Hello! I'd be really interested in seeing your alternatives for uint64_t scramble(uint64_t nInput) as used in the context of the video! KZbin Comment Coding FTW!

I honestly don't know how i discovered this channel now ? How could i miss it this whole time ? This is pure gem. Thank you sir.

I think it would have been awesome if you mentioned that this handshake is also a good way to prevent against DDoS attacks. A lot of server apps now take advantage of cryptographic functions to prevent against DDoS attacks, by having the client do a fairly process intensive task (Like sit in a tight loop, processing hashes), that is extremely simple for the server to validate (Essentially what crypto-chains use). ie. Provide the client with an initial seed # (serverSeed) randomly generated, and a complexity #. Next, the client takes the initial seed #, and begins to process thousands of hashes (Which entirely depends on the complexity #): The client starts a loop: for (var i = 0; i < int32.MaxValue; i++) { var result = sha256(initialSeed + "|" + clientInt) // Next we look at the number of zeros that the seed starts with if (result.substring(0, complexityNumber) == "00000...complexityNumber") { //We found a sha seed that starts with the number of 0's required in order to authenticate completeHandshake(clientInt); // Pass this clientInt back to the server } } The server then can really simply calculate one SHA256 hash: sha256(initialSeed + "|" + clientInt) // If the hash generated here, meets the complexity, allow the connection, otherwise simply discard it/block the connection. The client then does a tremendous amount of work to connect, thus stopping the server from wasting a ton of resources on processing connections. A quite ingenious way: If the client takes 200ms to generate this seed, for someone to DDoS, 200ms is an absolute nightmare, which will overwhelm their systems before they can do any damage to yours.

Although each video is less than an hour, it makes me half a day to consume it. I'm sure the time you spend on each video must be more than several days. Thank you very much javid!

Reminder that he has a Patreon

I think the scambling function as a stub for a connection handhake is fine for a tutorial series. But nothing that should be used in production. You never ever should rely on security by obscurity ("secret code" that is in the client application). Better would be an open protocol with good cryptographic authentication (like per user unique username/password over tls), but this would be too advanced for a tutorial like this. So make a remark, leave it in and go on ;)

5:47 It's worth mentioning that if you're developing for Windows there is a Windows Kernel specific Condition Variable type and Memory Barrier type which in combination both prevent spontaneous wake up and dead lock (in this scenario). std::condition_variable is not 100% guaranteed and std::memory_barrier [in C++ 20] are both generalizations and don't have real kernel-based implantations (Windows and IBM's Zos are the only OSs which have memory barriers in the kernel at the moment) so they will not prevent spontaneous wake up or dead lock 100% of the time but like 90% of the time) An adaptor pattern with Windows specific code would make this a super stable server.

Guys you've got to realize that this is a simple approach to client validation and isn't by any means what you should use. He's, like always giving you something you can work with. If you're looking for actual approaches to doing proper client validation, you want to look at implementing a login process using some sort of key system with a database like any other authentication process in application development does. Keep in mind that there isn't a single mmo out there that you don't type in some sort of authentication credential into before logging in to the game. His process is just a good starter for you to look at expanding upon. I assume so that he doesn't have to host the infrastructure to do proper authentication etc, which I feel because who wants to host more than they have to.

