I don't think so. You don't need any skills to fire up your Agents and send them forth.

As long as he can get the necessary level of access and has programs not on the node that he wants to run stored in physical storage he has access to, I don't see why not.

Assuming the TM doesn't have Hacking or the Exploit complex form, you can Default Hacking with the -1 penalty and thread Exploit to "Hack on the Fly" in an extended hacking+exploit (Firewall, 1 IP) extended test (FW + 3 for security access and FW +6 for admin). In this case, getting your threaded Exploit - 3 (- 1 die for defaulting, -2 dice for sustaining the threaded form) each IP, so you need at least 4 net hits for threading to even have a chance. You won't have much of a chance, but it can, theoretically, be done.

Thanks for the corrections, I knew I was on the right track.

I appreciate it.

Distributed Denial of Service attacks (DDoS) on current day websites envlove getting thousands of "users" to all login at once and overload a target system. They don't require admin access, but attempt to choke bandwidth and server resouces.

This is modeled in SR4 by lots of Agents entering the same node. There is no mention of personas causing Reponse issues, but instead Agents. This model allows an infinite amount of users, but only a limited number of "free thinking" programs (Agents) to draw on it's resoueces.

I like the idea of being able to do this and I don't see the need to restrict it since you'd need to get all those Agents into the system in the first place by unloading yourself or having them Hack in themselves.

DDoS-2070: (aka ZombieArmy)
Agent (Pilot-3+)
Exploit-3+

DumpBot: (Persona dumped)
Agent (Pilot-1)

That depends on it's role, see Device Rating Table and funds of the owner.

It means it has the first four at 6, and Signal at whatever fits per Signal Table.

It's a checkstick, no real interface included.

Infinite - running too many may cause them to be ineffective, though.

Infinite - running too many may cause them to be ineffective, though.

Because exceptions kill any rule.

Because it's just one program.

No, they do count against the inherited Response of the IC/Agent.

Not at all... except RP.

You didn't even touch the real problem: Connections.

At first, the rules state you can only run your Persona on Systemx2 Nodes simultaniously... which is fine. Then that changes to connections overall.

Which causes any server to accept... a dozen connections at best.
Even with the castrated half-open connections max of WXP SP2, you can still have hundreds of the with any normal PC, today.

Basically, this results in applying the Systemx2 limit only for Persona Access, and handwaving the rest.

Not if they're well defined. A rule that fits every occasion perfectly is of course optional, but rarely possible.

The problem is not as much as when they apply... it's about remembering them in the first place.

At which point SR4 allows judgement calls... which is more flexible, yet requires more experience/trust.

From what I remember, there is nothing limiting or degrading a node's performance by having more and more people access it currently described in the rules. It does mention that you are limited to System X 2 nodes, agents, and drones that you can simultaneously access, but nothing about how many people can be reading a node at the same time, so the effect of a current day DDoS attack is not described in the rules. It does mention that a subscription list can be practically unlimited in size, but you can only subscribe (I think it means link or actively subscribe) to so many at once.

As I read it, the only way to degrade a node's response is to load more and more programs, be they agents, hacking tools, common use programs or what not, and that would require you to gain access to the node and make it run programs. If that's the case, an agent only affect the node it can be traced back to, not the ones it accesses (so if a hacker loads an agent on his Response 5 commlink sends it out to a Response 3 system before logging off, it would still be at a Response 5).

I kind of see wireless like this:
you can have 1 person shouting to 1 or 1 million and the only thing that affect whether they hear you is distance (signal strength) so as many people are in range can read a what a node
if 100 people are shouting different things, you can only make out one or a couple at any given time (active subscription or linking limit) but you can change you you focus on at any given time
If you are shouting back and forth, both have to focus on listening (you both count against the linking limit of the other)

I'd apply all this to any single device and consider mainframes meshed networks, many devices completely interconnected but acting as 1 device with a common set of attributes, which then allows an expansion of the # of programs and interacting users, but doesn't increase the system, response, or firewall rating.

That means you just removed the 'hard' limit to implement a 'common sense' limit... which would be around... not more than a handfull of them?
Six of one, half a dozen of the other.

