00:02 < Nimda> DDNet Brazil went down!
00:03 <@deen> laxa: sure
00:03 < Nimda> DDNet Brazil went back online!
00:03 < laxa> :D
00:04 < laxa> Well, I have a girlfriend, and feel really good with her
00:04 < ddnet-commits> [ddnet] Learath2 opened pull request #137: Follow 3xx Redirects (DDRace64...pr_FollowRedirect) http://git.io/i0Iyow
00:04 <@deen> yay
00:05 <@deen> yay for laxa and the pull request*
00:05 < laxa> :D, thanks deen :)
00:05 < Learath2> gratz laxa
00:05 < laxa> if you have network problem
00:05 < laxa> maybe she can help you
00:05 < ddnet-commits> [ddnet] def- pushed 2 new commits to DDRace64: http://git.io/Qv15Bg
00:05 < ddnet-commits> ddnet/DDRace64 6b35447 Learath Lea: Follow 3xx Redirects
00:05 < ddnet-commits> ddnet/DDRace64 b6c07e4 Dennis Felsing: Merge pull request #137 from Learath2/pr_FollowRedirect...
00:05 <@deen> laxa: network problems?
00:05 < laxa> she is network engineer
00:05 <@deen> yes, give me free ddos protection
00:06 < laxa> hahaha
00:06 <@deen> big problem
00:06 <@deen> Learath2: so, the autoupdate also works?
00:06 < Learath2> dont merge that yet 
00:06 <@deen> ok =/
00:06 < Learath2> wasnt tested extensively
00:07 < Learath2> does probably work
00:07 < Learath2> but with the update.json on my server
00:07 < Learath2> and dont think it updates server executable either
00:07 <@deen> =/
00:07 <@deen> well, https download is great already, thanks
00:08 <@deen> finally i can connect to chilean servers without downloading map on GER before
00:08 < Learath2> but if you do have the time to fix the little problems and clean it up you can merge it 
00:08 <@deen> ah, what happens if the maps server is totally down
00:08 <@deen> ?
00:09 <@deen> (that happens rather often with my hoster)
00:09 < Learath2> it hits m_pMapdownloadTask.m_State == STATE_ERROR
00:09 < Learath2> then fallsback
00:09 <@deen> after how long?
00:10 < Learath2> at the next CClient::Update() after the header is received
00:10 <@deen> ok
00:11 <@deen> seems to take 1-2 seconds if the server doesn't respond at all
00:11 <@deen> that's ok
00:11 < Learath2> you could make it faster for non ddnet servers by checking the game type
00:12 < ddnet-commits> [ddnet] def- pushed 1 new commit to DDRace64: http://git.io/9lnE9g
00:12 < ddnet-commits> ddnet/DDRace64 7adc47a def: cl_ddnet_map_server -> cl_ddnet_maps_server
00:16 < Learath2> if you have time you should be able to merge autoupdate but i must go to sleep now
00:16 < Learath2> good nite
00:17 < eeeee> gj, nite
00:18 <@deen> good night
00:21 <@deen> Hm, I'm not sure how best to disable the http downloader, better you do it, Learath2 ^^
00:21 < ddnet-commits> [ddnet] def- pushed 1 new commit to DDRace64: http://git.io/pRvJ6A
00:21 < ddnet-commits> ddnet/DDRace64 3d686a2 def: Add an option to disable http map download (not working yet)
00:21 < ddnet-commits> [ddnet] def- pushed 1 new commit to DDRace64: http://git.io/aEYwAA
00:21 < ddnet-commits> ddnet/DDRace64 3b0a523 def: Typo
00:22 < Learath2> client.cpp:1555 putting all that in an if and else do the fallback i do in CClient::Update() should work 
00:22 <@deen> nice, thanks
00:26 < ddnet-commits> [ddnet] def- pushed 1 new commit to DDRace64: http://git.io/sF3R0w
00:26 < ddnet-commits> ddnet/DDRace64 3aa4a61 def: Make the option to disable http download work (thanks Learath2)
00:27 < Learath2> well ill prolly be on my phone for 10-15 more mins so if its not working
00:27 <@deen> i tested, looked fine
00:31 <@deen> when should we release the client with http download?
