hiding servers

These are old archives. They are kept for historic purposes only.
crazytoon
Posts: 20
Joined: Thu Jul 15, 2004 11:27 am
Location: Germany

hiding servers

Post by crazytoon » Tue Dec 07, 2004 2:34 am

** moderator edit: this topic was split from another topic, context: syzop was taking over 5 modules from angrywolf, not mentioning hideserver **
hi syzop :)

hideserver is a very nice module too (not because you have the possibility to disable /map or /links), it's because you can hide the HUB/s or non-U:lined servers to protect them a bit (can be a nice feature for UnrealIRCd too :P -hide-ulines +hide-server *g*)
The module works well, I know of no bugs; the only thing is that it doesn't support flat-map :/ , so if you ever have time maybe you can take a look :)

thanks

Syzop
UnrealIRCd head coder
Posts: 1957
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Tue Dec 07, 2004 5:44 pm

crazytoon: well, I don't like that module because it gives a false sense of security[1], so no.. I'm not going to maintain it :p.

Stealth: For the modules that I'll take over (the ones mentioned above, angrywolf gave his ok btw), I'll integrate them in the module packs (win&nix)[2], so I'll take care of that, you won't have to bother about those anymore :)
I'll do that within 1-2 weeks, I'll (try to :P) remember to notify you once I have them in the new modpack.

[1] Hubs should be protected by the DNS-technique mentioned in Docs: 8.6 Denial of Service attacks (DoS) [or: how to protect my hub], if one would simply hide /map & /links then admins are very likely to "forget" doing that, and since hiding map&links does not offer any real security you make problems worse. Basically this is the long explanation of "a false sense of security is worse than no security"
[2] Well, probably marked that they are based on Angrywolf's work, I hate not giving(/getting) proper credit ;)

crazytoon
Posts: 20
Joined: Thu Jul 15, 2004 11:27 am
Location: Germany

Post by crazytoon » Thu Dec 09, 2004 4:29 pm

>> crazytoon: well, I don't like that module because it gives a false sense of security[1], so no.. I'm not going to maintain it :p.

Well, I can understand you :p (but as I said, it is NOT because admins have the possibility to disable /map or /links)...


>> [1] Hubs should be protected by the DNS-technique mentioned in Docs: 8.6 Denial of Service attacks (DoS) [or: how to protect my hub], if one would simply hide /map & /links then admins are very likely to "forget" doing that, and since hiding map&links does not offer any real security you

I know how to protect my hub :)
("Der punkt ist aber : was man nicht sieht kann man nicht angreifen *sfg*)

medice
Posts: 42
Joined: Fri Jul 09, 2004 11:02 pm

Post by medice » Thu Dec 09, 2004 6:59 pm

>> crazytoon wrote: Der punkt ist aber : was man nicht sieht kann man nicht angreifen *sfg*

I'll take the freedom to translate that one *g*
"The point is, you can't attack what you don't see"

but I can't see a point there - since /map or /links are not the only way to get data on the available servers, you don't remove/hide anything. you just remove the "cheapest" way to get the information - but there is still much to see and much to attack...

if a user connects - he has at least one ip and servername - that one he is on...
he may meet other users - whois them - he gets other servernames...

most irc-networks are constructed to be a public place - so there is information going around how to connect, maybe a webpage, they have round-robin-DNS - so a single resolve of "irc.thatnetwork.tld" or whatever they have opens every single server available...

solution: you have a private network with some IPs - no names, no hosts pointing to it, no webpage - let's say something no one knows about except the handful of guys setting this up and their girl-/boyfriends - maybe you even firewall down all incoming IP ranges except the static IPs of the people mentioned above (don't accept anyone with dynamic connects!) - the firewall should be at the first possible router of your ISP - not the holy ircd machine itself...

a really great understanding of irc and the sense of a community
have fun! ;)
greets
/medice

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Fri Dec 10, 2004 4:58 pm

The idea is to hide the dedicated hubs that clients don't connect to, not the leafs (there's little point in that). Now, you say server names can be grabbed from whois, but you could always take things to ircu's extremes: no servername/hopcount/local-channels (which aren't in unreal)/idle time (for anyone)/localoper status(?) from /whois /who anything else, but I think that's probably just asking for more trouble. The DNS trick works much better :P .

*edit* In fact, I wonder if the server names (in me::name, link::, etc) should be allowed to have characters not normally valid in a hostname... so as to facilitate the use of the DNS trick :) */edit*

Syzop
UnrealIRCd head coder
Posts: 1957
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Fri Dec 10, 2004 9:07 pm

>> but you could always take things to ircu's extremes

Well, AFAIK you can still get a server map, it's just that such things are less known (hence people might think they are safe, when they are in fact not).

>> but I think that's probably just asking for more trouble. The DNS trick works much better

Exactly.

>> I wonder if the server names (in me::name, link::, etc) should be allowed to have characters not normally valid in a hostname... so as to facilitate the use of the DNS trick

I don't see why this would help? You just need not to put a DNS entry in your dns servers :P. Perhaps it would even encourage subtle tricks like using ß online and s/ss in the domain name. Not to mention, the other aspects of this (compatibility, etc).
I also wondered when writing the "how to protect my hub" section to say something like "or put it in DNS under a completely different name (eg: hub1.thisisprivate.mynet.net)", but quickly realized how often people fail to protect against zone transfers (Tens of TLD's have ZXFR's enabled, and I even recently notified the bopm team that the whole *.opm.blitzed.org could be fetched [thus giving you a nice proxy list of thousands of ips]).. It's easy stuff to misconfigure/forget [it even happens to me], and it's not always your fault (dns provider, ..).

crazytoon
Posts: 20
Joined: Thu Jul 15, 2004 11:27 am
Location: Germany

Post by crazytoon » Fri Dec 24, 2004 1:54 am

>> I don't see why this would help?

well ... I don't see the point why other things are helpful, just for example:

hide-ulines; <--- "false sense of security" YES! , helpful ?
why? to protect your services ? don't think so :) ( just type /version services.* or /whois someserv )

flat-map; <--- "false sense of security" YES! ( a big one for lazy admins),
helpful ? (YES! can be but not at the time) , logically NO! ( it was a feature request here to have the possibility to set a QUIT message if a server splits ) (don't know the bug number now :P) so with such an OPTION flat-map; can be helpful ..

btw all these OPTIONS / features can have a "false sense of security" but can be helpful too..

so why is it sooo bad to have an option like hide-server ? or set::splitmsg ?
because some admins are too lazy to read the docs ? lol

If someone is BAD he will ddos / flood your known IPs / Hosts ...

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Fri Dec 24, 2004 2:08 am

hide ulines isn't so much to hide services but to hide what server they link to. That information is near impossible to get :) .

Syzop
UnrealIRCd head coder
Posts: 1957
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Fri Dec 24, 2004 2:28 am

I'm afraid your attitude doesn't match ours...

You think the more you hide, the more secure you are.

We think, the more you hide using a FLAWED concept, the more FALSE sense of security you will get, which is DANGEROUS.
As said, we could go into ircu extremes, and then you can still get a server map via tricks... that is NOT good.

I suppose you are the type of person who would like to block /version and then simply forgets the other super-simple way to see the version.

>> hide-ulines; <--- "false sense of security" YES! , helpfull ?
>> why? to protect your services ? don't think so :) ( just type /version services.* or /whois someserv )

- You are wrong, hide-ulines was never there for that reason, it was to hide to which server it was linked to (it has existed for years, flat-map is a much more recent idea). Almost nobody adds services.mynet.net to DNS, so D(Dos) was never the reason.
- You are right, hiding servers for that reason is just stupid!

On a sidenote, it seems you are contradicting yourself?
>> ("Der punkt ist aber : was man nicht sieht kann man nicht angreifen *sfg*)

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Fri Dec 24, 2004 2:35 am

Of course, following this, removing all servers from whois / etc (like ircu does) isn't necessarily for protecting servers... consider that someone wants to knock a user off the server to try to take over his channel, but with cloaked hosts he can't get the real IP, so he might attack the server that user is on, but while he could probably get the name of every connectable server, he won't be able to find out which one that user is on, he'd probably have to attack at random, which may result in lots of missing and getting him glined off the net before he can even accomplish his goal...

This of course is less important with channel services, but... still a thing to think about?

>> ("Der punkt ist aber : was man nicht sieht kann man nicht angreifen *sfg*)

Translation? (I don't trust babelfish :P )

Syzop
UnrealIRCd head coder
Posts: 1957
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Fri Dec 24, 2004 3:03 am

>> but while he could probably get the name of every connectable server, he won't be able to find out which one that user is on

Why not? A simple example is if you /whois someone and (s)he is local, you will see idle time... Just to name ONE example of how to detect such things ;p. If he can go flood all servers, then I suppose it isn't too hard either to just connect to them and /whois ;).
That said, indeed.. this is not much of an issue on networks with chanserv etc... Which is, IMO, a real must for a real public network. (and yes, that's me saying that, even though I originally come from ircnet :P).

Also, forgive me if this will be my last post here, as you might understand one can get a bit tired of it, and I have, just like others, other nicer things to do.. the next days in particular ;).

medice translated it (correctly) a few posts up here: "The point is, you can't attack what you don't see" ;p

crazytoon
Posts: 20
Joined: Thu Jul 15, 2004 11:27 am
Location: Germany

Post by crazytoon » Fri Dec 24, 2004 4:25 am

>> I suppose you are the type of person who would like to block /version and then simply forgets the other super-simple way to see the version.

no syzop i'm not..

>> On a sidenote, it seems you are contradicting yourself?

no! it was only an example for the services or U:lined servers like stats, irc defender or whatever ... because everyone knows 99% of the networks are hiding them with hide-ulines; ...

my HUB is called H.U.B , no one knows the IP (well a few admins :P) , only two IPs are allowed to connect to the HUB just in case something is wrong , only SSL connects on a non-standard port , /stats P is restricted too and you need the right password to connect, which is ripemd160 (as you can see I do my best to protect my HUB) .. (don't think I don't read the UnrealIRCd docu)

>> You think the more you hide, the more secure you are.

NO I don't think so! and hideserver is not really a new idea, it is a bit modified version of hide-ulines then... but I don't think it is bad to have such options .

>> and then you can still get a server map via tricks

yes you can by using hopcount or something but you need to know the network map first ...

So just an example ( because I think my english really sucks and I can't explain what I mean *g*)

flat-map on

user does /map from server 1, this looks like :

server1.my.cool.net
|-H.U.B
|-server2.my.cool.net
|-server3.my.cool.net
|-H.U.B2
|-services.for.my.cool.net <-- hidden by hide-ulines

looks all nice and secure, but if some server splits you see the link
Quit (H.U.B server2.my.cool.net ) BAD ! or not ?

flat-map on
hide-server on ( let's say we have this)
set::splitmsg ( let's say we have this)
now we can play a bit .. H.U.B , H.U.B2 and services are hidden now ( and just to confuse the "bad" ppl I just JUPE 2 (for example, but not needed))

user does /map from server 1, this looks like :

server1.my.cool.net
|-H.U.B.my.cool.net <-- the host is known so I can do this (and it is a fake)
|-H.U.B <-- hidden for the user
|-server2.my.cool.net
|-server3.my.cool.net
|-H.U.B2.my.cool.net
|-H.U.B2 <-- hidden for the user
|-services.for.my.cool.net <--- hidden for the user

on split we have :

Quit ( just updating ) or something ....
I think now "flat-map" has a good function or not ? and is more secure ..

it's only my opinion ... but maybe I'm wrong, can be

@ aquanight
Der punkt ist aber : was man nicht sieht kann man nicht angreifen *sfg*
it means :
"The point is, you can't attack what you don't see"
Last edited by crazytoon on Fri Dec 24, 2004 4:30 am, edited 2 times in total.
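
The leak in the first /map example above (flat-map on, but the split quit still names both ends of the link), as an added example that is not part of the original thread: a check an admin could run over a client-side channel log to see which supposedly hidden servers show up in split quits. The log line format, the sample lines and the function name are constructed for illustration; the server names are the ones used in the post.

```python
import re

# A netsplit quit reason is the two server names on either side of the broken
# link, e.g. "Quit (H.U.B server2.my.cool.net)". Server names always contain a
# dot, which separates them from ordinary two-word quit messages.
SPLIT_QUIT = re.compile(r"Quit \(\s*(\S+\.\S+)\s+(\S+\.\S+)\s*\)")

# Servers the admin believes are hidden from users (names taken from the post).
HIDDEN = {"H.U.B", "H.U.B2", "services.for.my.cool.net"}

# Constructed sample of what any user sitting in a channel would log.
SAMPLE_LOG = [
    "[02:14] * alice (a@host1.example) Quit (H.U.B server2.my.cool.net)",
    "[02:14] * bob (b@host2.example) Quit (H.U.B server2.my.cool.net )",
    "[02:20] * dave (d@host4.example) Quit (Quit: going to bed)",
    "[02:31] * carol (c@host3.example) Quit (H.U.B2 server3.my.cool.net)",
    "[02:40] * erin (e@host5.example) Quit (just updating)",
]


def leaked_links(log_lines, hidden):
    """Return (links, exposed): every link seen in split quits, and for each
    supposedly hidden server the peers it was shown linked to."""
    hidden_lc = {name.lower() for name in hidden}
    links, exposed = set(), {}
    for line in log_lines:
        match = SPLIT_QUIT.search(line)
        if not match:
            continue  # ordinary quit, or a fixed split message: nothing leaks
        near, far = match.group(1).lower(), match.group(2).lower()
        links.add((near, far))
        for name, peer in ((near, far), (far, near)):
            if name in hidden_lc:
                exposed.setdefault(name, set()).add(peer)
    return links, exposed


if __name__ == "__main__":
    links, exposed = leaked_links(SAMPLE_LOG, HIDDEN)
    for name, peers in sorted(exposed.items()):
        print(f"{name} is visible in split quits, linked to: {', '.join(sorted(peers))}")
```
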

crazytoon
Posts: 20
Joined: Thu Jul 15, 2004 11:27 am
Location: Germany

Post by crazytoon » Fri Dec 24, 2004 4:27 am

>> just connect to them and /whois

if you can connect then yes :P
