A temporary proxy checker for the freedom-01 server

Please Note: The TotalFreedom Forum has now been put into a read-only mode. Total Freedom has now closed down and will not be returning in any way, shape or form. It has been a pleasure to lead this community and I wish you all the best for your futures.
  • Before you immediately slam the object button, I just want to explain how The System™ that I have in mind would work:

    First, an admin would find a need for enabling the proxy checker, either due to an individual repeatedly joining on alternate accounts and proxies to disrupt the server or another user using a bot program to spam the freedom-01 server.

    Once a use case is found, the admin would run a command along the lines of /pc enable, which will enable The System™ for a configurable amount of time. After the time elapses, or the server restarts, The System™ is automatically disabled.


    The System™ | how does it work?

    The System™ would hook into Bukkit's PlayerLoginEvent. When a player attempts to log into freedom-01 while The System™ is enabled, it'll query the English Wikipedia's API for any active blocks on the IP Address. (you can see an example of the API response here)

    If the reason for the block contains {{colocationwebhost}}, {{Webhostblock}}, {{blocked proxy}}, or {{zombie proxy}}, then the player will be kicked and the IP address would be added to an in-memory cache to prevent repeated requests to the endpoint.

    If the IP is blocked but not for being an open proxy, or is simply not blocked at all, then the connection is allowed, with the IP address also being added to an in-memory cache to prevent unnecessary requests.

    In the event that the API endpoint either times out, doesn't respond, or responds with an error object, the connection will be allowed but won't be added to the cache. It'll also log an error to console.


    The System™ | caveats?

    Yes, actually. Due to the way Bukkit's PlayerLoginEvent works, a connection attempt will hang until the allow() method is called, which would normally be when the API responds. Luckily, under normal conditions, the response time is less than 500ms from my measurements. The in-memory cache that I mentioned earlier would also prevent a player who has already connected to the server once from having to experience this delay again.

    There is also the fact that there are OPs who play on freedom-01 who have a legitimate use for using a VPN or proxy, and that The System™ would prevent them from playing if it was enabled, which is why I also suggest that NetworkManager or LuckPerms is used to create a permission node for The System™ which would skip all checks for that player.

    Luckily MediaWiki is pretty lax with their API etiquette, especially for read-only requests like the one that The System™ uses. They only ask that you set a User-Agent header so that they can identify and contact you if needed.


    The System™ | do we even fucking need it?

    Need is a pretty strong word.

    It would certainly be a better solution than just preventing all logins to the freedom-01 server in the event of a bot attack, or having the admin team play a game of Whack-A-Mole with server crashers.

    I also understand that the development team for TotalFreedom is pretty light at the moment, which is why I'm not asking the dev team to drop everything they're doing and slam this shit into TFM. I'm just proposing a potential solution.


    The System™ | TL;DR

    Fine.

    The System™ is a temporary proxy checker that attempts to stop bad faith users and bots that use proxy or VPN connections while also minimising the effect on legitimate players.

    If you have any questions, I'll be here for the next hour or two. Thank you for taking the time to read this.

    ピバラ。
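The decision flow proposed in the post above (time-limited enable, exemption, cache, template match, fail-open on errors), as an added Python sketch that is not part of the original post and not TotalFreedomMod or Bukkit code. The `ProxyChecker` class, the `fetch` callable, and the sample responses are assumptions; the JSON is constructed in the shape of a MediaWiki `list=blocks` reply.

```python
import json
import time

# Block-reason templates named in the post; compared case-insensitively (assumption).
PROXY_TEMPLATES = ("{{colocationwebhost}}", "{{webhostblock}}",
                   "{{blocked proxy}}", "{{zombie proxy}}")

class ProxyChecker:
    def __init__(self, fetch, duration_s, clock=time.monotonic):
        self.fetch = fetch      # hypothetical callable(ip) -> JSON text; may raise
        self.clock = clock
        self.enabled_until = clock() + duration_s  # the "/pc enable" window
        self.cache = {}         # ip -> True (kick) or False (allow), in memory only
        self.exempt = set()     # stand-in for the proposed permission node

    def should_kick(self, ip, player):
        if self.clock() >= self.enabled_until or player in self.exempt:
            return False        # disabled or exempt: no lookup at all
        if ip in self.cache:
            return self.cache[ip]
        try:
            body = json.loads(self.fetch(ip))
            if "error" in body:
                raise ValueError(body["error"].get("code", "unknown"))
            blocks = body["query"]["blocks"]
        except Exception as exc:  # timeout, malformed JSON, error object
            print(f"[proxycheck] lookup failed for {ip}: {exc}")
            return False        # fail open and leave the IP uncached
        verdict = any(t in b.get("reason", "").lower()
                      for b in blocks for t in PROXY_TEMPLATES)
        self.cache[ip] = verdict
        return verdict

# Constructed sample responses keyed by documentation-range IPs.
SAMPLES = {
    "192.0.2.10": '{"query":{"blocks":[{"user":"192.0.2.0/24","reason":"{{Webhostblock}}"}]}}',
    "198.51.100.7": '{"query":{"blocks":[{"user":"198.51.100.7","reason":"Vandalism"}]}}',
    "203.0.113.5": '{"query":{"blocks":[]}}',
    "203.0.113.9": '{"error":{"code":"example_error","info":"constructed"}}',
}
calls = []  # records every simulated API request, to show the cache working

def fake_fetch(ip):
    calls.append(ip)
    if ip not in SAMPLES:
        raise TimeoutError("simulated timeout")
    return SAMPLES[ip]
```

On the hang described under caveats: Bukkit's AsyncPlayerPreLoginEvent runs off the main server thread and is the usual place for a blocking lookup like this one.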

  • Quote

      Deauthorized It would certainly be a better solution than just preventing all logins to the freedom-01 server in the event of a bot attack

    In the last few months of being admin, I've never seen a moment where we've prevented all logins in the event of a spambot attack.

    Neutral.

  • Quote

    @' 5 ' this blocks all VPN users. the situation isn’t dire enough for that. i find it a very bad sign that we’re becoming less accepting of VPN users. in my experience, admins have loads of fun handling spammers manually anyway. it’s the point of the role.

    It's not about being less accepting of VPN users, it's about temporarily disallowing VPN connections in situations where somebody repeatedly rejoins the server with a proxy and causes disruption or when somebody with OQ.Minebot and a TheAltening sub decides to try and slam the freedom-01 server. I don't want it to be enabled all the time.

    I understand there are legitimate uses for proxies, and in some cases people don't have a choice, which is why I also suggested this;

    Quote

      Deauthorized There is also the fact that there are OPs who play on freedom-01 who have a legitimate use for using a VPN or proxy, and that The System™ would prevent them from playing if it was enabled, which is why I also suggest that NetworkManager or LuckPerms is used to create a permission node for The System™ which would skip all checks for that player.

    How the player would request to be exempted isn't something I worked out yet. Maybe via NetworkManager's ticket system or the forums.

    I'm not an administrator, so I can't speak on your last point.

    ピバラ。

  • I object. We used to have this system, but we removed it because it causes issues (as far as I remember). We did have a captcha plugin (a TF veteran, Hockey, created that) to whitelist your IP if you pass the captcha on a link provided on a kick - while it's not perfect, it mainly did the job of preventing bots.

  • Quote

    @' 5 ' alt shops will be wiped out of supply on the migration deadline. when MS accounts are logged into from unrecognized locations, MS sends an email and text w/ a security code. will this system still be worth configuring?

    Maybe. People will always find another way when it comes to this type of stuff. Until then, we'll just have to see.

    ピバラ。

  • I would like to mention that with the current way we store player data (combination of IP addresses and names), I am actually inclined to encourage the use of a VPN/proxy under the condition that you are the only one who has access to it. When I was still archiving the flatlands, I had to administrate under a separate user account and use my server as a proxy to avoid fucking up the player data I had in place under both accounts.


  • Quote

      videogamesm12 I would like to mention that with the current way we store player data (combination of IP addresses and names), I am actually inclined to encourage the use of a VPN/proxy under the condition that you are the only one who has access to it. When I was still archiving the flatlands, I had to administrate under a separate user account and use my server as a proxy to avoid fucking up the player data I had in place under both accounts.

    ST47ProxyBot (Wikipedia's own anti-proxy admin bot) does block webhosts, as they can be used as proxies or VPNs. Most of them are range-blocks, so even if you technically were the only one who had access to that server, it would most likely still be blocked.

    I did state that a system to whitelist UUIDs or usernames from being checked would be needed in cases where you use a proxy or VPN in good faith. Maybe have it just be an automatic thing for players on the admin list.

    Quote

      Fleek A lot of false positives - I remember not being able to join due to system thinking my IP is a VPN/proxy when it isn’t.

    Yeah, unfortunately that'll happen sometimes. IPv4 addresses are deallocated and reallocated nearly constantly. I haven't seen a lot of false positives with the English Wikipedia's block database though to be honest, but that may be because I don't participate on Wikipedia that much anymore.

    False positives are another reason why I'd want a proxy checking system to not be on 24/7, just as a standby thingy in case a situation arises where it would be an effective solution to that situation. That way it causes a minimal amount of disruption.

    But a Captcha is an effective solution when it comes to spambots, I definitely agree on that. Do you know why the plugin was removed by any chance?

    ピバラ。

  • I Object. People who are privacy-conscious elect to use VPNs and we should respect that decision. I've also experienced cases where my own legitimate IP has been blocked by some of these 'VPN/Proxy' blockers while not having any of those equipped.


  • Quote

      Telesphoreo I don’t remember the last time we had spambots.

    Earlier this afternoon. I had to manually ban every single one of them from hub after locking down the server.

    Now I'm not too reactionary to push anything major, but this suggestion does potentially sort out that flaw. We got botted really bad in November/Decemberish and were in adminmode for several hours. Having at least some way to mitigate the effects of one is an idea I can get behind. I'm not wanting to wrap the entire house in bubble wrap in case someone has a fall, but it saves some poor sod sitting and manually banning dozens upon dozens of accounts every time someone decides to fuck with us.

    Patrolling the Mojave almost makes you wish for a nuclear winter.

  •   erin Would Captchaify have also been a solution? Were the spambots automated or was it an actual person joining over and over again spamming with different IPs?

    I wouldn't be opposed to having a database of IPs that are known to be VPNs (that is up to date, of course) provided that it is easily toggleable in the event that it does happen.

  • Quote

      Telesphoreo Would Captchaify have also been a solution? Were the spambots automated or was it an actual person joining over and over again spamming with different IPs?

    For bots it would most likely be a better solution, as I'm pretty sure there aren't any bot programs that are that advanced yet, but a proxy checker would work as well since most bots are routed through open proxies.

    Quote

      Telesphoreo I wouldn’t be opposed to having a database of IPs that are known to be VPNs (that is up to date, of course) provided that it is easily toggleable in the event that it does happen.

    This is literally what I'm suggesting.

    ピバラ。

  • vouch literally 0 reason to not add it in as a temporary measure against bots
    captcha and admin mode back during seth's rule were annoying as fuck because we would have massive spam bot attacks and these measures led to nobody being on the server, i'd rather some people join even when there are false positives