00:32 < eeeee> even compiles on mac, amazing
00:32 <@deen> eeeee: compiles and works as well?^^
00:32 < eeeee> cant test if works, udp filtered :/
00:32 < eeeee> oh wait, can prolly test via cell phone
00:36 < eeeee> yeah seems to work
00:37 < eeeee> not sure if we really need https for maps though (it has more latency compared to http)
00:38 <@deen> eeeee: yeah, i was wondering about that too
00:38 <@deen> any numbers on how much latency it can add?
00:39 < eeeee> could definitely use http if we had a real hash function instead of crc32, otherwise there is a remote possibility that kidz could somehow inject tcp packets that insert some dicks into map while still keeping the crc
00:39 <@deen> inject tcp packets?
00:39 < eeeee> yeah inject packets into http/tcp session
00:39 <@deen> don't think that's going to happen
00:40 <@deen> and especially work
00:40 < eeeee> its pretty hard but possible
00:41 < eeeee> but since you fuzzed the maps, at least code injection is unlikely so we can ignore that
00:41 <@deen> i fuzzed the maps and everything was full of segfaults^
00:41 <@deen> didn't investigate further
00:41 < eeeee> sounds legit
00:41 <@deen> only saw segfaults on read
00:41 <@deen> not write
00:46 < eeeee> oh shi
00:46 < eeeee> you're using some self-signed cert
00:46 <@deen> yes?
00:47 <@deen> what's wrong with that?
00:47 < eeeee> means i cannot download from browser
00:47 <@deen> oh, right
00:47 <@deen> i don't like regular CAs
00:48 < eeeee> well you could still get CA to sign your cert but hardcode it in client
00:49 <@deen> but then i can't change cert later if it turns out that my server got hacked
00:53 < eeeee> there are some revocation lists but not sure if they actually work. and for the client how is that different from just having self-signed?
00:53 <@deen> i just need to trust a single CA, not every single self-signed certificate
00:55 < eeeee> i still don't get it
00:55 < eeeee> say someone hacked your server and stole the cert
00:55 < eeeee> then uses it to mitm clients
00:55 <@deen> Right, that's still bad
00:55 < eeeee> what's the difference between CA signed cert and selfsigned
00:56 <@deen> at least they have to hack my server instead of asking some CA to sign it
00:56 < eeeee> but they can still ask some CA to sign it
00:56 <@deen> won't work in ddnet client then
00:56 <@deen> i hard-coded my CA
00:59 < eeeee> oic, you cannot get your CA signed by a real CA and cannot host multiple versions of cert (with different signatures) either
00:59 < eeeee> and X509 doesn't support multiple signatures in a single cert
01:00 < eeeee> :(
01:04 <@deen> alternatively we could also do http for maps
01:04 <@deen> and use regular http or https for updates
01:04 <@deen> i think openbsd's signify would be nice for signing
01:04 <@deen> would have the same purpose as having my own CA
01:05 <@deen> http://www.tedunangst.com/flak/post/signify
01:05 < eeeee> or make client connect to non-standard port
01:05 < eeeee> can host self-signed cert there
01:05 <@deen> yeah, or just another hostname
01:05 < eeeee> but a real cert on 443
01:05 < eeeee> another hostname won't work
01:05 < eeeee> has to be another port
01:05 <@deen> why?
01:06 < eeeee> ssl negotiation happens before you have a chance to transmit HOST: header
01:06 < eeeee> so hostname doesnt matter
01:06 <@deen> wait, what
01:06 <@deen> i can't have different ssl certificates on a single port on a server?
01:07 < eeeee> http://webcache.googleusercontent.com/search?q=cache:PQgwR3J42ccJ:https://wiki.apache.org/httpd/NameBasedSSLVHosts+&cd=1&hl=en&ct=clnk&gl=us
01:07 < eeeee> nope
01:07 <@deen> sigh
01:07 <@deen> idon't like ssl anyway
01:08 < eeeee> well there's http://en.wikipedia.org/wiki/Server_Name_Indication but i never tried it
01:08 < eeeee> not sure how many clients support that (and if our curl thing even supports that)
01:08 < eeeee> different ports are a safer bet
01:08 <@deen> terrible solution, not going to do that
01:08 <@deen> ssl is evil
01:09 < eeeee> why not, if it's hidden from the end user
01:09 <@deen> firewalls won't like it
01:10 <@deen> from the wiki article it sounds like every reasonable client should work
01:10 <@deen> only really old stuff doesn't
01:10 < eeeee> could try it then i guess
01:11 <@deen> I guess i'm using that
01:11 <@deen> since i have different certificates already
01:11 <@deen> but really don't want to look into it
01:13 < eeeee> on my computer http download of 200kb map takes 1.3s, https takes 1.8s
01:14 < eeeee> but i have ping 192ms, must be not as significant with lower ping
01:19 <@deen> significant enough for me
01:19 <@deen> any complaint about going to http?
