#avr Logs

Sep 04 2018


04:27 PM vmt: sup avr
04:31 PM polprog: push nothing; call say
04:31 PM vmt: does bss still hang around here?
04:31 PM vmt: or tom? there also was this one guy who was always recollecting his past working with [insert some old tech here]
04:31 PM Emil: Consider joining #avrs
04:31 PM vmt: why?
04:31 PM polprog: tom is still here
04:31 PM vmt: why #avr and #avrs?
04:36 PM polprog: long story
04:36 PM polprog: rue kicked all idlers (half of chan), and emil got upset and made his own channel, where most of the discussion takes place
04:37 PM vmt: interesting. rue_ do you still consider irc to be a notepad application?
08:53 PM rue_: vmt, one of the people didn't like the way the avr channel was having the bots flushed out every 3 years and started avrs
08:55 PM rue_: haha, if Emil likes idle bots I could park 22 of them in avrs
08:58 PM rue_: but I'm trying to be mature and not use my fed-up-ed-ness to ban him, and not play silly games like he is
08:59 PM rue_: hes just upset that I cleared the people out right after the guardians of the galaxy movie
08:59 PM rue_: mostly bots, accidentally hit some people
08:59 PM rue_: see 110 in channel, nobody talking,
08:59 PM rue_: thats cause most of the channel is idle bots
09:01 PM rue_: for example, have you EVER heard crib say ANYTHING?
09:01 PM rue_: the hackers use freenode to park ddos bots
09:01 PM rue_: splatter them across channels to make them look valid
09:03 PM rue_: crib !help
09:04 PM rue_: if they're kaiten bots...
09:04 PM rue_: 0/whois Emil
09:04 PM rue_: hmm, I wonder what IP I could have them attack
09:05 PM rue_: !crib HELP
09:05 PM rue_: !crib NICK asdfm9
09:06 PM rue_: !arti NICK asdfm9
09:06 PM rue_: !funky1 NICK asdfm9
09:06 PM rue_: !jaggz NICK asdfm9
09:07 PM rue_: !jaggz VERSION
09:07 PM rue_: gonna hit one eventually
09:08 PM rue_: !jaggz IRC privmsg #avr :I m bot
09:09 PM rue_: !impulse IRC privmsg #avr :I m bot
09:09 PM rue_: !kini IRC privmsg #avr :I m bot
09:09 PM rue_: !lvlinux IRC privmsg #avr :I m bot
09:09 PM rue_: I reckon I'm not wrong, I'm just not right
09:09 PM kline: youre mostly wrong
09:10 PM rue_: I'm not gonna believe there are 100 idlers here who NEVER say anything
09:10 PM kline: your beliefs dont really change reality
09:10 PM rue_: or, is the trigger character different? ;)
09:10 PM rue_: kline, you dont think bots are real?
09:11 PM kline: i dont think any appreciable number are sitting in this channel
09:11 PM rue_: you think they're all real people who just happened to forget that they were in this channel
09:11 PM kline: yes, pretty much
09:11 PM kline: maybe one or two are non-malicious bots who ended up here by accident
09:11 PM rue_: that makes sense to you
09:11 PM rue_: really?
09:12 PM kline: well, i have a fair whack of experience so i think thats backed up
09:12 PM rue_: !shifttymike IRC privmsg #avr :I m bot
09:12 PM rue_: I think the bots need me to auth to accept commands...
09:12 PM rue_: @shifttymike IRC privmsg #avr :I m bot
09:12 PM rue_: #shifttymike IRC privmsg #avr :I m bot
09:13 PM rue_: $shifttymike IRC privmsg #avr :I m bot
09:13 PM rue_: %shifttymike IRC privmsg #avr :I m bot
09:13 PM kline: nah, theres just not enough bots here that youre likely to hit it by random sample
09:13 PM rue_: all I have to do is go thru all the nicks that NEVER say anything
09:14 PM rue_: !troyt IRC privmsg #avr :I m bot
09:14 PM kline: still doesnt make them bots
09:14 PM rue_: !vishwin IRC privmsg #avr :I m bot
09:14 PM kline: theres a way better way in any case
09:14 PM kline: just cycle everyone with a ctcp version
09:15 PM * rue_ twitches his nose and sniffles
09:15 PM kline: obviously im not a bot
09:16 PM rue_: most of them are ZNC
09:16 PM kline: you know znc?
