[MUD-Dev] Re: Quick question re: SSL

sziisoft szii at sziisoft.com
Tue Feb 17 00:28:49 New Zealand Daylight Time 2004

From: "ceo" <ceo at grexengine.com>

> IIRC this is of the "Replay" type of attack - as an attacker, you
> observe the "magic number/token" that is a valid response to a
> server challenge, and then replay the same magic number the first
> time the server challenges you. Of course this is why most
> security protocols include the sender and receiver "addresses"
> inside whatever's encrypted, but my problem here is that I don't
> seem to have a notion of a client "address" which I can actually
> know/check for all clients :(.

> PS caches seem to fairly consistently use the extended
> (i.e. non-standard) HTTP headers to indicate the IP address they
> are routing on behalf of; I haven't checked *every* ISP of every
> player, but I may be able to use these extended headers to infer
> the same IP address for a client, no matter which proxy/cache they
> come via.

Hardware address.  Guaranteed unique per card unless someone
overrides it(which is very rare.)  You can set it up in the SSL as
the auth, then possibly allow that hwaddress(MAC address) in
conjunction with the rest of the security mechanism.  SSL keeps it
from being sniffed, but you run into the possibility of
memory-watchers/decompilation/etc on the client seeing that you're
using the hw address for handshake/auth.  ARP table lookups might be
another implementation.

Security through obsfucation, to a point.

If you're worried about replay attacks, you can break most of them
but staggering/randomizing the TCP sequence number.  If they've
recorded a sequence starting at 1 and your server says "for this
connection we're going to start at 12" then you'll break their
replays.  (and signal all kinds of warning systems.)

Again, easy to beat/hammer through if you know it's going on.
Anyone who'll be trying that kind of attack, though, will probably
have a real-time packet analyser/modification tool and this won't
fool them.

Periodic reauth?  Open up an SSL to your auth server ever "x"
minutes and randomize it.  Separate thread so as not to impact game
performance.  Replay attacks won't work because of the randomized

MUD-Dev mailing list
MUD-Dev at kanga.nu

More information about the MUD-Dev mailing list