Death to all Drones!

Ideas, suggestions, and constructive criticisms about EFnet's Websites

Moderators: Website/Forum Admins, Website/Ideas/Suggestions Moderators

mvibe
Posts: 4
Joined: Mon Feb 21, 2005 6:55 pm
Location: Alabama
Contact:

Death to all Drones!

Postby mvibe » Mon Feb 21, 2005 7:07 pm

Just a suggestion ...

We all know there are spam/ddos drones all over irc, and little can be done to completely wipe them all out.

But I have a suggestion to all the opers out there that might help minimize some of them on your individual servers.

Notice that a lot of drones seem to always be in 20+ channels ... No real person that I know have can have that many windows open and remain sane. Kill all clients that are in 20+ channels (or 30+ if that works better).

Also, a lot of the bot code out there that is infecting people thus creating these drones will automatically quit when a /WHOIS is done on that user -- yet another way to identify the drones.

Drones also like to move around, Join/Part out of the same set of channels (mostly XXX and WAREZ related) -- maybe there is a way to ident them this way?

As of now, in the shell host channel which I support, I use a JoinInfoKick script in my irssi that I customized to WHOIS all joins and check for certain criteria such as # of channels, and Names of certain known channels that have alot of drones in them --- when the criteria is met, that user is kickbanned from the channel.

Anyway, these are only suggestions to maybe help lighten the load on some of the servers --- feel free to comment or not comment, but at least consider.

Thanks!
--
Majestic teh Vibe
"Work like you don`t need the money,
Dance like nobody is watching,
and Love like you`ve never been hurt!"
mvibe
Posts: 4
Joined: Mon Feb 21, 2005 6:55 pm
Location: Alabama
Contact:

Postby mvibe » Tue Feb 22, 2005 12:28 pm

Oh I just thought of another idea ...

Drones can`t reply to private msgs right?
So maybe some sort of random talker bot could be used to talk to those who meet a certain criteria from my original post ... after a set amount of time, if no actual dialoged response is received then the user is temp k-lined ................
--
Majestic teh Vibe
"Work like you don`t need the money,
Dance like nobody is watching,
and Love like you`ve never been hurt!"
User avatar
deww
Posts: 125
Joined: Fri Jul 18, 2003 7:17 pm

Postby deww » Tue Feb 22, 2005 1:30 pm

Some interesting ideas, but it will definitely get innocents. Complete automation is not the way to go. Drones can respond to private msgs. There's no such thing as can't. :-)
wundr
Posts: 140
Joined: Sun Jul 06, 2003 11:34 pm
Location: Japan

Re: Death to all Drones!

Postby wundr » Tue Feb 22, 2005 1:56 pm

mvibe wrote:Notice that a lot of drones seem to always be in 20+ channels ... No real person that I know have can have that many windows open and remain sane. Kill all clients that are in 20+ channels (or 30+ if that works better).
Actually, a LOT of people DO stay in that many channels, and have legitimate reasons to do so. Not all of these channels have people talking all the time, and not all are very big channels, but killing everything that tries to join more than 20 channels would hit a lot more innocent people than drones, I am sure.
Also, a lot of the bot code out there that is infecting people thus creating these drones will automatically quit when a /WHOIS is done on that user -- yet another way to identify the drones.
I don't think any servers currently allow normal users to see when they are being /whois'ed. Opers can have this, and I know one server (in .nl?) used to allow users to have this, too, but I know most server admins don't want to do this.
Drones also like to move around, Join/Part out of the same set of channels (mostly XXX and WAREZ related) -- maybe there is a way to ident them this way?
A lot of users also like to join/part channels, especially xxx- and warez-related channels... in many of these types of channels, this is all users do... come to get files and then leave, not stay in the channel and chat.
As of now, in the shell host channel which I support, I use a JoinInfoKick script in my irssi that I customized to WHOIS all joins and check for certain criteria such as # of channels, and Names of certain known channels that have alot of drones in them --- when the criteria is met, that user is kickbanned from the channel.
To me, that sounds great as a channel policy. When running a channel like that, it doesn't matter too much if a lot of innocents get hit, but it's not usually the way a server is run.
Anyway, these are only suggestions to maybe help lighten the load on some of the servers
Yeah, and then again, I am neither an admin nor an oper, so my comments don't really have much effect, anyway :D
Hardy
Site Admin
Posts: 394
Joined: Wed Jul 02, 2003 4:54 pm
Location: Oslo, Norway
Contact:

Postby Hardy » Tue Feb 22, 2005 2:20 pm

Well...

