Home › Forums › Archives › Instant Messaging › Yahoo! Messenger Support › How Yahoo booters *REALLY* work.
- This topic has 45 replies, 18 voices, and was last updated 15 years, 8 months ago by bulb1234.
-
AuthorPosts
-
September 15, 2006 at 1:06 pm #24954cjdelphiMember
After getting fed up with booters knocking me offline, i finally got the packet sniffers out, flexed my programming skills and decided to go in search of the truth..
Misconceptions
A chat client is more bootable than another one… (yes only if the client is very very badly written)
You need some kind of secret packet to send to boot a person in yahoo.. false.
Truths.
A Chat client with a good connection will help prevent most booters, yes, this is correct (with the exception of a couple of yahoo server explots..)
If you know nothing about booters and a little about yahoo, have a look at the article i wrote here
if not i’ll try and explain that (which is 300 odd lines) into something a bit more technical now…
Yahoo Messenger
Yahoo Chat…Yahoo messenger can get into yahoo chat, but in reality, it’s a seperate service…
Yahoo Messenger’s server has a Buffer, this buffer is actually 128k not the 512 the first tests indicated in the article above.
Why does a booter work?
When the attacker sends multiple packets to you, what you don’t get from the server gets stored in a buffer, in comes a chat packet, the client grabs it, in comes 5 chat packets, you grab the first 3 packets, 2 are left behind on yahoo’s server, you then grab the 2 packets and then the buffer is back to empty.
Right, this time the booter sends 1k’s worth in 1 packet of PM (instant messaging packets) but instead of sending the 1 packet, the booter builds up 10 pm/im packets
(800bytes) + 800 + 800
impacket+impacket+impactThen you send it to yahoo 10 loops packets of PMs @ 1k each = 80k in 1 load to yahoo then the booter sends it again, 160k.
Now if you can send 128k’s worth of data, pm packets, chat packets, anything you like to the other user BEFORE the user can get the data out, yahoo will simply d/c them over 128k why?
Most Probably because the server is instructed to d/c idle users or users
who are no longer online, what’s the point of Keeping someone in yahoo chat if they are not getting the data people are sending them, after 40 minutes of a client sending data yahoo goes, we’ve buffered 128k, the user aint there, kick him…another theory is that, yahoo messenger would crash if it got anything more than 128k lol
So why do some clients take longer than others to boot them…
The faster the routines, better the coding of the chat client, those few seconds really build up.
Take YahEh a VB written client, to display “Hey there :)” in YahEh might take 80ms to perform…
the one in Say Y!mlite, typically can do it much faster say around 20 – 30ms
So Y!mLite can process the data, display the packet, get the next packet, it’s going to get the packet 50ms faster, ok not much for 1 packet but let’s say 100 packets = 5000ms = 5 seconds slower over a period of 100 packets…
This means the client gets less packets from yahoo, and in turn the booter sends more data than you can get (128k) and you get disconnected from the server.
Right so Yaheh might bet booted in 30 seconds, y!mlite because it can get that extra data from yahoo fast enough, it could last say 40 before it got booted…
but, most clients have CPU’s good enough now so the chat client makes very little difference, most of the ability of being boot proof is put on to the bandwith…
56k User can download in theory at 8ks
but in reality it’s about 4 – 5kSo here’s a 1mbit connection, 1mbit / 8 = 128k a second upload.
Here’s a 56k connection 5k/s downloadby the time the booter puts up 128k of data, the 56k user was only able to get 6k, which leaves 122k of data buffered at yahoo…
in less than 2 seconds, the 1mbit connection booter would have taken out a 56k user.
2 56k users trying to boot each other.
1 56k user manages to upload at 6k/s
2 56k user manages to download at 5k/sThe booter will work.
Booter is sending 6k/s 1k more than what the other 56k user can download… in 128 seconds, the booter would be able to fill up the buffer..
