in the future will opers need to have more control?

Discussion of EFnet's IRCDs (hybrid, ratbox, csircd)


leeh
ircd-ratbox coder
Posts: 48
Joined: Wed Jul 02, 2003 5:43 pm
Location: UK

Postby leeh » Mon Oct 06, 2003 12:40 pm

Auriga wrote:
leeh wrote:
Auriga wrote:Perhaps we need to start thinking in a different mindset. I just don't know what that is just yet.


Theres nothing saying you have to require registration - you could just make it optional to get something.. (ie, a user spoof).


You are right, but this still does not solve the problem of drones, and proxies, and spambots.


Nope - but you can do so much to help the real users. Channel modes that only allow registered users in, usermodes that ignore messages from unregistered users..

I personally like the of turing tests to connecting users - I wouldnt deny service to those who cant pass it, but I might be inclined to restrict it slightly, or offer extra features to those who pass it. You could always sort out exempted I:'s for BSPs and stuff, having a contact email for any abuse problems.

Auriga wrote:It just means we'll have less connections to look at ... but that being said, many of the problematic hosts on irc, are trojaned with more than one connection ... (One they dont know of..) and their own connection to irc, which means both will become spoofed if they choose to "register"? How do you manage spoofing people with dynamic IPs and idents? If they change their ident, we end up with an administrative nightmare of constantly responding to e-mails with spoof changes. I think we'd need to provide spoofed only servers where everyone registered.. might have access to a special IP and perhaps an Iline password..
But this also does not stop drone runners from just adding that iline, and server info to their drones...


I wouldnt do spoofs via the current method - it doesnt scale. You can easily implement stuff that allows some form of 'services' to give a user a spoof.

That way you could make most of it automatic - stuff like adding hosts etc. Youd have to implement a fair few guards into it, restricting how many users can use a specific account, how many accounts a specific host can login to, proxy checks when people register the account, etc.

It would get abused, but the abuse might be of a more controllable level..

Auriga wrote:No matter what we do will appear "services" like.. and i dont know how many people would be willing to accept this on efnet. Although they really would have no choice.. eventually... because many networks are being forced to head in this direction in order to protect their "interests".

Its a matter of time until more people fuck shit up for the network, and more "services" and other things will need to be added to avoid giving control to the kiddies who would by choice bring the network into the ground.


I think its all about surviving. efnet would be in pieces if it didnt have no join(|op) on split, and with no join on split you require a method of allowing users to regain ops..

Itll never be solved until machines are secure by default, or the internet is destroyed.. ;)
Auriga
Posts: 78
Joined: Fri Jul 04, 2003 1:29 am
Location: Canada

Postby Auriga » Mon Oct 06, 2003 3:23 pm

leeh wrote:I wouldnt do spoofs via the current method - it doesnt scale. You can easily implement stuff that allows some form of 'services' to give a user a spoof.

That way you could make most of it automatic - stuff like adding hosts etc. Youd have to implement a fair few guards into it, restricting how many users can use a specific account, how many accounts a specific host can login to, proxy checks when people register the account, etc.

It would get abused, but the abuse might be of a more controllable level..


Who would control this "service". Would it be bound to a specific set of admins like services.int/chanfix is now. Would we have to beg to get code released to create some kind of backup?

Will we be giving a central point of failure by doing this? Who will back it up? Where will it be run?

The idea is good... but in theory it might not work ... or work the way it was intended, understanding that goodwill gets taken advantage of quite often. I think it might create some administrative infighting, even though it could greatly help the users.

Perhaps something to think about with admins before we fully shoot something like this down.
Efnet Operator..
RIP *.qeast.net I'll miss you! :(
Auriga is qurves slave! (is a Forum moderator)
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Mon Oct 06, 2003 6:50 pm

look at undernet, ala X/CService/umode +x
┌─────---─--──-──────---─--──-─────────--- -- -
| netmunky (~netmunky@netmunky.users.undernet.org) (Internic Non-Profit Organization)
│ ircname : funky munky
| channels : @#.....
│ server : washington.dc.us.undernet.org (NO WONDER ITS NUMBER ONE!)
...
∙φ∙ netmunky netmunky is logged in as
: idle : 1 hours 28 mins 50 secs (signon: Sat Oct 4 10:57:19 2003)
[13:48][+netmunky(+iwx)][Mail: 2]
In God we trust,
Everyone else must have an X.509 certificate.
Auriga
Posts: 78
Joined: Fri Jul 04, 2003 1:29 am
Location: Canada

Postby Auriga » Mon Oct 06, 2003 8:35 pm

munky wrote:look at undernet, ala X/CService/umode +x
┌─────---─--──-──────---─--──-─────────--- -- -
| netmunky (~netmunky@netmunky.users.undernet.org) (Internic Non-Profit Organization)
│ ircname : funky munky
| channels : @#.....
│ server : washington.dc.us.undernet.org (NO WONDER ITS NUMBER ONE!)
...
∙φ∙ netmunky netmunky is logged in as
: idle : 1 hours 28 mins 50 secs (signon: Sat Oct 4 10:57:19 2003)
[13:48][+netmunky(+iwx)][Mail: 2]


Yeah.. but the whole idea is not to stop users from getting packets or hiding users IP's..

The whole idea is to create some kind of "registration" service to stop proxies, floodbots and drones from connecting to the network.

Undernet still gets floodbots and drones, and im sure a large percentage of them are "spoofed".

We're looking along the right lines, but there are still problems with the logic, and how do you implement this without breaking bots, and/or turning away hordes of users?
Efnet Operator..

RIP *.qeast.net I'll miss you! :(

Auriga is qurves slave! (is a Forum moderator)
slushey
Posts: 43
Joined: Sat Aug 09, 2003 4:11 pm
Location: Newfoundland, Canada
Contact:

Postby slushey » Wed Oct 08, 2003 2:02 pm

The problem with EFnet's host masking is that it's very inaccessible. You can't host mask unless you know a staff member who is nice enough to give you a spoof line, they usually say "ask an admin in your area" or "no." There are no admins in my area.

While I do not agree with more tools, I do agree with hostmasking. It would be nice to get a MD5 type +x added, but that would also mean sharing keys among server admins and keeping them up to date.
Humor is the best sense we ALL have in common.

slushey ....just me
nothing more.....nothing less

"In Canada we play Duck, Duck, Moose."
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Wed Oct 08, 2003 4:21 pm

Auriga wrote:The whole idea is to create some kind of "registration" service to stop proxies, floodbots and drones from connecting to the network.

Undernet still gets floodbots and drones, and im sure a large percentage of them are "spoofed".


+eb *!*@*.efnet.users *!*@*

that would keep most drones out of your channel

i believe what you are looking for is a chanmode that requires users that join to be 'registered', which undernet has along with the user spoofs. personally, i don't like giving every user a spoof, that just means the server gets the packets rather than the user (why should the server pay the cost of the bandwidth when packet_kiddieA pisses off packet_kiddieB?).
if such a system were to be implemented, i would rather see the registration done without the spoofing, with a chanmode +R or something.

and yes, undernet still gets spoofed drones, but it is more tedious on the drone runner. you have to register each username from a unique ip, and each must have a unique email address (that isn't @mail.com, etc). it can still be done, but it takes more time, and probably wouldn't be done for 1000 bot dronenets (though i've seen nets on undernet with 20-30 spoofed hosts).
In God we trust,

Everyone else must have an X.509 certificate.
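
The registration guards leeh lists earlier in the thread (limits on users per account and accounts per host) and the Undernet rules munky describes above (unique IP and unique email per username, some mail domains refused), as an added Python example that is not part of the original posts or of any network's services code. The class name, the limits and the addresses are assumptions; the proxy check leeh mentions is left out.

```python
from dataclasses import dataclass, field

REFUSED_MAIL_DOMAINS = {"mail.com"}  # the post names mail.com; the rest is policy
MAX_SESSIONS_PER_ACCOUNT = 2         # assumed limit, not from the thread
MAX_ACCOUNTS_PER_HOST = 1            # assumed limit, not from the thread

@dataclass
class SpoofService:                  # hypothetical name
    accounts: set = field(default_factory=set)
    emails: set = field(default_factory=set)
    register_ips: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)       # account -> hosts logged in
    host_accounts: dict = field(default_factory=dict)  # host -> accounts seen

    def register(self, account: str, email: str, ip: str) -> str:
        """Apply the per-registration rules; return "ok" or the refusal reason."""
        email = email.strip().lower()
        if account in self.accounts:
            return "account exists"
        if email.rpartition("@")[2] in REFUSED_MAIL_DOMAINS:
            return "mail domain refused"
        if email in self.emails:
            return "email already used"
        if ip in self.register_ips:
            return "ip already registered an account"
        self.accounts.add(account)
        self.emails.add(email)
        self.register_ips.add(ip)
        return "ok"

    def login(self, account: str, host: str) -> str:
        """Apply the per-login limits before a spoof would be handed out."""
        if account not in self.accounts:
            return "no such account"
        hosts = self.sessions.get(account, [])
        seen = self.host_accounts.get(host, set())
        if len(hosts) >= MAX_SESSIONS_PER_ACCOUNT:
            return "account session limit"
        if account not in seen and len(seen) >= MAX_ACCOUNTS_PER_HOST:
            return "host account limit"
        self.sessions[account] = hosts + [host]
        self.host_accounts[host] = seen | {account}
        return "ok"

if __name__ == "__main__":
    svc = SpoofService()  # all values below are constructed samples
    print(svc.register("alice", "alice@example.org", "192.0.2.10"))
    print(svc.register("drone1", "d1@mail.com", "192.0.2.20"))
```

Each refusal reason maps to one of the guards named in the thread, so the cost per registered drone is one fresh IP and one fresh accepted mailbox.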
Auriga
Posts: 78
Joined: Fri Jul 04, 2003 1:29 am
Location: Canada

Postby Auriga » Wed Oct 08, 2003 8:10 pm

munky wrote:
Auriga wrote:The whole idea is to create some kind of "registration" service to stop proxies, floodbots and drones from connecting to the network.

Undernet still gets floodbots and drones, and im sure a large percentage of them are "spoofed".


+eb *!*@*.efnet.users *!*@*

that would keep most drones out of your channel



I'm not concerned about keeping drones out of my channel. I'm concerned about keeping drones off efnet. silly. :)

munky wrote:i believe what you are looking for is a chanmode that requires users that join to be 'registered', which undernet has along with the user spoofs. personally, i don't like giving every user a spoof, that just means the server gets the packets rather than the user (why should the server pay the cost of the bandwidth when packet_kiddieA pisses off packet_kiddieB?).
if such a system were to be implemented, i would rather see the registration done without the spoofing, with a chanmode +R or something.


Well.. it doesn't mean that a user has to be spoofed. It's just an idea that Leeh tossed around as an incentive for users to register while still letting regular users hang out on efnet if they wanted to. The premise of this whole convo here is.. how do we keep drones off efnet. I believe we are losing sight of the idea of this thread. We're trying to think of solutions, and ideas on how this can be done. This was just one of the things that was discussed, that's all.

munky wrote:and yes, undernet still gets spoofed drones, but it is more tedious on the drone runner. you have to register each username from a unique ip, and each must have a unique email address (that isn't @mail.com, etc). it can still be done, but it takes more time, and probably wouldn't be done for 1000 bot dronenets (though i've seen nets on undernet with 20-30 spoofed hosts).


All you need is 20 drones to take out a user you dont like very much. :)
Agreed it would mean more work, but as you said it has been done.
Over time if the channel builds up slowly, someone could potentially have every single drone spoofed. Get a team of runners and this could be faster.

It's just something to think about.
I don't think anything can be done, like a magic wand to fix it completely without potentially turning away thousands of users.

But if someone has that magic wand, im sure all the efnet admins would be interested in hearing it. :)
Efnet Operator..

RIP *.qeast.net I'll miss you! :(

Auriga is qurves slave! (is a Forum moderator)
leeh
ircd-ratbox coder
Posts: 48
Joined: Wed Jul 02, 2003 5:43 pm
Location: UK

Postby leeh » Wed Oct 08, 2003 10:50 pm

slushey wrote:While I do not agree with more tools, I do agree with hostmasking. It would be nice to get a MD5 type +x added, but that would also mean sharing keys among server admins and keeping them up to date.


md5'd +x does not work.

If you hash all of the hostname, then a users ISP becomes "unbannable". They can redial, get a completely different hash value and carry on flooding (or whatever).

If you dont hash all of the hostname, then you only fix the problem for the users who are on large ISPs. There are enough "small" isps out there that simply by knowing the ISP you can knock them offline.

If youre trying to stop users being attacked, you dont code something that doesnt work completely.
-wassup-
Posts: 103
Joined: Wed Aug 13, 2003 8:25 pm
Location: Middle East

Postby -wassup- » Thu Oct 09, 2003 9:24 am

so if these spoofs make people unbannable does unreal ircd servers and other spoofing servers suffer from this problem? also if they dont suffer how do they implement correctly?

one idea is to create a hash for each network. it is randomly generated at install and the same hash is given to all servers on the network (set ala ircd.conf or something). using this hash servers would generate spoofs for the IP. in this way one IP wouldnt generate multiple hashes as MD5 seems to do. similar subnets would also have similar spoofs. so lets say we have a dial up user on blah@user12-43-5.dialup.isp.com. lets say normally someone in the channel bans blah@user*.dialup.isp.com. in a spoofed case the user can have blah@user<cryptedhere>.dialup.isp.com. this would in a way solve the unbannable problem. the problem would be with non resolving IPs. for example lets say someone is on 4.4.4.211. Unlike what Unreal does i think the spoof should be 4.4.4.<encryptedhashere>. this way someone could normally ban a class C or whatever. the trick is to have each network have a specific (and kept secret) hash in which they encrypt their IPs, so a single user wont get multiple encrypted IPs.
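
The keyed cloak -wassup- proposes, set against leeh's objections, as an added Python example that is not part of the original posts or of any ircd. It uses HMAC-SHA256 in place of the MD5 the thread mentions; the key, the function names and the sample hosts are constructed, and only hostnames and IPv4 addresses are handled.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed placeholder. A real network would generate this randomly and
# keep it identical on every server (the key-sharing cost slushey mentions).
NETWORK_KEY = b"constructed-example-key"

def _tag(value: str) -> str:
    """Keyed hash of the full host, truncated to 8 hex digits for display."""
    mac = hmac.new(NETWORK_KEY, value.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:8]

def cloak(host: str) -> str:
    """Hide the user-specific part of a host and keep the part bans rely on."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        first, _, rest = host.partition(".")
        # Keep the alphabetic prefix ("user") so user*.dialup.isp.com still matches.
        prefix = re.match(r"[A-Za-z]*", first).group(0)
        return f"{prefix}{_tag(host)}.{rest}" if rest else _tag(host)
    a, b, c, _ = str(ip).split(".")
    return f"{a}.{b}.{c}.{_tag(str(ip))}"  # a /24-style ban stays possible

def mask_match(mask: str, host: str) -> bool:
    """IRC-style wildcard match: only * and ? are special, case-insensitive."""
    pattern = re.escape(mask).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(pattern, host, re.IGNORECASE) is not None

if __name__ == "__main__":
    before = cloak("user12-43-5.dialup.isp.com")  # constructed dial-up host
    after = cloak("user12-43-9.dialup.isp.com")   # same user after a redial
    print(before, after)
    # leeh's first point: a ban on the exact cloak is evaded by the redial.
    print(mask_match(before, after))
    # The ISP-wide ban still matches, and the ISP itself stays visible,
    # which is leeh's second point about small ISPs.
    print(mask_match("user*.dialup.isp.com", after))
    print(cloak("4.4.4.211"))
```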
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Thu Oct 09, 2003 12:36 pm

ok, this is getting way off topic. we're supposed to be talking about keeping drones off the network, remember?

so, to get back on topic...

the problem with any attempt to keep drones off the network is it would also keep legitimate bots off the network (did we cover this already?). hell, i've even seen dronenets running eggdrop 1.6.10. so how do you keep that drone off the network while allowing legitimate eggdrop 1.6.10 bots on? IMHO, there is no foolproof way, and we probably just need to keep on keeping on as we've been doing.

edit: ok, just went back and read the first post again, apparently this is supposed to be a "control" post, dealing with operspy, chanfix, etc. not drones, not DoS attacks... so uh... anyone? :)
Last edited by munky on Thu Oct 09, 2003 12:42 pm, edited 2 times in total.
In God we trust,

Everyone else must have an X.509 certificate.
leeh
ircd-ratbox coder
Posts: 48
Joined: Wed Jul 02, 2003 5:43 pm
Location: UK

Postby leeh » Thu Oct 09, 2003 12:38 pm

-wassup- wrote:so lets say we have a dial up user on blah@user12-43-5.dialup.isp.com. lets say normally someone in the channel bans blah@user*.dialup.isp.com. in a spoofed case the user can have blah@user<cryptedhere>.dialup.isp.com. this would in a way solve the unbannable problem.


Youve just completely ignored what ive said.

If a kiddie wants to attack a user, and that user is on a small regional ISP, then its easy enough for the kiddie to take the full ISP offline. Some of the DoSnets these kiddies have are huge.
-wassup-
Posts: 103
Joined: Wed Aug 13, 2003 8:25 pm
Location: Middle East

Postby -wassup- » Thu Oct 09, 2003 3:44 pm

yeah it wont stop it but it'll help
Osc
Posts: 75
Joined: Mon Aug 11, 2003 8:08 pm
Location: Atlanta, GA

Postby Osc » Thu Oct 09, 2003 8:31 pm

when the users entire ISP is offline, how does that help?

Really, this time, think prior to responding.
irc.he.net Notice -- Osc (osc@irc.packetmonkeys.com) is now an operator
<CHANFIX> You're now logged in with the following flags: ADMIN.
<OCF> Authentication successful. Welcome, Osc.
-wassup-
Posts: 103
Joined: Wed Aug 13, 2003 8:25 pm
Location: Middle East

Postby -wassup- » Fri Oct 10, 2003 9:42 am

because first of all not all stupid botnet kiddies have abilities to take the entire isp offline, they may only have like 20 or so drones and can take a few users offline. secondly even kiddies know if they packet a large ISP they are gonna get investigated and get a huge fine or be jailed.
-wassup-
Posts: 103
Joined: Wed Aug 13, 2003 8:25 pm
Location: Middle East

Postby -wassup- » Fri Oct 10, 2003 9:47 am

also it will help with insecure clients. lets say a client forgot to patch an exploit, it will stop a user from directly hacking into their box.
