Discussion: Untrusted, purely P2P, dynamic database

28 comments, last by Numsgil 18 years, 7 months ago
ChrisJW suggested making a thread about this on #GameDev, and in the interests of bringing up some interesting discussions besides "how do I do this" onto the forums, I thought, hey, why not :-). The "Goal" would be to create a completely peer-to-peer based database with the expectation of untrusted clients, a database which will hold data which in fact changes. I'll outline my thoughts on the subject in this opening post. First off, the target goal, or what this database is and is not suitable for.

So, what would such a database target?

I believe it is unsuitable for:

1) Sensitive data. Given the promiscuous nature of a peer-to-peer network, especially given that we do not trust the clients, sensitive data such as medical or bank records are straight out.
2) Integrity-crucial data. Again, given the untrusted nature of our clients, we should not use this database for nuclear power plant control, or things of that nature.

I believe it would be suitable for:

1) A theoretical P2P MMO. No, I'm not planning on building one, just coalescing ideas. It is more important that the server be extremely difficult and expensive in resources to "hack" (alter the data of) rather than impossible. If a dedicated hacker is more likely to get struck by lightning than successfully alter the database illegally, I would consider this "secure enough" for an MMO.
2) Any traditional filesharing P2P network. Further posts will cover some of the difficulties with such a P2P network, detection, and possible solutions. [Edited by - MaulingMonkey on August 11, 2005 7:42:14 PM]
It's a pretty cool idea. (As you know) I'm going to try and hack together something simple in Python. There are no guarantees on this; I've got a few other things to do right now and it's not high priority.
Ra
Theoretically yes, you could create a game system like that; the problem comes with administering it. Since there is no central server, administration is impossible, hence if things do get unwieldy, passwords stolen, or hackers attack, there is no way to do anything about it.

A quick solution, but against your methodologies, is to use a Napster-like system. Have a central system that only checks in and out peers. You could then build the client to update patches from there, as well as accept that IP address as the administrative contact. While this wouldn't fix hacking quite as much, it would make recovery easier, as IP spoofing would be necessary to get into it.

EDIT: no, it's not about hackers, but it's common maintenance that would be impossible. Even for a free MMORPG, it could get terrible quickly.

Malicious Attack (Part 1, Independent)

Obviously, a P2P network is useless unless it can be partially trusted, if only for the reason that it'd have no reason to behave with malice. For a game, however, the desire of another player to have a level 99 omgwtfbbq instakillyou character can be considered malicious, so this direct level of trust is not available.

Some of the forms of malicious attacks to attempt to alter the database that I can think of:

Independent, localized attack:

Where the attacker runs multiple clients on a single network which agree with each other with the intent of spreading misinformation on the "real" database. This is probably the simplest to both implement (attack with) and counter (defend against).

Detection Method(s):
1) Run redundant data-checks against peers across varied (sub)networks.

Countersolution(s):
1) Ensure a client has peers from varied networks. When results don't match, perform a larger poll check. If only one specific network area seems to differ (in that particular manner), the client (temporarily?) blacklists that area as untrustworthy. This causes a netsplit(!): the hacker believes themselves to be level 99 whereas the remainder disagree and ignore/block them as invalid data.

Independent, diffuse attack:

Where the attacker has access to multiple networks, either via proxies or similar.

Detection Method(s):
1) Run redundant data-checks against peers across varied (sub)networks (should tumble through the results occasionally to have a chance of being alerted to a problem should all peers be from the single attacker, however unlikely).

Countersolution(s):
1) This one is a bit harder to deal with, since the user has infiltrated multiple networks. Larger polls, or checking with whitelists, may be the way to go here.

Sidenotes:

One of the nice things about independent attacks is they're self-defeating in a large group. What I mean by this is in order to not be recognized as obviously bogus (i.e. disagreeing with every single thing in the database) most of the parts will be equal with the "correct" version - including the parts which other independents are trying to change. Given twenty peers, all of them separate malicious attackers, it would be possible to identify the bad data on each machine, as it would be different only on that single machine for that item (i.e. 5% of the clients).

[Edited by - MaulingMonkey on August 11, 2005 8:40:38 PM]
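The detection and counter described for the localized attack, worked through in Python as an added illustration (this is not code from the thread): peers are spread across /24 subnets, a small poll is escalated to a wide one on any disagreement, and a subnet whose members uniformly contradict the majority is blacklisted. The peer table, addresses and record values are constructed for the example, and "network area" is approximated by /24 as an assumption.

```python
import ipaddress
import random
from collections import Counter, defaultdict

# Constructed peer table for one record (say, player Bob's level): ip -> the
# value that peer reports. Hosts in 10.0.3.0/24 are the attacker's colluding
# clients, all agreeing on a bogus value. Every address here is made up.
PEERS = {
    "10.0.1.5": 12, "10.0.1.9": 12,
    "10.0.2.7": 12, "10.0.2.8": 12,
    "10.0.3.2": 99, "10.0.3.3": 99, "10.0.3.4": 99,
    "10.0.4.1": 12,
    "10.0.5.6": 12,
}

def subnet(ip):
    """Group peers by /24 as a stand-in for 'network area' (an assumption)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def pick_peers(peers, blacklist, n_subnets, per_subnet, rng):
    """Spread the poll across distinct, non-blacklisted subnets."""
    by_net = defaultdict(list)
    for ip in peers:
        net = subnet(ip)
        if net not in blacklist:
            by_net[net].append(ip)
    nets = sorted(by_net)
    rng.shuffle(nets)
    chosen = []
    for net in nets[:n_subnets]:
        members = sorted(by_net[net])
        rng.shuffle(members)
        chosen.extend(members[:per_subnet])
    return chosen

def poll(peers, chosen):
    """Ask each chosen peer for its copy of the record (simulated lookup)."""
    return {ip: peers[ip] for ip in chosen}

def consensus(answers):
    """Majority value and the fraction of polled peers that agree with it."""
    value, n = Counter(answers.values()).most_common(1)[0]
    return value, n / len(answers)

def dissenting_subnets(answers, value):
    """Subnets whose polled members all disagree with the consensus."""
    agree = defaultdict(list)
    for ip, v in answers.items():
        agree[subnet(ip)].append(v == value)
    return {net for net, flags in agree.items() if not any(flags)}

def lookup(peers, blacklist, rng, small=3):
    """Cheap poll first; on any disagreement escalate to a wide poll and
    blacklist subnets that uniformly contradict the majority."""
    answers = poll(peers, pick_peers(peers, blacklist, small, 1, rng))
    value, frac = consensus(answers)
    if frac < 1.0:
        answers = poll(peers, pick_peers(peers, blacklist, len(peers), 2, rng))
        value, frac = consensus(answers)
        blacklist.update(dissenting_subnets(answers, value))
    return value, frac

def demo(seed=0):
    """Poll all five subnets so the attacker is in the sample, then look up again."""
    rng = random.Random(seed)
    blacklist = set()
    first = lookup(PEERS, blacklist, rng, small=5)   # attacker's subnet is polled
    second = lookup(PEERS, blacklist, rng, small=5)  # it is now skipped
    return first, sorted(blacklist), second
```

The first lookup sees one dissenting answer, escalates, finds the majority still at 12 (six of eight wide-poll answers) and blacklists 10.0.3.0/24; the second lookup is unanimous because that subnet is no longer sampled. The "netsplit" in the post is exactly this: the blacklisted clients keep their own value and everyone else stops listening to them.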

Administration (Authorization & Moderation, Part 1)

Quote: Original post by PaulCesar
Theoretically yes, you could create a game system like that; the problem comes with administering it. Since there is no central server, administration is impossible, hence if things do get unwieldy, passwords stolen, or hackers attack, there is no way to do anything about it.


Let's expand on this. Here, we're assuming a traditionalistic user authorization method, a central authority that says who is who. What if we toss that out the window?

P2P user authorization?

Do we have any current examples of this? I'd say yes - PGP keys, commonly used in website authorization, are a prime example. If you can communicate with the same key given out before, you know it's the same user. There's no password in this situation; there's your private key. If a hacker gets it, they get your identity, however. Is it possible to re-key yourself? Perhaps; this would have client(s) with the private key for the old public one confirming through that old key that the new public key is in fact their own.

If that made any sense, I'm beginning to confuse myself :-).

P2P moderation

P2P moderation presents an interesting challenge. For this to work effectively, users must coalesce to form groups which are partially trusted - enough to pass judgement on a user's expressiveness anyways.

Two basic methods I can see would be opt-in and opt-out.

With the opt-in model, a moderation group must selectively choose to add users for their names, chat, spraypaints, etc, to be visible/unfiltered. This allows for those who would prefer not to suffer the weight of all the morons in the world to select those whom they would listen to.

With the opt-out model, a moderation group must selectively choose to add users for their names, chat, spraypaints, etc, to be filtered/blurred/hidden. This allows people to help each other select racists, swearers, and so forth, that they'd rather not hear.

This can also apply to user-groups, otherwise known as clans in many games. I might opt-in to a group of my friends (kicking those whom I dislike, individual muting, or leaving the group if it refuses to do this itself).
Take a look at FreeNet for a distributed database.

Also take a look at the "performance" of FreeNet.

In a game, there's state that changes. Any database needs to have clear rules for how to get that state to everybody who would want to know about that state, and clear rules for applying and distributing changes. All within tolerable latency limits.

I'm not very optimistic about P2P MMOs.
enum Bool { True, False, FileNotFound };
Well, here is a cool idea for p2p -- nothing exists on the computer's hard drive ... the clients, upon receiving data, send it to another client, so data only exists on the wire. Easily corruptible, but infinite space ;)

I had this idea a year or two ago, and then a day later, a paper came out about something similar. Here it is.

<3 visage
To moderate the network all you need to do is put a public key in all clients and keep the private key. When you need to change something on the network you broadcast a message that is signed with the private key.
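Both the re-keying question in the Administration post above and the signed-broadcast moderation scheme in the post just above come down to the same primitive: a statement signed by a key the peers already trust. Here is an added Python illustration (not code from the thread, and not PGP) using a Lamport one-time signature built only on SHA-256 from the standard library. A Lamport key can sign exactly once, so every signed statement also names the signer's next public key: the old key vouches for the new one, which is the re-keying the post asks about, and the same records carry moderation broadcasts. The message formats, the `Identity` class and the pinning-by-fingerprint convention are assumptions of this example.

```python
import hashlib
import os

# Added illustration, not code from the thread. A Lamport one-time signature
# (hash-based, standard library only) stands in for the PGP keys mentioned
# above. Each key pair signs exactly one statement, and every statement names
# the next public key, so a user's identity is a chain of keys.

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Secret key: 256 pairs of random preimages; public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk

def digest_bits(message: bytes):
    d = sha256(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, message: bytes):
    """Reveal, per bit of the message digest, the preimage for that bit."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]

def verify(pk, message: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(sha256(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(message)))

def fingerprint(pk) -> bytes:
    """Short, stable handle for a public key (what peers pin on first contact)."""
    return sha256(b"".join(a + b for a, b in pk))

def statement(payload: bytes, next_pk) -> bytes:
    """Canonical bytes that get signed: the payload plus the successor key."""
    return len(payload).to_bytes(4, "big") + payload + fingerprint(next_pk)

class Identity:
    """A user's key chain. Peers learn `root` once; everything after is proven."""
    def __init__(self):
        self.sk, self.pk = keygen()
        self.root = self.pk

    def publish(self, payload: bytes):
        """Sign one statement with the current key and rotate to a fresh key."""
        next_sk, next_pk = keygen()
        sig = sign(self.sk, statement(payload, next_pk))
        self.sk, self.pk = next_sk, next_pk
        return (payload, next_pk, sig)

def verify_chain(root_pk, records):
    """Peer side: walk the records from the pinned root key. Returns the list
    of authenticated payloads and the user's current public key, or None if
    any link fails (tampered payload, forged record, or broken succession)."""
    cur, payloads = root_pk, []
    for payload, next_pk, sig in records:
        if not verify(cur, statement(payload, next_pk), sig):
            return None
        payloads.append(payload)
        cur = next_pk
    return payloads, cur
```

For the moderation case, the root public key is the one shipped inside every client; each broadcast is one record, and a client that has verified the chain so far knows which key the next broadcast must come from. The price of a one-time scheme is that a skipped or reordered record breaks the chain, which is why peers need to fetch the whole history from the root, and a stolen current secret key still lets the thief publish exactly one statement, after which the chain is theirs: the post's caveat that losing the private key means losing the identity holds here too.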
Quote: Original post by hplus0603
Take a look at FreeNet for a distributed database.

Also take a look at the "performance" of FreeNet.


Will do.

Quote: In a game, there's state that changes. Any database needs to have clear rules for how to get that state to everybody who would want to know about that state, and clear rules for applying and distributing changes. All within tolerable latency limits.

I'm not very optimistic about P2P MMOs.


I'm definitely not optimistic about a traditional style MMO being hosted on a P2P framework, in large part due to the huge amount of redundancy checking required. I still think it'd work for low-bandwidth MMOs, starting with fast initial results which aren't exactly trustworthy, then later affirmation or disagreement with more oomph by higher-latency peers.

However, I haven't studied this in terrible depth yet; it may not be as bad as all that. Greeting another player, you have to verify inventories, character stats, and the like. That said, some things can be entirely client-verified - e.g. if your client "knows" (verified against a larger group) that player B can only move 3 paces a second, and player B's client tells you it's decided to move 30 paces in a second, it by itself has contradicted the rest of the game world - no independent confirmation is required to see that something is wrong.

I suppose I'm not aiming for a truly unhackable server, rather, a hack-resistant and automatically repelling/healing one.
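The "3 paces a second" check from the post, as an added Python example rather than anything from the thread: a purely local validator that keeps each peer's last accepted position report and rejects any report that would require moving faster than the limit the client already trusts. The speed limit is the post's figure; the latency slack, the 2D coordinates and the `MovementValidator` class are assumptions of this example. Rejected reports are not recorded, so a cheater cannot "teleport" by first getting one bad report through.

```python
import math

# Added illustration, not code from the thread. The speed limit is the value
# the post uses and is assumed to have been verified against the wider group;
# the latency slack is an assumption so that timestamp jitter between peers
# does not produce false alarms.
MAX_PACES_PER_SECOND = 3.0
LATENCY_SLACK_S = 0.25

class MovementValidator:
    """Local rule check: a peer's own position reports must be consistent with
    the speed limit we already trust. No polling is needed to spot the contradiction."""

    def __init__(self, max_speed=MAX_PACES_PER_SECOND, slack=LATENCY_SLACK_S):
        self.max_speed = max_speed
        self.slack = slack
        self.last = {}  # player -> (x, y, t) of the last accepted report

    def check(self, player, x, y, t):
        """Return (accepted, reason). The first report from a player is taken on sight."""
        prev = self.last.get(player)
        if prev is None:
            self.last[player] = (x, y, t)
            return True, "first report"
        px, py, pt = prev
        if t <= pt:
            # Out-of-order or replayed report: never let it rewind the history.
            return False, "timestamp not increasing"
        dist = math.hypot(x - px, y - py)
        allowed = self.max_speed * (t - pt + self.slack)
        if dist > allowed:
            # The report contradicts the trusted rule; keep the last good state.
            return False, f"moved {dist:.1f} paces, limit {allowed:.1f}"
        self.last[player] = (x, y, t)
        return True, "ok"
```

A rejected report is the trigger for the wider polling the earlier posts describe: the client can drop the peer's claim immediately and only then spend bandwidth asking others whether that peer's state has diverged elsewhere too.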
Not sure what you mean by p2p database??
Maybe you mean distributed database?? Probably.

So is the querying distributed..or the data transfer..or both.
If you mean a distributed database, then concurrency control will
overshadow security as a major difficulty.
How do you plan on tackling concurrency control?
