
Security Alert/Hack Attempts

The EverQuest for the Macintosh servers and their networks are access-controlled, secured, and monitored systems. It is not likely that they will ever be used as a launchpad for hack attempts across the Internet. The two most common causes of an alert on your firewall are false alarms caused by the kind of networking our games use, and replies to packets whose source IP address was spoofed to look like yours.

The EverQuest for the Macintosh game uses a high rate of UDP packets to pass game movement and change data between the client (your Mac) and our servers. ICMP messages (chiefly Port Unreachable) accompany that UDP data whenever the client or server disconnects, or when a character zones and the timing isn't perfectly synchronized, so that one side is still sending to a port the other side has already closed. Traffic can be on any UDP port greater than 1024, and during the course of the game a client Mac will regularly connect to different servers and different ports. When zones are restarted, they will often come up on different ports than they were previously on.

The EverQuest for the Macintosh game is also very aggressive when attempting to recover from connectivity problems. During times of poor connectivity (e.g. ISP congestion, route flapping, backbone circuit outage), the EQ clients and servers will retransmit packets at an increasing packet rate for up to 30 seconds. At the 10th or 20th second, this rate can be quite high and may appear to be a traffic flood.

Most personal firewall software (e.g. NetBarrier, DoorStop, Norton Personal Firewall) may cause a false alarm, reporting valid EQMac traffic as hacking attempts in certain conditions. This false alarm may be caused by the high rate of packets, and early disconnect situations (where our servers think you've disconnected from a zone before your Mac can process that change, and vice-versa). The most common false alarms are:

  • "Default Block Bla Trojan", also simply called "UDP port scan": your logs only show traffic from one port >1024 on our server to one port >1024 on your Mac. This is *NOT* a true fingerprint of a port scan. A true port scan will often hit many ports (e.g. port 1 through port 65535), or known sensitive ports (e.g. 7, 9, 13, 53, 111, 123, 137, 161, 2049, 13373, etc.). This alert usually appears when your computer closes or crashes the game application, or when you zone, while there are still unacknowledged packets in the server's queue.
  • "Default Block Remote Grab", also called "Inbound TCP connection" and usually referencing a 'vdolive' service or port 7000: our patchers for EverQuest and Tanarus are TCP servers running on port 7000. When you start one of our games that uses a patcher, your client Mac makes a connection to one of our many patchers at port 7000, and our patchers send updates back to you from port 7000. To optimize the patching process, we use load-balancing network hardware and have distributed the patchers among different geographic locations. As an artifact of that optimization, there are times when your patching client will complete the process, but a few more packets keep coming back from the patching servers.
  • UDP packet storm/flood: EverQuest uses a highly optimized retransmit scheme to recover from lost UDP packets. During times of Internet connectivity problems between your Mac and our servers, there may be a high rate of retransmitted small UDP packets until the communication session recovers, some times for up to 30 seconds. There is also an unlikely event that will cause UDP packets to continue to come in from the old zone for up to 10 seconds.
  • ICMP Unreachable storm/flood: an ICMP Port Unreachable message is generated for each UDP packet that arrives at a port the server or client is no longer listening on. Because of the high rate of UDP packets, following any port change or brief connectivity outage there might be a high rate of ICMP Unreachable packets for up to 30 seconds.
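The false-alarm signatures in the list above can be checked mechanically rather than by eye. The following is an added example written for this page; it is not Sony's code or any firewall vendor's. It parses a constructed, hypothetical log format (one line per blocked packet: date, time, action, protocol, source, destination), groups the lines by remote host, and applies the article's rules: many or sensitive destination ports means a real scan; ICMP only, inside the 30-second recovery window, is an Unreachable burst; TCP from port 7000 is patcher residue; a single port >1024 to a single port >1024 within 30 seconds is residual game UDP. The TEST-NET addresses, the sample lines and the cut-off of ten distinct ports are assumptions made for the demo.

```python
"""Apply this article's false-alarm heuristics to personal-firewall log lines.

Added example for this page; it is not Sony's code or any firewall vendor's.
The log format, the addresses and the numeric cut-offs are assumptions
(constructed for the demo), so adapt LINE_RE to what your firewall writes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article lists as "known sensitive" targets of a real scan.
SENSITIVE_PORTS = {7, 9, 13, 53, 111, 123, 137, 161, 2049, 13373}
PATCHER_PORT = 7000                        # TCP port the article gives for the patchers
RESIDUAL_WINDOW = timedelta(seconds=30)    # article: residual traffic lasts up to 30 s
SCAN_PORT_THRESHOLD = 10                   # assumed cut-off for "many ports"; the article gives none

# Assumed log format: "<date> <time> <action> <proto> <src>[:<sport>] -> <dst>[:<dport>] ...".
LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>UDP|TCP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse(lines):
    """Turn log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
        })
    return events


def classify(events):
    """Return {source_ip: verdict}, judging each remote host by the article's rules."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
        ported = [e for e in evs if e["proto"] in ("UDP", "TCP")]
        dports = {e["dport"] for e in ported}
        if dports & SENSITIVE_PORTS or len(dports) >= SCAN_PORT_THRESHOLD:
            # Many ports, or the sensitive ones: the real fingerprint of a scan.
            verdicts[src] = "port scan"
        elif not ported and span <= RESIDUAL_WINDOW:
            # Only ICMP from this host, inside the 30 s recovery window.
            verdicts[src] = "icmp burst"
        elif ported and all(e["proto"] == "TCP" and e["sport"] == PATCHER_PORT for e in ported):
            # Late packets from a patcher after the client finished.
            verdicts[src] = "patcher residue"
        elif (len(dports) == 1 and span <= RESIDUAL_WINDOW
              and all(e["proto"] == "UDP" and e["sport"] > 1024 and e["dport"] > 1024
                      for e in ported)):
            # One port >1024 to one port >1024: unacknowledged zone traffic, not a scan.
            verdicts[src] = "residual game udp"
        else:
            verdicts[src] = "unclassified"
    return verdicts


def _line(sec, proto, src, sport, dst, dport):
    return f"2003-04-12 21:03:{sec:02d} BLOCK {proto} {src}:{sport} -> {dst}:{dport}"


# Constructed sample log (TEST-NET addresses stand in for game servers and a scanner).
SAMPLE_LOG = (
    [_line(s, "UDP", "198.51.100.10", 1420, "192.168.1.5", 1490) for s in range(0, 20, 2)]
    + ["2003-04-12 21:03:19 BLOCK ICMP 198.51.100.10 -> 192.168.1.5 type=3 code=3"]
    + [f"2003-04-12 21:03:{s:02d} BLOCK ICMP 198.51.100.11 -> 192.168.1.5 type=3 code=3"
       for s in (20, 21, 22)]
    + [_line(s, "TCP", "198.51.100.20", 7000, "192.168.1.5", 49152) for s in (30, 31)]
    + [_line(i, "UDP", "203.0.113.9", 40000 + i, "192.168.1.5", p)
       for i, p in enumerate((7, 9, 13, 53, 111, 123, 137, 161, 2049))]
)


def demo():
    return classify(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, verdict in sorted(demo().items()):
        print(f"{ip:15} {verdict}")
```

The scan rule is deliberately checked first: a host that touches a sensitive port is reported as a scan even if its other traffic looks like game residue, because that is the one case the article says is worth reporting to eqtech@station.sony.com.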

Some possible scenarios where these conditions might occur:

  • Your upstream ISP has a circuit down for a few seconds while you're playing EverQuest, during which time your computer might disconnect from the game. When the circuit comes back, your computer will receive a flood of retransmitted packets for a few seconds. Your firewall software doesn't expect those packets, since your computer has disconnected from the game, but our game servers haven't processed your disconnect yet, so they are still sending you traffic. This scenario can be even worse if your Mac is behind a NAT device, because the ICMP messages that would notify our server of your disconnect do not NAT properly.
  • Somebody else on the Internet is attempting to probe or attack our EQ servers, and is doing so with a forged source address, and the address they used happens to be yours. In this case, malicious packets come in to our network, our firewalls or servers respond, but the packets are sent back to you, the true user of the IP address the packets appeared to come from. Unfortunately, in this case, it's nearly impossible to determine where the forged packets are coming from.
  • You just connected to the Internet via dial-up, PPPoE, or other method where you get your IP address dynamically. If someone using the same ISP as you was playing EverQuest when they lost their Internet connection, and you connected within 30 seconds of that, you might have gotten their IP address. Since it can take up to 30 seconds until our servers mark an abrupt disconnect like that as a client out of game, you might be getting some of the residual packets that were intended for the previous user of that IP address.

In all of these cases, hacking attempt alerts from your firewall software aren't anything to worry about -- chances are it was either a hiccup in the game or the network, or somebody trying to attack *us*, and not you.

If you have considered the above scenarios, and still believe you were subjected to an attack, please send any details (logfile output, etc.) to eqtech@station.sony.com.

Glossary of Terms used in this document

>1024: "greater than 1024" - port numbers in the range 1025 through 65535. During an IP communication session, 2 hosts (e.g. your client Mac and our server) send packets to each other specifying source and destination IP addresses and port numbers. This is how the packets get to the right program running on your computer as well as on our servers.

DHCP: Dynamic Host Configuration Protocol - a standard way for a computer to attach to a network and ask for an IP address and the other settings it needs to communicate properly on that network. Commonly used in office environments, on cable modem connections, and on DSL services.

Host: any device (e.g. computer, router) that connects to a network. Specific to this document, any device that connects to the Internet using an IP address with the intention of communicating with other hosts on the Internet. Your Mac that you run our game client on is a host, as is our server running the game.

ICMP: Internet Control Message Protocol - a set of messages that hosts and routers can send to other hosts on the Internet to inform the networking software on those hosts of conditions (e.g. an unreachable port or host) that affect the traffic a host is attempting to send.

IP: Internet Protocol - the standard protocol that allows many heterogeneous hosts to communicate with each other over the Internet. Two key features are that every IP address must be unique on the Internet, and that programs on a host are identified by a port number (carried in the TCP or UDP header) in the range 1 to 65535, so that packets coming into that host are delivered to the right program by the networking piece of the operating system.

ISP: Internet Service Provider - a company that gives you a connection to the Internet in exchange for a monthly fee.

NAT: Network Address Translation - a technique used by networking hardware and/or software that allows multiple hosts to appear to be coming from only one unique IP address on the Internet. One common reason for using NAT is that your ISP only allows you one IP address but you want to put more than one computer on the Internet. Another reason NAT is often used is that it can provide some additional security, since hosts on the Internet cannot directly address the computers behind it.

PPPoE: Point-to-Point Protocol over Ethernet - a connection protocol that many DSL and some cable modem ISPs use to manage their customers' connections to their networks. Usually with PPPoE, a customer's computer is always connected to the Ethernet port of the DSL or cable modem, but the customer has to run an additional program and provide a logon and password before they can access the Internet.

TCP: Transmission Control Protocol - This is a protocol used when the programs need to be assured that all data sent to the remote host is received completely and correctly (compare to UDP). When communicating using TCP, the networking layer of the operating system is responsible for assuring data integrity, lightening the load of the application programmer.

UDP: User Datagram Protocol - a 'connectionless' protocol that does not guarantee delivery, ordering, or retransmission of data (compare to TCP). The operating system does little with UDP packets other than take them from the application running on a host and send them out to the network. It is up to the application to decide if it wants to detect and recover from lost or out-of-order packets itself. This gives applications more control over their networking and lightens the load on the operating system.

 

Sony Online Entertainment