2 minutes it would take to boot them….
if you’re on a 2mbit connection and someone tries to boot you on a 3mbit connection, you’ll be able to send out at 256k/ but the 3mbit user will be able to download 384k and you’ll never be able to fill the buffer fast enough to boot them…
But there’s one exception to the rule
A yahoo server exploit, send 128 packets at 1k/s and providing the messenger client does not get the data from the buffer, it will be booted in exactly 128 seconds, now this server exploit
Certain Packets (not specifying what for obvious reasons)
Allow you to send the ID of the person you wish to send the packet to, eg, will you come to my conference, in the packet you can put down 10 id’s and yahoo will send out 1 packet to each of them 10 users, 1 packet from me, 10 packets out of yahoo….
Well these booters simply put in 1 person to invite, 10 times, and the packet gets magnified 10 times, so if you’re on a 56k, you essentially have the bandwith of 56k * 10 = 560kbit connection, loop the data as i pointed out up there, and guess what happens, you get the equiv of a 1/2mb booter from a slow connection, yahoo sends so much data to the victim so quickly it fills up the buffer (128k) and you get booted from yahoo messenger…
What can be done?
Since i’m the one who writes y!mlite, i’ve done a few tricks to make it faster, for example if you’re under attack, you want to get the data out fast, so as a result, y!mlite only processes the header of each packet, and if it’s an IM packet / invite, whatever, it simply ignores it and gets the next packet, it will only process Chat Data since it’s highly unlikely someone would try to boot you from chat.
As a result, when a client like yahelite spends 40 – 50ms processing the content of ?WERWE?R>$?@#$ it could waste valuable time, in effect y!mlite becomes unlaggable no matter how many bots are booting you..
(P.S if you have the bandwith, you could boot a person with 1 ID just sending them lots of pm messages faster than they can get out to fill 128k)
So in this type of boot, y!mlite might survive the d/c simply because it’s faster at getting the data while yahelite processed it and got lagged and as a result it gets booted.
Y!mLite has Booter Detection, it talks to tell you it’s happening, it measures the data throughput and calculates if it’s an attack, Y!mLite’s also in the proccess of getting an anti booter type routine in, the secret is to use 2 id’s… but it’s a new experimenental thing and it will quite effectively stop booters…
p.s i’ve become quite an expert in this field, any questions feel free to ask, but if you’re an absolute noob i suggest reading the article above, it explains everything in detail and precisly what point you get booted…
September 15, 2006 at 4:34 pm #152331DermotParticipantThis is very off topic.
1. It doesnt change the fact people on Yahoo! Messenger get booted.
2. It’s nothing but another sales pitch to use Ymlite, if so it should be in here
3. This thread is for supporting Yahoo! Messenger problems.
4. Most people come to these forums for help not more confusion.🙂
September 15, 2006 at 5:50 pm #152327cjdelphiMemberDermot, you’re not a yahoo expert, and people like to know what’s really going on… Your idea of help is pushing programmable buttons, this is real information based on tried and tested programming…
Oh and since when has booting yahoo messenger not been a problem for yahoo messenger users?
As i pointed out, you can be safe from boots even on messenger if you follow some little steps like disable all pms except from buddies, and turn off as much as you can as well as upgrade your connection.. the information above can be applied to any yahoo client.
September 15, 2006 at 6:21 pm #152336NessaParticipantcjdelphi;207257 wrote:Dermot, you’re not a yahoo expert, and people like to know what’s really going on… Your idea of help is pushing programmable buttons, this is real information based on tried and tested programming…No one is “really” ever a Yahoo! expert unless you truly work for Yahoo! and even then, some of the Yahoo! workers probably don’t know what they heck they are doing. 😉
And Dermot has proven to know enough about Yahoo! to be part of the Yahoo! staff here, so his words count for something. 🙂
cjdelphi;207257 wrote:Oh and since when has booting yahoo messenger not been a problem for yahoo messenger users?Of course booting is a problem in Yahoo! Messenger, or else i’d never hear anyone complain about getting booted!
cjdelphi;207257 wrote:As i pointed out, you can be safe from boots even on messenger if you follow some little steps like disable all pms except from buddies, and turn off as much as you can as well as upgrade your connection.. the information above can be applied to any yahoo client.Trust me, if someone wants to boot you badly enough, they will eventually boot you. It doesn’t really matter if you are using a chat client or disable all PM’s except friends in messenger. Booters don’t all use flooding methods, some just send side packets to kick you off.
