【暗影狂奔4E Unwired】 大规模探查、僵尸网络、代理脚本、拒绝服务攻击、团体袭击 P.100-102

[Cobalt 1号机]

大规模探查

黑客有时候希望快速获得一份看起来容易受到攻击的节点列表。大规模探查的功能非常类似于探查(参见探查目标，第221页，SR4)，但前者可以非常迅速地查询大量节点以找到最常见的系统缺陷。许多黑客在他们离线的时候使用代理自动化完成这个过程。大规模探查通常是创建僵尸网络的第一步；在获得了防御薄弱的节点的访问权后，黑客使用病毒或蠕虫渗入系统并建立僵尸机。

大规模探查是一个骇入+利用漏洞(4，1天)的延续检定。每一个超过阈值的成功都相当于5个节点上的一个可重用漏洞(参见上文的后门)；如果你想获得相当于一个合法账户的用户级访问权，将阈值增加3；如果你想要安保级别的访问权，将阈值增加9，对于管理员级别的访问权，将阈值增加16。检定中出现失误则表明其中一个节点是蜜罐节点(见第73页)。GM决定这些具体的节点是什么；通常情况是，它们是防御不力的系统，没有什么东西可以提供的，比如低等级的通讯链、公共终端和小型工作站。然而，后门不会永远存在，每周至少有2D6个账户会在安保升级或定期系统检查中被关闭。

与常规的探查不同，当黑客进行实际入侵时，目标节点得到两次免费的分析+防火墙检定，阈值等于入侵者的隐匿程序等级(或在代理或网精的情况下，他们的隐匿程序等级)；这个额外的检定代表了可能记录了探查的蜘蛛，在探查和入侵企图之间的时间内软件安全补丁的更新，以及防止大规模探查的其他安保措施的额外关注。

大规模探查永远不会发现隐藏的节点。

劇透 -   :

MASS PROBES

Sometimes hackers want to quickly obtain a list of nodes that appear vulnerable to their exploits. Mass probing functions a great deal like probing (see Probing the Target, p. 221, SR4) but queries a large number of nodes very quickly to find the most common system flaws. Many hackers automate this process using an agent while they are offline. Mass probing is typically the first step in the creation of a botnet; after gaining access to poorly defended nodes, the hacker uses viruses or worms to infiltrate the system and set up the bots.

A Mass Probing Test is an Extended Hacking + Exploit (4, 1 day) Test. Every hit over the threshold is equivalent to a reusable exploit (see Backdoors, above) in five nodes; for the equivalent of a legitimate account with personal access privileges, increase the threshold by +3; if you want security-level access, increase the threshold by +9, and for admin access increase the threshold by +16. Glitches on the test indicate that one of the nodes is a honeypot (see p. 73). The gamemaster decides what these specific nodes are; more often then not they are poorly defended systems without much to offer, such as low-rating commlinks, public terminals, and minor workstations. Backdoors don’t last forever, however, and every week at least 2D6 accounts are closed off in security updates or regular system audits.

Unlike regular probing, when a hacker makes the actual intrusion, the target node gets two free Analyze + Firewall Tests with a threshold equal to the intruder’s Stealth program rating (or in the case of an agent or sprite, their Stealth program); this extra test represents the additional attention of spiders who might have logged the probe, security patches updating software in the time between the probe and the intrusion attempt, and other security measures to protect against mass probing.

Mass probing never reveals hidden nodes.

黑客簿记

僵尸网络和大规模探查的一个问题是，玩家角色可以迅速积累大量被破解节点和大量的僵尸机——比GM打算要详细描述的要多得多。避免不必要的簿记和游戏拖延的关键是GM要提前计划，让玩家自己去操心大量的簿记工作。列出5个(或10个、15个)节点，这些节点可能是黑客特别感兴趣的，与任务特别相关的，或特别有趣的虚假线索；大多数被大规模探查破解的剩余节点将是家庭终端、学生通讯链，以及其他仅用于存储僵尸机或获取访问ID的节点。

劇透 -   :

HACKER BOOKKEEPING

One issue with botnets and mass probes is that player characters can quickly accumulate a lot of compromised nodes and a lot of bots— more than a gamemaster can be expected to fully detail at the table. The key to avoiding unnecessary bookkeeping and holding up the game is for the gamemaster to plan ahead and let the player worry about the bulk of the bookkeeping. Make up a list of five (or ten or fifteen) nodes that would be of particular interest to the hacker, are specifically relevant to the campaign, or are particularly amusing false leads; the majority of the rest of the nodes compromised by mass probing will be home terminals, student commlinks, and other nodes only useful as a place to store a bot or rip an access ID from.

