egghelp/eggheads community

Detecting fast botnet join with different ips

2007-05-26T03:34:32-04:00

Yes I forgot to mention that, I increase the wait-netsplit global var, to around about 3hrs or so, the maximum which I think can occur on DALnet. Hope that helps.

Statistics: Posted by awyeah — Sat May 26, 2007 3:34 am

Detecting fast botnet join with different ips

2007-05-22T03:44:31-04:00

Bind rejn won't help you in your case because it is only triggered if the rejoin occurs during the wait-split duration. As for the modes option, the server doesn't always set a mode after the net rejoin so it is not efficient enough. IMO, it's best to increase the wait-split setting if the splits are taking longer than expected.

Statistics: Posted by Sir_Fz — Tue May 22, 2007 3:44 am

Detecting fast botnet join with different ips

2007-05-15T21:27:23-04:00

Here is the script which I have currently made in accordance with the bind splt and rejn mechanisms. I am not sure if it will work or not, since haven't tested it, because netsplits don't occur when you want them too obviously.

So I'm just pasting the code and if anyone can follow up, have a look and browse through to let me know would this work or not. Once more I'll give info:

This script is basically detects fast mass joining hosts from bots, which have more than 1 host and removes all bots which joined the channel.

Code:

set mjointrigger "3:5"bind join - "*" mass:join:chanproc mass:join:chan {nick uhost hand chan} { global botnick mjointrigger joinflood kickno net_split if {[isbotnick $nick] || [info exists net_split]} { return 0 } set host "*!*@[lindex [split [maskhost $uhost] @] 1]" set user [string tolower $chan] if {[string match -nocase "#*" $chan]} { if {![info exists joinflood($user)]} {   set joinflood($user) 0  }  utimer [lindex [split $mjointrigger :] 1] [list mass:join:list $user]  if {[incr joinflood($user)] >= [lindex [split $mjointrigger :] 0]} {   if {[botisop $chan]} {    putquick "MODE $chan +b $host" -next    set clonenicks [list]; set clonenum 0    foreach person [chanlist $chan] {     if {[string match -nocase *$host* "$person![getchanhost $person $chan]"] && ![isop $person $chan] && ![isvoice $person $chan]} {      incr clonenum; lappend clonenicks $person:$clonenum      }    }    foreach clone $clonenicks {     putquick "KICK $chan [lindex [split $clone :] 0] :0,1 Clone Mass Join Flood 12,0 - You 2joined with6 [lindex [split $mjointrigger :] 0] clients 2or more 12in less than6 [lindex [split $mjointrigger :] 1] secs 12from the host 6*!*@[lindex [split $uhost @] 1] 12- (Clone2 #[lindex [split $clone :] 1] 12of2 #[llength $clonenicks]12)" -next    }    unset clonenicks; unset clonenum    timer 60 [list putquick "MODE $chan -b $host"]    }   if {[info exists joinflood($user)]} { unset joinflood($user) }  } }}proc mass:join:list {user} { global joinflood if {[info exists joinflood($user)]} { incr joinflood($user) -1 }}bind splt "*" - mass:join:splitbind rejn "*" - mass:join:rejoinproc mass:join:split {nick host hand chan} { global net_split  if {[info exists net_split]} {    return 0  } elseif {![info exists net_split] && [onchansplit $nick $chan]} {   set net_split 1   }}proc mass:join:rejoin {nick host hand chan} { global net_split  if {[info exists net_split]} {   utimer 5 [list "unset net_split"]   }}

Moreover, I searched the forum for rejn and splt and found Wcc gave a small snipplet for detecting netsplits. It basically uses RAW with keyword QUIT. I think bind splt would be more relevant to detect netsplits than just use raw.

