BaseJKA Security Fix

Description
[quote]This patch supposedly prevents various types of attacks on JKA servers. The attacks in question are Denial Of Service, buffer overflow, "fake players". As a bonus, the patch also corrects the inherent terrible-ness of JKA's built-in logging system with various enhancements to server logs.

Sounds good, doesn't it? Well, I'm going to keep this short, because otherwise I might end up circumventing FileFront's Acceptable Use Policy, and being fired and possibly sued is never a good thing.

Let me just say that I found one inherent flaw with this. It only tends to work against these attacks when they are generated by the various utilities scattered around the internet.

When using such a utility (which the author kindly - albeit unintentionally - provided me with for testing purposes), the patch worked like a dream on blocking Denial Of Service attacks. It was only semi-successful with the fake players - I managed to flood JA+, Lugormod and Makermod servers to the point of them having hardware crashes, yet JAE was tight as a button. (I didn't try ClanMod, so if anyone would like to test it for me and post the results in the comments, it would be appreciated - just let your server provider know that you're going to attempt a flood attack first so that they don't cut your service!)

(I've never had a buffer overflow error in my life, and wouldn't know how to replicate it even if I tried, since baseJKA automatically caps off command strings at a reasonable limit below the crash-point level.)

However, when not using a utility - i.e. carrying out manual attacks - there was really no change in the effects between when this patch was installed and when it wasn't. I still managed to thrash the servers* the same way I could even if the patch hadn't been installed, but I believe that's probably because unlike a program, humans are dynamic - we don't follow a pre-set subroutine and therefore we're less predictable, and thus the patch can't really block us because it doesn't know what to expect, therefore since it doesn't know what to expect it doesn't know how to react.

So, as a general rule, against someone who really knows what they're doing, the effects of this security fix will be limited. However, since that kind of "hacker" is generally working at security software companies earning a six-figure salary rather than sitting at home crashing game servers, all you have to worry about are the little Matrix-era haxor kiddies who make up stories about "hackin' mainframes and shizzle" when they tell their friends about how they downloaded an Eminem MP3 - and against that kind of person, this patch will do a very nice job of securing your server.

Server owners, this patch may just do you a few favours, so it's a very useful add-on to have in your defensive arsenal.

Oh, and as a side note, if any of you are one of the haxor kiddies I described above, then please do society a favour, and take the blue pill. >_>

~ Kouen


* I would just like to add as a postscript, that I would never do such a thing for any reasons other than purely scientific or technological ones.[/quote]There are various changes in this 1.1 update, and rather than speculating on them despite having little knowledge in this department, I'll just list them for server enthusiasts to mull over themselves:
[list][*]The help page is now automatically displayed only on the very first connection, as opposed to connections when you are carried over from a previous map, or at the end of a duel turn.
[*]Names such as "**Spamzor" are automatically converted to "*Spamzor", so a display bug, causing chat lines from such a player to be displayed in both the chat box and the server broadcast line, cannot be exploited anymore.
[*]Fixed a false positive in my bot detection scheme: bots were detected as a fake player attack ; although this had no real consequence, it was a source of confusion in the logs
[*]Logs now differentiate connections from bots and from real players.
[*]Messages from the dedicated server have been made slightly more visible: the tag is now [SERVER], with colors. I would have liked to do the same with the /svsay command, but it can't be altered, as it is hard coded into jampded instead of jampgame. Go figure...
[*]The IP is now logged each time somebody changes their names.
[*]Added the /(t)ime client command, displaying the local time of the server
[*]Added cvar ga_doNotAllowDualKataSpin, default 0, preventing anyone in a dual kata from spinning like a madman. (slightly buggy, as the screen seems to vibrate when moving the mouse, but it works.)
[*]Added cvar ga_nameLengthLimit: names will be truncated not to exceed that length. Note that color escape sequences, such as ^1, are not counted.
[*]Some ga_* cvars are now marked as serverinfo (external tools can read them).
[*]Added the /info client command and ga_serverInfo cvar. /info displays the contents of the cvar. Admins can put rules, etc in there, and any player can read it anytime.
[*]Anti model/color change spam/lag: any player can now freely change their info only 50 times per map (unless they reconnect of course). After that, they need to wait for three full seconds between each change. This should not inconvenience any legitimate player, and protects everyone on the server from the lag which can be created by fast and furious sustained userinfo change.
[*]Added another log file, ga_ConnectLog.txt, listing every connection and full userinfo, and nothing but that, which is now created by the server.
[*]The logs now use real time.[/list]Make sure to check out the rest of the read-me for more features and more details on these updates. Also keep in mind that this mod is meant to be used with baseJA and does not promise protection with other server-side mods.

This also includes source code for those interested!

~Inyri