Station.com
Sony Online Entertainment

Security Alert/Hack Attempt

The PlanetSide servers and their networks are access-controlled, secured, and monitored systems, and it is not likely that they are ever used as a launchpad for hack attempts across the Internet. The two most common causes for an alert on your firewall system are false alarms due to the type of networking that our games utilize, and packets where the source IP address was spoofed.

The PlanetSide game uses a high rate of UDP packets to pass game movement and change data between the client (your PC) and our servers. ICMP is used as a control protocol for the UDP data when the client or server disconnect or when a character zones and timing isn't perfectly synchronized. Traffic back to your PC can be on any UDP port greater than 1023, and during the course of the game a client PC will regularly connect to different servers and different ports.

The PlanetSide game is also very aggressive when attempting to recover from connectivity problems. During times of poor connectivity (e.g. ISP congestion, route flapping, backbone circuit outage), the PlanetSide clients and servers will retransmit packets at an increasing packet rate for up to 30 seconds. At the 10th or 20th second, this rate can be quite high and appear to be a flood or storm of traffic. Most personal firewall software (e.g. ZoneAlarm, BlackIce, Norton Personal Firewall) will false alarm and report valid PlanetSide traffic as hacking attempts in certain conditions. This can be caused by the high rate of packets, and by early disconnect situations (where our servers think you've disconnected before your PC processes that change, and vice-versa). The most common false alarms are:

  • "Default Trojan" (of many of a list of Trojans, e.g. "Bla," "Deep Throat," etc.) are triggered when UDP traffic returns from our servers to your computer on a port that is in a list of "well known" default Trojan ports configured in the firewall product. Even though the UDP traffic was initiated by your computer from a port on the list, and therefore the return packets are valid, many firewall products fail to recognize them as such, and will trigger a false alarm.
  • "UDP port scans" but your logs only show traffic from one port >1023 on our server to one port >1023 on your PC. This is *NOT* a true fingerprint of a port scan. A true port scan will often hit many ports (e.g. port 1 through port 65534), or known sensitive ports (e.g. 7, 9, 13, 53, 111, 123, 137, 161, 2049, 13373 etc.) This usually happens when your computer closes or crashes the game application or when you zone and there are still unacknowledged packets in the server's queue.
  • "Default Block Remote Grab" also called "Inbound TCP connection" and usually referencing a 'vdolive' service or port 7000: Our patchers are TCP servers running on port 7000. When you start one of our games that use a patcher, your client PC will make a connection to one of our many patchers at port 7000. In order to optimize the patching process, we are using load-balancing network hardware, and have distributed the patchers among different geographic locations. As an artifact of that optimization, there are times when your patching client will complete the process, but a few more packets keep coming back from the patching servers.
  • UDP packet storm/flood: PlanetSide uses a highly optimized retransmit scheme to recover from lost UDP packets. During times of Internet connectivity problems between your PC and our servers, there may be a high rate of retransmitted small UDP packets until the communication session recovers, sometimes for up to 30 seconds. There is also an unlikely event that will cause UDP packets to continue to come in from the old zone for up to 10 seconds.
  • ICMP Unreachable storm/flood: An ICMP message will be generated for each UDP packet that cannot be received by the server or client. Due to the high rate of UDP packets, following any port change or brief connectivity outage there might be a high rate of ICMP Unreachable packets for up to 30 seconds.
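The "UDP port scan" bullet above gives a concrete way to tell game return traffic from a real scan: one port >1023 talking to one port >1023 over UDP (plus ICMP control messages) versus many destination ports or hits on well-known sensitive ports. The following is an added triage example, not code from SOE or from any firewall product; the log line format and the sample lines are constructed, and the threshold of five distinct ports is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not real output); assumed format:
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
12:00:01 UDP 203.0.113.10:31000 -> 192.0.2.5:50123
12:00:01 UDP 203.0.113.10:31000 -> 192.0.2.5:50123
12:00:02 UDP 203.0.113.10:31000 -> 192.0.2.5:50123
12:00:02 ICMP 203.0.113.10:0 -> 192.0.2.5:0
12:00:05 TCP 198.51.100.7:44321 -> 192.0.2.5:7
12:00:05 TCP 198.51.100.7:44322 -> 192.0.2.5:13
12:00:05 TCP 198.51.100.7:44323 -> 192.0.2.5:53
12:00:05 TCP 198.51.100.7:44324 -> 192.0.2.5:111
12:00:05 TCP 198.51.100.7:44325 -> 192.0.2.5:137
"""

LINE_RE = re.compile(r"^\S+ (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
# Sensitive ports the text lists as typical targets of a genuine scan.
SENSITIVE_PORTS = {7, 9, 13, 53, 111, 123, 137, 161, 2049, 13373}

def parse_log(text):
    """Return (proto, src_ip, src_port, dst_port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, sip, sport, _dip, dport = m.groups()
            events.append((proto, sip, int(sport), int(dport)))
    return events

def classify_sources(events, scan_threshold=5):
    """Map each source IP to 'likely_scan', 'likely_game_traffic' or 'unknown'."""
    flows = defaultdict(set)
    for proto, sip, sport, dport in events:
        flows[sip].add((proto, sport, dport))
    verdict = {}
    for sip, fl in flows.items():
        ported = [(s, d) for p, s, d in fl if p != "ICMP"]  # ICMP carries no ports
        dports = {d for _, d in ported}
        udp_only = all(p in ("UDP", "ICMP") for p, _, _ in fl)
        high_to_high = bool(ported) and all(s > 1023 and d > 1023 for s, d in ported)
        if len(dports) >= scan_threshold or dports & SENSITIVE_PORTS:
            verdict[sip] = "likely_scan"
        elif len(ported) == 1 and udp_only and high_to_high:
            verdict[sip] = "likely_game_traffic"  # one high port -> one high port
        else:
            verdict[sip] = "unknown"
    return verdict
```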

Some possible scenarios where these conditions might occur:

  • Your upstream ISP has a circuit down for a few seconds while you're playing PlanetSide, during which time your computer might disconnect from the game. When the outage is restored, your computer will receive a flood of retransmitted packets for a few seconds. At that time, your firewall software doesn't expect those packets, since your computer has disconnected from the game, but our game servers haven't processed your disconnect yet, so they are still sending you traffic. This scenario can be even worse if your PC is behind a NAT device, because the ICMP messages that will notify our server of your disconnect do not NAT properly.
  • Somebody else on the Internet is attempting to probe or attack our PlanetSide servers, and is doing so with a forged source address, and the address they used happens to be yours. In this case, malicious packets come in to our network, our firewalls or servers respond, but the packets are sent back to you, the true user of the IP address the packets appeared to come from. Unfortunately, in this case, it's nearly impossible to determine where the forged packets are coming from.
  • You just connected to the Internet via dial-up, PPPoE, or DHCP, where you get your IP address dynamically. If someone using the same ISP as you was playing PlanetSide when they lost their Internet connection, and you connected within 30 seconds of that, you might have gotten their IP address. Since it can take up to 30 seconds until our servers mark an abrupt disconnect like that as a client out of game, you might be getting some of the residual packets that were intended for the previous user of that IP address.

In all of these cases, hacking attempt alerts from your firewall software aren't anything to worry about -- chances are it was either a hiccup in the game or the network, or somebody trying to attack *us*, and not you.

You can find details on the IP addresses, protocols, and ports of the PlanetSide servers here.

If you have considered the above scenarios, and still believe you were subjected to an attack, please send a detailed email, including all logfile output, your IP address at the time of the alarm, and your Station Name to planetsidehelp@soe.sony.com.

Glossary of Terms used in this document

>1023: "greater than 1023" - port numbers in the range 1023 thru 65535, also known as . During an IP communication session, 2 hosts (e.g. your client PC and our Server) send packets to each other specifying source and destination IP addresses and port numbers. This is how the packets get to the right program running on your computer as well as on our servers.

DHCP: Dynamic Host Configuration Protocol - this is a standard way for a computer to attach to the network and ask for an IP address and other relevant settings in order to properly communicate on that network. Commonly used in office environments, cable modem connections, and DSL services.

Host: Any device (e.g. computer, router) that connects to a network. Specific to this document, any device that connects to the Internet using an IP address with the intention of communicating with other hosts on the Internet. Your PC that you run our game client on is a host, as is our server running the game.

ICMP: Internet Control Message Protocol - a suite of messages that hosts and routers can send to other hosts on the Internet to inform the networking software on those hosts of critical situations that might affect the network traffic that a host is attempting to accomplish.

IP: Internet Protocol - a suite of standard protocols that allow many heterogeneous hosts to communicate with each other over the Internet. Some key features are that all IP addresses must be unique on the Internet, and programs on a host each use a port number ranging from 1 to 65535 to identify themselves to the networking piece of the operating system, so that packets coming into that host get routed to the right program.

ISP: Internet Service Provider - a company that gives you a connection to the Internet in exchange for a monthly fee.

NAT: Network Address Translation - a technique used by networking hardware and/or software that allows multiple hosts to appear to be coming from only one unique IP address on the Internet. One common reason for using NAT is that your ISP only allows you to use one IP address, but you want to put more than one computer on the Internet. Another reason that NAT is often used is that it can provide some additional security.

PC: Personal Computer.

PPPoE: Point-to-Point Protocol over Ethernet - a connection protocol that many DSL and some cable modem ISPs use to manage their customers' connections to their networks. Usually with PPPoE, a customer's computer is always connected to the Ethernet port of the DSL or cable modem, but the customer has to run an additional program and provide a logon and password before they can access the Internet.

TCP: Transmission Control Protocol - This is a protocol used when the programs need to be assured that all data sent to the remote host is received completely and correctly (compare to UDP). When communicating using TCP, the networking layer of the operating system is responsible for assuring data integrity, lightening the load of the application programmer.

UDP: User Datagram Protocol - This is a 'connectionless' protocol that does not assure any data integrity (compare to TCP). The operating system doesn't do any work with UDP packets other than to take them from the application running on a host and send them out to the network. It is up to the application to decide if it wants to perform its own data integrity checks. This allows applications to have more control over their networking, and lightens the load on the operating system.