Code:

bind raw - QUIT raw:netsplitproc raw:netsplit {from keyword text} { if {![regexp "(.*) (.*)" $text match server1 server2]} { return 0 } foreach chan [channels] {  putserv "PRIVMSG $chan :Netsplit detected: $server1 just split from $server2" } return 1}

Here is what I came up with to detect users which have split:

Code:

bind raw - QUIT raw:netsplitproc raw:netsplit {from keyword text} { global detect_netsplit if {![info exists detect_netsplit]} {  if {[string equal "2" [llength $text]] && [regexp {^(.*) (.*)$} $text] && [string is lower [string map {"." "" " " ""} $text]] && [string equal "0" [regexp -all {[0-9]} $text]] && ([regexp -all {\.} [lindex $text 0]] > 3) && ([regexp -all {\.} [lindex $text 1]] > 3)} {   foreach chan [channels] {    putserv "PRIVMSG $chan :Netsplit detected: $server1 just split from $server2"     if {![info exists detect_netsplit]} { set detect_netsplit 1 }      utimer 10 [list "unset detect_netsplit"]; return 1      }    }  }}

Also is it NECESSARY to include a bind on SIGN for the nicks which didn't join back from the netsplit on REJN (users which quit IRC after the servers split). And how would I implement that?

Example of a netsplit rejoin:

Code:

* PapaJaHaT- (one@64.18.135.100) has joined #chatzone* mariahilal (tin@208.98.24.223) has joined #chatzone* Uk_Dude (vdn@[censored].this.is.an.all-out-war.net) has joined #chatzone* Toyong^Hasibuan (Toyong@208.98.12.236) has joined #chatzone* }-|-{ (united@im.coming.back.home.kg) has joined #chatzone* Ramoo (sam@Harami.org) has joined #chatzone* brain.hub.eu.dal.net sets mode: +ovo The^Lovely^Slut Forecast[V23] DenDen* brain.hub.eu.dal.net sets mode: +b *!*@60.53.52.62* Hong24 (~Hong24_C_@37.248.208.218.klj02-home.tm.net.my) has joined #chatzone

When server sets channel modes, the channel rejoin from the netsplit is complete. Can I also do something like using bind MODE instead of bind REJN, so that I don't need to add a delay to unset the global var net_split. Coz bind rejn will detect the first user joining and for channels with big user counts, lots of people will rejoin, so I have to make the script run after everyone has rejoined from the netsplit.

Code:

bind mode - "*" server:mode:on:rejoinproc server:mode:on:rejoin {nick uhost hand chan mode arg} { global net_split if {([regexp -all {\.} $nick] > 3) && [regexp {o|v|b} $arg]} { #which will match the nick as the server setting chanmode #the only time server sets mode on DALnet is after netsplit rejoins  if {[info exists net_split]} {    unset net_split    }  }}

Statistics: Posted by awyeah — Tue May 15, 2007 9:27 pm

Detecting fast botnet join with different ips

2007-05-13T20:25:10-04:00

Thanks for the very detailed info, appreciate it. I will try to imply this and let you know in time what I solution I come up with for this problem.

Statistics: Posted by awyeah — Sun May 13, 2007 8:25 pm

Detecting fast botnet join with different ips

2007-05-13T13:35:33-04:00

Well, as stated, if you're not the "hardcore coder" (most of us are'nt), there's always "bind splt" and "bind rejn" to help detect netsplits and netmerges..

The splt-binding checks the quit-messages for hints on netsplits, in order to try and determine wether it was a normal quit or a netsplit (in which case we suspect that the user will rejoin once the split merges). The wait-netsplit variable is just a setting for how long we will bother to keep track of already splitted nicks...
The rejn-binding, as well as ischansplit only rely on wait-netsplit in the way that it uses the same list of splitted nicks that was generated by the same mechanisms that generate the split-triggering...

So, wait-netsplit has nothing todo with the actual detection of any netsplits, it only tells us how long we bother to keep track of netsplitted nicks before we assume they've quit'd, changed nicks, or the server was permanently unlinked.

So, getting back on the main subject; being not triggering join-floods on netmerges. This would be a mere issue of checking wether the nick joining was considdered netsplit'd before he joined or not. If (s)he was, then don't count the join, if not, count it...

Statistics: Posted by nml375 — Sun May 13, 2007 1:35 pm

Detecting fast botnet join with different ips

2007-05-13T13:11:15-04:00

I don't beleive I'm a hardcoder. I'm just like all the other people out there. Just that I spend more time trying to analyze and solve the problem myself and then ask help, rather ask people for help from scratch.

