Some thoughts on cloaking

These are old archives. They are kept for historic purposes only.
grifferz
Posts: 5
Joined: Tue Aug 23, 2005 1:12 pm

Some thoughts on cloaking

Post by grifferz »

Hi, not sure if this is exactly the right forum, but I couldn't spot one better. I have some concerns about the cloaking as implemented in Unreal and thought maybe some longstanding Unreal IRC admins, and possibly even those who implemented it, could comment.

My first concern is that the fake hosts that are generated could possibly be existing hosts. While I do not consider it realistic that someone could create such a host ahead of time, they certainly could create one after seeing another user's host.

For example, say you have a user with the mask:

somenick![email protected]

When cloaked this may appear as:

somenick![email protected]

A miscreant can now register somenet-0x12345678.com as a real domain, costing only a few dollars, and when they have cloaking disabled they appear to have the exact same host as somenick. somenick's host may well be static so unless the server's cloak keys change then somenick will always have somenet-0x12345678.com as their cloaked host and the miscreant's host will always be creating confusion.

Do you consider that a problem?

I thought perhaps it could be solved by putting the cloaking string at the end of the host to create a new TLD that could never really exist, e.g.:

someone![email protected]

but it struck me that this removes the nice ability to ban:

*.some.example.com

and expect to have it work whether users are cloaked or not.

My second idea was to include "_" in the cloak string, as that is not valid in an internet hostname; however, if users had hosts that were syntactically invalid then perhaps that would confuse some scripts/clients.

Would really appreciate hearing others' thoughts on this.

Cheers,
Andy
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

1) It cloaks @Jason.test.com to look like @AD53F5B.test.com, not @Jason.AD53F5B.com

2) The person registering the domain would also have their host cloaked, so it wouldn't match. (My network forces host cloaking, and I'm sure others do.)

3) The malicious user's ISP would have to let them set their reverse DNS like this; buying the domain would do nothing.

4) Never seen it happen. Doubt it will. If someone complains about impersonation, an oper can zline the IP of the offender.
Why the hell can't my signature be empty?
"Your message contains too few characters."
Matridom
Posts: 296
Joined: Fri Jan 07, 2005 3:28 am

Post by Matridom »

Jason wrote: My network forces host cloaking, and I'm sure others do.
Yup, same here; I even remove the ability for users to uncloak themselves.

Additionally, the connection notice gives the real IP; if I see a connection that looks like one of my cloaked hosts, I would definitely take steps at that point.
Never argue with an idiot. They will bring you down to their level, then beat you with experience.
grifferz
Posts: 5
Joined: Tue Aug 23, 2005 1:12 pm

Post by grifferz »

Jason,
Jason wrote: 1) It cloaks @Jason.test.com to look like @AD53F5B.test.com, not @Jason.AD53F5B.com
In my example I specified a user with a host like example.com, not jason.example.com. Such users do exist. Furthermore even if the host contained three parts, someone who owns the domain comprising the last two parts can create their own subdomains as they wish.
Jason wrote: 2) The person registering the domain would also have their host cloaked, so it wouldn't match. (My network forces host cloaking, and I'm sure others do.)
"Don't let them disable cloaking" doesn't really seem like an acceptable solution for me, though fair enough if it does for you.
Syzop
UnrealIRCd head coder
Posts: 2116
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

grifferz wrote: In my example I specified a user with a host like example.com, not jason.example.com. Such users do exist. Furthermore, even if the host contained three parts, someone who owns the domain comprising the last two parts can create their own subdomains as they wish.
You mean like, someone would register such a domain specifically to annoy someone? (Or do you see another scenario?)
Possible.... Haven't seen it, but.. some people got too much time (and money, or fraud credit cards) on their hands.
As others pointed out, it is still limited in the amount of people you can harass by it, however.
Still, you got a (theoretical) point :P.
Jason wrote: 2) The person registering the domain would also have their host cloaked, so it wouldn't match. (My network forces host cloaking, and I'm sure others do.)
"Don't let them disable cloaking" doesn't really seem like an acceptable solution for me, though fair enough if it does for you.
Some networks do it so users cannot be tricked or forced by others to -x themselves. Of course you can then still disagree if it is good or bad, but just to say it might have some more considerations than you might think ;p.
grifferz
Posts: 5
Joined: Tue Aug 23, 2005 1:12 pm

Post by grifferz »

Syzop wrote: You mean like, someone would register such a domain specifically to annoy someone?
Yes, and for some TLDs this would even be free. For com/net/org it is still only a couple of dollars.

So my question is, can anyone think of a way that the cloaking code could be modified to avoid this? Putting the cloak text at the END of the cloaked host is one way as I said, but not ideal.
Matridom
Posts: 296
Joined: Fri Jan 07, 2005 3:28 am

Post by Matridom »

grifferz wrote:
Syzop wrote: You mean like, someone would register such a domain specifically to annoy someone?
Yes, and for some TLDs this would even be free. For com/net/org it is still only a couple of dollars.

So my question is, can anyone think of a way that the cloaking code could be modified to avoid this? Putting the cloak text at the END of the cloaked host is one way as I said, but not ideal.
The idea behind the current cloak is to mask the part of the IP that is constantly changing (i.e. in DNS, the left side), but leave the ISP's part UNMASKED so that you can get an idea of who the service provider is.

If you move the masking to the other side, I can easily see the most dynamic part of the IP; a simple question of asking the user who his ISP is gives me his full IP without him realizing it.

The only way to totally mask it beyond a shadow of a doubt would be to mask it fully like IPs are.

The current mask is a compromise between total security and total information.

Finally, cloaking is now a module. I'm sure that if you don't like it, someone will be more than happy to program an algorithm that fits your specifications (if the $ is right).
Never argue with an idiot. They will bring you down to their level, then beat you with experience.
grifferz
Posts: 5
Joined: Tue Aug 23, 2005 1:12 pm

Post by grifferz »

Matridom wrote: The idea behind the current cloak is to mask the part of the IP that is constantly changing (i.e. in DNS, the left side), but leave the ISP's part UNMASKED so that you can get an idea of who the service provider is.

If you move the masking to the other side, I can easily see the most dynamic part of the IP; a simple question of asking the user who his ISP is gives me his full IP without him realizing it.
Apologies for not being clear. I am saying that instead of doing this:

somenick![email protected]

one could do this:

somenick![email protected]

Purely because SomeNet is not and is unlikely to ever be a valid TLD. The first part of the host is still cloaked.

But I noted that this is perhaps undesirable because most of the hosts would look a bit like this:

othernick![email protected]

a typical ban on that would end up as

*@*.x.y.z.isp.com.SomeNet

which doesn't match people from isp.com when they are uncloaked. That would be fixing one undesirable thing to add another, perhaps even more undesirable thing.
Matridom wrote: The only way to totally mask it beyond a shadow of a doubt would be to mask it fully like IPs are.

The current mask is a compromise between total security and total information.
It's not my goal to mask it entirely; I am just concerned that the output of the cloak is still a valid domain which in some cases can just be registered, and am wondering if there is some other way to present it that would avoid that.
Matridom wrote: Finally, cloaking is now a module. I'm sure that if you don't like it, someone will be more than happy to program an algorithm that fits your specifications (if the $ is right).
I don't actually use Unreal, only its cloaking code, so if anyone can think of a better way to present the cloaked host then I will implement that.
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

grifferz wrote: But I noted that this is perhaps undesirable because most of the hosts would look a bit like this:

othernick![email protected]

a typical ban on that would end up as

*@*.x.y.z.isp.com.SomeNet

which doesn't match people from isp.com when they are uncloaked. That would be fixing one undesirable thing to add another, perhaps even more undesirable thing.
Not true. Even if you turn off cloaking, Unreal will still check your cloaked host against channel bans. This cloaked host is always stored whenever you are -x (even if you previously had a vhost set via SETHOST/CHGHOST).

grifferz wrote: It's not my goal to mask it entirely; I am just concerned that the output of the cloak is still a valid domain which in some cases can just be registered, and am wondering if there is some other way to present it that would avoid that.
Firstly, remember that this is a very small set of users that have a two-part domain name.

Secondly, klines and glines don't check cloaked host at all, so...

/gline *@<cloakprefix>-* 0 Faking cloaked hosts is not permitted on this network.
(For extra permanence, stick it in your OperServ AKILL list, or your ircd configuration as ban user{} blocks.)

Personally, I wonder if cloaking is appropriate at all when a two-part domain is involved. The current algorithm cloaks the bottom level domain of the hostname, which leaves the ISP name visible in case an abuse@ email needs to be fired off. When a two-part domain is involved... the information is unavailable completely.
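An added example, not code from UnrealIRCd or from anyone in this thread, that models the cloak being discussed, the ban-mask check, and the G-line aquanight suggests: it assumes a cloak prefix of SomeNet, a constructed key, and a keyed SHA-256 in place of Unreal's own MD5-based cloak module; every host in it is constructed.

```python
import fnmatch
import hashlib
import hmac

# Constructed demo values: the prefix and key belong to no real network, and
# this keyed SHA-256 stands in for Unreal's own MD5-based cloak module.
CLOAK_PREFIX = "SomeNet"
CLOAK_KEY = b"constructed-demo-key-not-a-real-cloak-key"
GLINE_MASK = f"*@{CLOAK_PREFIX}-*"   # the G-line aquanight suggests above


def cloak_host(host: str) -> str:
    """Replace the leftmost label of host with PREFIX-HEX and keep the rest.

    The hash covers the whole host, so the same leftmost label on two domains
    cloaks differently. A two-part host ('example.com') becomes
    'PREFIX-HEX.com', which is a registrable name: the thread's concern.
    """
    labels = host.lower().split(".")
    digest = hmac.new(CLOAK_KEY, host.lower().encode(), hashlib.sha256)
    return ".".join([f"{CLOAK_PREFIX}-{digest.hexdigest()[:8].upper()}"] + labels[1:])


def mask_matches(mask: str, userhost: str) -> bool:
    """IRC-style ban mask match ('*' and '?' wildcards, case-insensitive).
    fnmatch also interprets '[...]', which hostnames never contain."""
    return fnmatch.fnmatchcase(userhost.lower(), mask.lower())


def forged_cloak_hit(ident: str, real_host: str) -> bool:
    """Defender check: a real (uncloaked) host that starts with the cloak
    prefix matches the suggested G-line, which is applied to real hosts."""
    return mask_matches(GLINE_MASK, f"{ident}@{real_host}")


def demo() -> dict:
    """Walk through the scenario discussed in the thread."""
    victim = cloak_host("example.com")          # two-part host, cloaked
    isp_ban = "*@*.isp.com"                     # an ordinary channel ban
    return {
        "victim_cloaked": victim,
        "fully_registrable": victim.count(".") == 1,   # no ISP part survives
        "isp_ban_hits_cloaked": mask_matches(isp_ban, "u@" + cloak_host("h1.dyn.isp.com")),
        "isp_ban_hits_real": mask_matches(isp_ban, "u@h1.dyn.isp.com"),
        # miscreant's rDNS set to the victim's cloaked host: caught by the G-line
        "forged_rdns_caught": forged_cloak_hit("u", victim),
        "honest_host_caught": forged_cloak_hit("u", "h1.dyn.isp.com"),
    }
```

The ordinary ISP ban matches the same user cloaked or not because the cloak keeps the domain suffix, while the G-line only ever fires on a real host that imitates the cloak prefix.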
Matridom
Posts: 296
Joined: Fri Jan 07, 2005 3:28 am

Post by Matridom »

With control over reverse DNS, it's possible to make your name look like anything, whether it's a valid domain or not.

I had one user whose reverse DNS came out to "localhost". So your concern about masking the DNS name will always be there no matter what you try to do to avoid it. If I really wanted to, I could make my DNS name resolve to "YouAreAnIdiot".

IPs are the only constants; that's why Unreal does DNS spoofing checks: IP->DNS and DNS->IP must match, and if they do not, the IP gets registered with the connection.

If someone is gonna go through the trouble of making a domain name based on a masked host, they won't bother registering; they will just hack/modify the appropriate pointer record for their IP.
Never argue with an idiot. They will bring you down to their level, then beat you with experience.
grifferz
Posts: 5
Joined: Tue Aug 23, 2005 1:12 pm

Post by grifferz »

Thanks aquanight, those are very good points I had not considered. I think with a ban on *@prefix-* I would be happy leaving the cloaked host format pretty much as it is.