The Definitive Way To Prevent GM Detection



monklett
06-11-2003, 11:11 PM
A while ago, I noticed that Sony changed the manner in which the EQ client does portscans when it starts up. Of course, this got me thinking about how ShowEQ might be detected. While I wasn't able to find any evidence that Sony was actively trying to find ShowEQ users, it is possible to detect network cards that are running in promiscuous mode through several means. Thus, I decided to make some changes in my hardware setup to prevent any future problems, and figured that others in the ShowEQ community might find this useful.

Maybe this has been written about before, but I didn't find it, so here 'tis:

Install:
---------

1) Get an old 10base-T ethernet card that has both an RJ-45 jack and an AUI port (looks like a joystick port) on the back.

(I use an ISA SMC-Ultra card, which is well supported under Linux; just about any 3Com or Intel cards are fine too).

2) Get an AUI adapter.

(both of these are available from eBay and other sources for less than $10--I got mine for a total investment of $17, including shipping)

3) Cut pins 3 and 10 out of the AUI adapter, using this (shitty, I know) ASCII diagram:

     1                        8
    ----------------------
    \ o o o o o o o o /
     \ o o o o o o o /
      -----------------
       9                 15

4) Compile and install ShowEQ as normal on your ShowEQ machine (I use a dedicated Pentium-233, which works great with the FPS turned down to 5).

Explanation:
----------------

What we're doing here is cutting the transmit pins on the AUI transceiver. With this mod, the hardware in your ShowEQ box will lack the physical ability to transmit anything, which obviously precludes any possibility of it responding to portscans, sending your password, etc. More simply, your machine will be able to listen but not speak.

The reason that a transceiver is necessary is two-fold.

First, modern ethernet has a hardware-based 'heartbeat' feature that will notify your network driver when there is a network connection failure, such as an inability to transmit. In most cases, the OS/driver will then disable that network connection. However, older AUI-based technology lacks this feature, so your driver will happily continue to operate regardless of transmit ability.

Second, because we are modding only the AUI transceiver, and not the network card itself, it's easy to reverse the mod when you want to communicate with the world. This way, when you want to download the new ShowEQ updates or whatever, you just unplug the network cable from the AUI port and plug it into the standard RJ-45 jack and restart the network service; no reboot is necessary. Download the updates, and then switch back to the AUI port.

Lastly, here is some additional information on this trick that I found useful:

http://www.zweknu.org/technical/index.rhtml?s=p%7C14&

Disclaimer:
--------------

While this will totally prevent Sony from detecting ShowEQ by any technical means, nothing can prevent detection through user stupidity. That means don't talk about ShowEQ, and don't act as though you have information that you shouldn't while in-game. Other than that, you will be home-free.

Mr. Suspicious
06-12-2003, 02:27 AM
Originally posted by monklett
it is possible to detect network cards that are running in promiscuous mode through several means.

It's against the EULA to have NICs running in promiscuous mode? This one is new to me.

monklett
06-12-2003, 03:48 AM
No, but it certainly could be considered suspicious on the typical home lan/cable modem setup. You could obviously come up with the usual "I was debugging my LAN" story, but I would rather not ever have to deal with that issue at all.

Plus, I suspect that some ShowEQ users would likely shoot themselves in the foot trying to use a story like that. I can easily see someone replying to a Sony e-mail with an explanation about how they were trying to figure out why [insert unrelated issue here] was causing blue-screens, and so they were running their nic in promiscuous mode, or providing some other inane explanation that would actually hurt their cause.

It's (well, kinda) a free country; run whatever you feel comfortable with. Personally, I don't want to be wondering about this-that and the other when I play, and so I run ShowEQ on a silent box.

Mr. Suspicious
06-12-2003, 05:56 AM
Originally posted by monklett
I can easily see someone replying to a Sony e-mail with an explanation about how they were trying to figure out why [insert unrelated issue here] was causing blue-screens, and so they were running their nic in promiscuous mode, or providing some other inane explanation that would actually hurt their cause.

Why would you have to explain to Sony why one of your NICs would be in promiscuous mode? That's like explaining to the supermarket manager why you are wearing slippers at home while you consume the products you buy in the supermarket. It's none of their business how your home network is set up, and even if it was, in cases where someone can't get EQ to run, so for debugging reasons, they sure cannot in any way demand an explanation for why something is set up that way.

But then again, they can ban you for "it being a Monday and it rains". *shrug* Better start adjusting everyone's calendar so it won't ever be Monday again.

Your solution (while it works) only creates a false sense of security, false, because it isn't actually needed.

Alfred
06-12-2003, 06:11 AM
It always amazes me the length to which people worry about this....

You know.. personally, a secret side of me hopes I'll get banned and then I'll have a good chunk of my life available for other things! No, I'm not about to go announcing in game that I use Seq, but like I said, there is a side of me that wouldn't be all that put out by being banned. It is a love hate relationship.

You keep worrying about this and the black copters. I'm sure lots of people appreciate this and other ideas. ;)

monklett
06-12-2003, 06:50 AM
Sony can ban you for whatever reason they want--that IS in the EULA. A weak or plain wrong explanation in response to a routine inquiry would be just the thing to set off a series of explanations that are best avoided.

Beyond that, there are security reasons why this is a good idea. Have you personally reviewed every single line of the source code that you just compiled for trojans or other security issues? No? Well, I can promise you that a silent box won't be transmitting your account information anytime soon, regardless of the code you're running.

Anyway, as I said: you run whatever you want, and I'll do the same.

Hopefully this information will provide those that prefer a more secure approach with a simple and effective means of achieving it.

And that is the whole point of this message board, right?

S_B_R
06-12-2003, 08:30 AM
One problem with Sony attempting to find NICs in promiscuous mode. If you are on a Cable modem, a random scriptkiddie, 2 doors down from your house, might be using his 1337 5k1Lz.

What I'm saying is they would get so many false positives it would be a waste of time to attempt such a thing.

Then on the other hand, many people that use SEQ run it on their "firewall". In that case there is no need to run the NIC in promiscuous mode at all.

So not only would Sony get a flood of false positives, if they did manage to weed through all the noise, they still wouldn't get everyone using SEQ anyway.

If they really wanted to stop people using SEQ their time and money would be better spent rolling the packet structure and/or encryption every few days.

Oh well, good effort though monklett ;)

throx
06-12-2003, 08:53 AM
Originally posted by monklett
I noticed that Sony changed the manner in which the EQ client does portscans when it starts up
That's an interesting observation since they haven't done scans for at least 24 months and it was never a port scan, just a process scan.

While it's interesting from a technical point of view, I don't think there is too much worry about it in game. They are far more likely to ban you for your behavior than they are anything else.

Throx

sabek
06-12-2003, 09:40 AM
So are they going to ban me for the LINUX box I have running snort on for intrusion detection?

monklett
06-12-2003, 10:12 AM
Attached is a cut-down copy of a recent firewall log; 199.108.2.* resolves to eqworld-xx.989studios.com.

My quick-glance impression is that this is just eqgame.exe looking for a home for its connection (eq is all UDP after the initial connect, correct?), but I haven't gone any farther in looking at this. What I noticed was that I used to always get just one scan each time I started EQ; now, however, there are a variable number during each gaming session. Maybe EQ now restarts its connection periodically for some reason? Perhaps this is part of the fix for the recent can't-logon-for-20-mins-after-going-LD-problem?

Who knows.

And that's the point--I don't really want to have to dig into researching this, or parse traffic logs, or audit ShowEQ code or (more generally) fuck with this any more than is necessary to get and keep it working. And while I see the point of the general sentiment here of 'don't worry about it', what I wanted was to get ShowEQ working and KNOW that there will never be any detection issues or password issues, or security issues, or really any issues at all. ;-)

Run whatever you're happy with. I'm happy with this.

Rhonwyn
06-12-2003, 11:16 AM
They can't ban you for running another box in promiscuous mode, they can ban you for whatever reason they want. Although, I doubt that "We can scan your network and see what other computers are there and what they are doing" is in the eula and they would have a hard time defending themselves if they did find a showeq box.

"You are running another box in promiscuous mode, we think you are cheating. Why are you doing that?"

"You scanned my network? Invaded my privacy? Are you using the EQ client as a backdoor into my network? Why are YOU doing that?"

Zoolander
06-12-2003, 03:16 PM
If you have a firewall how would they detect a NIC behind it running in promiscuous mode?

tristanbfg
06-12-2003, 03:43 PM
Do you even know what you are talking about?

Just how would Sony detect a card in PROMISC mode? I'd really like to hear this one.

Cryonic
06-12-2003, 06:18 PM
Simple Google Query:

http://www.securityfriday.com/promiscuous_detection_01.pdf

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=method+detect+promiscuous+NIC&btnG=Google+Search

maggotboy
06-12-2003, 06:46 PM
I had a quick read through one of the documents discussing various sniffing techniques. All the techniques for detecting a NIC in promiscuous mode had one thing in common ...

They all had to send a malformed packet to a specific target to determine whether or not that specific target was in promiscuous mode.

Assuming that's the case for all detection techniques, it would be ridiculous for Verant to attempt to send malformed packets across an entire class C subnet every time EQ is run. I run behind a router, so if I was really paranoid I'd just put my ShowEQ box on a different class B subnet and be done with the silliness.

Maggotboy

S_B_R
06-12-2003, 07:44 PM
It should be possible to construct an IPTables rule that would function the same way the hardware filter does....

monklett
06-12-2003, 09:42 PM
Originally posted by Zoolander
If you have a firewall how would they detect a NIC behind it running in promiscuous mode?

They would put the detection features in the EQ client, which is behind the firewall.

In fact, they would probably do this anyway, since it would place the processing burden on the client machine, allowing them far greater detection capacity; why overload your server if you don't have to?

Originally posted by maggotboy
Assuming that's the case for all detection techniques...

Don't assume.

The common method involves bursting the LAN with a flood of packets while timing the response time from each NIC; promiscuous cards will take much longer to respond. My understanding is that this method can be made to work with well-formed packets, although I haven't personally tested it.

Originally posted by maggotboy
...it would be ridiculous for Verant to attempt to send malformed packets across an entire class C subnet every time EQ is run. I run behind a router, so if I was really paranoid I'd just put my ShowEQ box on a different class B subnet and be done with the silliness.

You're right (and the same would apply to flooding, even with legit packets); that would be a more elegant solution. S_B_R's suggestion of using IPTables would also work, and is (IMO) an even better solution.

However, my point was simply this: here is a simple, cheap, easily-achievable way for even non-technical ShowEQ users to be absolutely sure that they won't run into problems down the road, regardless of whether they may be detection problems, password problems, or general security problems (ShowEQ only runs as root, unless you want to further complicate your setup).

Thanks to the flexibility of Linux, all of these aims can also be done with software (hell, you could just remove all the transmit code from the nic driver source), but those aren't solutions that are cheap, easy, fast, and reliable for non-technical users.

Again, run whatever you're happy with.
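A software-only version of the "listen but don't speak" interface, which is what S_B_R's IPTables suggestion and monklett's reply above point at. This is an added example written for this page, not S_B_R's or monklett's own code and not part of ShowEQ. It assumes a Linux host with iproute2, iptables/ip6tables and sysctl, that the sniffing interface is named on the command line (`eth1` is a placeholder), and that a separate management interface carries whatever the host itself needs to send. It does a bit more than a single iptables rule, because iptables only sees IP traffic: ARP replies and IPv6 neighbour discovery would still leave the card, so the script also strips the address, disables ARP and turns IPv6 off on that interface. The same setup is the usual way to run a passive IDS sensor interface.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): a receive-only sensor
# interface done in software instead of with cut AUI pins.
# Assumptions: Linux, iproute2, iptables/ip6tables, sysctl; $1 is the sniffing
# interface ("eth1" in the usage line is a placeholder); a separate management
# interface is left untouched by these rules.

# Emit the commands for one receive-only interface. Printing them first lets
# you review them; pipe into sh as root once you are satisfied.
build_rules() {
    iface="$1"
    [ -n "$iface" ] || { echo "usage: build_rules <iface>" >&2; return 1; }
    cat <<EOF
# No address: nothing to answer ARP for, no source address to speak with.
ip addr flush dev ${iface}
# NOARP stops ARP requests/replies; PROMISC lets the sniffer see every frame.
ip link set dev ${iface} arp off promisc on up
# No IPv6 link-local autoconf, so no router solicitations or neighbour discovery.
sysctl -w net.ipv6.conf.${iface}.disable_ipv6=1
# Belt and braces: drop anything the IP stack still tries to send out this way.
iptables -I OUTPUT 1 -o ${iface} -j DROP
iptables -I FORWARD 1 -o ${iface} -j DROP
ip6tables -I OUTPUT 1 -o ${iface} -j DROP
ip6tables -I FORWARD 1 -o ${iface} -j DROP
EOF
}

# Decide from the flag block that "ip -o link show" prints, e.g.
# "BROADCAST,NOARP,PROMISC,UP,LOWER_UP", whether the interface is in the
# intended state. Returns 0 when both NOARP and PROMISC are set, 1 otherwise.
flags_are_silent() {
    flags="$1"
    case "$flags" in
        *NOARP*) ;;
        *) return 1 ;;
    esac
    case "$flags" in
        *PROMISC*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against the running system (the interface must exist).
verify_silent() {
    iface="$1"
    flags=$(ip -o link show dev "$iface" 2>/dev/null | sed -n 's/.*<\([^>]*\)>.*/\1/p')
    [ -n "$flags" ] || { echo "no such interface: $iface" >&2; return 1; }
    flags_are_silent "$flags"
}

# Usage:
#   build_rules eth1            # review the commands
#   build_rules eth1 | sudo sh  # apply them
#   verify_silent eth1          # confirm NOARP and PROMISC are both set
```

Unlike the cut pins, this lives in the kernel's configuration: anyone with root on the box (including a trojaned build, which monklett raises later in the thread) can undo it, so it is a convenience equivalent, not a physical guarantee.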

Raistlin
06-12-2003, 10:05 PM
Monklett has posted some good info here. No, it's not necessary to do, and yes it is being paranoid, but come on, give the guy a break.

Monklett says here's a way to further hinder detection, a lot of others say, it's not needed. Cool.

Does anyone believe that what Monk is suggesting is BAD information? Unnecessary maybe, but truly, it's not bad. Following his advice isn't going to make it easier for SOE to detect (not that they are or are going to) NICs in Promiscuous Mode, and on the surface really does remove ALL doubt (not that there is much to begin with).

I agree it's unnecessary, but it's not worthless information either.

--Raistlin

tamasine
06-13-2003, 02:44 AM
of course.. the other thing that takes far longer to reply to packets is a slow computer. my 486DX50 for example with an original NE1000.

i thought that the method of detecting promisc. interfaces was a before/after comparison affair (or comparing comparable machines). with unknown devices on the network there is no baseline "how fast should it respond". if you had a magic "detect promisc." routine it would also pickup any hubs with ip addresses, bridging firewalls (my favorite), IDSs etc etc - and wouldn't get SEQ running on routers.

and besides which.. everquest doing this would be.. a touch visible and provoke an absolute storm of protest.. not to mention it would be blocked by half the windows firewalls..

Ricochet
06-13-2003, 07:16 AM
This guy's not paranoid is he? Personally I won't be messing with my hardware because I'm scared someone might find out there's a chance that possibly there could be a NIC on my lan that's uhhh sniffin stuff. It's just silly, call it good info if you want, but then again, don't fix what ain't broke.

Sony would much rather have my $13 bux a month than ban me cause they "think" I'm running showeq.

Don't worry so much man, take it easy once in a while.

S_B_R
06-13-2003, 09:59 AM
Originally posted by Raistlin
Monklett has posted some good info here. No, it's not necessary to do, and yes it is being paranoid, but come on, give the guy a break.

Monklett says here's a way to further hinder detection, a lot of others say, it's not needed. Cool.

Does anyone believe that what Monk is suggesting is BAD information? Unnecessary maybe, but truly, it's not bad. Following his advice isn't going to make it easier for SOE to detect (not that they are or are going to) NICs in Promiscuous Mode, and on the surface really does remove ALL doubt (not that there is much to begin with).

I agree it's unnecessary, but it's not worthless information either.

--Raistlin

I agree, it's very good information, and I gave him a "good effort" in my first post. :D Plus it's got me looking more in-depth into IPTables, which I've been meaning to do for quite some time.

So Thanks again Monklett, good topic for discussion ya got going here ;)

Alfred
06-13-2003, 04:44 PM
Yes I agree...

that it is good information in general, simply because... if you don't know everything about linux this can be a sure fire way to make certain someone won't be able to use a trojan / back door program on your PC. Possibly you left your ftp daemon running with a stupid login password. Who knows...

What I still think is comical, is the way everyone (correction: some of you) thinks of EQ as 'the man' that is out to get you. Be as paranoid as you want, it provides me with amusement. I can point at you guys and say.. "see.. there are people like that in the world that freak out over a game..."

monklett
06-13-2003, 09:19 PM
Good security is all about balancing the effort of securing versus the risks.

In this case, the mod that I recommended takes about 30 seconds to accomplish; you just cut a couple of pins on the AUI adapter. The rest of the install is the same as it would otherwise be. It's even reversible in about 5 seconds; you just switch the network cable to another port.

On the other hand, there is no authoritative information on Sony's efforts to track ShowEQ usage, and it is possible to detect promiscuous NICs on a LAN. While there is much anecdotal evidence that Sony doesn't care, etc., the point remains that we simply don't KNOW. Things could also change in the future, and I'm fairly sure that Sony wouldn't be sending out a press release if it changes countermeasures.

EQ has also been the focus of several security attempts, including a trojan UI mod that attempted to hijack passwords and at least one series of forged Sony customer service communications; these facts clearly indicate that EQ is of interest to crackers. Furthermore, ShowEQ is typically compiled straight out of CVS, is recompiled comparatively often, and frequently relies on custom ad-hoc patches. All of these facts make it a relatively easy target for a trojan attempt.

Personally, I think that 30 seconds with a pair of wire cutters in exchange for being able to prevent all these possibilities from ever being issues is a good deal, but you should run whatever you feel comfortable with.

suseuser7341
06-14-2003, 11:49 AM
Hm I don't care a damn about SEQ, but this is a nice idea to hide an IDS :)

LordCrush
06-14-2003, 01:54 PM
SEQ is not the only cause a NIC runs in P-Mode... not sure but I think most of the time minimum one NIC here in my LAN runs in P-Mode ;) ... and I don't think SoE wants to ban all who do troubleshooting ... i.e. I had a problem with channels and a NAT router some time ago and I only got it fixed with packet tracing ...

2cp
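LordCrush's point that some interface on a LAN is usually in promiscuous mode for perfectly ordinary reasons, together with monklett's earlier point that such cards can in principle be spotted, suggests the first defensive step: know which of your own interfaces are in that mode before anyone else does. The audit below is an added example written for this page, not code from the thread or from ShowEQ. It assumes a Linux host with sysfs mounted and uses the kernel's IFF_UP, IFF_NOARP and IFF_PROMISC bit values as exposed in `/sys/class/net/<iface>/flags`.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): list the interfaces on
# this Linux host that are in promiscuous mode by decoding the IFF_* bits the
# kernel exposes in /sys/class/net/<iface>/flags (a hex word such as 0x1103).
# Assumes sysfs is mounted. Bit values are the Linux if.h constants.

IFF_UP=1          # 0x001: interface is administratively up
IFF_NOARP=128     # 0x080: no ARP on this interface (typical for a sensor port)
IFF_PROMISC=256   # 0x100: promiscuous mode, i.e. a sniffer is attached

# Return 0 if the hex flags word has IFF_PROMISC set, 1 otherwise.
is_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# Render the three bits we care about as a short label, e.g. "UP,PROMISC".
describe_flags() {
    flags="$1"
    out=""
    if [ $(( flags & IFF_UP )) -ne 0 ]; then out="${out}UP,"; fi
    if [ $(( flags & IFF_NOARP )) -ne 0 ]; then out="${out}NOARP,"; fi
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then out="${out}PROMISC,"; fi
    printf '%s\n' "${out%,}"
}

# Walk sysfs and print one line per interface that is currently promiscuous.
# An interface listed here should have a known owner (tcpdump, snort, a
# bridge, ShowEQ); one you cannot account for is worth investigating.
audit_promisc() {
    for dir in /sys/class/net/*; do
        [ -r "$dir/flags" ] || continue
        flags=$(cat "$dir/flags")
        if is_promisc "$flags"; then
            printf '%s: flags=%s (%s)\n' "${dir##*/}" "$flags" "$(describe_flags "$flags")"
        fi
    done
    return 0
}

# Usage: sh promisc_audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_promisc; fi
```

Bear in mind that this only reports the interface flag; a tool that sniffs through a kernel bridge or a mirrored switch port can see traffic without ever setting IFF_PROMISC on the interface you are looking at.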

tamasine
06-20-2003, 01:53 AM
of course, someone who does this and makes their nic undetectable could well feel so safe and secure that they forget not to hare across the zone to a rare.

GMs don't snoop networks, they watch players and wait for players petitioning tracking by non-trackers. so personally i find the thread title about as misleading as possible.

tams

internetmafia
08-10-2003, 12:16 AM
SOE scanning your network is also against federal laws, the EULA only grants them to scan the EQ folder and the space that it is taking up in RAM. anything outside of that is legally offlimits. but if you don't want to be detected, don't make a beeline for a freshly popped rare mob or use SEQ with a druid alt so you at least can act like you were using real tracking skill.

Zoolander
08-10-2003, 02:05 AM
Which federal law is that?

internetmafia
08-10-2003, 11:27 PM
Last I checked it wasn't legal for someone or some company to go snooping around private networks, I know if I went snooping around the SOE network and they traced it to me I'd get a visit from the FBI.

throx
08-11-2003, 12:28 PM
They would have to change the EULA to be able to scan stuff. I had a quick look and there's nothing in there at the moment that looks like it would allow them to do this. Of course, changing the EULA is trivial for them.

This all misses the point. Sony's not going to ban you for having a card on your network in promisc. mode. There are just too many perfectly valid reasons for doing so and banning innocent paying customers isn't a good way to run a business. Realistically, you'll see them banning all Magelo users (for sniffing memory) before you see them scanning for Linux boxes.

The *real* definitive way to not get banned for SEQ is to *never* act on the information you've received from it. That's what gets you banned - zoning into Kael and saying "/gu Hey guys, SoRZ is up!".

Zoolander
08-11-2003, 10:32 PM
So you're saying it's against a federal law you can't quite remember the name of?

S_B_R
08-11-2003, 10:58 PM
It's a 2 month old thread let it go already/again...

;)