[Server] - Man in the middle attack

When a server is hosted on a secondary IP and a client tries to connect an error pops up that says.

'Potential man in the middle attack detected. Your client claims it connected to: xxx.xxx.xxx.xxx, but the server does not consider this reasonable.'

Any ideas what might cause this?

PS. Primary IP's work fine.

Comments

  • edited January 2009
    This is something I suspected would come up soon enough and is likely due to the way the IP verification determines its own address. I'll try to make sure we address this in the next update, but for now a temporary fix that should work for servers using a different BindAddress is to use the following line to set the IP check variable manually:
    $IPv4::InetAddress = $Host::BindAddress;

    If you pop this into any file that loads before our scripts are run (maybe create a new .cs file to pop in autoexec if you run multiple configs) it should be fine assuming it's set to the IP the clients see.
    I'm asleep at the moment myself, but in the morning I can open the script on our end and check it out.


    Edit: I've updated the installer with something that should fix this particular problem (as well as an uninstaller, but that's unrelated). If you don't want to download the whole thing, you could just replace your existing T2csri.vl2 with this: http://www.tribesnext.com/krash/T2csri.vl2
  • That did the trick.

    Thanks!
  • That ruined my login.
  • This is something I suspected would come up soon enough and is likely due to the way the IP verification determines its own address. I'll try to make sure we address this in the next update, but for now a temporary fix that should work for servers using a different BindAddress is to use the following line to set the IP check variable manually:
    $IPv4::InetAddress = $Host::BindAddress;

    If you pop this into any file that loads before our scripts are run (maybe create a new .cs file to pop in autoexec if you run multiple configs) it should be fine assuming it's set to the IP the clients see.
    I'm asleep at the moment myself, but in the morning I can open the script on our end and check it out.


    Edit: I've updated the installer with something that should fix this particular problem (as well as an uninstaller, but that's unrelated). If you don't want to download the whole thing, you could just replace your existing T2csri.vl2 with this: http://www.tribesnext.com/krash/T2csri.vl2

    Is this file available anywhere?

    I am getting the error listed above.
  • This particular error was fixed back then, and I included the update in the installer shortly after. Effectively how the server determines if the connecting address is reasonable is that the client indicates the server it believes it connected to, then checks this against the primary public address the server is reporting. If this fails, it then checks against a variety of common LAN address conditions, as well as the $Host::BindAddress if it's being used on a server with multiple IPs. If none of these passes, the client is disconnected with the error above.

    Are you connecting to a local server? If so, what address are you attempting to connect to?
  • This particular error was fixed back then, and I included the update in the installer shortly after. Effectively how the server determines if the connecting address is reasonable is that the client indicates the server it believes it connected to, then checks this against the primary public address the server is reporting. If this fails, it then checks against a variety of common LAN address conditions, as well as the $Host::BindAddress if it's being used on a server with multiple IPs. If none of these passes, the client is disconnected with the error above.

    Are you connecting to a local server? If so, what address are you attempting to connect to?

    I am trying to set up a server on my other computer and it seems to be working but when I try and join I get the man in the middle error.

    The server is called "Boot" in the server list.



    I also tried adding that bit of code in the VL2 but when I zipped it back up the file was half the size which was weird. Anyway it seemed to work and I could join but I would drop after a few minutes.
  • Is that installer with the fix the main T2 download that has the multiple links or just the patch?

    I tried applying the patch again but it didn't fix the problem.
  • The patch. The fix that was applied to the man in the middle check just enabled $Host::BindAddress as an allowable destination IP on servers with different WAN addresses to bind to.

    If you use non-standard addresses for your LAN and want to connect yourself using your internal address, you might need to add the format to the IP check. However, if you're trying to connect to your server's bound WAN address, it should automatically allow the connection if the bind preference is correctly set.

    If you're able to connect and are dropped after minutes, it's not caused by this issue, as the check occurs only when joining. A common cause of delayed disconnections is the $Host::CRCTextures preference, which will disconnect any players running custom skins. I would make sure it is set to $Host::CRCTextures = 0; in your serverprefs.
  • I was able to join via going into Classic Online and adding the local machines IP and directly joining that. If I try and join via the internet IP I get the man in the middle error.

    I am new to this so am trying to figure it out.


    My server seems to reset itself pretty often which is why I was getting disconnected.


    t2server.jpg
  • Yeah, if you're getting it when connecting to the internet address, the IP the client sees and notifies the server of on joining just doesn't match the address detected by the web service or an address you've attempted to bind the server to.
Sign In or Register to comment.