General Discussion - The problem with bots and how to fix them... - Forum

" Bishop120 wrote: So as a coder, network engineer, and exploitation analyst I will try to give a brief run down of the some of the problems that GGG can/is experiencing with botters and why some strategies that people would think would work wont work and a few possible solutions that I would think about for fixing the problem. This thread is not aimed at getting GGG to fix the botter problem as I believe they are probably in a far better position to understand what the botters are doing compared to what I personally think they are doing. This is more aimed at the common gaming crowd and those with a basic knowledge of computers/networks/MMO game design. A common myth is that a lot of botters are people using a program to automate their personal account to make themselves "money". While there are bot programs available for download, as many people are accutely aware most of these are infested with virus/trojans/keyloggers. For the most part they work by cleaning out the attempted botters account and sometimes are used to compromise a computer for far more mailicious purposes than game currency. There are legitimate bot developers who sell their programs which are for most intents and purposes... safe. They are few but they do exist. Its an honest (mostly) business. Their effect on game economies are for the most part limited. They benefit a small crowd who usually in turn quit playing the game after it becomes to easy for them. The true problem of botters is the "gold sellers". The individuals who wish to turn in game money into real world money. In order to make a successfull business out of selling currency you need massive amounts of in game currency. This takes a much larger number of accounts than what a single person is usually willing to deal with hence why the individual botter mentioned above is listed as mostly limited. A common myth is that it is easy to ban these by IP address, country, or that banning accounts is the easiest way to deal with it. The truth is that its not and the reason for this is because of Virtual Private Networks (or VPNs) and Network Address Translation (NAT). With NAT a single IP address can be the access point for hundreds of computers. Additionally you have the case of Dynamic IP assignment. A single individual may not get the same IP everytime it registers on a network. If GGG blocked an IP it could potentially block tons of legitimate users. What makes it even more difficult is that VPNs add to the problem of the two previously mentioned issues by allowing people from all over the world to log into a single VPN network which then has a dynamically allocated exit point. So bottom line is that blocking by IP is very bad business for GGG and is mostly useless as VPNs circumvent this issue anyways. Another idea is that you can circumvent this by scanning a computer for a bot "program". This is also not a valid option. This will catch most of the first type of botter but almost none of the second type. The reason is that the second type of user.. the gold seller.. usually uses what is called a virtual machine... or in laymans terms.. a virtual computer within a computer. Often times gold sellers will have dozens if not hundreds of computers each running a handful of virtual machines all logged into VPNs. In this way you cannot stop any single device by IP or by scanning the machine for code. When you scan you are limited to the virtual machine which can be operated by its own bot program. What can be done is that a small number of machines are busy creating accounts and storing the accounts to a database which is then accessed by the bot machines to ensure constant availibility of accounts for the virtual machines. If a single vitual machine or account is detected then the bot machine merely creates a new virtual machine and logs into a different account. So how do we stop this? Well there are a few ideas. Solution one is to look at an individual machines ID or fingerprint if you will. The hardware ID. The software ID of a machine is easily hidden by virtual machine... but the hardware ID is something that is translated even through the virtual machine. If you begin to ban accounts based upon machine fingerprints you can stop the core system which is running the virtual machines which ends up in banning accounts by the dozens. Basically your client reports the machine ID anytime you log in with your account. If GGG bans an account due to "botting" they then also ban any account found to be using the machine fingerprint.. this essentially sets it so that computer can never be used to play PoE again as all accounts which are logged into and register that machine ID get auto banned as well. This has worked extremely well for many other games but is a little extensive on the coding side and there