tchize wrote: > MM this doesn't look like what i had in mind during irc chat. Here is my > analysis of problem (no implementation done yet): A few notes. > > > Problem: > Metaserver currently down > Reason: > DOS attack (polluted server list?) My understanding is a flood of client requests trying to get data from the metaserver. Unknown if this is broken clients or something else. That said, the current metaserver implementation isn't that good (one change I made was to not send metaserver info to someone that connected in last minute or so). However other things could be done, like also putting a small sleep in the sending of data. > - Somebody could register lots of fake servers (DOS) resulting in client > having to download a huge list of servers. Correct. > - Somebody could register a server, faking another server, to gather > passwords. Yes - that could be improved by having the metaserver verify the hostname provided against IP. The problem here is that DNS lookups can be a slow operation, so can't be done in the very simple script used now. And if a threaded/forked call is done, you then have to sort out data consistency and file locking. > - If the server crash and re-register to metaserver, old entry is not deleted, > resulting in pollution of list when a server is unstable. Not true. Metaserver has no idea when it gets the UDP packet from the server if that server has restarted or if it is one of the periodic updates. It looks through the entries it has, and if it finds a matching one, updates it. The problem has been people running servers on dynamic ip adresses. It is the IP address the server uses to match for duplicates. So what happens is someone is running the server on a server that gets it via DHCP, and that server is restarting or whatever with new IP addresses, so you get a flood from that. One change was to reduce the timeout of servers we haven't get info from from 1 day to something like 60 minutes (even that is actually a bit long - if we haven't gotten data, unlikely server is up) > - The informations from metaserver can not be trusted in any way. > - If metaserver crash, no client can see a list of servers > - udp/ip used for registering make it easy to do impersonate ips (attacker > potentially untrackable) all true. > > Overall client process: > - get the metaserverlist from sf if possible and check signature. If anything > fails, fallback to cached list. If cached list fail, fall back to static list Note that this would seem to put a single point of failure on SF being up. It often is, but doesn't always seem to be the case. However, looking at the proposal, I have a few questions/thoughts. Since it seems that server admins will need to notify the metaserver admin to be listed, and it seems that some amount of the dynamic data currently listed won't be as up to date (due to timing, or perhaps not being included), it seems that this isn't that far away from just having a static HTML page that someone updates that is then replicated. Which of course isn't really what the metaserver is about. Just a thought - has anyone looked at what other games do (nettrek I think would be one example) - presumably, some games have already put a lot of thought into this - it could be simpler to just grab there server and client code and go from there.