*Summary* This video focuses on addressing two key issues in the framework from Parts 1 & 2: CPU load and client validation. *1. Problem: High CPU Usage on Server and Potential Solutions* (0:00) * The server example consumes a full CPU core even when idle (demonstrated at 0:58). * Client applications also utilize 100% of a CPU core, but this is less of a concern (since games typically demand high processing for logic and rendering). (3:06) * *Application-Specific Considerations:* Whether high CPU usage on the server is a problem depends on the type of server-side logic. (2:20) * A server primarily focused on relaying messages should be efficient and not constantly consume CPU. * A game server running AI or simulations might legitimately need full CPU power. * *Solutions:* * *This video's focus: Server sleeps until a message arrives.* (4:00) * Other potential solution: Utilizing a dedicated server framework (briefly discussed) for applications demanding maximum server performance. (2:54) *2. Implementing a Sleep Mechanism for the Server* (4:05) * *Threadsafe Queue Enhancements:* * `wait()` function added to `net_tsqueue.h`. This function blocks the calling thread until a message is pushed into the queue, thereby releasing the CPU resource until needed. (4:44) * Implemented using a `std::condition_variable` to signal when the queue transitions from empty to non-empty. (4:54) * A `std::mutex` is used to protect access to the condition variable. (4:58) * `notify_one()` is used to signal the condition variable in the queue's `push_back` and `push_front` functions. (6:35, 6:39) * *Server (`net_server.h`):* * A boolean flag `bWaitforActivity` added to control whether `Server::Update()` utilizes the `queue_incoming_messages.wait()` functionality. Default is set to `false` (7:16) to allow user control. *3. Problem: Server Vulnerable to Malicious Clients* (7:58) * Demonstration using telnet to send random data (8:31) results in massive memory allocation on the server (a sign of the server misinterpreting the data). (8:34) * The server is open to attacks from malicious actors (like port sniffers). (9:09) * Compatibility issues might arise when using different versions of the client and server. (9:25) *4. Solution: Client Validation* (9:42) * The goal is to add a step where the server verifies that the client understands the network protocol and is "friendly". (9:42) * A basic "Hello" handshake is considered, but rejected as too easily bypassed. (14:31) * *Challenge-Response Validation* (15:04): * The server generates random data. (15:37) * Server sends the data to the client. (15:40) * Server calculates a "scrambled" version of the data using a secret function. (15:42) * Client receives the data, performs the *same* scrambling function on it, and sends the result back to the server. (15:51) * Server compares the client's result with its own scrambled version. (16:00) * If they match, the client is validated as authentic. (16:05) *5. Implementation of Validation* (14:31) * `Connection` class (`net_connection.h`): * A `scramble(uint64_t)` function is added to handle scrambling the data (specific implementation intentionally kept simple in this tutorial, with emphasis on needing a more secure approach). (17:28) * Variables added: * `nHandshakeOut`: Stores the random data sent by the server. * `nHandshakeIn`: Stores the data received from the client. * `nHandshakeCheck`: Stores the server's scrambled data. * *New Functions:* * `WriteValidation()`: Asynchronously writes the `nHandshakeOut` data to the client. (20:52) * `ReadValidation(olc::net::Server* pServer)`: Asynchronously reads the response (`nHandshakeIn`) from the client, calls the `scramble()` function as needed, and triggers further actions. (21:36) * `Server` Interface (`net_server.h`): * Function `OnClientValidated(olc::net::connection& conn)` added (as virtual). Called from `Connection::ReadValidation()` when a client's response passes validation. (23:22, 24:25) * Control Flow Changes: * `Connection` constructor: * If server-owned: Generates random data for `nHandshakeOut`, calculates `nHandshakeCheck` (using `scramble()`). (19:15) * `Connection::ConnectToClient()`: Calls `WriteValidation()` to initiate the handshake. (20:35) * `Connection::ConnectToServer()`: Calls `ReadValidation()` to start the client-side validation process. (20:21) * `Connection::ReadValidation()`: * If client-owned: After receiving the challenge, calls `scramble()` on it, assigns the result to `nHandshakeOut` and then calls `WriteValidation()`. (22:36) * If server-owned: Compares the received `nHandshakeIn` with `nHandshakeCheck`. If they match, the client is validated and `pServer->OnClientValidated()` is called. Then `ReadHeader()` is triggered to resume normal message handling. (23:03) * *If validation fails in either case, the connection is closed immediately.* (24:10) *Key Improvements & Takeaways:* * *Reduced CPU load:* By using a condition variable and waiting for messages, the server significantly reduces its idle CPU consumption. (7:28) * *Basic client validation:* The added handshake process significantly improves server security by preventing most connection attempts by non-conforming clients, including malicious ones. * *Modular design:* Validation logic is contained within the framework, making it transparent to users and simplifying client/server application development. * *Room for Improvement:* The `scramble()` function's simplicity is highlighted (17:28), stressing that more sophisticated cryptographic techniques are crucial for robust real-world security. i used gemini 1.5 pro to summarize the youtube transcript

Go ahead javidx9. You are the single best ever person I have seen at explaining non-trivial programming topics.