01:22 < eeeee> for maps should be fine
01:23 < eeeee> also there's a bunch of stuff you can optimize for tls
01:24 < eeeee> there are some tutorials on the internet but they all assume you have a real cert, not sure if applies to self-signed or SNI setup
01:26 < eeeee> they even have a website about it https://istlsfastyet.com/ ^^
02:31 <@deen> eeeee: since GER doesn't seem to get any attacks anymore, i guess you can shut GER2 down
02:52 < eeeee> deen: but it's free if it doesn't consume any traffic. maybe we can just sv_register 0 it and write some script to get it back if GER goes down?
02:55 <@deen> sure
02:55 <@deen> I've disabled the servers already
02:55 <@deen> i can restart them with 1 click
02:56 <@deen> it has some problems though
02:56 < eeeee> like what
02:56 <@deen> you can't save on GER2 and load on GER
02:56 <@deen> or the other way around
02:57 < eeeee> well that's inconvinient but hardly a critical feature
02:57 < eeeee> hopefully someone will take a look at save/load code and figure out how to fix the exploit
02:58 <@deen> i did take a look
02:58 <@deen> it's impossible to fix
02:58 < eeeee> impossibru!
02:58 <@deen> with the database model we use
02:58 < eeeee> how so
02:58 <@deen> you save on GER
02:58 <@deen> then you go on USA and GER at the same time
02:58 <@deen> and load on both at the same time
02:59 <@deen> now you can save twice
02:59 <@deen> and have duplicated your savegame, which should normally never happen
02:59 <@deen> the problem is that we don't have 1 central database
02:59 < eeeee> but can't we like use a sql transaction for loading?
02:59 < eeeee> yeah okay
02:59 <@deen> but a separate database on each server
02:59 <@deen> and they have some weird cyclic replication
03:00 <@deen> i don't like the database model at all
03:00 <@deen> but don't know how to do it properly
03:00 <@deen> for regular records it didn't matter and everything was good
03:00 <@deen> but saves don't really work with it
03:00 < eeeee> can't you just discard the record time if you seen that a save was loaded more than once?
03:01 <@deen> what record time?
03:01 <@deen> ah
03:01 <@deen> so if they save again, i have to remember their old saves too or what?
03:01 <@deen> also note that sometimes a server gets ddosed, then the cyclic replication gets broken and the other server doesn't hear about the double load for hours
03:02 <@deen> lots of time to cheat records
03:02 < eeeee> could have some kind of a unique run_id which persists through all saves/loads
03:02 < eeeee> hmm no
03:03 < eeeee> cheated records could be deleted postfactum
03:03 <@deen> yeah, that might work
03:03 <@deen> but so complicated^^
03:04 < eeeee> so yeah i think you only have to keep track of all the loads
03:04 <@deen> how do you tell the difference between legal saves?
03:04 < eeeee> if you see several loads for the same save, you delete the record
03:05 < eeeee> what legal saves?
03:05 <@deen> well, but they can be allowed loads
03:05 <@deen> like saving again, and loading later
03:05 <@deen> so you also have to remember the times at whcih they played
03:05 < eeeee> if you save again then that's gonna be a different save
03:05 <@deen> to check if they overlapped
03:05 < eeeee> each save needs unique id
03:06 <@deen> then it's cheatable again
03:06 <@deen> or do you also want the run_id?
