Joined: Aug 2003
Posts: 2
T
Tones Offline OP
Bowl of petunias
What about limiting the available sockets in mIRC to help prevent current mIRC socket flood scripts attacking networks?
I have seen many floods using a script opening many sockets through a user's mIRC, spoofing addresses and causing widespread services lag.

Any comments?

Last edited by Tones; 01/09/03 04:57 AM.
Joined: Dec 2002
Posts: 349
S
Fjord artisan
Offline
.."to help prevent current MIRC socket flood scripts"..

But how would this stop the current flood scripts? The flooders aren't going to use a new mIRC when they know they won't be able to flood with it; their scripts aren't going to stop working because a new mIRC version is released.

If any limitation were to be placed on sockets they should be (as an option) disabled altogether (similar to disabling /run and /dll) to prevent users of future mIRC versions being easily infected with a current or future socket trojan.

Joined: Aug 2003
Posts: 2
T
Tones Offline OP
Bowl of petunias
Point taken..
Maybe a network flag mIRC sends to the server when a certain amount of sockets are opened, so that IRCops on the server can know which clients are running a large amount of sockets. This would make it easier to detect and then G-line offending users?

Joined: Mar 2003
Posts: 1,271
L
Hoopy frood
Offline
Problem remains that those who would use such scripts would simply use an older version that doesn't send a flag to the server.


DALnet #Helpdesk
I hear and I forget. I see and I remember. I do and I understand. -Confucius
Joined: Dec 2002
Posts: 169
J
Vogon poet
Offline
How many sockets I have open is none of their damn business. Sockets are used for more than connecting to an IRC server. How many sockets do you consider too many? Besides, if it's a socket based flooder mIRC won't send anything to the server. It will only get sent to servers that mIRC is connected to normally. Ex:

Connect mIRC to dalnet
Connect 150 socket bots to EFnet
mIRC sends dalnet opers a notice or something saying that you have exceeded some magical socket limit
Dalnet G-Lines you.
EFnet still has 150 socket bots connected to it. Whoops.

Locking sockets like /run and /dll is a good idea. Limiting the number of sockets is a bad idea. Having mIRC tell someone else how many sockets are open without the user's knowledge is a horrible idea.

Joined: Dec 2002
Posts: 2,985
Hoopy frood
Offline
Competent opers can already deal with this sort of thing anyway. Come to think of it, so can a decent security bot.

Joined: May 2003
Posts: 2,265
P
Hoopy frood
Offline
this is what i use(opers only)
Code:
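; Remote script: aliases defined here need the "alias" prefix.
; Returns the host part (after the "@") of a nick's address from the IAL.
alias getip {
  return $gettok($address($1,1),2,64)
}
; Counts the nicks in the channel that share $1's host; more than 3 is treated as clones.
alias scan {
  if ($1 != $me) {
    var %s 1
    var %clones 0
    var %address $getip($1)
    var %nicks
    while (%s <= $nick($chan,0)) {
      if ($getip($nick($chan,%s)) == %address) {
        inc %clones
        %nicks = %nicks $nick($chan,%s)
      }
      inc %s
    }
    if (%clones > 3) {
      ; 10 minute ban, then kick every nick that matched.
      ban -u600 %address
      kick # $replace(%nicks,$chr(32),$chr(44)) Clones Found: $replace(%nicks,$chr(32),$chr(44)) - Banned: 10 minutes
    }
  }
}
; Runs scan against every nick currently in the channel.
alias clonescan {
  var %c 1
  while (%c <= $nick($chan,0)) {
    scan $nick($chan,%c)
    inc %c
  }
}
; Rescan the channel on every join.
on *:JOIN:#:{
  clonescan
}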

the server i go on allows up to 10 connections per person, but i don't agree with that -_-
this is channel specific (i'm not that experienced with being an oper)

Last edited by pheonix; 01/09/03 02:38 PM.

new username: tidy_trax
Joined: Dec 2002
Posts: 2,985
Hoopy frood
Offline
One problem. True cloning is very rare now as modern IRCd's have inbuilt protection against them. You'll find that most if not all warbots connect with unique IPs now.

Joined: May 2003
Posts: 2,265
P
Hoopy frood
Offline
ah, i said i would test my code on multi servers, but this is 1 that i can't :(, it works on the 1 i use, might work on some others :)


new username: tidy_trax
Joined: Dec 2002
Posts: 2,985
Hoopy frood
Offline
Yes but which part of your script can differentiate between 10 genuine users and ten warbots with unique addresses? You could only pick up 'clones' with that and managing clones from the channel level is very outdated security management.

Joined: May 2003
Posts: 2,265
P
Hoopy frood
Offline
that's what i said, it's very basic (channel specific), i've only been an oper for about a month, but as far as i'm concerned, there is no such thing as an "innocent" user with 10 connections in 1 channel, if the bit after the "@" is exactly the same on 10 connections in 1 channel, how could that be innocent in any way?


new username: tidy_trax
Joined: Dec 2002
Posts: 3,138
C
Hoopy frood
Offline
Bouncer hosts often have 10+ people on the same vhost, as can LANs or ISPs using NAT to put multiple people on one IP.

Joined: Jan 2003
Posts: 119
A
AKO Offline
Vogon poet
None of these scripts would stop what Watchdog is describing. He's not talking about clones at all. What he's talking about are zombie IRC bots that you can't tell the difference between a real user and a fake user. There can be 1500 of them on at once, all from different hosts.

The only real way to tell is to check by nicks and ident....though most bots still aren't 'smart' enough to handle that.
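
Added example, not part of the thread or any poster's code: a small Python comparison of the two checks discussed above, the per-host clone count (more than 3 on one host) and a grouping by nick and ident that ignores the host. The sample masks, the function names, the "nick shape" heuristic (digit runs collapsed) and the group size of 4 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed nick!ident@host masks, as an oper bot would see them on JOIN.
JOINS = [
    "alice!alice@dsl-12.example.net",
    "bob!rob@nat-gw.example.org",      # four different people behind one NAT
    "carol!cj@nat-gw.example.org",
    "dave!dave@nat-gw.example.org",
    "erin!erin@nat-gw.example.org",
    "xkq81!xkq@host-a.example.com",    # four bots, each on a unique host
    "xkq82!xkq@host-b.example.com",
    "xkq83!xkq@host-c.example.com",
    "xkq84!xkq@host-d.example.com",
]

MASK = re.compile(r"^(?P<nick>[^!@\s]+)!(?P<ident>[^@\s]+)@(?P<host>\S+)$")

def parse_mask(mask):
    m = MASK.match(mask)
    if m is None:
        raise ValueError(f"not a nick!ident@host mask: {mask!r}")
    return m.group("nick"), m.group("ident"), m.group("host").lower()

def clones_by_host(masks, limit=3):
    """Per-host count: flag any host with more than `limit` nicks."""
    hosts = defaultdict(list)
    for mask in masks:
        nick, _, host = parse_mask(mask)
        hosts[host].append(nick)
    return {h: n for h, n in hosts.items() if len(n) > limit}

def pattern_groups(masks, min_size=4):
    """Group by ident plus nick shape (digit runs collapsed), ignoring the host."""
    groups = defaultdict(list)
    for mask in masks:
        nick, ident, host = parse_mask(mask)
        shape = re.sub(r"\d+", "#", nick.lower())
        groups[(shape, ident.lower())].append((nick, host))
    # Only report groups that are large and spread over more than one host.
    return {
        key: members for key, members in groups.items()
        if len(members) >= min_size and len({h for _, h in members}) > 1
    }

if __name__ == "__main__":
    print("host rule flags:", clones_by_host(JOINS))
    print("nick/ident rule flags:", pattern_groups(JOINS))
```

On this sample the host rule flags only the NAT gateway with its four distinct users, while the nick/ident grouping flags only the four look-alike connections on unique hosts.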

