Anope IRC Services

Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1]   Go Down

Author Topic: KillClones vs Exceptions  (Read 11601 times)

0 Members and 1 Guest are viewing this topic.

Adonis

  • Anope User
  • Offline Offline
  • Posts: 11
KillClones vs Exceptions
« on: October 05, 2007, 03:24:58 PM »

This bug however did not exist in my previous version 1.7.10. I think i like that version better, because that one also still had the killclones command which made life so much easier in weeding out botnets. Also the MySQL still worked pretty well back then without killing the services every 10 minutes.

[Edited on 5-10-2007 by Adonis]
Logged

Jobe

  • Contributor
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 1023
    • Anope IRC Services
(No subject)
« Reply #1 on: October 05, 2007, 03:26:16 PM »

It should be fixed in the SVN, from r1262 onwards which means it should be fixed in the next release.
Logged
Your IP: ()
My IRC Status:

Come along and visit http://www.anopequotes.org/

Adonis

  • Anope User
  • Offline Offline
  • Posts: 11
(No subject)
« Reply #2 on: October 05, 2007, 03:32:32 PM »

I'll be playing with the svn version this weekend then on my test environment. I also hope the MySQL issues will be solved there since i can't use MySQL at the moment anymore due to the services timing out every 10 minutes or so. MySQL is needed for cacti stats and a few other database apps.
Logged

katsklaw

  • Guest
(No subject)
« Reply #3 on: October 05, 2007, 09:26:11 PM »

Quote
Originally posted by Adonis
This bug however did not exist in my previous version 1.7.10. I think i like that version better, because that one also still had the killclones command which made life so much easier in weeding out botnets. Also the MySQL still worked pretty well back then without killing the services every 10 minutes.

[Edited on 5-10-2007 by Adonis]


What you do not understand is that dozens of other bugs have been fixed since 1.7.10, which makes 1.7.19 much more secure. Literally hundreds.

KillClones was NOT effecient be any means of the term, Try session limits, they do EVERYTHING killclones did and then some! I have real issues with people that cant understand that killclones was such a horrid, static, ineffecient hack.I produced far too many false positives, can't be relied upon and you can't set dynamic host specific limitations. Please take the few minutes it takes to learn about session limits, you'll then see what I'm refering to. KillClones has been dead, buried and decomposed now. Please do not think that 1.7.10 was more secure or better just because of KillClones, you are only fooling yourself. Dont be taken by ignorance, read and learn.

Think of it this way, killclones is a go-cart whereas session limits is a Porche!
Logged

Adonis

  • Anope User
  • Offline Offline
  • Posts: 11
(No subject)
« Reply #4 on: October 06, 2007, 01:25:47 AM »

I never said 1.7.10 was more secure, i just said that it worked better, like MySQL which back then did not kill the services every 10 minutes.

Also i have read your previous stances regarding killclones. Killclones made it easy to clean up botnets. Sure we can kill em now from channels, but before, we could also find and kill em quite easy if they were not on a channel. Now we have to hunt them down one by one... and that is a real tedious task if you're having a shitload of those on the server, wreaking havoc. Ofcourse you have to find them one by one with killclones as well, but when you kill one, you kill all its clones too so that saves a lot of time.

Session limits do NOT solve that problem. We do have session limits set, but clone bots can ofcourse enter the server for as long as the session limit allows it. When it gets heavy (Which goes fast), then Defcon kicks in and then we can clean the stuff up.  So now with Killclones gone we have to spend a *very* long time trying to find and kill those bots AND their clones.

So how is session limits going to help here? If you properly explain this?

Quote
Think of it this way, killclones is a go-cart whereas session limits is a Porche!


You don't want to drive your shiny porche through the neighbourhood where gangs and pricks rule....  i'd rather drive the go-cart there.

[Edited on 6-10-2007 by Adonis]
Logged

katsklaw

  • Guest
(No subject)
« Reply #5 on: October 06, 2007, 02:48:30 AM »

Clone = multiple users from the same IP. Most ircds have a max-per-ip threshold in the config, thaqt means that the ircd won't allow more than X from the same IP. Neither will Session Limits, you don't have to go hunt them, the ircd and services will handle that for you. Those that you claim to have been killing as a botnet may or may not have been a real botnet, it's possible you killed real users with it as well.

Lets look at KillClones for a second, then look at Sessions and Exceptions and then please point out how KillClones is more efficient than sessions.

KillClones:
Code: [Select]

Syntax: KILLCLONES nick

Kills all users who have the same hostname as nick. A
temporary AKILL, in the form *@host, is added to
prevent the offending clients from immediately
reconnecting. A wallops is also sent indicating who
used the command, which host was affected and how many
users were killed. It's usefull for removing numerous
clones from the network.