Here at BigBlueBall we of course offer suggestions on how to reduce your chances of getting booted, but there is no true way to prevent this because as i stated, and will always state: If someone really wants to boot you (and they know how), they will do it….
As a side note: Lets keep this thread friendly because it seems to be going the wrong way.
September 15, 2006 at 7:39 pm #152328cjdelphiMemberThe article explains how the server side d/cs happen and why
September 15, 2006 at 9:50 pm #152352tim2679MemberYou forgot to mention the connection protocol. ( YMSG and Chat2 )
Which is also a factor. YChat was harder to boot for the simple fact
that it lacked in features compared to YMSG. This is also why YMSG
is easier to boot then Chat2. The more features the more ways you
can be booted. Yes there are ways to provent from being booted.
However as Hatedjealousy said, if someone wants to boot you bad
enough and has the proper knowledge you are goning to be booted.As for a secret packet how could you say thats false ? It may not be
a secret that no one will ever know but most boot programs do not
use the normal packets that have been made for Yahoo. They have
been modified for the purpose of lagging, disconnecting, C++ Error,
and all of the other ways of booting/annoying the victim.There is no need to go into the connection speed issue as you has
highlighted that subject pretty well. As for being an expert, I believe
the only true experts are the actual programmers of Yahoo Messenger.
I am sure that you might know a great deal about Yahoo, but I don’t
see how you can claim yourself an expert of Yahoo. As for people
wanting to know whats going on. Most of the people that I talk to on
Yahoo Messenger does not really care how it works, nor do they want
to know how and why. All they care about is that is works and works
how they would like it to work.I am not trying to start anything … just stating my humble opinion.
September 16, 2006 at 4:08 am #152326cjdelphiMemberFor the ones who read my article properly, they will understand how booters work, if my article was not true the booter i wrote to test my theory does not exist but since it does, i’m going to presume the information given is valid until proven otherwise.
September 16, 2006 at 4:43 am #152330DermotParticipantYou still don’t get why i posted what i did.
This is a Yahoo! Messenger Support Forum
Booting can not be solved on Messenger at this time by you or anybody else but yahoo!
I do not claim to be a yahoo! expert nor have i ever, but the fact remains people who are not technicially minded come here for help on Yahoo! Messenger not wanting to know the psychics of yahoo! servers and how they get booted as 70ms to a 30ms execution makes no difference, they will be both booted.
It does not matter whether your theory is right or not, it does not change the fact that you will and can be booted on ymlite or y! messenger and stating this to the non computer savvy person does nothing but confuse them.
If you want to promote your client which you’re the author of and obviously doing in that post then i suggested posting it the submit your favourite program thread.
Booting will and always will be a issue for any Yahoo! user no matter their method of connection to yahoo! servers and the same thing boils down to yahoo! being the only people who can fix it, not a post about how it happens.
You know as well as i do craig that even disabling these options don’t actually stop you recieving the packet but just the client having to work to deny them as even yahoo ignore isn’t serverside as all it does is add that name to a list stored on the server that is there to be recieved by messenger and added to the ignore list in preferences to just get the client to ignore it again.
This is as useful as going to a africa and telling all the children why they are dying, don’t stop it, don’t remedy it, just simple logistics.
September 16, 2006 at 9:00 am #152342Torseq Tech.MemberFor the server-side “boots” craig is describing what’s called an amplification attack. It works by amplifying the traffic load while only having to send a small amount of traffic to make it happen. It’s also called the snowball effect. These server-side d/c packets are basically a Yahoo!-specific SMURF attack using Yahoo!’s own protocol to abuse their server’s traffic routing rules. I know of a couple ways to stop them from working but there’s only a couple tricks you can use to stop one of these attacks if it uses chat invitations or PMs *deliverable in all scenarios regardless of whether you’re using Chat 2 or YMSG, cloaked on YMSG or not*. If the packets can be delivered to you it’s a potential avenue for flooding to boot you.
