Browser/Javascript POST attack

News and announcements about the UnrealIRCd project can be found here.

Postby Syzop » Sun Feb 28, 2010 6:28 pm

Just wanted to drop a note that if anyone is experiencing problems like this (also called Firefox XPS IRC Attack), then this is what I suggest you do:
1. If not done so already, then compile UnrealIRCd with NOSPOOF (spoof protection) enabled, on *NIX this is the first question asked during ./Config, on Windows it is always enabled.
2. I've released a nopost module which will kill/zline/etc such connections. http://www.vulnscan.org/UnrealIRCd/modu ... ost.tar.gz
You can do #2 without #1, and #1 without #2, but if you're really under attack then combining them is most effective.
Syzop
UnrealIRCd head coder
 
Posts: 1498
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: Browser/Javascript POST attack

Postby MightyWings » Sun Feb 28, 2010 11:34 pm

Thank you for posting this, Syzop.

My network hasn't had this problem yet, but one can't be too careful. Thank you for creating the module as well. :)

MightyWings
MightyWings
 
Posts: 19
Joined: Fri Feb 26, 2010 12:06 pm
Location: Portadown, Northern Ireland

Re: Browser/Javascript POST attack

Postby katsklaw » Mon Mar 01, 2010 12:30 am

If I'm not mistaken the /close command would help too as it closes all unknown connections. So if I'm correct, issuing a /close command after a /rehash and loading the module should clean things up.

Perhaps someone that knows for sure can verify my statement.
katsklaw
Official supporter
 
Posts: 1035
Joined: Sun Apr 18, 2004 5:06 pm

Re: Browser/Javascript POST attack

Postby Stealth » Mon Mar 01, 2010 6:02 am

CLOSE will only help if you have NOSPOOF enabled and there are a bunch of these connections stuck in user registration. Also, just loading the module will catch new connections and the old ones will time out after the user registration timeout (IIRC it's 30 seconds).
Stealth
Head of Support
 
Posts: 2043
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Re: Browser/Javascript POST attack

Postby transacid » Mon Mar 01, 2010 8:17 am

I see a lot of
Code:
[nopost] Killed connection from 207.46.195.226
That's a msn bot. Why would msn index irc?
transacid
 
Posts: 0
Joined: Mon Mar 01, 2010 8:14 am

Re: Browser/Javascript POST attack

Postby Jobe1986 » Mon Mar 01, 2010 9:32 am

transacid wrote: I see a lot of
Code:
[nopost] Killed connection from 207.46.195.226
That's a msn bot. Why would msn index irc?

Well, given that it triggered the [nopost] notice, this suggests that somewhere there is a URL directed at your IRC server:port that the bot/crawler followed, as the only way [nopost] notices are triggered with the nopost module is if the IRCd receives a "POST", "GET" or "PUT" command.
Jobe1986
Official supporter
 
Posts: 1172
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom
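
The trigger Jobe1986 describes, as an added example that is not part of the thread and is not the nopost module's source: a stand-alone check for whether the first line from a connection begins with one of the three verbs named above. The function names, the `registered` flag, case-insensitive matching and the sample lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Verbs the thread names as triggering a [nopost] notice. */
static const char *const HTTP_VERBS[] = { "POST", "GET", "PUT" };

/* Return the HTTP verb that starts `line` as a whole token, or NULL.
 * Case-insensitive matching is an assumption of this sketch. */
const char *http_verb_at_start(const char *line)
{
    size_t v, i, n;

    if (line == NULL)
        return NULL;
    for (v = 0; v < sizeof HTTP_VERBS / sizeof HTTP_VERBS[0]; v++) {
        n = strlen(HTTP_VERBS[v]);
        for (i = 0; i < n; i++)
            if (toupper((unsigned char)line[i]) != HTTP_VERBS[v][i])
                break;
        /* Require a token boundary so "POSTMASTER" does not match. */
        if (i == n && (line[n] == ' ' || line[n] == '\r' ||
                       line[n] == '\n' || line[n] == '\0'))
            return HTTP_VERBS[v];
    }
    return NULL;
}

/* 1 = drop the connection, 0 = let it continue. Only connections that
 * have not finished registration are judged (hypothetical flag). */
int should_drop(const char *first_line, int registered)
{
    return !registered && http_verb_at_start(first_line) != NULL;
}

int main(void)
{
    /* Constructed sample first lines, not captured traffic. */
    const char *samples[] = {
        "POST /upload HTTP/1.1", "GET / HTTP/1.1",
        "NICK alice", "POSTMASTER hello", "put /x HTTP/1.0",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               should_drop(samples[i], 0) ? "drop" : "allow");
    return 0;
}
```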

Re: Browser/Javascript POST attack

Postby transacid » Mon Mar 01, 2010 9:51 am

Also the config doesn't seem to work. I get
Code:
*** Notice -- error: unrealircd.conf:949: unknown directive set::nopost
If i dun use the setting at all it works fine.
transacid
 
Posts: 0
Joined: Mon Mar 01, 2010 8:14 am

Re: Browser/Javascript POST attack

Postby Syzop » Mon Mar 01, 2010 10:05 am

transacid wrote: Also the config doesn't seem to work. I get
Code:
*** Notice -- error: unrealircd.conf:949: unknown directive set::nopost
If i dun use the setting at all it works fine.

My bad. I've updated the module to fix this (url still the same).

As for the MSN bot, I (obviously) don't know the MSN bot internals, but it somehow thinks your IRC server is a website :)
Syzop
UnrealIRCd head coder
 
Posts: 1498
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: Browser/Javascript POST attack

Postby transacid » Mon Mar 01, 2010 11:19 am

Syzop wrote:
transacid wrote: Also the config doesn't seem to work. I get
Code:
*** Notice -- error: unrealircd.conf:949: unknown directive set::nopost
If i dun use the setting at all it works fine.

My bad. I've updated the module to fix this (url still the same).

As for the MSN bot, I (obviously) don't know the MSN bot internals, but it somehow thinks your IRC server is a website :)

Ok thanks, this one works fine ;)
transacid
 
Posts: 0
Joined: Mon Mar 01, 2010 8:14 am

Re: Browser/Javascript POST attack

Postby transacid » Mon Mar 01, 2010 6:28 pm

oh btw, now i dun see any logmessages anymore :/
transacid
 
Posts: 0
Joined: Mon Mar 01, 2010 8:14 am

Re: Browser/Javascript POST attack

Postby Syzop » Mon Mar 01, 2010 7:17 pm

What settings do you use?
I get a message both with kill and with gline (though with anything other than kill it's like '*** G:Line added for ...... the reason..', and not a 'killed connection ..' as well, as that would seem a bit redundant)
Syzop
UnrealIRCd head coder
 
Posts: 1498
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: Browser/Javascript POST attack

Postby transacid » Mon Mar 01, 2010 7:27 pm

Syzop wrote: What settings do you use?
I get a message both with kill and with gline (though with anything other than kill it's like '*** G:Line added for ...... the reason..', and not a 'killed connection ..' as well, as that would seem a bit redundant)

oh nevermind. Didn't check my snomask ;) Everything good now.
transacid
 
Posts: 0
Joined: Mon Mar 01, 2010 8:14 am