09:16 PM rue_: no
09:16 PM rue_: what is it
09:16 PM rue_: compressed netcat?
09:16 PM kline: its a bouncer
09:16 PM kline: its basically like a smart irc proxy
09:17 PM kline: you can set it up on a server and itll act as a client for you to the network, but act as a server to your end client
09:17 PM kline: in this way the server can stay always on (and idle for years, even) while your pc is off/disconnected while you travel/etc
09:18 PM rue_: and your saying thats not a bot
09:18 PM kline: yes
09:18 PM rue_: so maybe I should kick all the ZNC connections every 4 yrs
09:18 PM kline: why?
09:18 PM rue_: because those people aren't here
09:19 PM kline: so?
09:19 PM rue_: it kills the channel
09:19 PM rue_: (so do spammers)
09:19 PM rue_: and Emil :)
09:20 PM kline: how does having idle users kill the channel?
09:20 PM rue_: it does, I've seen it happen for about 20 years
09:20 PM rue_: irc channels have a life cycle
09:20 PM rue_: sorry you have never noticed
09:21 PM rue_: but its true, and the life of a channel can be extended by killing people who hit 100% idle
09:22 PM kline: well, personally i think youre bonkers in that regard but its your channel to admin
09:22 PM kline: its not something that the staff have observed generally
09:22 PM rue_: so does emil
09:22 PM rue_: but I'm right
09:22 PM kline: ok
09:22 PM rue_: staff dont observe
09:22 PM kline: im here, observing, right now
09:23 PM rue_: thats why the spammers successfully flood freenode with spam every year for 16 years now
09:23 PM rue_: mh
09:23 PM rue_: mhm
09:23 PM rue_: sorry.
09:23 PM kline: how many spammers do you think we let through, and how many do we defeat?
09:24 PM rue_: There are a lot of things I'd like to do that I cant cause I have no server access, when I've asked and tried to help, I've been told to shut up and go away
09:24 PM kline: im sorry thats been your impression, if theres anything youd like to know, im happy to take questions
09:25 PM kline: as it stands, we block the vast, vast majority of spam, and you can even see in the recent year or so there have been drastic changes in how spammers spam because we're so good at getting them
09:25 PM kline: frustratingly, even only 10 connections getting through can look really disruptive, but we routinely block several thousand a day
09:29 PM rue_: kline, and has anyone tried to do anything about the person behind the spamming?
09:29 PM kline: yes
09:30 PM rue_: this year, or in previous years?
09:30 PM kline: at its peak, we've actually worked with the NCA, the UK policing body equivalent to the US FBI
09:30 PM kline: yes, this year and in previous years
09:30 PM rue_: he started throwing some pretty personal attacks this year
09:30 PM kline: absolutely, the allegations are as serious as they are untrue
09:30 PM kline: but theyre not even new this year
09:31 PM kline: unfortunately, its quite hard to divert NCA time to step into what would be a challenging, expensive, and multinational investigation against botnet providers and users, especially given the limited "real life" impact
09:31 PM rue_: I got rate limited on the /version have to try a different way
09:32 PM rue_: I got into one of the botnets
09:32 PM rue_: but the code was only for arm/mips and I couldn't get the channel key out of it
09:32 PM kline: there are actually some instances where we know the individuals, sometimes even met face to face, behind various spam campaigns
09:32 PM rue_: and it wouldn't run on my android
09:32 PM kline: but that doesnt make bringing the law to bear on them any easier
09:33 PM rue_: know any that go by the handle "light"
09:33 PM rue_: ?