Some of the ideas would likely catch drones, but the number of innocents would be way to high aswell, especally with the 20+ channels thingy.

Its simply not an good enough way to identify drones on, and making sure it is drones we are dealing with, and because of that we cant use it.

Today efnet have several "programs" fighting spam, drones, proxies etc and we are slowly walking toward better solutions with new technology to identify the drones. When it comes to drones and efnet we are way way better then we was just a year ago and with requireing glines on all efnet servers, and working on ways to have better redundancy on proxy scanning we are reducing the drones connecting every day.

The real problem is however not fixed. the machines are still vulnerable, infiltrated and can be used to things like flooding, attacks and warez sharing.
-- Hardy
Administrator: irc.underworld.no
Services Administrator
http://www.efnet.org admin/staff
User avatar
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Tue Feb 22, 2005 3:19 pm

actually, most ddos drones are in 1 channel, if any, and it is something like ##your_mother_likes_me##, which is usually +sk
the ones that are joining 20-30 xxx/warez channels are usually xdcc grabber/bottler type clients. these are generally harmless, other than being a nuisance.
In God we trust,
Everyone else must have an X.509 certificate.
mvibe
Posts: 4
Joined: Mon Feb 21, 2005 6:55 pm
Location: Alabama
Contact:

Postby mvibe » Wed Feb 23, 2005 1:50 pm

I can see everyone's point .. I guess most of my suggestions would work better as channel solutions.

I know efnet is busting their humps in trying to minimize unwanted traffic from drones and such.

I guess I saw that these solutions were working in my channel(s) and wondered if they would work as a server solution as well.

Oh well .. maybe something will spawn one day that is a flawless server solution ... Until then All Hail the KICK/BAN :lol:
--
Majestic teh Vibe
"Work like you don`t need the money,
Dance like nobody is watching,
and Love like you`ve never been hurt!"
mvibe
Posts: 4
Joined: Mon Feb 21, 2005 6:55 pm
Location: Alabama
Contact:

Postby mvibe » Wed Feb 23, 2005 8:39 pm

Though .. You have got to admit, when you see this every few minutes:

----------------
T-14:28:15 y0-> ProsPer ~ProsPer@dD5E0CC05.access.telenet.be |-|az j01|\|3|) #veritynet
T-14:28:16 y0-> ProsPer is "..." on #veritynet #fauske #I'm a spammer!-iso #counterstrike #hdp #dvdrs #narcotics #idol #windows2000
#gbanow #xxxpasswords #redhat #html #mp3addicts #TrudawgZ #0day-Xdcc #warez-iso #music-videos #xboxzone #mp3channel
#DivX-Movies #BAYTIGHT #Naruto #fedora #M_TOWN #METALMETAL #chatlife #novascotia #prime-tyme-movies #bay2la #roms-isos
#bootlegcentral #VIDEO-DEVILZ #houseofmovies-kidney stones #SpAnKiN-NeW #xxxpassworld #warez_sitez #videopimp #PS2PEOPLE
#lost.no
T-14:28:19 y0-> mode/#veritynet >>+v ProsPer<< |3Y ilec
T-14:28:41 y0-> ProsPer ~ProsPer@dD5E0CC05.access.telenet.be has quit >>Connection closed<<
-----------------------------

You really have got to wonder why a user would be in so many channels then all of a sudden quit inside of a few seconds?
--
Majestic teh Vibe
"Work like you don`t need the money,
Dance like nobody is watching,
and Love like you`ve never been hurt!"
dexter
Posts: 9
Joined: Sat May 01, 2004 12:11 pm
Location: San Diego, CA

Postby dexter » Thu Feb 24, 2005 9:09 am

mvibe wrote:Though .. You have got to admit, when you see this every few minutes:

