One of the problems with self replicating objects is - occasionally they are required for some tasks, removing the functionality removes a tool from the SL content creator's toolbox.
The problem comes, when someone creates (deliberately or not) a self replicator that then consumes the whole grid. There are a multitude of solutions to this problem - but most of them require features to be disabled and removed from SL.
There is however, a simpler option - default permissions. One of the reasons these grid attacks are so successfully is twofold.
1) Autoreturn is usually set high enough that the objects can replicate a few generations before the parents being returned.
2) Most land in SL is set 'others can build here'.
When both of those things are combined - it creates a form of Agar Jelly, perfect nutrients for the spread of replicating prims.
If LL were to consider changing the default land parcel permissions from 'other can build', to 'others cant build' - and then allowed users to toggle it (as it can be done now), then vaste swathes of the mainland would be unbuildable - this would significantly impede the progress of any out of control replicator, since each unbuildable parcel acts like a barrier wall against the oncoming flood.
If enough parcels were unbuildable, then most outbreaks would be contained to just a localised area. The problems with this are also self evident - if you want to build on someone elses plot, they need to either have on in a group the land is set to, or alternatively, enable the 'anyone can build' option on the land menu.
The biggest downside to this is, anyone who's using anothers parcel as a free sandbox wont be able to anymore - but the advantage is that it's a scalable solution to a common form of attack; that wont cripple functionality.
Welcome to the Second Life Forums Archive
These forums are CLOSED. Please visit the new forums HERE
Self Replication & "The Grid" |
|
|
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
|
04-28-2006 23:49
_____________________
|
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
04-29-2006 00:08
Might it be possible to add some high velocity leaping and flying about to the self replicators to get across the nobuild areas well enough to render them not too effective?
_____________________
-
So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them. I can be found on the web by searching for "SuezanneC Baskerville", or go to http://www.google.com/profiles/suezanne - http://lindenlab.tribe.net/ created on 11/19/03. Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard, Robin, and Ryan - |
|
Simon Nolan
I can has ur primz?
Join date: 28 Mar 2006
Posts: 157
|
04-29-2006 00:10
Adam's idea to me sounds like a very reasonable and easy-to-implement way to limit the problem. If LL decides to do something like this, would it be a good idea to just set all parcels to "others CANT build" and tell everyone that if they want others to build, they'll have to turn it on again? What kind of support issues would that cause?
Others have suggested a limit to the number of generations an object can self-replicate. What types of things are builders doing that require an indeterminate number of generations? What would limiting the number of generations hurt that presently exists in SL? What would be a reasonable limit in such a scenario? I'm trying to get enough information so that I can at least comprehend the issues, so these are real questions, not rhetorical ones. I'm sure LL is looking at ways to fix this problem. I'm sure it's just as frustrating for them as us that the grid can be so easily overwhelmed. I wonder what other possible solutions there are out there. |
|
Nepenthes Ixchel
Broadly Offended.
Join date: 6 Dec 2005
Posts: 696
|
04-29-2006 00:17
Others have suggested a limit to the number of generations an object can self-replicate. What types of things are builders doing that require an indeterminate number of generations? What would limiting the number of generations hurt that presently exists in SL? What would be a reasonable limit in such a scenario? Well.. how do you calculate ho many generation old an item is? There's currently no way to figre that out. Of course, if there was a limit on the number of times a prim could be copied it would add a whole new aspect to making items for sale... just not a very good one. |
|
Ordinal Malaprop
really very ordinary
Join date: 9 Sep 2005
Posts: 4,607
|
04-29-2006 00:19
Might it be possible to add some high velocity leaping and flying about to the self replicators to get across the nobuild areas well enough to render them not too effective? Yes, I would think so. All you'd have to do would be to use llScriptDanger to check whether where you were travelling to was "dangerous" or not, and if so apply a big impulse to get you through it. Nobuild counts as "dangerous". |
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
04-29-2006 00:29
Yes, I would think so. All you'd have to do would be to use llScriptDanger to check whether where you were travelling to was "dangerous" or not, and if so apply a big impulse to get you through it. Nobuild counts as "dangerous". I'll try to remember that on my next batch.  _____________________
-
So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them. I can be found on the web by searching for "SuezanneC Baskerville", or go to http://www.google.com/profiles/suezanne - http://lindenlab.tribe.net/ created on 11/19/03. Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard, Robin, and Ryan - |
|
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
|
04-29-2006 00:44
Might it be possible to add some high velocity leaping and flying about to the self replicators to get across the nobuild areas well enough to render them not too effective? I thought about this too - do a scan for a safe spot to build. But, several factors work against this. 1. Can only scan in a single sim, cant scan neighbours for a safe spot to build. 2. Border crossings for physical objects without an agent sitting on them are unreliable at best. In high load doubly so. 3. Autoreturn has a chance to kick in, if the speed of replication is slowed down. 4. Prim limits on those build parcels limit the number of generations from a single parent. Basically setting no-build as the default will over the long term make SL a good deal more hostile to self replicating prims. That hostile enviroment means that a replicator isnt going to be able to spread as quickly, and has a good chance of not getting very far. _____________________
|
|
Jeffrey Gomez
Cubed™
Join date: 11 Jun 2004
Posts: 3,522
|
04-29-2006 00:59
I see two viable options to this problem. Unfortunately, both would require some forethought and understanding by the community to be implemented properly.
