mIRC Homepage
Posted By: Stefan76 Syn Bot Akiller - 26/07/04 12:06 AM
Hello, is there anybody who know how to make a script that akills Syn-Bots on joining a Channel?
The bots joining a Channel should be akilled by IP-Address.
Many thanks for every Idea!
Posted By: LocutusofBorg Re: Syn Bot Akiller - 26/07/04 07:04 AM
Depends - how do you rexognize them?
Posted By: Stefan76 Re: Syn Bot Akiller - 26/07/04 11:58 AM
They are Joining one Channel like ##syn and have nicknames like "BGKMSGHNM"

Posted By: Venoman Re: Syn Bot Akiller - 26/07/04 06:23 PM
that doesn't really answer the question. The only way to auto-kill them is to know what the bots have in common, so you know what to look for. Either that or if you have a list of specific nicks you want to kill you can maintain them in a text doc or something and use that.

Also, how do you mean theyshould be killed by IP? do they never show up in the channel with an actual address? is it always something like carl!carl@111.111.111.111 ? because otherwise you need to do something complicated like /dns the nick on join.

-Venoman
Posted By: Watchdog Re: Syn Bot Akiller - 26/07/04 07:55 PM
The simplest way of dealing with this is to close and block the channels. The other way (if the bots are actually DDoSing your server is to z:line (z:line is like a firewall though depending on the server software it is sometimes called something else) them ON CONNECT, not when they join the rooms.

Do achieve this you need to have some experience with making security bots or be prepared to 'learn the ropes' and that is not a job that can be mastered in a few minutes here. All connections have a unique set of signatures, just like a virus on your computer. This is not limited to IP ranges, user details like full name and nickname, etc. It could also be a CTCP reply from the bots (some authors of war bots are stupid enough to include a version reply in the bot's code :tongue:) it could be what rooms the bots join once connected, it could be whether the bots try to flood-register rooms or nicknames (server notices will inform you of this if you use a decent IRCd), it could be patterns in the user details, amount and arrangement of upper/lower case, numerals, vowels/consenants, ASCII characters, how many of them log in in a given period of time. I have a few other ways to detect hostile connections but they are trade secrets and probably beyond what you will need in this case.

In my time as an oper the hardest bots to detect are those that simply find normal English nicknames from databases but as you now see, there's more than one way to skin a cat. If you use imagination and a keen eye for detail just about any connection can be verified as either friendly or hostile. One last thing though, security bots, like any automated object, are not 100% accurate all of the time. There will be a time when it nails an innocent user but you have to choose between two things - having a good bot that keeps most hostile connections off your server and the occasional innocent user or letting everything on and hoping it doesn't overload the server. Having said that I am yet to get a complaint from someone regarding denial of access due to a wrongful automated ban though there's nothing to say it'll never happen.
© mIRC Discussion Forums