Cloaking in YMSG aids in preventing most of these attacks but can’t cover all of them. To combat against strong PM bombing even if the PM bomb is using an amplified packet structure to force lots of traffic on you (booters call these “looped” packets) something can be done about it. What you can do is log your ID into YMSG/HTTP and then use a chat client to log that same ID into Chat 2 to join a room. You’ll be able to chat regularly on the Chat 2 connection, use voice etc. while all of the chat invites that you receive as well as all of the PMs you’ll receive will all be sent to your YMSG/HTTP connection. It’s impossible to flood off a user that’s signed into YMSG/HTTP even if they’re on dial-up due to the nature of how HTTP operates and how the servers deal with the excess traffic that’s buffered or built up. The excess is simply discarded while using this protocol. There are other “tricks” you can use but this is the cleanest and would truly make anyone regardless of their connection “unbootable” as far as the flooding goes unless that flood is generated inside the chat room (on the Chat 2 connection). Cookie exploits and other disconnect exploitation methods that don’t involve flooding you would still be susceptible to.
September 17, 2006 at 11:54 am #152349ned kellyMemberTorseq Tech, thank you for that post it was very informitive. When you say to log into YMSG/HTPP do you mean web browser YMSG >>> Yahoo! Chat or normal yahoo messenger. I understand all the rest of your post about entering chat with 3rd party client in chat2.. 🙂
September 17, 2006 at 5:12 pm #152351tim2679MemberHe means you set the Connection settings for Yahoo Messenger to Firewall with no Proxies.
September 17, 2006 at 10:08 pm #152343Torseq Tech.MemberWhat Tim said, ned, is correct. It’s called YMSG/HTTP because it’s actually YMSG protocol over HTTP protocol (YMSG packets encapsulated inside of HTTP). I probably should have specified by naming the actual option in Messenger to use. In this case if you open Messenger and then go to preferences, then Connection and choose the radio/option button called “Firewall with no proxies” apply then ok you’ll sign into the network with YMSG/HTTP. It’s also important to mention that you should go to Messenger’s preferences and then to the “Ignore List” section and apply the “Ignore anyone who is not on my Messenger List” so if you are being PM bombed or other the packets will be ignored locally. The only thing that can bother you in this case would be add buddy requests but those won’t be all over your screen if you’re attacked but instead isolated (overlapping one another) since the “Ignore anyone who is not on my Messenger List” option doesn’t stop you from seeing those.
After you do this do not enter chat just leave it in “pager mode” signed into Messenger. After this is done the same ID you used to sign into YMSG/HTTP with use that ID to sign into Chat 2 protocol on either the browser DHTML chat (which uses Chat 2) or a separate 3rd party client. You could leave the YMSG/HTTP messenger session minimized but still active and just focus on your Chat 2 session inside the 3rd party client or DHTML browser page (whichever means you go about when using Chat 2).
This works because YMSG protocol (including YMSG/HTTP) has priority/precedence over Chat 2 protocol and it overrides all of the packet types that you can receive such as chat invites and PMs. There’s a way to toggle this back and forth from the YMSG connection not getting priority and the chat 2 connection receiving the PMs and chat invites but then this will make your chat 2 connection “bootable” by means of flooding (back to square one). What could be done is to toggle it on when you’re not under attack *so you can receive your PMs and chat invites on the Chat 2 connection normally* and when you are under attack shift the priority back to YMSG/HTTP receiving that traffic so your Chat 2 (room) connection is unaffected. Let me know if you’re wanting to know how to change that up and I can share that information.
