
Detecting fast botnet join with different ips

Help for those learning Tcl or writing their own scripts.
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland


Post by awyeah »

I wanted to accomplish something which is done through hashes in mIRC scripting. Suppose a fast botnet joins with similar hosts and a bot within it has a different host; how should it be detected?

I can detect the users which have similar IPs, but not the users which have only one IP.

Example: all of this botnet joins a channel fast, within a second.

Code:

user1 (a@a.com)
user2 (a@a.com)
user3 (a@a.com)
user4 (b@dfds.org)
user5 (a@a.com)
user6 (a@a.com)
user7 (afgf@fdsgdf.net)
How can I detect user4 and user7? All the rest can be detected as clones and can be filter-kicked. All help would be appreciated, thanks. I would want to remove all bots which joined, even the ones which have different IP addresses.
Last edited by awyeah on Fri May 11, 2007 2:50 am, edited 1 time in total.
·awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

When you're detecting join floods from 1 host you're probably using an array of $chan:$host, well if you just use an array for $chan then you'll be able to detect a join flood from unique hosts, just save the nicks that are joining at every increment.

Post by awyeah »

Okay thanks, yes I am using an array for $host:$chan. Thanks I will switch it to $chan only and then see how things work. So basically I'll create a list and then lappend all joining nicks to that list and then ban and kick them. kthx.
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

This ain't flawless as some innocent people may join and get banned.
Once the game is over, the king and the pawn go back in the same box.

Post by Sir_Fz »

caesar wrote:This ain't flawless as some innocent people may join and get banned.
Exactly, especially after netsplits. IMO it's a bad idea to kick users on mass joins, a channel lock is enough.

Post by awyeah »

Yes, I've experienced people getting kicked on netsplit rejoins. I guess Tcl is still limited, though, as compared with mIRC scripting, for accomplishing this.

Post by Sir_Fz »

awyeah wrote:Yes, i've experienced people getting kicked on netsplit rejoins. I guess tcl is still though limited as compared with mIRC scripting, for accomplishing this.
In what way exactly? What does "the extremely advanced" mIRC scripting offer that Tcl cannot accomplish?
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

I believe he's just not thinking what you can accomplish using "bind splt", "bind rejn", "onchansplit", etc..
And if you're a really hardcore coder *j*, I guess you could join your bot to &servers and grab the SERVER and SQUIT notices to try and predict netsplits/netmerges...

In any case, all that is needed to do some fancy netsplit detection/handling is in there, it's just up to the scripters to use it...
NML_375

Post by awyeah »

I don't believe I'm a hardcore coder. I'm just like all the other people out there. Just that I spend more time trying to analyze and solve the problem myself and then ask for help, rather than asking people for help from scratch.

Detecting netsplits is not an easy task and to integrate that for a fast botnet join script isn't a trivial task as well. As I am aware the wait-netsplit global var in the .config file also plays a role in detecting netsplits. Since it is an approximation prediction hence I thought it is a difficult task to detect netsplit rejoins, since bind splt and rejn utilize that global var and onchansplit also I guess.

However, RAW SJOIN and SQUIT notices would be a good idea to take into consideration, but there's always a different delay for every channel, as we know, when a split rejoins. Anyway, I will see what I can come up with in my free time to solve this problem once and for all.

Post by nml375 »

Well, as stated, if you're not the "hardcore coder" (most of us aren't), there's always "bind splt" and "bind rejn" to help detect netsplits and netmerges..

The splt-binding checks the quit-messages for hints on netsplits, in order to try and determine whether it was a normal quit or a netsplit (in which case we suspect that the user will rejoin once the split merges). The wait-netsplit variable is just a setting for how long we will bother to keep track of already split nicks...
The rejn-binding, as well as ischansplit, only rely on wait-netsplit in the way that they use the same list of split nicks that was generated by the same mechanisms that generate the split-triggering...

So, wait-netsplit has nothing to do with the actual detection of any netsplits, it only tells us how long we bother to keep track of netsplit nicks before we assume they've quit, changed nicks, or the server was permanently unlinked.

So, getting back on the main subject: not triggering join-floods on netmerges. This would be a mere issue of checking whether the nick joining was considered netsplit before he joined or not. If (s)he was, then don't count the join; if not, count it...
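Sir_Fz's suggestion earlier in the thread (count joins per channel rather than per host) and nml375's rule above (a join by a nick that was seen netsplitting is a rejoin and is not counted), combined, as an added example that is not code from this thread. It is plain Python rather than eggdrop Tcl so that it runs offline: the caller supplies the timestamps and the split marks that eggdrop's bind splt would otherwise provide. The `JoinFloodTracker` class, its "hot" flood window and the sample join list (taken from awyeah's opening example) are all constructed here. Once the limit is crossed, the channel stays flagged for the length of the window, so user4 and user7, which join alone from their own hosts, are reported together with the clones:

```python
from collections import deque


class JoinFloodTracker:
    """Count joins per channel regardless of host; skip netsplit rejoins."""

    def __init__(self, trigger="3:5", wait_split=300.0):
        limit, window = trigger.split(":")
        self.limit = int(limit)              # this many joins ...
        self.window = float(window)          # ... within this many seconds
        self.wait_split = float(wait_split)  # how long a split nick stays "split"
        self.joins = {}   # chan -> deque of (ts, nick, host) inside the window
        self.hot = {}     # chan -> timestamp until which the channel is flooding
        self.split = {}   # nick -> timestamp it was last seen leaving in a split

    def mark_split(self, nick, ts):
        """Call for a QUIT that looked like a netsplit (what bind splt sees)."""
        self.split[nick.lower()] = ts

    def _expire_split(self, ts):
        # wait-split: after this long we stop treating the nick as split
        for nick, seen in list(self.split.items()):
            if ts - seen > self.wait_split:
                del self.split[nick]

    def recent_joins(self, chan):
        """Joins currently held inside the window for the channel."""
        return len(self.joins.get(chan.lower(), ()))

    def join(self, chan, nick, host, ts):
        """Record a join at time ts (seconds). Returns the (nick, host) pairs
        to act on: the whole burst when the limit is first crossed, then each
        further join while the channel is still inside the flood window."""
        self._expire_split(ts)
        key = chan.lower()
        if self.split.pop(nick.lower(), None) is not None:
            return []                        # rejoin after a netsplit: not counted
        if key in self.hot and ts <= self.hot[key]:
            return [(nick, host)]            # still flooding: flag the straggler
        q = self.joins.setdefault(key, deque())
        while q and ts - q[0][0] > self.window:
            q.popleft()                      # drop joins that fell out of the window
        q.append((ts, nick, host))
        if len(q) >= self.limit:
            self.hot[key] = ts + self.window
            burst = [(n, h) for _, n, h in q]
            q.clear()                        # report each burst once
            return burst
        return []


# constructed sample after the thread's example: seven joins inside one second
SAMPLE = [
    ("user1", "a@a.com"), ("user2", "a@a.com"), ("user3", "a@a.com"),
    ("user4", "b@dfds.org"), ("user5", "a@a.com"), ("user6", "a@a.com"),
    ("user7", "afgf@fdsgdf.net"),
]


def run_sample(trigger="3:5"):
    """Feed SAMPLE into a fresh tracker at 0.1 s intervals on one channel and
    return every (nick, host) pair it flagged, in order."""
    t = JoinFloodTracker(trigger)
    flagged = []
    for i, (nick, host) in enumerate(SAMPLE):
        flagged.extend(t.join("#chan", nick, host, i * 0.1))
    return flagged


if __name__ == "__main__":
    for nick, host in run_sample():
        print("flagged", nick, host)
```

The tracker only reports; whether to kick, ban or, as caesar and Sir_Fz advise, lock the channel is left to the caller. `wait_split` plays the role of eggdrop's wait-split setting: a nick marked split longer ago than that is counted as a fresh join again.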

Post by awyeah »

Thanks for the very detailed info, appreciate it. I will try to apply this and let you know in time what solution I come up with for this problem.

Post by awyeah »

Here is the script which I have currently made in accordance with the bind splt and rejn mechanisms. I am not sure if it will work or not, since I haven't tested it, because netsplits don't occur when you want them to, obviously.

So I'm just pasting the code, and if anyone can follow up, have a look and browse through to let me know whether this would work or not. Once more I'll give info:

This script basically detects fast mass-joining hosts from bots which have more than one host and removes all bots which joined the channel.

Code:

set mjointrigger "3:5"

bind join - "*" mass:join:chan

proc mass:join:chan {nick uhost hand chan} {
 global mjointrigger joinflood net_split
 if {[isbotnick $nick] || [info exists net_split]} { return 0 }
 # ban mask on the host part only, so clones with different idents still match
 set host "*!*@[lindex [split [maskhost $uhost] @] 1]"
 set user [string tolower $chan]
 set limit [lindex [split $mjointrigger :] 0]
 set secs [lindex [split $mjointrigger :] 1]
 if {[string match -nocase "#*" $chan]} {
  if {![info exists joinflood($user)]} {
   set joinflood($user) 0
  }
  # every join counts for $secs seconds and is then subtracted again
  utimer $secs [list mass:join:list $user]
  if {[incr joinflood($user)] >= $limit} {
   if {[botisop $chan]} {
    putquick "MODE $chan +b $host" -next
    set clonenicks [list]; set clonenum 0
    foreach person [chanlist $chan] {
     if {[string match -nocase $host "$person![getchanhost $person $chan]"] && ![isop $person $chan] && ![isvoice $person $chan]} {
      incr clonenum; lappend clonenicks $person:$clonenum
     }
    }
    # \003 is the mIRC colour control character in front of each colour code
    foreach clone $clonenicks {
     putquick "KICK $chan [lindex [split $clone :] 0] :\0030,1 Clone Mass Join Flood \00312,0 - You \0032joined with\0036 $limit clients \0032or more \00312in less than\0036 $secs secs \00312from the host \0036*!*@[lindex [split $uhost @] 1] \00312- (Clone\0032 #[lindex [split $clone :] 1] \00312of\0032 #[llength $clonenicks]\00312)" -next
    }
    unset clonenicks; unset clonenum
    # timer counts minutes: lift the ban after an hour
    timer 60 [list putquick "MODE $chan -b $host"]
   }
   if {[info exists joinflood($user)]} { unset joinflood($user) }
  }
 }
 return 0
}

proc mass:join:list {user} {
 global joinflood
 if {[info exists joinflood($user)]} { incr joinflood($user) -1 }
}


# flags come before the mask: "*" as the mask matches "#channel nick!user@host"
bind splt - "*" mass:join:split
bind rejn - "*" mass:join:rejoin

proc mass:join:split {nick uhost hand chan} {
 global net_split
 # first split seen: stop counting joins until the merge is over
 if {![info exists net_split] && [onchansplit $nick $chan]} {
  set net_split 1
 }
 return 0
}

proc mass:join:rejoin {nick uhost hand chan} {
 global net_split
 if {[info exists net_split]} {
  # first rejoin: give the rest of the merge a few seconds, then resume counting
  # (a plain list, not a quoted string, so the timer can evaluate it)
  utimer 5 [list unset -nocomplain net_split]
 }
 return 0
}
Moreover, I searched the forum for rejn and splt and found Wcc gave a small snippet for detecting netsplits. It basically uses RAW with keyword QUIT. I think bind splt would be more relevant to detect netsplits than just using raw.

Code:

bind raw - QUIT raw:netsplit

proc raw:netsplit {from keyword text} {
 # the quit message follows the keyword as ":server1 server2"; a netsplit
 # carries exactly two server names, anything else is a normal quit
 set text [string trimleft $text :]
 if {![regexp {^(\S+) (\S+)$} $text match server1 server2]} { return 0 }
 foreach chan [channels] {
  putserv "PRIVMSG $chan :Netsplit detected: $server1 just split from $server2"
 }
 # return 0 so eggdrop still processes the QUIT itself (bind splt needs it)
 return 0
}
Here is what I came up with to detect users which have split:

Code:

bind raw - QUIT raw:netsplit

proc raw:netsplit {from keyword text} {
 global detect_netsplit
 if {[info exists detect_netsplit]} { return 0 }
 set text [string trimleft $text :]
 # netsplit quit message: "server1 server2", both lowercase host names with no
 # digits and at least four dots each (DALnet-style names); normal quits fail this
 if {[llength $text] == 2 && [regexp {^(\S+) (\S+)$} $text match server1 server2]
   && [string is lower [string map {"." "" " " ""} $text]]
   && [regexp -all {[0-9]} $text] == 0
   && [regexp -all {\.} $server1] > 3 && [regexp -all {\.} $server2] > 3} {
  foreach chan [channels] {
   putserv "PRIVMSG $chan :Netsplit detected: $server1 just split from $server2"
  }
  # flag the split once, and clear the flag again after ten seconds
  set detect_netsplit 1
  utimer 10 [list unset -nocomplain detect_netsplit]
 }
 return 0
}
Also is it NECESSARY to include a bind on SIGN for the nicks which didn't join back from the netsplit on REJN (users which quit IRC after the servers split). And how would I implement that?

Example of a netsplit rejoin:

Code:

* PapaJaHaT- (one@64.18.135.100) has joined #chatzone
* mariahilal (tin@208.98.24.223) has joined #chatzone
* Uk_Dude (vdn@[censored].this.is.an.all-out-war.net) has joined #chatzone
* Toyong^Hasibuan (Toyong@208.98.12.236) has joined #chatzone
* }-|-{ (united@im.coming.back.home.kg) has joined #chatzone
* Ramoo (sam@Harami.org) has joined #chatzone
* brain.hub.eu.dal.net sets mode: +ovo The^Lovely^Slut Forecast[V23] DenDen
* brain.hub.eu.dal.net sets mode: +b *!*@60.53.52.62
* Hong24 (~Hong24_C_@37.248.208.218.klj02-home.tm.net.my) has joined #chatzone
When the server sets channel modes, the channel rejoin from the netsplit is complete. Can I also do something like using bind MODE instead of bind REJN, so that I don't need to add a delay to unset the global var net_split? Because bind rejn will detect the first user joining, and for channels with big user counts lots of people will rejoin, so I have to make the script run after everyone has rejoined from the netsplit.

Code:

bind mode - "*" server:mode:on:rejoin

proc server:mode:on:rejoin {nick uhost hand chan mode victim} {
 global net_split
 # a "nick" with dots in it is the server setting the mode; the mode change
 # itself (+o/+v/+b), not the victim, is what we test
 # the only time the server sets modes on DALnet is after netsplit rejoins
 if {[regexp -all {\.} $nick] > 3 && [regexp {[ovb]} $mode]} {
  if {[info exists net_split]} {
   unset net_split
  }
 }
 return 0
}
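The raw QUIT snippets in the post above test the quit message with "more than three dots" and "no digits" checks, which fail on short server names or on servers with digits in their names. As an added example that is not code from this thread, the following Python classifies raw IRC lines instead: a QUIT whose message is exactly two syntactically valid host names is treated as a netsplit, the nick is remembered, its next JOIN is reported as a rejoin, and a MODE set by a server (a prefix with no !user@host part) is reported separately, since, as Sir_Fz notes below, a merge does not always produce one. `parse_line`, `SplitWatch` and the `RAW` sample lines are constructed here, modelled on the DALnet log in the post; the second server name is made up.

```python
import re

# Host-name label (RFC 1123 style): letters, digits, hyphens, no leading or
# trailing hyphen; a host name is two or more labels joined by dots. Digits
# and short names are allowed on purpose, so "hub.dal.net" passes.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(r"^%s(?:\.%s)+$" % (_LABEL, _LABEL))
# ":nick!user@host" for users, ":server.name" (no !user@host) for servers
PREFIX = re.compile(r"^:(?P<nick>[^!\s]+)(?:!(?P<user>[^@\s]+)@(?P<host>\S+))?$")


def parse_line(line):
    """Split ':prefix CMD arg ... :trailing' into (prefix, CMD, [args])."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    args = head.split()
    if sep:
        args.append(trailing)          # trailing arg keeps its spaces
    return prefix, args[0].upper(), args[1:]


def is_netsplit_quit(reason):
    """A netsplit QUIT message is exactly two server names: 'lost kept'."""
    parts = reason.split(" ")
    return len(parts) == 2 and all(HOSTNAME.match(p) for p in parts)


class SplitWatch:
    """Remember nicks that left in a netsplit so their JOIN reads as a rejoin."""

    def __init__(self):
        self.split = {}   # nick (lowercased) -> (server_lost, server_kept)

    def feed(self, line):
        prefix, cmd, args = parse_line(line)
        m = PREFIX.match(prefix) if prefix else None
        nick = m.group("nick") if m else ""
        from_server = bool(m) and m.group("user") is None   # no !user@host part
        if cmd == "QUIT" and args and is_netsplit_quit(args[0]):
            lost, kept = args[0].split(" ")
            self.split[nick.lower()] = (lost, kept)
            return ("netsplit", nick, lost, kept)
        if cmd == "JOIN" and args:
            if self.split.pop(nick.lower(), None):
                return ("rejoin", nick, args[0])
            return ("join", nick, args[0])
        if cmd == "MODE" and from_server and len(args) >= 2 and re.search(r"[ovb]", args[1]):
            # a server setting +o/+v/+b on a channel: seen on DALnet when a
            # split merges, but not every merge produces one
            return ("server-mode", nick, args[0], args[1])
        return (cmd.lower(), nick)


# constructed raw lines modelled on the thread's log; "hub.dal.net" is made up
RAW = [
    ":PapaJaHaT-!one@64.18.135.100 QUIT :brain.hub.eu.dal.net hub.dal.net",
    ":Ramoo!sam@Harami.org QUIT :Quit: bye",
    ":PapaJaHaT-!one@64.18.135.100 JOIN :#chatzone",
    ":Hong24!~Hong24_C_@37.248.208.218.klj02-home.tm.net.my JOIN :#chatzone",
    ":brain.hub.eu.dal.net MODE #chatzone +ovo The^Lovely^Slut Forecast[V23] DenDen",
]


def classify(lines=RAW):
    """Return the event kind SplitWatch reports for each raw line, in order."""
    w = SplitWatch()
    return [w.feed(line)[0] for line in lines]


if __name__ == "__main__":
    for line, kind in zip(RAW, classify()):
        print(kind.ljust(11), line)
```

This remains a heuristic, as nml375 said of bind splt: a user whose quit message happens to be two host names will be mistaken for a split, which is why the rejoin exemption should only suppress join-flood counting and never grant anything else.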

Post by Sir_Fz »

Bind rejn won't help you in your case because it is only triggered if the rejoin occurs during the wait-split duration. As for the modes option, the server doesn't always set a mode after the net rejoin so it is not efficient enough. IMO, it's best to increase the wait-split setting if the splits are taking longer than expected.

Post by awyeah »

Yes I forgot to mention that, I increase the wait-netsplit global var, to around about 3hrs or so, the maximum which I think can occur on DALnet. Hope that helps. :)