A device should, too. Otherwise, the whole AR concept breaks down in DoS.

They do already count... to the Response of the IC/Agent, which degrades it's effectiveness very quickly, as any Program it owns must be running.
Slapping them onto the device results in immediate DoS dropout.

No real reason for that - that's what the System+Firewall is for, initally... if one does try to exceed one's right, it fails and gets reported anyway.
Using RL analogies, even a home gateway running linux has a fullblown right managment system.

I think you missed my point: Personas don't effect reponse, but Agents do.

PS - I fixed my typos in the quote.

No I think that 3 IC in one system should almost be the maximum. Add more and you have super tight, unhackable security. Nobody can defeat 3+ IC of about equal rating. You may as well log off.
Furthermore I sacrifice the "hard" limit due to balancing considerations. (see beyond)

No problem with this. I dont really see what should be unbalanced if you completely skip that rule.

The agent uses the nodes response. They dont have independent response. Furthermore you are multiplying total response if you grant every agent his own response and lower it only when the number of programms activated by the agent exceed his response. For example,you can run a total number of 36 programms on a node of response 6 without lowering response if you pack them into 6 agents. But you can only run 6 programms without lowering response if you let them run without agents.
This sounds illogical.
But the main problem is balancing. I do not want to let players or npcs run 6 agents with 6 programms on their raiting 6 commlink. This collides with my consideration, that 3 IC should be almost the maximumin security.
On the other hand, if I count each programm seperately I get something which is quite consistent AND is quite good for the game balance.

You mean that everytime you attempt an illegimate action and fails, this is reported, and no other firewall+analyze actions by the node are needed? That would be perfectly OK for me. (Although I cant finde any statement in the rules, that every hack action is an opposed test between hacking+programme vs system+firewall).

Thanks again for the comments.

Good explanation. But my problem with the whole degradation buisnes is the following:

If an agent counts only as 1 programme, players and NPCs can make their comlink into IC castles. I do not want that for balancing reasons. There is no way to handwave this, as players need rules to know what they can do with their comlink and what they can not.

So I have to rule, that each program in an agent counts towards the response limit, to keep players from building the aforementioned ICbergs. But now I have a problem with matrix nodes. They should be able to be preotected a little better than mere comlinks. Thats why I skip the degradation rule there, and fortunately I can do this, because I am now in the region where players will never go (meaning ruleswise, they will most likely never design matrix hosts). I can handwave IC numbers by introducing traffic arguments and such.

After all I am just looking for rules with the following baselines:

Rules that comlinks even of response 6 can not be loaded (without a severe response hit) with more than 2 agents containing 6 programs at max.
There cant be more because I can not handwave agruments that not all available agents are not launched immediately. Nobody can face more than 2 such monsters at once,and I want to give players achance, that want to hack commlinks of NPCs, that have such a configuration (why shouldnt they, when they players can do it).

Handwaving arguments that normal Matrix nodes have about 2 IC with 4 programmes, and extreme high security nodes have about a maximum of 4 IC with 6 programmes. Furthermore I need handwaving arguments that not all the IC is loaded immediately but in a way that adds more to the tension of a good hacking experience (like a tracing routine IC first, and if it is crashed an attacking IC and then a black hammer IC and such). With the normal rules there is no reason to not load all the IC at once. Thats why I need handwaving there.

The combination of:
"Programmes in agents affect response" and "matrix hosts do not care about response reduction" delivers the baseline I want. The rest is just fluff tailored to fit this baseline.

Speaking from play experience:

You are worrying waaay too much.

Usually, IC will never even spot an intruder - Stealth is tough to beat on Matrix Perception tests.
Even if it would, nothing prevents a hacker using Agents, too.

It's a bit like letting guards patrol alone...

PS: The real ugly thing are data bombs.

