Against bots

[Intrepid]

No its not imagine a connection controller(totally inside java dont need anything else)which called inside the loginserverthread where packet type is 3 if PlayerAuthResponse is authed

[macdonald12]

No not the login port

Heres the idea you login and on character login when you press ok it calls some check(gameguard,dual box or such)which is running on a different Socket if true ok go to the license screen and the server selection if false stay on login window

Gameguard is a fail, and dualbox has got nothing to do with bots. Your idea is flawed from the start because without modding the client you will not be able to differentiate between client or bot.

you dont get it.I dont said gameguard i dont know from where you get it.Dual box was just an example for what checks can be run there.I never said i want to find the difference from software side beetwen bot and client.

I tell it again maybe this time you understand it.Take for example l2net you need the servers port to connect right? what if the login procedure goes like this:open client type in login info if the client is authed a check runs in a connection controller on a different port so maybe the bot will fail because of incorrect port for character login(1 port for login, 1 port for the connection controller, 1 port for the gameserver)

I mentioned gameguard because you referred to it in your post...

As for your idea, it's very simple. If, with whatever server-side modifications you make, the client can still login, then so can any bot. Bots emulate the client, and if they do a good job at it, then packet-wise you will not be able to spot the difference. So as mentioned, without client modding you're getting nowhere.

[Vapulabe]

1) no port or crypto change will be a good protection against bots.
If the client can connect, well, the bot will be able to do it too. No wrapper, in-memory patcher or client alteration (*) won't be able to change this.

2) Nothing can beat a good GM
The GM has (should have ?) something that no program can have : intelligence.

3) Captcha's can be the best protection
The player should have some time to answer (at least 1 or 2 minutes) and several tries (2-3). Failure would result in ban.
Well, it may prevent people too stupid from playing on your server... but I'm not sure it'd be a bad thing... If they are THAT stupid, they'll probably hurt your community !!!

4) Even if you use 100% unbreakable crypto, you need to remind the 1st postulate of cryptography : the security of a cryptographic system is as good as the security of the weakest link.
Crypto works with banks because both ends know some information that nobody else knows... Private key for PK crypto, Own random value for shared secret generation, ...
Here, the client has to connect to the server and has to be on an insecure computer. This means that the weakst link is the client and that nothing may rely on client side... So crypto from client side is worthless... MPAA/RIAA/... have well understood it, that's why they are trying to lock everything consummer side (making the analog signals disappear, installing crypto from end to end, pushing for Treacherous Computing (TPM and such), ...

5) Dualboxing is not botting
But, unless it's several players using the same connexion, dualboxing is ruining the game balance... Some classes (buffer classes mostly) won't be really represented as "main characters" (they'll be relegated to alt which stay aside, casting their bunch of spell once every X).
But it also raises another problem : it means that one screen is "paged out"... People won't see the messages on it and so, won't be able to answer/react to GM on that windows... Which rules out the systematic ban if no answer which is the best way against bots...


The Community board idea looks like a nice idea... a textual question may also be a possibility but you have to take the culture/langage barrier in account... But litteral math is not enough (very easy to "simulate" on a bot point of view) Beware of the colors... there are many people who are color blind... And color names is also something which may be quite difficult for someone whose mother langage is different from the server's langage.

[Intrepid]

Thanks that answer was what i waiting for.Other question what about the security card used in l2jfree which shows a text box and if the player dont fill it cant login?

[macdonald12]

Again, that's just a bunch of packets the client supports and the server (now) knows how to handle. You can make an OOG bot do the exact same thing, while with IG bots it wouldn't even be necessary.

[Intrepid]

Again, that's just a bunch of packets the client supports and the server (now) knows how to handle. You can make an OOG bot do the exact same thing, while with IG bots it wouldn't even be necessary.

than i dont even bother to search for any software side stuff except the flood protections...botreport button and gms...thanks

[vmv]

Why don't you make some items with some condition (and to be droped on mobs).... like...if you have 75% hp you will be able to get the item...if not,then you are a bot or you are not interesting of our reward...and the item will stay on the ground until some gm will cross over....!
The bot has no intelligence to take the item under -75% hp from damage of mobs (if its auto loot will try to get it instantly),and that item will stay on the ground until some gm will come ..no ..?!?!

wondering....it hink that just one simple skill will stop the bots ....

