WIP: Chasing sock puppets in a world of sparse data
In my spare time, I administer a Minecraft server. My focus is on technologies that help legitimate players have a great experience, and that give players who would violate our rules a short, non-compelling experience followed by a ban.
This sounds simple, but is extraordinarily difficult.
As a platform, Minecraft is incredibly pliable. This is good news for modders, plugin developers, and other people who would like to modify the game experience. We make use of this in our own server (“we” meaning myself and my fellow admin) by running a custom set of plugins. These game modifications give players the ability to defend their possessions and structures from other players, and enforce their own notion of law and order in game.
This pliability also makes it difficult to ensure a level playing field for all players, and nearly impossible to detect or prevent all uses of exploits, as the server tends to trust the client. While trusting the client is a great model if everyone uses an unmodified client, it fails in practice as the Minecraft client is also easy to modify. As a consequence, we do a lot of extra tracking and analysis to police the fringe of our player-base who simply can’t resist stretching or breaking our rules governing play.
The Frightful Four
There are four major problems that most Minecraft server administrators will face.
Duplication. The Minecraft server trusts its connected clients, and appears to lack rigorous consistency checking code, the absence of which allows clever players to duplicate items. Other duplication bugs arise not from Minecraft itself, but from the use of custom plugins that create the infrastructure for desired play. Race conditions, timing bugs, and missing or incomplete check code allow clever players to discover and exploit small or large scale duplication to become “rich” beyond measure. This will, of course, entirely destroy any server economy, and must be carefully monitored. Remember Civcraft 2.0?
X-ray. Minecraft’s data transmission model enables X-ray and worse. World data is sent to clients in whole and complete chunks. Every block in that chunk is sent; any updates (active redstone, etc) are sent, and all of this is sent without regard to line of sight or other visibility checks. If line of sight visibility is important in disguising secret bases, chest caches, and the like, Minecraft makes the server admin’s life very difficult by giving the client all the data and trusting the client not to exploit it.
Combat Hacks. Player vs. player (PvP) activity is a large component of all but a fringe of Minecraft servers. It’s a big part of our server, too; however, playing fair (e.g. not using combat hacks to gain an edge) is an increasingly rare position. The meta-war between those who would use combat hacks to outperform their rivals vs. the server operators who would prevent their use rages ever wild. Many large servers have increasingly complex, and in many cases artificially intelligent, systems in place to detect and remove players leveraging “hacks”.
Sock Puppets. More commonly called “Multi-accounting”, some servers allow this without reservation. Others, like ours, restrict players to using a single account. Our purpose is civilization; actions need consequence and using sock puppet accounts would allow players to avoid consequence. This devalues the experience for all players. As such, in our unique circumstances, we do not allow it.
This is just a top four from my experience — where I’ve spent the most time, administratively. There are many, many more exploits, and many more persistent issues, but these — these are the ones that don’t go away and are renewed with every new update.
My focus for this article is the last issue — Multi-accounting — and how to defend against it. This is not a trivial task; sock puppets are extremely accessible, easy and cheap for individuals to use, and difficult or costly for admins to detect and prevent. My experiences and tooling are imperfect, but in recording my thoughts here I hope to help you — as admins or prospective admins — gain renewed insight into the problem and how it can be addressed.
Lines of Defense
For a blacklist server, the first line of defense against sock puppets is an orchestration plugin that will prevent multiple accounts from using the same connection without permission. Many of these are available, and come in all shapes and sizes to fit your needs. Regardless of which plugin you choose, the majority of your player population will be unaware until multiple players from the same household attempt to join.
The second line concerns VPN and VPS use. The very first thing players seeking to bypass a ban or in-game pursuit will do is boot up a VPN or connect to a proxy (either public or, for better performance, a cheap VPS). Now the problem has gone from finding shared connections to finding the same player against a backdrop of 2^32 potential connection sources. The good news is that the same process your players need to follow to find a service to use helps you restrict where possible sock puppets could be connecting from. It is an ongoing battle, and regardless of your tooling won’t be won overnight. In my opinion this is where public or free plugin options are most lacking, and I created my own plugin — BanStick — to empower this line of defense.
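The first two lines of defense, sketched as an added example; this is not BanStick's code or that of any other plugin. The class and method names, the account names and the exemption lists are hypothetical, and the address ranges are documentation ranges standing in for a real provider list.

```python
import ipaddress

class LoginGate:
    """Layer 1: one account per address. Layer 2: no hosting/VPN ranges."""

    def __init__(self, hosting_ranges, shared_ok=(), proxy_ok=()):
        self.hosting = [ipaddress.ip_network(r) for r in hosting_ranges]
        self.shared_ok = set(shared_ok)  # accounts granted connection sharing
        self.proxy_ok = set(proxy_ok)    # accounts granted VPN/VPS use
        self.seen = {}                   # address -> accounts admitted from it

    def check(self, account, ip):
        addr = ipaddress.ip_address(ip)
        # Layer 2 first: a hosting range says nothing about who is behind it,
        # so only explicitly exempted accounts may connect from one.
        if account not in self.proxy_ok and any(addr in n for n in self.hosting):
            return "deny: hosting/VPN range"
        # Layer 1: other accounts already admitted from this exact address.
        others = self.seen.setdefault(addr, set()) - {account}
        exempt = account in self.shared_ok and others <= self.shared_ok
        if others and not exempt:
            return "deny: shares address with " + ", ".join(sorted(others))
        self.seen[addr].add(account)
        return "allow"

def replay(gate, logins):
    """Run (account, ip) login attempts through the gate in order."""
    return [(acct, gate.check(acct, ip)) for acct, ip in logins]

# Constructed data: made-up account names, RFC 5737 documentation addresses.
GATE = LoginGate(["203.0.113.0/24"], shared_ok={"sib_a", "sib_b"},
                 proxy_ok={"traveller"})
LOGINS = [
    ("alice", "198.51.100.7"), ("alice_alt", "198.51.100.7"),
    ("sib_a", "192.0.2.10"), ("sib_b", "192.0.2.10"),
    ("newbie", "203.0.113.50"), ("traveller", "203.0.113.50"),
]

if __name__ == "__main__":
    print(replay(GATE, LOGINS))
```

Both exemption sets bypass a check entirely, so every entry in them deserves a record of who granted it and why.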
The final line of defense is in-game analysis, behavior tracking, and activity analysis. At its most complex, this can involve hardcore data science, artificial intelligence discriminators, and more. This has a complexity similar to the Combat Hacks; unlike combat hacks, I have more to offer here.
Regardless, it is a complex problem. My understanding of the problem, and the steps I’m taking to identify and address it, are manifold. All paths to a solution must start at the beginning, with an understanding of the reasons players use sock puppets.
Motivations, or, the Root of the Problem
Why do players multi-account? Why use a sock puppet to disguise identity? Is the player trying to live two very different virtual lives, run bots, play a con or skip out on “criminal” behavior, or avoid adhering to server rules?
I’ve known players who had largely unique personalities spread across multiple accounts on the same server, in order to experience more fully the breadth of community content the server had to offer. In many ways, this is the single most legitimate use of sock puppets — a player has lots of time to spare, and wants to experience more fully otherwise relatively low-content communities; by aggregating their experiences across many communities they can find a more fulfilling experience. It’s also the rarest motivation I’ve encountered.
More often the motivation is to play a con — the player wants to be a bad boy criminal but doesn’t want their misdeeds to reflect on their more public personality (their “main” account). Although a form of the first motivation, this is uniquely subversive as there is no intent to “play legitimate” — e.g. face the consequences of your devilish deeds — on their sock puppet accounts; the desire is simply action without consequence and without connection to their main account. This is also the main reason we don’t allow multi-account on my server: Minecraft as a game platform already largely eliminates meaningful consequence and allowing multi-accounting means consequences are reserved for those unwilling or unable to run alternate accounts. That’s overwhelmingly unfair to a large portion of the player-base, and creates many situations of uneven play. It helps exacerbate the divide between those able to invest many hours online and those who cannot, those who have extra “real” financial resources and those that do not, and undermines player communities who are attempting to “Nation Build” by devaluing their ability to pursue those who violate their criminal statutes.
“Who are you, really” becomes the norm, instead of being able to treat each account as a unique real person. The discourse focuses on figuring out the con, not on pursuing the con artist. It introduces an overpowering meta to the game in a way that players cannot fully handle, and that is why it is best held as an admin concern. Although we’re also often under-equipped, the admin tool box is server wide. With some care and attention, we have the ability to more concretely link players with their sock puppets, which is something players can only do with extreme effort and high false positives (unless the con artist is particularly bad).
Avoiding consequences aside, a more concerning (administratively) imbalance is formed when players use sock puppets to bypass bans that have resulted from violating server rules. In this case, either as punishment or to protect other players, certain people are given short or long “time-outs”, in the hopes that it will give time to establish perspective, maturity, or changes in behavior. The rules are there to protect all players; breaking the rules devalues play for everyone else, and the only real recourse for an admin is to ban the offenders.
However, the offenders in many cases have no intention to wait out the ban. Instead, they employ a sock puppet to either continue their prior behavior, start a con, or “play legitimate” for a time. Using VPNs, VPSs, Proxies, mobile hotspots, public or neighbor wifi, or IP address reassignment (depending on their ISP), these folks will join on new accounts, bypassing the layer 1 and 2 protections already described. Depending on the quality of your second layer, many of these attempts will be stopped before they begin. Still, it’s a very large collection of providers to evaluate, and a lot of churn makes it difficult to keep current. Social engineering can also work against you; some people have a legitimate reason to use a VPN or VPS and admins will often grant the request to use one if made in earnest. This can be leveraged against admins to let sock puppets slip through the cracks. The same can occur for legitimate connection sharing requests.
Given these complexities and more I haven’t discussed, how can we determine instances of sock puppet vs. legitimate player?
Finding Patterns in Sparse Data
Connection data is sparse. In-game activity data is rich and complex, but sparse against the backdrop of narrow session time. On any given day they connect, players spend between 30 and 45 minutes in total on my server. Some spend more — much more. There is a correlation between people who invest a lot of time in the server and those who tend to play a con, avoid consequences, and those avoiding rule breaking. However, their sock puppets are often very sparse in comparison, in many cases representing a small handful of connections or under an hour of online activity.
Many of the best connections surround actual activity: chests used, locations visited, times online. These imprints are the most unique, and they become difficult to sort only if players are significantly invested into making the sock puppet unique. Taken to an extreme, the sock puppet can become a stand-alone, consequential in-game actor and the line between sock puppet and new unique legitimate account becomes thin. In the absolute sense they are still multi-accounting; however, detection can approach true impossibility.
What follows are some sketches for myself and for discussion concerning how best to identify connections using this sparse data.
Session Time “Profiling”. Each player has a very recognizable profile created by their life circumstances, and it’s highly likely to repeat week to week; this is especially true as humans are creatures of habit and schedule, and our behaviors both off and online conform to this expectation in the general case. Using a tool like CivSpy to track online sessions can give great insight into the two biggest indicators of sock puppet use: precise overlap (high correlation) and precise inversion (no correlation). Consider this technique to be useful but don’t depend on it in exclusion.
Group analysis. Players rarely snitch on their friends, even when those friends are breaking server rules. Association bans can help motivate snitching — better to see the one friend banned than the whole group — but it only helps so much. What can help is analyzing who this player interacts with; look not only at who they interact with during active playtime, but look at who leaves them goods and equips them even if they are offline.
Enemy analysis. Just like looking at their friends can often be telling, look at their enemies. Look for degrees of overlap between enemy groups; often immediate pursuit against a group can be very telling.
Sudden appearance during times of conflict. “War” in the virtual world is when rule breaking comes to a fore as any advantage can be the difference between victory and defeat. Look for a sudden influx of new or lightly aged accounts on either side of active conflicts.
Speech habits. People have a unique way of speaking, and often a unique way of approaching both known and unknown players. Keep an eye out for similar speech habits.
Behavior. Some players when using a sock-puppet, especially to ban evade, will immediately resume whatever activity they were doing prior to the ban, or will return to it shortly after. They will often immediately raid, although that by itself is a poor indicator of multi-accounting. A more holistic perspective is necessary.
Exploit or near exploit triggers. I’ve identified “multi-accounters” by the nature of their exploit use as flagged by NoCheat; it’s rarely a good indicator on its own but can be a very good discriminator in some cases.
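The two session-time indicators described above (precise overlap and precise inversion), sketched as an added example that is not code from CivSpy or any other plugin named here. It assumes each account's sessions are available as (login, logout) pairs that do not overlap within one account; scoring inversion as zero concurrency plus logout-to-login handoffs, both thresholds, and every name are assumptions.

```python
from datetime import datetime, timedelta
from itertools import combinations

def minutes(sessions):
    return sum((end - start).total_seconds() for start, end in sessions) / 60

def concurrent_minutes(a, b):
    """Minutes during which both accounts were online at the same time."""
    return sum(max((min(a1, b1) - max(a0, b0)).total_seconds(), 0)
               for a0, a1 in a for b0, b1 in b) / 60

def handoffs(a, b, gap=timedelta(minutes=5)):
    """Logouts of one account followed within `gap` by a login of the other."""
    count = 0
    for first, second in ((a, b), (b, a)):
        for _, logout in first:
            if any(timedelta(0) <= login - logout <= gap for login, _ in second):
                count += 1
    return count

def compare(a, b, overlap_min=0.9, handoff_min=0.5):
    """Label a pair of session lists; both thresholds are assumptions."""
    shorter = min(minutes(a), minutes(b))
    ratio = concurrent_minutes(a, b) / shorter if shorter else 0.0
    if ratio >= overlap_min:
        return "overlap"      # the sparser account is never online alone
    swaps = handoffs(a, b) / min(len(a), len(b)) if a and b else 0.0
    if ratio == 0 and swaps >= handoff_min:
        return "inversion"    # never together, one arrives as the other leaves
    return "unremarkable"

def flag_pairs(by_account):
    """Return {(acct1, acct2): label} for every pair worth a closer look."""
    labels = {(x, y): compare(by_account[x], by_account[y])
              for x, y in combinations(sorted(by_account), 2)}
    return {p: label for p, label in labels.items() if label != "unremarkable"}

def sess(day, hour, minute, length):
    start = datetime(2024, 1, day, hour, minute)
    return (start, start + timedelta(minutes=length))

# Constructed sample: made-up accounts, (login, logout) pairs over three days.
SAMPLE = {
    "main":   [sess(1, 19, 0, 40), sess(2, 19, 5, 35), sess(3, 18, 50, 45)],
    "mirror": [sess(1, 19, 2, 36), sess(2, 19, 5, 35), sess(3, 18, 55, 40)],
    "swap":   [sess(1, 19, 42, 20), sess(2, 19, 41, 15), sess(3, 19, 37, 25)],
    "other":  [sess(1, 7, 0, 30), sess(2, 12, 0, 30), sess(3, 22, 0, 30)],
}
```

A flagged pair is a lead for the other indicators in this list, not a verdict: two friends who always play together also score as "overlap".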
Please note that one area players can meaningfully contribute is in assisting with behavior analysis. However, player reports should help bootstrap or enhance an investigation, and should rarely be the sum total of evidence motivating a ban (unless it’s something more conclusive, like an admission).
These are complex issues; the indicators to evaluate are dominated by sparse datasets with often poor data access, recording, and retrieval. BanStick, CivSpy, and various exploitative trackers in NoCheatPlus and SimpleAdminHacks can be invaluable in your efforts. My tool-set and the analysis here will grow as my work continues.