CTCP Version replies and blocking bots

These are old archives. They are kept for historic purposes only.
lord2800
Posts: 22
Joined: Sun Mar 07, 2004 3:49 am
Location: root: /dev/null

CTCP Version replies and blocking bots

Post by lord2800 »

I have a question. Recently our network has come under attack from bots which don't reply to a standard CTCP Version. Is there any way I can block them with Unreal, or do you guys know any other solutions to blocking them?
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr »

Heh. You're rather cryptic. You don't even know what the bot is called, how can we tell you how to detect it? :p there are hundreds of different bots that don't respond to a CTCP Version. Determining which one it is requires a bit more info. Does it join channels? Which ones? What nicknames does it use? What realname? Is ident enabled? What is the username? Does it respond to other CTCPs? Does it say anything? What happens when you send it a message? etc.
-- codemastr
lord2800
Posts: 22
Joined: Sun Mar 07, 2004 3:49 am
Location: root: /dev/null

Post by lord2800 »

codemastr wrote: Heh. You're rather cryptic.
Sorry, I don't know very much more about it than what I told you.
codemastr wrote: You don't even know what the bot is called, how can we tell you how to detect it? :p there are hundreds of different bots that don't respond to a CTCP Version.
I was hoping there was simply a way to detect, within the ircd, whether or not a client responds to CTCP Version, I can take it from there.
codemastr wrote: Determining which one it is requires a bit more info. Does it join channels? Which ones? What nicknames does it use? What realname? Is ident enabled? What is the username? Does it respond to other CTCPs? Does it say anything? What happens when you send it a message? etc.
Yes. It appears to be ones specified by the controller. Random nicknames (as in fdjkslsfde). Same as the nickname. Yes. Same as the nickname. No. Only when the controller specifies something to say it appears. Nothing, it refuses to respond.

Does that help any?
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr »

lord2800 wrote: I was hoping there was simply a way to detect, within the ircd, whether or not a client responds to CTCP Version, I can take it from there.
Banning based on no CTCP Version reply is usually a bad idea. People have a right to their privacy. As far as I know, mIRC is the only client that doesn't give you an option to turn off the CTCP Version. I have it shut off in my client. So that means, if I connect to your server, you're going to recognize me as a drone even though I'm not. Banning based on no version reply usually catches more actual users than drones.
-- codemastr
w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t »

Sounds a lot like the IDENT argument.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

codemastr wrote: I have it shut off in my client. So that means, if I connect to your server, you're going to recognize me as a drone even though I'm not.
Isn't there usually an exempt option so you can allow CTCPs from the "IRC[d]" pseudo-client? (Probably more complicated than that but...)
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr »

aquanight wrote: Isn't there usually an exempt option so you can allow CTCPs from the "IRC[d]" pseudo-client? (Probably more complicated than that but...)
Yeah, there is, but how do I know who is the IRCd?
-- codemastr
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Well... IRC is a reserved nick... (isn't it?) and if you really want to know, IIRC the "hostname" is the same as the servername...
katsklaw
Posts: 1124
Joined: Sun Apr 18, 2004 5:06 pm

Post by katsklaw »

codemastr wrote:
lord2800 wrote: I was hoping there was simply a way to detect, within the ircd, whether or not a client responds to CTCP Version, I can take it from there.
Banning based on no CTCP Version reply is usually a bad idea. People have a right to their privacy. As far as I know, mIRC is the only client that doesn't give you an option to turn off the CTCP Version. I have it shut off in my client. So that means, if I connect to your server, you're going to recognize me as a drone even though I'm not. Banning based on no version reply usually catches more actual users than drones.
You can't shut off CTCP version, however you can disable all CTCP which will block version requests.


/ignore -t *!*@*
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr »

katsklaw wrote: You can't shut off CTCP version, however you can disable all CTCP which will block version requests.
True, and from what I understand there are also some DLLs out there that can also change the version reply, so I would not be surprised if they also have a way to disable it.
-- codemastr
katsklaw
Posts: 1124
Joined: Sun Apr 18, 2004 5:06 pm

Post by katsklaw »

That last mIRC exploit rumor was related to one such DLL ... I'll stick with /ignore -t *!*@* :lol:

IMO CTCP is 100% useless to begin with ..
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr »

Well, it depends. By mIRC's definition of CTCP, maybe, by the true definition, it's pretty useful. What I mean is, mIRC does not treat DCC and ACTION (/me) as CTCP messages as far as the ignore feature is concerned.
-- codemastr
katsklaw
Posts: 1124
Joined: Sun Apr 18, 2004 5:06 pm
Contact:

Post by katsklaw »

That's correct .. mIRC uses NOTICE for DCC and PRIVMSG for ACTION.
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Huh? All CTCPs use PRIVMSG and NOTICE...

PRIVMSG :\1PING 123\1 - CTCP request

NOTICE :\1PING 123\1 - CTCP reply
lord2800
Posts: 22
Joined: Sun Mar 07, 2004 3:49 am
Location: root: /dev/null

Post by lord2800 »

Either way, the problem is resolved now. There wasn't any true way to block the bots - I talked with the attacker and he said he had everything customized and fully changeable on the fly. The best we could do (since we use Anope) was block all incoming connections and mass-kill based on some common denominator (all sitting in some channel, all not identified, all not in a channel, etc.). There wasn't any real way around this flood.
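
Added example, not part of the original thread or of UnrealIRCd/Anope: a Python sketch that recognises CTCP VERSION replies by the \1-delimited NOTICE framing aquanight shows, then flags clients only when several of the traits described in the thread coincide, so a user who has CTCP replies switched off is not caught on that alone. The client records, the `VersionBot` nick, the hostnames and the threshold of three signals are all constructed assumptions.

```python
import re

# Constructed sample data (not from the thread): clients as a services bot might
# see them, plus raw NOTICE lines received after it sent PRIVMSG <nick> :\1VERSION\1.
CLIENTS = [
    {"nick": "fdjkslsfde", "user": "fdjkslsfde", "realname": "fdjkslsfde", "identified": False},
    {"nick": "qwkzxvbnmp", "user": "qwkzxvbnmp", "realname": "qwkzxvbnmp", "identified": False},
    {"nick": "alice", "user": "alice", "realname": "Alice L.", "identified": True},
    # Real user with CTCP replies switched off: must not be flagged on that alone.
    {"nick": "privacyfan", "user": "pf", "realname": "n/a", "identified": False},
]
RAW_LINES = [
    ":alice!alice@host.example NOTICE VersionBot :\x01VERSION mIRC v6.16\x01",
    ":privacyfan!pf@host.example NOTICE VersionBot :plain notice, not a CTCP reply",
]

# A CTCP reply is a NOTICE whose trailing text is wrapped in 0x01 bytes.
CTCP_REPLY = re.compile(r"^:([^!\s]+)!\S+ NOTICE \S+ :\x01([^\x01\s]+)(?: ([^\x01]*))?\x01?$")

def version_responders(lines):
    """Return the set of nicks that sent a CTCP VERSION reply."""
    found = set()
    for line in lines:
        m = CTCP_REPLY.match(line.rstrip("\r\n"))
        if m and m.group(2).upper() == "VERSION":
            found.add(m.group(1))
    return found

def signals(client, responders):
    """Independent indicators taken from the traits described in the thread."""
    s = []
    if client["nick"] not in responders:
        s.append("no-version-reply")
    if client["nick"] == client["user"] == client["realname"]:
        s.append("nick=user=realname")
    if not client["identified"]:
        s.append("not-identified")
    return s

def candidates(clients, lines, threshold=3):
    """Flag only clients matching `threshold` or more signals, never one alone."""
    responders = version_responders(lines)
    flagged = {}
    for c in clients:
        sig = signals(c, responders)
        if len(sig) >= threshold:
            flagged[c["nick"]] = sig
    return flagged
```

Calling `candidates(CLIENTS, RAW_LINES, threshold=1)` shows the false positive codemastr describes: `privacyfan` is flagged alongside the two drones.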