I almost suggested using an asymmetric public key algorithm to exchange keys and become immune to man in the middle attacks - then I realised, the attacker has complete control over the client, they can do their hacks before the encryption and defeat that as cheat prevention. Anti-cheat must be done primarily on the server, where attackers have no control over it.

I am into creating operating systems. Everyone has their own favorite thing.

best video on the internet so far this epoch.

From the EPOCH till the break of dawn and so on ...∞

You’re teaching the next generation man

You can't imagine how anxious I was waiting for this part 3 😂. Waiting for the MMO implementation and furthur tweaks

Epoch caught me off guard 🤘

@javidx9 25:30 forward declaration is unable here according to used method OnClientValidated of server_interface at 23:27 of video. Yes, one of project can use only forward declaration but second required including of header with server_interface class.

"Bonjour" "Yo" Very nice

I don't know what your saying but I like your words magic man.

Nice to see how validation could be implemented, but honestly I think for this kind of project a simple header validation (check for valid id and a max message size) would be good enough, since the current validation logic can be easily "hacked" anways. These simple pre filters (id and size) would already disconnect many random connects and the ones who sent a corret header, but "invalid" data (by accident or purpose) must be filtered out later anyways, because the server has to validate everything the client sends to it. For example if the client sends a "UseItemRequest" message with invalid data (for example an item id that doesn't exist), then the server has to detect the invalid message anyways, no matter if it was sent by a client, random connect or hacker.

My go-to for C++ ♥️

your condition variable use is wrong, no need for the second mutex and the in the wait() the unique_lock (of the original mutex) should be moved to outside the while loop. Otherwise if you get preempted right after the empty call and before locking the blocking mutex and another thread does a push you can still be stuck in the wait without getting woken. You can also pass a lambda to make the while loop proper: cvBlocking.wait(muxQueue, [&](){return !empty();}); this will handle the loop for you and will wait until the predicate returns true.

"Erroneous WakeUp" also known as the NSA checking in on you.

The Legend strikes again ♥️♥️♥️

For the scramble data function: Take the sent data and append some known string (possibly the version number) and compute a hash (such as MD5.) Even though MD5 isn't considered secure anymore, I suspect it good enough. If not, there's other hashing functions. For added fun scramble the string before hashing it.

Why not check the size of data before allocating memory? If sent a data size in the header that is bigger than expected, close the connection instead of allocating the memory.

omg you scared the crap out of me with that EPOCH.................. :)

Thanks sir Javid! Cool videolesson!

I'm probably not contributing much, but according to the cryptography class I took in college, a good cryptographic function can be known. Things like RSA are public knowledge, but they're still secure because as long as you don't know what the key is, you can't get in, even if you know how the lock is built. Assuming nobody will reverse engineer your code is security through obscurity, or not secure at all. It's probably fine for a game, but with things like passwords and sensitive information, trusting nobody to reverse engineer your stuff isn't smart.

Hey, Do you have an idea about how long this series will be? How many parts exactly. coincidentally, I am trying to learn client-server communication (using cpr framework and I feel comfortable with it), but your videos keep coming out and they're really interesting, making me ambitious about learning ASIO.

What about have a user/pass system that connects to a DB. Let's you in if authorized, else kicks you out. But I do believe most games usually have a token generated by the lobby/client that is used for the socket to identify the player. By no means do I know what I'm talking about. Just a few guesses here and there.

I'd be really interested in more videos on proceduraly generated content and especially on how to "save" the users interactions with the proceduraly generated content. And to go even further it would be very interesting to know if one could proceduraly generate agents, besides the user, who interact with each other and the rest of the content independently of the user, as well as with the user.

You are a Top Notch programmer

I had been waiting so long

You scared me with THE EPOCH dude

Ill you talk about linked-list more in derth ? I just love the way you explain code

Would it be fairly easy to convert this to UDP? Will there be UDP tutorials in the future? Thanks for making these.

