Couple Support and bug things
Posted: Fri Apr 08, 2005 12:22 pm
by TigerKatziTatzi
Hi folks,
We are running a new network with a max load of 4,8k users, Unreal3.2.3 orig. After spending hours here to find anything that might have been reported/asked already, I'm a little bit tired of it and so I start this post, hoping u may help us in this way.
spamfilter (bug?):
Added spamfilter to trigger on user. Reason was a botnet of 350 clients. The only index on all of them had been the realname. Action was added to join viruschan. The spamfilter was added on the ircd (not included in spamfilter.conf).
Result: all leafs loaded with users had been killed. Lost 1,8k users at once.
Regexes for Windows paths are showing wrong in spamfilter and being triggered falsely. In the example spamfilter.conf u'll find a dcc block for the gaggle worm........ C:\\WINNT\\........blah . It's showing on /spamfilter as C:\WINNT\.....blah . We got a lot of kills for users who tried to send plain textfiles; the only thing was they had one of the triggered texts in their filename.
then one question:
how do i deactivate '/dns nickname' for norm users ?
thx for helping
TKT
Re: Couple Support and bug things
Posted: Fri Apr 08, 2005 1:52 pm
by Winbots
TigerKatziTatzi wrote:
how do i deactivate '/dns nickname' for norm users ?
That is something that mIRC does... that means that mIRC handles the dns command, not the ircd.
The ircd DOES have a dns command (you can access it via /raw dns) but it is already oper only if I'm not mistaken....
Re: Couple Support and bug things
Posted: Fri Apr 08, 2005 2:02 pm
by TigerKatziTatzi
Winbots wrote:
TigerKatziTatzi wrote:
how do i deactivate '/dns nickname' for norm users ?
That is something that mIRC does... that means that mIRC handles the dns command, not the ircd.
The ircd DOES have a dns command (you can access it via /raw dns) but it is already oper only if I'm not mistaken....
It's supposed to be oper only. But it isn't. So maybe another bug. Dunno. At least it should be for opers only. Otherwise it's too easy for haxors to gain ips, and in my experiences fighting against botnets this should work properly, so no regular user is able to use it.
Posted: Fri Apr 08, 2005 2:36 pm
by w00t
Erm...
/dns nickname (as was pointed out) is already client side, and can still be done in a command console (let's say Windows for this example) by a simple:
nslookup <host.goes.here>
THIS COMMAND CAN NOT BE DISABLED, IT'S CLIENT SIDE.
(as I pointed out, there isn't much point)
To see the OPER (ie IRCd) DNS command, try /quote dns or /raw dns
And you should note that in Unreal, setting usermode +x cloaks your host to other users.
On the spamfilter, well, you probably goofed up
We'd need more information to be sure.
As for the \\ == \ thing, if you had half a clue here, you'd realise that the first \ means the following character is a literal (in this case a backslash).
Re: Couple Support and bug things
Posted: Fri Apr 08, 2005 2:38 pm
by Dukat
TigerKatziTatzi wrote:
spamfilter (bug?):
Added spamfilter to trigger on user. Reason was a botnet of 350 clients. The only index on all of them had been the realname. Action was added to join viruschan. The spamfilter was added on the ircd (not included in spamfilter.conf).
Result: all leafs loaded with users had been killed. Lost 1,8k users at once.
Please tell us the exact /spamfilter command.
TigerKatziTatzi wrote:
Regexes for Windows paths are showing wrong in spamfilter and being triggered falsely. In the example spamfilter.conf u'll find a dcc block for the gaggle worm........ C:\\WINNT\\........blah . It's showing on /spamfilter as C:\WINNT\.....blah . We got a lot of kills for users who tried to send plain textfiles; the only thing was they had one of the triggered texts in their filename.
That's already fixed in CVS.
TigerKatziTatzi wrote:
It's supposed to be oper only. But it isn't. So maybe another bug. Dunno. At least it should be for opers only. Otherwise it's too easy for haxors to gain ips, and in my experiences fighting against botnets this should work properly, so no regular user is able to use it.
/quote dns IS oper only.
/dns is client side, you can't disable it.
EDIT: w00t was faster 
Re: Couple Support and bug things
Posted: Fri Apr 08, 2005 2:41 pm
by w00t
Dukat wrote:
That's already fixed in CVS.
Hmm, sounds like I've missed something though... Care to inform me?
Posted: Fri Apr 08, 2005 2:48 pm
by Dukat
No problem:
- spamfilter.conf Gaggle worm sigs were broken causing odd things to match, this is because \\ now needs to be escaped as \\\\ due to the 3.2.3 conf change... didn't think of updating sigs.
Posted: Fri Apr 08, 2005 2:51 pm
by w00t
Thanks.
Posted: Fri Apr 08, 2005 2:54 pm
by TigerKatziTatzi
about the dns thingy...........
We are coming from a Bahamut-based mod version. There /dns nickname was disabled for norm users. Dunno, otherwise we have to think about how to handle it. At least the command does a readout of the server's dns-cache.
