View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001933||unreal||ircd||public||2004-07-09 00:22||2004-11-25 19:05|
|Target Version||Fixed in Version||3.2.3|
|Summary||0001933: "set::allow-userhost-change force-rejoin;" allow banwalks?|
|Description||Sure, it is set to FORCE-rejoin, but yet I find this quite strange, if "set::allow-userhost-change" is set to force-rejoin, and a user is banned from a channel, yet he rejoins without a problem when he set/unset +x .. it might be a weak configuration by me, but yet, it can be exploited to flood/spam a channel? Like a (odd) example, if a channel is attacked with a botnet, you can +l to lock them out, +i to lock them out, +m to make them quite, etc.. yet they can simply set/unset their +x modes to join/part flood the channel. Here's an example:|
-- snip --
barfoo sets mode: +i
barfoo sets mode: +l 1
barfoo sets mode: +b *!*@c-2ce130e5.042-05-6e72632.cust.bredbandsbolaget.se
Parts: foobar (foobar@spoof-13E3BB9A.cust.bredbandsbolaget.se) (Rejoining because of user@host change)
Joins: foobar (firstname.lastname@example.org)
-- snip --
Is this "my own fault" or is it a "bug" ?
|Steps To Reproduce||See description.|
|Tags||No tags attached.|
|3rd party modules|
|This can't be used to exploit anything. The user never really left, it's a simulated rejoin. And if you kick the user, they can't rejoin. So I don't see the problem.|
||The idea was more like, when a botnet attacks a channel.. let's say you have 150 hostile bots in your channel.. then you can easily set +iml1 to "halt" the attack.. all they can do then is parting the channel or leaving the network to do a "flood" again.. but with this option enabled, they can simply set +x and they have just flooded the channel with 300 lines of text.. and as simply as before, just unset +x .. but sure, it's quite easy to disable by not having it to "force-rejoin", but yet, I think you should consider some way to fix that.. Like checking against the banlist if the user is banned (even if it's just simulated) and refuse it to join again in case it's banned.. or? Am I just too paranoid now? :)|
I see. I can understand your concerns now... instead of disallowing pretty much any traffic except a part (assuming you would have set +N too) they can still semi-flood with rejoins.
I'm thinking about the following (slight variation on what you suggested):
don't allow people to +x/-x if they wouldn't be allowed to rejoin (actually: +v or lower and banned or prevented by some channelmode, it makes sense to me to still allow +hoaq to rejoin). Oh and if the user IS allowed, do our rejoin trick :).
To implement this we would need (in a nice seperate function):
a loop which goes to the channels and checks if +v or lower, then if the user is banned or if any of the channel modes apply or if the PRE_LOCAL_JOIN hook returns HOOK_DENY.
We can't exactly use can_join directly... like we don't want it to suddenly use +L and join another channel (but we do want to check for +l), and actually it shouldn't check for the correct key either (but we could simulate that ;p).
We could add a flag to can_join or code a seperate thingy, the former doesn't seem too bad.
Then.. our nice "check if +v or lower and prevented from rejoining anywhere"-function would loop trough chans: call can_join(), call PRE_LOCAL_JOIN, and that's pretty much it... and then set some flag that a rejoin is in progress since stuff like:
if (UHOST_ALLOWED == UHALLOW_REJOIN)
isn't that easy anymore ;p.
codemastr: any objections?
I don't really like the idea. It seems like it will confuse users. "You can't set +x because you are banned from #test" You don't see that as being confusing? I doubt any user will see that +x has anything to do with #test. I can see how this could cause a flood, and therefore should be addressed, I'm just not sure that's the best way to do it. Remember too, +x isn't the only thing that triggers that rejoin code. "You can't /oper because you are banned on #test," "You can't use /vhost because you are banned on #test," "You can't /chghost on foobar because foobar is banned on #test," etc. Then of course we have the issue of U:lines. What happens if a U:line sends the command? Do we just allow it through? If so, then /ns set vhost (or whatever the command the services use) could be used to flood just as well. And rejecting it would cause problems as well. The services assume SETHOST succeeds, so it auto sets the vhost locally. So if we make it fail on the IRCd, now we have desync.
I'm really not too sure how to deal with this...
> don't really like the idea. It seems like it will confuse users. "You can't set +x because you are banned from #test" You don't see that as being confusing? I doubt any user will see that +x has anything to do with #test.
Well, isn't UHALLOW_NOCHANS similary confusing? :P
I'm in a hurry, so I didn't really read the rest properly, but if you say it doesn't help much anyway due services/others then yeah.. that sucks ;).
But do you see the problem he talked about? I think it's quite real.
(Then again, chanmode f should have prevented hundreds of bots from joining in the first place ;p)
I was looking for something between UHALLOW_NOCHANS and UHALLOW_REJOIN.
well why not...
if the user is banned/whatever, just don't send the part/join. The host still gets set, but it can't flood by simply using the rejoin aspect of +x.
|I kind of like aquanight's solution. No flood, and they can still change their host. And really, we could even still send the JOIN/PART to all the other channels so the IAL desync is as small as possible. Plus, usually, if you are +b'ed the /kick isn't too far away :) so the problem is even less serious.|
>And really, we could even still send the JOIN/PART to all the other channels so
>the IAL desync is as small as possible.
My thoughts exactly ^_^ . Of course, said "desync" really only occurs with clients that have an IAL... need I bring up telnet here (if that counts as a client that is :P )?
>Plus, usually, if you are +b'ed the /kick isn't too far away :) so the problem
>is even less serious.
Well, you can't really say that's always true. There's still the +bquiet techinique (and while ~q handles that well, straight +b blocks "other forms" as well. Better one ban than two where possible ;) ). And on the other hand, when /kick isn't too far away, it's usually /ban -k - IOW immediately :P .
I did a tad bit of thinking here...
Considering the whole purpose of this... preventing part/join flooding by changing host... I had that thought that "mute" users were just as likely to host-flood as banned users... so do you think +mM should have some kind of effect as well? :)
|aquanight, no. If I'm +b and I type /part #chan, /join #chan, it will fail (because I'm banned). If the channel is +m and I do that, it will succeed. Hence, the flood is "natural." If they want to stop that, then they'd set +b on the user.|
||True... as I said, it was just a thought...|
|Added in .194|
|2004-07-09 00:22||Z3l3zT||New Issue|
||Note Added: 0006936|
|2004-07-09 00:51||Z3l3zT||Note Added: 0006937|
|2004-07-09 09:34||syzop||Note Added: 0006942|
||Note Added: 0006948|
|2004-07-09 12:41||syzop||Note Added: 0006949|
|2004-07-09 15:45||aquanight||Note Added: 0006955|
||Note Added: 0006958|
|2004-07-09 18:34||aquanight||Note Added: 0006960|
|2004-07-17 00:55||aquanight||Note Added: 0007117|
||Note Added: 0007124|
|2004-07-17 18:25||aquanight||Note Added: 0007133|
||Status||new => assigned|
||Assigned To||=> codemastr|
||Status||assigned => resolved|
||Fixed in Version||=> 3.2.3|
||Resolution||open => fixed|
||Note Added: 0008414|