I've been having an issue. For some reason, the code in part 2 doesn't work properly. It only lets me send 1 ping message, and it takes a few tries to get it to send anything but garbage data, and the resulting time is something like 2 centuries. I even resorted to copy/pasting code, just to see if I missed something, but no, it still doesn't work properly. (The other message types don't work either, it's the same with the ping)

Soooo we are using TCP sockets, but the goal is to make a game with this. From what I know (I don't know very much) TCP sockets are good for sending chat messages or other messages that you need to get there in the same order, but if I need to send the players position to the server every frame then I don't care if some of them don't get there, the server just needs the current players position. That's what you would use UDP sockets for. So I'm just wondering if we are going to add UDP sockets to the framework, or if we are just going to make a game that doesn't need to send a lot of data to the server every frame.

Thank you

6:36 Can someone please explain to me why we are locking using muxBlocking here? Isn't this already locked by the wait() function resulting in a deadlock?

@javidx9 just a thought: it may be worth to allow the user to provide his own implementation of scramble, don't you think ?

Your videos are awesome!!!can u make a series on writing Joystick emulators?

In the same way you fixed the Server CPU consumption, can we apply that same method to the clients so they don't use a full CPU core?

Hello, great video! Here is my thought => when some thread calls tsqueue::wait, it might be locked forever(rare case, but what if there is empty queue and we want to close our program), so, is it a good idea to add some bool flag to 'wait' loop + one "wakeup" function to tsqueue(which just sets 'stop' bool flag and calls cvar.notify_all to notify and unblock all threads when we don't want to wait anymore)? This approach seems to be "ill-formed", but how can we finish our app properly while some thread is blocked at tsqueue::wait? Also, in my code instead of using 'update' mechanism, I use default callback for every incoming message, provided by io_context::strand to execute these callbacks consistently.

Thanks handsome bearded C++ wizard!

your scramble could simply be AES encrypt with a hardcoded key. AES has hardware implementations for 128bit keys on most architectures, so it should be fairly fast, too. and you can be sure that people are not going to find out your key by looking at the traffic in the near future. of course they would find out your key if you post it on github :P of course the initial message from the server could very well include the version number, too, even in clear text. Of course you could just encrypt the whole session, but if you go that route you might as well do the whole key exchange thing and use tls1.3. www.cryptopp.com/wiki/Advanced_Encryption_Standard

Can you provide the source code? It's been two months since this video. Thanks. Amazing serie! Please, continue doing this amazing job.

Hi Javid, In the git repository of this project, you were mentionning that there is a memory leak. I can not figure where it is, any ideas ? Thanks

What if client sends garbage after being successfully validated?

Wait, I thought mutexes (mutices?) guard the whole data structure? Like muxQueue would guard not just deqQueue, but also cvBlocking. I've never seen any mutex assigned an association to a variable. I thought it just guarded the whole scope. This validation reminds me of the now-very insecure Hotline Connect protocol. It had a header/body system all the same, but upon connecting, the client sends "TRTPHOTL\0\1\0\2" to which the server replies with "TRTP" and a 4 byte error code, usually 0.

Hello! Why "OnClientDisconnect" function is not working ?

You adressed one problem by solving a completely different problem... While authenticate the client is an important problem to solve, it does nothing to actually solve the problem that the consistency of the message header is not protected. The header should include some sort of redundancy field, like a checksum or a crc that guarantee that the header is consistant before trying to use any information from it. Also the read message function need to put a reasonable max size on the length, a full 32-bit length field implies you could be trying to read 4 GB from the client, wich doesn't seem necessary.

What do you think of Go programming language?

Some DTLS encryption would be good

Hi! Thanks a lot! Please tell me can I enter the number of port by myself from a simple string(cin>>port;)?

Hello javidx9 I have a question: On Silicon Valley tv show they make an app where they are able to convert large files into smaller files so that way they have access to accumulate more data. Can we make something like that and if so how would we call it so I could find a course that does that?

So, I can just wait for client to validate, then send junk and crash server..... You still should do checks on each requests. Simple things like capping body size to something reasonable. Also, server could send version, as well as challenge upon connection so client can notify user what version is needed.

'if (m_nOwnerType == owner::server)' code is linked into the client? Make it a template argument so it only gets linked with the server. Clients shouldn't see that code from a debugger.

Amazing as always.

If the library that implements connection class and all logic is shared between server and client that means client will have this library on his hard drive after he download the client, in this case this library can be decompiled and all handshake logic can be easily analysed and used to hack our server, Am I right or no?