Limited to Services operators.


Note the "Kills all users who have the same hostname as nick". Most IRCD's do that automaticlly now and so does Anope, Anope does it automaticlly via Sessions and exceptions.

Sessions and Exceptions:

Code: [Select]

Allows Services admins to manipulate the list of hosts that
have specific session limits - allowing certain machines,
such as shell servers, to carry more than the default number
of clients at a time. Once a host reaches it's session limit,
all clients attempting to connect from that host will be
killed.


This means that Anope can be configured to AUTOMATICLLY kill clones at lets say 3 from the same IP. Then along comes a bunch of users from the same shell hosting company that wants to host more than 3 eggdrops, not a botnet, but real users with real bots. If you ran killclones, all those real bots will be killed! With sessions and exceptions, the shell hostign company can have 50 bots and Anope will not kill them! everyone else gets 3! You can except Services as well, opers, trusted users .. none will be killed. With Sessions and Exceptions, there is no manual command to run, it's automaticly done for you. I fail to see how that is more "tedious", you are doing nothing vs running killclones manually. IF you get users plaging your network from DIFFERENT IP's ... those are NOT clones and KillClones will be useless in that scenario.

I'll use my net as an example. I have the global max clone limit of 3 connections per IP. I personlly can connect upto 100 clones from my IP. If ANYONE else tries it, the 4th and beyond clones will b automaticlly killed. With KillClones they are allowed to connect and you have to MANUALLY run the command. Really now, which if the 2 is more tedious?? Be honest.

Sessions and exceptions has become a "hands off" clone management system. The ONLY time you need to mess with Sessions and exceptions is to add trusted users to the list of users NOT getting automaticlly killed by Services.

Drop by irc.ircmojo.net and I'll give you a live, personal demonstration and personally teach you how to use Sessions and Exceptions.

killclones = manually kill per host
exceptions = monitor the network and automaticlly kill clones that reach the threshold so I don't have to scan for them manually.

PS: If you think of your network as a neighborhood full of gangs and pricks ... I pity you.
Logged

katsklaw

  • Guest
(No subject)
« Reply #6 on: October 06, 2007, 02:58:00 AM »

Splitting and topping Thead.
Logged

Adonis

  • Anope User
  • Offline Offline
  • Posts: 11
(No subject)
« Reply #7 on: October 06, 2007, 03:35:35 AM »

Quote
I'll use my net as an example. I have the global max clone limit of 3 connections per IP. I personlly can connect upto 100 clones from my IP. If ANYONE else tries it, the 4th and beyond clones will b automaticlly killed. With KillClones they are allowed to connect and you have to MANUALLY run the command. Really now, which if the 2 is more tedious?? Be honest.


What i mean is. I do have session limits set on my IRCD, which means that it already, for many years, has been limiting sessions from users. The problem with botnets is that they usually consist of a huge number of IP's and their clones. The first batch gets through, and then anything after that get slowed down by Defcon3 which limits the max sessions from 4 to 2, and then at defcon2 it kills new connections. So then you still have lots of bots and their clones on your network:

E.g.: 100 IP's at 4 sessions per IP is 400! And a few more that get through when the session limit is reset to 2. Clearely you must see that killing 100 IP's is less work with killclones than having to kill 400 or more manually.

And the chance of getting false positive is there but very remote because these botnets almost always consist of some recognisable naming structure. You usually see this structure when they start flooding the server.

Quote
PS: If you think of your network as a neighborhood full of gangs and pricks ... I pity you.


Look at it like a beautiful city where everyone wants coexist in peace, and then like in ancient times, some big boat of uncivilized armed to the teeth Vikings land in your harbour and start terrorizing your city. Yes, at that time i have a network with a rather large number of pricks and gangs, and you cant stop that with playing nice. You have to fix that with blunt force as that is the only language these pricks understand (eventho the pricks usually are drones controlled by one person). Killclones was a great help there in cleaning up the mess.
Logged

katsklaw

  • Guest
(No subject)
« Reply #8 on: October 06, 2007, 04:53:11 AM »

Quote
Originally posted by Adonis
E.g.: 100 IP's at 4 sessions per IP is 400! And a few more that get through when the session limit is reset to 2. Clearely you must see that killing 100 IP's is less work with killclones than having to kill 400 or more manually.


I think you should look into AkillOnAdd, and /operserv akill. AkillOnAdd kills users from the akilled host/ip when added. Since KillClones uses akills, I see no functional difference.

