
#200585 07/06/08 11:25 PM
Joined: May 2008
Posts: 127
J
Vogon poet
OP Offline
I've noticed this a long time ago, but I never bothered to actually ask about it.

Why is it that most IRC users show *@*.something.com as their hostname when you /whois, and others show something like "34HBWE.234RF.2EDF34T.2ED2D.IP"?

There's a user on my server whose actual hostname never shows; instead something like the above shows. How do IRCops ban these people? It appears that it's different every time the user joins.. I just don't understand. :P

Joined: May 2008
Posts: 127
J
Vogon poet
OP Offline
I know how they're banned, but how are they banned if their hostname is different every time is what I'm asking.

Joined: Oct 2005
Posts: 1,741
G
Hoopy frood
Offline
Those are regular hosts that are masked or hidden by the server. In theory, any single host should always translate to the same hidden mask.

Example:


12.34.56.78

always translates to:

12345.23456.34567.45678.IP

If the mask is changing, it means the user is connecting from a different host.

-genius_at_work

Joined: Jan 2004
Posts: 2,127
Hoopy frood
Offline
Originally Posted By: genius_at_work
In theory, any single host should always translate to the same hidden mask.


From what I've seen, it always translates to the same shadowed mask - at the same network. I've seen someone connected to 2 networks at the same time, and he has different masks at each network, even though he always has the same mask within the same network. When shadowing someone's IP, I've always seen them taking someone's @12.34.56.78 IP and translating it into @AA.BB.CC.IP where CC comes from the 12.34, the BB comes from the .34 and the AA comes from the .78 - so everyone from @12.34.*.* has the same @*.*.CC.IP mask. I guess they do this so that wildcard masks can be assigned into levels the same way that text hostnames are assigned.

It looks like the scrambled IPs are using some sort of encryption or hash, so if you want to know where everyone is from, you'll need to build a dictionary listing the 12.34-to-CC.IP translations.

Joined: Oct 2004
Posts: 8,330
Hoopy frood
Offline
Simply put, this is just a hidden IP from the network. The network itself knows the correct IP information, so IRCops have no issues banning them. Also, as explained, you can ban that same masked IP the same way you could ban an unmasked IP. This is also the same idea as people using vhosts such as nick!ident@dont.whois.me or some such thing. It's not a "real" host, but you can still ban it. The thing you need to remember is the same user can usually choose to either log into the masked or vhost or not to, so they technically have 2 hosts that you may need to ban - their real one and their "fake" one. You'd only know their real one if they ever join without the "fake" one and if they don't join without their "fake" one, there's no need for banning the real one anyhow.

Also, as was also mentioned, the masked address will always be the same if the host/dns stays the same while on the same network. Different networks use different methods to mask an address, so the nick may have different masks on different networks.


Invision Support
#Invision on irc.irchighway.net
Joined: Oct 2005
Posts: 1,741
G
Hoopy frood
Offline
You are correct. Different networks will have different masks for the same host/IP. Different IRCds obviously use their own method for masking. And on the same IRCd, between two networks, the mask will be different because each network uses a different 'salt' (a secret string of characters) that is combined with the host while it is being masked. The actual algorithm each IRCd uses is different, but an analogy is the $md5 identifier in mIRC.

You could hide your host with $md5(%myhost). The actual MD5 hash would be different for every host, but would be identical if the host were identical. Also (in the case of MD5) the host cannot be calculated in reverse. The whole idea is to keep secret each user's host/IP information, while still allowing them to be banned in a way that is as effective as banning their real host/IP.

-genius_at_work
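
The scheme described in the posts above (a secret per-network salt hashed together with the host, one segment per address prefix so that wildcard bans still cover a range), as an added sketch that is not part of the thread and is not any IRCd's actual algorithm. HMAC-SHA256, the six-character segments, the salts and the names `cloak_ipv4`, `range_ban` and `ban_matches` are assumptions for illustration.

```python
import fnmatch
import hashlib
import hmac
import ipaddress

# Constructed per-network secrets; a real network keeps its salt private.
SALT_NET_A = b"constructed-salt-for-network-A"
SALT_NET_B = b"constructed-salt-for-network-B"


def _segment(salt: bytes, prefix: str, length: int = 6) -> str:
    """Keyed hash of one address prefix, cut to a short uppercase token."""
    digest = hmac.new(salt, prefix.encode("ascii"), hashlib.sha256).hexdigest()
    return digest[:length].upper()


def cloak_ipv4(ip: str, salt: bytes) -> str:
    """Cloak a.b.c.d as AA.BB.CC.IP: AA hashes a.b.c.d, BB a.b.c, CC a.b."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects bad input
    parts = [_segment(salt, ".".join(octets[:n])) for n in (4, 3, 2)]
    return ".".join(parts + ["IP"])


def ban_matches(ban_mask: str, cloak: str) -> bool:
    """IRC-style wildcard match of a ban mask against a cloaked host."""
    return fnmatch.fnmatchcase(cloak, ban_mask)


def range_ban(cloak: str) -> str:
    """Build the *.*.CC.IP mask covering everyone in the same a.b.*.* range."""
    return "*.*." + cloak.split(".", 2)[2]


if __name__ == "__main__":
    # Same IP -> same cloak per network; different salt -> different cloak.
    for ip in ("12.34.56.78", "12.34.200.9", "98.76.54.32"):
        print(ip, cloak_ipv4(ip, SALT_NET_A), cloak_ipv4(ip, SALT_NET_B))
```

Because the salt is secret, the dictionary of 12.34-to-CC translations mentioned earlier in the thread cannot be precomputed offline; it can only be collected from cloaks whose real address is already known.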

