(Or what can go wrong)
(Real Case Study)
To begin with, this paper could be more like a practical guide than a theoretical one, describing what can go wrong and what the differences between knowledge and experience are, and finally helping someone new to understand that security is not only about computers. It involves people, situations and numerous factors that we can’t fully control.
To begin with, this is a picture of the place of the “Crime”; most of the computers used for the server are present.
The idea and early stages of development
It all began from an idea, a passion for a game that I had been playing for some time. Since the company that created the game announced that it would soon be p2p (pay to play), I started searching for an alternative solution to play without having to pay for the game. I discovered the world of private servers. This, in a few words, is the release of the official server files of the specific game (stolen, of course) so that people can set up the server at their house and, with some modifications to the client files, make their home computers gateways for people to play that game.
At the beginning, I started playing at those servers and was glad I was able to enjoy my favourite game free of charge, but then I started thinking “why not make my own server?”, since many good private servers existed around but I didn’t fully like the settings of any of them. And then the whole story starts.
A good server needs money, and I understood that the moment I downloaded the server files. New RAM was bought, and then some more, raising my RAM to 1.5 gigabytes in total. Two SATA hard drives @ 1000 RPM were bought to make the game faster (fast hard drives were needed for log making and processing and for the general speed of the game server itself).
Then came the web server part. Somehow people should be able to register in order to play the game, check their status and their ranking, and do more game-related tasks from the web. As a web server, IIS was chosen, as it was the best solution mentioned in the forums at that time.
Finally, MSSQL personal edition 2000 was chosen for the database. No other solution could be chosen, since the server already had a pre-made schema and many procedures that could not be transferred to other databases easily.
So given all that (web server, database server, new machine and game server files) everything should be working correctly.
But it didn’t.
After spending 2 days trying to make one part work with everything else and after trying all the different configurations, I came to the point of saying “I give up”. It was more than a relief, as this whole server thing had become more of a headache than a pleasure.
Days passed and finally the server I was playing on closed. Well, that’s when I said it’s time to work, and I started reading about all the keywords that the “installation manual” had. Well, I can admit that was the most creative week I have ever had in my computer career. DHCP, dynamic IP, ODBC, System DSN, port forwarding, SQL Server operations and many more terms that until then seemed, well, not like “Greek to me”, finally were part of my knowledge. As you can understand, I finally did it: the server was online and waiting for players to come and start playing. For the web page I used a ready-made template that I found on the forums. It had everything, from template to ranking. So I thought my days of worrying were over and my server was all ready. Well, security is something I had never considered as an option, and as you can imagine I was a happy server owner without even a firewall. The happiness, as you will soon see, didn’t last for too long.
The next step was promotion. That was an easy thing to accomplish, since some servers closed in that period and I had many people I knew that had played with me for some time. So word of mouth was the best promoting solution for the time being. After 2 days I had more than 100 players ready to register and start playing.
That’s when the problems started.
Problems (what shouldn’t but did)
First of all, I could never have thought that there are so many 13-15 year olds that have so much free time to try to exploit everything on a server. And when I say everything, I mean it. Suddenly my system started malfunctioning. Accounts were deleted, some accounts went damn high (as if those people had been playing for a year or so), some had administrative privileges, and the system kept crashing.
So suddenly the need of security came up.
- First step: Firewall
The only solution I could think of at that time was to install a firewall. But as we already know, things in reality are much more different from theory. After installing it and changing settings like stealth mode browsing, automatic detection of intruders and IP ban, I thought I was “stealth”. But again, this made the “hacker’s” life more challenging. Not only successful hacking attempts stopped, but became more frequent and more catastrophic.
My next thought, since the firewall seemed to be securing my server but I was still having intrusions, was MSSQL. Since the database was the one that suffered the most from “hackers”, that would be the answer to my problems. Reading help files and Microsoft forum posts, I closed all possible connections that could be made from the internet to the SQL database, since it didn’t need any connection open to the public because everything that needed it was local (both web server and game server). One step closer to a more secure environment but still far from it. Successful attacks continued. The bad thing was not the attacks, because I could recover damn fast, but the reputation of the server, which was going down, and the 5000 subscribed players that started to leave the server.
After some more investigation it finally became obvious that either web server or database server were responsible for the attacks so dataserver was my problem. The actual problem was that people were able to inject packets into the dataserver saying that they had these stats and this in-game money, for example, and the dataserver took it for granted, as if it was coming from the game server itself. Using the firewall again, I closed every connection from the internet to the dataserver too, as I did with the database. The results were amazing: hacking attempts were stopped. And with pleasure I wiped the server once more (deleted all accounts and started registration from the beginning) and assured players that this was the last one.
Wondering what happened?
All seemed to be working correctly, and more than 2000 people re-registered for the server. Until again, one sunny day, all accounts were gone, people at the forums were cursing the heavens and chaos was dominant. The server closed for “maintenance”. I didn’t have much time and had many things to do. The bad thing was that I didn’t know exactly what needed to be done. Everything I could imagine, I had already implemented. After numerous hours of searching Google (Google and internet are two identical terms, as it seems) I came up with two words: SQL Injection. It seemed that after I closed all ports that didn’t need to be open and closed all SQL and dataserver ports, “hackers” started to exploit the site itself.
SQL Injection is an exploit where someone can insert whole queries into a field of the web page (nested ones, together with the normal ones that pass the fields themselves to the database), so that it executes both. That way, if someone knew the structure of the database (which was known to all), he could with not much effort modify, delete and update everything in my database. Well, this had to stop.
So, it was time for me to learn PHP, since I heard it was better than ASP and more secure. I downloaded documentation and help files and started learning. The template was made fast and then the time for code came. Within a week, registration was ready. It might seem slow, but if registration was ready and carefully written, all other pages could be done easily by changing the SQL statement. (Well, not that easy, but much easier than writing them from scratch.) Many people helped with the creation of the new page, mostly with ideas that were developed. After a month all the pages together with SQL Injection protection (filters that could understand if the user input was normal one or wanted to modify the contents of the database)
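The injection described above and one way to close it, as an added example that is not the server's original ASP or PHP code: a registration query built by string concatenation beside the same query with a bound parameter. It uses parameter binding rather than the input filters the text mentions; the table, the function names and the sample input are assumptions, and sqlite3's executescript() stands in for a database driver that accepts several statements in one call.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the account database (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, level INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 40), ("bob", 12)])
    db.commit()
    return db

def register_vulnerable(db, name):
    """'Before': the form field is pasted into the SQL text, so anything
    after a closing quote is parsed and run as a second statement."""
    db.executescript("INSERT INTO accounts VALUES ('" + name + "', 1);")

def register_safe(db, name):
    """'After': the value is bound as a parameter and never parsed as SQL."""
    db.execute("INSERT INTO accounts VALUES (?, 1)", (name,))
    db.commit()

def account_names(db):
    """Sorted list of account names currently stored."""
    return [row[0] for row in
            db.execute("SELECT name FROM accounts ORDER BY name")]

# Constructed input: a "name" that closes the string and appends a statement.
HOSTILE_NAME = "eve', 1); DELETE FROM accounts; --"

def demo():
    """Run the same input through both versions and return what is left."""
    before, after = make_db(), make_db()
    register_vulnerable(before, HOSTILE_NAME)
    register_safe(after, HOSTILE_NAME)
    return account_names(before), account_names(after)

if __name__ == "__main__":
    wiped, intact = demo()
    print("concatenated query leaves:", wiped)
    print("bound parameter leaves:   ", intact)
```

With the bound parameter the hostile string is stored as an odd-looking account name and the existing rows survive, with no need to guess which inputs look malicious.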
Wiped server again, promised people that that would be the last one (don’t know why but they always believed me even though I have made up to 12 wipes until now) and started server again.
Outcome was perfect! 99% of the known hacks for the server were not working, people could not change their level, could not get levels for free, could not wipe the whole character table. Even Administrators from other private servers, came in-game to ask me what I did to create that security.
Well, even with that security established, maintaining and controlling a server is not about computer security only. And many more issues needed to be solved.
Special Issue: Mother
Since computer security was at a very good level, it was time to start thinking about uptime. Since many servers could not compete on the security issues, they started advertising that they were 24/7. At least that’s what they advertised. Apart from the security needed to accomplish that, many other factors kept me from that goal. First and most important was my mother (external factors). To understand that, you have to see my room. The most untidy thing someone can have. Full of things thrown here and there. So, my mother prefers to clean it herself rather than telling me to do it every single time she sees me. That created one big problem. Since my mother and technology have never met, while cleaning the room she pressed keys that she shouldn’t, she put her hands where she shouldn’t (open computer cases), she removed cables while cleaning the floor, and much more.
For that, there were 2 options. Either prevent access to it (which is out of the question since I hate cockroaches) or train the personnel, together with some arrangements that had to be made.
To start with, all computer cases were closed, towers with a lock in front were bought so I could at least be sure that she would not be able to reboot the machine, cables were grouped together and lifted up from the floor, and I trained her not to touch the keyboard, the mouse and everything that was green and had pins. So training those who are involved with the server, even physically, is a must if we want the results to be good.
Special Issue: Availability
As you can already understand, the server was taking all my time when I was at home. But what could be done to ensure uptime when I was not at home? First of all, a script had to be made so that when Windows starts, all 8 servers needed for the game server to operate will start. Then, changes were made to the start page so that when someone tries to access the main page, it checks from what type of browser he/she tries to access it and redirects him to the right page. For that I made a very simple page that had the name of the server as title and the people connected at that time. After that, by enabling GPRS, I was able to check, when I was not at home, if the server was up and running. If not, a call was made and my father (who had a key to open the front panel of the tower) rebooted it and it automatically started operating again. Someone has to be at the server’s location, or at least near enough that he can do even simple functions in order for the server to work again after a crash or failure.
With that solution, I could go on summer vacations (thank god).
Special Issue: Acts of God
By that I mean all things that we can’t control and that can happen any time, any place. As an example, power failures started occurring frequently in autumn this year, when the electricity company faced many problems. Since I couldn’t change that, and the power failures lasted not more than five minutes, a UPS was bought to ensure better uptime and much better protection of the server’s hardware.
Special Issue: Script Kiddies
After all that was done, what was better to do than eliminating script kiddies? Some people, because they wanted to get many levels in no time, used an application that ran in the background, and when they hit something, that application sent the same message x times, so it was as if that player hit the monsters many times at the same time instead of once. That was creating a serious problem for the server, since one “Hit Hacker” used the same bandwidth as almost ten players did at the same time. As a result, two to three hit hackers were enough to create lag for the whole server. And of course destroy the server’s economy and balance.
To solve that, I downloaded that application and a packet sniffer-logger. Since the application multiplied hits, after numerous tests from other computers I understood what packets were sent from a “normal” player and what from a hit hacker, so I made some “Rules” in the packet sniffer in order to be able to find their IP, delete their character and IP-ban them.
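A sketch of the kind of rule described above, as an added example and not the author's actual sniffer rules: it scans a packet log for a source that sends the identical message more often than a player could inside a short time window. The log format, the payload strings, the addresses and the thresholds are all constructed assumptions, since the game's real packet layout is not given here.

```python
from collections import defaultdict, deque

def find_hit_multipliers(packets, window=0.1, max_repeats=2):
    """Return {ip: largest burst} for every source that sent the same
    payload more than max_repeats times within `window` seconds.

    packets: iterable of (timestamp_seconds, source_ip, payload) tuples.
    """
    recent = defaultdict(deque)  # (ip, payload) -> timestamps still in window
    flagged = {}
    for ts, ip, payload in sorted(packets):
        stamps = recent[(ip, payload)]
        stamps.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) > max_repeats:
            flagged[ip] = max(flagged.get(ip, 0), len(stamps))
    return flagged

# Constructed capture (documentation-range addresses, hypothetical payloads).
SAMPLE_CAPTURE = (
    # Normal player: one hit roughly every 0.8 s.
    [(0.0, "192.0.2.5", "HIT mob17"),
     (0.8, "192.0.2.5", "HIT mob17"),
     (1.6, "192.0.2.5", "HIT mob17")]
    # Fast double click: two identical hits, still within the allowance.
    + [(3.00, "192.0.2.7", "HIT mob4"),
       (3.05, "192.0.2.7", "HIT mob4")]
    # Multiplied hit: the same message ten times within 18 ms.
    + [(2.0 + i * 0.002, "198.51.100.9", "HIT mob3") for i in range(10)]
)

if __name__ == "__main__":
    for ip, burst in find_hit_multipliers(SAMPLE_CAPTURE).items():
        print(f"{ip}: {burst} identical hits inside one window")
```

Keeping max_repeats above 1 leaves room for retransmissions and fast clicking, so an automated ban based on the result does not hit ordinary players.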
fame, comes trouble
After all this reading and time spent, I can say that the server was the safest it could be. Don’t forget that nothing is “unbreakable”. For example, after all the changes, many people tried to “hack” it but did not succeed, so they made a post at a hack forum with the title XXX Server is unbreakable. Results were: about ten posts, yes nothing could be done any suggestions? And the 11th post was the passwords of my Admin and the 3 game masters. I was informed very fast about that (public relations help a lot in security) and changed them, e-mailing the poster to ask what backdoor he used to enter. He helped.
After some time the server became famous for its uptime, security and the events that my game masters did with players, so many people came to play on my server. It was ranked 3rd private server worldwide for that game for some time. The trouble was that my DSL could only hold 60 people at the same time, so the server was always full and people started complaining.
One of the players on my server worked at an internet cafe in Romania and was responsible for its server and internet security, so after knowing him for some time, I offered him the opportunity to transfer some of the server’s workload to the internet cafe, which had a much better internet connection. Since all the people at that internet cafe were playing on my server he accepted, and not only that, but his boss paid me to do the installation. So I still had control of everything and could hold 250-300 players at the same time. But that created another problem. What would happen if the guy from there started to “distort” the server files that he had there for his in-game benefit? The answer was a page at the web server that copied the last backup before an incident and transferred that backup to my FTP, so I could IP-ban him from using my database and continue to serve the users from my home. Fortunately that didn’t happen and I can still say he’s my favourite ****** (Censored) :P.
The server became full even with the better speed but, as the title says, more trouble came. Many server owners (that were losing subscribers) and many people that wanted better stats in-game started to attack me with distributed DoS attacks. At the beginning I was unable to do anything, since they were using proxy servers and many computers, but by tracing the source of the DoS attacks every time, I made a list of the most common IPs that attacked and IP-banned them at the firewall. That helped a lot, since the DoS attacks became much “softer” and the server could withstand them.
Having a server that people other than you use is a great responsibility. It has to be updated frequently; many new options and enhancements have to be added to keep the players-customers (depending on the situation) happy, and secure. The last part is also the most important and the most difficult. Because no matter what product or service someone offers, no matter the price or the benefits from using it, having the web server, let’s say, hacked very frequently will unfortunately lead to extinction. People have patience, but the more they pay for something, the more professional and more secure they expect it to be.
The benefits from having a server are many, depending on what the server owner aims for. At least for me, the server has helped me gain knowledge that I would never have heard of if I didn’t have this server. PHP, database queries, database administration and web server administration, together with security, are some of them. Apart from all that, a server can bring money too. Sources of income can be many, from sales of a specific product or service through it, or, even if it’s free, targeted advertising can pay a lot of money. At least that’s what I preferred in my situation. I don’t like the idea of pay to play.
What I will never forget about all this experience, even when the server closes some day, is the interactivity with the players and the different people I’ve met, and the debug state of many things that I have implemented. To explain myself, it was an awesome experience when I made the first draft of the new PHP page that, from the 30.000 registered users, a great proportion, when I announced the beta, went immediately and started testing the web page for bugs so that they could inform me about them at the forum. 1000 are better than one, after all. I am sure that this dropped the time that the page needed for debugging of every single problem a page can have to one fifth. Even if someone seeks profits through the creation of a server, the knowledge gained and the experience would pay much more in the long term and make him more confident about what someone can accomplish and about knowing what he/she can do.
Warning: No Hamsters Were Harmed for the Creation of This Article!