Not taking a position here, but reading this made me lol

I also find the lag highly suspicious- it doesn't seem to be aimed at the worldserver in general- it seems to be targeting specific machines.

As far as I'm aware this server is (or was, last time I heard) a cluster of five servers that host various parts of the world. (and by world I mean; the world server, the zone servers, and potentially the login as well)

Some days I've been able to zone/talk/etc just fine- while people on Vent were bitching about "the lag"

This could be for a variety of reasons, but I think it's something like this.


Somehow if you can target a specific server and lag it so it can't talk to the world server you can duplicate an item. As in, either you can force a character not to save or a corpse not to save properly. All the different zones are located on different servers- so the whole world (all tells/whos/etc) can be up while certain other zones are getting hammered to shit. I've also noticed people claiming that login is down while other zones and the world server itself are functioning perfectly normally.

This leads to the other question, why are legitimate looking EQ packets flooding the server? Only a DDoSer with a knowledge or grasp of the EverQuest protocol would be able to craft such an attack, and the fucked up thing is- EQ is UDP for most things in-game. UDP is connectionless and easy to spoof. The attacker could potentially make it look like the entire internet is at some point attacking the server because there is no proper connection state handling in UDP like there is in TCP. So they could be doing it to harass, and again- they could be doing it to lag a zone out to get a very specific outcome.

It would probably be trivial if you had any experience with the EQEmu UDP protocol to send enough fake (and spoofed) data to the server to make it lock up at will, and they probably don't need more than 10-20 computers to accomplish this, as the spoofed packets probably trigger such cpu-heavy EQEmu functionality that the threads routinely deadlock.


A solution? some sort of firewall rule to drop all UDP packets not associated with an already logged-in account. I'm pretty sure the login process is partially TCP based. So the loginserver would have to add an exception to iptables each time someone logged in, and remove it when they left to allow only legitimate UDP packets through. Otherwise the attackers would have to guess the source addresses of other clients and that would be a bit more difficult and could potentially give them away.

Also, one last thing it could be is a mass brute-forcing attack. This loginserver doesn't have any means of locking out an IP address for too many or too frequent failed login attempts. There was a public EQEmu loginserver that I modified to do this- but we're still on the old, and very private EQEmu loginserver from the original days of the project.

I was in EC the other day on my 60 chanter.. selling shit, buying stuffery. For whatever reason decided to buy a batfang headband for a hell of a deal - 75 plat.

I went to do the transaction and the server was spiking hard. I was furiously clicking with my 75 plat to open the trade window and it would, but then open up showing i put 0 plat, so hit cancel. Then he would open up trade window like he had put an item in there but it was blank. Finally after a few minutes I completed the transaction and went on my way. I logged off about an hour and a half later.

Logged on the next day and had the extra 75 plat sitting on my cursor and the item in my inventory, and the guy said he too had the 75 plat in is inventory and the batfang headband on his cursor.

So.. it can happen. Imagine if i was boxing and just trading an AON and 500k between each other and happen to dupe that. Fungi, Donals BP, pick your poison. I hope we are monitoring high value trades between the same characters or something of that nature.

I hate to say it, because there are too many folks wearing tin foil hats around here already...

but, it does seem a little too much of a coincidence that this last wave of "ddos lag" started when ephi shut down platlord in the last round of bans. if platlord is recuperating his stock and this is his method of doing so, then the recent "ddos lag" seems to make a lot of sense.

You would think there would be a "created" date on items, if they can track the item id from person to person the ID had to start somewhere. I cant see it being too hard to look and see if 8 AoNs have been created in the last 3 weeks etc.

However, this might not be the case, not really sure what information the devs have available to them.

Unless these items are tracked client side to a point. Much like how it remembers the server you play on or even which char was seleceted last. I've been discussing this with a buddy since this started. It makes perfect sense.

Following what Bob said, and I'm not DBA, but...

Is it not possible to either add a created date for any item in a characters possession, or alternately create a difference log?

I'm certain the developers can run something analogous to "Select * from Characters where Items_in_inventory like (id of AoN or misc items here)" and compare it to the previous day, etc. This could be automated, until true functionality to stop duping could be added in.

Or hell, generate a GUID and assign one to every item every dropped, although maybe this is too resource intensive.

This is the best post of the thread, honestly- thank you for posting it. It could really explain this whole thing.

Player trades in zones when you lag the worldserver could really easily dupe items now that you mention it. Player profiles are saved on the worldserver I beleve, so this could very well be the cause of all of this.

Items aren't tracked client-side. If the ddos/lag is allowing for dupes, it's an issue of zone-to-database sync.

Does p99 use Queryserv?

I was told that there was an item dupe that makes the server unstable

Given things I'm told recently, it is really hard to sort the bull shit from what's real :P