Didn't i warn you about trying to make sense of SR computing? Actually there is some handwaving to deal with this, but you should probably drop a microdot before attempting to read it. So get ready, and make sure you stay away from the brown blotters with the Mickey Mouse stencil, people are getting really bad trips off those:

An Agent is it's own program space, with all the programs that it is running integrated within that. This works because it only has one or two programs doing things at any given moment. A persona has no program space of it's own, which is why it doesn't take up a slot. So any program loaded for use by the persona must have it's own program space. Why not, then, just have a program space to load all the programs into it for a persona? Because that adds an extra layer of interface that would require extra communication interaction in the same way that you have to spend an action to tell an Agent what to do and then there is another action spent for the Agent to do it.

Now just meditate on that while you listen to the chirping of the gecko pattern on the wallpaper.

You should definately read the "Idiots guide to Matrix 2.0" thread.

There they argue, that if the IC wins in an pilot+analyze vs hacking+stealth test, they IC has sucessfully uncovered the hacker as such, a hacker with faked permissions.

Thats what I am fighting against. This idea is pertly backed up by the patrolling IC paragraph on p. 222.

And the chances to lose a for example 10 vs 10 dice opposed test are not low, 41,4%.
Thats why I do not want IC that is constantly scanning everything and uncovering hackers with this opposed test.

Still, there is lots n lots of confusion about the matrix rules out there . . .

BTW:Agents are bad. They highten the danger of beeing detected, and when you are detected, the matrix run is mostly over. I think agents are mostly for doing stuff for you in a node when you have left.

Well, maybe I could.

Basically, that is correct.
Keep in mind that if the IC tries again before a certain intervall, it will lose dice.

Sure... some action is good.
Any hacker with about two to three runs will have Response 6, though, and most Node will run around 4.

That's a necessity, in fact - as there are no more security tallies.

Only if you run them on the Node... if they run in your Persona, they count as Programs and are only detected if you are, anyway.

So what? Scanning IC or System+Firewall?
I would substitute a an analyze+firewall(stealth) test everytimea hacker performs an illegitimate action for the security tallies. No need for analyzing IC.

Btw: The chance of losing a 12 vs 8 (hacker skill 6 stealth 6, vs pilot 4 analyze 4) are still 20%. Add the standard assumption that IC counts only as 1 programme, and you have 3-4 of these scanners in a 4 node. That gives you a 50%-60% chance of being detected (3-4 times 12 vs . Too high for my taste. A 4 node should be fair game for a 6/6 Hacker (at least 80% propability to hack in, perform 3 actions and log out undetected)

Both.
Initial and long term difficulty.

3, if you have Analyze running.
Less if you want Agents performing tasks.

The key question deciding that is - how 'often' does IC patrol?

I don't think I missed it, but mine got lost in all the stuff I typed.

Mine was that, as I understand it, Agents only slow down the node they originate from, not the node they are currently in (unless it it the node the originated from). So sending a bunch of Agents to a node won't slow it.

That seems to fly in the face of other's current thinking. Certainly mine. That when the Agent moves (you are talking about an independant Agent, right?), it completely moves including all it's proccessing and memory usage.

I know the rules are kinda vague in that area, but could your give the rundown on the reasoning behind your take? Or is there something that is in the "Idiot's Guide to the Matrix 2.0" better explaining that position? If so could you link me to a good entry on it. I stopped reading it some time back when the swirling vortex of mush got above my threshold, and i'd rather not try sort through a couple hundred posts to try find it.

If there was still an Agent to controller subscription in place they could track back on that, similar to someone tracing back from a drone. But if the Agent is out there operating on it's own and not reporting back (and wasn't given information about how to contact with the originator that you could extract out of the Agent somehow) then they'd have to try trace the Agent's movements through datatrails to see where it was initially spawned (i think it would leave a datatrail). Even then that location need not be the true originator's commlink as you can spawn an Agent in any node you have access to.

At that point i think the rules get very nebulous as to whether they could check the node's log to see if they could figure out who spawned the Agent. My best guess as a GM would be an Analyze by the tracker with lots of hits might overcome the efforts of the originator trying keep his identity hidden, and that would pick up the datatrail again (i think, maybe, but maybe not if the persona is no longer there).

So yup, it's tough to track back the perp of a worm Agent. And that is basically what a malicious independant Agent is, a worm.

