Joined: Aug 2003
Posts: 2
Bowl of petunias
OP
What about limiting the available sockets in mIRC to help prevent current mIRC socket flood scripts attacking networks? I have seen many floods using a script opening many sockets through a user's mIRC spoofing addresses causing widespread services lag.
Any comments?
Last edited by Tones; 01/09/03 04:57 AM.

Joined: Dec 2002
Posts: 349
Fjord artisan
.."to help prevent current MIRC socket flood scripts"..
But how would this stop the current flood scripts? The flooders aren't going to use a new mIRC when they know they won't be able to flood with it; their scripts aren't going to stop working because a new mIRC version is released.
If any limitation were to be placed on sockets they should be (as an option) disabled altogether (similar to disabling /run and /dll) to prevent users of future mIRC versions being easily infected with a current or future socket trojan.

Joined: Aug 2003
Posts: 2
Bowl of petunias
OP
Point taken.. maybe a network flag mIRC sends to server when a certain amount of sockets are opened, so that IRCops on the server can know which clients are running a large amount of sockets. This would make it easier to detect and then G-line offending users?

Joined: Mar 2003
Posts: 1,271
Hoopy frood
Problem remains that those who would use such scripts would simply use an older version that doesn't send a flag to the server.
DALnet #Helpdesk I hear and I forget. I see and I remember. I do and I understand. -Confucius

Joined: Dec 2002
Posts: 169
Vogon poet
How many sockets I have open is none of their damn business. Sockets are used for more than connecting to an IRC server. How many sockets do you consider too many? Besides, if it's a socket based flooder mIRC won't send anything to the server. It will only get sent to servers that mIRC is connected to normally. Ex:
Connect mIRC to DALnet.
Connect 150 socket bots to EFnet.
mIRC sends DALnet opers a notice or something saying that you have exceeded some magical socket limit.
DALnet G-Lines you.
EFnet still has 150 socket bots connected to it. Whoops.
Locking sockets like /run and /dll is a good idea. Limiting the number of sockets is a bad idea. Having mIRC tell someone else how many sockets are open without the user's knowledge is a horrible idea.

Joined: Dec 2002
Posts: 2,985
Hoopy frood
Competent opers can already deal with this sort of thing anyway. Come to think of it, so can a decent security bot.

Joined: May 2003
Posts: 2,265
Hoopy frood
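this is what i use (opers only):

  ; remote script: aliases need the "alias" prefix when they share a file with events
  ; return the host part (after the "@", chr 64) of a nick's address
  alias getip {
    return $gettok($address($1,1),2,64)
  }
  ; count the nicks in the channel that share $1's host
  alias scan {
    if ($1 != $me) {
      var %s 1
      var %clones 0
      var %address $getip($1)
      var %nicks
      while (%s <= $nick($chan,0)) {
        if ($getip($nick($chan,%s)) == %address) {
          inc %clones
          %nicks = %nicks $nick($chan,%s)
        }
        inc %s
      }
      ; more than 3 nicks on one host: 10 minute ban, then kick them all
      if (%clones > 3) {
        ban -u600 %address
        kick # $replace(%nicks,$chr(32),$chr(44)) Clones Found: $replace(%nicks,$chr(32),$chr(44)) - Banned: 10 minutes
      }
    }
  }
  ; run the scan against every nick in the channel
  alias clonescan {
    var %c 1
    while (%c <= $nick($chan,0)) {
      scan $nick($chan,%c)
      inc %c
    }
  }
  ; re-check the whole channel on every join
  on *:JOIN:#:{
    clonescan
  }

the server i go on allows up to 10 connections per person, but i don't agree with that -_- this is channel specific (i'm not that experienced with being an oper)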
Last edited by pheonix; 01/09/03 02:38 PM.
new username: tidy_trax

Joined: Dec 2002
Posts: 2,985
Hoopy frood
One problem. True cloning is very rare now as modern IRCd's have inbuilt protection against them. You'll find that most if not all warbots connect with unique IPs now.

Joined: May 2003
Posts: 2,265
Hoopy frood
ah, i said i would test my code on multi servers, but this is 1 that i can't, it works on the 1 i use, might work on some others
new username: tidy_trax

Joined: Dec 2002
Posts: 2,985
Hoopy frood
Yes but which part of your script can differentiate between 10 genuine users and ten warbots with unique addresses? You could only pick up 'clones' with that and managing clones from the channel level is very outdated security management.

Joined: May 2003
Posts: 2,265
Hoopy frood
that's what i said, it's very basic (channel specific), i've only been an oper for about a month, but as far as i'm concerned, there is no such thing as an "innocent" user with 10 connections in 1 channel, if the bit after the "@" is exactly the same on 10 connections in 1 channel, how could that be innocent in any way?
new username: tidy_trax

Joined: Dec 2002
Posts: 3,138
Hoopy frood
Bouncer hosts often have 10+ people on the same vhost, as can LANs or ISPs using NAT to put multiple people on one IP.

Joined: Jan 2003
Posts: 119
Vogon poet
None of these scripts would stop what Watchdog is describing. He's not talking about clones at all. What he's talking about are zombie IRC bots that you can't tell the difference between a real user and a fake user. There can be 1500 of them on at once, all from different hosts.
The only real way to tell is to check by nicks and ident....though most bots still aren't 'smart' enough to handle that.
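
An added example, not code from any poster in this thread: Python run over constructed nick!ident@host masks, showing the per-host count from the posted scan flagging people behind one shared host while missing clients on unique hosts, next to one possible form of the nick-and-ident check mentioned in the last post. The layout heuristic, the thresholds and all names here are assumptions.

```python
import re
from collections import defaultdict

# Constructed nick!ident@host masks for one channel (not from the thread).
MEMBERS = [
    # Four different people behind one NAT gateway / bouncer vhost.
    "alice!alice@gw.campus.example", "bob!rob@gw.campus.example",
    "carolyn!cj@gw.campus.example", "dmitri!dm@gw.campus.example",
    # One ordinary user on their own host.
    "erin!erin@dsl.isp-b.example",
    # Five automated clients, every one on a different host.
    "qzkx4821!mvbt17@h1.isp-a.example", "wpnd3307!ktrs52@h7.isp-c.example",
    "lfgb9154!zxcv88@h3.isp-d.example", "trmv6620!bnqw04@h9.isp-e.example",
    "scjy1478!hdlp39@h2.isp-f.example",
]

def parse(mask):
    """Split nick!ident@host into its three parts."""
    nick, ident, host = re.fullmatch(r"([^!]+)!([^@]+)@(.+)", mask).groups()
    return nick, ident, host

def hosts_over_limit(members, limit=3):
    """Per-host count, same rule as the posted scan: more than `limit` nicks."""
    by_host = defaultdict(list)
    for nick, _ident, host in map(parse, members):
        by_host[host].append(nick)
    return {h: n for h, n in by_host.items() if len(n) > limit}

def shape(text):
    """Reduce a string to its letter/digit layout: 'qzkx4821' -> 'aaaa9999'."""
    return re.sub(r"[0-9]", "9", re.sub(r"[A-Za-z]", "a", text))

def shape_groups(members, minimum=4):
    """Nicks whose nick+ident layout repeats on `minimum` or more hosts."""
    groups = defaultdict(dict)  # (nick layout, ident layout) -> {host: nick}
    for nick, ident, host in map(parse, members):
        groups[(shape(nick), shape(ident))][host] = nick
    return {k: sorted(v.values()) for k, v in groups.items()
            if len(v) >= minimum}

if __name__ == "__main__":
    print("per-host scan flags:", hosts_over_limit(MEMBERS))
    print("nick/ident layout flags:", shape_groups(MEMBERS))
```

The layout check is only as good as the sameness of the clients' naming, so its output is a list for an oper to review, not a ban list.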