are a few work arounds.. but few.. Another option is to charge for the account. If the account gets banned before it can recoup its costs then the gold seller is out money. This does not work for GGGs purposes because GGG and PoE thrive because of the F2P strategy. If you had to pay its no longer F2P... its pay 2 play and people would quit in droves. But there is an idea that I have which is close to this which I believe could be used. Instead of paying to play.. you pay for the right to trade. The game is free to play all you want but unless you pay say a small one time fee or possibly a small monthly fee you can never trade your items/currency. This essentially a middle ground compared to above but still one that I doubt that GGG would use. Tho it is something that I personally would consider doing. As I said before I did not write this to suggest to GGG on how to fix the problem but to sorta educate my fellow gamers as to why GGG is haveing a difficult time coping with botters. Please feel free to post some of your ideas below and I would be willing to give my explanation of why it is or is not a good idea and if its not a good idea why/how botters would probably circumvent it (in broad enough terms that any good botter is probably already doing it but not specific enough to tell someone how to do it themselves). --Bishop-- I have been thinking about your post and this video kind of sums up my argument http://www.youtube.com/watch?feature=player_detailpage&v=5GgflscOmW8#t=11s	Posted by Nezekan#5599 on May 16, 2013, 1:46:35 PM Quote this Post
Just want to point out that IP ban is pointless. Many people (>95 % of people in my country) are with service providers that provide dynamic IP addresses. Hence every time you restart router, your IP changes.	Posted by Mordread#1431 on May 16, 2013, 1:54:09 PM Quote this Post
Its not so easy to get around being caught virtualizing.. heres a quick run down of how you can catch two of the most common virtualization software suites for example.. Both Virtual PC and VMWare allow you to install "add-in"s to accelerate emulation, allow drag-n-drop from your real desktop to your virtual desktop, and allow file sharing between your real machine and the virtual machine. In order to accomplish this task, a communication mechanism between the virtual machine software and the virtual machine itself must exist. This sort of interfacing is called a "backdoor interfacing", since, using a special/undocumented mechanism, certain commands can be carried and interpreted in a different manner (by the virtual machine software) unlike having them interpreted by the real machine. How to detect Virtual PC As you may already know, every machine has a defined set of instructions commonly referred to as Instruction Set Architecture (ISA). When an invalid instruction (that is not present in the ISA) is encountered, the machine raises an exception of the type "Invalid Opcode". The software can either handle the exception (using the usual try/catch mechanism), let the operating system handle the exception, or crash the machine in worst cases. Virtual PC uses a bunch of invalid instructions to allow the interfacing between the virtual machine and the Virtual PC software. Here's what happens when Virtual PC's virtual machine wants to talk with Virtual PC: The program sets exception handlers (try/catch blocks). Set needed parameters before calling the VM software. Issue a special "Invalid Opcode" instruction. VM software will recognize this invalid opcode and act accordingly, causing no exception if VPC was present, and an exception if VPC isn't present. The program's "catch" block will handle the exception and examine the returned parameters for the presence/absence of VM software. In short, Virtual PC uses the "Invalid Opcode" mechanism as a backdoor. Detecting VMWare.. The Intel x86 provides two instructions to allow you to carry I/O operations, these instructions are the "IN" and "OUT" instructions. These two instructions are privileged instructions and cannot be used in a user-mode (while in protected mode) process unless the necessary privileges are enabled, so using them in normal cases will cause an exception of the type: "EXCEPTION_PRIV_INSTRUCTION". VMWare uses the "IN" instruction to read from a special port. This port does not effectively exist, however when VMWare is present, that port will be the interface between the virtual machine and VMWare. So now that you have detected that your in a VM what do you do? The CPU of the virtual machines’ host computer is one of the few components that is not virtualized, and therefore any CPU characteristics obtained from within a VM will be taken from the ‘real’ CPU. The “CPU Info” is based on multiple CPU related properties (CPU name, manufacturer/ vendor, model, family, stepping, UUID...etc) and the probability of multiple machines having