[ANY?] SourceMod Re-Banner - ban alts of banned players through clientside cookies!

NoloZero01 · **Author**

SourceMod Re-Banner (v. 1.3)
GitHub | Download | Wiki

Fights ban evasion through client-side "fingerprinting". Relies on security through obscurity.

Sometimes, a ban isn't enough to stop them from trying to play on your servers.
This solution tries to combat such players by leaving tiny unique files in download folders to recognize players.
Supports Basebans and SourceBans++.

I release this in hope to help the community fight ban evasion, as I personally know how annoying it can be.
Nothing can be ideal, and there are loopholes that can easily make players immune to this.
It also won't catch ban evasion instantly, but rather get more effective over time as it analyzes more and more accounts.

Designed to run autonomously without admin intervention.

Dependencies:

SourceMod 1.11+
A FastDownloads web server with PHP enabled and available. Your server's sv_downloadurl must be configured to use your FastDownloads address, preferably inside your server.cfg config file.
File Network by Batfoxkid (my fork for now, as the changes required for this to work are not upstream yet)
(Optional) SourceBans++

Currently supported games:

Team Fortress 2 Windows and Linux
Counter-Strike: Global Offensive Windows and Linux

Tested games:

Team Fortress 2 for Windows
Counter-Strike: Global Offensive for Windows

Re-Banner should be game-independent as long as you have the gamedata. For now only two games are supported. You may request support for other games.

What does it do?

To not clutter up the post, the full description can be found at:

I highly encourage you to read the Wiki version instead. Below is a stripped-down version.

Re-Banner's logic can be split into two big sections:

Early connection phase injection
Post-connection

1. Re-Banner hooks into early player connection phases, to be fully precise the phase at which the server sends it's ConVar values to the player.

During this stage, Re-Banner will attempt to recognize clients through SteamID and IP checks. If it fails to do so, a new fingerprint will be generated.

Then, Re-Banner will modify the value of sv_downloadurl like this

http://fastdownload.com/tf/serve.php...NGERPRINT&url=

And send this value to the client.

After this stage, the client starts downloading server content from the FastDownload URL that they received.

Re-Banner adds it's fingerprint file to the Download Table, so all connecting clients will eventually request that file as well. When that happens, the FastDownloads script checks whether the requested path is actually the fingerprint file path, and if so, dynamically generates that file on the FastDownloads server and sends it to the client, putting the fingerprint value inside it.

2. Re-Banner starts by sending the original sv_downloadurl value to the player to hide it's presence. Then it queries the player for their fingerprint file. From here, there are two possible outcomes: the client either successfully sends their fingerprint value to the plugin or not.

If the query is successful, Re-Banner will check the fingerprint against it's internal records and re-ban the player if necessary.

If the query fails (either the client doesn't have the file locally for some reason, or they deleted it/changed PC), Re-Banner will attempt to make the client late-download a fingerprint if a match is possible.

What happens if someone gets banned?

When a player gets banned, their unique fingerprint gets marked as banned in the internal database. Any subsequent attempts to join the server from another IP address/account/PC (any combination of the 3) will lead to a re-ban if any of the conditions are met:

Client SteamID is associated with a banned fingerprint (if the account sent the same local fingerprint value as another account at any point in time).
Client IP address is associated with a banned fingerprint.
Clientside fingerprint is recognized.

Checks are ran in the same order as shown above. If player SteamID/IP address is matched to a known fingerprint, current client fingerprint value is discarded and not taken into account.
In an event that the alt account player is missing their fingerprint client-side (and they are recognized), the fingerprint file is re-sent before they get re-banned.

Tampering prevention?

If the plugin is unable to identify the client via SteamID and IP address, but the client has a fingerprint locally which we can use for identification, this will make sure that the fingerprint is not tampered with.

Well, "tampered with" is a rather big word, it checks whether the file only contains numbers (the fingerprint is numeric only) (and) if the fingerprint is known by the server.
If the file has anything else (say, SQL commands, etc), or it's not recognized by the plugin, Anti-tamper will raise a red flag and, if configured, will kick the client.
The fingerprint won't ever reach the database to prevent SQL injection.

Setup:

Please refer to the Wiki page.
It's important to follow the setup instructions, as it not as simple as drag-n-drop.

ConVars:

Please refer to the Wiki page.

Commands:

Please refer to the Wiki page.

Known issues:

SourceBans++ bans applied via Web UI are not taken into account - a SourceBans design limitation that I'm unable to work around yet.
Banned alt. accounts will not be un-banned if the master account is un-banned earlier than expected.
...?

