mouseboyx

CIDR notation in sapp rangebans?

If someone has an ip address that changes following a pattern like:

123.123.123.123

123.123.123.124

123.123.123.125

123.123.122.111

123.123.120.122

123.123.124.222

Where the first 2 numbers are always the same, the 3rd number only changes by 2 or 4 digits and the last number could be anything.  What's the appropriate CIDR notation for banning this range?

 

From Wikipedia, I'm gathering somewhere from 123.123.123.123/23 -- 123.123.123.123/16 seems like it should work, but /16 seems like too many and /23 seems like too few.  I don't really understand how masks like 255.255.192.0 or 255.255.128.0 translate to a specific range when paired with an ip address.  A mask like 255.255.255.0 makes perfect sense, it would be 123.123.123.xxx and 255.255.0.0 would be 123.123.xxx.xxx, but the others don't make sense.


Tiddy-bits:

Defining ranges seems to vary a lot between platforms.

 

123.123.*

 

^ another common one, where * denotes a wildcard. I have no idea if that works here though.


6 hours ago, mouseboyx said:

If someone has an ip address that changes following a pattern like:

123.123.123.123

123.123.123.124

123.123.123.125

123.123.122.111

123.123.120.122

123.123.124.222

Where the first 2 numbers are always the same, the 3rd number only changes by 2 or 4 digits and the last number could be anything.  What's the appropriate CIDR notation for banning this range?


 

Ok, the ip ranges can be different sizes. What I mean by that is that 123.123.123.123 could be in a /24 network, which has 256 ips or 254 hosts. However that ip could be in a larger block, like /8 with over 16 million ips. It all depends on how the whole network gets divided. More specifically for this purpose, which ISP owns the specific public network block (which also has an ASN number tied to it as a side note). The organization owning the ip block and ASN are public information. They must submit a request to IANA and pay for the addresses to get the block of ipv4 ip addresses from whoever already owns them. The larger the block the more it costs. Anyways:
 

To show this go to ipinfo.io in your browser and put that 123 ip in. You'll see it's owned by some Chinese host. It's an isp and this isp apparently owns this ip block: 123.123.64.0/18

If you scroll down you'll even see that ip block is within an even larger 123.112.0.0/12 network, probably a backbone with multiple hosts using it including the isp. So 123.123.64.0/18 is one subnet within 123.112.0.0/12.
 

So you'd ban the 123.123.64.0/18 network since the ip belongs to that ASN block of public ips.

There is a nuance though. Some of the ISPs have both cheaters and legit players, like Telmex. It's still ultimately going to come down to how vigilant you are admining the server manually, especially since the player's real ip can be hidden, but this range ban has helped for some cheaters, not saying it's useless either.

Edited by AntiMomentum

Thanks, ipinfo.io makes this a lot easier to understand. I totally get what you mean with the range ban having unintended consequences. I thought it could be narrowed down to mitigate that, but it seems even then it's not going to be bulletproof.

 

I did my own testing and I'm unsure whether it's even applicable to how the real division of the internet works, and how sapp is interpreting that.

I used "ifconfig lo xxx.xxx.xxx.xxx" to set my loopback interface to several different ip addresses and attempted to see whether the client could join with different cidr settings in the ipbans.txt

I'm starting to think this test is pretty much useless though:

 

127.127.127.127/17:ban:0
EVEN: yes ODD: no
127.127.128.127 yes
127.127.129.127 no
127.127.130.127 yes
127.127.254.127 yes
127.127.192.127 yes
127.127.253.127 no
127.127.126.127 yes
127.127.125.127 no
127.127.124.127 yes
127.127.123.127 no
127.127.122.127 yes
127.127.121.127 no
127.127.120.127 yes
127.127.119.127 no
127.127.118.127 yes

 

127.127.127.127/18:ban:0
127.127.0.127 yes
127.127.1.127 yes
127.127.2.127 yes
127.127.3.127 no
127.127.4.127 yes
127.127.5.127 yes
127.127.6.127 yes
127.127.7.127 no
127.127.11.127 no

 

127.127.127.127/19:ban:0
127.127.0.127 yes
127.127.1.127 yes
127.127.2.127 yes
127.127.3.127 no
127.127.4.127 yes
127.127.5.127 yes
127.127.6.127 yes
127.127.7.127 no



Yeah, no problem

One thing you can do is check cheater ips against your past server logs and see if legit players also joined in the same ip range. If they don't have the same range, ban it, provided your logs have "enough" records.

I actually didn't know sapp could do the range bans until that comment and trying your 3 examples in ipbans.txt, thanks! I've just been doing this at the firewall(s)

I'll test this sometime today by putting it in a vlan since you can throw whatever ip you want at it from inside a local network :) I'll start a capture and send halo query packets at it from different source ips

Edited by AntiMomentum

On 10/20/2022 at 10:22 PM, mouseboyx said:

I'm starting to think this test is pretty much useless though:

 

127.127.127.127/17:ban:0
EVEN: yes ODD: no
127.127.128.127 yes
127.127.129.127 no
127.127.130.127 yes
127.127.254.127 yes
127.127.192.127 yes
127.127.253.127 no
127.127.126.127 yes
127.127.125.127 no
127.127.124.127 yes
127.127.123.127 no
127.127.122.127 yes
127.127.121.127 no
127.127.120.127 yes
127.127.119.127 no
127.127.118.127 yes

 

127.127.127.127/18:ban:0
127.127.0.127 yes
127.127.1.127 yes
127.127.2.127 yes
127.127.3.127 no
127.127.4.127 yes
127.127.5.127 yes
127.127.6.127 yes
127.127.7.127 no
127.127.11.127 no

 

127.127.127.127/19:ban:0
127.127.0.127 yes
127.127.1.127 yes
127.127.2.127 yes
127.127.3.127 no
127.127.4.127 yes
127.127.5.127 yes
127.127.6.127 yes
127.127.7.127 no


Finally got around to vlan testing. With the ban of this in ipbans.txt:
test:123.123.64.0/18:ban:0

the ban works until getting to 123.123.65.x which is only banning 256 of like 16,000+ ips

So I'm thinking sapp might be limited to just /24 but I'm not really sure exactly what the issue is yet.


But there is no doubt some kind of issue with the sapp range ban one way or another. I'd say it's best to do range bans on a firewall.

*update*
ban is working again at 123.123.68.x lol. So it's not even as simple as being /24 only

ban stopped working again at 123.123.69.x

Going to stop the test at this point. I went ahead and ran the 66 individual /32 cheater/DoS ips I have in my ipbans.txt from many different ranges. All were still banned thankfully, seems to just be a range issue.

Edited by AntiMomentum

On 10/22/2022 at 4:10 PM, AntiMomentum said:


Finally got around to vlan testing. With the ban of this in ipbans.txt:
test:123.123.64.0/18:ban:0

the ban works until getting to 123.123.65.x which is only banning 256 of like 16,000+ ips

So I'm thinking sapp might be limited to just /24 but I'm not really sure exactly what the issue is yet.


But there is no doubt some kind of issue with the sapp range ban one way or another. I'd say it's best to do range bans on a firewall.

*update*
ban is working again at 123.123.68.x lol. So it's not even as simple as being /24 only

ban stopped working again at 123.123.69.x

Going to stop the test at this point. I went ahead and ran the 66 individual /32 cheater/DoS ips I have in my ipbans.txt from many different ranges. All were still banned thankfully, seems to just be a range issue.

With the unpredictability of the built-in range banning feature of sapp, this seems like a good opportunity for someone to write a Lua script to implement range bans differently or more correctly than sapp does.  I'm thinking of using EVENT_PREJOIN to execute the detection/kick logic, however it would be limited because it wouldn't work like a full ip ban.

 

Also might be able to introduce a different syntax to the range ban, like start and end ip addresses.  Like start at "123.123.120.0" and end at "123.123.124.255", I don't know if that's a good idea though but it seems like it would work.

 

I went ahead and made the range ban lua script.  I don't know if this will work for every possible range condition, because it checks starting at the leftmost ip address digit to the rightmost to see if it is in the range.  I don't even know if this is the correct way to implement the idea but here you go :)

 

basic_rangeban.lua

Edited by mouseboyx

I went ahead and tested it. For some reason basic_rangeban.lua doesn't seem to be working for me even though the halo console says it's successfully loaded. Also tried switching api version to 1.12.0.0 didn't help. I also did a smaller /24 ban using your script by itself and then sapp's built-in ip range ban by itself to make sure it wasn't just some deeper issue with sapp/halo, sapp was able to do the /24 ban but the script did not ban any of the ips.

Edited by AntiMomentum

On 10/26/2022 at 4:40 PM, AntiMomentum said:

I went ahead and tested it. For some reason basic_rangeban.lua doesn't seem to be working for me even though the halo console says it's successfully loaded. Also tried switching api version to 1.12.0.0 didn't help. I also did a smaller /24 ban using your script by itself and then sapp's built-in ip range ban by itself to make sure it wasn't just some deeper issue with sapp/halo, sapp was able to do the /24 ban but the script did not ban any of the ips.

Thanks for testing it, I assumed it would work after it kicked 127.0.0.1 based on the range {'127.0.0.0','127.0.0.255'}, but for some reason it was failing with other ip address ranges.  I ended up wrapping all of the comparison statements within lua's tonumber() and it should work now I think.  It worked at kicking a 192.168.x.x address based on the range {'192.168.0.0','192.168.255.255'} whereas before the fix it failed to do that.

 

Probably some strange quirk of lua, because it failed at the 3rd digit of banning 192.168.86.61, based on the rangeban of {'192.168.0.0','192.168.255.255'}

I printed the strings encapsulated in quotes to make sure there wasn't any whitespace or something funky with the strings: cprint('"'..from_ip[3]..'","'..ip_digits[3]..'","'..to_ip[3]..'"')

and it gave me "0","86","255", my assumption was that lua could compare these strings as numbers, but I guess not.  (But it worked for the first 2 digits so it's strange)

 

I'm probably spoiled by JavaScript and PHP where you can compare two strings like "12">"10" and it evaluates to true, then I write some lua and step into a string/number pitfall.

basic_rangeban_fixed.lua

Edited by mouseboyx
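
Added example, not basic_rangeban.lua or sapp's own code: a plain Lua sketch (no bitwise operators, hypothetical function names) of how a CIDR prefix such as the /18 discussed above, or a start/end pair, turns into a numeric range that a joining address can be tested against. It also shows why the per-octet comparison needed tonumber(): converting the whole address to one number first avoids comparing strings at all.

```lua
-- Added example; function names are hypothetical, not from basic_rangeban.lua.

-- Dotted quad -> one number (0 .. 2^32-1); nil if the string is malformed.
local function ip_to_int(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  local n = 0
  for _, octet in ipairs({a, b, c, d}) do
    local v = tonumber(octet)          -- compare and add as numbers, never as strings
    if v > 255 then return nil end
    n = n * 256 + v
  end
  return n
end

local function int_to_ip(n)
  local d = n % 256; n = (n - d) / 256
  local c = n % 256; n = (n - c) / 256
  local b = n % 256; n = (n - b) / 256
  return string.format("%d.%d.%d.%d", n, b, c, d)
end

-- "a.b.c.d/len" -> first and last address of the block, as numbers.
local function cidr_range(cidr)
  local ip, len = cidr:match("^([%d%.]+)/(%d+)$")
  if not ip then return nil end
  local n, bits = ip_to_int(ip), tonumber(len)
  if not n or bits > 32 then return nil end
  local size = 2 ^ (32 - bits)         -- addresses in the block: /18 -> 16384
  local first = n - n % size           -- clear the host bits without bit operators
  return first, first + size - 1
end

local function in_range(ip, first, last)
  local n = ip_to_int(ip)
  return n ~= nil and n >= first and n <= last
end

-- Constructed checks using addresses quoted in the thread.
for _, cidr in ipairs({"123.123.64.0/18", "123.123.123.123/21", "123.123.123.123/16"}) do
  local first, last = cidr_range(cidr)
  print(cidr, int_to_ip(first), int_to_ip(last), in_range("123.123.65.10", first, last))
end
-- Start/end syntax from the thread, checked on the whole address at once.
local lo, hi = ip_to_int("123.123.120.0"), ip_to_int("123.123.124.255")
print(in_range("123.123.122.111", lo, hi), in_range("123.123.125.1", lo, hi))
-- The pitfall from the thread: strings compare character by character.
print("86" <= "255", tonumber("86") <= tonumber("255"))
```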

Nice, your updated script is kicking an ip from both a /24 and the same ip in a larger /18 range. It seems to require actually joining though so I'm not sure if I'll be able to test the entire ranges. When I have some time I should at least be able to try it using some ips that sapp itself missed with the /18 123 ips in ipbans.txt