[Cobalt 1号机]

僵尸网络

僵尸网络就像一个专用的VPN，允许黑客通过它来维护和管理大量的代理(或蠕虫)，而不会使她的订阅列表过载。代理程序与它们的有效负载的其余部分加载了无等级的僵尸网络程序的副本，并被加载到单独的节点以独立运行。从那时起，代理(或僵尸机)仅作为你订阅列表中的单个订阅者计算，它的活动程序不计入你化身的活跃程序限制。然而，与代理通信的唯一方式是通过僵尸网络。

僵尸网络程序包含一个所有在线并通过僵尸网络连接的代理的列表，用简单的状态符号表明它们的有效矩阵属性、当前矩阵CM、有效载荷、位置和它们正在执行的动作。黑客可以执行一个简单动作向僵尸网络中的任意数量的僵尸机发出命令(参见发出指令，第220页，SR4)。

僵尸网络可以像VPN一样被拦截、攻击或伪造指令(见第94页)。一个被入侵的僵尸网络会迅速导致另一个黑客“偷走”你的僵尸网络，将你锁定在自己的僵尸网络之外，甚至让它们攻击你。出于这个原因，僵尸机通常有一个加密程序以保护他们的通信，也可通过编程当如果遭受不成功的伪造指令或骇入时进行报告或直接关闭(由玩家自由决定)。你也可以通过进行一个你的骇入+分析对抗入侵黑客的骇入+隐匿的检定来检查你的僵尸网络是否被入侵；成功后你可以切断受影响的僵尸机，并拒绝入侵黑客使用僵尸网络的其余部分。

僵尸网络程序包含其处理者的访问ID，理论上允许其他程序追踪你(参见追踪，p.219，SR4)到你的源节点；大多数黑客使用代理服务器(第104页)或一次性通讯链来消除这种潜在威胁。僵尸机缺乏其他代理的独立性和适应性，其通信能力也比较有限——通常只会表示工作是否完成，是否受到损害，或者是否有人试图入侵它们而失败。

如果黑客使用大规模探查来放置僵尸机，由于安保升级和系统检查而丢失的帐户通常也会导致僵尸机被删除。僵尸网络还可以协助黑客进行大规模探查；僵尸网络中每一个携带利用漏洞程序的僵尸机添加1DP的正面修正到黑客的大规模探查检定中，最高加值等于该角色的骇入技能。

劇透 -   :

BOTNETS

A botnet is like a specialized VPN that allows a hacker to maintain and manage large numbers of agents (or worms) without overloading her subscription list. The agents are loaded with a copy of the unrated botnet program along with the rest of their payload and loaded into separate nodes to run independently. From that point on, the agent (or bot) counts as only a single subscriber on your subscription list, and its active programs do not count toward your persona’s active program limits. However, the only way to communicate with the agent is through the botnet.

The botnet program contains a list of all the agents online and connected through the botnet, with simple status symbols communicating their effective Matrix attributes, current Matrix Condition Monitor, payload, location, and what action they are undertaking. With a Simple Action, the hacker can issue a command (see Issuing Commands, p. 220, SR4) to any number of bots in the botnet.

Botnets can be intercepted, hacked, or spoofed in the same manner as virtual private networks (see p. 94). A compromised botnet can quickly lead to another hacker "stealing" your bots by locking you out of your own botnet, or even turning them against you. For this reason, bots typically feature an Encrypt program that protects their communications or can be programmed to report in or shut down if subjected to an unsuccessful Spoof or Hacking attempt (player’s discretion). You may also check to see if your botnet is compromised with an Opposed Test, putting your Hacking + Analyze versus the intruding hacker’s Hacking + Stealth; success allows you to cut off the compromised bots and deny the intruding hacker the use of the rest of the botnet.