03:06 < eeeee> huh? no
03:06 < eeeee> only save_id
03:06 < eeeee> you /save (to save_id=1)
03:06 <@deen> ok, you load on USA and GER and quickly save again
03:06 < eeeee> if you /load the server records you loaded save_id 1
03:07 < eeeee> if you /load again on another server you'd still load save_id 1 (the most current one)
03:07 <@deen> i don't get it
03:07 < eeeee> okay, you start playing and issue /save on GER
03:08 < eeeee> row on GER db gets created with save_id=1
03:08 < eeeee> then it gets replicated to USA
03:08 < eeeee> so you connect a second client to USA and then issue /load on GER and USA at the same time
03:09 < eeeee> at that moment a LOAD event row gets inserted into GER, saying that you loaded save_id=1
03:09 < eeeee> same thing happens on USA
03:09 < eeeee> note that at this point you cannot detect the cheat yet
03:10 < eeeee> but eventually the USA event will replicate to GER and vice versa
03:10 < eeeee> and your cron job will start seeing two loads for a single save (originating from different servers)
03:10 <@deen> but it may be too late already when it replicates, and they saved again already
03:11 < eeeee> it doesn't matter if they saved again or not
03:11 <@deen> and you don't know under what save theysaved
03:11 < eeeee> or you mean you cannot tie the record to the save?
03:11 <@deen> they can have multiple regular saves inbetween the cheated save and the record
03:11 < eeeee> yeah in that case i guess we'll also need run_id
03:12 <@deen> any number of regular saves
03:12 <@deen> anyway, sounds really complicated
03:12 < eeeee> how's that complicated
03:12 < eeeee> just generate random run_id in server and save/load it
03:13 <@deen> i don't know, when i make features that are 20 times smaller i add 20 bugs already
03:13 <@deen> don't think i'd get this working realiably :P
03:14 < eeeee> the only changes to the server you have to make are run_id and tracking the loads
03:14 < eeeee> everything else goes into cron job which is harder to fuck up
03:15 <@deen> no idea how the cronjob would work
03:15 <@deen> would need to record every single load that was ever done?
03:15 <@deen> possibly forever
03:15 <@deen> and scan them all periodically
03:16 < eeeee> expire the saves after a month. problem solved :)
03:16 <@deen> sounds like we're making more problems, not solving them
03:16 <@deen> :P
03:16 < eeeee> but not being able to legitimately load cross-server is a bigger problem, isnt it
03:16 <@deen> i don't know
03:16 <@deen> if people complain, I'll just disable saves altogether
03:17 < eeeee> lol
03:17 <@deen> you can transfer your save to another server
03:17 <@deen> most people never heard of saves anyway
03:17 <@deen> maybe 10-20 people use them
03:18 < eeeee> we should do "save and quit" diablo-style
03:18 <@deen> would allow cheats
03:18 <@deen> team 0 is not allowed to save
03:18 < eeeee> (twas a joke)
03:18 < eeeee> ^^
03:19 <@deen> oh, and even worse, people could destroy others' saves
03:19 <@deen> and the other people wouldn't even notice immediately
03:20 <@deen> after a week all your new records get deleted, great
03:21 < eeeee> wait but don't you have to know some kind of a code to use /save /load ?
03:21 <@deen> you do
03:21 < eeeee> i thought it works like timeout protection
03:21 <@deen> but most use the same code every time
03:21 <@deen> and when you play with someone they usually tell you their code
03:22 <@deen> would take them some time to discover that they can do that
03:22 < eeeee> uh
03:22 <@deen> but I knew from the start about the save/load problem, and they also found out after a few months
03:22 < eeeee> i wonder if we should just use a central db then
03:22 <@deen> yeah, the database model is the problem
03:23 <@deen> but i'm not planning to change it
03:23 < eeeee> why not?
03:23 <@deen> didn't find anything good
03:23 <@deen> so complicated, much can break
03:24 < eeeee> lets just put it in the cloud
03:24 <@deen> no idea what "cloud" means
03:24 < eeeee> cloud is omnipotent
03:24 < eeeee> a solution to everything
03:25 < eeeee> srsly though, e.g. amazon provides some mysql hosting
03:26 < eeeee> should be ddos resistant and 99.9999
03:26 < eeeee> % available
03:26 <@deen> would not work from many locations
03:26 < eeeee> why?
03:26 <@deen> sometimes there is no connection out from chile
03:26 <@deen> or china
03:26 < eeeee> hmm okay
03:27 <@deen> or if we add iran it would be down for hours
03:27 <@deen> that's why i decentralized the database
04:22 < Nimda> DDNet CHN went down!
04:23 < Nimda> DDNet CHN went back online!
12:05 < laxadedi> deen: any reaction to the topic ?
