Thursday, September 13, 2012

Mongoose is hailing you! warps into the sector.

I've been studying the potential for spoofing attacks against helpers and scripts. The vector for a spoofing attack is any context where player-entered text is displayed to other players. Naïve scripts can be fooled by things like Fedcomm messages or beacon text, but detecting spoofs is relatively simple as long as the player has ANSI on. I have found no instance where a spoof cannot be detected either by its preceding context or the ANSI codes it contains. In fact, I know of only one prompt that cannot be positively identified by its ANSI codes alone.

But everything falls apart with ANSI off. Some spoofs can still be identified by their preceding context, but there is one class of messages where player-entered text appears as the first thing on a line without any predictable preceding context. These are messages like "Mongoose warps into the sector.", and they can spoof any prompt under 41 characters in length. For example, is that "[Pause]" really a pause, or is it the beginning of "[Pause] warps into the sector."? A real prompt lacks a trailing newline character, so without additional knowledge of the protocol there is no way to know if more text is on the way.

But there is still hope in additional knowledge of the protocol. If problematic messages like "[Pause] is hailing you!" are written to the network in a single write, then for all practical purposes it is guaranteed that they will be transmitted in a single packet. The minimum IPv4 MTU is 68 bytes (and in practice is usually much larger) so any message beginning with a spoof name would be guaranteed to have at least a few bytes of trailing context received with it. A "[Pause]" received by itself could then be safely treated as a real pause, as could all other spoofable prompts.
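The protocol-level check described above, worked through as an added example (this is not code from the post or from any TW2002 helper). It assumes a text stream with ANSI off, takes "[Pause]" and the two player-message templates ("warps into the sector." and "is hailing you!") from the post, and adds one constructed stand-in prompt, "Enter your choice: ", for any other spoofable prompt. A read that stops exactly at prompt text is treated as a real prompt; prompt text followed by more bytes in the same read is a spoof. It also covers the failure mode the hypothesis would not rule out: a "prompt" whose line continues in a later read.

```python
# Prompts the helper must recognise. "[Pause]" is the one named in the post;
# "Enter your choice: " is a constructed stand-in for any other spoofable
# prompt under 41 characters.
SPOOFABLE_PROMPTS = ("[Pause]", "Enter your choice: ")

# Player-generated message templates named in the post: player text comes
# first on the line and is followed by one of these fixed suffixes.
SPOOF_SUFFIXES = (" warps into the sector.", " is hailing you!")


class PromptDetector:
    """Classify each network read as it arrives, with ANSI off.

    Working hypothesis from the post: a message such as
    "[Pause] warps into the sector." is written by the server in a single
    write, so it reaches the client in a single read together with its
    trailing context. A read that ends exactly at the prompt text is then
    a real prompt; prompt text followed by more bytes in the same read is a
    spoof. If the hypothesis is violated (a declared prompt's line continues
    in a later read and completes a known template) we report 'late_spoof'
    so the helper can back out of whatever it did in response.
    """

    def __init__(self) -> None:
        self.partial = ""        # text of the current line seen so far
        self.last_prompt = None  # prompt declared on the previous read, if any

    @staticmethod
    def _prompt_prefix(line: str):
        """Return the known prompt this line starts with, or None."""
        for prompt in SPOOFABLE_PROMPTS:
            if line.startswith(prompt):
                return prompt
        return None

    def feed(self, chunk: str) -> str:
        """Consume one read; return 'prompt', 'spoof', 'late_spoof' or 'text'."""
        late_spoof = False
        if self.last_prompt is not None:
            # The previous read ended at a prompt. If this read continues that
            # line into a known player-message template, the single-write
            # assumption failed and the "prompt" was the start of a spoof.
            first_line = chunk.split("\n", 1)[0].rstrip("\r")
            if (self.last_prompt + first_line).endswith(SPOOF_SUFFIXES):
                late_spoof = True
                self.partial = self.last_prompt  # restore so the line reads whole
            self.last_prompt = None

        self.partial += chunk
        # Everything before the last newline is finished output; only the
        # trailing partial line can be a prompt, since prompts end without a newline.
        *finished, self.partial = self.partial.split("\n")
        spoof_seen = any(self._prompt_prefix(l.rstrip("\r")) for l in finished)

        if late_spoof:
            return "late_spoof"
        if self.partial in SPOOFABLE_PROMPTS:
            # The read stopped exactly at prompt text at the start of a line.
            self.last_prompt = self.partial
            self.partial = ""
            return "prompt"
        if spoof_seen or self._prompt_prefix(self.partial):
            # Prompt text with trailing bytes in the same read: player-generated.
            return "spoof"
        return "text"


def classify_reads(reads):
    """Run a sequence of reads through one detector and collect verdicts."""
    det = PromptDetector()
    return [det.feed(r) for r in reads]


# Constructed sample session (ANSI off), one string per network read.
SAMPLE_READS = [
    "Mongoose warps into the sector.\r\n",   # ordinary player message
    "[Pause] warps into the sector.\r\n",    # spoof delivered whole, as hypothesised
    "[Pause]",                               # real pause: the read ends at the prompt
    "\r\nWelcome back, Mongoose.\r\n",       # constructed server output after the keypress
    "[Pause]",                               # declared a prompt...
    " is hailing you!\r\n",                  # ...but the line continued: hypothesis violated
]

if __name__ == "__main__":
    for read, verdict in zip(SAMPLE_READS, classify_reads(SAMPLE_READS)):
        print(f"{verdict:10} {read!r}")
```

Because the detector accumulates the current line across reads, a prompt split as "[Pau" + "se]" is still recognised once complete, and prompt text that is not at the start of a line is never treated as a prompt, matching the post's observation that the dangerous case is player text appearing first on a line.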

I've asked John Pritchett to determine whether this is the case. If it's not, then I have a few other ideas up my sleeve.