Botnet programs contain access IDs for their handlers, theoretically allowing others to trace you (see Track, p. 219, SR4) back to your originating node; most hackers use proxy servers (p. 104) or disposable commlinks to negate this potential threat. Bots lack some of the independence and adaptability of other agents and have a more limited ability to communicate—usually only to signify if a job is done, if they take damage, or if someone has attempted to hack them and failed.

If a hacker is using mass probing to place bots, accounts lost to security upgrades and system audits will usually remove the bots as well. A botnet can also assist a hacker in performing a mass probe; add a 1 die positive modifier to the hacker’s Mass Probing Test for every bot in the botnet carrying an Exploit program, up to a maximum bonus equal to the character’s Hacking skill.

[Cobalt 1号机]

代理脚本

像IC一样，代理(包括傻瓜代理、僵尸机和无人机自驾)可以设定脚本(见脚本，第69页)，即当特定条件适用时他们所采取的动作列表。脚本可以让黑客(和GM)的生活更轻松，因为黑客可以花更少的时间来微观管理他们的代理或僵尸机。玩家和GM应该意识到，无论脚本有多长、多复杂或多详细，都无法处理代理可能遇到的所有情况。一些事件，比如遇到一个AI，可能是没有先例的，代理程序可能什么都不做——或者把这个事件错当成脚本中的另一个触发器。当不确定代理是否应该遵循脚本时(或在脚本建议两种相反动作的情况下)，让代理对由GM决定的阈值进行自驾+响应能力检定；如果成功，玩家将选择代理的动作，如果不成功，则GM将进行选择(参见发布指令，第214页)。适应性自动软件(第113页)可以协助进行这个检定。

劇透 -   :

AGENT SCRIPTS

Like IC, agents—including mooks, bots, and drone pilots can have scripts (see Scripting, p. 69), a list of actions that they take when certain conditions apply. Scripts can make a hacker’s (and a gamemaster’s) life much easier, as hackers can spend less time micromanaging their agents or bots. Players and gamemasters should be aware that no script—no matter how ridiculously long, complex, or detailed—can handle every situation in which an agent might find itself. Some events, like encountering an AI, might be without precedent, and the agent will do nothing—or mistake the event for a different trigger on the script. When in doubt about whether an agent should follow a script or not (or in a situation where the script suggests two contrary courses of action), have the agent make a Pilot + Response Test against a threshold determined buy the gamemaster; if successful the player chooses the agent’s action, if not the gamemaster does (see Issuing Commands, p. 214, SR4). The Adaptability autosoft (p. 113) may aid in this test.

傻瓜代理	花费乘数	可获得性修正
非受限代理	1.2	+2

劇透 -   :

Mook	Cost Multiplier	Availability Modifier
Unrestricted Agent	1.2	+2

是否使用傻瓜代理？

对于某些角色来说，特别是那些刚刚起步的角色，投资一个高等级的通讯链、操作系统和代理(傻瓜代理)来满足你所有的黑客需求可能更加划算。使用傻瓜代理并不违反规则，也不会破坏游戏规则，但玩家和GM都应该意识到这种情况的利弊。

当傻瓜代理被大量使用，或与僵尸网络相结合时，一个非黑客角色可以维持一小支代理军队，并在相对安全的AR界面上恐吓矩阵。然而，由于几个原因，傻瓜代理并不是黑客的完美替代品。对于初学者来说，代理实际上只擅长服从命令——即所谓的代理脚本(第100页)——而在独立处理决策方面不是很有用。有关这方面的更多细节，请参阅代理能力，第111页。

尽管如此，傻瓜代理还是很有用的，就像一只训练有素的狗——只需要指着目标，说“上”。它们在本质上也是可替换的——一个被毁掉了，装载另一个。然而，即使是一个高等级的傻瓜代理也不会像一个拥有良好技能、程序和正确殖装的黑客那样掷出那么多骰子。然而，作为第二梯队或后备计划，傻瓜代理当然是有意义的。但是，不要期望用一群复制的代理来围攻一个目标，因为它们内置的访问ID将使超过一个的所有代理都处于节点之外(参见自主程序，第110页)。