12:06 < laxadedi> How could they ddos non-stop all ddnet servers for few days ?
12:07 < laxadedi> And the guy is saying there is a rat on this channel \o/
12:19 < coffee> NOO YOU FOUND ME
12:34 <@deen> Anyone want to fix windows compilation problems again? https://github.com/def-/ddnet/issues/138
12:35 <@deen> not like anything i say on this channel is secret
12:38 <@deen> great, can't read the topic because someone edited the shit out of it^^
13:05 < laxadedi> Oh, I thought that was you that edited the topic deen
13:12 <@deen> i was sleeping
13:12 <@deen> http://forum.ddnet.tw/viewtopic.php?f=6&t=944&p=8871#p8871
13:12 <@deen> there's my response
13:20 < Nimda> DDNet GER2 went down!
13:38 < coffee> deen: simple fix for msvc : http://pastebin.com/fp9vVESQ
13:42 < Nimda> DDNet CHN went down!
13:43 < Nimda> DDNet CHN went back online!
13:45 <@deen> coffee: thanks!
13:46 < ddnet-commits> [ddnet] def- pushed 1 new commit to DDRace64: http://git.io/aWPaTA
13:46 < ddnet-commits> ddnet/DDRace64 c65458c def: Fix compilation on MSVC (by coffee) (fixes #138)
13:51 < coffee> But I can't compile the client from msvc
13:51 <@deen> huh?
13:51 < coffee> Because of link considerations
13:51 < coffee> this fix is okay, but there is a problem next
13:52 < coffee> I have to change something in bam.lua
13:53 <@deen> because ofthe new curl stuff?
13:55 < coffee> no, something different
14:13 < Nimda> DDNet CHN went down!
14:14 < Nimda> DDNet CHN went back online!
14:27 < coffee> nono i'm wrong deen everything is okay :D
14:34 <@deen> great =)
15:12 < Learath2> deen: oh noez what are we going to do about all this inside information leaking from this channel
15:12 < coffee> It's a war.
15:13 < coffee> We could crypt our msgs :p
15:13 < Learath2> this is just annoying :P
15:13 < Learath2> I love how that guy and his 3 imaginary friends declared war on ddnet
15:14 < Learath2> and the fact that one of them is a cyber defense guy :P
16:43 < Nimda> DDNet Brazil went down!
16:43 < Nimda> Server was removed : DDNet GER2!
16:44 < Nimda> DDNet Brazil went back online!
17:23 < Nimda> DDNet RUS went down!
17:24 < Nimda> DDNet RUS went back online!
18:40 <@deen> attack on GER
18:42 < ochristi> suckers :(
18:43 <@deen> looks like they're using their client for the attack now after all
19:03 <@deen> hm, not sure how to block this
19:03 <@deen> they block all slots, but never connect fully
19:08 <@deen> and then they spam small packets, making the kernel take full 3 cpus to route them
19:12 <@deen> interesting that they can do that much damage with 4 MB/s
19:14 <@deen> at least it only affects the 1 blocker server so far
19:16 <@heinrich5991> deen: have you posted it on your forums already?
19:17 <@deen> what?
19:17 <@deen> i don't post about how people attack usually
19:17 <@deen> I'm trying to implement a fix for it
19:17 <@deen> similar to what eeeee suggested
19:21 <@heinrich5991> well, that there is a rogue client might be of people's interest
19:21 <@heinrich5991> afk
20:11 < eeeee> deen: huh why you downed ger2?
20:12 <@deen> eeeee: we talked about this yesterday, didn't we?
20:15 < eeeee> oh but i thought ger is under attack atm
20:18 <@deen> only the block server lags a bit
20:19 <@deen> not a big ddos attack
20:19 <@deen> just 100K packets/s on the block server
20:22 <@EastByte> hmm
21:03 < eeeee> okay nvm then
21:39 < Nimda> DDNet GER went down!
21:39 < Nimda> New server detected : DDNet GER2!
21:46 <@deen> GER is not down, ddos protection just blocking stuff^^
21:46 <@deen> but might be going down soon
21:46 <@deen> they're directly targetting the servers now
21:47 < Muttley> hello
21:47 <@deen> hi
21:47 < Muttley> deen, could we add a NL server to the list ?
