MOO-cows Mailing List Archive
On Thu, 18 Jul 1996, Richard Godard wrote:
> Not just security holes.. Allowing players to call ;force_input on
> themselves allows them to create a new kind of forkbomb, a hard to find
> one. Make a verb that calls force_input on yourself, calling that verb.
> (Call force_input only once if you just want to see if it works, call it
> twice or more if you want to see what happens to the server) You can't see
> it in the forked list, and I don't think there is a way to kill the tasks
> (yet?) from within the server...
Said attack has been possible for years now with client programs.
If someone spams the server, @newt him, then type
; set_connection_option(who, "flush-command", ".flush")
; force_input(who, ".flush", 1)
(I'm not entirely sure about the set_connection_option, I don't use it much)
LambdaCore's latest $login has a flood-prevention service built in. If
you're concerned about un-logged-in users flooding, port it.
It's not particularly hard to find flooders either. You can keep a running
average of interval between commands through $do_command() and if this
interval drops below X threshold for Y amount of time, you boot the offender
and deal with him. I recommend only activating flood-detection when you
Also note that network buffers exist for both input and output. It's
possible to overflow your input buffer (and I have done this on a highly
lagged MOO) and the server will simply drop the excess input.
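
The running-average check described in the reply above, as an added example that is not part of the original post and is a Python model of the logic rather than MOO code. `FloodDetector`, `min_interval` (X), `sustain` (Y), the smoothing factor `alpha` and the sample timestamps are assumptions; in a MOO the `observe` call would sit in `$do_command()`.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class _State:
    last: float                          # time of the previous command
    avg: Optional[float] = None          # running average interval (EWMA)
    below_since: Optional[float] = None  # when avg first fell below X


class FloodDetector:
    """Flag a connection whose average command interval stays below
    min_interval (X) for at least sustain (Y) seconds. Values are assumed."""

    def __init__(self, min_interval=0.5, sustain=5.0, alpha=0.2):
        self.min_interval, self.sustain, self.alpha = min_interval, sustain, alpha
        self.state: Dict[str, _State] = {}

    def observe(self, who: str, now: float) -> bool:
        """Record one command from `who`; return True if they should be booted."""
        st = self.state.get(who)
        if st is None:                   # first command: no interval yet
            self.state[who] = _State(last=now)
            return False
        gap, st.last = now - st.last, now
        # Exponentially weighted running average of the inter-command gap.
        st.avg = gap if st.avg is None else self.alpha * gap + (1 - self.alpha) * st.avg
        if st.avg >= self.min_interval:  # back to normal pace: reset the timer
            st.below_since = None
            return False
        if st.below_since is None:
            st.below_since = now
        return now - st.below_since >= self.sustain


def first_flag(times: Iterable[float], who: str = "#123") -> Optional[float]:
    """Feed constructed command timestamps; return when `who` is first flagged."""
    det = FloodDetector()
    for t in times:
        if det.observe(who, t):
            return t
    return None


if __name__ == "__main__":
    print("typist :", first_flag(i * 2.0 for i in range(30)))
    print("flooder:", first_flag(i * 0.25 for i in range(40)))
    print("paste  :", first_flag([0, 0.25, 0.5, 0.75, 1.0, 3, 5, 7]))
```

The sustain window is what keeps a short paste of several lines from being treated as a flood.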