需要注意的是，商业上购买的合法代理具有内置的限制，这将阻止它们执行任何非法动作——这意味着即使它们加载了正确的程序，它们也不会执行任何需要骇入检定的动作，尽管GM可以规定对任何公然非法的矩阵活动的更广泛的限制。黑客可以通过进行软件+逻辑(13+等级，1小时)延续检定移除这些限制，也可以在没有限制的条件下自行编码代理，或者从其他黑客那里购买不受限制的代理。

傻瓜代理的主要缺点是，依赖它们的角色几乎永远不会发展他们团队的破解技能组，并将错过矩阵的大部分乐趣。

值得记住的是，玩家角色并不是唯一可以使用傻瓜代理的角色；如果非玩家角色缺乏矩阵技能，他们也会使用傻瓜代理，GM可以利用这一点。

劇透 -   :

TO MOOK OR NOT TO MOOK?

For some characters, particularly those just starting out, it may look like a better deal to invest in a high-rated commlink, OS, and an agent (the mook) to take care of all of your hacking needs. Using a mook isn’t against the rules, nor is it gamebreaking, but players and gamemaster should both be aware and the advantages and disadvantages of the situation.

When mooks are used en masse, or combined with botnets, a non-hacker character could potentially maintain a small army of agents and terrorize the Matrix from the relative safety of an AR interface. Mooks aren’t a perfect replacement for hackers, however, for several reasons. For starters, agents are really only adept at following orders— so-called agent scripts (p. 100)—and are not very useful at handling decisions on their own. For more details on this, see Agent Competency, p. 111.

Still, mooks are useful as a trained dog—just point at the target and say go. They are also inherently replaceable—one gets trashed, load up another. Even a high-rating mook won’t roll as many dice as a hacker with good skills, programs, and right implants, however. As a second-string team or backup plan, however, mooks certainly make sense. Don’t expect to use a mob of copied agents to gang up on a target, though, as their built-in access IDs will keep all but one out of node (see Autonomous Programs, p. 110).

Note that commercially-bought legal agents have built-in limitations that prevent them from taking any illegal action—broadly, this means they won’t perform any action that requires a Hacking Test, even if they have the correct program loaded, though gamemasters may rule this is a much broader restriction on any blatantly illegal Matrix activity. Hackers can remove these limitations with an Extended Software + Logic (13 + Rating, 1 hour) Test, code agents without them, or buy unrestricted agents from other hackers.

The main drawback to a mook is that a character that relies on them will almost never develop their Cracking group skills and will miss out on most of the fun of Matrix.

It’s worth keeping in mind that player characters aren’t the only ones that could use mooks; non-player characters are as likely to use a mook if they lack Matrix skills, and gamemasters can use that to their advantage.

[Cobalt 1号机]

拒绝服务攻击

拒绝服务(DOS)攻击是一种阻止合法用户访问特定节点，甚至整个矩阵的方法。切断特定节点的通信可能是一个敲诈勒索计划的开始，也可能是在黑客忙于处理某个节点时，试图阻止外部增援进入该节点的努力。更简单的情况，DOS攻击可以阻止某人使用他们的通讯链呼救，或者在他们的载具中时获取导航。合法用户无法访问的设备更容易受到欺骗，因为合法用户无法抵消给它们的指令。

大多数DOS攻击的焦点是节点的活跃帐户列表；通过编辑列表，黑客可以切断连接(参见终止连接，第223页，SR4)。黑客还可以指示节点阻止来自特定节点或访问ID(或一系列节点/访问ID)的未来访问连接请求，将目标锁定在外面。为了做到这一点，黑客必须访问节点，如果他们有安保或管理员权限则并必须进行计算机+编辑(1)检定；或者如果没有，一个骇入+编辑(2)检定。假设你有安保或管理员权限，在软件+编辑(1)检定成功的情况下，也可以删除账户(如果是活跃账户，则必须先终止该用户的连接)；或者如果你没有的话，骇入+编辑(2)检定。