a) Limit the "dangerous LSL commands" (such as llGiveInventory to non-agent keys) to the premium account. What this would allow is for a credit card to always be on file when an exploit has been tied to a given individual. That way, you would simply ban the offending credit line, and when the person runs out of cards and IP addresses, it's game over. However, this could easily be construed by many newcomers as a pathetic bid for their business or real life identity, and potentially scare them away. b) Create permanent firelanes that objects cannot cross. Or, if possible, establish a quota for these "buffer sims." Essentially, fragment the connected grid for the scope of self-replicating objects. This would be done in predetermined "districts" and would only affect crossings of those sim boundaries. Optimally, a buffer of Linden Land would then be used at the edges of these districts. The downsides of this, of course, are its implications on travel and urban planning, and realistically is probably not viable at this point.  In either case, this is a rather messy situation, and is not bound to fix itself so long as user features conflict with it. Given LL does not wish to have another "oops, we turned off llGiveInventory for you" episode with vendors, I can more than understand their reluctance on this issue. _____________________
---
|
|
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
|
04-29-2006 01:05
Well, option a) isnt really doable since it means a lookup to the DB server on every rezobject() call. Option B is closer to what I'm suggesting, but isnt something that can be phased into the existing grid area.
_____________________
|
|
Jeffrey Gomez
Cubed™
Join date: 11 Jun 2004
Posts: 3,522
|
04-29-2006 01:11
Well, option a) isnt really doable since it means a lookup to the DB server on every rezobject() call. Option B is closer to what I'm suggesting, but isnt something that can be phased into the existing grid area. Yep. My thoughts on this issue have more or less led to the conclusion that the "one [physically] interconnected grid" is in fact the Achilles' Heel here. After seeing LL firelane sims in the past to contain the problem, perhaps it is possible to automate the process in some way? As correlary to the permanent firelane districts, perhaps it is possible to give CSR^H^H^H liasons a "Panic Button" that takes down sims in this fashion and alerts the grid monkey(s) on duty. That may be the right middle ground for this situation, provided reports are fast enough. Though again, there are special implications of being in a "firelane sim." Perhaps add a little relish and randomize the pattern?  _____________________
---
|
|
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
|
04-29-2006 01:14
Well, the estate tools have a 'remove all of X's objects from this sim', I dont see why LL cant implement something like that for the entire mainland. Seems like better tools would stop a lot of the damage.
_____________________
|
|
Simon Nolan
I can has ur primz?
Join date: 28 Mar 2006
Posts: 157
|
04-29-2006 01:15
Well.. how do you calculate ho many generation old an item is? There's currently no way to figre that out. Of course, if there was a limit on the number of times a prim could be copied it would add a whole new aspect to making items for sale... just not a very good one. I see your point about making items for sale. And of course there is no way to know how many generations old an object is at the present. That's the part that would have to be added. And in my mind it would have to be something handled in a way that is not exposed in the scripting language. I haven't been scripting long enough to know how to make a self-replicating object, and I haven't even thought of why I'd need to make an object replicate itself. I don't know what is going on when a vendor replicates an object and puts it in someone's inventory. I guess I'm kinda looking at this from an OOP standpoint, where an object could create an instance of itself. A simple local variable in the parent class could hold a generation count when the object is instantiated, and be set in the child object when the parent object instantiates a copy of itself. Now, I don't know if that's anywhere near how objects self-replicate in SL, but that seems to be different from a vendor object instantiating a different object--not itself. Maybe the whole problem is that when an object replicates itself, its not handled any differently from an object replicating something completely different. I don't know the innards of the scripting language to guess. I'm thinking this idea would require a complete retooling of the way objects create other objects, and that would indeed be a Bad Thing. Aww, dangit, and there's the way around any generational limits on self-replicating objects... An object of type A creates an object of type B, which creates an object of type A, ad infinitum. Generation counts would be broken. Baaaaaahhhh! I give up! |
|
Pham Neutra
Registered User
Join date: 25 Jan 2005
Posts: 478
|
04-29-2006 01:17
Hmmm ...