Hej, what about adding encryption SSL/TLS?

When do you think the series will be finished? Like what number in the series? Just curious.

I don't see how the scramble is more useful then just sending some data and letting the client add some secret to it and then hash it. I mean if the "attacker" actually has a client he can just edit packet sizes after validation. If its just about blocking random attacks anything that isn't just a static response (that then could be part of a list for bruteforcing) should be equal, or am I missing something? I think there is no way to make anything than can be used in public with client packet sizes, but if I understood you correctly you intend not to do that with the mmo :)

Hi, Could you please help me, How to construct a TCP Protocol with 3 arguements? I have the "IP Address", "Port", & "An integer" as third arguement for indentification of the cconnection.

19:41 you could also use std::radom_device to generate an arbitrarly-long random data for users that would like to rely on longer-sized validations

Nobody: olc : DEADBEEFC0DECAFE

Love your videos keep it up!

Hello, there's a way to contact you about the convex polygon collision code or for some other informations? Maybe you don't receive comment notifications on old video.

the E P O C H

what's wrong with basic http authentification or public/private key pair for your use-case ?

EPOCH

Javid, more of a philosophical question about dependencies At what point bringing a new one in can be justified? I try avoiding having more dependencies then absolutelly necessary In certain places I end up rewriting ton of code from scratch If you put it all together, I probably wrote half of Boost by myself I am not some fundamentalist who would write his own OS implementation only to have no external dependencies If complexity is not really worth it or I need really big chunk of library and it is just dumb to, basically, remake an existing lib, why would I do that? Also, for some dummy functionality where I need working it now and either don't really care about how or replace it soon enough What bugs the hell out of me Is people adding a new dependency only to use a couple of semi-trivial features that would take only a couple hours or a day to reimplement from scratch. Langs like Python are the biggest offenders as dependencies have their own dependancies and you might end up installing Anaconda to read excel data Not to mention that some libs (even widely accepted) are badly designed, poorly maintained, rely on some guy in a middle of Siberia not dying during bear hunt or all of the above and you just add a ticking time bomb to the project. What is your take on that? I know that you use a lot of external libs in your tutorials, but they are home projects that are not meant to take a lot of time, be simple and you don't really care about lib existing because your interest clearly won't outlast the lib. Even I don't write my own code for that, unless there are some bad offenders like string.h C library (I rewrote a lot of C standard library because it is clearly a product of it's time) or libPNG

Could this be the basis for a real online MMO of thousands (10-25k) of players each making thousands of requests? I guess I'm asking if it is scalable or is it best to start elsewhere!

I really disagree with your plan to "accept something I'd expect" when you connect. It's quite easy to mimic that by looking at how the client connects, and then specify the max size for integer, to allocate a large amount of memory, and crash your program. It would have been lightyears simpler to limit the size that can be allocated to a reasonable size. Anything over that, simply reject and disconnect the client.

Ok now back to the serious work! Let's rewrite everything without the stupid ASIO.

"Epoch" 19:39

Whats stopping me to just decompile the client and extract the function that does the scrumble? I don't need to understand the function I cant treat it an a blackbox

So hyped ^.^

Nice.

I wish you would take care about stuff like "hole punching"(STUN, etc.). Having a server, that handles every single player, might be very expensive for tiny projects. Having some server-independent communication between clients might be helpful, so you server only needs to tell the clients, where to send their packets. Also it might reduce the delay between actions.

Source?

Its cool! 😎

You know game Dwarf Fortress? Could you please explain how dwarvies AI works in game Dwarf Fortress? From proger view ofcourse.

french be like - bonjour. - yo

Hi Javid, i love your videos bro they help me alot especially the ones about gaming. Its slightly off subject but i am trying to make a card game with an image array that holds the cards. I am stuck on this. Do you know how to create an image array in Java that iterates through images in a file? cheers

nothing just wanna refresh the scrap book

👋

18:01 the client for a game is under complete control of the attacker, they will simply decompile your client with ghidra and see exactly what the algorithm does.

Hey do you mind if I create a blog series based on your videos ( basically referencing it and then making my own ) ?

Make c++ tutorials

17:44 what is this new English word? is it xor?

:D

Please sir make a full tutorial on c++

first

EPOCH