MM this doesn't look like what i had in mind during irc chat. Here is my analysis of problem (no implementation done yet): Problem: Metaserver currently down Reason: DOS attack (polluted server list?) Solution: Revise protocol Things to care about: - DOS resistance and prevent list pollution - Redundancy to avoid downtime and easiness of redundant node creation - Reliability of data - redundant node should be able to be hosted on any web enabled isp (no active script) Analysis of current metaserver behavior: Currently, when a public server starts, it registers to the metaserver, using a simple protocol. It provides a server address, a description and a name. After, it updates the metaserver on a regular basis to inform it about current number of players. The metaserver keep track of servers for about one day. This protocol is subjet to several limitations: - Somebody could register lots of fake servers (DOS) resulting in client having to download a huge list of servers. - Somebody could register a server, faking another server, to gather passwords. - If the server crash and re-register to metaserver, old entry is not deleted, resulting in pollution of list when a server is unstable. - The informations from metaserver can not be trusted in any way. - If metaserver crash, no client can see a list of servers - udp/ip used for registering make it easy to do impersonate ips (attacker potentially untrackable) The proposition i'll make to create a new handling for metaserver will address all those limitations. Prevention of fake servers and list pollution, limitations on DOS: The list of public servers is something quite static. Unless when used for testing purposes, if someone starts a public server this is for at least a few week. For this, i suggest the addition of server to the metaserver list be something needing manual metaserver admin intervention. The sourceforge bugtrack allows the creation of new named bugtrack lists. This is currently the case for RFE (request for enhancement). I suggest to create a new buglist named Server. This list will be used by server admins to request for the register of their server in the metaserver list. Metaserver admins would then check the validity of entry and process the registration. We could also perhaps configure this list to request user authentification by sourceforge. The request must contain the servername, the server ip address or dns address (dynamic dns should be tolerated), the server admin email address, a server public description. Redundancy: The list of servers would be made available in a serverlist file, available on the metaserver root node. This list file will be downloaded on a regular basis by mirror nodes. The client could connect either to the root node, either to a mirror node to grab the list of public servers Trust of metaserver datas. Because of replication between nodes, there should be a way to ensure the list has not been tampered (preventing someone to fake a server). The client should have a list a public keys corresponding to the keys of metaserver root node admins. The server list must always be signed by a root metaserver node admin, probably the one doing the manual update and client would check the signature of list before using it. DOS resistance: The client should be always shipped with an uptodate static list of metaservers and list of servers. If root metaserver node is down, meaning the list of metaservers can not be found, client use cached metaserver list to grab a mirror metaservers. If it can't connect to any metaserver, it uses the cached server list and diplay it to user. Overall client process: - get the metaserverlist from sf if possible and check signature. If anything fails, fallback to cached list. If cached list fail, fall back to static list - connect to a random metaserver in lsit and process a GET for the url listed in the metaserver list. If this fail, or signature check fails, process to another metaserver. - update cached metaserver list - if all metaservers fails, process with cached server list and if it fails, process with the static server list. - update cached server list - for each server in list, eventually connect to it and grab it's current statistics (number of players, uptime, aso) Replication process: This is quite easy, each mirror node just has, on a regular basis, to download a specific file from root node and publish it. This could be done on any linux box with a wget <root node> followed by an ftp <isp url>, the box executing the mirroring script does not have to be the one serving the files. (ie i can run a script twice a day on my dsl connected linux box to publish the mirrored file to http://users.skynet.be/tchize/server.list, i don not need my dsl linux box to be permanently connected (just twice a day). Drawbacks: metaserver does not keep anymore statical informations on server. Clients are supposed to gather such information themself (note this is a quite common behavior for first person shooter games) process of adding a new public server is a bit slow (wait for admin approval and then replication) Advantages: DOS resistant No single point of failure (isp's are quite difficult to DOS and even if all metaserver are under heavy load client can still rely on on cached datas) Server list can be trusted. Mirror can be put on most ISP (personal web spaces gracefully provided by provider) Le Vendredi 27 Mai 2005 06:16, Brendan Lally a écrit : > since the previous metaserver has shown itself to be unable to deal with an > attack, and since having a metaserver is a nice thing, I have over the last > few days been writing a distributed HTTP-based replacement. following a > design described on IRC by TechII and Tchize (among others). > > This system comprises of a series of metaservers and a metametaserver. > > The metaservers collect server information, and propagate it to the > metametaserver, and the metametaserver collates this and makes it available > to all the metaservers. > > The metametaserver is /only/ connected to by the metametaservers and can be > firewalled off from all but a small number of IP adresses. This will make > it hard to attack. > > The metaservers are vulnerable, but there are several (at least half a > dozen) and can be run on any webserver with php support (or even without, > I'll clarify below) > > As of now, the web-based scripts operate as they should, and most > show-stopper bugs appear to have been found. > > Metaservers can exist in two forms, what I call active and passive, active > webservers allow the game servers to add themselves, they require php. > > passive servers merely mirror the server list and metaserver list, any > webserver can support these. > > What is left is client and server support, plus maybe a few tweaks to > filelocking and bizzare character filtering. > > Before I start doing that though, I would like to be able to freeze the > server entry format. currently an entry looks like: > > cat2.dynu.ca 13327 1117165607 version 1023 1027 Crossfire Server > cat2 1.7.0CVS no description > > with two lines, the top line being the port, ip or hostname of the server, > (unix) time of the server entry and the protocol header. > > the second line contains information shown to the player, server name, > server version, and comment. > > The question is, are other fields needed, and if so what? (player maybe > could be one). > > the tracker item > http://sourceforge.net/tracker/index.php?func=detail&aid=1208250&group_id=1 > 3833&atid=313833 contains various files related to this. > > _______________________________________________ > crossfire mailing list > crossfire at metalforge.org > http://mailman.metalforge.org/mailman/listinfo/crossfire -- -- Tchize (David Delbecq) tchize at myrealbox.com Public PGP KEY FINGERPRINT: F4BC EF69 54CC F2B5 4621 8DAF 1C71 8E6B 5436 C17C Public PGP KEY location: http://wwwkeys.pgp.net/pgpnet/wwwkeys.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://shadowknight.real-time.com/pipermail/crossfire/attachments/20050527/1dd83250/attachment.pgp