Basically certain experienced Lua developers dig through the net.Receive and net.Send functions to find any way to flood the server, which halts it completely and crashes it shortly after.
The amount of addons I have had to fix containing these exploits is ridiculous, and I have only been able to find out which addons they were because it would throw a million script errors in the console, which would lead me to the addon and line number of what they're exploiting (which is usually something like local data = net.ReadTable()).
I have multiple problems. Firstly, there are some exploits they have found which do not throw errors into the console that point me in the direction of the addon, and effectively just kill the server with no trace of what it was. I am looking for a way to log ALL net related functions so I can find out whenever a net message is sent from the client to the server (I know it will be spammy, but I can just toggle it on whenever I need), OR a way to limit someone spamming these net functions.
The second issue I have is that if and when I do find an exploit that they literally just flood with random data, how can I put a limit on the data being flooded inside the function itself?
I have no idea how there's not more threads about this issue, surely it affects almost every major server out there that has (poorly?) coded addons that allow their net functions to be flooded.
I've also read that people claim that there's no way to flood the net functions to crash the server, this is simply not true and we've been dealing with this for months.
You can detour net.Incoming serverside to see when the messages arrive from the client, or detour net.SendToServer clientside to see when messages are sent out, though the latter is not guaranteed to work if the client has the original version of the function stored somewhere. A reference to net.Incoming for engine calls may be stored somewhere in the registry, as well, but I don't recall.
Wrapper around net.Incoming to prevent clients from spamming bad..
Open up your favorite editor that can search through all files in a directory and look at every net.Receive function that the server handles. Inspect every one and think to yourself "If a player calls this net message out of the blue with any parameters they want, what will happen". If the answer is anything other than "Nothing because the server verifies what's going on" then you should fix it.
There are a lot of threads (most are pretty recent) on this and there are examples on how to limit the amount of data being sent by a player, and with that information you can log any data you wanted if you so wished.
If you're lost and you don't know what to look for then go to a cheating forum and look at the exploits people post and try to learn from that. The net library tutorial also has an example of an unsecured net message: Net Library Usage
If possible, could you provide a link to these threads about limiting the amount of data being sent? I've tried the one code_gs linked a while ago but it completely broke the net.Receive functions for some reason.
Yeah sure, here is a thread you made 6 months ago where people gave you some good info: Exploit Prevention Help
You shouldn't worry about limiting the data that users can send first. You should worry about the exploits people are using to halt your server. While limiting user data can definitely help, it won't stop people from messing with your server if there is a larger underlying issue.
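The server-side net.Incoming detour discussed in the thread, written out as an added example (not code from any poster or from the linked wrapper): it logs each incoming message by name when a toggle is on, and drops messages from a player who exceeds a per-second count or a per-message size. It assumes the stock dispatcher reads a 16-bit header and looks the name up in net.Receivers; the file name, the netguard_log convar and the two limits are hypothetical values to tune.

```lua
-- lua/autorun/server/sv_net_guard.lua (hypothetical file name); server only.
if not SERVER then return end

local LOG      = CreateConVar("netguard_log", "0", FCVAR_NONE, "Print every incoming net message")
local MAX_MSGS = 60            -- assumed budget: messages per player per window
local WINDOW   = 1             -- window length in seconds
local MAX_BITS = 16 * 1024 * 8 -- assumed per-message ceiling (16 KiB, in bits)

local buckets = {} -- [UserID] = { start = time, count = n, warned = bool }

hook.Add("PlayerDisconnected", "netguard_cleanup", function(ply)
    buckets[ply:UserID()] = nil
end)

-- Fixed-window counter: returns true once the player is over budget.
local function overBudget(ply)
    local now, id = SysTime(), ply:UserID()
    local b = buckets[id]
    if not b or now - b.start >= WINDOW then
        b = { start = now, count = 0, warned = false }
        buckets[id] = b
    end
    b.count = b.count + 1
    return b.count > MAX_MSGS, b
end

-- Replaces the dispatcher: same lookup steps, plus logging and limits.
function net.Incoming(len, client)
    local name = util.NetworkIDToString(net.ReadHeader())
    if not name then return end
    if not IsValid(client) then return end -- assumption: every sender is a player

    local bits = len - 16 -- len includes the 16-bit header
    if LOG:GetBool() then
        print(("[netguard] %s -> %s, %d bits"):format(client:SteamID(), name, bits))
    end

    local over, b = overBudget(client)
    if over or bits > MAX_BITS then
        if not b.warned then -- one log line per window, not one per dropped message
            b.warned = true
            ServerLog(("[netguard] dropping %s from %s (%d msgs, %d bits)\n")
                :format(name, client:SteamID(), b.count, bits))
        end
        return -- dropped: the addon's receiver never runs
    end

    local func = net.Receivers[name:lower()]
    if func then func(bits, client) end
end
```

This only caps volume; each net.Receive handler still has to validate what the client sent, as the replies above point out.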