Hi all,
We've been using SFS for 4 days now. I just notice that there's no built-in network security or data management. I suppose SFS want us to our own code for these issues. Is that right?
We've been under attack by many Hackers. So I just want to gather some thoughts on how we should do these in SFS.
1. Network Data Security
- I suppose we can send in random key every now and then. But that would slow things and require more traffic. Is there any way around this?
2. Data Lost
- How can we ensure that server and clients get all data that they need? Is there a built-in buffer that resend dropped messages? Or are we suppose to keep track of every message and resend them ourselves?
- How do we know that Server or Client didn't get the message? Do we have to wait 2 seconds for response, and resend the data?
3. Data Compression
- Suppose we compress all network message into one big file and sent them at a fixed interval. Would that work well with SFS? Terracotta? What's the best compression for this?
Data Security, Data Lost and Data Compression Issue
The first problem to solve with attacks is strengthening the client (which is easily decompile-able) and moving most of the game logic if not all on the server side.
The latter is particularly important because from your server code you can apply heavy data validation and get rid of many trivial and less trivial malicious requests.
We deal more in details this topic in the 2nd part of our "Building MMOs" article, check it here:
http://www.smartfoxserver.com/docs/docP ... mmo_p2.htm
(see 2nd section, "Securing Virtual Worlds")
Data delivery is guaranteed by TCP as you said, however the server might drop packets for very slow clients which would fill the server and make it "explode"
Again we deal with this topic in much more details in our docs:
http://www.smartfoxserver.com/docs/docP ... ooting.htm
(Section 2)
No this wouldn't make sense.
For the extension messages you can uses the JSON protocol or the Raw/String protocol which reduces data to the bare minimum.
Protocol compression will be available in the next major SFS
(release date still not know)
The latter is particularly important because from your server code you can apply heavy data validation and get rid of many trivial and less trivial malicious requests.
We deal more in details this topic in the 2nd part of our "Building MMOs" article, check it here:
http://www.smartfoxserver.com/docs/docP ... mmo_p2.htm
(see 2nd section, "Securing Virtual Worlds")
- How can we ensure that server and clients get all data that they need? Is there a built-in buffer that resend dropped messages? Or are we suppose to keep track of every message and resend them ourselves?
Data delivery is guaranteed by TCP as you said, however the server might drop packets for very slow clients which would fill the server and make it "explode"
Again we deal with this topic in much more details in our docs:
http://www.smartfoxserver.com/docs/docP ... ooting.htm
(Section 2)
- Suppose we compress all network message into one big file and sent them at a fixed interval. Would that work well with SFS? Terracotta? What's the best compression for this?
No this wouldn't make sense.
For the extension messages you can uses the JSON protocol or the Raw/String protocol which reduces data to the bare minimum.
Protocol compression will be available in the next major SFS
(release date still not know)
Arr, but I mean combining and compressing all the Raw Data Message into one big chunk. Since I suppose we should encrypt the data sent from both side anyway, wouldn't this help speed things up a bit? Or should we just send tiny bits of encrypted data whenever we need to.
Imagine a scenario when you have to constantly update 30 players in a scene. Shouldn't scenario 1 perform better or would hundreds of small packages fly faster?
Which one would work best with SFS regarding server loaded? One big update request or 30 tiny ones?
Imagine a scenario when you have to constantly update 30 players in a scene. Shouldn't scenario 1 perform better or would hundreds of small packages fly faster?
Which one would work best with SFS regarding server loaded? One big update request or 30 tiny ones?
Imagine a scenario when you have to constantly update 30 players in a scene. Shouldn't scenario 1 perform better or would hundreds of small packages fly faster?
1. each player is a different channel (socket) so you can't aggregate the messages of different recipients. Each message takes a different route.
2. the TCP does this for you behind the scenes (see the Nagle Algorithm) for lots of technical details.
Damn, that's something about TCP I didn't know. 
(or probably learned and forgot somewhere along the line)
So should we encrypt the data with random key then? Can Hacker intercept the data and refiring it a hundred times to reproduce the result? (Yes, trying to recheck and verify everything with server here, but I still don't trust those hackers...)
(or probably learned and forgot somewhere along the line)
So should we encrypt the data with random key then? Can Hacker intercept the data and refiring it a hundred times to reproduce the result? (Yes, trying to recheck and verify everything with server here, but I still don't trust those hackers...)
You can't encrypt data at the moment because SmartFoxServer does not speak a binary protocol. Additionally encryption is very taxing in terms of performance. Encrypting all messages would be an overkill unless you use a trivial encryption system, in which case you would save performance but you would defeat the initial purpose.
Finally SmartFoxServer uses persistent socket connections, so it's very difficult to hijack a User session. This represent a minor threat to the server security compared to the client side security and server side validation.
Finally SmartFoxServer uses persistent socket connections, so it's very difficult to hijack a User session. This represent a minor threat to the server security compared to the client side security and server side validation.
But hackers can still see the i/o network message though. Shouldn't we at least obscure the values?
How? How do you see the messages sorry? You have got to be able to install a trojan in the client computer to check what is going on between him and SFS.
And the trojan has to be sophisticated enough to know which port to monitor and what data to look for. Not necessarily an SFS server runs always on port 9339, if you put in on port 51736 how is the trojan going to find it?
By scanning the entire spectrum of TCP ports looking for some specific SFS-related data?
Unless the SFS-based game provides big money prizes I don't think the hacker in question would put such amount of effort into it.
How can we prevent them from refiring the same command a hundred times with outside software?
What you talk about is a Denial of Service attack which could hit any component of your network infrastructure not just SFS.
If you are concerned about these kind of hacking attempts you will ned to setup and properly configure a firewall.
Additionally SmartFoxServer provides an IP filter which prevents users from the same IP to connect multiple times.
Easiest way is to hack into the client and see all the i/o logic and order it to do something malicious. I know that's not SFS's fault. We do have serious hacker trying to hack our games. So, I need to know SFS can meet up with the security task. Just need to know how best to cope with this in SFS beside good server validation logic.
Other API use a ticketing method where every times client want to do something, they need to get a validation key from server. I guess this is not necessary with SFS right?
Other API use a ticketing method where every times client want to do something, they need to get a validation key from server. I guess this is not necessary with SFS right?
Impressive
Impressive this help me alot thanks for sharing such a great information
-------------------
kitchen units
-------------------
kitchen units
Return to “SmartFoxServer 1.x Discussions and Help”
Who is online
Users browsing this forum: No registered users and 76 guests