#1 (permalink) 09-15-2006, 09:06 AM
cjdelphi (Member)
How Yahoo booters *REALLY* work.

After getting fed up with booters knocking me offline, I finally got the packet sniffers out, flexed my programming skills and decided to go in search of the truth.

Misconceptions

A chat client is more bootable than another one... (yes only if the client is very very badly written)

You need some kind of secret packet to send to boot a person in yahoo.. false.

Truths.

A chat client with a good connection will help prevent most booters, yes, this is correct (with the exception of a couple of Yahoo server exploits..)


If you know nothing about booters and a little about Yahoo, have a look at the article I wrote here:

Ymlite

If not, I'll try and explain that (which is 300 odd lines) into something a bit more technical now...


Yahoo Messenger
Yahoo Chat...

Yahoo Messenger can get into Yahoo Chat, but in reality, it's a separate service...

Yahoo Messenger's server has a Buffer, this buffer is actually 128k not the 512 the first tests indicated in the article above.

Why does a booter work?

When the attacker sends multiple packets to you, what you don't get from the server gets stored in a buffer, in comes a chat packet, the client grabs it, in comes 5 chat packets, you grab the first 3 packets, 2 are left behind on yahoo's server, you then grab the 2 packets and then the buffer is back to empty.

Right, this time the booter sends 1k's worth in 1 packet of PM (instant messaging packets) but instead of sending the 1 packet, the booter builds up 10 pm/im packets

(800 bytes) + 800 + 800
impacket + impacket + impacket

Then you send it to yahoo 10 loops packets of PMs @ 1k each = 80k in 1 load to yahoo then the booter sends it again, 160k.

Now if you can send 128k's worth of data, pm packets, chat packets, anything you like to the other user BEFORE the user can get the data out, yahoo will simply d/c them over 128k why?

Most probably because the server is instructed to d/c idle users or users who are no longer online. What's the point of keeping someone in Yahoo chat if they are not getting the data people are sending them? After 40 minutes of a client sending data Yahoo goes, we've buffered 128k, the user ain't there, kick him...

another theory is that, yahoo messenger would crash if it got anything more than 128k lol

So why do some clients take longer than others to boot them...

The faster the routines, better the coding of the chat client, those few seconds really build up.

Take YahEh a VB written client, to display "Hey there " in YahEh might take 80ms to perform...

the one in Say Y!mlite, typically can do it much faster say around 20 - 30ms

So Y!mLite can process the data, display the packet, get the next packet, it's going to get the packet 50ms faster, ok not much for 1 packet but let's say 100 packets = 5000ms = 5 seconds slower over a period of 100 packets...

This means the client gets less packets from yahoo, and in turn the booter sends more data than you can get (128k) and you get disconnected from the server.

Right, so YahEh might get booted in 30 seconds; Y!mLite, because it can get that extra data from Yahoo fast enough, could last say 40 before it got booted...

But most clients have CPUs good enough now, so the chat client makes very little difference; most of the ability of being boot proof is put on to the bandwidth...

A 56k user can download in theory at 8k/s
but in reality it's about 4 - 5k

So here's a 1mbit connection, 1mbit / 8 = 128k a second upload.
Here's a 56k connection 5k/s download

by the time the booter puts up 128k of data, the 56k user was only able to get 6k, which leaves 122k of data buffered at yahoo...

in less than 2 seconds, the 1mbit connection booter would have taken out a 56k user.

2 56k users trying to boot each other.

1 56k user manages to upload at 6k/s
2 56k user manages to download at 5k/s

The booter will work.

Booter is sending 6k/s 1k more than what the other 56k user can download... in 128 seconds, the booter would be able to fill up the buffer..

2 minutes it would take to boot them....


If you're on a 2mbit connection and someone tries to boot you on a 3mbit connection, you'll be able to send out at 256k/s but the 3mbit user will be able to download 384k and you'll never be able to fill the buffer fast enough to boot them...

But there's one exception to the rule

A yahoo server exploit, send 128 packets at 1k/s and providing the messenger client does not get the data from the buffer, it will be booted in exactly 128 seconds, now this server exploit

Certain Packets (not specifying what for obvious reasons)

Allow you to send the ID of the person you wish to send the packet to, eg, will you come to my conference, in the packet you can put down 10 id's and yahoo will send out 1 packet to each of them 10 users, 1 packet from me, 10 packets out of yahoo....

Well, these booters simply put in 1 person to invite, 10 times, and the packet gets magnified 10 times, so if you're on a 56k, you essentially have the bandwidth of 56k * 10 = 560kbit connection. Loop the data as I pointed out up there, and guess what happens: you get the equiv of a 1/2mb booter from a slow connection, Yahoo sends so much data to the victim so quickly it fills up the buffer (128k) and you get booted from Yahoo Messenger...

What can be done?

Since i'm the one who writes y!mlite, i've done a few tricks to make it faster, for example if you're under attack, you want to get the data out fast, so as a result, y!mlite only processes the header of each packet, and if it's an IM packet / invite, whatever, it simply ignores it and gets the next packet, it will only process Chat Data since it's highly unlikely someone would try to boot you from chat.

As a result, when a client like yahelite spends 40 - 50ms processing the content of ?WERWE?R>$?@#$ it could waste valuable time, in effect y!mlite becomes unlaggable no matter how many bots are booting you..

(P.S. if you have the bandwidth, you could boot a person with 1 ID just sending them lots of PM messages faster than they can get out to fill 128k)

So in this type of boot, y!mlite might survive the d/c simply because it's faster at getting the data while yahelite processed it and got lagged and as a result it gets booted.

Y!mLite has Booter Detection, it talks to tell you it's happening, it measures the data throughput and calculates if it's an attack. Y!mLite's also in the process of getting an anti-booter type routine in, the secret is to use 2 IDs... but it's a new experimental thing and it will quite effectively stop booters...

Y!mlite

P.S. I've become quite an expert in this field, any questions feel free to ask, but if you're an absolute noob I suggest reading the article above, it explains everything in detail and precisely what point you get booted...

Craig C.
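
An added sketch (not Y!mLite's code) of two ideas from the post above: how long a 128k server-side buffer takes to fill when data arrives faster than the client drains it, and a throughput monitor that switches to header-only handling of IM and invite packets during a flood. The packet kinds, the 4 KB/s threshold, the 2 s window and the sample trace are assumptions.

```python
from collections import deque

BUFFER_KB = 128  # per-user server buffer size quoted in the post


def seconds_until_disconnect(inbound_kbs, drain_kbs, buffer_kb=BUFFER_KB):
    """Seconds until the server-side backlog reaches the buffer limit.

    Returns None when the client drains at least as fast as data arrives.
    """
    surplus = inbound_kbs - drain_kbs
    return buffer_kb / surplus if surplus > 0 else None


class FloodTriage:
    """Sliding-window throughput monitor with header-only handling.

    Hypothetical design: threshold, window and packet kinds are assumptions.
    """

    def __init__(self, threshold_kbs=4.0, window_s=2.0):
        self.threshold_kbs = threshold_kbs
        self.window_s = window_s
        self.recent = deque()   # (timestamp, size_kb) of non-chat packets
        self.recent_kb = 0.0
        self.processed = 0
        self.skipped = 0

    def handle(self, ts, kind, size_kb):
        """Account for one packet and return 'processed' or 'skipped'."""
        # Drop entries that have left the measurement window.
        while self.recent and self.recent[0][0] <= ts - self.window_s:
            self.recent_kb -= self.recent.popleft()[1]
        if kind != "chat":
            self.recent.append((ts, size_kb))
            self.recent_kb += size_kb
            # Flood mode: read the header only, never parse the body.
            if self.recent_kb / self.window_s > self.threshold_kbs:
                self.skipped += 1
                return "skipped"
        self.processed += 1
        return "processed"


# Constructed sample trace: (seconds, kind, size in KB).
SAMPLE_TRACE = (
    [(0.0, "chat", 0.2), (0.5, "im", 0.3), (1.0, "chat", 0.2)]
    + [(2.0 + i * 0.05, "im", 1.0) for i in range(20)]  # 20 KB of IMs in 1 s
    + [(3.0, "chat", 0.2), (10.0, "im", 0.3)]
)


def run_trace(trace):
    triage = FloodTriage()
    return [triage.handle(*pkt) for pkt in trace], triage


if __name__ == "__main__":
    print(seconds_until_disconnect(6, 5))   # the two-56k-users case
    results, triage = run_trace(SAMPLE_TRACE)
    print(triage.processed, triage.skipped)
```

Chat packets are always processed, and ordinary IMs are handled normally again once the burst has aged out of the window.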
 

 
#2 (permalink) 09-15-2006, 12:34 PM
Dermot (Here to help!)
This is very off topic.

1. It doesn't change the fact people on Yahoo! Messenger get booted.
2. It's nothing but another sales pitch to use Ymlite, if so it should be in here
3. This thread is for supporting Yahoo! Messenger problems.
4. Most people come to these forums for help not more confusion.


#3 (permalink) 09-15-2006, 01:50 PM
cjdelphi (Member)
Dermot, you're not a yahoo expert, and people like to know what's really going on... Your idea of help is pushing programmable buttons, this is real information based on tried and tested programming...

Oh and since when has booting yahoo messenger not been a problem for yahoo messenger users?

As i pointed out, you can be safe from boots even on messenger if you follow some little steps like disable all pms except from buddies, and turn off as much as you can as well as upgrade your connection.. the information above can be applied to any yahoo client.

Craig C.
#4 (permalink) 09-15-2006, 02:21 PM
Nessa (Hrm.)
Quote:
Originally Posted by cjdelphi
Dermot, you're not a yahoo expert, and people like to know what's really going on... Your idea of help is pushing programmable buttons, this is real information based on tried and tested programming...

No one is "really" ever a Yahoo! expert unless you truly work for Yahoo! and even then, some of the Yahoo! workers probably don't know what the heck they are doing.

And Dermot has proven to know enough about Yahoo! to be part of the Yahoo! staff here, so his words count for something.

Quote:
Originally Posted by cjdelphi
Oh and since when has booting yahoo messenger not been a problem for yahoo messenger users?
Of course booting is a problem in Yahoo! Messenger, or else i'd never hear anyone complain about getting booted!

Quote:
Originally Posted by cjdelphi
As i pointed out, you can be safe from boots even on messenger if you follow some little steps like disable all pms except from buddies, and turn off as much as you can as well as upgrade your connection.. the information above can be applied to any yahoo client.
Trust me, if someone wants to boot you badly enough, they will eventually boot you. It doesn't really matter if you are using a chat client or disable all PM's except friends in messenger. Booters don't all use flooding methods, some just send side packets to kick you off.

Here at BigBlueBall we of course offer suggestions on how to reduce your chances of getting booted, but there is no true way to prevent this because as i stated, and will always state: If someone really wants to boot you (and they know how), they will do it....

As a side note: Let's keep this thread friendly because it seems to be going the wrong way.

#5 (permalink) 09-15-2006, 03:39 PM
cjdelphi (Member)
The article explains how the server side d/cs happen and why

Craig C.
#6 (permalink) 09-15-2006, 05:50 PM
tim2679 (Senior Member)
You forgot to mention the connection protocol (YMSG and Chat2),
which is also a factor. YChat was harder to boot for the simple fact
that it lacked in features compared to YMSG. This is also why YMSG
is easier to boot than Chat2. The more features, the more ways you
can be booted. Yes, there are ways to prevent being booted.
However, as Hatedjealousy said, if someone wants to boot you bad
enough and has the proper knowledge you are going to be booted.

As for a secret packet, how could you say that's false? It may not be
a secret that no one will ever know, but most boot programs do not
use the normal packets that have been made for Yahoo. They have
been modified for the purpose of lagging, disconnecting, C++ Error,
and all of the other ways of booting/annoying the victim.

There is no need to go into the connection speed issue as you have
highlighted that subject pretty well. As for being an expert, I believe
the only true experts are the actual programmers of Yahoo Messenger.
I am sure that you might know a great deal about Yahoo, but I don't
see how you can claim yourself an expert of Yahoo. As for people
wanting to know what's going on: most of the people that I talk to on
Yahoo Messenger do not really care how it works, nor do they want
to know how and why. All they care about is that it works and works
how they would like it to work.

I am not trying to start anything ... just stating my humble opinion.
#7 (permalink) 09-16-2006, 12:08 AM
cjdelphi (Member)
For the ones who read my article properly, they will understand how booters work, if my article was not true the booter i wrote to test my theory does not exist but since it does, i'm going to presume the information given is valid until proven otherwise.

Craig C.
#8 (permalink) 09-16-2006, 12:43 AM
Dermot (Here to help!)
You still don't get why i posted what i did.

This is a Yahoo! Messenger Support Forum

Booting can not be solved on Messenger at this time by you or anybody else but yahoo!

I do not claim to be a Yahoo! expert nor have I ever, but the fact remains people who are not technically minded come here for help on Yahoo! Messenger, not wanting to know the physics of Yahoo! servers and how they get booted, as 70ms to a 30ms execution makes no difference, they will be both booted.

It does not matter whether your theory is right or not, it does not change the fact that you will and can be booted on ymlite or Y! Messenger and stating this to the non computer savvy person does nothing but confuse them.

If you want to promote your client which you're the author of and obviously doing in that post then I suggested posting it in the submit your favourite program thread.

Booting will and always will be an issue for any Yahoo! user no matter their method of connection to Yahoo! servers and the same thing boils down to Yahoo! being the only people who can fix it, not a post about how it happens.

You know as well as I do, Craig, that even disabling these options doesn't actually stop you receiving the packet but just the client having to work to deny them, as even Yahoo ignore isn't serverside as all it does is add that name to a list stored on the server that is there to be received by messenger and added to the ignore list in preferences to just get the client to ignore it again.

This is as useful as going to Africa and telling all the children why they are dying, don't stop it, don't remedy it, just simple logistics.

#9 (permalink) 09-16-2006, 05:00 AM
Torseq Tech. (Senior Member)
Reply to this...

For the server-side "boots" craig is describing what's called an amplification attack. It works by amplifying the traffic load while only having to send a small amount of traffic to make it happen. It's also called the snowball effect. These server-side d/c packets are basically a Yahoo!-specific SMURF attack using Yahoo!'s own protocol to abuse their server's traffic routing rules. I know of a couple ways to stop them from working but there's only a couple tricks you can use to stop one of these attacks if it uses chat invitations or PMs *deliverable in all scenarios regardless of whether you're using Chat 2 or YMSG, cloaked on YMSG or not*. If the packets can be delivered to you it's a potential avenue for flooding to boot you.

Cloaking in YMSG aids in preventing most of these attacks but can't cover all of them. To combat against strong PM bombing even if the PM bomb is using an amplified packet structure to force lots of traffic on you (booters call these "looped" packets) something can be done about it. What you can do is log your ID into YMSG/HTTP and then use a chat client to log that same ID into Chat 2 to join a room. You'll be able to chat regularly on the Chat 2 connection, use voice etc. while all of the chat invites that you receive as well as all of the PMs you'll receive will all be sent to your YMSG/HTTP connection. It's impossible to flood off a user that's signed into YMSG/HTTP even if they're on dial-up due to the nature of how HTTP operates and how the servers deal with the excess traffic that's buffered or built up. The excess is simply discarded while using this protocol. There are other "tricks" you can use but this is the cleanest and would truly make anyone regardless of their connection "unbootable" as far as the flooding goes unless that flood is generated inside the chat room (on the Chat 2 connection). Cookie exploits and other disconnect exploitation methods that don't involve flooding you would still be susceptible to.
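
An added server-side mitigation sketch for the amplification described in this thread, not Yahoo!'s code: each recipient ID counts once per packet however often it is listed, and a per-recipient token bucket bounds what repeated packets can queue. The class name, the rate and burst values, and case-insensitive ID matching are assumptions.

```python
class InviteFanout:
    """Server-side fan-out that cannot be used to multiply traffic.

    Hypothetical model, not Yahoo!'s implementation. Assumes IDs compare
    case-insensitively; rate and burst values are illustrative.
    """

    def __init__(self, rate_kbs=2.0, burst_kb=8.0):
        self.rate_kbs = rate_kbs      # sustained KB/s allowed per recipient
        self.burst_kb = burst_kb      # short burst allowance per recipient
        self.buckets = {}             # recipient -> (tokens_kb, last_seen)

    def _allow(self, recipient, size_kb, now):
        tokens, last = self.buckets.get(recipient, (self.burst_kb, now))
        # Refill for the time elapsed since this recipient was last served.
        tokens = min(self.burst_kb, tokens + (now - last) * self.rate_kbs)
        allowed = size_kb <= tokens
        self.buckets[recipient] = (tokens - size_kb if allowed else tokens, now)
        return allowed

    def deliver(self, recipients, size_kb, now):
        """Return the IDs that receive a copy of one invite packet."""
        # Each ID counts once per packet, however often it is listed.
        unique = dict.fromkeys(r.strip().lower() for r in recipients if r.strip())
        return [r for r in unique if self._allow(r, size_kb, now)]


def copies_delivered(fanout, requests):
    """Total copies sent for a list of (recipients, size_kb, now) requests."""
    return sum(len(fanout.deliver(*req)) for req in requests)


# Constructed input: one ID listed ten times in a single invite.
REPEATED = ["SomeUser"] * 10

if __name__ == "__main__":
    fanout = InviteFanout()
    print(fanout.deliver(REPEATED, 1.0, now=0.0))
    burst = [(REPEATED, 1.0, 0.0)] * 20
    print(copies_delivered(InviteFanout(), burst))
```

With de-duplication the ten-fold multiplier becomes one copy per packet, and the bucket caps how much of a sustained stream is ever queued for a single recipient.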
#10 (permalink) 09-17-2006, 07:54 AM
ned kelly (Junior Member)
Torseq Tech, thank you for that post, it was very informative. When you say to log into YMSG/HTTP do you mean web browser YMSG >>> Yahoo! Chat or normal Yahoo Messenger? I understand all the rest of your post about entering chat with a 3rd party client in Chat2.