identical CPU signatures is low. In this way its fairly safe to say that banning based upon a particular CPU UUID is a safe bet. Now another option I posit is to look at trade values. Its not to difficult for GGG to assign items a currency value similar to how gold trader and currency value sites do. Plug in a small fudge factor and then its easy for GGG to detect trades that are made which are extremely unbalanced. (someone recieving 10-15 exalts for nothing)... There are downsides that I would say each flagged transaction would need to be reviewed hence man hours. This is something we would want to avoid. Now what about limiting the number of currency that a single account (not toon) can have? This can stop gold sellers which usually stockpile by the ton. This is somethign I believe should be easy for GGG to do... look for toons which have far to much currency and perform a small investigation. Since these accoutns usually dont work alone (usually bots come in groups to get the bonus from high IIQ and IIR) it would be easy to catch large swathes with minimal research. Hueristically catching groups of more than 3 or 4 which have been running together for 4-5+ hours would also be a good place for them to find bots. Very few people play groups that long that much. I would even say that compared to most MMOs this game has a very large solitary crowd. Again.. these last two ideas require man hours. Of course I would say that there is enough people playing this game who hate botters for GGG to be able to afford a few "bot hunters" that are paid with premium content. Anyways... good to see such a healthy discussion going on here. --Bishop-- IGN: DeathIsMyBestFriend, Illirianah	Posted by Bishop120#1027 on May 16, 2013, 4:57:09 PM Quote this Post
I like your idea of the UUID on the CPU as an identifier. Drop the account, and drop the UUID from the "playable" list. Sure they can go create another account, but would it be feasible to change out the CPU everytime they are caught. I would also like to throw in that just because they are F2P, doesn't mean they couldn't have a P2P league that we could choose to be in(similar to private leagues, but open to anyone who pays).	Posted by mister_melon#7394 on May 16, 2013, 5:21:42 PM Quote this Post
" I like your idea of the UUID on the CPU as an identifier. You can't trust anything under the user's control. DLL injection intercepts the OS call for the CPUID and inserts a fake one. Or just patch that part of the client out. It's under your full control, mon. You could get the casual botters, but not the professionals. No way. These sorts of threads: Ground Hog Day.	Posted by Courageous#0687 on May 16, 2013, 5:28:03 PM Quote this Post
Hmm, interesting. Can a DLL intercept a hardware call from another DLL without being identified. If so, yea, pointless, but if not, add to the mix a warden type program that monitors for such activity and I think we would be in business. I think the expectations of completely removing any possibility of botting is a tad high, as you can never eliminate the determined. Making it impractical for the knowledgeable should suffice. " Courageous wrote: " I like your idea of the UUID on the CPU as an identifier. You can't trust anything under the user's control. DLL injection intercepts the OS call for the CPUID and inserts a fake one. Or just patch that part of the client out. It's under your full control, mon. You could get the casual botters, but not the professionals. No way. These sorts of threads: Ground Hog Day.	Posted by mister_melon#7394 on May 16, 2013, 5:42:43 PM Quote this Post
The ultimate escalation of all this is the game manufacturer in effect makes a root kit, and tries to use it as enforcement. At that point, you realize your customers also have their own nuclear weapons, of a sort. You can look to past nuclear exchanges on the subject if you wish. Did not end well. So anyway. We have Blizzard, a Fortune 500 company reporting roughly 4.7B in revenue annually (2011 report), and a full arsenal of corporate assets to bring at this particular problem, and their software that you cite, called "Warden." In your opinion, do Blizzard games have bots?	Posted by Courageous#0687 on May 16, 2013, 5:50:21 PM Quote this Post
No, of course not {/sarcasm} I believe I said warden like program. The old warden of D2 time frame looked for specific applications, not a modified DLL signature/checksum. If its an OS library used to interface with the hardware, It should be pretty safe to say that the signature is well known. Any alteration to that DLL(or the game code itself) should be pretty easy to identify. " Courageous wrote: The ultimate escalation of all this is the game manufacturer in effect makes a root kit, and tries to use it as enforcement. At that point, you realize your customers also have their own nuclear weapons, of a sort. You can look to past nuclear exchanges on the subject if you wish. Did not end well. So anyway. We have Blizzard, a Fortune 500 company reporting roughly 4.7B in revenue annually (2011 report), and a full arsenal of corporate assets to bring at this particular problem, and their software that you cite, called "Warden." In your opinion, do Blizzard games have bots?	Posted by mister_melon#7394 on May 16, 2013, 5:57:28 PM Quote this Post
