Posted By: Tones Limiting the sockets available through MIRC - 01/09/03 04:54 AM
What about limiting the available sockets in MIRC to help prevent current MIRC socket flood scripts attacking networks?
I have seen many floods using a script opening many sockets through a user's MIRC, spoofing addresses and causing widespread services lag.

Any comments?
Posted By: Skip Re: Limiting the sockets available through MIRC - 01/09/03 09:55 AM
.."to help prevent current MIRC socket flood scripts"..

But how would this stop the current flood scripts? The flooders aren't going to use a new mIRC when they know they won't be able to flood with it; their scripts aren't going to stop working because a new mIRC version is released.

If any limitation were to be placed on sockets, they should be (as an option) disabled altogether (similar to disabling /run and /dll) to prevent users of future mIRC versions being easily infected with a current or future socket trojan.
Point taken..
Maybe a network flag mIRC sends to the server when a certain amount of sockets are opened, so that IRCops on the server can know which clients are running a large amount of sockets. This would make it easier to detect and then G-line offending users?
Problem remains that those who would use such scripts would simply use an older version that doesn't send a flag to the server.
Posted By: Jerk Re: Limiting the sockets available through MIRC - 01/09/03 01:40 PM
How many sockets I have open is none of their damn business. Sockets are used for more than connecting to an IRC server. How many sockets do you consider too many? Besides, if it's a socket based flooder mIRC won't send anything to the server. It will only get sent to servers that mIRC is connected to normally. Ex:

Connect mIRC to dalnet
Connect 150 socket bots to EFnet
mIRC sends dalnet opers a notice or something saying that you have exceeded some magical socket limit
Dalnet G-Lines you.
EFnet still has 150 socket bots connected to it. Whoops.

Locking sockets like /run and /dll is a good idea. Limiting the number of sockets is a bad idea. Having mIRC tell someone else how many sockets are open without the user's knowledge is a horrible idea.
Competent opers can already deal with this sort of thing anyway. Come to think of it, so can a decent security bot.
This is what I use (opers only):
Code:
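; Remote script: aliases need the "alias" prefix here
; Return the host part of a nick's address (the text after the "@")
alias getip {
  return $gettok($address($1,1),2,64)
}
; Count the nicks in the channel that share $1's host
alias scan {
  if ($1 != $me) {
    var %s 1
    var %clones 0
    var %address $getip($1)
    var %nicks
    while (%s <= $nick($chan,0)) {
      if ($getip($nick($chan,%s)) == %address) {
        inc %clones
        %nicks = %nicks $nick($chan,%s)
      }
      inc %s
    }
    ; More than 3 nicks on one host: 10-minute ban (-u600) and kick them all
    if (%clones > 3) {
      ban -u600 %address
      kick # $replace(%nicks,$chr(32),$chr(44)) Clones Found: $replace(%nicks,$chr(32),$chr(44)) - Banned: 10 minutes
    }
  }
}
; Run scan for every nick currently in the channel
alias clonescan {
  var %c 1
  while (%c <= $nick($chan,0)) {
    scan $nick($chan,%c)
    inc %c
  }
}
; Rescan the whole channel each time someone joins
on *:JOIN:#:{
  clonescan
}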

The server I go on allows up to 10 connections per person, but I don't agree with that -_-
This is channel specific (I'm not that experienced with being an oper).
One problem. True cloning is very rare now as modern IRCd's have inbuilt protection against them. You'll find that most if not all warbots connect with unique IPs now.
Ah, I said I would test my code on multi servers, but this is 1 that I can't :( It works on the 1 I use, might work on some others :)
Yes but which part of your script can differentiate between 10 genuine users and ten warbots with unique addresses? You could only pick up 'clones' with that and managing clones from the channel level is very outdated security management.
That's what I said, it's very basic (channel specific), I've only been an oper for about a month, but as far as I'm concerned, there is no such thing as an "innocent" user with 10 connections in 1 channel. If the bit after the "@" is exactly the same on 10 connections in 1 channel, how could that be innocent in any way?
Bouncer hosts often have 10+ people on the same vhost, as can LANs or ISPs using NAT to put multiple people on one IP.
Posted By: AKO Re: Limiting the sockets available through MIRC - 01/09/03 05:08 PM
None of these scripts would stop what Watchdog is describing. He's not talking about clones at all. What he's talking about are zombie IRC bots that you can't tell the difference between a real user and a fake user. There can be 1500 of them on at once, all from different hosts.

The only real way to tell is to check by nicks and ident....though most bots still aren't 'smart' enough to handle that.
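
An added example, not code from any poster in this thread: it runs the per-host clone count from the script above next to the nick/ident check suggested in the last post, over a constructed channel list. The sample users, the function names and the assumption that the bots share an ident and a nick pattern are all illustrative.

```python
import re
from collections import defaultdict

# Constructed sample of (nick, ident, host) for one channel.
USERS = [
    # Four real people behind one NAT/bouncer host
    ("alice", "alice", "nat.example.net"),
    ("bob", "bob", "nat.example.net"),
    ("carol", "carol", "nat.example.net"),
    ("dave", "dave", "nat.example.net"),
    # Four bots, each on its own host (assumed to share ident and nick pattern)
    ("xk3921", "xk", "h1.example.org"),
    ("xk4410", "xk", "h2.example.org"),
    ("xk5078", "xk", "h3.example.org"),
    ("xk6633", "xk", "h4.example.org"),
]

def by_host(users, limit=3):
    """Per-host count, as in the thread's script: flag hosts with > limit nicks."""
    groups = defaultdict(list)
    for nick, _ident, host in users:
        groups[host].append(nick)
    return {h: n for h, n in groups.items() if len(n) > limit}

def shape(name):
    """Reduce a nick to its pattern: letters -> 'a', digits -> '9', runs collapsed."""
    s = re.sub(r"[A-Za-z]", "a", name)
    s = re.sub(r"\d", "9", s)
    return re.sub(r"(.)\1+", r"\1", s)

def by_nick_ident(users, limit=3):
    """Flag groups sharing ident and nick pattern that span more than one host."""
    groups = defaultdict(list)
    for nick, ident, host in users:
        groups[(shape(nick), ident.lower())].append((nick, host))
    return {k: v for k, v in groups.items()
            if len(v) > limit and len({h for _, h in v}) > 1}

if __name__ == "__main__":
    print("per-host :", by_host(USERS))        # flags only the NAT users
    print("pattern  :", by_nick_ident(USERS))  # flags only the bots
```

On this sample the per-host count flags only the four NAT users and misses every bot, while the pattern check flags only the bots; a bot that randomises nick and ident would evade the second check too.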