[Ircd] the drone problem on che
Bill Fumerola
billf at mu.org
Sat May 31 14:45:37 PDT 2003
che currently has a fair amount of the client load being used by drones.
i'd guess 15% +/- 5% depending on time of day and active opers. drones
are compromised machines that gather and lurk on an irc network to be
discovered and controlled.
typically drones are used as distributed dos packet generators, but i
haven't looked at all what they're doing once they connect (or who, if
anyone, is controlling them). i don't really plan to either, manual
intervention doesn't scale well.
to the human eye, they're trivially easy to spot, examples:
User users GJ1425[~o24837746 at ipdial-184-83.tri-isys.com] (202.81.184.83) 674 5566
User users FD3913[~f83516355 at ipdial-184-83.tri-isys.com] (202.81.184.83) 696 5566
User users JW2715[~r21841314 at 203.215.92.172] (203.215.92.172) 675 5553
User users bacca779[~9442 at gw-ta.mining.itb.ac.id] (167.205.3.3) 34 12222
User users bacca3403[~3312 at gw-ta.mining.itb.ac.id] (167.205.3.3) 33 12222
we can grab the low hanging fruit of the bots that virtually announce
their presence with neon lights by trying to spawn more than 5 clients
(often 10 or more) on che. when they attempt the 6th client, this generates
a message to opers:
!che.indymedia.org Too many on IP for just^3917[1911 at 203.215.92.84] (203.215.92.84).
and this is logged in the ircd's main log file (ircd/logs/ircd.log):
[2003/5/31 09.09] Too many connections on IP from just^3917[1911 at 203.215.92.84].
as much fun as watching for these and adding d:lines by hand was getting,
i wrote a script (ircd/bin/dronefind.sh) to find the habitual offenders.
the script finds these drones/clones and either recommends d:lines or
generates an ircd.conf section (an auth class that references a user
class that allows one connection per ip) that can be included from the
main config file. the sensitivity values can all be tweaked. dronefind
does take into account current d:lines and won't recommend a configuration
that doesn't make sense because the host is already banned.
this still doesn't help get rid of the drones for good, they'll continue
to hammer away trying to connect. though they are taking up less resources
(one connect instead of five) they still generate log noise (they'll
still try to connect more than once) and are still using imc irc as a
gathering point for god knows what activity. a gradual approach of
limiting known bad hosts and networks to one connection and then later
d:lining the aggressive drones will probably work well.
the more technically advanced solution involves setting up a connection
monitoring bot that checks incoming hosts for open wingate/socks/etc
proxy connections. this code is already available (hybrid-tcm, others),
but it is a bit more invasive (as opposed to passively monitoring our
own logs) so i would consider it something to discuss at the jun 01
meeting. the ssl irc sessions would be exempt from this.
for those who are on this mailing list but don't have accounts on che,
i've attached the script. without an ircd.log populated with "Too many
connection" messages, it's not all that interesting. explaining the
problem and sending this mail now beats spending a lot of time explaining
this problem tomorrow, though.
thanks for reading this far,
--
- bill fumerola / fumerola at yahoo-inc.com / billf at FreeBSD.org / billf at mu.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dronefind.sh
Type: application/x-sh
Size: 4702 bytes
Desc: dronefind.sh
Url : http://lists.indymedia.org/pipermail/ircd/attachments/20030531/3fbca288/dronefind.sh
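The kind of log mining the mail describes, as an added example written for this page: it is not the attached dronefind.sh (which is only linked above, not reproduced), and none of the thresholds, block names or the sample log are from the original. The script counts "Too many connections on IP" lines per source address from a constructed ircd.log (the real log uses "@" where the web archive shows " at "), skips addresses that an existing deny block already covers, and prints an ircd.conf fragment in ircd-hybrid 7 block syntax: a deny block for the worst offenders and an auth block pointing at a one-connection-per-IP class for the rest.

```shell
#!/bin/sh
# Added example, not the original dronefind.sh. Assumed thresholds and names:
DLINE_MIN=${DLINE_MIN:-20}      # hits at/above this: recommend a deny (d:line) block
LIMIT_MIN=${LIMIT_MIN:-5}       # hits at/above this: limit the host to one connection
CLASS_NAME=${CLASS_NAME:-drones}

# Print "count host" (most hits first) for every address that triggered a
# "Too many connections on IP from nick[user@host]." line in the log.
count_offenders() {
  awk '/Too many connections on IP from/ {
         if (match($0, /\[[^]@]*@[^]]+\]/)) {        # the [user@host] part
           s = substr($0, RSTART + 1, RLENGTH - 2)
           sub(/^[^@]*@/, "", s)                     # keep only the host
           n[s]++
         }
       }
       END { for (h in n) print n[h], h }' "$1" | sort -rn
}

# Addresses already listed in deny { ip = "..."; }; blocks (exact match only,
# CIDR ranges are not expanded).
existing_denies() {
  awk '/^deny[[:space:]]*[{]/,/^[}];/' "$1" |
    sed -n 's/.*ip[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Emit the config fragment for LOG, honouring deny blocks already in CONF.
dronefind() {
  log=$1; conf=$2
  denied=" $(existing_denies "$conf" | tr '\n' ' ') "
  printf '# dronefind: deny at >=%s hits, one-per-ip at >=%s hits\n' "$DLINE_MIN" "$LIMIT_MIN"
  printf 'class {\n\tname = "%s";\n\tping_time = 2 minutes;\n\tnumber_per_ip = 1;\n' "$CLASS_NAME"
  printf '\tmax_number = 100;\n\tsendq = 100 kbytes;\n};\n'
  count_offenders "$log" | while read -r count host; do
    case "$denied" in
      *" $host "*) printf '# %s: %s hits, already in a deny block\n' "$host" "$count"; continue ;;
    esac
    if [ "$count" -ge "$DLINE_MIN" ]; then
      case "$host" in
        *[!0-9.]*)   # deny wants an address; a hostname only gets the limit
          printf '# %s: %s hits, hostname not IP, limiting instead\n' "$host" "$count"
          printf 'auth {\n\tuser = "*@%s";\n\tclass = "%s";\n};\n' "$host" "$CLASS_NAME" ;;
        *)
          printf 'deny {\n\tip = "%s";\n\treason = "drones: %s clone attempts";\n};\n' "$host" "$count" ;;
      esac
    elif [ "$count" -ge "$LIMIT_MIN" ]; then
      printf 'auth {\n\tuser = "*@%s";\n\tclass = "%s";\n};\n' "$host" "$CLASS_NAME"
    fi
  done
}

# Constructed sample input: 25 hits from 203.215.92.84 (deny tier), 8 from
# 202.81.184.83 (limit tier), 2 from 167.205.3.3 (below threshold), and 30
# from 10.0.0.9, which the sample config already denies.
run_demo() {
  dir=$(mktemp -d)
  emit() {   # emit COUNT HOST: COUNT log lines in the format the post quotes
    i=0
    while [ "$i" -lt "$1" ]; do
      printf '[2003/5/31 09.%02d] Too many connections on IP from just^%d[1911@%s].\n' \
        $((i % 60)) $((3900 + i)) "$2"
      i=$((i + 1))
    done
  }
  {
    printf '[2003/5/31 09.00] Client connecting: foo[~x@10.0.0.1]\n'  # unrelated noise
    emit 25 203.215.92.84; emit 8 202.81.184.83; emit 2 167.205.3.3; emit 30 10.0.0.9
  } > "$dir/ircd.log"
  printf 'deny {\n\tip = "10.0.0.9";\n\treason = "old ban";\n};\n' > "$dir/ircd.conf"
  dronefind "$dir/ircd.log" "$dir/ircd.conf"
  rm -rf "$dir"
}

run_demo
```

The fragment is meant to be written to a file and included from the main ircd.conf, as the mail suggests; because auth blocks are matched in the server's own precedence order, check the ircd's documentation on where a host-specific auth block has to sit relative to the catch-all one before relying on it, and note that the deny check above only recognises exact IPs, so a host inside an existing CIDR deny will still be recommended.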