About the kill of the spamfilter add:
/spamfilter add u viruschan - - abc\|d
realname was set abc|d
edited:
We are trying to redo it on a test net this weekend. Let's see if it is repeatable. Latest on Sunday u'll have more info.
Posted: Fri Apr 08, 2005 3:03 pm
by w00t
I'll ignore the spamfilter thing for now (Dukat seems better informed)
The DNS thing. Let me explain a few fundamentals about how the internet works.
DNS stands for Domain Name Service. Now, a user connects from an IP address. But IP addresses are hard to remember, so DNS maps those IP addresses to "human" names so we fallible beings can understand them more easily, think of it as a big table.
Now, ANYONE can access a DNS entry, as I pointed out earlier, by using nslookup. Let's do this on myself...
My host is xxxx.hay.dsl.connect.net.au [I'm not going to post it publically.]
I now run into a command console, and type:
nslookup xxxx.hay.dsl.connect.net.au
It returns
*** Can't find server name for address 10.1.1.1: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 10.1.1.1
Non-authoritative answer:
Name: xxxx.hay.dsl.connect.net.au
Address: 61.xx.xx.xx
[Again, i'm liberally blacking out stuff.]
In mIRC, I'll /dns w00t!
[01:01:50] * Dns resolving rox-B719AC3D.hay.dsl.connect.net.au
-
[01:01:51] * Dns unable to resolve rox-B719AC3D.hay.dsl.connect.net.au
Shock horror, I have +x set! So I'll -x...
[01:02:32] * Dns resolving xxxx.hay.dsl.connect.net.au
-
[01:02:32] * Dns resolved xxxx.hay.dsl.connect.net.au to 61.xx.xx.xx
Look at that...
Posted: Fri Apr 08, 2005 3:09 pm
by TigerKatziTatzi
I don't really care about this dns thing. Every user should be able to secure his system by himself. But being asked by users, I have to inform myself and them if it's possible to deactivate. Whatever, doesn't look like it.
Btw, running without +x as umode would show ur complete dns/ip right in the onjoin notice in a public window.
Also a /raw dns l would not give u all cached dns entries. So there's an expiry time. Guess I have to find out how this dns thingy really works.
E.g. doing /raw dns l received round about 80 dns entries.
Current Local Users: 781 Max: 922
Current Global Users: 3435 Max: 4820
Having close to 2k n00bs on a net is a different story, and most of them clicking on spam urls which contain the botnet virus.
Posted: Fri Apr 08, 2005 3:11 pm
by Dukat
I ignore the DNS thing (w00t's right).
TigerKatziTatzi wrote:
/spamfilter add u viruschan - - abc\|d
realname was set abc|d
edited:
We are trying to redo it on a test net this weekend. Let's see if it is repeatable. Latest on Sunday u'll have more info.
That spamfilter looks fine (ok, ^ and $ would have been nice...).
If you can reproduce it, you should report it to
http://bugs.unrealircd.org/
Only one last thing:
How exactly were the leafs killed? What happened?
Posted: Fri Apr 08, 2005 3:18 pm
by TigerKatziTatzi
Dukat wrote:
I ignore the DNS thing (w00t's right).
TigerKatziTatzi wrote:
/spamfilter add u viruschan - - abc\|d
realname was set abc|d
edited:
We are trying to redo it on a test net this weekend. Let's see if it is repeatable. Latest on Sunday u'll have more info.
That spamfilter looks fine (ok, ^ and $ would have been nice...).
If you can reproduce it, you should report it to
http://bugs.unrealircd.org/
Only one last thing:
How exactly were the leafs killed? What happened?
The ircds died. All ircds with user load.
We had one leaf without user load. Hubs and this leaf were still running.
It works fine when u don't have this load of users on which the filter will be triggered. We tested the filter first on the testnet, without users, and then joined some floodbots with settings for triggering.
Posted: Fri Apr 08, 2005 3:38 pm
by TigerKatziTatzi
for w00t......... an the dns thingy
I did a couple of tries. It's as I guessed already, with the readout of the server's dns cache.
/dns nickname on a long time connected user, won't give u any resolve
/whois nickname as ircop will show u still the dns and ip of a user
/dns nickname of a recently connected user will give u dns entry
so far about /dns nicknames ....................
Only vhost users are able to be resolved on the long term. But this will then show the ip of ur dns server.
Posted: Fri Apr 08, 2005 6:34 pm
by Duplex
Hi guys, I'm from the same network team as TigerKatziTatzi.
I actually set that spamfilter.
So a little more in-depth explanation of what i did:
1.) Connected on a testserver ( one single server, with anope services running).
2.) set /spamfilter add u viruschan - - abc\|d reasonhere
3.) disconnected and set (one for each connect) nickname, ident and realname to "abc|d" and connected
4.) every time I was correctly joined into the viruschan, worked exactly how it was meant to be
5.) back on the real network, i set the same filter. This time, it should have triggered ~350 clients with that realname at once (botnet as Tiger already mentioned).
6.) the moment I set the spamfilter, I got disconnected (I was connected to a hub), and after reconnect, all leafs that had userload (and therefore a part of those 350 bots) on them had died. Only hubs and 1 leaf were running.
so, this is exactly what happened, hope it helps you guys.
