Grid attacks. How to minimize their impact ... ?

I am no expert in network security!

That said, I would like to ask the assembled experts here if it would not be possible to add some simple (?) changes to LSL and the administrative functions of SL that might at least minimize the impact of typical forms of grid attacks.

I sincerely believe that any software system that is user-programmable and flexible enough to do anything really interesting with will always include opportunities for malicious hacks, griefing, DoS attacks and similar abuse. But robust systems should be able to defend themselves once the the source of the attack is identified and recover gracefully.

The ideas presented may be totally naive. If this is the case, please enlighten me!

1. Throttling object creation. Many functions of LSL that could be abused or are resource intensive, are "throttled". Why not throttle the scripted creation of objects (which seems to be the core of all of the last gridwide attacks)? If this would be done on a per user base it should not affect legitimate usage much. If the scripts of one resident could create only X identical new objects per hour, and X would be a reasonable large number (500 or 1,000 or more) a griefer still could attack one sim but rarely the whole grid.
   
2. Disabling all scripts owned by a resident. If LL admins could do that, a grid attack might still be possible but would be easily stopped once the resident(s) responsible for it is/are identified. Self replicating would stop.
   
3. Deleting all objects owned by a resident. If LL admins could do that, cleanup after a grid attack would be fast and easy.

Opinions from the experts, please!

Default land to no-build. You don't usually go around uploading crap to other people's servers, unless they specifically grant you access with a username and password.

Get rid of mainland. Objects can't teleport to islands.

Ok. Since the previous two suggestions have been 'default all land to no build' and 'get rid of mainland' the only logical progression I can suggest to trump that is...close Second Life! If you stop people logging in...

Anyhoo, I thought they already did something about this in so much as they created a 'firebreak' technology to isolate infected sims? Where was it this last few times? Hmm? Hmm?

Hahaha! I saw you had responded Kris, and I had this flash in my mind of you saying to close SL!

Are you broadcasting your thoughts around the globe?

Yes. It's more feasible and less painful than attempting to use SL

Pham, throttling object creation is an 'obvious' solution but it would never work. Why? Read on...

Scenario 1: You're working on a huge unlinked/unlinkable project that's been stored using a rez-foo and rezz it out of the box to do a bit of work on it. Normally that would take a couple of minutes. I don't think many people would be too happy if that was turned into a couple of hours.

Scenario 2: You've just bought an expensive gigantic medieval castle and it just so happens to be a bazillion unlinked object held together by a rez-foo. So instead of it taking the tedious 5 minutes to rez that it would now, you'd have to wait hours.

Eggy, please forgive me, if I got this wrong, but ...

If land was no-build, wouldn't it still be possible to create a flying object somewhere else and move the object in question to this region? So objects could replicate in any spot that allows object creation and flood the surrounding land from their "nest"?

Hi Alazarin. First: Thanks for the thoughtful feedback; rare on these forums where it seems to be much more important to have a "cool" and funny comment ready.

I am not sure though, if I phrased my original post in a way that might lead to missunderstandings. I was talking about rezzing 500 or 1,000 identical objects as the throttle limit. So, while that castle might consist of a few thousand prims it certainly would not be a collection of more than a few hundred objects. Yes, I am qualified to testify in this case, because I actually own such a castle.

Anyway: I am sure that any proposed solution will have disadvantages. Thanks for pointing out a possible source for such problems.

Re-read my idea. Land that allows anyone to build arbitrary objects is a horrible idea from a security point of view.
It used to be that you could set object permissions as modifiable by everyone, and in fact the first self replicating gridwide "attack" was perpetrated by Ezhar Fairlight, back when rezzing prims cost L$10 per prim, using an object owned by Andrew Linden so he would foot the bill.
This "modifiable by everyone" permission was removed since it was a security breach.
Similarly, you shouldnt be able to have your land open to everyone who may or may not be a hacker, but rather build ACLs of people who you trust with that privilege. I suppose you can do it with groups. Physical objects built in sandboxen die at the edge of the sim dont they?

Thanks for all the fish.

I did. I am still not sure I get the idea. That might have got to do with the fact that I am not a very experienced scripter in SL and the permission system often leaves me completely confused.

So your suggestion is not only "Default land to no-build." (sorry, this was my understanding of your first reply) but: "let only those people create anything on a parcel that have been allowed to do so explicitely"?

I trying to think the idea through.... This would only work if it would be implemented universally? Because as soon as only a single parcel allows the creation of objects I could have my self replicating seed object there and have its offspring flying to other sims ...? If this - rezzing somewhere and moving to other sims/parcels - was forbidden, wouldn't we have to do without vehicles?

Maybe there is an error in this line of reasoning. Please tell me.

