse via mass account creation & spam/ddos is less easy, but here I see no chance of effective solutions through autohosts/autohost-admin-bots. As far as I know no one is disputing the potential value of a server wide system where the lobbyserver mods and/or uberserver can ban vpns/proxies/ip-ranges from the server + give exceptions where needed.

[abma]

- restrict voting rights, rights to call votes, or give any other commands, or even join the battleroom, based on ingame time, player/spec/ingame status, or on anything else (including automated proxy/vpn detection).
- quite reliably auto-detect and quickly block chat/command spam.

+1. there seems no reliable way to check which ip ranges are blocked by a whois grep. ban by ip should be only done if there is no other way.

[PicassoCT]

Im beeing constantly kicked - nickname quicossa
Rerouted through a russian vpn server...

tracing route to spiegel.de [62.138.116.3]
ver a maximum of 30 hops:

1 128 ms 90 ms 74 ms 151.217.192.1

my first hop on the way out?

[Anarchid]

Code: Select all

inetnum:        151.217.0.0 - 151.217.255.255
netname:        TEMPORARY-CONGRESS-NET
descr:          Chaos Computer Club Veranstaltungsgesellschaft mbH
country:        DE
org:            ORG-CCCV23-RIPE
remarks:        Temporary assignment
remarks:        ===========================================
remarks:        Duration of assignment: 5 weeks
remarks:        ===========================================
remarks:        Start date: 01-12-2014
remarks:        End date: 05-01-2015
remarks:        ===========================================
remarks:        ===         _____ _  ____ _____         ===
remarks:        ===        |___ // |/ ___|___ /         ===
remarks:        ===          |_ \| | |     |_ \         ===
remarks:        ===         ___) | | |___ ___) |        ===
remarks:        ===        |____/|_|\____|____/         ===
remarks:        ===                                     ===
remarks:        ===  31st Chaos Communication Congress  ===
remarks:        === http://events.ccc.de/congress/2014/ ===
remarks:        ===     December 27th to 30th, 2014     ===
remarks:        ===========================================
remarks:        ===                                     ===
remarks:        === If you have trouble with users from ===
remarks:        ===    this netblock, please call our   ===
remarks:        ===                                     ===
remarks:        ===   ABUSE HOTLINE: +49 40 2318899981  ===
remarks:        ===                                     ===
remarks:        ===========================================
admin-c:        CCC-RIPE
tech-c:         CCC-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         CHAOS-MNT
mnt-routes:     CHAOS-MNT
mnt-domains:    CHAOS-MNT
source:         RIPE # Filtered

Nice :)

I've inflicted a VPN exception on your account. Do you think CCC should be removed from the block list?

[abma]

I'm more at the point that vpn blocks should be removed at all, or at least discussed in community about how to handle it.

[KingRaptor]

I'd be happy to see VPN blocking gone when it takes more than two minutes (currently it's like 15 seconds) to make a smurf account and get into lobby, and the process is not automatable.

Alternatively, even if the smurf does get into lobby, there should be methods to prevent damage:

- quite reliably auto-detect and quickly block chat/command spam.

Is this implemented yet?

[Silentwings]

If you mean (as I did) within auto-hosts, then yes it is implemented by SPADS but I don't know about Springie. If you mean server wide, each channel has a configurable (by founder + lobby mods) spam filter and iirc there also is a global limit on the rate of data per user account with auto-kick if violated.

[PicassoCT]

I get no kick out of champagne, not from rio or rien de va plue, but why do i get a kick still out of you?

[KingRaptor]

The attack type I'm concerned with here is one or more accounts sending a PM to everyone in lobby simultaneously (or talking in every channel, although that hasn't happened yet to my knowledge). Can the current anti-spam catch spam if it's spread out across multiple accounts?

[8611]

Create lots of accounts named xxx-1, xxx-2,...xxx-n and then you can spam n lines in chat.
(or n*2, not sure what the limit is currently)

To troll in battlerooms: Join a room with lots of accounts and now you can win every vote. (like kick other players as in http://zero-k.info/Forum/Thread/6514 )