Good idea. That'd close the last loophole of the client spamming one of
his own messages. (Though I do filter messages with identical signatures
as the last one on the other clients, but spamming alternating messages
would still work).
> How about incrementally numbering your outgoing messages and have the
> receiving end (either server or client) ignore any messages with a
> number that already has been received?
>
>> Hello list,
>>
>> I'm trying to figure out some unusual activity on my server.
>>
>> If I lose connection to the server while connected to a shared object,
>> then reconnect to the server, is the shared object automatically
>> reconnected, too? This is Flash.
>>
>> The background is the following: For a long time I didn't have any
>> security for the actual messages being exchanged in my chat room. Now
>> lately someone has started to inject RTMP packets (I have no clue how)
>> into the data stream between server and chat applet.
>>
>> So I've started to sign the communication packets, so they could not
>> be spoofed. As a result, the person has started to just copy packets,
>> to spam things.
>>
>> Since both the messages and the signature contain the connection ID
>> I've started to match the sent connection ID against the real one in
>> onSharedObjectSend().
>>
>> Now some warnings appear for spoofed messages, which COULD be a race
>> condition on reconnect. If the client reconnects, it receives the
>> new connection ID from the server and should not do anything before
>> that. But if SOs would be automatically reconnected, some of the SO
>> functions could fire with the old ID. This does sound unlikely, but
>> some of the spoofing attempts come from an internal message type,
>> which is triggered a lot through the SO and makes very little sense to
>> mess with. ;)
>>
>> tl;dr: see second paragraph. ;)
>>
>> Thanks,
>>
>> Thomas
>>
>> _______________________________________________
>> Red5 mailing list
>> Red5@...
>> http://osflash.org/mailman/listinfo/red5_osflash.org
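
Added example, not part of the original thread and not Red5 code: a Python version of the numbering scheme suggested above, combined with the signature and connection-ID check described in the original post. HMAC-SHA256, the shared key, the field layout and all names are assumptions, and the traffic in `demo()` is constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret shared by signer and verifier


def sign(conn_id, seq, body, key=KEY):
    """HMAC-SHA256 over connection ID, sequence number and message body."""
    header = conn_id.to_bytes(8, "big") + seq.to_bytes(8, "big")
    return hmac.new(key, header + body, hashlib.sha256).digest()


class Receiver:
    """Accepts each sequence number at most once per connection ID."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = {}  # conn_id -> highest sequence number accepted so far

    def accept(self, real_conn_id, conn_id, seq, body, tag):
        # 1. Signature must cover the claimed connection ID and number.
        if not hmac.compare_digest(tag, sign(conn_id, seq, body, self.key)):
            return "bad-signature"
        # 2. The signed connection ID must be the one the message arrived on.
        if conn_id != real_conn_id:
            return "wrong-connection"
        # 3. Numbers must strictly increase; anything else is a copy.
        if seq <= self.last_seq.get(conn_id, -1):
            return "replay"
        self.last_seq[conn_id] = seq
        return "ok"


def demo():
    """Constructed traffic: two genuine messages, then copies of them."""
    rx = Receiver()
    m1 = (7, 0, b"hello", sign(7, 0, b"hello"))
    m2 = (7, 1, b"world", sign(7, 1, b"world"))
    forged = (7, 2, b"spam", b"\x00" * 32)
    return [
        rx.accept(7, *m1),      # genuine
        rx.accept(7, *m2),      # genuine
        rx.accept(7, *m1),      # alternating copies get past a
        rx.accept(7, *m2),      # "same as last signature" filter, not this
        rx.accept(8, *m1),      # old-connection message after a reconnect
        rx.accept(7, *forged),  # injected packet without a valid signature
    ]


if __name__ == "__main__":
    print(demo())
```

Because the sequence number is inside the signed data, a copied packet cannot be renumbered without invalidating its signature.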