
Thread: The Definitive Way To Prevent GM Detection

  1. #1
    Registered User
    Join Date
    Jun 2003
    Posts
    33

    The Definitive Way To Prevent GM Detection

    A while ago, I noticed that Sony changed the manner in which the EQ client does portscans when it starts up. Of course, this got me thinking about how ShowEQ might be detected. While I wasn't able to find any evidence that Sony was actively trying to find ShowEQ users, it is possible to detect network cards that are running in promiscuous mode through several means. Thus, I decided to make some changes in my hardware setup to prevent any future problems, and figured that others in the ShowEQ community might find this useful.

    Maybe this has been written about before, but I didn't find it, so here 'tis:

    Install:
    ---------

    1) get an old 10base-T ethernet card that has both an RJ-45 jack and an AUI port (looks like a joystick port) on the back.

    (I use an ISA SMC-Ultra card, which is well supported under Linux; just about any 3Com or Intel cards are fine too).

    2) get an AUI adapter.

    (both of these are available from eBay and other sources for less than $10--I got mine for a total investment of $17, including shipping)

    3) Cut pins number 3 and 10 out of the AUI adapter, using this (shitty, I know) ASCII diagram:

    .....1........................8
    ....----------------------
    ....\.o.o.o.o.o.o.o.o./
    .....\.o.o.o.o.o.o.o./
    ......-----------------
    .......9.................15

    4) Compile and install ShowEQ as normal on your ShowEQ machine (I use a dedicated Pentium-233, which works great with the FPS turned down to 5).

    Explanation:
    ----------------

    What we're doing here is cutting the transmit pins on the AUI transceiver. With this mod, the hardware in your ShowEQ box will lack the physical ability to transmit anything, which obviously precludes any possibility of it responding to portscans, sending your password, etc. More simply, your machine will be able to listen but not speak.

    The reason that a transceiver is necessary is two-fold.

    First, modern ethernet has a hardware-based 'heartbeat' feature that will notify your network driver when there is a network connection failure, such as an inability to transmit. In most cases, the OS/driver will then disable that network connection. However, older AUI-based technology lacks this feature, so your driver will happily continue to operate regardless of transmit ability.

    Second, because we are modding only the AUI transceiver, and not the network card itself, it's easy to reverse the mod when you want to communicate with the world. This way, when you want to download the new ShowEQ updates or whatever, you just unplug the network cable from the AUI port and plug it into the standard RJ-45 jack and restart the network service; no reboot is necessary. Download the updates, and then switch back to the AUI port.

    Lastly, here is some additional information on this trick that I found useful:

    http://www.zweknu.org/technical/index.rhtml?s=p%7C14&

    Disclaimer:
    --------------

    While this will totally prevent Sony from detecting ShowEQ by any technical means, nothing can prevent detection through user stupidity. That means don't talk about ShowEQ, and don't act as though you have information that you shouldn't while in-game. Other than that, you will be home-free.

  2. #2
    Registered User Mr. Suspicious's Avatar
    Join Date
    May 2002
    Posts
    667
    it is possible to detect network cards that are running in promiscuous mode through several means.
    It's against the EULA to have NICs running in promiscuous mode? This one is new to me.
    Before asking anything read the pre-face section of http://www.smoothwall.org/download/p....9/doc.faq.pdf

    after you've read it, you know what to do next...




    "Stay alert! Trust noone! Keep your Lazers Handy! Have a nice day." -- Provided courtesy of the Computer. The Computer never lies.

  3. #3
    Registered User
    Join Date
    Jun 2003
    Posts
    33
    No, but it certainly could be considered suspicious on the typical home lan/cable modem setup. You could obviously come up with the usual "I was debugging my LAN" story, but I would rather not ever have to deal with that issue at all.

    Plus, I suspect that some ShowEQ users would likely shoot themselves in the foot trying to use a story like that. I can easily see someone replying to a Sony e-mail with an explanation about how they were trying to figure out why [insert unrelated issue here] was causing blue-screens, and so they were running their nic in promiscuous mode, or providing some other inane explanation that would actually hurt their cause.

    It's (well, kinda) a free country; run whatever you feel comfortable with. Personally, I don't want to be wondering about this-that and the other when I play, and so I run ShowEQ on a silent box.

  4. #4
    Registered User Mr. Suspicious's Avatar
    Join Date
    May 2002
    Posts
    667
    I can easily see someone replying to a Sony e-mail with an explanation about how they were trying to figure out why [insert unrelated issue here] was causing blue-screens, and so they were running their nic in promiscuous mode, or providing some other inane explanation that would actually hurt their cause.
    Why would you have to explain to Sony why one of your NICs would be in promiscuous mode? That's like explaining to the supermarket manager why you are wearing slippers at home while you consume the products you buy in the supermarket. It's none of their business how your home network is set up, and even if it was, in cases where someone can't get EQ to run, so for debugging reasons, they sure cannot in any way demand an explanation for why something is set up in such a way.

    But then again, they can ban you for "it being a Monday and it rains". *shrug* Better start adjusting everyone's calendar so it won't ever be Monday again.

    Your solution (while it works) only creates a false sense of security, false, because it isn't actually needed.
    Last edited by Mr. Suspicious; 06-12-2003 at 05:58 AM.

  5. #5
    Registered User
    Join Date
    Dec 2002
    Posts
    126
    It always amazes me the length to which people worry about this....



    You know.. personally, a secret side of me hopes I'll get banned and then I'll have a good chunk of my life available for other things! No, I'm not about to go announcing in game that I use Seq, but like I said, there is a side of me that wouldn't be all that put out by being banned. It is a love hate relationship.

    You keep worrying about this and the black copters. I'm sure lots of people appreciate this and other ideas.

  6. #6
    Registered User
    Join Date
    Jun 2003
    Posts
    33
    Sony can ban you for whatever reason they want--that IS in the EULA. A weak or plain wrong explanation in response to a routine inquiry would be just the thing to set off a series of explanations that are best avoided.

    Beyond that, there are security reasons why this is a good idea. Have you personally reviewed every single line of the source code that you just compiled for trojans or other security issues? No? Well, I can promise you that a silent box won't be transmitting your account information anytime soon, regardless of the code you're running.

    Anyway, as I said: you run whatever you want, and I'll do the same.

    Hopefully this information will provide those that prefer a more secure approach with a simple and effective means of achieving it.

    And that is the whole point of this message board, right?

  7. #7
    Registered User
    Join Date
    Dec 2001
    Posts
    849
    One problem with Sony attempting to find NICs in promiscuous mode. If you are on a Cable modem, a random scriptkiddie, 2 doors down from your house, might be using his 1337 5k1Lz.

    What I'm saying is they would get so many false positives it would be a waste of time to attempt such a thing.

    Then on the other hand, many people that use SEQ run it on their "firewall". In that case there is no need to run the NIC in promiscuous mode at all.

    So not only would Sony get a flood of false positives, if they did manage to weed through all the noise, they still wouldn't get everyone using SEQ anyway.

    If they really wanted to stop people using SEQ their time and money would be better spent rolling the packet structure and/or encryption every few days.

    Oh well, good effort though monklett
    Last edited by S_B_R; 06-12-2003 at 08:33 AM.
    "What you've just said is one of the most insanely, idiotic things I've ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you NO points, and may god have mercy on your soul."

  8. #8
    Registered User
    Join Date
    Aug 2002
    Posts
    143
    I noticed that Sony changed the manner in which the EQ client does portscans when it starts up
    That's an interesting observation since they haven't done scans for at least 24 months and it was never a port scan, just a process scan.

    While it's interesting from a technical point of view, I don't think there is too much worry about it in game. They are far more likely to ban you for your behavior than they are anything else.

    Throx

  9. #9
    Registered User
    Join Date
    May 2003
    Posts
    3
    So are they going to ban me for the LINUX box I have running snort on for intrusion detection?

  10. #10
    Registered User
    Join Date
    Jun 2003
    Posts
    33
    Attached is a cut-down copy of a recent firewall log; 199.108.2.* resolves to eqworld-xx.989studios.com.

    My quick-glance impression is that this is just eqgame.exe looking for a home for its connection (eq is all UDP after the initial connect, correct?), but I haven't gone any farther in looking at this. What I noticed was that I used to always get just one scan each time I started EQ; now, however, there are a variable number during each gaming session. Maybe EQ now restarts its connection periodically for some reason? Perhaps this is part of the fix for the recent can't-logon-for-20-mins-after-going-LD-problem?

    Who knows.

    And that's the point--I don't really want to have to dig into researching this, or parse traffic logs, or audit ShowEQ code or (more generally) fuck with this any more than is necessary to get and keep it working. And while I see the point of the general sentiment here of 'don't worry about it', what I wanted was to get ShowEQ working and KNOW that there will never be any detection issues or password issues, or security issues, or really any issues at all. ;-)

    Run whatever you're happy with. I'm happy with this.

  11. #11
    Registered User
    Join Date
    Jan 2003
    Posts
    17
    They can't ban you for running another box in promiscuous mode, they can ban you for whatever reason they want. Although, I doubt that "We can scan your network and see what other computers are there and what they are doing" is in the EULA and they would have a hard time defending themselves if they did find a showeq box.

    "You are running another box in promiscuous mode, we think you are cheating. Why are you doing that?"

    "You scanned my network? Invaded my privacy? Are you using the EQ client as a backdoor into my network? Why are YOU doing that?"

  12. #12
    Registered User
    Join Date
    May 2003
    Posts
    34
    If you have a firewall how would they detect a NIC behind it running in promiscuous mode?

  13. #13
    Registered User
    Join Date
    Dec 2001
    Posts
    10

    Promisc Mode...

    Do you even know what you are talking about?

    Just how would Sony detect a card in PROMISC mode? I'd really like to hear this one.

  15. #15
    Registered User
    Join Date
    Nov 2002
    Posts
    115
    I had a quick read through one of the documents discussing various sniffing techniques. All the techniques for detecting a NIC in promiscuous mode had one thing in common ...

    They all had to send a malformed packet to a specific target to determine whether or not that specific target was in promiscuous mode.

    Assuming that's the case for all detection techniques, it would be ridiculous for Verant to attempt to send malformed packets across an entire class C subnet every time EQ is run. I run behind a router, so if I was really paranoid I'd just put my ShowEQ box on a different class B subnet and be done with the silliness.

    Maggotboy
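
Added example, not part of any post in this thread: the detection techniques discussed above probe a NIC from the outside, whereas an administrator on a Linux host can read the kernel's flag word for each interface and check the PROMISC bit directly. The sample flag values and interface names below are constructed; the bit values come from `<linux/if.h>`.

```python
from pathlib import Path

# Interface flag bits from <linux/if.h>.
IFF_FLAGS = {
    0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x40: "RUNNING",
    0x80: "NOARP", 0x100: "PROMISC", 0x200: "ALLMULTI", 0x1000: "MULTICAST",
}

# Constructed sample: contents of /sys/class/net/<iface>/flags on a
# hypothetical host where eth1 is capturing and tun0 returned junk.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1003\n",
                "eth1": "0x1103\n", "tun0": "garbage"}


def decode_flags(text):
    """Turn a sysfs flags string such as '0x1103' into a set of flag names."""
    value = int(text.strip(), 16)  # raises ValueError on malformed input
    return {name for bit, name in IFF_FLAGS.items() if value & bit}


def promiscuous_interfaces(flag_files):
    """Return (promiscuous, unreadable) interface names, each sorted.

    Entries that cannot be parsed are reported separately instead of
    being silently counted as clean.
    """
    hits, unreadable = [], []
    for iface, text in flag_files.items():
        try:
            flags = decode_flags(text)
        except ValueError:
            unreadable.append(iface)
            continue
        if "PROMISC" in flags:
            hits.append(iface)
    return sorted(hits), sorted(unreadable)


def read_sysfs(root="/sys/class/net"):
    """Collect the flag files of the local machine (Linux only)."""
    found = {}
    for path in Path(root).glob("*/flags"):
        try:
            found[path.parent.name] = path.read_text()
        except OSError:
            continue  # interface vanished or file not readable
    return found


if __name__ == "__main__":
    # Fall back to the constructed sample when sysfs is not available.
    print(promiscuous_interfaces(read_sysfs() or SAMPLE_FLAGS))
```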
