View Issue Details

ID: 0004557
Project: unreal
Category: ircd
View Status: public
Last Update: 2018-04-22 09:15
Reporter: hayek
Assigned To: syzop
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: closed
Resolution: unable to duplicate
Product Version: 4.0.1
Summary: 0004557: Many IPs listed in my provided Blacklists are not blocked, but BOPM with same configuration does

Description:

Many IPs which are on the blacklist I provide in the unreal configuration are not blocked. Take these IPs for example. They are recognized by BOPM but not by Unreal 4.0.1:

http://dronebl.org/lookup_branded.do?ip=62.255.82.98&network=Network
http://dronebl.org/lookup_branded.do?ip=31.184.242.173&network=Network
http://dronebl.org/lookup_branded.do?ip=94.245.58.47&network=Network

Configuration Unreal 4.0.1:

blacklist dronebl {
        dns {
                name dnsbl.dronebl.org;
                type record;
                reply { 2; 3; 5; 6; 7; 8; 9; 10; 13; 14; 15; 17; 255; };
        };
        action kline;
        ban-time 0;
        reason "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded.do?ip=%ip&network=Network";
};

Configuration BOPM:

blacklist {
       name = "dnsbl.dronebl.org";
       type = "A record reply";
       ban_unknown = no;
       reply {
               2 = "Sample";
               3 = "IRC Drone";
               5 = "Bottler";
               6 = "Unknown spambot or drone";
               7 = "DDOS Drone";
               8 = "SOCKS Proxy";
               9 = "HTTP Proxy";
               10 = "ProxyChain";
               13 = "Brute force attackers";
               14 = "Open Wingate Proxy";
               15 = "Compromised router / gateway";
               17 = "Automatically determined botnet IPs (experimental)";
               255 = "Unknown";
           };
       kline = "KLINE *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded.do?ip=%i&network=Network";
};

Another issue is that %ip is not replaced with the actual IP, as it should be since 4.0.1, as the documentation states.
3rd party modules

Activities

syzop

2016-01-24 22:11

administrator   ~0019072

%ip is my documentation/changelog mistake.. it's $ip -- docs updated :)

As for your real problem, I tried your block but used a local blacklist (one that returns the same values as your problem), and no success. I can look again later, see if I can think of a better test, like with a DNS server that has some real latency for instance.

Any special circumstances when it doesn't work?

hayek

2016-01-24 22:38

reporter   ~0019073

No, I cannot figure out special circumstances. The blacklist feature is great but approx. 1/15 is not blocked but still banned by bopm.

syzop

2016-01-24 22:46

administrator   ~0019074

Ok thanks for the info

syzop

2016-03-04 13:37

administrator   ~0019123

Hmm I wonder if there's really a bug (could be.. could be not). You understand that the IRCd still lets a user connect/in even if the DNS check is still in progress? I mean, it's possible that DNS for the IRCd was still in progress and BOPM just reacted quicker.
One can only tell by replacing the KILL or *LINE command at BOPM with some PRIVMSG.. to see if the IRCd would have killed the user eventually (I say "eventually" but we are only talking seconds here, if the theory of above is correct).

syzop

2016-05-22 18:43

administrator   ~0019269

I think this is simply -> see previous comment.

syzop

2018-04-22 09:15

administrator   ~0020101

In 4.0.16 I added set::handshake-delay to fix the issue mentioned 2 comments above

The reason I'm commenting on this bug is that I also just fixed another bug (will be in UnrealIRCd 4.0.18) where the code did not parse multiple record replies such as:
;; ANSWER SECTION:
220.89.74.36.dnsbl.dronebl.org. 131 IN A 127.0.0.9
220.89.74.36.dnsbl.dronebl.org. 131 IN A 127.0.0.3

If you only had kills configured for '3' then it would only compare the first result ('9') and if this didn't match a type in the blacklist block then it would stop there, user allowed in.

As said, now fixed in git and will be UnrealIRCd 4.0.18.

Not sure how many people are affected by this, personally I added pretty much all types, but it's easy to miss one - especially if the DNSBL provider added new types later on - and then you can randomly have false negatives for xx%.
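
The false negative described in the last comment, as an added example (not UnrealIRCd's code; the function names are made up for illustration, and the sample answer is the two A records quoted above): comparing only the first record misses a listing that checking every record catches, and the last helper reports returned types that a reply list does not cover.

```python
import ipaddress

# Reply types from the reporter's blacklist block on this page.
CONFIGURED_REPLIES = {2, 3, 5, 6, 7, 8, 9, 10, 13, 14, 15, 17, 255}

# The two A records from the ANSWER SECTION quoted in the last comment.
SAMPLE_ANSWER = ["127.0.0.9", "127.0.0.3"]

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip, zone="dnsbl.dronebl.org"):
    """Build the reversed-octet lookup name for an IPv4 client address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def reply_types(a_records):
    """Return the reply type (last octet) of every 127.0.0.0/8 A record.

    Answers outside 127.0.0.0/8 are ignored: they are not DNSBL return
    codes (for example a resolver that rewrites failed lookups).
    """
    types = []
    for rec in a_records:
        addr = ipaddress.IPv4Address(rec)
        if addr in LOOPBACK:
            types.append(int(addr) & 0xFF)
    return types

def match_first_only(a_records, wanted):
    """Behaviour described in the comment: only the first record is compared."""
    types = reply_types(a_records)
    return bool(types) and types[0] in wanted

def match_any(a_records, wanted):
    """Corrected behaviour: a hit if any record carries a configured type."""
    return any(t in wanted for t in reply_types(a_records))

def unconfigured_types(a_records, wanted):
    """Types the DNSBL returned that the reply list does not cover."""
    return sorted(set(reply_types(a_records)) - set(wanted))

if __name__ == "__main__":
    print(dnsbl_query_name("36.74.89.220"))
    print("first-only, reply {3}:", match_first_only(SAMPLE_ANSWER, {3}))
    print("any record, reply {3}:", match_any(SAMPLE_ANSWER, {3}))
    # Constructed answer containing a type (19) absent from the reply list.
    print(unconfigured_types(["127.0.0.9", "127.0.0.19"], CONFIGURED_REPLIES))
```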

Issue History

Date Modified Username Field Change
2016-01-24 17:51 hayek New Issue
2016-01-24 22:11 syzop Note Added: 0019072
2016-01-24 22:38 hayek Note Added: 0019073
2016-01-24 22:46 syzop Note Added: 0019074
2016-03-04 13:37 syzop Note Added: 0019123
2016-05-22 18:43 syzop Note Added: 0019269
2016-05-22 18:43 syzop Status new => closed
2016-05-22 18:43 syzop Assigned To => syzop
2016-05-22 18:43 syzop Resolution open => unable to duplicate
2018-04-22 09:15 syzop Note Added: 0020101