View Issue Details

ID: 0002152
Project: unrealircd
Category:
View Status: public
Last Update: 2013-05-20 04:34
Reporter: aquanight
Assigned To: nenolod
Priority: normal
Severity: tweak
Reproducibility: always
Status: resolved
Resolution: no change required
Platform: X86
OS: Windows
OS Version: XP Pro SP2
Summary: 0002152: NOSPOOF for servers?

Description:

This was recently brought up in the forums here: http://www.phpmemx.net/~unrealir/forums/viewtopic.php?p=6090#6090

Servers are not checked when NOSPOOF is enabled.

I can confirm this with Anope logs if you want.

The easiest way to deal with this is just send an appropriate PING (with cookie, preferably) prior to sending the server's pass/protoctl/server back. If the PONG is not correctly (exactly) replied before the class::pingfreq hits, ERROR :Closing link (Ping timeout) :P . You could, of course, also go as far as bahamut does, and do PING/PONG exchanges between each stage of the synchronization.
Tags: No tags attached.
3rd party modules
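
The PING/PONG cookie check proposed in the description, sketched as an added example (not UnrealIRCd code and not code from this thread). `LinkCookieGate`, its method names and the sample lines are hypothetical, and the peer is assumed to answer with `PONG :<cookie>`.

```python
import hmac
import secrets

TIMEOUT_ERROR = "ERROR :Closing link (Ping timeout)"


class LinkCookieGate:
    """Hypothetical gate: hold back our PASS/PROTOCTL/SERVER until the
    connecting peer echoes a random cookie, proving it can read our replies."""

    def __init__(self, pingfreq, now):
        self.cookie = secrets.token_hex(4).upper()  # unpredictable 32-bit value
        self.deadline = now + pingfreq              # class::pingfreq, in seconds
        self.verified = False

    def challenge(self):
        """Line to send before any of our own link credentials."""
        return "PING :" + self.cookie

    def on_line(self, line, now):
        """Feed one line from the peer.
        Returns 'verified', 'wait', or the ERROR line that closes the link."""
        if self.verified:
            return "verified"
        if now >= self.deadline:
            return TIMEOUT_ERROR
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        if cmd.upper() == "PONG":
            reply = arg[1:] if arg.startswith(":") else arg
            # Exact match only, compared in constant time.
            if hmac.compare_digest(reply.encode(), self.cookie.encode()):
                self.verified = True
                return "verified"
        return "wait"  # anything else is ignored until the deadline


def demo():
    """Constructed exchange: early SERVER, wrong cookie, right cookie, late reply."""
    gate = LinkCookieGate(pingfreq=60, now=0)
    results = [
        gate.on_line("SERVER hub.example.net 1 :constructed sample", now=1),
        gate.on_line("PONG :00000000x", now=2),       # 9 chars, never matches
        gate.on_line("PONG :" + gate.cookie, now=3),
    ]
    late = LinkCookieGate(pingfreq=60, now=0)
    results.append(late.on_line("PONG :" + late.cookie, now=61))
    return results
```

A peer that spoofed its source address never sees the `PING` line, so it cannot produce the cookie and the link closes at the deadline without the local server having sent its own password.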

Relationships

child of 0003111 closed 3.2.7 Release 

Activities

syzop

2004-11-02 08:28

administrator   ~0008214

Perhaps, but... IMO one should really rely on the password (and preferably use SSL), that's far more secure than IP-based authentication.

aquanight

2004-11-02 12:36

reporter   ~0008222

Last edited: 2004-11-02 12:41

Yes that's probably true... but IP-based certainly helps to augment the password and/or SSL, and applying NOSPOOF to servers would make it even more true :) .

*edit*

And it doesn't even have to be IP-based authentication done by Unreal :) . I could make 6667 clientonly and have a serveronly port somewhere obscure like 15372. Then use firewall/iptable/whatever to ensure that my server IPs can't connect to the 6667, and are the only IPs allowed to connect to 15372. Of course, NOSPOOF isn't as important when the OS's TCP stack is secure (eg, not Win32), but still...


codemastr

2004-11-02 17:17

reporter   ~0008224

Well I guess the issue is, people use passwords like "link" or "password" so if someone knows the IP, and guesses the password, they can connect.

aquanight

2004-11-02 17:32

reporter   ~0008226

Last edited: 2004-11-02 17:34

It doesn't even have to be a simple password. It could be someone (accidentally?) left his unrealircd.conf or recent backup thereof readable by everyone, and some bad person gets the password-connect... which can be pretty significant depending on the server he managed to get, eg if he got a hold of a server that's hub *;'d, he could do quite some damage with that... and then it sometimes happens that password-connect and password-receive are the same...

(Usually, though when that happens you're gonna have bigger problems than just an IP spoof attack or the like :P )


nenolod

2013-05-20 04:34

reporter   ~0017615

I don't believe we need to change this, reopen if you disagree.

Issue History

Date Modified Username Field Change
2004-11-01 20:36 aquanight New Issue
2004-11-02 08:28 syzop Note Added: 0008214
2004-11-02 12:36 aquanight Note Added: 0008222
2004-11-02 12:41 aquanight Note Edited: 0008222
2004-11-02 17:17 codemastr Note Added: 0008224
2004-11-02 17:32 aquanight Note Added: 0008226
2004-11-02 17:33 aquanight Note Edited: 0008226
2004-11-02 17:33 aquanight Note Edited: 0008226
2004-11-02 17:34 aquanight Note Edited: 0008226
2006-11-12 14:37 syzop Status new => confirmed
2006-11-12 14:37 syzop Relationship added child of 0003111
2007-09-06 10:10 syzop Relationship added child of 0003454
2008-12-23 16:40 syzop Relationship deleted child of 0003454
2013-05-20 04:34 nenolod Note Added: 0017615
2013-05-20 04:34 nenolod Status confirmed => resolved
2013-05-20 04:34 nenolod Resolution open => no change required
2013-05-20 04:34 nenolod Assigned To => nenolod