Jump to content
Sign in to follow this  
$able

Introducing Server-side Event Logging/Blocking

Recommended Posts

This is on a windows server btw. Ignore the linux/unixish commands. I just use a cygwin shell because it's easier to work with the log files. Anyway, here is a better example of a dbag flooding our server and being ignored by battleye. Same MaxSetDamagePerInterval and setdamage.txt are in place as in the previous post.

EDIT: I just checked the logs and this guy WAS kicked for set damage by battleye. But that doesn't change the fact that it took 9 seconds and 4500 violations before it took place. :/

First command shows how many set damage the guy did before he was eventually banned by dayz anti-hax.

$ zgrep Freddie *.gz | grep '1.000000' | wc -l

4592

This command show when it started.

$ zgrep Freddie *.gz | grep '1.000000' | head

setdamage.log.20121024_044015.gz:24.10.2012 04:19:06: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #0 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:06: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #1 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:06: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #0 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:06: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #1 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:06: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #0 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:06: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #1 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:06: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #0 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:06: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #1 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:06: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #0 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:06: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #1 1.000000 27:743

This command shows how long it went on.

$ zgrep Freddie *.gz | grep '1.000000' | tail

setdamage.log.20121024_044015.gz:24.10.2012 04:19:16: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #0 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:16: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #1 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:16: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #0 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:16: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #1 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:16: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #0 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:16: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #1 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:16: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #0 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:16: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #1 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:16: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #0 1.000000 27:743

setdamage.log.20121024_044015.gz:24.10.2012 04:19:16: Freddie (86.9.210.94:2304) 563cc824a0ec3e619f2f6328abfceac2 - #1 1.000000 27:743

Edited by Hohlraum

Share this post


Link to post
Share on other sites
EDIT: I just checked the logs and this guy WAS kicked for set damage by battleye. But that doesn't change the fact that it took 9 seconds and 4500 violations before it took place. :/

Thanks for confirming that BE actually kicked him. Anyway, that shows you how the server is stalling (i.e. not executing the main server frame) due to such a flood attack. I will see if I can force the kick earlier in the future.

Share this post


Link to post
Share on other sites

Anyone have any ideas how to prevent this new debug monitor replacement from being injected into the server? It was called Mr Mc Epicness. Always have the newest filters running from the DCBL.

Share this post


Link to post
Share on other sites
Anyone have any ideas how to prevent this new debug monitor replacement from being injected into the server? It was called Mr Mc Epicness. Always have the newest filters running from the DCBL.

You mean like Monky Monitor? Yeah, that's pretty bad

If you click F12 while the Monky Monitor is on, you get teleported and you die! How can they do this?

Share this post


Link to post
Share on other sites

What's the new "dayz_logDamage" that's spamming the publicvariable.log?

Sometimes it shows multiple names, is that when people are in combat together now?

01.11.2012 06:22:32: Colby (IP) GUID - #0 "dayz_logDamage" = ["Colby","Tim",1.385]

01.11.2012 06:22:32: Colby (IP) GUID - #0 "dayz_logDamage" = ["Colby","Tim",1.03049]

01.11.2012 06:22:32: Colby (IP) GUID - #0 "dayz_logDamage" = ["Colby","Tim",1.13709]

01.11.2012 06:22:32: Colby (IP) GUID - #0 "dayz_logDamage" = ["Colby","Tim",3.27479]

01.11.2012 06:22:32: Colby (IP) GUID - #0 "dayz_logDamage" = ["Colby","Tim",0.101046]

01.11.2012 06:22:34: Colby (IP) GUID - #0 "dayz_logDamage" = ["Colby","Tim",1.38673]

01.11.2012 06:22:34: Colby (IP) GUID - #0 "dayz_logDamage" = ["Colby","Tim",1.98367]

01.11.2012 06:22:34: Colby (IP) GUID - #0 "dayz_logDamage" = ["Colby","Tim",1.19589]

01.11.2012 06:22:34: Colby (IP) GUID - #0 "dayz_logDamage" = ["Colby","Tim",2.75311]

01.11.2012 06:22:34: Colby (IP) GUID - #0 "dayz_logDamage" = ["Colby","Tim",0.132196]

01.11.2012 06:22:34: Colby (IP) GUID - #7 "dayzDeath" = ["35774209",0,<NULL-object>,"86533638","Colby"]

---------- Post added at 20:07 ---------- Previous post was at 18:50 ----------

Or, more importantly, the scripts.log is growing rapidly.

More than 5MB in a few hours.