Because you are someone who has had a lot of experience in SL .. could I please ask you to give me some feedback on the ideas I presented, too?

Pham, first of all, I'm a human. Flesh and blood as your own. You don't need to treat me with any special formality or respect or whatever. I can comment on your suggestions, but my comments should be taken with a grain of salt and will not be much better than anyone else's
My idea was not meant to detract any value from yours. They are good ideas, doable I suppose. Throttling might break some obscure content-swapping system out there, I dunno. My point here is that SL was not planned with security in mind and therefore it has some design flaws. A lot of things, namely building, follow a "default-allow" policy - by default, you can build anywhere. Imagine if we were to apply this to the "real" world! By default, anyone could put files on your computer, cover up your website with unrelated material, or even mess with your bank account... not a great idea, eh?
Generally, servers default to read-only, and for write access, you need to have an appropriate username and password. We could translate this to SL in a number of ways.
Right now I'm thinking that we could do this with groups.
Every non-grouped parcel would be deeded to a 1 person group with the former owner as officer and founder. Building would be disabled for other people, and then if you wanted to allow building for a few people, you could add those people to your group.
If you want to have a public place where anyone can build, then tick the box to let anyone join your group.
Ideally, I would like LL to dedicate a small team of 1-3 people to continuously focus on enhancing security, so that we can at least get a plan in place and eventually be impervious to attacks, host our own servers etc.

Indeed, this is also why preventing things like o2o llGiveInventory won't stop grid attacks. The first thing I did when they killed that last time was to script up a "hive" based replacement.

No.

And making most land no-build would kill way too much content, from followers to starax' wand.

Only accounts that have been in existence for more than a month can use llRezObject and other "grief-potential" functions, unless the account holder contacts Linden Lab for a specific reason. Let's face it; these grid crashes are being done on a whim by alts created the day of the attack cause some teen who doesn't have a girlfriend is bored.



Regards,

-Flip

If you use any modern web browser, then anyone can put files and execute code on your computer. If you use Windows, they can even install software there!

Plus, getting rid of land where anyone can build objects sort of kills all the sandboxes. I was discussing with another resident the idea of a firebreak which we are discussing here. That is we are taking a small performance hit (checking the rate of object creation) in order to prevent a much larger one (the grid crashing). You could even set a warning and cutoff points. It would then be a global setting for your SL domain (collection of sims) and then overriden on a sim by sim basis by LL and sim owners. This allows for the creation of public sandboxes and personal workplaces. Each sim then monitors itself from the setting it either inherits from the domain or its explicit setting to avoid bottlenecking checks at a central server. Add then add in some reporting to tools so that you can monitor where your weak spots are.

But then again do we as residents know the root cause of the grid crashing? This is all conjecture.

Plus, getting rid of object creation by anyone completely, kills some of the nice touches in SL like coming back to your land and finding Christmas cards left by your friends.

But Pham commenting on your ideas. If their database structure is sound, they should be able to delete all objects owned by a user. I am assuming they are hesitant to so because they need to be sure and restoring them might not be as easy. And technically script enabling and disabling is that fine tuned as you set individual scripts to running or not. So, I expect they have stored proceedures to disable all scripts owned by that user everywhere. Again they just need to be sure. It's just tough as it takes time for them to log in and witness the attack and identify the cause which is all the more time the attack has to damage. And of course during this time, residents panic.

Throttling still doesn't prevent attacks. An attacker could build much slower paced self-replicating objects that spawns physical objects and do pretty much the same damage.

You overlooked the part where I mentioned an ACL.

The only trouble with ACLs is that it may not be very intuitive for your average user. We could just base it off everyone's friend list for the mainland. It's simple to understand and already exists in game. Then give sim owners a more powerful and detailed ACL system.

I never heard about that. When did that happen?

The Great Flying Fish Attack of '03. The grid was small enough and the auto-rez was slow enough (intentionally?) that the Liaisons were able to go in game and just kill them all.

The ownership "hack" I think was designed to lead one to think "here's a Linden created thing that is copyable, that can't be harmful, right?". If you copied one and rez'ed it, it would slowly drain your wallet at L$10/prim; however, when the prims were deleted, you got the L$10 back (as always happened then).

I seem to recall that it was designed as a not-too-malicious trick by the Mythical Ez to see if it could be done, not to crash the grid (the slow-rez, the small wallets, and non-physical fish) made it more a surprise than a grief tool.

Those were the days, my friend. I think this was before Eggy started. ( )

So we could use social engineering, provide all SL players with a free girlfriend, problem solved, no?

Or all the drive-by... er... fly-by easter eggs!

How would that work? Starax would provide a list of everyone who bought the wand to all landowners so they could set the ACL for each of them so each wand-weilder's wand would work on their land, in the hope of garnering some good will from the few people who can afford a wand?