Are SOs automatically reconnected?

Hello list,

I'm trying to figure out some unusual activity on my server.

If I lose connection to the server while connected to a shared object, then reconnect the server, is the shared object automatically reconnected, too? This is flash.

The background is the following: For a long time I didn't have any security for the actual messages being exchanged in my chat room. Now lately someone has started to inject RTMP packets (I have no clue how) into the data stream between server and chat applet.

So I've started to sign the communication packets, so they could not be spoofed. As a result, the person has started to just copy packets, to spam things.

Since both the messages and the signature contain the connection ID I've started to match the sent connection ID against the real one in onSharedObjectSend().

Now some warnings appear for spoofed messages, which COULD be a race condition on reconnect. If the client reconnects, it receives the new connection ID from the server and should not do anything before that. But if SOs would be automatically reconnected, some of the SO functions could fire with the old ID. This does sound unlikely, but some of the spoofing attempts come from an internal message type, which is triggered a lot through the SO and makes very little sense to mess with. ;)

tl;dr: see second paragraph. ;)

Thanks,

Thomas

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

Re: Are SOs automatically reconnected?

How about incrementally numbering your outgoing messages and have the receiving end (either server or client) ignore any messages with a number that already has been received?

Re: Are SOs automatically reconnected?

> Now lately someone has started to inject RTMP packets (I have no clue how)
> into the data stream between server and chat applet.

Using a sniffer, they are reading the name of the service calls, then connecting from some IDE like flexbuilder where they can quickly build an array of calls.

The other problem is the 'someone'. It is time to connect real accounts with users on red5 to eliminate the 'someone' and turn it into an id/ip.

Assuming you have some SQL, add a column for a session variable. Create a hash out of some random information, and store it in a db associated with the user who logs in.

Give this hash to the user as a flash var. Your flash code must give this variable to red5. Red5 will reject any client without a valid hash in the db. Hash is not shared between users.

Now when spam comes in, you have an account identified with the spammer, and other users can kick/ban.

If you lose connection of the netconnection to the point that you get a netConnection.Closed status message, you must manually reconnect any shared object.

----- Original Message -----
From: "Thomas Auge" <auge@...>
To: <red5@...>
Sent: Saturday, July 04, 2009 5:19 AM
Subject: [Red5] Are SOs automatically reconnected?

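
Added example, not part of the original thread: a minimal sketch of the token flow described in the message above, using an in-memory SQLite table. The table, column and function names and the five-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime; not a value from the thread


def _digest(token: str) -> str:
    # Only the hash is stored, so a database leak does not expose usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def init_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE session_tokens ("
        " token_hash TEXT PRIMARY KEY,"
        " user_id TEXT NOT NULL,"
        " expires_at REAL NOT NULL)"
    )
    return db


def issue_token(db, user_id, now=None) -> str:
    """Web app, at login: create a random per-user token for the flashvar."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO session_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
        (_digest(token), user_id, now + TOKEN_TTL_SECONDS),
    )
    db.commit()
    return token


def admit(db, token, now=None):
    """Media server, on connect: return the account behind the token, or None."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT user_id FROM session_tokens WHERE token_hash = ? AND expires_at > ?",
        (_digest(token), now),
    ).fetchone()
    return row[0] if row else None


def revoke_user(db, user_id) -> int:
    """Kick/ban: drop every token of the account; returns how many were removed."""
    cur = db.execute("DELETE FROM session_tokens WHERE user_id = ?", (user_id,))
    db.commit()
    return cur.rowcount


def demo() -> list:
    """Constructed scenario with two accounts, fixed clock values for repeatability."""
    db = init_db()
    alice = issue_token(db, "alice", now=1000.0)
    bob = issue_token(db, "bob", now=1000.0)
    return [
        admit(db, alice, now=1010.0),            # valid token, account is known
        admit(db, bob, now=1010.0),              # tokens are per user
        admit(db, "made-up-token", now=1010.0),  # no valid hash in the db
        admit(db, alice, now=1000.0 + TOKEN_TTL_SECONDS + 1),  # expired
        revoke_user(db, "bob"),                  # ban removes bob's token
        admit(db, bob, now=1010.0),              # banned account cannot connect
    ]


if __name__ == "__main__":
    print(demo())
```

The token is a bearer secret: whoever can read it in transit can present it, so the check is only as strong as the channel that carries it.
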
Re: Are SOs automatically reconnected?

Also, I suspect when the system is effective, there will be nothing left to do for him/her except write swf that spam the server with connection attempts, which may be your race condition.

Implementing shared object security, you can reject any connection that has not yet been verified by your system. Which may require you to re-write the client to wait for verification before gaining shared objects.

----- Original Message -----
From: "Walter Tak" <walter@...>
To: <red5@...>
Sent: Saturday, July 04, 2009 6:03 AM
Subject: Re: [Red5] Are SOs automatically reconnected?

Re: Are SOs automatically reconnected?

On Sat, Jul 4, 2009 at 8:13 PM, Andy Shaules <bowljoman@...> wrote:

Yeah, and where is the security? If I'm "man in the middle" I still can grab that hash... I suggest RTMPS

Re: Are SOs automatically reconnected?

Flash has no functionality to auto-RE-connect a netconnection.
you programmed the code to reconnect, you should know what it does.

> Now lately someone
> has started to inject RTMP packets (I have no clue how)

that's easy, try by yourself using a socket in flash instead of "NetConnection", you will be able to emulate anything that doesn't have access to protocol level (check protocol headers for example), your client, a browser, what you want.

btw, that's the way most "illegal" "bots" or even fake senders for input data (registration and stuff on forums) work.

try java, c or anything else with a lil bit more power than flash and you can emulate also that.

> So I've started to sign the communication packets, so they could not be
> spoofed. As a result, the person has started to just copy packets, to spam
> things.

be happy, your spammer can not code well.

> Now some warnings appear for spoofed messages, which COULD be a race
> condition on reconnect. If the client reconnects. It receives the
> new connection ID from the server and should not do anything before that.
> But if SOs would be automatically reconnected some of the SO functions could fire with the old ID.

You made SO with functions? how that goes?

I guess you open a new NetConnection, you should treat it as it is, a new connection, you need to clean out information/variables and reset flags.

may try to make good clean code for server and client side and you won't receive warnings.

About your spammer, it will be a script kiddie, no one else tries to "hack" a chat system, get a lawyer or wait till he is sad, anything between is a waste of time.

@ Andy, nice ideas, but worthless, why should someone coding his own client not fake and respond what you send him?

@ Eugen MITM isn't needed, try wireshark to sniff, read out the data needed, connect with your own made client, receive data that id's you, respond to them, you think too complicated.

if there is an unwished access to user accounts themselves, find out if the problem exists in your system or on user side where the user (willing/knowing or not) gave the access data away.

greetz
Sascha

Re: Are SOs automatically reconnected?

Before someone talks about flash policy files and sandbox, run flash in a projector or use zinc...

greetz

Re: Are SOs automatically reconnected?

Or just use AIR.

Jake

On Sat, Jul 4, 2009 at 12:09 PM, Sascha Sauren <sascha.sauren@...> wrote:
> Before someone talks about flash policy files and sandbox, run flash

Re: Are SOs automatically reconnected?

Good idea. That'd close the last loophole of the client spamming one of his own messages. (Though I do filter messages with identical signatures as the last one on the other clients, but spamming alternating messages would still work).

> How about incrementally numbering your outgoing messages and have the
> receiving end (either server or client) ignore any messages with a
> number that already has been received?

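
Added example, not code from the thread or from Red5: a server-side check that combines the connection-ID-bound signature from the original post with the incrementing message number suggested in the first reply. It assumes a per-connection HMAC key handed to the client during the existing handshake; all function, class and field names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct


def sign(key: bytes, connection_id: str, seq: int, body: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed connection ID, sequence number and body."""
    cid = connection_id.encode("utf-8")
    data = struct.pack(">I", len(cid)) + cid + struct.pack(">Q", seq) + body
    return hmac.new(key, data, hashlib.sha256).digest()


class ReplayGuard:
    """Server-side state: one key and one sequence counter per live connection."""

    def __init__(self) -> None:
        self._conns = {}

    def open_connection(self, connection_id: str) -> bytes:
        # Assumption: this key reaches the client inside the existing handshake.
        key = secrets.token_bytes(32)
        self._conns[connection_id] = {"key": key, "last_seq": 0}
        return key

    def close_connection(self, connection_id: str) -> None:
        # Dropping the state means packets recorded on the old connection
        # can never verify again after a reconnect.
        self._conns.pop(connection_id, None)

    def check(self, real_id: str, claimed_id: str, seq: int,
              body: bytes, tag: bytes) -> str:
        """Return 'ok' or the reason the message is rejected."""
        state = self._conns.get(real_id)
        if state is None:
            return "unknown-connection"
        if claimed_id != real_id:
            return "connection-id-mismatch"
        expected = sign(state["key"], real_id, seq, body)
        if not hmac.compare_digest(expected, tag):
            return "bad-signature"
        if seq <= state["last_seq"]:
            return "replayed"
        state["last_seq"] = seq  # only advance on a fully verified message
        return "ok"


def demo() -> list:
    """Constructed traffic: two genuine messages, then copies of them."""
    guard = ReplayGuard()
    key = guard.open_connection("conn-1")
    m1 = ("conn-1", 1, b"hello", sign(key, "conn-1", 1, b"hello"))
    m2 = ("conn-1", 2, b"again", sign(key, "conn-1", 2, b"again"))
    results = [
        guard.check("conn-1", *m1),  # genuine
        guard.check("conn-1", *m2),  # genuine
        guard.check("conn-1", *m1),  # copied packet, alternating with ...
        guard.check("conn-1", *m2),  # ... a second copied packet
        guard.check("conn-1", "conn-1", 3, b"forged", m2[3]),  # reused tag
    ]
    # Reconnect: the client gets a new connection ID and a new key.
    guard.close_connection("conn-1")
    guard.open_connection("conn-2")
    results.append(guard.check("conn-2", *m1))  # old packet on the new connection
    results.append(guard.check("conn-2", "conn-2", 1, b"hello", m1[3]))  # relabelled
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Unlike a filter that only compares against the last signature seen, the counter also rejects copied messages that alternate.
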
Re: Are SOs automatically reconnected?

> Using a sniffer, they are reading the name of the service calls, then
> connecting from some IDE like flexbuilder where they can quickly build
> an array of calls.

I need to check out flexbuilder - so far I thought it was an IDE similar to regular Flash?

Thing is, they are connecting the actual client. The client is encrypted (= obscured to the point no decompiler can handle it :) and without a decompiled client it's pretty much impossible to spoof the challenge/response handshake for the authorization. Then while they are connecting, they are adding RTMP packets. I don't know if it's injected in the same connection or if they are actually opening a new one. But why connect with the regular client first then?

Also the server does check the referer the client is including. I know that this is no security at all on a professional level, but we are talking about hurt egos with some google talents here. I doubt they can snoop and resend packets or even build their own RTMP connect with arbitrary parameters. They must be using some sort of tool for it, and if it runs in the flash client, at least the referer cannot be spoofed, can it?

> The other problem is the 'someone'. It is time to connect real accounts
> with users on red5 to eliminate the 'someone' and turn it into an id/ip.

Can't do that. Some versions of the chat are completely open without a login. There is just a ban mechanism, which checks IP, a fingerprint, and stuff like that. But that's a manual process not tied to an account or such.

> Assuming you have some SQL, add a column for a session variable. Create
> a hash out of some random information, and store it in a db associated
> with the user who logs in.
>
> Give this hash to the user as a flash var. Your flash code must give
> this variable to red5. Red5 will reject any client without a valid hash
> in the db. Hash is not shared between users.

That's something to consider. Though the database is on a different machine, but since they are on the same network, the delay should be negligible.

> If you lose connection of the netconnection to the point that you get a
> netConnection.Closed status message, you must manually reconnect any
> shared object.

Hm, then this can't be an accident.

Thanks! :)

Re: Are SOs automatically reconnected?

> try java, c or anything else with a lil bit more power than flash and
> you can emulate also that.

I refuse to believe someone is emulating the whole protocol on a socket level. It's a fricking chat! :-)

>> So I've started to sign the communication packets, so they could not be
>> spoofed. As a result, the person has started to just copy packets, to spam
>> things.
>
> be happy, your spammer can not code well.

Nah. He can't spoof the signature. He'd have to send at least one packet with the correct sender address, which would give him away. ;)

> You made SO with functions? how that goes?

Uh?

so["newMessage"] = Delegate.create(this, chatMessage);

How else do you use SOs? :P

> I guess you open a new NetConnection, you should treat it as it is, a
> new connection,
> you need to clean out information/variables and reset flags.

I do. I just did not clear the SOs, because I figured they'd die with the connection. (Which it seems they really do.)

> may try to make good clean code for server and client side and you
> won't receive warnings.

This chat was my first flash project. Until I discovered red5 I also avoided Java like a disease. Now the project is a serious mess with a few thousand people using it. Can't go back and start over now. :-)

> About your spammer, it will be a script kiddie, no one else tries to
> "hack" a chat system,
> get a lawyer or wait till he is sad, anything between is a waste of time.

It's two people we banned, because they are serious assholes. They are very persistent, but shouldn't be smart enough to pull something like that off. I guess they hired some help. ;) (Yes, they would hire someone for this. They are ... unusual people.)

> @ Andy, nice ideas, but worthless, why should someone coding his own
> client not fake and respond what you send him?

He'd have to use a valid hash and he will only know "his" hash. So spoofing one would only work through brute force, which is kinda noisy. ;)

> @ Eugen MITM isn't needed, try wireshark to sniff, read out the data
> needed, connect with your own made client, receive data that id's you,
> respond to them, you think too complicated.

tcpdump? ngrep? ;)

> if there is an unwished access to user accounts themselves, find out if
> the problem exists in your system or on user side where the user
> (willing/knowing or not) gave the access data away.

It has to work without accounts. That's one of the biggest concerns. I think that chat has the most sophisticated chatroom ban system on the internet. hehe :)

Thomas

Re: Are SOs automatically reconnected?

> I refuse to believe someone is emulating the whole protocol on a socket
> level. It's a fricking chat! :-)

first, you don't really need that... not for what your spammer does, i made several bots for browser games only doing post get http requests simulating the browser, also some things i programmed as shoutcast module for a flash based mp3 and webradio player use this technique...

and about the other stuff... but better believe...

msn chat WAS a chat system using an active x control and was using low ping irc servers as backend... the msn chat system closed somehow 5 or 6 years ago, the chat control (ocx) is still in use by several ppl... there are several approaches of groups that may be not less than 150 ppl that use this chat system, those made several PHP servers that emulate the ASP (MSNW) network the chat control needs as well... and rewrote IRC server to work for this active x client :)

~~~~~

and there are still mIRC scripts allowing ppl to flood those chat servers made for only this ocx client... if you find some of these networks, try to ping the whole room with about 12 pings in a 1.45-1.65 second interval with 3 clients simultaneously and all the clients in chat will be disconnected from the server because the responses are flooding then :) ....

another funky thing had been unkickable nicknames that were existing in 2002 in msn chats for about 7 months. i remember a site where unkickable nicknames had been available for about 4 months had over 200.000 unique clicks per month at that time :), btw. it was my site ;)

AND yes it is just a chat... you forget how much it is important to a 14 y old boy to be "the king"...

and uhm for truth... when i remember right it was very funny to join a chatroom with a name and account that is banned right after you got banned by a system admin from almighty microsoft chat systems :D...

that's why i said, anything between a lawyer and doing nothing special than implementing usual security is a waste of time...

also... yet it is a spammer, maybe a script kiddie only, what if it will be a viagra seller, make your breasts bigger, hello i am linette pls sms me for just about.... guy ;) those guys often use chat systems :)

but it's your chat... i wouldn't like to manage one, ppl have an ugly behaviour in chats :) most of them