Do we really need to display client IP address?
Dear hosters,

I want to ask you about a privacy issue. I know there are good reasons to display the IP address of connecting clients (in the logs and in an InSim packet) but there is also a problem.

Unscrupulous people are able to start a host and obtain the IP address of any users who connect. We can't prevent this if we do provide guest IP information. If we ban a known unscrupulous user, they can always create a new user name and do it again.

But as we (LFS developers) are doing the physical hosting, we could provide complete privacy for the IP address of connecting clients. We could simply not show them in the logs or InSim packets.

What do you think? I know some of you have good reasons for using IP address information, but could you do without it? Please try to weigh up the upsides and downsides.

Thanks.
I think those that want to do harm to servers can always find out the IP address.
I don't mind hiding the IP address in the log.
Thank you for addressing this important topic.

One possible solution could be to hide the IP addresses for users connecting to free servers, while still allowing IP access only on rented servers. This way, privacy is protected where there’s less control over who is hosting, and at the same time, serious hosts still have the necessary tools to manage their servers effectively.

However, I do believe that additional security measures are needed for hosts. For example:

Implementing serial number-based bans would be a stronger and more reliable alternative to IP bans.

https://www.lfs.net/forum/thread/110537-Security-Update

In summary, limiting IP visibility only to rented servers, combined with stronger moderation tools, could be an ideal balance between privacy and security.
Quote from RealistAdam :One possible solution could be to hide the IP addresses for users connecting to free servers, while still allowing IP access only on rented servers.
...

Quote from RC-Maus :I think those that want to do harm to servers can always find out the IP address.

I completely agree with this, all this change will do is make it more difficult - a determined user will get around it.

I suppose we can get rid of everything IP address related from the hosts pages, but keeping them in the insim packets.

The IP address can be beneficial to determine if the connecting user is a shared account with IP comparison. Though personally, that's about it.
#5 - Racon
I've used it before to compare troublemakers with other server admins, but I could live without that.

I've got it in our user-signup system, but it's a redundancy there that I added just because it was available. No problem if we lose it there either.

If you do remove the IP address, might you replace it with some other identifier? A lot of troublemakers have alt accounts, but a hardware identifier would foil them where an IP couldn't. If it's hashed to fit the current IP space it shouldn't be a security issue.
Quote from RC-Maus :I think those that want to do harm to servers can always find out the IP address.
I don't mind hiding the IP address in the log.

This is not about people harming servers, it is about server owners gathering information about clients who connect to their servers.

What I am saying is, if we don't pass the guest IP address information to the hosters, they will not know it, and there is no possible way around that. So that is a security or privacy improvement for people going online in LFS.

Quote from RealistAdam :One possible solution could be to hide the IP addresses for users connecting to free servers, while still allowing IP access only on rented servers.

This is not a suitable solution. I am talking about unscrupulous people with the means to rent servers and with their own database and possibly website. Please note that when I say "unscrupulous" this is really an understatement.

Quote from RealistAdam :Implementing serial number-based bans would be a stronger and more reliable alternative to IP bans.

https://www.lfs.net/forum/thread/110537-Security-Update

OK now we are talking about trying to solve the (different) problem of guest troublemakers when IP address is not available (and isn't a good identifier anyway as people can keep changing it).

Quote from Racon :If you do remove the IP address, might you replace it with some other identifier? A lot of troublemakers have alt accounts, but a hardware identifier would foil them where an IP couldn't. If it's hashed to fit the current IP space it shouldn't be a security issue.

A PC-based identifier is certainly something to be considered, although no doubt that part of LFS could be hacked so it won't be a perfect solution either.
The IP address is useful to look up the ISO country code of the player.

Would it make sense to be able to select a country of origin in the Options - Game (which would be included in IS_NCI)?

Obviously if the IP address is used malevolently too frequently it should be removed.

Would the IS_IPB packet become obsolete?
I would be strongly against not showing IP address in the hosting panel and logs.

Usage for such feature:
- When people are using multiple accounts
- When people are using VPN
- When people are sharing one account
- When certain IP is sending requests to the server but not connecting (malicious actor)
etc.

Also considering the one time I asked to deal with a player that has been harassing our servers and got the answer "Hopefully he will get bored soon and move on.". I think it wouldn't be very wise to take away tools from hosting admins. By improving player identity security you are greatly reducing the server safety of all servers. The toxicity on demo servers would certainly increase and then players would be like "why admins aren't taking actions".

While it is a valid concern, these days everything collects some data about the visitor/user/player. For example our forum saves data on IP address when account was created and last known IP address. So just like site popups or discord popup I think there should be a popup before joining a server informing the player about data that is being collected and the option to join the server, go back or set this server as trusted ("I trust this server").

First and foremost, the bad actor should be held accountable for his actions. Any form of doxxing should be punished. In addition to being banned, their server should be closed and the user should not be allowed to host a server for a given period (if it is a temporary ban).
ToS 1.5:
"1.5 Extreme disruptive or offensive behavior by a user, towards the developers or members of the community, may result in temporary or permanent suspension of the user's Live for Speed license."

On the other hand I consider that certain compromises can be taken regarding IP information. Free hosts are temporary and can't really be trusted, so for free hosts IP information can be stripped away. Another thing is that server trust must be earned, thus only servers which are older than 1 year get the feature to show IP addresses.
I was really looking for simple solutions to a serious problem, which is why I suggested not revealing IP addresses to hosts.

Your post seems very much from the point of view of a hoster. No doubt it's fine if someone's IP address is linked with their user name on your system, and most hosters who will read this, but it's not you or them we are worried about.

I don't really think a warning when you join a host, warning about the issues of someone seeing your IP address, could really help. That would be about as much help as the ridiculous lengthy legal documents you have to agree to when installing software, or these stupid dialogs that come up every time you visit a website "We really care about your privacy so is it OK to send your personal information to 1000 legitimate businesses?".

Quote from mcmustang :"1.5 Extreme disruptive or offensive behavior by a user, towards the developers or members of the community, may result in temporary or permanent suspension of the user's Live for Speed license."

Unfortunately this is no more than a dream. If we could remove bad people simply by removing their LFS license, things would be pretty easy. Unfortunately, the people who have caused the most disruption and destruction are easily able to obtain multiple licenses (and obviously IP addresses).

Sometimes it seems like people think that we have all the world's police forces under our control, waiting for us to snap our fingers and they'll jump into action and lock up the baddies. Actually we're just a couple of people on the internet trying to make a nice game and the police are obviously not interested. So holding people to account isn't really an option.

Quote from mcmustang :Free hosts are temporary and can't really be trusted, so for free hosts IP information can be stripped away.

Yes that's easy and I'm sure it should be done, but as already mentioned won't solve the problem.

Quote from mcmustang :Another thing is that server trust must be earned, thus only servers which are older than 1 year get the feature to show IP addresses.

This would have to be more like assess on an individual basis and manually set the option. Just existing for a year isn't necessarily enough to be trusted. So we would then be in the position of answering requests for hosters via tech support, which puts us in a difficult position (some easy decisions, some not, it's the ones in the middle that are more of a concern - trying to detect deception in tech support emails is something we have to do but it's not a nice part of our life and really not something we want to increase).
I'm trying to weigh up the advantages to hosters, compared with the privacy of users.

Trouble is, I've asked in the hosters forum section, so answers are likely to be biased in favour of hosters.

But we have a genuine problem. Without wanting to name anyone (and I will not confirm or deny any user names, please don't ask) I believe there is a strong possibility of a hoster who will collect IP addresses and link them with user names for malicious reasons.

What I am really asking is if these apparently small advantages that you get as a legitimate hoster, from seeing IP addresses, are really worth the potential invasion of privacy and revealing of private data to malicious actors when we can easily prevent it.
Quote from mcmustang :
Usage for such feature:
- When people are using multiple accounts
- When people are using VPN
- When people are sharing one account
- When certain IP is sending requests to the server but not connecting (malicious actor)
etc.

Maybe we should take a look at these, consider each point, how valuable it is and if there could be other solutions.

- When people are using multiple accounts
Yes, this can sometimes be detected by linking one IP address with multiple accounts. But users can get around that by changing IP address (dynamic IP or VPN).

- When people are using VPN
I don't know much about this, can VPN usage be identified from the IP address? And if so, what does that matter?

- When people are sharing one account
Right, when you see the same account on multiple IP addresses. But there are perfectly legitimate reasons why that might be the case so I don't think this is much use.

- When certain IP is sending requests to the server but not connecting (malicious actor)
I don't think this is seen these days, because of how the system works, but correct me if I am wrong.

etc.
Feel free to elaborate. :)
Before Discord was banned in Türkiye, I was storing the IP information of everyone who logged into the server for security. I just checked that 200,000 IP addresses were stored in 1 year.

I was storing this information only for those who were thinking of alternative ways to avoid the ban.

I never checked a player's IP address in the server log on the LFS website, to be honest. Because I was storing it through InSim.

I am currently doing this through Telegram, but what can be done with a player's IP address?

In most games, admins have access to this information on public servers. I understand that this issue is being discussed, but the steps to be taken to prevent this situation will not be good.

If we want to solve the privacy problem, other problems will arise this time. If you hide the IP addresses, you will definitely need to find different methods to detect multiple accounts. Otherwise, the number of toxic players in the community will increase.
I can't even imagine the stored IP addresses being stolen. If we gave this data to someone, willingly or unwillingly, it would probably be a huge problem.
When we checked, I found that our IP addresses are constantly cycling when you provide multiple connections to the servers. It may be different, but this is what I found. When you think about it, storing this data is not good at all.
As I mentioned at the beginning and in the post I opened a topic about before, we need to detect the serial number of any hardware part of our computer. This data will not cause any privacy violation.
Quote from Scawen :I was really looking for simple solutions to a serious problem, which is why I suggested not revealing IP addresses to hosts.

Simple on or off solution doesn't offer any compromises. It would certainly be a simple fast fix but you are taking away options from hosting admins which has server safety implications. We specialize in getting rid of wrongdoers from our server and let it stay that way, otherwise we would have to rely on tech support every time there is a major problem and it is of best interest that there are less tech support requests. It is of best interest for LFS that servers stay free of wrongdoers.

90% of LFS servers won't need the IP info but the 10% that need it are high frequency servers, ones that are likely to represent the culture of the people in the community. If the LFS community gets bad word about wrongdoings it is irreparable damage.

Quote from Scawen :This would have to be more like assess on an individual basis and manually set the option. Just existing for a year isn't necessarily enough to be trusted. So we would then be in the position of answering requests for hosters via tech support, which puts us in a difficult position (some easy decisions, some not, it's the ones in the middle that are more of a concern - trying to detect deception in tech support emails is something we have to do but it's not a nice part of our life and really not something we want to increase).

This feels like a good direction but not fully explored. It doesn't have to be manual approval for every server, limiting parameters can be applied. Given the stats from AA GTi server, the server has high activity for about 6 hours daily, let's say that for every hour 12 players connect (not 12 unique users). That would equate to 72 connects daily, now if we apply that for 1 year we would have 26.280 connects. So if a server has achieved connects over that number it can apply for IP info. From there on it can either be automatically approved given more parameters or manually approved.

Feel like that number is too small? Increase it. Feel like that is not enough as a parameter for decision? Add more, the sky is the limit.
Quote from RealistAdam :In most games, admins have access to this information on public servers.

Is that the case? I did wonder about this. As I think many game developers may do their own hosting, as we do now, I wondered if handing out personal data (IP address) of some customers (client racers) to other customers (hosters) was now a thing of the past, and possibly LFS devs were the only nutters freely handing out this information.

I really don't know how it is in other games, so I'd like to hear more about that. :)

Quote from mcmustang :We specialize in getting rid of wrongdoers from our server

What does this really mean? Are you talking about people who join and crash into people? You say "safety implications" but do you just mean rammers messing up races? How many times has it been that you can't simply get rid of them by an ordinary user name ban? In my previous post I was questioning how you really used IP addresses to solve such a safety issue. Could you post a brief description of a time you have used IP addresses to eliminate a hooligan or someone who affected server safety?

I'm not being sarcastic or anything, I think I need it illustrated by real examples (no actual user names though).
Quote from Scawen :- When people are using multiple accounts
Yes, this can sometimes be detected by linking one IP address with multiple accounts. But users can get around that by changing IP address (dynamic IP or VPN).

Well, there was one case of such abuse - in the 2023 Crashmas event there was a guy gaining unfair advantage by buying an S1 licence for a new account to have a 2nd chance at the event. This was noticed only later and confirmed when checking server logs for IP when joining the server. So it would be handy to have this option in case someone tries to pull this stunt again.

Quote from Scawen :- When certain IP is sending requests to the server but not connecting (malicious actor)
I don't think this is seen these days, because of how the system works, but correct me if I am wrong.

I believe it was at some point last year when some IP addresses were in the server log with some spam-like behaviour - people were reporting that in Discord chats, checked myself and did a couple of IP bans just to be sure. Again something worth to have as option except that can be somehow prevented serverside from actual host.
Quote from RealistAdam :I am currently doing this through Telegram, but what can be done with a player's IP address?

I don't actually know, but IP address is often referred to as personal information.

From my point of view, there are definitely some people I would not like to have my IP address.

I guess there is possibility of DDoS of a person's home? And maybe there is a hacking possibility depending if someone has left open ports?
Quote from Scawen :I don't actually know, but IP address is often referred to as personal...

Yes, the attackers of LFS servers had attempted to do this to me before. But I wanted this. I wanted to confirm if it was really them.
Quote from Scawen :
I really don't know how it is in other games, so I'd like to hear more about that. :)


Those who can open a server in multiplayer games can access this information. I will not share the game names, but those who play different games already know. I have definitely not encountered a bad situation, but it can happen.
Quote from Scawen :Could you post a brief description of a time you have used IP addresses to eliminate a hooligan or someone who affected server safety?

Incidents such as crashes, foul language and such can be easily handled by anyone with limad power (access to insim tools). It is typically when hacks, impersonation or generally people using means to ruin the reputation of the server using multiple accounts that IP information becomes an irreplaceable tool. Due to the ability of easily creating multiple demo accounts at no cost it is quite easy to attack a demo server. Rare are cases when that happens but it does happen.

As a concrete example I would point out the case back when I messaged tech support back in May 2023. The person was impersonating other people pretending to be them and trying to defame them. The individual was banned multiple times using insim tools or lfs commands but he would keep going back having created a new demo account. Since new accounts were being created in mere seconds the next logical decision was to block his IP address, that's when he started using VPN to get a new IP address to circumvent the IP ban and IP ban of the entire VPN IP range had to be applied.

EDIT: To add that it wasn't just a single instance attack, or few days. It was sustained over several months.
Quote from Scawen :

I'm not being sarcastic or anything, I think I need it illustrated by real examples (no actual user names though).

When I opened a server on LFS, I was new to InSim and didn't know anything. I'm still learning, but I'm currently working on my website.

Imagine opening a server for the first time and you ban a player for breaking the rules. Then that player logs back in with a new account or a different account they already have and breaks the rules.

The most common violation of the rules is that they swear at the server and the admins. When we ban them, they can't stand it and they immediately go back to the server and swear.

Every server has different rules. There are servers that write pages and pages for this. But no one bothers to read it. Or there's no space for them to read it. So when you connect to a server, you can add a clickable link to the welcome.txt section or write more characters.

This seems really stupid, but they enjoy it.

Since we're tired of constantly banning new accounts, blocking their IP addresses is all we need. To be honest, IP address banning has gotten rid of hundreds of toxic players. It doesn't matter for licensed or unlicensed servers.

This also happens on licensed servers. In short, since the rule violation is a major violation, they open a new account again or log in to the server with an existing account and commit the same violation or a bigger violation.
-
(Kova.) DELETED by Scawen : sarcastic post lacking any understanding and adding nothing
-
(Scawen) DELETED by Scawen : reply to sarcastic post
Does anyone know what percentage of people have:

1) fixed or static IP (in this case, IP ban forces user to use VPN or alternative connection to get around ban)
2) dynamic IP (in this case, user simply restarts router to get new IP address)

In both cases, an IP ban is weak but in the first case there is at least some inconvenience for the banned user. Against users with dynamic IP, an IP ban is of little or no use.

Trying to verify, with an open mind, if IP bans really are that useful, or if they are more just a bit of misplaced hope to the hoster while a disruptive player simply gets a new IP to use with his spare account.
I have never seen any players with static IP addresses. There are players with dynamic IP addresses who use the same IP address for months. Since they do not restart their routers, their IP addresses remain the same.

Yes, IP bans are insufficient. Because it is very easy to change the IP address.

In the topic, they asked which country the players are connecting from. I think we can transfer our own country flag to the server on the LFS website.

The success rate of IP bans is 50% in my opinion. When we ban a player, we automatically ban them. When the ban period is over, the IP ban is also lifted. If they log in with a different account during this period, they are banned indefinitely. Although it seems sufficient, I think it is insufficient.
Would it work to give users an option to mask their IPs if they want to, and give hosts an option to require an unmasked IP to join a server?
#25 - cuni
Quote from Racon :If it's hashed to fit the current IP space it shouldn't be a security issue.

Quote from Scawen :A PC-based identifier is certainly something to be considered, although no doubt that part of LFS could be hacked so it won't be a perfect solution either.

I've not studied cryptography, but wouldn't this add a minor computational overhead and by using SHA3-256 provide a much bigger effort (technical, computational, time-wise) to the baddies over the implementation time/effort?

Edit: Took some time reading through some posts and it seems reasonable if done with IPv6 (bigger space). And in the end is not a perfect solution, like you said, if the attackers have a way to log your hashed IP, by social engineering and computing you could find patterns and reverse it...but are we "defending" against these types of sociopaths? One comment asks, "do you really need the perfect solution?" and maybe with this, imperfect deterrent, privacy and multi-account banning would be solved for 99% of the use-cases...
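As an added example that is not part of the thread and is not LFS code: a sketch of the hashed-identifier idea raised by Racon and cuni, contrasting an unkeyed SHA3-256 of an IPv4 address, which can be matched by recomputing it over a candidate range, with a keyed token scoped to one host. It assumes the master server holds a secret key; all function names, the key and the host names are hypothetical, and the addresses are constructed from the 203.0.113.0/24 documentation range.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample data: addresses from the 203.0.113.0/24 documentation range.
MASTER_KEY = b"constructed-demo-key-held-only-by-the-master-server"
CONNECTIONS = [("userA", "203.0.113.57"), ("userB", "203.0.113.9"),
               ("userC", "203.0.113.57")]


def unkeyed_id(ip: str) -> str:
    """Plain SHA3-256 of the address: stable, but anyone can recompute it."""
    return hashlib.sha3_256(ipaddress.ip_address(ip).packed).hexdigest()


def match_unkeyed(digest: str, candidate_net: str) -> Optional[str]:
    """Recompute unkeyed_id over a candidate range and return the match.

    Shows why an unkeyed hash of an IPv4 address is not private: the input
    space is small enough to walk through.
    """
    for addr in ipaddress.ip_network(candidate_net).hosts():
        if unkeyed_id(str(addr)) == digest:
            return str(addr)
    return None


def host_scoped_id(master_key: bytes, host: str, ip: str) -> str:
    """Keyed token computed by the master server (hypothetical design).

    A per-host key is derived from the master key, so the same guest gets a
    different token on every host. Truncated to 32 bits to follow the
    "fit the current IP space" idea; at that size unrelated guests can
    collide once a host has seen tens of thousands of addresses.
    """
    host_key = hmac.new(master_key, b"host:" + host.encode(), hashlib.sha3_256).digest()
    tag = hmac.new(host_key, ipaddress.ip_address(ip).packed, hashlib.sha3_256).digest()
    return tag[:4].hex()


def records_for_host(master_key: bytes, host: str, connections) -> list:
    """What the master server would hand to one hoster: (user, token) pairs."""
    return [(user, host_scoped_id(master_key, host, ip)) for user, ip in connections]


def linked_accounts(records) -> list:
    """Hoster side: user names that share a token, without seeing any address."""
    groups = {}
    for user, token in records:
        groups.setdefault(token, set()).add(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    digest = unkeyed_id("203.0.113.57")
    print("unkeyed hash matched to:", match_unkeyed(digest, "203.0.113.0/24"))
    for host in ("host-one", "host-two"):
        recs = records_for_host(MASTER_KEY, host, CONNECTIONS)
        print(host, recs, "linked:", linked_accounts(recs))
```

A hoster can still ban by token and spot accounts that share one, but cannot compare tokens with another hoster or turn a token back into an address without the master key.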