有许多其他的方式来完成DOS攻击：干扰无线设备，切断物理网络上的硬线，或改变路由以阻止进入或离开目标节点的流量，都可以完成相同的任务。导致系统崩溃也可以达到同样的效果，尽管只能影响系统重新启动所花费的时间。

劇透 -   :

DENIAL OF SERVICE ATTACKS

A denial of service (DOS) attack is a method of keeping legitimate users from accessing a specific node, or even the Matrix at large. Cutting off traffic to a specific node could be the beginning of a plan for extortion, or an effort to prevent outside reinforcements from entering a node while a hacker is busy working with it. More simply, a DOS attack can prevent someone from calling for help using their commlink or from getting directions while in their vehicle. Devices that a legitimate user cannot access are much more susceptible to spoofing because legitimate users cannot counteract the orders given them.

The central focus of most DOS attacks is a node’s active account list; by editing the list a hacker can sever a connection (see Terminate Connection, p. 223, SR4). A hacker can also instruct the node to block future access connection requests from a particular node or access ID (or a range of nodes/access IDs), locking the target out. To accomplish this, the hacker must have access to the node and must make a Computer + Edit (1) Test if they have security or admin privileges; or a Hacking + Edit (2) Test if he does not. Accounts may also be deleted (if active, the user’s connection must be terminated first) with a successful Software + Editing (1) Test, assuming you have security or admin privileges; Hacking + Edit (2) Test if you do not.

There are many other ways to accomplish a DOS attack: jamming a wireless device, cutting the hardlines on a physical network, or changing the routing to prevent traffic in or out of the target node all accomplishes the same task. Causing the system to crash can also achieve the same effect, though only for the amount of time it takes the system to reboot.

分布式拒绝服务攻击(DDOS)

黑客也可以使用僵尸网络(第100页)来执行一种拒绝服务攻击，这通常比直接入侵目标节点更容易完成。即使在2070年，节点可以同时处理的数据传输和访问请求的数量依然是有限的，尽管这很少成为问题。执行分布式拒绝服务攻击(DDOS)攻击的黑客试图通过僵尸网络以各种流量淹没节点。

大多数情况下，DDOS攻击需要一个大规模僵尸网络。对于标准节点，每有系统等级x4个试图用流量淹没它的僵尸机，将目标节点的响应能力减少1。例如，一个拥有系统等级5和响应能力5的节点，如果受到来自一个拥有100个僵尸机的僵尸网络的DDOS攻击，它的响应能力将被减少为0，冻结该节点上的所有活动。即使该节点被重新启动，它也会在再次启动后受到流量的猛烈攻击，直到DDOS攻击结束。

受到DDOS攻击的节点有三种选择。首先，它可以欺骗自己的访问ID，这样DDOS攻击就再也找不到目标了。该节点必须处于离线状态(未与其他节点链接)，才能切换访问ID。其次，它可以尝试阻止僵尸网络访问ID的访问，或尝试过滤掉所有洪水流量。后面这些选项的成功与否主要取决于GM的判断。

劇透 -   :

DISTRIBUTED DENIAL OF SERVICE ATTACKS (DDOS)

Hackers can also use botnets (p. 100) to perform a form of denial of service attack that is generally easier to accomplish than hacking the target node directly. Even in the 2070s, nodes have limits to the number of data transfers and access requests they can handle at once, though this is rarely an issue. A hacker performing a DDOS attempts to overload the node by having a botnet flood it with traffic of all kinds.

In most cases, DDOS attacks require massively large botnets. For standard nodes, reduce the target node’s Response by 1 for every System x 4 bots flooding it with traffic. A node with System 5 and Response 5, for example, hit by a DDOS attack from a botnet with 100 bots, would have its Response reduced to 0, freezing all activity on the node. Even if the node is rebooted, it will be slammed with traffic as soon as it starts again, until the DDOS attack ends.

A node under DDOS attack has three options. First, it can spoof its access ID, so that the DDOS can no longer find its target. The node must be offline (not meshed with other nodes) to switch access ID. Second, it can try to block access from botnet access IDs or attempt to filter out all flooding traffic. The success of these latter options is largely up to the gamemaster’s discretion.

