
Err, lemme clarify that a little. If the user is banned, how do you ban a segment of their ISP? Example, 127-0-0-1.mn.rocks.someisp.net can be banned at a state level, without banning all of someisp.net. Banning all of an ISP isn't usually a wanted thing, but banning regions of an ISP is.

On Tue, Oct 13, 2009 at 10:46 PM, Vin King <vin.king@gmail.com> wrote:
If the user is masked, how do you ban their ISP?
On Tue, Oct 13, 2009 at 10:42 PM, Jason Hill <secrtagnt@gmail.com> wrote:
On Tue, Oct 13, 2009 at 9:31 PM, Jason Hill <secrtagnt@gmail.com> wrote:
On Tue, Oct 13, 2009 at 8:33 PM, Vin King <vin.king@gmail.com> wrote:
<snip>
The potential from abuse by a vhost is mitigated by wildcarding the ip address, which can't be done with hostmasks.
Additionally, with each hostmask now being independent, wildcard bans on ISPs become ineffective, and the current limitations on ban list lengths become a major shortfall.
Providing the capability without proper planning into all the affected systems will easily create room for abuse, especially if the system isn't properly tested for abuse potential.
Specific examples of how hard it is for your average channel operator to keep a determined attacker out of a channel when the IRCD provides the attacker with the ability to change their hostmask can be seen on any network that does provide the address. I know I myself have abused the capabilities of other networks easy enough, so it's not impossible.
I personally don't see how hostmasking provides any end user security, as the vast majority of the network users are not dealing with attacks against themselves or their connections, and since the vast majority of attacks on the network are through query anyways with OMG DO THIS FOR OPS //decode
Ban evasions will be possible with or without hostmasking; however, a lot of what you mentioned can be mitigated by the fact that a server will know both the real and masked host for a user. This makes it possible for ban list entries (and silence lists, etc) to be easily matched against a user, regardless of whether a user has enabled/disabled hostmasking and whether the ban is against the user's real or masked host. For example, a ban against *!*@*.aol.com should work even if the user is umode +H and their mask is generated based on their IP address (due to the server being unable to perform a reverse lookup).
I accidentally deleted half of my example, so I'll clarify...
Ban matching should not be a problem if the server knows both the real and masked host for the user, regardless of whether the user is actually umode +H or not. For example, a ban against *!*@98a866b7.ipt.aol.com should match userA even if they're umode +H and their masked (visible) host is now dalnet-84725.ipt.aol.com. As for ISP wildcard bans no longer matching masked users, this would only be the case if the hash is generated against the user's IP address, which would only happen if the server is unable to perform a reverse lookup on it -- in which case it wouldn't match regardless of hostmasking.
-SecretAgent
_______________________________________________
DALnet-src mailing list
DALnet-src@lists.dal.net
https://lists.dal.net/mailman/listinfo/dalnet-src
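
The dual-host ban check described in the thread above, as an added example that is not part of the original messages and is not DALnet ircd code. The struct, the function names, the mask format used for an IP-only user and the sample users are assumptions constructed for illustration; the aol.com host names reuse the thread's examples.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical user record: the server keeps both host forms. */
struct user {
    const char *nick, *ident;
    const char *real_host;    /* reverse-lookup result, or the bare IP */
    const char *masked_host;  /* what other users see under umode +H */
};

/* IRC-style glob: '*' = any run, '?' = one char, ASCII case-insensitive. */
static int glob_match(const char *m, const char *s)
{
    const char *star = NULL, *retry = NULL;
    while (*s) {
        if (*m == '*') { star = ++m; retry = s; }
        else if (*m == '?' || tolower((unsigned char)*m) == tolower((unsigned char)*s)) { m++; s++; }
        else if (star) { m = star; s = ++retry; }   /* backtrack to last '*' */
        else return 0;
    }
    while (*m == '*') m++;
    return *m == '\0';
}

/* A ban applies if nick!ident@host matches with EITHER the real or masked host. */
int is_banned(const struct user *u, const char *ban)
{
    char full[512];
    const char *hosts[2] = { u->real_host, u->masked_host };
    for (int i = 0; i < 2; i++) {
        snprintf(full, sizeof full, "%s!%s@%s", u->nick, u->ident, hosts[i]);
        if (glob_match(ban, full)) return 1;
    }
    return 0;
}

/* Constructed sample users. user_a resolves; user_b has no reverse DNS. */
static const struct user user_a = { "userA", "a", "98a866b7.ipt.aol.com", "dalnet-84725.ipt.aol.com" };
/* 192.0.2.0/24 is a documentation range; the mask format is an assumption. */
static const struct user user_b = { "userB", "b", "192.0.2.17", "dalnet-5c1e9.ip" };

int main(void)
{
    printf("real-host ban vs masked userA: %d\n", is_banned(&user_a, "*!*@98a866b7.ipt.aol.com"));
    printf("ISP wildcard vs masked userA:  %d\n", is_banned(&user_a, "*!*@*.aol.com"));
    printf("ISP wildcard vs IP-only userB: %d\n", is_banned(&user_b, "*!*@*.aol.com"));
    printf("IP wildcard vs masked userB:   %d\n", is_banned(&user_b, "*!*@192.0.2.*"));
    return 0;
}
```

The third case fails to match for the reason given in the last message: without a reverse lookup there is no ISP domain to match, whether or not the host is masked.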