Hrmm, didn't think of that. Maybe. Though as i mentioned earlier in the thread i read the Trace action acting on an active persona as all occuring from the node where the persona is being tracked from. So until the IC finds the end of the trail they don't leave their home node.

When they do find the end of the trail they pass the location onto a meat-world security team and then pull out the can of whoopazz to knock out the intruder's meat body or maybe even hop to his node if his physical location is moving so it can try to disable whatever vehicle he is moving around in.

So far in game we've just winged it. Nobody else at my table has nearly the same depth of background in computers as me, so in play it tends to be much lighter and fluffer than these indepth rules senarios.

That assumes that every Node in that chain allows Access... otherwise, that Node would have to be hacked to continue tracking.

Maybe. But because they are following the live packets themselves, in the same way that you don't need to hack into a node to use it to relay your signal (assumed) you should be able to follow the signal.

In fact once your persona moves out of the intermediary device and on i'm not sure there is a guarantee that that device is even used for relaying. In the same way that the current internet does not guarantee a path of travel for a specific packette, the Matrix could be adjusting . Being wireless, and therefore having even more potential routes, i'd expect this to be even moreso.

Except for some specific chokepoints going into or out of facilities where it switches from wireless to a fixed path for security perimeter reasons, but those are very unlikely to be low rating devices.

So just hoping your persona into a rating 1 Device first and then hoping onto the target system is no guarantee that your active path of packets from the traget system is going to flow through that rating 1 Device.

However when following a cold trail, where you have to check for arrival and departure in the logs, that might be true that the Agent has to hop into the device to get access to that. I'd still be inclined though to treat it like a Matrix Search and let it be done remotely (if you didn't let Search be done remotely a rating 1 Device would become fairly secure from Agent searches ).

Because of the range limitations of a low signal, i evision part of the protocol that each device do it's Matrix good citizenship duty by being willing to forwarding towards the nearest known hub node or the destination device/node the packets without requiring any sort of login. Yes this is somewhat different than the more fixed heirarchy of the internet, but the internet doesn't include as valid world addresses things with the kind of limited range that the Matrix seems to, nor does it have the Matrix's seemingly universal transmission rates.

Thus my point about it requiring processing power and specific programs, which proxy/firewall/anonymizers do. If you are trying to use a rating 1 device that has some other type of use it's going to suck going through it. There aren't specific rules because it falls somewhat outside the core's range of explaination. If someone tried to argue that it was crippling IC by them going through like that it is clearly an excellent place for the GM to use a great big "nuh-ah". Perhaps even inflicting a bit of physical pain on the player via thrown dice?

Remember also that such a system would be very easy to exploit to get it to cough up the anonymizer patch list. A lot better idea would be to use a hard to get into system (perhaps one that is partially trusted by the target system) that was protected with IC, sprites, or some other watchdog to protecting the hop. As a GM i would generally add those as steps that the hacker realizes they must do just to have any chance of success. But even then for a live connection the i see the Trace program sniffing the traffic going in and out to try track without having to log into the node itself.

Really all that fancy stuff is already abstracted into the Track action, page 219, quite neatly as things that a decker and their Stealth software would normally be trying to do. So as such it makes great fluff, and can be used by the GM to add spice (both crunch and fluffwise) to a run on a host by making certain hops defacto mandatory. Or perhaps giving IC bonus dice to their Track action or for the target system to notice the illegal login attempt from an untrusted system if the decker chooses not to do the intermediary hop(s).

That may or may not be so - it is not specified. However, it is quite secondary on the question at hand.

You might want to prove that.

That doesn't really matter - it costs time... the time you have to pull the plug.

As the rules are pretty explicit about hackers having success without any hops at all, that does not really impress me.

Not really... it would make Track allmighty.
Aside from being able to track Damien Knight back to his personal office, it would be the ultimate exploit.

Stealth does not relay traffic - Stealth disguises it.

Again, there is nothing to find about that being mandatory... in fact, it's rather the exception than the rule.
As Anonymizer Hosts popped up in Matrix, I expect such tricks to be featured by Unwired.