September 17, 2006 at 10:40 pm #152350ned kellyMemberThankyou, now i understand 🙂
September 20, 2006 at 6:38 am #152356SodaMemberTorseq Tech.;207298 wrote:For the server-side “boots” craig is describing what’s called an amplification attack. It works by amplifying the traffic load while only having to send a small amount of traffic to make it happen. It’s also called the snowball effect. These server-side d/c packets are basically a Yahoo!-specific SMURF attack using Yahoo!’s own protocol to abuse their server’s traffic routing rules. I know of a couple ways to stop them from working but there’s only a couple tricks you can use to stop one of these attacks if it uses chat invitations or PMs *deliverable in all scenarios regardless of whether you’re using Chat 2 or YMSG, cloaked on YMSG or not*. If the packets can be delivered to you it’s a potential avenue for flooding to boot you.Cloaking in YMSG aids in preventing most of these attacks but can’t cover all of them. To combat against strong PM bombing even if the PM bomb is using an amplified packet structure to force lots of traffic on you (booters call these “looped” packets) something can be done about it. What you can do is log your ID into YMSG/HTTP and then use a chat client to log that same ID into Chat 2 to join a room. You’ll be able to chat regularly on the Chat 2 connection, use voice etc. while all of the chat invites that you receive as well as all of the PMs you’ll receive will all be sent to your YMSG/HTTP connection. It’s impossible to flood off a user that’s signed into YMSG/HTTP even if they’re on dial-up due to the nature of how HTTP operates and how the servers deal with the excess traffic that’s buffered or built up. The excess is simply discarded while using this protocol. There are other “tricks” you can use but this is the cleanest and would truly make anyone regardless of their connection “unbootable” as far as the flooding goes unless that flood is generated inside the chat room (on the Chat 2 connection). Cookie exploits and other disconnect exploitation methods that don’t involve flooding you would still be susceptible to.
Your 100% right on this subject how you finding out i have no clue i been using this method going on 5 months now i made a program called CGuard that does all that for you.And only reason this does work cuz 99% of the time YMSG HTTP doesn’t get the packets it just floating on yahoo so call lose air.but yes and as you taken cerdit for the YMSG D.C why would a newblet like you go around and take cerdit for someone else ****? just a subjection not go around and take or release other idea such as this post ty not to mean any harm just think it lame
Here the download for it so stop taken cerdit newblet (download at bottom of this post)
cjdelphi;207245 wrote:After getting fed up with booters knocking me offline, i finally got the packet sniffers out, flexed my programming skills and decided to go in search of the truth..Misconceptions
A chat client is more bootable than another one… (yes only if the client is very very badly written)
You need some kind of secret packet to send to boot a person in yahoo.. false.
Truths.
A Chat client with a good connection will help prevent most booters, yes, this is correct (with the exception of a couple of yahoo server explots..)
If you know nothing about booters and a little about yahoo, have a look at the article i wrote here
if not i’ll try and explain that (which is 300 odd lines) into something a bit more technical now…
Yahoo Messenger
Yahoo Chat…Yahoo messenger can get into yahoo chat, but in reality, it’s a seperate service…
Yahoo Messenger’s server has a Buffer, this buffer is actually 128k not the 512 the first tests indicated in the article above.
Why does a booter work?
When the attacker sends multiple packets to you, what you don’t get from the server gets stored in a buffer, in comes a chat packet, the client grabs it, in comes 5 chat packets, you grab the first 3 packets, 2 are left behind on yahoo’s server, you then grab the 2 packets and then the buffer is back to empty.
Right, this time the booter sends 1k’s worth in 1 packet of PM (instant messaging packets) but instead of sending the 1 packet, the booter builds up 10 pm/im packets
(800bytes) + 800 + 800
impacket+impacket+impactThen you send it to yahoo 10 loops packets of PMs @ 1k each = 80k in 1 load to yahoo then the booter sends it again, 160k.
Now if you can send 128k’s worth of data, pm packets, chat packets, anything you like to the other user BEFORE the user can get the data out, yahoo will simply d/c them over 128k why?
Most Probably because the server is instructed to d/c idle users or users
who are no longer online, what’s the point of Keeping someone in yahoo chat if they are not getting the data people are sending them, after 40 minutes of a client sending data yahoo goes, we’ve buffered 128k, the user aint there, kick him…another theory is that, yahoo messenger would crash if it got anything more than 128k lol
So why do some clients take longer than others to boot them…
The faster the routines, better the coding of the chat client, those few seconds really build up.
Take YahEh a VB written client, to display “Hey there :)” in YahEh might take 80ms to perform…
the one in Say Y!mlite, typically can do it much faster say around 20 – 30ms
So Y!mLite can process the data, display the packet, get the next packet, it’s going to get the packet 50ms faster, ok not much for 1 packet but let’s say 100 packets = 5000ms = 5 seconds slower over a period of 100 packets…
This means the client gets less packets from yahoo, and in turn the booter sends more data than you can get (128k) and you get disconnected from the server.