I got the same suggestion from Eggy when I posted the following ideas after the last grid attack. Excerpt: The ideas presented may be totally naive. If this is the case, please enlighten me!
I am still not sure if this really would be a solution because an universal "No Build" would make vehicles nearly useless. (Where to rez them?) And a few remaining areas which still allow object creation would create home bases for swarming objects from which they could send out fast moving children with high replication rates. I still believe that throttling the object creation process (on a per user basis) would be much more effective. |
|
Jeffrey Gomez
Cubed™
Join date: 11 Jun 2004
Posts: 3,522
|
04-29-2006 01:18
Seems like better tools would stop a lot of the damage. Truer words were never spoken on these forums. _____________________
---
|
|
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
|
04-29-2006 01:21
I still believe that throttling the object creation process (on a per user basis) would be much more effective. Problem is -- you cant do that on a grid-wide scale, it means centralised requests for RezObject. The server incharge of recieving those requests would be crushed under normal load, let alone the load in 6 months time. _____________________
|
|
Pham Neutra
Registered User
Join date: 25 Jan 2005
Posts: 478
|
04-29-2006 01:33
Problem is -- you cant do that on a grid-wide scale, it means centralised requests for RezObject. The server incharge of recieving those requests would be crushed under normal load, let alone the load in 6 months time. And the asset server has to actually "deliver objects" to another server. The throttling would only need a kind of ping towards a central authority waiting for an ACK or NACK. In my endless naivity I would assume that it should be possible to build a service like this which can handle a few thousand pings per second (in a local network setting). Last time I checked, there were many DB servers on the market with performance well above that threshold. But, as I said before, I am certainly no expert for SL systems architecture.  |
|
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
|
04-29-2006 01:56
I am no expert for the current systems architecture of SL, but doesn't the asset server already experience a much higher load? And the asset server has to actually "deliver objects" to another server. The throttling would only need a kind of ping towards a central authority waiting for an ACK or NACK. In my endless naivity I would assume that it should be possible to build a service like this which can handle a few thousand pings per second (in a local network setting). Last time I checked, there were many DB servers on the market with performance well above that threshold. But, as I said before, I am certainly no expert for SL systems architecture. The asset server is a filesystem - it doesnt have any details about the files it's storing, just their names (in this case, UUIDs). Information about the objects are stored on the DB server, and the two are not nessecarily congruent (for scalability reasons). Basically, when your doing that kind of lookup, you end up with table scanning huge log tables. Plus, if that server dies, nothing will rez. Basically, if there is a good solution for this, it's going to be distrobuted or heavily scalable, so that when SL has 10,000 sims - nothing will choke. _____________________
|
|
MC Seattle
Registered User
Join date: 3 Apr 2006
Posts: 63
|
04-29-2006 02:05
I'm not sure how the default no rez permission will prevent the asset server from getting bogged down. What's to prevent the next infection from continually rezzing objects in sandbox x and sending them in random directions all across the world? Then as the objects pass over rez friendly land (like other sandboxes) they can drop more of these seeds, and boom you have just as bad as a problem and the only net effect was a lot of friendly freedom (like the ability to rez vehicles) was lost.
The new llHttpRequest is throttled per user instead of per script/object, possibly llRezObject could be throttled in the same manner? For example a 200/20 rule would allow scripts like Rez-Foo/Rez-Faux/etc to work instantly for builds up to a certain size, and at a slower rate for very large builds, an acceptable compromise, and viral scripts like the recent ones could be caught by a Linden before things get out of hand. |
|
Pham Neutra
Registered User
Join date: 25 Jan 2005
Posts: 478
|
04-29-2006 02:41
The asset server is a filesystem - it doesnt have any details about the files it's storing, just their names (in this case, UUIDs). Information about the objects are stored on the DB server, and the two are not nessecarily congruent (for scalability reasons). Basically, when your doing that kind of lookup, you end up with table scanning huge log tables. Plus, if that server dies, nothing will rez. Basically, if there is a good solution for this, it's going to be distrobuted or heavily scalable, so that when SL has 10,000 sims - nothing will choke. Additionally, if I am not mistaken, this kind of operation can easily be paralized and distributed. Simply log (and check) object creation per user and distribute the user between machines. So if one server can handle the current population of SL and this population doubles in size, you set up a second server (each server now handles half the population) and off we go. At least for this purpose I can see not much need for the machines to talk to each other, which makes the solution nearly perfectly scaleable. The system could even be setup in a redundant fashion. |
|
FlipperPA Peregrine
Magically Delicious!
