TinyMUX 2.4: ATTACK
Last Update: May 2004
You should familiarize yourself with defensive procedures that serve to
thwart the effects of attacks. Don't wait until an attack is mounted
against your game to begin learning how to defend it against an
attacker. Practice for this eventuality now.
Player Creation:
----------------
If you are running an open game, it is possible for an automated script
to create players faster than you can can destroy them. Even if a group
of people are doing it manually, the odds are they can create player
objects faster than you can destroy them.
As a WIZARD, there are a few remedies available to you:
@disable logins
As #1, there are some additional remedies available to you:
@admin register_site=0/0
@aahear attack:
---------------
With MUX 2.2 and later, the @aahear exploit is no longer as useful to
attackers as it once was. This attack was usually mixed with other
forms of attack to obscure it.
@pemit/page attack:
-------------------
The combination of lwho() and @pemit can be used for spamming.
As a player, WIZARD, or #1, you can prevent being spammed by:
&CANPAGEME me=0
@lock/page me=CANPAGEME/1
@admin pemit_far_players=0 (the default)
Attack on the queue:
--------------------
Usually, putting lots of commands on the queue will drain an attackers
store of coins. However, if they happen to obtain the free_money power
(or WIZARD permissions...by which time you're toast anyway), then they
can attack the queue.
As a WIZARD or #1, there are a few remedies available to you:
@disable dequeueing
Attribute attack:
-----------------
The server will not allow more than a few thousand attributes per
object. This attack is no longer feasible.
Attribute Name Attack:
----------------------
Attribute names are different than the attribute values they name. By
default, mortals are not allowed to create more than 5000 new names per
hour. See 'wizhelp user_attrib_per_hour'. However, the site admin
still needs to keep an eye on attribute names as described below in
'General Server Hygiene'.
@Mail Attack:
-------------
Mortals are not allowed to send more than 50 @mails per hour. However,
the site admin still needs to keep an eye on the size of @mail. See
'wizhelp mail_per_hour'.
CPU Slaming:
------------
There are ways of consuming hours and days of CPU time with carefully
chosen softcode. The lag_limit configuration option controls the point
at which the server abbreviates its efforts. In some ways, this is
like hitting a Function Invocation Limit. One additional thing that
hitting a lag_limit does is @halt the offending code.
General server hygiene:
-----------------------
There are a few things you should do on a regular basis:
- Backups. Off-line backups. Don't expect much sympathy if you
can't put your hands on a good backup.
- Good backups. Manually verify that your backups are valid and
complete. Don't expect much sympathy if you can't put your hands
on a good backup. Did you put your backup on a ZIP disk? Can
you still read it? Do you smoke?
- Backup often. How much work are you willing to lose?
- Keep an eye on how much CPU and memory your server process is
consuming. Your memory usage will gradual increase and slowly
approach some number. If your memory usage suddenly goes above
this, something is wrong. If your CPU usage is not usually 0% or
on a busy game, less than 5% for awhile, Look for an attack in
progress. Get a 'feel' for what is normal for you game and be
sensitive to what might be abnormal.
ps ux -A
- Keep an eye on attribute names (Vattr names) with the following
command:
@list hashstats
The column you care about is the 'entries' column. This number will
always increase, however, stale names can be removed by #1 using the
@dbclean command. Run @dbclean approximately every 3 months.