If you happen to stumble upon a bug/error message, please make sure to post it here or in GitHub Issues. Much appreciated!

To-Do:

Natives and forwards for easy integration
Command to completely remove a given player from the system to re-scan them
Whitelisting
Unban banned alt. accounts when master account is unbanned early
...

Credits:

Batfoxkid, Artvin and the Zombie Riot team for help with File Network
Samm-Cheese for being my test subject and providing fresh ideas
Naydef for QA, IP address check suggestion, de-bugging Source file queues and generally being a legend
The AlliedMods Discord members for help with various code-related questions

Important:

As of 22.04.2023, the latest version of Re-Banner (1.3) and all future versions will not be compatible with previous database versions.
Even if the database srtucture is the same, the fingerprint length was decreased to mitigate potential issues with the new FastDownloads fingerprinting method.
Since sv_downloadurl can hold only up to 127 characters, and old fingerprints were ~70, with Re-Banner 1.3 you might run into ConVar overflow issues.
With that in mind, I encourage you to drop the old database and do a clean re-install of Re-Banner (deleting it's old config file and changing the fingerprint path).
Please follow the wiki for detailed setup instructions.

NoloZero01

1.1 Changelog:
- Added support for MySQL hosts. This essentially makes the plugin capable of covering multiple servers with a single unified database.
- Minor bugfixes.

I don't recommend changing database types after if you've launched the plugin at least once; If that's the case, change the fingerprint path in rebanner.cfg to avoid false anti-tamper detections.
If you're going to use a single MySQL database for multiple servers, make sure that all plugin instances use the same fingerprint path and filename!

RealEdan

Appears nobody has noticed the significance of this plugin yet and I'm thrilled to be the first to comment. I had this idea about 5 years ago but never got to it unfortunately.

Hoping the cheat community does not figure out the work around for quite some time, rendering cheaters clueless when their IP changes. Great work!

q1085909155

Quote:

Originally Posted by RealEdan

Appears nobody has noticed the significance of this plugin yet and I'm thrilled to be the first to comment. I had this idea about 5 years ago but never got to it unfortunately.

Hoping the cheat community does not figure out the work around for quite some time, rendering cheaters clueless when their IP changes. Great work!

I agree, this is a great step forward for the community against cheating!

JLmelenchon

Left 4 dead 2 has a quite specific download system, will it work?

backwards

Good work but you should add a security feature if requiring sv_allowupload to be set to 1.

OnFileReceived should have a default option to automatically delete the received file if it is not inside the RequestListing array.

I would also add a convar option that forces clients to have cl_allowupload 1 or kick (off by default).

NoloZero01

Re-Banner 1.3:

Revamped the fingerprint sending logic.

Re-Banner 1.3 now has two ways of sending fingerprints:

- FastDownloads injection
- File Network late-downloading

You may read a thorough description in the Wiki: (LINK).

The initial thread message was also updated.

In order to use this version and any future releases, you NEED a FastDownloads server available and configured, and it needs to have PHP installed. Most game server providers provide such a webserver free of charge.

Due to changes in fingerprint length and the new FastDownloads method of sending fingerprints, it is highly recommended to do a clean re-install of Re-Banner (that is, delete the old database, delete the config file and change the fingerprint path).

I also strongly recommend using the Wiki page to (re)install the plugin. Please save your and my time.

Tested and confirmed working with default ConVar values in TF2 and CSGO on Windows SCRDS.

Some elaboration on the new FastDownloads method:

CS:GO disables sv_allowupload by default for clients. This prevens File Network from being able to send files to clients.
To fully support CS:GO (and improve the chances of successful fingerprinting), Re-Banner now uses FastDownloads to ship fingerprint files to clients.

foxsay

Please add support for materialadmin - https://github.com/SB-MaterialAdmin/NewServer

xiaoli · *Last edited by xiaoli; 04-25-2023 at 13:45.*

possible to add way to recognize client ban evading through steam webhelper cookies? can be userful for games that support motd, and its possible to open motd in background without displaying it, could be great for games that support motd (https://forums.alliedmods.net/showthread.php?t=157953)

NoloZero01

Quote:

Originally Posted by xiaoli

possible to add way to recognize client ban evading through steam webhelper cookies? can be userful for games that support motd, and its possible to open motd in background without displaying it, could be great for games that support motd (https://forums.alliedmods.net/showthread.php?t=157953)

Hello!

I already have an idea regarding MOTD - Canvas Fingerprinting. While not 100% false positive proof, it should still be quite reliable. It will likely be added in one of the future releases.
As for Steam Web Helper cookies - I'll take a look, that sounds like a nice idea. Thanks!