Server leaking ips (fB's Weekly)

[FrostBeule]

Well, I get some conflicting information. Some say it doesn't matter if p2p is enabled and you can still get the ips (the person didn't specify how though). Would be good to be able to confirm it somehow. Also, my host says xmlrpc was never allowed for remote hosts, so that wasn't the method used.

[TMarc]

using the debug version of the Maniaplanet game client, you can see the other players IPs in the log file.
and with netstat or better: wireshark, you can even see all connected instances.

Disabling P2P on the server most probably only disables skin and model exchange, but likely not the data transfer which is necessary to show the opponents positions between the game clients.

[FrostBeule]

What about if the players themselves disable p2p in their settings, will that have any affect, or is it still possible to see them? Also, even if they can see the ips, can they also see which login/nick is linked to which ip? Because these attacks were very precise and aimed towards certain players only.

[undef.de]

What about if the players themselves disable p2p in their settings, will that have any affect, or is it still possible to see them? Also, even if they can see the ips, can they also see which login/nick is linked to which ip? Because these attacks were very precise and aimed towards certain players only.

It doesn't matter who is disabling P2p, because the dedicated server sends the position of each player to each player (or better the server says to the game client of each player where to send the positions to... the IP from each other player).

So it's very easy to catch the IP from every player which is connected on the same server with Wire Shark or similar tools.

EDIT: Yes, you can find out which IP is connected to which login, but that's harder because the XML communication from the dedicated server is obscured.

[FrostBeule]

In that case, it sounds like unless these position exchanges are made hidden (by Nadeo i guess - if it's even possible), there's no way for me to protect the players or myself from being attacked, and thus it's rip in pieces for my race :/

i assume i'd only be able to host events that are played on private servers, but maybe there's a way for someone to penetrate that as well?

[undef.de]

As long as the communication between the dedicated server and the clients (and the clients between the clients = P2P) is unencrypted, everyone who is on the same dedicated server can see IPs and logins.

But if you separate the server where the players are on a match, from the server where the spectators are watching (relay), then the "attacker" can only see the IP from the match server and the players on the relay server.

Hmmm... i'm unsure if that is working as i wrote it, someone should test this.

EDIT: The match server has to be protected by password to make sure only good players are on it.

[FrostBeule]

Well I guess I'll just have to hope they will encrypt that communication (if it's even possible to do). I have to say it would be nice if they prioritized a solution to this problem, seeing as my race is arguably the most popular event in the game and a lot of people enjoy driving in it. But oh well, I'll just have to live with it if nothing is done.

Having the server protected by a password only does so much. It would still be next to impossible to control who is on the server if I'm hosting a big event with a lot of participants. So it's not really a solution anyway.

I guess as long as the events aren't too big this is never going to be a huge problem for TrackMania. But I think my event grew to such a level that it automatically became an issue (as it is an issue in many other more popular games).

I think if Nadeo want the game and the community to grow and the events to become more popular, this is something they should look into. But again, not even sure it's possible to do anything about it (maybe someone from Nadeo could answer that?).

[oiram456]

(maybe someone from Nadeo could answer that?).

That is what i was thinking from the beginning of this thread, please Nadeo, just answer and tell us your thoughts on this case. Do you have a solution? Will you make it possible to protect ip´s? This is a serious case imo

[TMarc]

Besides this, even if the communication is encrypted, this does not hide the IPs.
A brute force attack on all IPs connected would still be harmful.
I think there is no real technical possiblity to make it 100% secure.
Only the IP where the attack comes from could be detected, but also this is not 100% sure.

There should be a competition mode for both server and clients, where each client only connects to the server.
If permitted, the clients could send avatar, emblem, skin and car model to the server, which would distribute them to the other players in the competition.
Once all players are synchronized with the server, and every player's game client has eventually downloaded the necessary data (items, skins, models, mods, etc.) the game could start with warmup.
This means the server would be loaded much more, in the beginning.
Regarding feasibility and possible implementation change, here we definitely need an official answer.

[w1lla]

See a pm i sent Frostbeule. It might contain some interesting stuff.