DNS Pollution/Cache Tricks

General talk about EFnet

Moderators: Website/Forum Admins, EFnet/General Moderators

kampfire
Posts: 8
Joined: Tue Apr 06, 2004 4:59 pm

DNS Pollution/Cache Tricks

Postby kampfire » Wed Jun 30, 2004 7:14 pm

I would really like to know what EFNet's position on the use of DNS servers designed to trick IRC Servers into allowing a non-qualified hostname to connect is.


I.e. jonny@poopie.net connects to irc.mzima.net and has IP address 1.2.3.4

user /whois's jonny@poopie.net because jonny packets user and user wishes to either, packet back or contact jonny's uplink (whatever the case isn't in dispute here). jonny's IP appears to user as 5.6.7.8, not the same IP he actually is IRCing from.

I personally believe that this kind of DNS pollution should not be tolerated by EFNet. Unlike the silly long hostnames, these hostnames are actually breaking RFC compliance and polluting the internet with confusing DNS caches. There are programs out there that will send certain machines one IP address and others different IP addresses, while they are used by legitimate companies to forward their customers to the closest network possible to increase speed or for geographic reasons, IRC shell hosters have been using them to allow their customers, in essence to 'SPOOF' their ip and point it to someone elses network, making them a target for harassment and attacks.

Some IRC operators have explained to me that they do not tolerate this kind of cache pollution and will ban violators on sight, and wish that the 'actually-is-from' option was integrated network wide.

Well, just curious what you guys think.
User avatar
deww
Posts: 125
Joined: Fri Jul 18, 2003 7:17 pm

Postby deww » Wed Jun 30, 2004 8:28 pm

Like you wrote yourself, it draws the attention away from the actual host. That means that it can potentially draw attention to the IRC server the user is on when an aggressor realizes that attacking the IP address doesn't seem to work or when the realize it's not actually the proper IP address. It's lame, but not as lame as those who believe that they need to resort to attacking people's connections for whatever reason.
kampfire
Posts: 8
Joined: Tue Apr 06, 2004 4:59 pm

Postby kampfire » Wed Jun 30, 2004 9:10 pm

[quote="deww"]Like you wrote yourself, it draws the attention away from the actual host. That means that it can potentially draw attention to the IRC server the user is on when an aggressor realizes that attacking the IP address doesn't seem to work or when the realize it's not actually the proper IP address. It's lame, but not as lame as those who believe that they need to resort to attacking people's connections for whatever reason.[/quote]

That's correct, but what if the offended person wants to use the information about that user for legal purposes, such as filing complaints against his or her account with the ISP that hosts that shell. Without an authentic IP to go by, it would be nearly impossible unless you are friends with an IRC operator on that server that can look up the cache.
Hwy
Posts: 66
Joined: Wed Jul 16, 2003 12:27 pm

Postby Hwy » Wed Jun 30, 2004 9:18 pm

That's the whole reason "whois actually" was written.

If they are on a hybrid 7/ratbox server, with that option enabled (I believe it is by default), you can remote whois them to see their real IP (unless they are spoofed by the server). These "DNS switch tricks" have been going on for many years now.

Also, I believe many of the monitor bots can check for this kind of abuse as well, and will kline (the real ip of) the user.

PS. It looks as if mzima disabled that option, sorry.

PPS. As for the official stance, I can't answer that either.
kampfire
Posts: 8
Joined: Tue Apr 06, 2004 4:59 pm

Postby kampfire » Wed Jun 30, 2004 9:55 pm

[quote="Hwy"]That's the whole reason "whois actually" was written.

If they are on a hybrid 7/ratbox server, with that option enabled (I believe it is by default), you can remote whois them to see their real IP (unless they are spoofed by the server). These "DNS switch tricks" have been going on for many years now.

Also, I believe many of the monitor bots can check for this kind of abuse as well, and will kline (the real ip of) the user.

PS. It looks as if mzima disabled that option, sorry.

PPS. As for the official stance, I can't answer that either.[/quote]

I know they have been going on for many years, but they kind of began to die down when IPv6 came onto the scene and threw a wrench in the mix. When IPv6 came along with IPv6 DNSing, users no longer had to worry about being packeted (as it reduced the chance) until people figured out how to packet over IPv6 and drop tunnels and to find IPv4 endpoints by using the IPv4 addresses of the IPv6's server. And then DNS cache tricks came back into effect. Despite how long it's been going on, its still a problem and needs to be dealt with.

Most servers (I have counted at least 20 of the 53 that I've seen DNS cache spoofed users on) do not have actually-is on their server. Im sure another 10-15 dont either.

If it was implemented network wide like TS, it would save alot of stress and trouble.

PS: As far as I:Line spoofs are concerned, if you want to spoof users, spoof all of the users. Dont half ass do it, all that does is get IRC servers packeted.

Alot of IRC Networks have introduced non-specific masking of IP addresses both for the users and the servers. You connect through a DNS Pool that puts you on the closest server and then you IRC... You would have to packet every server on the network to get any results which would be counter productive to your needs.
Hardy
Site Admin
Posts: 394
Joined: Wed Jul 02, 2003 4:54 pm
Location: Oslo, Norway
Contact:

Postby Hardy » Thu Jul 01, 2004 7:46 am

kampfire wrote:I know they have been going on for many years, but they kind of began to die down when IPv6 came onto the scene and threw a wrench in the mix. When IPv6 came along with IPv6 DNSing, users no longer had to worry about being packeted (as it reduced the chance) until people figured out how to packet over IPv6 and drop tunnels and to find IPv4 endpoints by using the IPv4 addresses of the IPv6's server. And then DNS cache tricks came back into effect. Despite how long it's been going on, its still a problem and needs to be dealt with.

