|
|||
|
How Yahoo booters *REALLY* work.
After getting fed up with booters knocking me offline, i finally got the packet sniffers out, flexed my programming skills and decided to go in search of the truth..
Misconceptions A chat client is more bootable than another one... (yes only if the client is very very badly written) You need some kind of secret packet to send to boot a person in yahoo.. false. Truths. A Chat client with a good connection will help prevent most booters, yes, this is correct (with the exception of a couple of yahoo server explots..) If you know nothing about booters and a little about yahoo, have a look at the article i wrote here Ymlite if not i'll try and explain that (which is 300 odd lines) into something a bit more technical now... Yahoo Messenger Yahoo Chat... Yahoo messenger can get into yahoo chat, but in reality, it's a seperate service... Yahoo Messenger's server has a Buffer, this buffer is actually 128k not the 512 the first tests indicated in the article above. Why does a booter work? When the attacker sends multiple packets to you, what you don't get from the server gets stored in a buffer, in comes a chat packet, the client grabs it, in comes 5 chat packets, you grab the first 3 packets, 2 are left behind on yahoo's server, you then grab the 2 packets and then the buffer is back to empty. Right, this time the booter sends 1k's worth in 1 packet of PM (instant messaging packets) but instead of sending the 1 packet, the booter builds up 10 pm/im packets (800bytes) + 800 + 800 impacket+impacket+impact Then you send it to yahoo 10 loops packets of PMs @ 1k each = 80k in 1 load to yahoo then the booter sends it again, 160k. Now if you can send 128k's worth of data, pm packets, chat packets, anything you like to the other user BEFORE the user can get the data out, yahoo will simply d/c them over 128k why? Most Probably because the server is instructed to d/c idle users or users who are no longer online, what's the point of Keeping someone in yahoo chat if they are not getting the data people are sending them, after 40 minutes of a client sending data yahoo goes, we've buffered 128k, the user aint there, kick him... another theory is that, yahoo messenger would crash if it got anything more than 128k lol So why do some clients take longer than others to boot them... The faster the routines, better the coding of the chat client, those few seconds really build up. Take YahEh a VB written client, to display "Hey there " in YahEh might take 80ms to perform...the one in Say Y!mlite, typically can do it much faster say around 20 - 30ms So Y!mLite can process the data, display the packet, get the next packet, it's going to get the packet 50ms faster, ok not much for 1 packet but let's say 100 packets = 5000ms = 5 seconds slower over a period of 100 packets... This means the client gets less packets from yahoo, and in turn the booter sends more data than you can get (128k) and you get disconnected from the server. Right so Yaheh might bet booted in 30 seconds, y!mlite because it can get that extra data from yahoo fast enough, it could last say 40 before it got booted... but, most clients have CPU's good enough now so the chat client makes very little difference, most of the ability of being boot proof is put on to the bandwith... 56k User can download in theory at 8ks but in reality it's about 4 - 5k So here's a 1mbit connection, 1mbit / 8 = 128k a second upload. Here's a 56k connection 5k/s download by the time the booter puts up 128k of data, the 56k user was only able to get 6k, which leaves 122k of data buffered at yahoo... in less than 2 seconds, the 1mbit connection booter would have taken out a 56k user. 2 56k users trying to boot each other. 1 56k user manages to upload at 6k/s 2 56k user manages to download at 5k/s The booter will work. Booter is sending 6k/s 1k more than what the other 56k user can download... in 128 seconds, the booter would be able to fill up the buffer.. 2 minutes it would take to boot them.... if you're on a 2mbit connection and someone tries to boot you on a 3mbit connection, you'll be able to send out at 256k/ but the 3mbit user will be able to download 384k and you'll never be able to fill the buffer fast enough to boot them... But there's one exception to the rule A yahoo server exploit, send 128 packets at 1k/s and providing the messenger client does not get the data from the buffer, it will be booted in exactly 128 seconds, now this server exploit Certain Packets (not specifying what for obvious reasons) Allow you to send the ID of the person you wish to send the packet to, eg, will you come to my conference, in the packet you can put down 10 id's and yahoo will send out 1 packet to each of them 10 users, 1 packet from me, 10 packets out of yahoo.... Well these booters simply put in 1 person to invite, 10 times, and the packet gets magnified 10 times, so if you're on a 56k, you essentially have the bandwith of 56k * 10 = 560kbit connection, loop the data as i pointed out up there, and guess what happens, you get the equiv of a 1/2mb booter from a slow connection, yahoo sends so much data to the victim so quickly it fills up the buffer (128k) and you get booted from yahoo messenger... What can be done? Since i'm the one who writes y!mlite, i've done a few tricks to make it faster, for example if you're under attack, you want to get the data out fast, so as a result, y!mlite only processes the header of each packet, and if it's an IM packet / invite, whatever, it simply ignores it and gets the next packet, it will only process Chat Data since it's highly unlikely someone would try to boot you from chat. As a result, when a client like yahelite spends 40 - 50ms processing the content of ?WERWE?R>$?