Join date: 14 Nov 2003
Posts: 3,703
|
04-29-2006 08:42
connect to central servers
select $avatar_id from avatar where avatar_first='Plastic' and avatar_last='Duck' delete from item_master where avatar_id_owner = $avatar_id delete from inventory where avatar_id_owner = $avatar_id (object stops rezzing) for(mainland_sims) { connect_to_sim_db(); delete from item where avatar_id_owner = $avatar_id } Bam, bam, bam and done. Linden Lab should really have a construct to delete all items in world by avatar name. This firelane stuff should be scrapped - go straight to the source. Oh, and what ever happened to the FBI reporting? Regards, -Flip _____________________
Peregrine Salon: www.PeregrineSalon.com - my consulting company
Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars! |
|
Ralph Doctorow
Registered User
Join date: 16 Oct 2005
Posts: 560
|
How about watching prim creation rate
04-29-2006 09:15
It seems to me that there are lots of possible actions that could be taken, but don't scale if used all the time. Perhaps the prim creation rate or 2nd derivative could be used as a trigger for more resource intensive investigation by each individual sim.
Possible actions might be checking if the prims are on the owner's land or spreading, are they all from the same owner, throttling or stopping prim handoff to other sims, etc. This would be monitored in each individual sim and only if there was a noticable increase in the rate of prim creation would any further action be taken. It would seem to be a very low overhead monitoring function that would scale. |
|
Luciftias Neurocam
Ecosystem Design
Join date: 13 Oct 2005
Posts: 742
|
04-29-2006 09:29
Oh, and what ever happened to the FBI reporting? Probably names were handed over to the FBI, the FBI said thanks and promptly filed those names away to wherever they keep the holy grail, the ark of the covenan, urgent terror alerts and other items waiting to be studied. |
|
Darkness Anubis
Registered User
Join date: 14 Jun 2004
Posts: 1,628
|
04-29-2006 09:30
One of the problems with self replicating objects is - occasionally they are required for some tasks, removing the functionality removes a tool from the SL content creator's toolbox. The problem comes, when someone creates (deliberately or not) a self replicator that then consumes the whole grid. There are a multitude of solutions to this problem - but most of them require features to be disabled and removed from SL. There is however, a simpler option - default permissions. One of the reasons these grid attacks are so successfully is twofold. 1) Autoreturn is usually set high enough that the objects can replicate a few generations before the parents being returned. 2) Most land in SL is set 'others can build here'. When both of those things are combined - it creates a form of Agar Jelly, perfect nutrients for the spread of replicating prims. If LL were to consider changing the default land parcel permissions from 'other can build', to 'others cant build' - and then allowed users to toggle it (as it can be done now), then vaste swathes of the mainland would be unbuildable - this would significantly impede the progress of any out of control replicator, since each unbuildable parcel acts like a barrier wall against the oncoming flood. If enough parcels were unbuildable, then most outbreaks would be contained to just a localised area. The problems with this are also self evident - if you want to build on someone elses plot, they need to either have on in a group the land is set to, or alternatively, enable the 'anyone can build' option on the land menu. The biggest downside to this is, anyone who's using anothers parcel as a free sandbox wont be able to anymore - but the advantage is that it's a scalable solution to a common form of attack; that wont cripple functionality. Actually when we were in Jouppi before we got the island there was one of these attacks (I am thinking it was right before 1.7 was released but it might have been 1.  . Our land ALWAYS has a 1 min autoreturn and no build. we were overrun in no time. The balls with the evil face just bounced in from neighboring lands. Sorry to shot your idea in the foot but it just didn't work for us._____________________
 |
|
Nexus Nash
Undercover Linden
Join date: 18 Dec 2002
Posts: 1,084
|
04-29-2006 09:46
Good solution, it's that or make it so that llRez only works on own land... which would suck.
_____________________
|
|
Buck Darrow
Registered User
Join date: 24 Apr 2006
Posts: 12
|
04-29-2006 09:58
I am no expert for the current systems architecture of SL, but doesn't the asset server already experience a much higher load? I don't know about that, but I do know that it will continue to experience a much higher load every week. Just in the past few days they've added 4000 residents, and I'm not good enough with statistics to extrapolate it out, but if you are adding that many resident, and they are generating who knows how many assets per resident, then I would assume that LL would continue to scale it up to handle existing loads (i.e. add more hardware). I still like the idea of confining certain actions to one sim. While people might be able to take them to other sims and activate them, thereby attacking that sim, it seems like the damage could be confined, and the perp(s) stopped early enough. It just seems like it would word, but I don't know the system enough to say. |