Most servers (I have counted at least 20 of the 53 that I've seen DNS cache spoofed users on) do not have actually-is on their server. Im sure another 10-15 dont either.

If it was implemented network wide like TS, it would save alot of stress and trouble.

PS: As far as I:Line spoofs are concerned, if you want to spoof users, spoof all of the users. Dont half ass do it, all that does is get IRC servers packeted.

Alot of IRC Networks have introduced non-specific masking of IP addresses both for the users and the servers. You connect through a DNS Pool that puts you on the closest server and then you IRC... You would have to packet every server on the network to get any results which would be counter productive to your needs.
I didnt know dns spoofing that way was a issue anymore myself, but i will activate the "see real ip on remote whois" option on mzima when i have the time. I also had the impression most people wanting to hide their ip used ipv6 also.

And i also agree when it comes to user spoofs, they shouldnt be there at all. Spoofs were meant to protect the staff of the server while doing their work, not for users... But there is to many out there that dont agree to that so i think its to late to change what has happend.

When it comes to host hiding of users or servers, using a centralized DNS pool for users to connect, im sure that will never happend either. Mostly because EFnet is a network consiting of several servers, and we arent to have a single point of failure which a domain would be.. this isnt undernet :)
-- Hardy
Administrator: irc.underworld.no
Services Administrator
http://www.efnet.org admin/staff
kampfire
Posts: 8
Joined: Tue Apr 06, 2004 4:59 pm

Postby kampfire » Thu Jul 01, 2004 7:50 am

Hardy wrote:
kampfire wrote:I know they have been going on for many years, but they kind of began to die down when IPv6 came onto the scene and threw a wrench in the mix. When IPv6 came along with IPv6 DNSing, users no longer had to worry about being packeted (as it reduced the chance) until people figured out how to packet over IPv6 and drop tunnels and to find IPv4 endpoints by using the IPv4 addresses of the IPv6's server. And then DNS cache tricks came back into effect. Despite how long it's been going on, its still a problem and needs to be dealt with.

Most servers (I have counted at least 20 of the 53 that I've seen DNS cache spoofed users on) do not have actually-is on their server. Im sure another 10-15 dont either.

If it was implemented network wide like TS, it would save alot of stress and trouble.

PS: As far as I:Line spoofs are concerned, if you want to spoof users, spoof all of the users. Dont half ass do it, all that does is get IRC servers packeted.

Alot of IRC Networks have introduced non-specific masking of IP addresses both for the users and the servers. You connect through a DNS Pool that puts you on the closest server and then you IRC... You would have to packet every server on the network to get any results which would be counter productive to your needs.
I didnt know dns spoofing that way was a issue anymore myself, but i will activate the "see real ip on remote whois" option on mzima when i have the time. I also had the impression most people wanting to hide their ip used ipv6 also.

And i also agree when it comes to user spoofs, they shouldnt be there at all. Spoofs were meant to protect the staff of the server while doing their work, not for users... But there is to many out there that dont agree to that so i think its to late to change what has happend.

When it comes to host hiding of users or servers, using a centralized DNS pool for users to connect, im sure that will never happend either. Mostly because EFnet is a network consiting of several servers, and we arent to have a single point of failure which a domain would be.. this isnt undernet :)
Well, there have been users that have started using it again when it became possible to locate IPv4 endpoints from most IPv6 users and whatnot.

I would name a few people with these 'spoofs' but that would violate posting policy so I wont do it. Hardy if you want names I can provide them to you via IRC as to protect privacy yada yada yada blah blah.

- kamper
foff
Posts: 3
Joined: Thu Jul 01, 2004 3:44 pm

Postby foff » Fri Jul 02, 2004 4:27 pm

osek, a spoof's never stopped you before, why dont you just packet the server like you usually do when you cant get the kids ip
kampfire
Posts: 8
Joined: Tue Apr 06, 2004 4:59 pm

Postby kampfire » Fri Jul 02, 2004 7:05 pm

foff wrote:osek, a spoof's never stopped you before, why dont you just packet the server like you usually do when you cant get the kids ip

First of all, I'm retired, I do not packet anymore and you know it. So stop trying to confuse the issue by quickly signing up on here just to sling mud in people's faces.

Second of all, I never packeted a IRC server to get at a single user, not once.. EVER. So your statement, just like your entire reason for being on this forum, is invalid.

So, i'll requote what you said and give you a definitive answer:
foff wrote:osek, a spoof's never stopped you before, why dont you just packet the server like you usually do when you cant get the kids ip
My answer: Yo Momma

.
foff
Posts: 3
Joined: Thu Jul 01, 2004 3:44 pm

Postby foff » Fri Jul 02, 2004 8:15 pm

aye, retired, I never knew being a kiddie was once your actual profession, whats the salary for that type of anti social idiocy?
foff
Posts: 3
Joined: Thu Jul 01, 2004 3:44 pm

Postby foff » Fri Jul 02, 2004 8:23 pm

kampfire wrote:First of all, I'm retired, I do not packet anymore and you know it. So stop trying to confuse the issue by quickly signing up on here just to sling mud in people's faces.

Second of all, I never packeted a IRC server to get at a single user, not once.. EVER. So your statement, just like your entire reason for being on this forum, is invalid.

.
LOL

* random google search on osek *

http://www.mail-archive.com/nanog@merit ... 20611.html
http://www.merit.edu/mail.archives/nano ... 00687.html

Need I go On?

Game Set Match





.bert for president of united states

Who is online

Users browsing this forum: No registered users and 1 guest