Final Fantasy XI
From Protocolinfo
Final Fantasy XI Online is an MMORPG produced by Square Enix Co., Ltd.
Identification
The following pertains to PlayOnline (including all related software such as FFXI):
Ports
PlayOnline Server Group:
- [OUT] TCP 25 SMTP – (PlayOnline) Email client communication outbound.
- [OUT] TCP 80 HTTP – (PlayOnline) Web information and updates.
- [OUT] TCP 110 POP3 – (PlayOnline) Email client communication inbound.
- [OUT] TCP 443 HTTPS – (PlayOnline) Secure 128-bit SSL member data.
- [OUT] TCP 50000 – 65535 Game updates and PlayOnline data.
- [OUT] UDP 50000 – 65535 Game play.
According to the PlayOnline Q&A, the following ports may be used by gaming consoles such as the Sony PlayStation 2 and Microsoft Xbox.
- [OUT] TCP 1024 - 65535 (unverified)
- [OUT] UDP 50000 - 65535 (unverified)
PlayOnline can also connect through a proxy.
Server Subnets
Observed Subnets:
- 61.195.56.0/22 [Japan? Square Enix Co. Ltd] (Whois: 61.195.56.0/22) – Game updates?
- 202.67.48.0/20 [Japan? Square Enix Co. Ltd] (Whois: 202.67.48.0/20) – PlayOnline?
- 219.117.144.0/20 [US? Square Enix Co. Ltd] (Whois: 219.117.144.0/20) – PlayOnline?
CIDR
One way to classify game traffic is to match on these server subnets (CIDR) together with ports 50000 to 65535.
# Marks the server->client half of each flow (source port in the game range,
# source address in a Square Enix block) and the client->server half
# (destination port and address) so both directions get the same mark.
# $iptables, $gotochain and $mark come from the surrounding script.
: "${iptables:=iptables}"
: "${gotochain:?gotochain (mangle chain to append to) must be set}"
: "${mark:?mark (fwmark value) must be set}"
if [ "${ENABLE_FFXI:-0}" = "1" ]; then
    echo " FFXI ENABLED"
    cidrs="61.195.56.0/22 219.117.144.0/20 202.67.48.0/20"
    for cidr in $cidrs; do
        "$iptables" -t mangle -A "$gotochain" -p udp -s "$cidr" --sport 50000:65535 -j MARK --set-mark "$mark"
        "$iptables" -t mangle -A "$gotochain" -p tcp -s "$cidr" --sport 50000:65535 -j MARK --set-mark "$mark"
        "$iptables" -t mangle -A "$gotochain" -p udp -d "$cidr" --dport 50000:65535 -j MARK --set-mark "$mark"
        "$iptables" -t mangle -A "$gotochain" -p tcp -d "$cidr" --dport 50000:65535 -j MARK --set-mark "$mark"
    done
fi
Notes
It may be possible to build a pattern for PlayOnline communication from the client's "User-Agent" header or from the server's "Content-Type: text/x-playonline-pml" response header; the request also carries HTTP Digest authentication with realm "POL". Although this is plain HTTP, it is carried on the outbound 50000-65535 port range rather than TCP port 80; secure transmissions use port 443.
Client Request:
The host "wh000.pol.com" (or a similar host) always seems to resolve into net block 202.67.48.0/20; this may differ with regional settings.
GET /pml/game/ff11/optional/oppm01.pml?df=6&ds=0&dt=-1 HTTP/1.1
Host: wh000.pol.com
User-Agent: PlayOnline-PML-Viewer/1.00 [en] (Windows XP)
X-POL-VIEWER-VERSION: Ver.1.18.11
Accept: text/x-playonline-pml, image/x-playonline-ang, image/png, image/jpeg, */*
Accept-Language: en-US
Connection: Keep-Alive
Referer: http://wh000.pol.com/pml/game/ff11/index.pml?SC=0&PF=WIN
Authorization: Digest userName="(snip)", realm="POL", (snip)...
Server Response:
HTTP/1.1 200 OK
Date: Fri, 26 Dec 2008 03:40:08 GMT
Server: Apache/1.3.26 Ben-SSL/1.48 (Unix)
Authentication-Info: rspauth="69197c2ed003aa1cfbb845c013726be8"
Last-Modified: Mon, 31 Mar 2008 11:38:57 GMT
ETag: "11edfd-3030-47f0cd51"
Accept-Ranges: bytes
Content-Length: 12336
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/x-playonline-pml
Other observed content-types: text/x-playonline-pml, image/x-playonline-ang...
It may be possible to build a pattern for PlayOnline updates. This traffic also uses the outbound 50000-65535 port range.
Client Request:
The update host always seems to resolve into net block 61.195.56.0/22.
00000000  44 00 00 00 dc 1e c9 91 50 4f 4c 50 03 00 00 00  D....... POLP....
00000010  00 00 00 00 00 00 01 00 57 32 30 00 30 30 30 31  ........ W20.0001
00000020  20 00 00 00 33 30 30 38 31 32 31 32 5f 31 2f 44   ...3008 1212_1/D
00000030  69 72 65 63 74 2f 70 61 74 63 68 2e 74 78 74 2e  irect/pa tch.txt.
00000040  73 6c 63 00                                      slc.
Server Response:
00000000  3c 00 01 00 52 92 f2 61 50 4f 4c 50 04 00 00 00  <...R..a POLP....
00000010  00 00 00 00 00 00 01 00 20 00 00 00 33 30 30 38  ........  ...3008
00000020  31 32 31 32 5f 31 2f 44 69 72 65 63 74 2f 70 61  1212_1/D irect/pa
00000030  74 63 68 2e 74 78 74 2e 73 6c 63 00              tch.txt. slc.
(snip)... data.
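As an added example (not from the Protocolinfo page and not PlayOnline's own code), the following Python implements both patterns this section proposes: it recognises the PML viewer's HTTP exchange by the "User-Agent" and "Content-Type" headers, and the binary update exchange by the "POLP" marker at offset 8 of the frame. The POLP field layout used here (16-bit little-endian frame length, 16-bit flags, 4-byte identifier, "POLP", 32-bit type, 8 reserved bytes, an 8-byte client tag present only in the type-3 request, then a 32-bit length-prefixed NUL-terminated path) is inferred from the two captures above and is an assumption, as are the field names. The sample payloads are constructed from the captures on this page.

```python
"""Detectors for the two PlayOnline traffic patterns captured above.

Added example; not code from Protocolinfo or PlayOnline. The POLP field
layout and names are assumptions inferred from the two captures on this page.
"""
import re
import struct
from typing import Optional

# ---- Constructed samples (bytes taken from the captures on this page) ----
HTTP_REQUEST = (
    b"GET /pml/game/ff11/optional/oppm01.pml?df=6&ds=0&dt=-1 HTTP/1.1\r\n"
    b"Host: wh000.pol.com\r\n"
    b"User-Agent: PlayOnline-PML-Viewer/1.00 [en] (Windows XP)\r\n"
    b"X-POL-VIEWER-VERSION: Ver.1.18.11\r\n"
    b"Accept: text/x-playonline-pml, image/x-playonline-ang, image/png, image/jpeg, */*\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.26 Ben-SSL/1.48 (Unix)\r\n"
    b"Content-Length: 12336\r\n"
    b"Content-Type: text/x-playonline-pml\r\n"
    b"\r\n"
)
POLP_REQUEST = (                       # 68 bytes: the client request above
    b"\x44\x00\x00\x00\xdc\x1e\xc9\x91POLP\x03\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x01\x00" b"W20\x00" b"0001"
    b"\x20\x00\x00\x00" b"30081212_1/Direct/patch.txt.slc\x00"
)
POLP_RESPONSE = (                      # 60-byte header of the server response above
    b"\x3c\x00\x01\x00\x52\x92\xf2\x61POLP\x04\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x01\x00"
    b"\x20\x00\x00\x00" b"30081212_1/Direct/patch.txt.slc\x00"
)

# ---- HTTP pattern: PML viewer request / response ----
# Anchored to header lines so the same strings inside a body do not match.
UA_RE = re.compile(rb"^User-Agent: PlayOnline-PML-Viewer/", re.M)
CT_RE = re.compile(rb"^Content-Type: (?:text/x-playonline-pml|image/x-playonline-ang)\b", re.M)

def classify_http(stream_start: bytes) -> Optional[str]:
    """Classify the first bytes of a TCP stream as a PML viewer request/response."""
    head = stream_start.split(b"\r\n\r\n", 1)[0]     # headers only, never the body
    if head.startswith(b"HTTP/1.") and CT_RE.search(head):
        return "pol-pml-response"
    if not head.startswith(b"HTTP/") and UA_RE.search(head):
        return "pol-pml-request"
    return None

# ---- Binary pattern: POLP update frames ----
# Assumed header layout: u16 frame length, u16 flags, 4-byte id, "POLP",
# u32 type, 8 reserved bytes. Type 3 (request) then carries an 8-byte
# client tag ("W20\0" "0001" above); both types end with u32 len + NUL path.
POLP_HEADER = struct.Struct("<HH4s4sI8s")

def parse_polp(frame: bytes) -> Optional[dict]:
    """Return the decoded header of a POLP frame, or None if it does not match."""
    if len(frame) < POLP_HEADER.size:
        return None
    length, flags, ident, magic, ptype, _reserved = POLP_HEADER.unpack_from(frame)
    # Reject anything without the marker, or whose length field does not fit
    # the bytes actually present (truncated frame or unrelated traffic).
    if magic != b"POLP" or length < POLP_HEADER.size or length > len(frame):
        return None
    body = frame[POLP_HEADER.size:length]
    client_tag = None
    if ptype == 3:                                    # assumption: only requests carry the tag
        if len(body) < 8:
            return None
        client_tag, body = body[:8], body[8:]
    if len(body) < 4:
        return None
    (path_len,) = struct.unpack_from("<I", body)
    raw_path = body[4:4 + path_len]
    if path_len == 0 or len(raw_path) != path_len or not raw_path.endswith(b"\x00"):
        return None
    return {
        "type": ptype,
        "flags": flags,
        "ident": ident.hex(),
        "client_tag": client_tag,
        "path": raw_path[:-1].decode("ascii", errors="replace"),
        "payload_after_header": len(frame) - length,  # data following a response header
    }

def classify(payload: bytes) -> str:
    """Single entry point: POLP first (fixed offset), then the HTTP headers."""
    if parse_polp(payload) is not None:
        return "pol-update"
    return classify_http(payload) or "unknown"

if __name__ == "__main__":
    for name, sample in (("HTTP request", HTTP_REQUEST), ("HTTP response", HTTP_RESPONSE),
                         ("POLP request", POLP_REQUEST), ("POLP response", POLP_RESPONSE)):
        print(f"{name:14s} -> {classify(sample)}")
    print(parse_polp(POLP_REQUEST))
```

The HTTP regexes are anchored to header lines and applied only to the bytes before the blank line, so a response body that merely mentions "text/x-playonline-pml" is not classified as PlayOnline traffic; the POLP check refuses frames whose length field claims more bytes than were captured, which is the usual failure mode when a pattern is tested on a mid-stream packet rather than the start of a flow.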
l7-filter
Please add to this section.