Right so Yaheh might bet booted in 30 seconds, y!mlite because it can get that extra data from yahoo fast enough, it could last say 40 before it got booted…
but, most clients have CPU’s good enough now so the chat client makes very little difference, most of the ability of being boot proof is put on to the bandwith…
56k User can download in theory at 8ks
but in reality it’s about 4 – 5kSo here’s a 1mbit connection, 1mbit / 8 = 128k a second upload.
Here’s a 56k connection 5k/s downloadby the time the booter puts up 128k of data, the 56k user was only able to get 6k, which leaves 122k of data buffered at yahoo…
in less than 2 seconds, the 1mbit connection booter would have taken out a 56k user.
2 56k users trying to boot each other.
1 56k user manages to upload at 6k/s
2 56k user manages to download at 5k/sThe booter will work.
Booter is sending 6k/s 1k more than what the other 56k user can download… in 128 seconds, the booter would be able to fill up the buffer..
2 minutes it would take to boot them….
if you’re on a 2mbit connection and someone tries to boot you on a 3mbit connection, you’ll be able to send out at 256k/ but the 3mbit user will be able to download 384k and you’ll never be able to fill the buffer fast enough to boot them…
But there’s one exception to the rule
A yahoo server exploit, send 128 packets at 1k/s and providing the messenger client does not get the data from the buffer, it will be booted in exactly 128 seconds, now this server exploit
Certain Packets (not specifying what for obvious reasons)
Allow you to send the ID of the person you wish to send the packet to, eg, will you come to my conference, in the packet you can put down 10 id’s and yahoo will send out 1 packet to each of them 10 users, 1 packet from me, 10 packets out of yahoo….
Well these booters simply put in 1 person to invite, 10 times, and the packet gets magnified 10 times, so if you’re on a 56k, you essentially have the bandwith of 56k * 10 = 560kbit connection, loop the data as i pointed out up there, and guess what happens, you get the equiv of a 1/2mb booter from a slow connection, yahoo sends so much data to the victim so quickly it fills up the buffer (128k) and you get booted from yahoo messenger…
What can be done?
Since i’m the one who writes y!mlite, i’ve done a few tricks to make it faster, for example if you’re under attack, you want to get the data out fast, so as a result, y!mlite only processes the header of each packet, and if it’s an IM packet / invite, whatever, it simply ignores it and gets the next packet, it will only process Chat Data since it’s highly unlikely someone would try to boot you from chat.
As a result, when a client like yahelite spends 40 – 50ms processing the content of ?WERWE?R>$?@#$ it could waste valuable time, in effect y!mlite becomes unlaggable no matter how many bots are booting you..
(P.S if you have the bandwith, you could boot a person with 1 ID just sending them lots of pm messages faster than they can get out to fill 128k)
So in this type of boot, y!mlite might survive the d/c simply because it’s faster at getting the data while yahelite processed it and got lagged and as a result it gets booted.
Y!mLite has Booter Detection, it talks to tell you it’s happening, it measures the data throughput and calculates if it’s an attack, Y!mLite’s also in the proccess of getting an anti booter type routine in, the secret is to use 2 id’s… but it’s a new experimenental thing and it will quite effectively stop booters…
p.s i’ve become quite an expert in this field, any questions feel free to ask, but if you’re an absolute noob i suggest reading the article above, it explains everything in detail and precisly what point you get booted…
lmao dude you have no clue has a booter really works do you? OKay here i’ll explain in wannabe tearms okay you take your bandwith and take someone else bandwith if they have a higher bandwith then the user there trying to send.it’s using yahoo protocol to boot that person witch this means BUFFER OVER FLOW okay good you with me now? good now to stop this there isn’t a way to stop this, but one call your isp and have them to upgrade your cheapass ty Soda has said enough now
September 20, 2006 at 9:16 am #152353tim2679MemberSoda, where exactly in Torseq Tech post does he take credit for someone else’s work ?
If you would actually read what he posted you will see he only gave information
on how to try and prevent from being booted. No where does he state he came
up with the methods that he posted. I am not being mean just hate seeing someone
being blamed for something to did not do. -
AuthorPosts
- The topic ‘How Yahoo booters *REALLY* work.’ is closed to new replies.