If the user is masked, how do you ban their ISP?
On Tue, Oct 13, 2009 at 10:42 PM, Jason Hill <secrtagnt@gmail.com> wrote:
On Tue, Oct 13, 2009 at 9:31 PM, Jason Hill <secrtagnt@gmail.com> wrote:
> On Tue, Oct 13, 2009 at 8:33 PM, Vin King <vin.king@gmail.com> wrote:
<snip>
>> The potential from abuse by a vhost is mitigated by wildcarding the ip
>> address, which can't be done with hostmasks.
>>
>> Additionally, with each hostmask now being independent, wildcard bans on
>> ISPs become ineffective, and the current limitations on ban list lengths
>> become a major shortfall.
>>
>> Providing the capability without proper planning into all the affected
>> systems will easily create room for abuse, especially if the system isn't
>> properly tested for abuse potential.
>>
>> Specific examples of how hard it is for your average channel operator to
>> keep a determined attacker out of a channel when the IRCD provides the
>> attacker with the ability to change their hostmask can be seen on any
>> network that does provide the address. I know I myself have abused the
>> capabilities of other networks easy enough, so it's not impossible.
>>
>> I personally don't see how hostmasking provides any end user security, as
>> the vast majority of the network users are not dealing with attacks against
>> themselves or their connections, and since the vast majority of attacks on
>> the network are through query anyways with OMG DO THIS FOR OPS //decode
>>
>
> Ban evasions will be possible with or without hostmasking; however, a
> lot of what you mentioned can be mitigated by the fact that a server
> will know both the real and masked host for a user. This makes it
> possible for ban list entries (and silence lists, etc) to be easily
> matched against a user, regardless of whether a user has
> enabled/disabled hostmasking and whether the ban is against the user's
> real or masked host. For example, a ban against *!*@*.aol.com should
> work even if the user is umode +H and their mask is generated based on
> their IP address (due to the server being unable to perform a reverse
> lookup).
>
I accidentally deleted half of my example, so I'll clarify...
Ban matching should not be problem if the server knows both the real
and masked host for the user, regardless of whether the user is
actually umode +H or not. For example, a ban against
*!*@98a866b7.ipt.aol.com should match userA even if their umode +H and
their masked (visible) host is now dalnet-84725.ipt.aol.com. As for
ISP wildcard bans no longer matching masked users, this would only be
the case if the hash is generated against the user's IP address, which
would only happen if the server is unable to perform a reverse lookup
on it -- in which case it wouldn't match regardless of hostmasking.
-SecretAgent
_______________________________________________
DALnet-src mailing list
DALnet-src@lists.dal.net
https://lists.dal.net/mailman/listinfo/dalnet-src