@#$ it could waste valuable time, in effect y!mlite becomes unlaggable no matter how many bots are booting you.. (P.S if you have the bandwith, you could boot a person with 1 ID just sending them lots of pm messages faster than they can get out to fill 128k) So in this type of boot, y!mlite might survive the d/c simply because it's faster at getting the data while yahelite processed it and got lagged and as a result it gets booted. Y!mLite has Booter Detection, it talks to tell you it's happening, it measures the data throughput and calculates if it's an attack, Y!mLite's also in the proccess of getting an anti booter type routine in, the secret is to use 2 id's... but it's a new experimenental thing and it will quite effectively stop booters... Y!mlite p.s i've become quite an expert in this field, any questions feel free to ask, but if you're an absolute noob i suggest reading the article above, it explains everything in detail and precisly what point you get booted... Craig C. |
|
||||
|
This is very off topic.
1. It doesnt change the fact people on Yahoo! Messenger get booted. 2. It's nothing but another sales pitch to use Ymlite, if so it should be in here 3. This thread is for supporting Yahoo! Messenger problems. 4. Most people come to these forums for help not more confusion.
Irish Gaming - 1000+ Games and climbing! |
|
|||
|
Dermot, you're not a yahoo expert, and people like to know what's really going on... Your idea of help is pushing programmable buttons, this is real information based on tried and tested programming...
Oh and since when has booting yahoo messenger not been a problem for yahoo messenger users? As i pointed out, you can be safe from boots even on messenger if you follow some little steps like disable all pms except from buddies, and turn off as much as you can as well as upgrade your connection.. the information above can be applied to any yahoo client. Craig C. |
|
||||
|
Quote:
![]() And Dermot has proven to know enough about Yahoo! to be part of the Yahoo! staff here, so his words count for something. ![]() Quote:
Quote:
Here at BigBlueBall we of course offer suggestions on how to reduce your chances of getting booted, but there is no true way to prevent this because as i stated, and will always state: If someone really wants to boot you (and they know how), they will do it.... As a side note: Lets keep this thread friendly because it seems to be going the wrong way. I told my psychiatrist that everyone hates me. He said I was being ridiculous - everyone hasn't met me yet. |
|
|||
|
For the ones who read my article properly, they will understand how booters work, if my article was not true the booter i wrote to test my theory does not exist but since it does, i'm going to presume the information given is valid until proven otherwise.
Craig C. |
|
||||
|
You still don't get why i posted what i did.
This is a Yahoo! Messenger Support Forum Booting can not be solved on Messenger at this time by you or anybody else but yahoo! I do not claim to be a yahoo! expert nor have i ever, but the fact remains people who are not technicially minded come here for help on Yahoo! Messenger not wanting to know the psychics of yahoo! servers and how they get booted as 70ms to a 30ms execution makes no difference, they will be both booted. It does not matter whether your theory is right or not, it does not change the fact that you will and can be booted on ymlite or y! messenger and stating this to the non computer savvy person does nothing but confuse them. If you want to promote your client which you're the author of and obviously doing in that post then i suggested posting it the submit your favourite program thread. Booting will and always will be a issue for any Yahoo! user no matter their method of connection to yahoo! servers and the same thing boils down to yahoo! being the only people who can fix it, not a post about how it happens. You know as well as i do craig that even disabling these options don't actually stop you recieving the packet but just the client having to work to deny them as even yahoo ignore isn't serverside as all it does is add that name to a list stored on the server that is there to be recieved by messenger and added to the ignore list in preferences to just get the client to ignore it again. This is as useful as going to a africa and telling all the children why they are dying, don't stop it, don't remedy it, just simple logistics. Irish Gaming - 1000+ Games and climbing! |
|
||||
|
Reply to this...
