Attacker’s AC effect on pummeling attacks

On page 72 of the DMG under Pummel – Base Score to Hit, it says

Attacker’s AC, per point, with negative AC being treated as positive by type* +1% …

* Magical protections such as rings … do not count as AC, so ignore them; encumbrance = AC 10

I take this to mean if the attacker is unarmored, they have a 10% bonus to their attack roll. Plate Mail gives a 3% bonus. Cool, got it!

My questions are as follows:

  1. If I have a dexterity bonus of -2 to my AC, does that lower my chances to hit by 2%?
  2. What is "positive by type"? Does an AC of -1 from enchanted Plate Mail +4 just give the Plate Mail bonus of 3%?
  3. Do magical bonuses from armor or shield affect this calculation – they aren’t rings or bracers?
  4. Does the attacker being encumbered (by how much?) give a 10% bonus regardless of what armor they are wearing?
  5. Why didn’t Gary just hire an editor (You don’t have to answer this one 😛 )

Distinguishing attacker’s leaked IP address out of many VPN servers

Imagine the case wherein a hacker failed to correctly set up his/her cheap VPN, which caused connection drops and ultimately led to IP address disclosure. He or she made many requests, and a few of those VPN-made requests came from his or her own IP address.

What can be done to distinguish his IP-address from the VPN servers?

Website attack: What is the attacker’s goal?

A bot network(?) has been after my website for quite a while now. Here is a breakdown of what they do:

  1. They register several accounts using random characters for building a first and last name which look like this:

    HludvkxTGVIwP oBScrLdvJ AicSJbYk uWrVKZtSdTNAv ... 
  2. The email addresses used for these profiles seem to be valid email addresses from real people, but I cannot say whether they are just used by the attacker or if they have actual control over those addresses. What I do know, though: the emails are never confirmed by the link sent to those newly registered accounts.

  3. The attacker then goes to the password retrieval page and sends "new password" requests which is weird as I think they don’t receive the answer because of the lack of control over the email used in the profiles created …

I would like to understand what the attacker is trying to achieve in order to evaluate if this is a threat. Why would they send password requests for an account they created themselves a minute ago?

The IP addresses change all the time, so it seems to be a network.

How does lodestone lure work if the attacker’s moved away from the target?

The level 3 battlemind discipline lodestone lure, an at-will attack power, has the following entry:

Hit: Constitution modifier damage, and you must pull the target 1 square. Until the end of your next turn, the target can move only to squares that are adjacent to you. (Psionic Power 37 and updated by errata; q.v. here)

I don’t know to what degree that second sentence should limit the target. I use should limit rather than just limits because my research shows that opinions on how the power works are varied, controversial, and sometimes heated. And, as Wizards of the Coast itself is unlikely to clarify or issue further errata for the lodestone lure power at this point, I look to experienced users for help in determining a balanced reading of the power. Here balanced means that the power’s impact on the game approximately equals the impact of the class’s other powers of the same level.

The Scenario

On her turn a level 3 battlemind takes a standard action to use the at-will discipline lodestone lure on a target 2 squares away. The battlemind pulls the target adjacent to her (as the power’s erratum now says that she must). Then, by whatever means, the battlemind travels 2 or more squares away from the target. On the target’s turn, what’s a balanced way for the target to behave? Here are some options:

  • Essentially immobilized. A typical target is immobilized in all but name. That is, no matter where the target’s movement would take it, its first square of movement won’t move it to a square adjacent to the battlemind so the target is stuck where it is unless either it can move without moving (e.g. by teleporting) or it is moved via forced movement. This reading is mentioned in a Penny Arcade forum thread here that contains strong language. Consensus there seems to be that this reading, while possibly being technically accurate, isn’t balanced (see above). Even as a new 4e player, I tend to agree, but I’m not 100% sure if that thread’s assessment is correct.
  • Like a charge but not. A typical target can move normally except that each square of the target’s movement must bring the target closer to the battlemind, much like a creature making a charge. This reading is mentioned in an RPG.Net thread here that gets heated. Note that a user in that thread says that Wizards of the Coast customer service agrees with this reading. I absolutely believe that that’s what the user was told, but I don’t know how much weight an anonymous Wizards of the Coast customer service representative’s ruling carries in the Dungeons & Dragons, Fourth Edition community. (To be clear, I’m used to the Third Edition community where that weight is 0 lbs.) This seems balanced enough to this new 4e player, but that isn’t what the power actually says that it does, and the disconnect makes me wary.

Those were the options that I found, but I’m certain that other readings of the power are possible. Users should feel free to have their answers address alternatives. In sum, what reading of the lodestone lure power is balanced? Further, how can the lodestone lure power’s Hit entries be rephrased to reflect a new balanced reading?
Note: When assessing that second bullet’s reading, please also consider what happens if a target is affected by multiple characters’ lodestone lure powers simultaneously.

Can GET Requests with Spring Rest controllers be intercepted by attackers?

I’m building a Spring app and a React app which also contains Chat functionality. I use WebSocket with RabbitMQ as message broker.

