Detecting your client

A client detection mod (CDM) is a client that is run by an operator in a hub. The CDM gathers information about users and tries to enforce rules set by the operator. A CDM has various ways of gathering information and using it, some obvious and some not so obvious. We have all seen them: an ‘operator’ mass-kicking users in a hub because of cheating, slot ratio or some other stuff. CDMs are sometimes (jokingly) referred to as ‘spreading cancer’ because of their nature; they use pure logic and assumptions. For a CDM, you are either good or bad. No grey area. And of course, innocent users will always get caught in the middle…

CDMs can be set to use a ‘white list’ or a ‘black list’. Clients on the white list are the only clients that are allowed in the hub, with no exceptions. If the CDM discovers a client that is not part of the white list family, it will be kicked (or banned). Clients on the black list are the only clients that are restricted from the hub. This means that if the CDM discovers your client, and it’s not on the black list, it will be allowed in. From a security point of view, the white list is better. However, from a network point of view, the black list is better, since it lets new clients in and gives them a chance to grow.

There are various things a CDM checks to determine the client’s status:

  • Commands
  • Share
  • Tag

The first is essentially that the CDM monitors traffic from your client and, depending on whether that traffic matches the list of (un)approved clients, acts on it. E.g., you can use your fresh copy of DC++ to detect other DC++ clients; connect to them, and their icon should become blue. This is because DC++ has a set of specific commands it sends, which makes it easier for someone to know which client you’re using.

The second, share, can be divided into a few sub-categories.

  • Number of broadcast bytes
  • File list
  • Normal files

The number of broadcast bytes is a classic. Essentially, the one thing checked is the number of bytes your client claims you share. If the value is too common, or the entire number shares some common denominator, the CDM will know about it. Most CDMs will, e.g., kick someone broadcasting “444444444” bytes, with the message “Too many similar numbers” or something like that. This is only the first frontier, and will most likely flush out the most common and crappy cheaters. (Of course, some normal users may be kicked, though it’s probably rather rare.)

Going on to file lists, they are the second frontier and most often the last stop for CDMs regarding share. The CDM downloads your file list and (1) looks at the number of broadcast bytes and compares it with the file list’s shared bytes. If they differ too much, you’ll (most likely) be kicked. (2) The CDM will also go through the share, and look at file names and hashes. If one of the files is the same file as a known fake or illegal (as in not allowed in that particular hub) file, you’ll (most likely) be kicked. (3) Also, besides checking for file name and hash, most hubs enforce a “maximum file size” rule, and the CDM will look for that, too.

The last part is verifying normal files, which, to my knowledge, very few CDMs actually do. This means that the CDM will download the file list, and then attempt to download a random file. If the CDM can download the file without trouble, no action is taken. However, if there’s a constant error, like TTH inconsistency (wrong leaves) or ‘no slots available’ etc., the CDM will conclude that the user is faking somehow. This is non-trivial for the CDM because it requires more logic on the CDM’s part to download a ‘random’ file and then delete it when the download is complete. To pass a CDM of that skill, the client needs to create a correct leaf database for each of the shared files, which is non-trivial.
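The share checks described above (similar digits, broadcast size versus file list, known-bad hashes, maximum file size), sketched from the operator's side as an added example that is not code from any actual CDM. The thresholds, the digit-ratio heuristic, the `(name, size, tth)` tuple layout and all sample values are assumptions constructed for illustration:

```python
from collections import Counter

# Hypothetical hub policy values; the post gives no concrete thresholds.
MAX_DIGIT_RATIO = 0.8        # share of the most frequent digit in the byte count
MAX_SIZE_DRIFT = 0.05        # tolerated relative gap between claim and file list
MAX_FILE_SIZE = 50 * 2**30   # "maximum file size" rule, in bytes
KNOWN_BAD_TTH = {"CONSTRUCTED-FAKE-TTH"}  # constructed placeholder, not a real hash


def similar_digits(claimed_bytes):
    """First frontier: flag claims such as 444444444 dominated by one digit."""
    digits = str(claimed_bytes)
    if len(digits) < 6:      # too short to judge; avoids kicking tiny shares
        return False
    top = Counter(digits).most_common(1)[0][1]
    return top / len(digits) >= MAX_DIGIT_RATIO


def check_share(claimed_bytes, file_list):
    """file_list: sequence of (name, size, tth). Returns the reasons to act."""
    reasons = []
    if similar_digits(claimed_bytes):
        reasons.append("too many similar numbers")
    listed = sum(size for _, size, _ in file_list)
    if abs(claimed_bytes - listed) > MAX_SIZE_DRIFT * max(claimed_bytes, listed, 1):
        reasons.append("broadcast size differs from file list")
    for name, size, tth in file_list:
        if tth in KNOWN_BAD_TTH:
            reasons.append(f"known fake or disallowed file: {name}")
        if size > MAX_FILE_SIZE:
            reasons.append(f"file over size limit: {name}")
    return reasons


# Constructed sample file lists.
HONEST_LIST = [("linux.iso", 700_000_000, "TTH-A"), ("notes.txt", 12_345, "TTH-B")]
FAKE_LIST = [("fake.bin", 1000, "CONSTRUCTED-FAKE-TTH")]

if __name__ == "__main__":
    print(check_share(700_012_345, HONEST_LIST))
    print(check_share(444_444_444, FAKE_LIST))
```

A digit-ratio rule like this is exactly the kind of check that can catch an honest user whose share happens to land on an unlucky number, which is why the drift tolerance and minimum length are there.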

The third part a CDM will look at is the tag. This usually contains (1) client and version, (2) slots, and (3) number of hubs. Most CDMs use a white list, and the CDM will look at (1) to see whether that’s an allowed client and version. Sometimes, users are kicked by CDMs because they use a brand new version of the client (has happened to me several times). The CDM will also look at (2) to figure out whether the number of slots is acceptable in the hub. The CDM may also run a search, and check the ‘search window’ to see how many slots appear there. (The CDM can search, see that there are plenty of slots available, and try to download a file, only to be refused with ‘no slots available’. The CDM can then conclude that the client in question has locked its slots.) And lastly, (3) is used to enforce a “maximum hubs” rule. This rule most often concerns the number of ‘normal’ hubs you’re in, and not the ones where you’re registered and/or an operator. And of course slot ratio is enforced: the number of slots you have to have open per number of hubs you’re in.
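The tag checks described above, as an added example that is not code from any actual CDM. It assumes the conventional DC++-style tag layout `<++ V:version,M:mode,H:normal/registered/op,S:slots>`, which the post itself does not show; the white list contents, limits and sample tags are constructed:

```python
import re

# Assumed tag layout (not shown in the post), e.g. <++ V:0.674,M:A,H:2/1/0,S:4>
# H = normal/registered/operator hub counts, S = open slots.
TAG_RE = re.compile(r"<(?P<client>\S+) (?P<fields>[^<>]*)>$")

# Hypothetical hub policy.
ALLOWED = {"++": {"0.674", "0.691"}}   # white list: client -> allowed versions
MAX_NORMAL_HUBS = 5                    # "maximum hubs" rule
MIN_SLOTS_PER_HUB = 1.0                # slot ratio: slots per normal hub


def parse_tag(description):
    """Return (client, version, normal_hubs, slots), or None if malformed."""
    m = TAG_RE.search(description)
    if not m:
        return None
    fields = dict(f.split(":", 1) for f in m["fields"].split(",") if ":" in f)
    try:
        # Only the first H value (normal hubs) counts toward the hub rule.
        normal_hubs = int(fields["H"].split("/")[0])
        return m["client"], fields["V"], normal_hubs, int(fields["S"])
    except (KeyError, ValueError):
        return None


def check_tag(description):
    """Return the list of rule violations for a user's description string."""
    parsed = parse_tag(description)
    if parsed is None:
        return ["missing or malformed tag"]
    client, version, normal_hubs, slots = parsed
    reasons = []
    if version not in ALLOWED.get(client, set()):
        reasons.append(f"client not on white list: {client} {version}")
    if normal_hubs > MAX_NORMAL_HUBS:
        reasons.append("too many hubs")
    if slots < MIN_SLOTS_PER_HUB * max(normal_hubs, 1):
        reasons.append("slot ratio too low")
    return reasons


if __name__ == "__main__":
    # Constructed sample descriptions.
    print(check_tag("my share <++ V:0.674,M:A,H:2/1/0,S:4>"))
    print(check_tag("<++ V:0.999,M:A,H:8/0/0,S:3>"))
```

The second sample shows the white-list side effect the post mentions: a version newer than anything on the list is rejected the same way an unknown client is.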
