Drone qualification?

General talk about EFnet

Moderators: Website/Forum Admins, EFnet/General Moderators

evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Drone qualification?

Postby evil » Sat Mar 03, 2007 2:00 pm

I'm a bit curious as to what constitutes a "drone". There have been a couple of instances where I was building a botnet using the standard eggdrop1.6.18 and the netbots tcl. Each bot had a proper nick, each bot had an ident, each bot had it's own ip, there were no clones, each bot answered to ctcp's, each bot was idle from the time it connected to irc and after being up for 12 hours and idle for 12 hours and in a channel all to theselves they all got k-lined as a drone. This has happened twice. So what exactly did I do wrong? I would like to know so I can correct it.
wundr
Posts: 140
Joined: Sun Jul 06, 2003 11:34 pm
Location: Japan

Re: Drone qualification?

Postby wundr » Sat Mar 03, 2007 2:51 pm

evil wrote:Each bot had a proper nick, each bot had an ident, each bot had it's own ip, there were no clones
I can't answer your question exactly, but I was wondering... you said they all had idents, but did they all have *different* idents? And, they had different IPs, but were they all on the same machine or on the same IP block or /24? If they had the same ident on the same /24, I would think that could trigger the monitor bots.
evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Postby evil » Sat Mar 03, 2007 3:00 pm

Thanks for responding,
The bots had a maximum of 5 with the same ident, they were all ipv6 ip's from one shell box but with 3 different subnets from 3 different vendors but each ip was unique. Each of the subnets are /64 with the exception of freenet6 and it was a /48.
User avatar
lucy
Posts: 234
Joined: Wed Jul 02, 2003 6:22 pm
Location: graceland
Contact:

Postby lucy » Mon Mar 05, 2007 1:00 am

were they always changing nicks every minute or so?
its very annoying to see the same hosts changing nicks like that... makes me think they are drones of some sort and thats what i kline them as, unless they have a 'shell' host then i'm pretty sure its just an annoying bot.

or maybe they had the same realname as some common drones.
evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Postby evil » Mon Mar 05, 2007 1:57 am

No they had static nicks.
evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Postby evil » Wed Mar 14, 2007 10:02 pm

Ok, so by the lack of an answer to my question I can only assume there is no rhyme or reason to k-line a bunch of bots from a shell server other than mass paranoia. Just another black eye for efnet I suppose.
jilles
Posts: 17
Joined: Fri Mar 11, 2005 5:18 pm
Location: The Netherlands
Contact:

Postby jilles » Wed Mar 14, 2007 10:59 pm

you do not need so many bots and certainly not from one box

note that many clients from one /64 or similar can also be considered clones
evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Postby evil » Wed Mar 14, 2007 11:22 pm

Well if you read my original post there were 3 subnets involved from 3 different providers and I never said how many bots there were. How many bots are run from other shell servers? My guess would be 100's. What I also said was there was a maximum of 5 on the same login/ident, all had proper idents, nicks, and ctcp responses and there were no clones. So my question still remains.
User avatar
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Thu Mar 15, 2007 2:43 pm

so how many were there? was it a channel of 100 bots with 5 each per ident on 3 /64s?

remember: irc, on any network (not just efnet), is a privilege, not a right. it is up to the server or network adminsitrators to allow or deny clients on their server/network.

seeing as there are only 8 ipv6 servers on EFnet, how many of these servers were you using? were there 100 bots on 1 server? if that is the case, i would kline it too just because it looks suspicious and a waste of resources. there is no practical need for more than a couple of bots in a channel. the only uses since TS5/TS6+OCF are 1) vanity, 2) flooding. so which was it, and why should we be concerned?
In God we trust,
Everyone else must have an X.509 certificate.
evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Postby evil » Thu Mar 15, 2007 5:41 pm

There hasn't been 8 working ipv6 servers as long as I can remember.
No they weren't on the same server.
Your two options for having bots doesn't cover what I was doing so the answer to that one is none of the above.
Yes I understand the whole privilege/right catchall response. But I have also been busy with a bit of research on my own and out of the 27 shell providers I researched 11 of them had ipv6 addresses available, they were all of a single subnet each, 6 of the 11 had less than 30 ip's from a single subnet, 3 of them had between 30 and 100 ip's and 2 of them had more than 100 ip's available and again all under a single subnet. On the other hand I had 3 subnets in an effort to keep it from looking like the other shell providers. My question was an effort to correct what ever I was doing wrong in order to satisfy the efnet police. I am willing to accept the fact that somebody got carried away, twice, but don't try to paint over it. There just seems to be no standard unless of course you "know" somebody.
plat0nic
Posts: 8
Joined: Tue Mar 27, 2007 2:50 pm

Postby plat0nic » Sat Mar 17, 2007 5:36 am

I'm disappointed by some of the replies (not all, but I won't point people out).
Don't any of the nicer opers (and I know they exist!) browse these forums?

To answer your question, I can almost guarantee your bot's idle time is the trigger that got them K:Lined, based on the fact you said that the bots were idle for 12 hours from the time they connected to the time they were killed.
I would be positively sure if you said it happened both times after the same 12 hours.

but that's just me.. I'm pretty much pulling this out of my ass.

Maybe someone who knows more than me can come on and give a better answer besides "you don't need that many bots" or "opers/admins can do as they please; Damn all that oppose".
User avatar
lucy
Posts: 234
Joined: Wed Jul 02, 2003 6:22 pm
Location: graceland
Contact:

Postby lucy » Sat Mar 17, 2007 1:03 pm

another thing... if someone browsed back after being away for a while and saw a bunch of clients all connecting at the same time.... that it was obvious they were all 'connected' in some way.. either cause of the ident, real name, channel they were in, ips, that might be why it took 12 hours...
evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Postby evil » Sat Mar 17, 2007 1:12 pm

Actually they joined one at a time, never all at once, stretched out over a period of time that it took me to set them up one at a time. But thanks for your reply lucy.
User avatar
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Mon Mar 19, 2007 2:37 pm

plat0nic wrote:I'm disappointed by some of the replies (not all, but I won't point people out).
Don't any of the nicer opers (and I know they exist!) browse these forums?

...

Maybe someone who knows more than me can come on and give a better answer besides "you don't need that many bots" or "opers/admins can do as they please; Damn all that oppose".
perhaps if he answered any questions he might get a better answer.

if there were 100 bots, regardless of them being on unique IPs with 5 different idents, being only from 3 different providers they would be deemed clones/drones by most any oper that stumbled upon them. they would be deemed so because there *is*no*need* for that many bots an any single channel, so many sane opers would assume that they are not for channel management, they must be for more nefarious purposes. i have yet to hear any argument for needing that many bots anywhere, other than vanity.
In God we trust,
Everyone else must have an X.509 certificate.
evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Postby evil » Mon Mar 19, 2007 4:36 pm

How about reading the original posts, I said " a maximum of 5 on the same ident". How many bots do other shell providers have on the net at one time? This is going nowhere in an attempt to cover up abuse of power. No need to spew more garbage about this, I'll just restrict my users from connecting to efnet which is sad on my part becuse I have always been on efnet for 12+ years but I get sick of the double standards and abuse of power. Makes a person long for the day of July 11 2001.

Who is online

Users browsing this forum: No registered users and 3 guests