Browser/Javascript POST attack
Just wanted to drop a note that if anyone is experiencing problems like this (also called Firefox XPS IRC Attack), then this is what I suggest you do:
1. If not done so already, then compile UnrealIRCd with NOSPOOF (spoof protection) enabled, on *NIX this is the first question asked during ./Config, on Windows it is always enabled.
2. I've released a nopost module which will kill/zline/etc such connections. http://www.vulnscan.org/UnrealIRCd/modu ... ost.tar.gz
You can do #2 without #1, and #1 without #2, but if you're really under attack then combining them is most effective.
Re: Browser/Javascript POST attack
Thank you for posting this, Syzop.
My network hasn't had this problem yet,
but one can't be too careful. Thank you,
for creating the module as well. :)
MightyWings
Re: Browser/Javascript POST attack
If I'm not mistaken the /close command would help too as it closes all unknown connections. So if I'm correct, issuing a /close command after a /rehash and loading the module should clean things up.
Perhaps someone that knows for sure can verify my statement.
Re: Browser/Javascript POST attack
CLOSE will only help if you have NOSPOOF enabled and there are a bunch of these connections stuck in user registration. Also, just loading the module will catch new connections and the old ones will time out after the user registration timeout (IIRC it's 30 seconds)
Re: Browser/Javascript POST attack
I see a lot of
[nopost] Killed connection from 207.46.195.226
That's a msn bot. Why would msn index irc?
Re: Browser/Javascript POST attack
transacid wrote:
> I see a lot of
> [nopost] Killed connection from 207.46.195.226
> That's a msn bot. Why would msn index irc?

Well, given that it triggered the [nopost] notice, this suggests that somewhere there is a URL directed at your IRC server:port that the bot/crawler followed, as the only way [nopost] notices are triggered with the nopost module is if the IRCd receives a "POST", "GET" or "PUT" command.
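An added example, not the nopost module's code and not from anyone in this thread: a first-line check in C for the condition described in the post above, where a new connection to the IRC port opens with GET, POST or PUT. The function names, the case-insensitive match, the exemption for registered users and the sample lines are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>

/* Verbs the thread names as triggering a [nopost] notice. */
static const char *const HTTP_VERBS[] = { "GET", "POST", "PUT" };
/* Constructed samples: a crawler's request and a normal IRC handshake. */
static const char *const CRAWLER[] = { "GET / HTTP/1.1\r\n", "Host: irc.example.net:6667\r\n" };
static const char *const CLIENT[] = { "NICK getter\r\n", "USER getter 0 * :Put Poster\r\n" };

/* Case-insensitive match of verb against the first token of s. The token
 * must end at a space, CR, LF or NUL, so "POSTER" does not count as "POST". */
static int token_is(const char *s, const char *verb)
{
    for (; *verb; s++, verb++)
        if (toupper((unsigned char)*s) != *verb)
            return 0;
    return *s == '\0' || *s == ' ' || *s == '\r' || *s == '\n';
}

/* 1 if a line from a not-yet-registered connection starts with an HTTP verb.
 * Skipping leading spaces and exempting registered users are assumptions. */
int looks_like_http(const char *line, int registered)
{
    size_t i;
    if (registered || line == NULL)
        return 0;
    while (*line == ' ')
        line++;
    for (i = 0; i < sizeof HTTP_VERBS / sizeof HTTP_VERBS[0]; i++)
        if (token_is(line, HTTP_VERBS[i]))
            return 1;
    return 0;
}

/* Index of the first line that would get the connection dropped, or -1. */
int first_rejected_line(const char *const *lines, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (looks_like_http(lines[i], 0))
            return (int)i;
    return -1;
}

int main(void)
{
    printf("crawler: %d, client: %d\n", first_rejected_line(CRAWLER, 2), first_rejected_line(CLIENT, 2));
    return 0;
}
```

The constructed client uses the nick "getter" and the real name "Put Poster" to show that only the command token is matched, so ordinary users whose names contain a verb are not dropped.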
Re: Browser/Javascript POST attack
Also the config doesn't seem to work. I get
*** Notice -- error: unrealircd.conf:949: unknown directive set::nopost
If i dun use the setting at all it works fine.
Re: Browser/Javascript POST attack
transacid wrote:
> Also the config doesn't seem to work. I get
> *** Notice -- error: unrealircd.conf:949: unknown directive set::nopost
> If i dun use the setting at all it works fine.

My bad. I've updated the module to fix this (url still the same).
As for the MSN bot, I (obviously) don't know the MSN bot internals, but it somehow thinks your IRC server is a website
Re: Browser/Javascript POST attack
Syzop wrote:
> transacid wrote:
> > Also the config doesn't seem to work. I get
> > *** Notice -- error: unrealircd.conf:949: unknown directive set::nopost
> > If i dun use the setting at all it works fine.
>
> My bad. I've updated the module to fix this (url still the same).
> As for the MSN bot, I (obviously) don't know the MSN bot internals, but it somehow thinks your IRC server is a website :)

Ok thanks, this one works fine ;)
Re: Browser/Javascript POST attack
oh btw, now i dun see any logmessages anymore :/
Re: Browser/Javascript POST attack
What settings do you use?
I get a message both with kill and with gline (though with anything other than kill it's like '*** G:Line added for ...... the reason..', and not a 'killed connection ..' as well, as that would seem a bit redundant)
Re: Browser/Javascript POST attack
Syzop wrote:
> What settings do you use?
> I get a message both with kill and with gline (though with anything other than kill it's like '*** G:Line added for ...... the reason..', and not a 'killed connection ..' as well, as that would seem a bit redundant)

oh nevermind. Didn't check my snomask ;) Everything good now.