CTCP Version replies and blocking bots

Posted: Thu Jul 15, 2004 2:54 am
by lord2800
I have a question. Recently our network has come under attack from bots which don't reply to a standard CTCP Version, is there any way I can block them with Unreal, or do you guys know any other solutions to blocking them?

Posted: Thu Jul 15, 2004 3:26 am
by codemastr
Heh. You're rather cryptic. You don't even know what the bot is called, how can we tell you how to detect it? :p there are hundreds of different bots that don't respond to a CTCP Version. Determining which one it is requires a bit more info. Does it join channels? Which ones? What nicknames does it use? What realname? Is ident enabled? What is the username? Does it respond to other CTCPs? Does it say anything? What happens when you send it a message? etc.

Posted: Thu Jul 15, 2004 4:56 am
by lord2800
codemastr wrote:Heh. You're rather cryptic.
Sorry, I don't know very much more about it than what I told you.
codemastr wrote:You don't even know what the bot is called, how can we tell you how to detect it? :p there are hundreds of different bots that don't respond to a CTCP Version.
I was hoping there was simply a way to detect, within the ircd, whether or not a client responds to CTCP Version, I can take it from there.
codemastr wrote:Determining which one it is requires a bit more info. Does it join channels? Which ones? What nicknames does it use? What realname? Is ident enabled? What is the username? Does it respond to other CTCPs? Does it say anything? What happens when you send it a message? etc.
Yes. It appears to be ones specified by the controller. Random nicknames (as in fdjkslsfde). Same as the nickname. Yes. Same as the nickname. No. Only when the controller specifies something to say it appears. Nothing, it refuses to respond.

Does that help any?

Posted: Thu Jul 15, 2004 4:31 pm
by codemastr
lord2800 wrote:I was hoping there was simply a way to detect, within the ircd, whether or not a client responds to CTCP Version, I can take it from there.
Banning based on no CTCP Version reply is usually a bad idea. People have a right to their privacy. As far as I know, mIRC is the only client that doesn't give you an option to turn off the CTCP Version. I have it shut off in my client. So that means, if I connect to your server, you're going to recognize me as a drone even though I'm not. Banning based on no version reply usually catches more actual users than drones.

Posted: Thu Jul 15, 2004 11:00 pm
by w00t
Sounds a lot like the IDENT argument.

Posted: Thu Jul 15, 2004 11:56 pm
by aquanight
codemastr wrote:I have it shut off in my client. So that means, if I connect to your server, you're going to recognize me as a drone even though I'm not.
Isn't there usually an exempt option so you can allow CTCPs from the "IRC[d]" pseudo-client? (Probably more complicated than that but...)

Posted: Fri Jul 16, 2004 7:54 pm
by codemastr
aquanight wrote: Isn't there usually an exempt option so you can allow CTCPs from the "IRC[d]" pseudo-client? (Probably more complicated than that but...)
Yeah, there is, but how do I know who is the IRCd?

Posted: Fri Jul 16, 2004 10:59 pm
by aquanight
Well... IRC is a reserved nick... (isn't it?) and if you really want to know, IIRC the "hostname" is the same as the servername...

Posted: Fri Jul 16, 2004 11:24 pm
by katsklaw
codemastr wrote:
lord2800 wrote:I was hoping there was simply a way to detect, within the ircd, whether or not a client responds to CTCP Version, I can take it from there.
Banning based on no CTCP Version reply is usually a bad idea. People have a right to their privacy. As far as I know, mIRC is the only client that doesn't give you an option to turn off the CTCP Version. I have it shut off in my client. So that means, if I connect to your server, you're going to recognize me as a drone even though I'm not. Banning based on no version reply usually catches more actual users than drones.
You can't shut off CTCP version, however you can disable all CTCP which will block version requests.

/ignore -t *!*@*

Posted: Sat Jul 17, 2004 1:41 am
by codemastr
katsklaw wrote:You can't shut off CTCP version, however you can disable all CTCP which will block version requests.
True, and from what I understand there are also some DLLs out there that can also change the version reply, so I would not be surprised if they also have a way to disable it.

Posted: Sat Jul 17, 2004 2:06 am
by katsklaw
that last mIRC exploit rumor was related to one such dll ... I'll stick with /ignore -t *!*@* :lol:

IMO CTCP is 100% useless to begin with ..

Posted: Sat Jul 17, 2004 3:53 am
by codemastr
Well, it depends. By mIRC's definition of CTCP, maybe, by the true definition, it's pretty useful. What I mean is, mIRC does not treat DCC and ACTION (/me) as CTCP messages as far as the ignore feature is concerned.

Posted: Sat Jul 17, 2004 4:12 am
by katsklaw
that's correct .. mIRC uses NOTICE for DCC and PRIVMSG for ACTION.

Posted: Sat Jul 17, 2004 5:28 am
by aquanight
Huh? All CTCPs use PRIVMSG and NOTICE...

PRIVMSG :\1PING 123\1 - CTCP request

NOTICE :\1PING 123\1 - CTCP reply
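
The framing discussed in the posts above, as an added example that is not part of the original thread: a small Python parser that pulls CTCP chunks out of raw PRIVMSG and NOTICE lines. The function name, the dict layout and the sample lines are assumptions made for illustration.

```python
import re

CTCP_DELIM = "\x01"  # the byte written as \1 in the post above

# Raw IRC line: optional ":prefix", a command, middle params, optional " :trailing".
LINE_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+)"
    r"(?P<middle>(?: [^: ]\S*)*)(?: :(?P<trailing>.*))?$"
)

def parse_ctcp(line):
    """Return one dict per CTCP chunk carried by a raw IRC line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return []
    cmd = m.group("cmd").upper()
    if cmd not in ("PRIVMSG", "NOTICE"):
        return []
    # PRIVMSG carries requests (and ACTION/DCC); NOTICE carries replies.
    kind = "request" if cmd == "PRIVMSG" else "reply"
    sender = (m.group("prefix") or "").split("!", 1)[0] or None
    target = (m.group("middle").split() or [None])[0]
    # Text between delimiter pairs sits at the odd indexes after splitting.
    # A missing closing delimiter still leaves the chunk at an odd index.
    chunks = (m.group("trailing") or "").split(CTCP_DELIM)[1::2]
    out = []
    for chunk in chunks:
        if not chunk:
            continue
        name, _, args = chunk.partition(" ")
        out.append({"kind": kind, "sender": sender, "target": target,
                    "command": name.upper(), "args": args})
    return out

# Constructed sample lines (hosts and most nicknames are made up).
SAMPLES = [
    ":oper!o@example.net PRIVMSG fdjkslsfde :\x01VERSION\x01",
    ":alice!a@example.org NOTICE oper :\x01VERSION ExampleClient 1.0\x01",
    ":alice!a@example.org PRIVMSG #chan :\x01ACTION waves\x01",
    ":alice!a@example.org PRIVMSG bob :\x01DCC SEND f.txt 2130706433 5000 12\x01",
    ":alice!a@example.org PRIVMSG #chan :plain text, no CTCP",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_ctcp(s))
```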

Posted: Sat Jul 17, 2004 8:39 am
by lord2800
Either way, the problem is resolved now. There wasn't any true way to block the bots - I talked with the attacker and he said he had everything customized and fully changeable on the fly. The best we could do (since we use Anope) was block all incoming connections and mass-kill based on some common denominator (all sitting in some channel, all not identified, all not in a channel, etc.). There wasn't any real way around this flood.