Assuming 4 connections per IP:

killclones = Manually use KillClones 100 times X 4 clones = 400
akill = Manually use akill 100 times X 4 clones = 400

There is a module on the module site called os_qakill, that will help shorten the syntax of using akill and may feel a bit more like /os killclones. Syntax: QAKILL Nick [Reason] Actually if you like I can edit that module to be killclones if you likes you can type: /os killclones nick reason if that will help you.

Optional IRCd commands, at least in Unreal would be /gline and /shun.

Quote

Look at it like a beautiful city where everyone wants coexist in peace, and then like in ancient times, some big boat of uncivilized armed to the teeth Vikings land in your harbour and start terrorizing your city. Yes, at that time i have a network with a rather large number of pricks and gangs, and you cant stop that with playing nice.


That's the nature of IRC, take it or leave it. Being an IRCop is hardly ever glorious, it's quite often "tedious" work. That's just how it is. You will be required to do some hard work occasionally. You should try managing 140,000 users sometime without Services. :)

[Edited on 5-10-2007 by katsklaw]
Logged

Adonis

  • Anope User
  • Offline Offline
  • Posts: 11
(No subject)
« Reply #9 on: October 06, 2007, 01:51:46 PM »

Quote
killclones = Manually use KillClones 100 times X 4 clones = 400


Actually you'd only have to do it 100 times since the other 300 are tied to the first 100. So thats a 75% difference in workload.

Quote
That's the nature of IRC, take it or leave it. Being an IRCop is hardly ever glorious, it's quite often "tedious" work. That's just how it is. You will be required to do some hard work occasionally. You should try managing 140,000 users sometime without Services.


We're only a fraction of that number (quality over quantity), so these botnets once they happen are sticking out like a sore thumb on the network.

We'll take a look at Qakill, thanks :)
Logged

katsklaw

  • Guest
(No subject)
« Reply #10 on: October 06, 2007, 02:15:22 PM »

Quote
Originally posted by Adonis
Quote
killclones = Manually use KillClones 100 times X 4 clones = 400


Actually you'd only have to do it 100 times since the other 300 are tied to the first 100. So thats a 75% difference in workload.


The example states 100 times, please re-read it.

killclones = 100 times x 4 clones = 400 users get banned and killed.
akill = 100 times x 4 clones = 400 users get banned and killed.

You MUST use killclones on each unique IP, which is the exact same as akill, please bear in mind that when you type: killclones nick, all it is actually doing is akill *@host, so they are the exact same.

It is the exact same workload.
Logged

Adonis

  • Anope User
  • Offline Offline
  • Posts: 11
(No subject)
« Reply #11 on: October 06, 2007, 02:46:07 PM »

Okay i misinterpreted it :) We'll take a look at that Qakill, thanks for pointing that out.
Logged

FiXato

  • Guest
(No subject)
« Reply #12 on: October 09, 2007, 10:40:05 PM »

Slightly offtopic perhaps, but since when has Killing become equal to banning aka AKilling?

Just like the ChanKill functionality, which is rather confusing in its description in the results of /os help:
Quote

OperServ: CHANKILL Kill all users on a specific channel

That sounds more like terminating a connection (which I liked from the os_mkill module's functionality), than what is actually does, placing an Akill.

[Edited on 2007.10.9 by FiXato]
Logged

katsklaw

  • Guest
(No subject)
« Reply #13 on: October 09, 2007, 10:54:52 PM »

Quote
Originally posted by FiXato
Slightly offtopic perhaps, but since when has Killing become equal to banning aka AKilling?


If you have ever read the source code for the killclones command you would see that killclones sets an akill on the nicks host before killing them. Actually, the help function also tells you this as well.


Syntax: KILLCLONES nick

Kills all users who have the same hostname as nick. A
temporary AKILL, in the form *@host, is added to
prevent the offending clients from immediately
reconnecting.


[Edited on 9-10-2007 by katsklaw]
Logged

FiXato

  • Guest
(No subject)
« Reply #14 on: October 10, 2007, 08:21:39 PM »

Yes, I know that; and I wasn't referring to that (hence the 'slightly offtopic perhaps' remark).
I was just wondering why some of the functions refer to killing, when infact it would be an akill.
Logged

katsklaw

  • Guest
(No subject)
« Reply #15 on: October 10, 2007, 10:09:44 PM »

it's the same concept as setting a 5 second ban when you kick a user from channel to prevent auto-join, it simply makes it more effective by disrupting clients and scripts. When most normal people think of bans and akills they think of times greater than a few seconds.
Logged
Pages: [1]   Go Up