----------------
T-14:28:15 y0-> ProsPer ~ProsPer@dD5E0CC05.access.telenet.be |-|az j01|\|3|) #veritynet
T-14:28:16 y0-> ProsPer is "..." on #veritynet #fauske #I'm a spammer!-iso #counterstrike #hdp #dvdrs #narcotics #idol #windows2000
#gbanow #xxxpasswords #redhat #html #mp3addicts #TrudawgZ #0day-Xdcc #warez-iso #music-videos #xboxzone #mp3channel
#DivX-Movies #BAYTIGHT #Naruto #fedora #M_TOWN #METALMETAL #chatlife #novascotia #prime-tyme-movies #bay2la #roms-isos
#bootlegcentral #VIDEO-DEVILZ #houseofmovies-kidney stones #SpAnKiN-NeW #xxxpassworld #warez_sitez #videopimp #PS2PEOPLE
#lost.no
T-14:28:19 y0-> mode/#veritynet >>+v ProsPer<< |3Y ilec
T-14:28:41 y0-> ProsPer ~ProsPer@dD5E0CC05.access.telenet.be has quit >>Connection closed<<
-----------------------------

You really have got to wonder why a user would be in so many channels then all of a sudden quit inside of a few seconds?
That client is most likely a bottler/xdcc catcher type client that joined all those channels, then attempted to join a juped channel one or more times resulting in a kline.
User avatar
Dario
Posts: 30
Joined: Wed Aug 13, 2003 3:33 am
Location: somewhere near Philly
Contact:

Re: Death to all Drones!

Postby Dario » Thu Mar 10, 2005 7:06 pm

mvibe wrote:Just a suggestion ...

We all know there are spam/ddos drones all over irc, and little can be done to completely wipe them all out.

But I have a suggestion to all the opers out there that might help minimize some of them on your individual servers.

Notice that a lot of drones seem to always be in 20+ channels ... No real person that I know have can have that many windows open and remain sane. Kill all clients that are in 20+ channels (or 30+ if that works better).

Also, a lot of the bot code out there that is infecting people thus creating these drones will automatically quit when a /WHOIS is done on that user -- yet another way to identify the drones.

Drones also like to move around, Join/Part out of the same set of channels (mostly XXX and WAREZ related) -- maybe there is a way to ident them this way?

As of now, in the shell host channel which I support, I use a JoinInfoKick script in my irssi that I customized to WHOIS all joins and check for certain criteria such as # of channels, and Names of certain known channels that have alot of drones in them --- when the criteria is met, that user is kickbanned from the channel.

Anyway, these are only suggestions to maybe help lighten the load on some of the servers --- feel free to comment or not comment, but at least consider.

Thanks!
I guess I am a Nobody!! ;-)

Dario : jmjames@whaddu.com (Jeffrey M. (maybe) James) [Commercial]
Channels : @#yes_I_am_that_lame_that_being_idle_on
@#20_channels_makes_me_feel_31337 @#561 @#DarioJames @#megatokyo #whaddu
@#idleville @#lamerdude #scrollz #bored_as_fuck @#medievaltotalwar
@#irc4kids @#treehouse @#new2linux @#new2irc @#ircanonymous @#global
@#Help @#zarbsworld @#OlsenTwins @#newbies #EFnet
Member DNRC
lyness
Posts: 4
Joined: Mon May 24, 2004 4:22 pm
Location: england

Postby lyness » Sun Apr 24, 2005 3:25 pm

Although many of those ideas would work as chan ideas the problems with having them on the servers would probably create as much hassel as it might solve, as you would get people who are in over 20chans (im only in an average of 18) complaining. Many of those people who are in over 15chans have been online over a period of a long time and have developed networks of friends in various chans.
The problem of having Klines for people who join and quit quickly would probably hit many of the new users to Efnet. I am in many of the chans that are mentioned in the mIRC channel list and i often see the same person go through many of these chans, and as many of them do not have many ppl in and a few are just the same people over various chans, the user does not see the point and moves on to a larger channel, cycling through all of those chans in about 10min staying in only 3 or so out of all of them.
What ever ideas users and servers come up with to stop the problem the people who write the code for these bots will come up with ways to get round it. the problem of keeping these bots off efnet will be an ongoing process, and although the number of them may drop they will always be around I feel and it will be a damage limitation job and a job of containment to keep their effects to a minimum.

Who is online

Users browsing this forum: No registered users and 2 guests