" account345s wrote: " aimladen wrote: Completely untrue, you've made it obvious you have never really botted on games and I'm not one to lie, I've botted on many games for many years, this not being one of them. RS, WoW, the list goes on. Regarding these scenes, almost every bot is legitimate besides the bots one would find in 'google' typically, which is simply not using common sense and would apply across the board to programs, not just bots. The effect on game economies is not limited either, for instance RuneScape which has been around for 12 years has never been able to put a stop to botters which plague the game and actually destroyed the economy completely. 99% of Gold Sellers either achieve their income from buying & re-selling or simply botting, typically it's botting since buying & re-selling is more of a niche and there are better ways of achieving income using that method. Consider this a botters manifesto, I've profited over $40,000 from botting. I don't plan on botting on this game since that was something I did while trying to get through college for extra income. lol, you must be delusional if it brought you 40g's... maybe over 10 years that took you to finish that collage and a botter that profits never buys a bot, you make it yourself (if you can buy it that means anyone can- you won't profit $$ from it) You are not so bright are you? There were a bunch of ppl(check youtube for some videos) who botted and made 10k $ in the first week of the d3 RMAH. Thats 7 days.	Posted by Zhatan#4250 on May 16, 2013, 6:16:04 PM Quote this Post
Dealing with botters is for the most part dealing with gold sellers. As I said before in a game like this the botters that run on singles accounts that are for personal use are I believe the "small fries" of the botter problem. I do not believe that they have a significant impact on game economy. Its only when its scaled up to the level of gold sellers that they become an issue. In this case 1 computer run by a gold seller is the equivalent of 10-12 single personal users.. and everyone knows that some of these gold sellers run in the neighborhood of 20+ servers easily. As far as stoping them as said before its not a matter of making the one perfect catchall program/method. Its more of the shotgun approach.. the combination of many techniques each catching, flagging, and banning them to the point of making it not a feasible business for the gold sellers. Eve Online is a good example of what can happen with the shotgun approach. Gold sellers quickly stopped selling Eve "ISK" when their botter programs started getting caught and accounts banned in droves. Unholy Rage they called it. GGG could follow a similar implementation... catch the accounts and flag them.. then when you have a valid signature down ban thousands of bot accounts at once and push out a scanner that looks for that signature (what ever it may be.. UUIDs, background programs, memory injections..). This forces an arms war.. bot developers try to outsmart the signature... GGG trys to catch/ban the bot accounts. The trick is to not let the bot developer know that you have their signature... this can be accomplished a variety of ways... ban letters with misdirection for the reason of the ban, delaying the ban for 24-36 hours after being flagged so that botter has no idea what exactly the've done to get caught. I've personally always favored the "time bomb" currency. Currency has a shelf life for usage. If not used within 4-5 days the currency expires and is deleted. Game term wise this would be a good way to start a currency "sink" which flushes currency and forces it to be used by true gamers. Currency would be good to trade for a short while but would be kept from stockpiling. In addition currency near the end of its shelf life would be less valuable as people would actually have to use it and could not keep it around to be used as further currency. This would make it extremely difficult for gold sellers to make a profit as bots would likely not be able to keep their supply high enough especially if combined with a decent ban policy. Once you can drive the gold sellers away from your game botters becomes pretty much a maintenance issue... you just need to be aware of them and catch any mass usage before the gold sellers can start up a profitable business again. --Bishop-- IGN: DeathIsMyBestFriend, Illirianah	Posted by Bishop120#1027 on May 17, 2013, 12:19:04 AM Quote this Post