AlliedModders - [ANY?] SourceMod Re-Banner - ban alts of banned players through clientside cookies!

AlliedModders (https://forums.alliedmods.net/index.php)

- Plugins (https://forums.alliedmods.net/forumdisplay.php?f=108)

- - [ANY?] SourceMod Re-Banner - ban alts of banned players through clientside cookies! (https://forums.alliedmods.net/showthread.php?t=342465)

[ANY?] SourceMod Re-Banner - ban alts of banned players through clientside cookies!

SourceMod Re-Banner (v. 1.3)
GitHub | Download | Wiki

Fights ban evasion through client-side "fingerprinting". Relies on security through obscurity.

Sometimes, a ban isn't enough to stop them from trying to play on your servers.
This solution tries to combat such players by leaving tiny unique files in download folders to recognize players.
Supports Basebans and SourceBans++.

I release this in hope to help the community fight ban evasion, as I personally know how annoying it can be.
Nothing can be ideal, and there are loopholes that can easily make players immune to this.
It also won't catch ban evasion instantly, but rather get more effective over time as it analyzes more and more accounts.

Designed to run autonomously without admin intervention.

Dependencies:

SourceMod 1.11+
A FastDownloads web server with PHP enabled and available. Your server's sv_downloadurl must be configured to use your FastDownloads address, preferably inside your server.cfg config file.
File Network by Batfoxkid (my fork for now, as the changes required for this to work are not upstream yet)
(Optional) SourceBans++

Currently supported games:

Team Fortress 2 Windows and Linux
Counter-Strike: Global Offensive Windows and Linux

Tested games:

Team Fortress 2 for Windows
Counter-Strike: Global Offensive for Windows

Re-Banner should be game-independent as long as you have the gamedata. For now only two games are supported. You may request support for other games.

What does it do?

To not clutter up the post, the full description can be found at:

I highly encourage you to read the Wiki version instead. Below is a stripped-down version.

Re-Banner's logic can be split into two big sections:

Early connection phase injection
Post-connection

1. Re-Banner hooks into early player connection phases, to be fully precise the phase at which the server sends it's ConVar values to the player.

During this stage, Re-Banner will attempt to recognize clients through SteamID and IP checks. If it fails to do so, a new fingerprint will be generated.

Then, Re-Banner will modify the value of sv_downloadurl like this

http://fastdownload.com/tf/serve.php...NGERPRINT&url=

And send this value to the client.

After this stage, the client starts downloading server content from the FastDownload URL that they received.

Re-Banner adds it's fingerprint file to the Download Table, so all connecting clients will eventually request that file as well. When that happens, the FastDownloads script checks whether the requested path is actually the fingerprint file path, and if so, dynamically generates that file on the FastDownloads server and sends it to the client, putting the fingerprint value inside it.

2. Re-Banner starts by sending the original sv_downloadurl value to the player to hide it's presence. Then it queries the player for their fingerprint file. From here, there are two possible outcomes: the client either successfully sends their fingerprint value to the plugin or not.

If the query is successful, Re-Banner will check the fingerprint against it's internal records and re-ban the player if necessary.

If the query fails (either the client doesn't have the file locally for some reason, or they deleted it/changed PC), Re-Banner will attempt to make the client late-download a fingerprint if a match is possible.

What happens if someone gets banned?

When a player gets banned, their unique fingerprint gets marked as banned in the internal database. Any subsequent attempts to join the server from another IP address/account/PC (any combination of the 3) will lead to a re-ban if any of the conditions are met:

Client SteamID is associated with a banned fingerprint (if the account sent the same local fingerprint value as another account at any point in time).
Client IP address is associated with a banned fingerprint.
Clientside fingerprint is recognized.

Checks are ran in the same order as shown above. If player SteamID/IP address is matched to a known fingerprint, current client fingerprint value is discarded and not taken into account.
In an event that the alt account player is missing their fingerprint client-side (and they are recognized), the fingerprint file is re-sent before they get re-banned.

Tampering prevention?

If the plugin is unable to identify the client via SteamID and IP address, but the client has a fingerprint locally which we can use for identification, this will make sure that the fingerprint is not tampered with.

Well, "tampered with" is a rather big word, it checks whether the file only contains numbers (the fingerprint is numeric only) (and) if the fingerprint is known by the server.
If the file has anything else (say, SQL commands, etc), or it's not recognized by the plugin, Anti-tamper will raise a red flag and, if configured, will kick the client.
The fingerprint won't ever reach the database to prevent SQL injection.

Setup:

Please refer to the Wiki page.
It's important to follow the setup instructions, as it not as simple as drag-n-drop.

ConVars:

Please refer to the Wiki page.

Commands:

Please refer to the Wiki page.

Known issues:

SourceBans++ bans applied via Web UI are not taken into account - a SourceBans design limitation that I'm unable to work around yet.
Banned alt. accounts will not be un-banned if the master account is un-banned earlier than expected.
...?

If you happen to stumble upon a bug/error message, please make sure to post it here or in GitHub Issues. Much appreciated!

To-Do:

Natives and forwards for easy integration
Command to completely remove a given player from the system to re-scan them
Whitelisting
Unban banned alt. accounts when master account is unbanned early
...

Credits:

Batfoxkid, Artvin and the Zombie Riot team for help with File Network
Samm-Cheese for being my test subject and providing fresh ideas
Naydef for QA, IP address check suggestion, de-bugging Source file queues and generally being a legend
The AlliedMods Discord members for help with various code-related questions

Important:

As of 22.04.2023, the latest version of Re-Banner (1.3) and all future versions will not be compatible with previous database versions.
Even if the database srtucture is the same, the fingerprint length was decreased to mitigate potential issues with the new FastDownloads fingerprinting method.
Since sv_downloadurl can hold only up to 127 characters, and old fingerprints were ~70, with Re-Banner 1.3 you might run into ConVar overflow issues.
With that in mind, I encourage you to drop the old database and do a clean re-install of Re-Banner (deleting it's old config file and changing the fingerprint path).
Please follow the wiki for detailed setup instructions.

Re: [ANY?] SourceMod Re-Banner - detect alts of banned players through client "cookie

1.1 Changelog:
- Added support for MySQL hosts. This essentially makes the plugin capable of covering multiple servers with a single unified database.
- Minor bugfixes.

I don't recommend changing database types after if you've launched the plugin at least once; If that's the case, change the fingerprint path in rebanner.cfg to avoid false anti-tamper detections.
If you're going to use a single MySQL database for multiple servers, make sure that all plugin instances use the same fingerprint path and filename!