[Cobalt 1号机]

团体袭击

团体袭击是指一队黑客集中他们的资源来入侵一个特定的系统。从功能上讲，团体袭击是通过团队协作检定探查目标(参见探查目标，第221页，SR4)。黑客和超链者可以一起进行团体袭击。如果检定成功，所有参与检定的黑客都可以访问该节点。代理和网精不能直接参与团队检定，但每个协助的代理或网精可以在主要角色的骰池中添加1个骰子(最多+5)。

劇透 -   :

MASS ATTACKS

A mass attack refers to a team of hackers pooling their resources to hack a particular system. Functionally, a mass attack is Probing the Target (see Probing the Target, p. 221, SR4) with a Teamwork Test. Hackers and technomancers can work together on mass attacks. If the test is successful, all of the participating hackers gain access to the node. Agents and sprites cannot participate directly in Teamwork Tests, but add +1 die to the prime character’s dice pool for each agent or sprite assisting (maximum +5).

代码僵尸大军！

通过僵尸网络和团体袭击，玩家可能想知道为什么黑客不简单地派遣一个又一个代理去攻击一个节点。从统计学上讲，在某一时刻，骰子会掷出6，你就可以自由了。所以为什么要浪费时间和精力策划一次骇入呢?

首先，具有相同访问ID的僵尸机将被阻止同时进入同一个节点(参见自主程序，第110页)。即使他们有不同的访问ID，安保黑客也不傻。虽然前两到三个代理可能会被当作小孩子的玩闹或试图突破防火墙的垃圾邮件发送者而不予理会，但重复的尝试(特别是如果代理是相同的副本或来自同一节点)将引起怀疑，进而触发活跃警报或吸引安保黑客调查并可能会追踪违规代理的来源，这些代理将被从节点的订阅账户列表中删除，两者之间的所有连接都将被拒绝。

暴力破解方法——在矩阵战斗中派出一组代理强行通过一个节点——很少有效。大多数节点会迅速终止代理的连接和/或引入大量的IC来应对入侵者。因为它们缺乏真正的智能，代理通常容易受到简单策略的影响，比如破坏他们正在使用的程序。一旦解除武装，代理就会成为安保黑客和IC容易对付的目标。

那么掌握大量的代理有什么意义呢？代理可以方便地同时出现在比你的通讯链所允许的更多的地方，可以帮助应对DOS攻击，还可以自动执行大规模探查和数据搜索等操作。精明的黑客更喜欢在使用自己的额叶上线来骇入节点之前，先看看代理对节点的表现如何。在必要时刻，代理也是确保你在矩阵战斗中拥有数量优势的好方法。

劇透 -   :

ARMY OF CODEZOMBIES!

With botnets and mass attacks, players are probably wondering why hackers don’t simply send agent after agent to hack a node. Statistically, at some point the dice will roll sixes and you’ll be home free. So why waste the time and energy planning a hack?

First, bots that have the same access ID will be blocked from entering the same node at the same time (see Autonomous Programs, p. 110). Even if they have different access IDs, security hackers aren’t stupid. While the first two or three agents might be dismissed as kids playing around or spammers trying to break through a firewall, repeated attempts (especially if the agents are identical copies or from the same node) will rouse suspicion, triggering an active alert or drawing a security hacker to investigate and possibly trace the source of the offending agents, which will be removed from the node’s subscriber list and all connections between the two refused.

Brute force methods—sending a group of agents to force their way through a node in cybercombat—are rarely effective. Most nodes will quickly terminate the agents’ connections and/or bring in large numbers of IC to deal with the intruders. Because they lack true intelligence, agents are usually susceptible to simple tactics like crashing the programs they are using. Once disarmed, agents are easy game for security hackers and intrusion countermeasures.

So what’s the point in having massive numbers of agents on hand? Agents are handy for being in more places at once than your commlink allows, for helping with denial of service attacks, and for automating actions like mass probing and data searches. Savvy hackers prefer to see how well an agent does against a node before they put their own frontal lobes on the line trying to hack it. In a pinch, agents are also a good way to ensure you have numbers on your side in cybercombat.