This is being spammed almost constantly by every player int he server:

_cmpt = toArray (_x);

_cmpt set [0,20];

_cmpt set [1,toArray ("-") select 0]"

01.11.2012 04:04:35: PlayerName (IP) GUID - #177 "le,_x] call object_getHit;

_part = "PartGeneric";

Share this post


Link to post
Share on other sites

That's a DayZ issue...... Why don't you just fix it yourself?

1 "toArray" !"_cmpt = toArray (_x);" !"_cmpt set [1,toArray (\"-\") select 0]"

As server admin, you really should learn how to write and edit the scripts.txt

Share this post


Link to post
Share on other sites

Rather than just comment it out, I wanted to learn WHY it's doing it.

Thanks for your informative reply.

Share this post


Link to post
Share on other sites

It is doing that because the new version of DayZ has

//change "HitPart" to " - Part" rather than complicated string replace
_cmpt = toArray (_x);
_cmpt set [0,20];
_cmpt set [1,toArray ("-") select 0];
_cmpt set [2,20];
_cmpt = toString _cmpt;

in dayz_code.pbo\compile\fn_selfActions.sqf as part of the new vehicle fixing code and the scripts.txt you are using was obviously made for a previous version of DayZ.

Share this post


Link to post
Share on other sites

server side BE filters got fresh air with more info logged and more filters , you need OA beta 98866 or newer

new Linux server ftp://downloads.bistudio.com/arma2.com/update/a2oa-server-1.62.98874.tar.bz2

http://forums.bistudio.com/showthread.php?142401-ARMA-2-OA-beta-build-98886-(1-62-MP-compatible-build-post-1-62-release)

next to the new setVariable.txt and setVariableVal.txt and also AddBackpackCargo.txt

there is more additional informations available in existing logs

and new BE settings e.g.

MaxAddBackpackCargoPerInterval 10 1

MaxAddMagazineCargoPerInterval 48 1

MaxAddWeaponCargoPerInterval 10 1

all in use e.g. for DayZ

https://code.google.com/p/dayz-community-banlist/source/browse/filters

good hunt...

Edited by Dwarden

Share this post


Link to post
Share on other sites

Have you guys ($able etc.) explored the possibility of enabling regular expressions in filters? Something like the following (perl style) regex that would log all BIS variables:

1 /^BIS[\w]+$/

Or this, which would only allow variables called myVar followed by between one and three numbers (for example myVar504):

5 !=/^myVar[\d]{1,3}$/

I think this could make the system more powerful, but obviously checking against regular expressions would eat some more performance. Has this even been considered as a possible feature?

Share this post


Link to post
Share on other sites
Have you guys ($able etc.) explored the possibility of enabling regular expressions in filters?

[...]

Has this even been considered as a possible feature?

Yes, it has been considered already. I hopefully will be able to add it at some point in the future.

Share this post


Link to post
Share on other sites

What does the new attachto.txt do and does it require a specific arma 2 beta?

Share this post


Link to post
Share on other sites
What does the new attachto.txt do and does it require a specific arma 2 beta?

http://community.bistudio.com/wiki/attachTo - exploited for teleporting. It's supported in the latest beta versions, I can't remember since which one exactly, sorry.

Support for two more files allowing admins to block remote control scripts will be added tomorrow. I will also finally update the first post with all available features.

Share this post


Link to post
Share on other sites

So what kinda stuff should people NOT be attaching to? Looking at how it's logging I've seen known hackers attaching to Camo1_DZ, Sniper1_DZ and Survivor2_DZ what were they doing?

Share this post


Link to post
Share on other sites

Does DZ use attachTo itself at all?

Share this post


Link to post
Share on other sites
;2259873']Does DZ use attachTo itself at all?

Lots of entries from people who I know aren't cheating. Crossbow bolts appear to use it for sure.

Share this post


Link to post
Share on other sites

Drag function uses attachTo in DZ

For some reason "#beclient players" command doesn't work reliable now.

Share this post


Link to post
Share on other sites

can we PLEASE have all the info consolidated in a wiki and/or the original post? As much as the new changes are good the info is certainly lacking on a lot of these filters.

Share this post


Link to post
Share on other sites

yes, would be nice if someone could sum up all the latest information in one post

Share this post


Link to post
Share on other sites

Honestly we need concise, aggregated documentation on how these filters work. I'm getting seriously fed up of having to trawl through random forum posts to find (or most cases - not find) the info I need. People have better things to do with their lives then spend time testing random shit with arma 2 servers because there is no doco on anything.

You guys need to up your game - a lot.

Share this post


Link to post
Share on other sites

Sadly I have to agree with cm.

Getting totally lost on the filters. Is there any recent documents available?

Share this post


Link to post
Share on other sites

what you want explained CM ? I already answered all what's needed and provide PoC how dot it which works for Dayz, I start to feel you expected unreal things

Share this post


Link to post
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×