Table of Contents

Shortnote

In a hypergrid context, banning users is more difficult than on standalone grid because users may connect from different locations, use different viewers, have different IPs and use different network cards. The following guide offers a supplement to the user-contributed guide, that is able to track users more in-depth.

Case Example

We have had a situation with an agent named Jaine Mariolack that visited our grids and started the usual grieving bullshit: rezzing physical balls, littering allover the place, etc...

So, we opened the OpenSim.log file to find out more information about the user. The agent connect string in the logs was the following:

2013-02-24 06:05:08,657 INFO  - OpenSim.Services.HypergridService.GatekeeperService [GATEKEEPER SERVICE]: Login request for Jaine.Mariolack @virtualrealmsgrid.com @ http://virtualrealmsgrid.com:8002/ (0a009e79-7c56-11e2-b122-000c76240986) at VIBE using viewer Imprudence 1.3.2.0, channel Imprudence, IP 109.117.158.2, Mac d6812bb4d7625027d53c2e9715410caf, Id0 dd76693a887c545f4d65c2ff2da3a4d7 Teleport Flags 0

Looking up the IP address, it fell in the range of Vodafone IP addresses, looking it up yielded:

inetnum:        109.116.0.0 - 109.117.255.255
netname:        VODAFONE-IT
descr:          IP addresses assigned to VF-IT mobile users
country:        IT
admin-c:        VI745-RIPE
tech-c:         VI745-RIPE
status:         ASSIGNED PA
mnt-by:         VODAFONE-IT-MNT
source:         RIPE # Filtered

which is apparently a classic spammer case that uses a CDMA network in order to receive an IP every time in order to avoid bans. Thus, banning the IP address would be no good.

Indeed, we tracked down the IP addresses for this agent:

opensim@HornedOwl:~/os/bin$ cat OpenSim.log  | grep 'Login request' | grep 'Jaine Mariolack' | awk -F ',' '{ print $4 }'
 IP 109.112.128.89
 IP 109.112.80.6
 IP 109.112.80.6
 IP 109.117.158.2

MAC Addresses

Since the IP changes, the username may change, that leaves us with a possible MAC address ban. The problem is that the viewer sends a hashed version of the MAC address instead of the plain address.

Indeed, looking inllstartup.cpp of a V1.x viewer, we find the following logic:

    char hashed_mac_string[MD5HEX_STR_SIZE];    /* Flawfinder: ignore */
    LLMD5 hashed_mac;
    hashed_mac.update( gMACAddress, MAC_ADDRESS_BYTES );
    hashed_mac.finalize();
    hashed_mac.hex_digest(hashed_mac_string);

which uses a hexdigest algorithm to hide the MAC address.

This is a problem, since the regular iptables package on Linux cannot filter out hashed MAC addresses.

However, this leaves us with the option of using the ipt_string matcher.

What the Viewer Sends

We performed a test in order to see what happens when a viewer connects to OpenSim and found the following XML / REST format.

First we listen to a port:

nc -l 9000

and we connect to the machine using a viewer. The resulting output is the following:

POST / HTTP/1.1
Host: 192.168.2.9:9000
Accept: */*
Accept-Encoding: deflate, gzip
Content-Type: text/xml
Content-Length: 1905
Expect: 100-continue
 
<?xml version="1.0"?><methodCall><methodName>login_to_simulator</methodName><params><param><value><struct><member><name>first</name><value><string>Kira</string></value></member><member><name>last</name><value><string>Komarov</string></value></member><member><name>passwd</name><value><string>$1$0113b43f53411d223b56ba3cc250a9a1</string></value></member><member><name>start</name><value><string>last</string></value></member><member><name>version</name><value><string>Imprudence 1.4.0 Experimental 2010.10.23 / Second Life 1.23.5.136262</string></value></member><member><name>channel</name><value><string>Imprudence</string></value></member><member><name>platform</name><value><string>Mac</string></value></member><member><name>mac</name><value><string>7736ec1cc78c0f055addef6ac6506728</string></value></member><member><name>id0</name><value><string>52f6ecd06f322b6ee19f6aa2ffde3797</string></value></member><member><name>last_exec_event</name><value><int>0</int></value></member><member><name>options</name><value><array><data><value><string>inventory-root</string></value><value><string>inventory-skeleton</string></value><value><string>inventory-lib-root</string></value><value><string>inventory-lib-owner</string></value><value><string>inventory-skel-lib</string></value><value><string>initial-outfit</string></value><value><string>gestures</string></value><value><string>event_categories</string></value><value><string>event_notifications</string></value><value><string>classified_categories</string></value><value><string>adult_compliant</string></value><value><string>buddy-list</string></value><value><string>ui-config</string></value><value><string>map-server-url</string></value><value><string>tutorial_setting</string></value><value><string>login-flags</string></value><value><string>global-textures</string></value></data></array></value></member></struct></value></param></params></methodCall>

Which, aside from the password hash, gives us the following interesting XML nibble:

<string>Mac</string>
...
<string>7736ec1cc78c0f055addef6ac6506728</string>

Which is the hashed MAC address that the viewer is sending.

Banning on the Network Layer

Now going back to Jaine Mariolack, we can search the log for the MAC address:

opensim@HornedOwl:~/os/bin$ cat OpenSim.log  | grep 'Login request' | grep 'Jaine.Mariolack' | awk -F ',' '{ print $5 }' | sort -u
 Mac d6812bb4d7625027d53c2e9715410caf

Now that we know what the viewer is sending, we can use ipt_string match to detect the MAC address and ban the agent:

iptables -A INPUT -m string --string 'd6812bb4d7625027d53c2e9715410caf' --algo bm -p tcp --dport 9000 -j DROP

Not only that, but we can ban the user as well:

iptables -A INPUT -m string --string 'Jaine' --algo bm -m string --string 'Mariolack' --algo bm -p tcp --dport 9000 -j DROP

The result is that the viewer is not able to connect and will timout on the Login screen:

Defeating the Ban

This ban can be defeated by changing the MAC address of the network card or, more easily, by modifying the viewer to send a random hex string every time it connects.