Detecting netsplits is not an easy task and to integrate that for a fast botnet join script isn't a trivial task as well. As I am aware the wait-netsplit global var in the .config file also plays a role in detecting netsplits. Since it is an approximation prediction hence I thought it is a difficult task to detect netsplit rejoins, since bind splt and rejn utilize that global var and onchansplit also I guess.

However RAW SJOIN and SQUIT notices would be a good idea to take into consideration, but theres always a different delay for every channel as we know when split rejoins. Anyway I will see what I can come up with, in free time to solve this problem once and for all.

Statistics: Posted by awyeah — Sun May 13, 2007 1:11 pm

Detecting fast botnet join with different ips

2007-05-13T11:17:24-04:00

I believe he's just not thinking what you can accomplish using "bind splt", "bind rejn", "onchansplit", etc..
And if you're a really hardcore coder *j*, I guess you could join your bot to &servers and grab the SERVER and SQUIT notices to try and predict netsplits/netmerges...

In any case, all that is needed to do some fancy netsplit detection/handling is in there, it's just up to the scripters to use it...

Statistics: Posted by nml375 — Sun May 13, 2007 11:17 am

Detecting fast botnet join with different ips

2007-05-13T07:36:48-04:00

Yes, i've experienced people getting kicked on netsplit rejoins. I guess tcl is still though limited as compared with mIRC scripting, for accomplishing this.

In what way exactly? What does "the extremely advanced" mIRC scripting offer that Tcl cannot accomplish?

Statistics: Posted by Sir_Fz — Sun May 13, 2007 7:36 am

Detecting fast botnet join with different ips

2007-05-13T03:11:40-04:00

Yes, i've experienced people getting kicked on netsplit rejoins. I guess tcl is still though limited as compared with mIRC scripting, for accomplishing this.

Statistics: Posted by awyeah — Sun May 13, 2007 3:11 am

Detecting fast botnet join with different ips

2007-05-12T16:03:53-04:00

This ain't flawless as some innocent people may join and get banned.

Exactly, especially after netsplits. IMO it's a bad idea to kick users on mass joins, a channel lock is enough.

Statistics: Posted by Sir_Fz — Sat May 12, 2007 4:03 pm

Detecting fast botnet join with different ips

2007-05-12T16:00:44-04:00

This ain't flawless as some innocent people may join and get banned.

Statistics: Posted by caesar — Sat May 12, 2007 4:00 pm

Detecting fast botnet join with different ips

2007-05-11T02:53:17-04:00

Okay thanks, yes I am using an array for $host:$chan. Thanks I will switch it to $chan only and then see how things work. So basically I'll create a list and then lappend all joining nicks to that list and then ban and kick them. kthx.

Statistics: Posted by awyeah — Fri May 11, 2007 2:53 am

Detecting fast botnet join with different ips

2007-05-10T16:06:35-04:00

When you're detecting join floods from 1 host you're probably using an array of $chan:$host, well if you just use an array for $chan then you'll be able to detect a join flood from unique hosts, just save the nicks that are joining at every increment.

Statistics: Posted by Sir_Fz — Thu May 10, 2007 4:06 pm

Detecting fast botnet join with different ips

2007-05-11T02:50:11-04:00

I wanted to accomplish something, which is done through hashes in mIRC scripting. If suppose a fast botnet joins with similar hosts and a bot within that has a different host? how should it be detected?

I can detect the users which have similar ips, but not the users which have only one ip?

example all this botnet joins fast in a channel within a sec

Code:

user1 (a@a.com)user2 (a@a.com)user3 (a@a.com)user4 (b@dfds.org)user5 (a@a.com)user6 (a@a.com)user7 (afgf@fdsgdf.net)

how can i detect user4 and user7? all the rest can be detected for clones, and can be filter kicked. All help would be appreciated thanks. Because I would want to remove all bots who joined, even the ones who have different ip addresses.

Statistics: Posted by awyeah — Thu May 10, 2007 4:07 am