I store the chat history as encrypted messages with AES, and before I send them to the client, I decrypt them. So I’m wondering if someone could “intercept” the GET request and actually see the messages? I use JWT as authorisation, so to get the messages, the user of course has to be logged in. Also is it better to decrypt the messages in the backend or send the key and encrypted messages to be decrypted in the frontend?

I know it’s better to use a hybrid of AES and RSA, and to send the private key with SSL, however, this is just for a bachelor thesis so writing about it in the report is “good enough”. I don’t have enough time to implement the hybrid version. I do however want to keep the chat the most secure I can.

So really my questions are: Can GET requests be “captured” by attackers even when you have to be authenticated to call the requests, and since I have to use symmetric cryptography, is it better to decrypt the messages in the backend or to send the key and encrypted messages to the frontend?

Why do Invalid Host header errors exist, what are attackers trying to achieve?

I have recently launched a new Django-based API, and quite quickly I started to receive INVALID_HOST_HEADER SOME RANDOM URL errors. My understanding is that this is caused by somebody manually changing the HOST header, or proxying my API through some other domain.

This is probably a basic question, but what is the point? What are they trying to achieve? Presumably it’s not a regular MITM attack, because it would be easy enough to correct the HOST header on its way out of the middle server, and they’re not doing so.

Does the Armor of Agathys spell still damage attackers if you have temp HP from another source, such as the Dark One’s Blessing feature? [duplicate]

This question already has an answer here:

  • How does Armor of Agathys interact with getting temporary hit points? 3 answers

Recently, I played a warlock in a 5e one-shot. We were playing at level 7 and I was a Pact of the Blade warlock with the Fiend patron. As a Fiend Warlock, I have a feature called “Dark One’s Blessing”:

Starting at 1st level, when you reduce a hostile creature to 0 hit points, you gain temporary hit points equal to your Charisma modifier + your warlock level (minimum of 1).

The description of the Armor of Agathys spell reads:

A protective magical force surrounds you, manifesting as a spectral frost that covers you and your gear. You gain 5 temporary hit points for the duration. If a creature hits you with a melee attack while you have these hit points, the creature takes 5 cold damage.

At Higher Levels. When you cast this spell using a spell slot of 2nd level or higher, both the temporary hit points and the cold damage increase by 5 for each slot level above 1st.

The situation was that there was a pack of ‘minions’ (4th-edition term, I know… but they were low-AC 5 hp monsters that died in 1 hit most of the time) attacking my group. The dragonborn wizard knew Fly, and grabbed the halfling and flew out of reach of the group of minions; I was left there with Armor of Agathys cast on me at level 4, so I had 20 temp hp and did 20 damage to each minion.

The question comes from the functionality of Temp HP (THP)… It does not stack. Instead, you must choose which set to acquire, either keeping the THP you currently have or using the new number provided by whatever is trying to give you more THP.

Once I was below 20 THP from the attacks made on me by this swarm of minions, I started taking the 10 (warlock level + CHA mod = 7 + 3) THP provided by Dark One’s Blessing. After rereading Armor of Agathys today, I noted it says ‘while you have these hit points’… leading me to believe that choosing to take the 10 THP from Dark One’s Blessing would remove the Armor of Agathys and its damaging capability.

TL;DR

Does Armor of Agathys only work if you have THP from the spell specifically, or does it still work if you gain more THP from another source (like from Dark One’s Blessing) while the spell is still active?

Mathematically, is a +2 bonus to AC better than attackers having disadvantage?

Mathematically speaking, I’m trying to determine if Bracers of Defense (AC+2) is better than a Cloak of Displacement, which causes all attackers to have disadvantage on attack rolls against you.

If it’s pertinent, I’m a monk, my character level is 15, and my AC without the bracers is 18. I don’t have any other sources that will consistently impose disadvantage on my opponent’s attacks. I’m trying to choose between these two items and I’m trying to determine which one would ultimately result in less loss of HP.

It’s been too long since my high school statistics classes, so I’m finding the advantage/disadvantage statistics threads too hard to follow, and they don’t really take AC into account.

How do attackers hit a website with thousands of similar but distinct IP addresses?

I have a website that is being hit with invalid URL requests by thousands of distinct IP addresses, never the same one used twice. Most of them are in a few ranges of IP addresses and often just go up sequentially.

Could this be a zombie botnet of compromised devices, or is it possible the attacker is spoofing these addresses?

The clustering of IP addresses into a handful of ranges seems inconsistent with what I would expect from random devices across the world being compromised and part of a botnet.

User agents are all legitimate and quite varied, but I know that is simple to spoof.

It doesn’t feel like a DDOS attack as it is “just” a few thousand per hour. If they really wanted to DDOS it seems like they would crank the volume up more. Once I adjusted some exception handling I was able to get my server to resume being responsive to legitimate use.

I suspect it is a malicious (poorly constructed) crawler/spider.

Is IP address spoofing easily done and common now in these scenarios?