21:47 < Muttley> ger is under attack and the rest is high latency
21:47 <@deen> GER2 is low latency
21:47 < Muttley> ger2 >
21:48 < Muttley> ?
21:48 <@deen> and i don't have a server in netherlands
21:48 < Muttley> i only see ger
21:48 < Muttley> i do
21:48 <@deen> search for GER2
21:48 < Muttley> 0 players...
21:48 <@deen> oh, now GER2 ddos too
21:48 <@deen> eeeee: what will amazon do?
21:50 <@deen> eeeee: hm, totally unusable in ddos
21:50 <@deen> Muttley: your server has ddos protection?
21:50 <@deen> i have a few offers for servers, but without ddos protection nothing will work
21:50 < Muttley> ddos protection is nowhere... only if the uplinks are 100gbit plus all the way
21:51 < Muttley> uplinks will always clutter
21:51 <@deen> yeah, but we need 40 gbit/s ddos protection
21:51 <@deen> otherwise your server is down in a minute
21:51 < Muttley> why that much ;-) that much ddos 
21:51 < Muttley> ?
21:51 <@deen> yes
21:51 < Muttley> players ddosing for fun ?
21:51 < Nimda> DDNet GER2 went down!
21:52 <@deen> Muttley: not sure why
21:52 < Learath2> .how are they getting together a 40 gbit ddos anyways ???
21:52 < Muttley> that isnt hard Learath2 
21:53 < Muttley> we have 2x 10GBit at our side
21:53 <@deen> Learath2: pay 5 € and you're good?
21:53 < Muttley> bundle 4 of those providers and you are done
21:53 < Learath2> oh well i forgot you can pay for a botnet 
21:53 < Muttley> bundle 200 servers around the world and you have a small botnet
21:54 <@deen> Learath2: they do just that
21:54 <@deen> Learath2: found their realname email addresses in multiple botnet database dumps
21:54 < Nimda> DDNet GER2 went back online!
21:55 <@deen> so, EC2 doesn't look good against attacks
21:55 < Learath2> dont think anything short of getting arrested will stop this as we just cant put together the money for a proper ddos protected server
21:56 < Learath2> as noone gets arrested for ddos we'll just have to live with it ? :P
21:57 < Learath2> try sending mails to their parents they are probably little kids
21:57 <@deen> eeeee: hm, since you're paying for traffic, maybe you should shut the server down =/
21:57 <@deen> you're getting 100-200 mbit/s all the time now
22:05 < eeeee> deen: 100-200 mbits of incoming?
22:06 <@deen> eeeee: yeah, in the start it was way more
22:06 <@deen> now it seems to be gone again
22:07 < eeeee> i'm only paying for outgoing :P
22:07 <@deen> ok
22:07 <@deen> sometimes they can use the game server to trigger outgoing traffic too though
22:08 < Nimda> DDNet GER went back online!
22:09 < eeeee> i have alerts on that, can always bring it down if it becomes an issue
22:10 <@deen> ok, good
22:16 < Nimda> DDNet GER went down!
22:17 <@deen> now GER is really down
22:18 < eeeee> sounds like a time for GER2!
22:52 <@deen> ahaha, my students
22:52  * eeeee grabs popcorn
22:52 <@deen> they were supposed to solve an exercise in Java
22:52 <@deen> but we forgot to write "in Java" on the problem
22:52 <@deen> so now I have 1 solution in Java, 1 in C and another in Clojure
22:54 < eeeee> what, not even Scala?
22:54 < eeeee> :D
22:55 <@heinrich5991> :)
22:56 < eeeee> well and they can always just write a java program that invokes some hardcoded binary constant (contents of which were compiled from C or sth)
22:58 <@deen> Really weird that it doesn't say anything about the language on the problem...
22:58 <@deen> after we just did Haskell and Prolog I wouldn't have guessed Java myself
23:01 < eeeee> good thing that you do so many languages
23:02 < eeeee> after starting working full-time i never cbf to learn anything completely new as it has no short-term gain
23:04 <@deen> yeah, I'm also glad we still have this course at university
23:04 <@deen> it's even obligatory for every computer science student
23:05 <@deen> some higher-ups are trying to get rid of it though, because why do you need anything other than Java?
23:07 <@heinrich5991> java is teh enterprise PL
23:17 <@deen> exactly
23:32 < Muttley> ....