For the server-side "boots" craig is describing what's called an amplification attack. It works by amplifying the traffic load while only having to send a small amount of traffic to make it happen. It's also called the snowball effect. These server-side d/c packets are basically a Yahoo!-specific SMURF attack using Yahoo!'s own protocol to abuse their server's traffic routing rules. I know of a couple ways to stop them from working but there's only a couple tricks you can use to stop one of these attacks if it uses chat invitations or PMs *deliverable in all scenarios regardless of whether you're using Chat 2 or YMSG, cloaked on YMSG or not*. If the packets can be delivered to you it's a potential avenue for flooding to boot you.
Cloaking in YMSG aids in preventing most of these attacks but can't cover all of them. To combat against strong PM bombing even if the PM bomb is using an amplified packet structure to force lots of traffic on you (booters call these "looped" packets) something can be done about it. What you can do is log your ID into YMSG/HTTP and then use a chat client to log that same ID into Chat 2 to join a room. You'll be able to chat regularly on the Chat 2 connection, use voice etc. while all of the chat invites that you receive as well as all of the PMs you'll receive will all be sent to your YMSG/HTTP connection. It's impossible to flood off a user that's signed into YMSG/HTTP even if they're on dial-up due to the nature of how HTTP operates and how the servers deal with the excess traffic that's buffered or built up. The excess is simply discarded while using this protocol. There are other "tricks" you can use but this is the cleanest and would truly make anyone regardless of their connection "unbootable" as far as the flooding goes unless that flood is generated inside the chat room (on the Chat 2 connection). Cookie exploits and other disconnect exploitation methods that don't involve flooding you would still be susceptible to. |
|
|||
|
Torseq Tech, thank you for that post it was very informitive. When you say to log into YMSG/HTPP do you mean web browser YMSG >>> Yahoo! Chat or normal yahoo messenger. I understand all the rest of your post about entering chat with 3rd party client in chat2..
|
![]() |
LinkBacks (?)
LinkBack to this Thread: http://www.bigblueball.com/forums/yahoo-messenger-support/37778-how-yahoo-booters-really-work.html
|
||||
| Posted By | For | Type | Date | |
| Info.com - New Yahoo Booters - www.Info.com | This thread | Refback | 04-18-2009 12:15 PM | |
| Romanian Security Team - [ Security Research ] • View topic - program cu care ii scoti p aia d p mess | This thread | Refback | 09-15-2008 05:39 PM | |
| Yahoo Booters are Rogues Who Boot You Out of Yahoo Chat - The Internet Patrol | This thread | Refback | 07-29-2008 12:38 AM | |
| Yahoo! Coder's Cookbook • View topic - April 07 - What Really Causes a Yahoo! Booter to work? | This thread | Refback | 06-09-2008 09:10 AM | |
| YCC • View topic - April 07 - What Really Causes a Yahoo! Booter to work? | This thread | Refback | 05-15-2008 06:19 AM | |
| YahELite Forum -> ymlite | This thread | Refback | 10-04-2006 08:41 AM | |
| Currently Active Users Viewing This Topic: 1 (0 members and 1 guests) | |
| Topic Tools | |
|
|
Similar Topics
|
||||
| Topic | Topic Starter | Forum | Replies | Last Post |
| Yahoo! Messenger “Online Status” Privacy Issue | Chet | Yahoo! Messenger Support | 11 | 05-30-2009 06:22 PM |
| Supermode doesn't work in Yahoo | Festes | Yahoo! Messenger Support | 4 | 05-28-2006 09:14 PM |
| Yahoo! Announces Yahoo! 360 Service | Jeff | Yahoo! Messenger News | 3 | 08-09-2005 12:23 AM |
| AOL and Yahoo! Back Away From Enterprise IM | BigBlueBall News | General / Other IM News | 0 | 06-23-2004 01:00 AM |