[Vapulabe]

Well, there are still one way that *could* help finding bots... It's about the same idea that waht is done for spam...

You need a bunch of criteria and use them to compute a "bot probability". For example :

- if name is garbage
- if it always plays solo
- if it always play with the same group of players
- if it keeps silent (no interraction with other players)
- if it always hunt in same zone
- if it delevel often
- if it always trade out items/adena to same players
- if it never uses soul/spirit shots (on server where those are available at merchants)
- if it always cast the same spells in the same order
- do not complain if forced to immobility/teleported somewhere else/...
...

None of these criteria is enough to say that it's a bot... Some players behave like one or two of these... But if many criteria are met, there are good chances that it's a bot. The more criteria, the better.

You may even add a bayesian-like training system. That way, you (GM) will have to train on both bots and real players to improve end result. YThe more bot, the more accurate your "filter" will be...

[poltomb]

Vapulabe, you bring a tear to my eye :'-) Finally someone who truly understands what I have been trying (and failing) to say. You were able to put into words exactly what I was having trouble with. And great input on using Bayesian probability, but not many people are going to understand what exactly that is. I <3 Probability and Statistics!

[NoGeRa]

Just be careful and have police gms. =/

[Szponiasty]

Vapulabe, you bring a tear to my eye :'-) Finally someone who truly understands what I have been trying (and failing) to say. You were able to put into words exactly what I was having trouble with. And great input on using Bayesian probability, but not many people are going to understand what exactly that is. I <3 Probability and Statistics!

I had similar idea when started to work on mine antibot. But in the middle of work I've discovered a way to solve this much easier. And what I was making to be antibot, changed a little and now, with all the data it collects every day, it's pretty good working antifeed security. PPl by the day have less and less ways of going around it on olimpiad or sieges Still some issues to be solved thou, but not that important right now.

[IiIJacKIiI]

Vapulabe, you bring a tear to my eye :'-) Finally someone who truly understands what I have been trying (and failing) to say. You were able to put into words exactly what I was having trouble with. And great input on using Bayesian probability, but not many people are going to understand what exactly that is. I <3 Probability and Statistics!

I had similar idea when started to work on mine antibot. But in the middle of work I've discovered a way to solve this much easier. And what I was making to be antibot, changed a little and now, with all the data it collects every day, it's pretty good working antifeed security. PPl by the day have less and less ways of going around it on olimpiad or sieges Still some issues to be solved thou, but not that important right now.

Can you share your work ? thanks

[frankpo]

Hi all, i have an idea that could be work fine.
Is possible to make appear a timed dialog box like (the party invitation) that prompt the user at login if he is a bot or not.
I think that the bot cannot accept this message so, if no answer to the message the server kick this player. And if the player accept the message, he can play.

Well im very interested on protect my server against bots.
It's only an idea.

^^

EDIT: Another possibility can be to make appear a window, like the npc chat window, that prompt the user to resolve a simple math problem, like 1+3=, and a text box to enter the result.
I think that it's possible to implement with a script.
Only other idea.

Sorry for my bad english ^^

What do you think?

[ZaKaX]

Personally, I think you didn't...think much ;o) That's like... super uber easy to bypass, pointless.

[Szponiasty]

Personally, I think you didn't...think much ;o) That's like... super uber easy to bypass, pointless.

Not that easy Ofc assuming that it will be non-standarised solution. I've found few cool packets in epilogue client, to display messages/htmls in totally nonstandard windows, that none "textmode" bot is able to display in a way, that player could read and answer even simplest question

btw, when you flood client with few hundred gg queries, one after another, l2net is getting disconnected (and normal epi. client works ok). not too profesional way of dealing with it, but also not that bad at all. im going to check it on live server, to see will it not lag/crash/etc with 200+ online.