|
|
|
|
#1
07-22-2013, 09:11 PM
|
|||
|
A serious post about duping
Before we begin I have no solid proof that the "DDOS" lag we are getting is in actuality a group of people duping items using crashed zones.
I also want to acknowledge that I am an inflammatory personality and most of my threads turn into a TMO V FE thread or whatever, this is something I would like to avoid. To begin, Sirken admitted during my interview that the server has an unfixed dupe and he is closely monitoring it, I believe that there is another dupe out there and it involves crashing the zones to duplicate high end items. The reasons I think this lag is a dupe are as follows. 1. A new RMT website has sprung up recently giving rock bottoms prices of plat(I won't link any RMT websites in this post but a simple google search can confirm) 2. A slew of very high end items have currently been put up for sale, Example 1. http://www.project1999.org/forums/se...archid=2342871 Here is EIGHT AoNs being sold by Eight seperate sellers since the beginning of July Example 2. http://www.project1999.org/forums/se...archid=2342874 Here are SIX Thex daggers sold in the same time period by different sellers, some are selling both Thex daggers and AoNs. This does not include the high end items being auctioned in the tunnel as well as the influx of characters seen using AoNs as of late. AoNs are specifically very rare items. Here is TMO's entire history of AoN on our website. [You must be logged in to view images. Log in or Register.] Everyone of those AoN's can be accounted for not a single one has hit the guild bank nor has anyone gone 24 hours with out being rewarded to a member of the guild. Now multiple guilds have slain Cazic Thule and multiple guilds have collected AoNs over the years, IB comes to mind. Most of these AoNs can be accounted for on there respective players or sold over a year ago. 3. This is where you have to imagine with me a bit, Rogean* mentioned that the information being sent to the server that is causing the lag is instead of normal "junk" information that a DDOS uses is actually corrupted EVERQUEST information being shot into the server at a high rate. I am not a computer person whatsoever but this everquest information being sent may be some sort of program or exploit used to duplicate an item. 4. Lets return to the items being duplicated for a moment, Every auction for an AoN/Thex is looking for High end accounts and/or Large sums of platinum. This what I think they are doing. If they duped Fungi tunics or Heiro Cloaks they could effectively stay under the radar as these items sell for a decent amount and are very common. The fact that they are some of the most expensive items in the game tells me that. A.They can only do this for a limited time only and need to make as much plat as possible. B.They know that the increased lag will draw the attention of the server/staff who will fix said exploit. C. They are dumb I think these people are very smart people and laundering these items who will in all probability being taken away by staff, In exchange for items they can sell quicker to the mass via RMT sites. Selling an AoN for $500 i doubt many people would spend that but, turning it into 500k PP or an uber account then selling the plat piecemeal or the account at a "loss" seems like a better solution. So in summery I don't think this is a TMO,FE,IB,whomever DDOSing the server because they are angry nor do I think the people who are doing this are in ANY of the top guilds. It's not because of anger it's not because of banned accounts(zipzop is part of this he was a distraction that we all ate up) This is money pure and simple. This will not stop unless the exploit is fixed or if people wise up and stop buying platinum from these people. Thank you all for reading. *I think Rogean mentioned it in one of my chats but it may of been Sirken or someone else, I'll leave the asterisk there until I can confirm. | ||
|
|
|||
|
#6
07-22-2013, 10:03 PM
|
|||
|
I also find the lag highly suspicious- it doesn't seem to be aimed at the worldserver in general- it seems to be targeting specific machines.
As far as I'm aware this server is (or was, last time I heard) a cluster of five servers that host various parts of the world. (and by world I mean; the world server, the zone servers, and potentially the login as well) Some days I've been able to zone/talk/etc just fine- while people on Vent were bitching about "the lag" This could be for a variety of reasons, but I think it's something like this. Somehow if you can target a specific server and lag it so it can't talk to the world server you can duplicate an item. As in, either you can force a character not to save or a corpse not to save properly. All the different zones are located on different servers- so the whole world (all tells/whos/etc) can be up while certain other zones are getting hammered to shit. I've also noticed people claiming that login is down while other zones and the world server itself are functioning perfectly normally. This leads to the other question, why are legitimate looking EQ packets flooding the server? Only a DDoSer with a knowledge or grasp of the EverQuest protocol would be able to craft such an attack, and the fucked up thing is- EQ is UDP for most things in-game. UDP is connectionless and easy to spoof. The attacker could potentially make it look like the entire internet is at some point attacking the server because there is no proper connection state handling in UDP like there is in TCP. So they could be doing it to harass, and again- they could be doing it to lag a zone out to get a very specific outcome. It would probably be trivial if you had any experience with the EQEmu UDP protocol to send enough fake (and spoofed) data to the server to make it lock up at will, and they probably don't need more than 10-20 computers to accomplish this, as the spoofed packets probably trigger such cpu-heavy EQEmu functionality that the threads routinely deadlock. A solution? some sort of firewall rule to drop all UDP packets not associated with an already logged-in account. I'm pretty sure the login process is partially TCP based. So the loginserver would have to add an exception to iptables each time someone logged in, and remove it when they left to allow only legitimate UDP packets through. Otherwise the attackers would have to guess the source addresses of other clients and that would be a bit more difficult and could potentially give them away. Also, one last thing it could be is a mass brute-forcing attack. This loginserver doesn't have any means of locking out an IP address for too many or too frequent failed login attempts. There was a public EQEmu loginserver that I modified to do this- but we're still on the old, and very private EQEmu loginserver from the original days of the project.
__________________
 Part of me says I can't keep drinking like this. The other part of me says, "Don't listen to that guy. He's drunk" | ||
|
|
|||
 |
|
|
Hybrid Mode
