>>>>> "Donald" == Donald Quixote VI <holeekow@xxxxxxxxx> writes:

Donald> hi all.. As most know abuse of and on irc is rampant. The
Donald> demise of blackened on EFnet only underscores the problem.

Donald> One of the reasons irc servers are nuked so much is to cause
Donald> lag and/or splits, many times just for a chance to cause
Donald> nick collides I think.

EFNet gets smurfed regardless, and nick collisions are a lot harder on
EFNet so I don't think it's a major motivation. Personal DoS or various
forms of nuking are used on EFNet to get rid of individuals. Server
nuking and DoS appear to happen generally to hack ops on a channel, or
just to piss the server administrators off.

Oddly enough, I think our Channel Delay (which I originally thought of
as unfriendly and annoying) is probably a great deal of help here. Of
course it just means the DoS has to last 15min, but I still think it
helps.

Donald> Wouldn't eliminating nick collides reduce the attacks on the
Donald> servers themselves?

Not really, although eliminating nick collisions would of course be a
nice thing to do, and is slated for ircd 2.11 (I believe). This will
most likely be done by removing the use of one's nick as the "key"
field.

Donald> I suggested a method that -might- help before.. but another
Donald> method just came to me.. restrict-a-nick.

Donald> Under some defined collide conditions, restrict the nicks
Donald> being set.

Donald> Some collide conditions:
Donald> 1] server restart
Donald>    restrict nicks for 15-30 minutes after restart
Donald> 2] low server count
Donald>    iow, if net normally has 70 servers, restrict nicks if <40?
Donald>    are linked
Donald> 3] severely lagged server
Donald> 4] split server
Donald> 5] Monitor &kills and on xx kills, restrict nicks - [damage
Donald>    might already be done]

Donald> #1 and #4 might be covered by #2

Donald> There are prolly better thresholds in the ircd code to
Donald> trigger server collide protections and restrict nicks..

Donald> Now the second part.. restrict nicks how?
Donald> Several possible ways.. each needs to be thought through..
Donald> but essentially, do not allow self-serve pick-a-nick during
Donald> the collide danger period.

Donald> 1] randomize the 8th and 9th characters in a nick
Donald>    a] truncate long nicks to 7 characters and add 2 random
Donald>       characters
Donald>       /nick abcdefghi will be set as abcdefg\5
Donald>    b] expand short nicks by adding fillers and extra random
Donald>       characters
Donald>       /nick abc is set as abc----c9

Donald> 2] allow short nicks, 6 or 7 characters to be set as is, but
Donald>    alter 8 and 9 character nicks as outlined in #1. Those
Donald>    desiring collide protection will favor the 8 or 9 character
Donald>    nicks. Those not wanting to bother with nick variations so
Donald>    they stay on the friends notify lists more often will favor
Donald>    the shorter nicks.

Donald> Prolly dozens of similar ways to restrict-a-nick will come
Donald> to your minds..

Just not allowing the nick to be changed seems the most obvious, and is
what occurs when a client connects under a restricted i-line. Obviously
the user is allowed to choose their initial nick, which you don't seem
to be in favour of (for reasons I can understand).

Donald> How it could work:

Donald> On server restart:

Donald> restrict all nicks joining by method #1. A few minutes
Donald> after the server connects to the net, and passes any other
Donald> collide danger criteria that may be included, then nick
Donald> change restriction can be turned off and the users may then
Donald> change to the nick they prefer, iow, changing back from the
Donald> server randomized form, "abcdefg\5", to the one they desired
Donald> "abcdefghi".

Donald> When servers split or the number linked is below a preset
Donald> number [i.e. 40?] or another collide condition is detected a
Donald> similar restriction on pick-a-nick can be turned on until
Donald> the danger of collisions is over.
Donald> lengthening the nick is an option too, forcing all new nicks
Donald> to 10 characters until the collide dangers passes.

Donald> These are just seeds of ideas.. perhaps you can flesh it
Donald> out.. ..

I use a simple scheme for the situation of a new server starting up. I
have two configuration files. When I start the IRC server, it uses a
configuration with auto-connects but no I-lines. This is "startup" mode
and allows the IRC server to join the network and for things to
stabilise. Five minutes later, the real configuration file is put in
place and the server told to rehash, at which point clients can connect
and find the network already in place.

Note that if you regularly restart your IRC server, this is almost
essential to stop the script kiddies from using it for scheduled
takeovers.

This doesn't address the problem of splits, but then again nick delay
does provide a little protection.

Note: I haven't commented on everything because some things you've
mentioned don't give me warm fuzzy feelings and I'd prefer not to be
negative. :)

- Andrew
-- 
#!/usr/bin/env python
print(lambda s:s+"("+`s`+")")\
('#!/usr/bin/env python\012print(lambda s:s+"("+`s`+")")\\\012')
print(lambda x:x%`x`)('print(lambda x:x%%`x`)(%s)')
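
The two-configuration startup described in the reply above, sketched as a shell wrapper. This is an added example, not part of the original message or of any ircd distribution. It assumes client lines in ircd.conf begin with "I:" or "i:", that the server writes a pid file and rehashes on SIGHUP, and all paths shown are hypothetical.

```shell
#!/bin/sh
# Staged start for an IRC server: link to the network first, admit clients later.
# Assumptions (not from the original post): client lines in ircd.conf begin
# with "I:" or "i:", the server writes a pid file, and SIGHUP makes it rehash.

# True if the given config file would admit clients (contains an I-line).
has_i_lines() {
    grep -Eq '^[[:space:]]*[Ii]:' "$1"
}

# Replace the live config in one rename so the server never reads a partial file.
install_conf() {
    cp "$1" "$2.new" && mv "$2.new" "$2"
}

# staged_start LIVE STARTUP REAL DELAY PIDFILE START_CMD [ARGS...]
staged_start() {
    live=$1 startup=$2 real=$3 delay=$4 pidfile=$5
    shift 5
    # Refuse a "startup" config that would let clients on before the links settle.
    if has_i_lines "$startup"; then
        echo "refusing: $startup contains I-lines" >&2
        return 1
    fi
    install_conf "$startup" "$live" || return 1
    "$@" || return 1              # start the server (expected to daemonize)
    sleep "$delay"                # let the server link and the network stabilise
    install_conf "$real" "$live" || return 1
    pid=$(cat "$pidfile") || return 1
    kill -HUP "$pid"              # rehash: client I-lines take effect now
}

# Hypothetical paths; run as "sh staged-start.sh run". 300 s is the five minutes.
if [ "${1:-}" = run ]; then
    staged_start /etc/ircd/ircd.conf /etc/ircd/ircd.conf.startup \
        /etc/ircd/ircd.conf.real 300 /var/run/ircd.pid /usr/sbin/ircd
fi
```

The I-line check on the startup file is the part worth keeping even if the rest is done by hand: a startup configuration that accidentally admits clients defeats the scheme silently.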