09:34 PM rue_: hah, I should stay quiet if I dont know who's listening
09:34 PM kline: i wouldnt comment either way
09:34 PM rue_: I know a number of the spammers hang out in #freenode, dont know who they are tho
09:34 PM kline: we do for a number of them
09:34 PM rue_: it looks like the channel was muted pretty good
09:35 PM rue_: anyhow I have an anti-spam plan I'm still tuning :)
09:36 PM kline: the problem is that botnet access is sufficiently slippery online, and the people using them are often in hard to reach jurisdictions
09:36 PM kline: so its a hard sell i imagine to the policing body thats already overloaded with "real" crime
09:36 PM kline: would you fill me in?
09:36 PM rue_: hell no ;)
09:36 PM kline: if you have good ideas it would be great to apply them network wide
09:37 PM rue_: did you guys gather data on the client and version that the bots use to connect as?
09:39 PM kline: of coure
09:39 PM kline: course
09:39 PM kline: and not just the info we ask them to report
09:39 PM rue_: that should lead to a few-thousand bot-drops/day
09:39 PM kline: it does, yes
09:40 PM rue_: and has anyone looked at a connection log for a bot? see its behaviour across the network?
09:40 PM kline: yes
09:41 PM kline: well, depends what in full you mean by that, but yes, we have a pretty good idea of how bots act
09:41 PM rue_: I mean to look at everything a bot did since connection, via a log
09:41 PM rue_: till it was identified and banned
09:42 PM rue_: I think they sit idle after having connected, not joined to any channels
09:42 PM rue_: seems to me that if a bunch of nicks have been sitting on the server without having connected to any channels, they should have their connections closed, even if replying to pings
09:42 PM kline: we don't routinely log connections from the wild against our production network because that has serious privacy implications (such as recording private discussions, passwords, etc)
09:43 PM kline: however, we do have ways to characterise bot behaviours such as the behaviours you're talking about
09:43 PM rue_: could you get a number of how many nicks are not in any channels right now?
09:44 PM kline: thats something we can do, sure
09:44 PM rue_: I'm just asking if you guys can even get that data
09:44 PM kline: yes
09:45 PM rue_: and has anyone ever looked at the nicks that sit there on no-channels for prolonged periods of time?
09:45 PM rue_: it would also make sense if the bots all collect in a hidden control channel where they are triggered from
09:45 PM rue_: so, you need to know what the nicks were up to before they started spamming
09:46 PM rue_: from what i can tell, nobody is interested enough to do that
09:48 PM kline: bots collecting in "hidden" control channels is one of the easiest things we can detect for a number of reasons
09:49 PM rue_: well, the next thing the spammers will do is use registered bots, so I hope someone has started thinking about that one.
09:49 PM kline: its quite hard to automate registration, but yes, we have alerts for that kind of abuse too
09:49 PM * rue_ giggles
09:50 PM kline: we have a number of staff who really specialise in counterabuse and spend a lot of time working through these kinds of attacks
09:50 PM rue_: do they come up with much suspect stuff that often?
09:50 PM kline: the alerts or the staff?
09:51 PM rue_: the staff
09:52 PM kline: yeah, theyre pretty innovative
09:52 PM kline: we probably have one of the best lists of open proxies that exists in the world, we have some software set up that runs just for that
09:53 PM kline: so we can very quickly and cheaply deny connections from proxies as theyre made
09:53 PM rue_: well, it didn't take me long to get into one of the kaiden irc servers
09:54 PM kline: so these bots never even complete the connection, never even starting to talk the protocol
09:54 PM rue_: I didn't find the source code they were using
09:54 PM kline: whos this?
09:54 PM rue_: that big attack week before last?
09:55 PM kline: i was "on leave" so to speak
09:55 PM rue_: set up a machine to watch http requests for login.cgi :)
09:55 PM kline: this is my first week back really after about 2 months away while i finished university and started applying for jobs and stuff
09:55 PM kline: i moved house at the same time
09:56 PM rue_: anyhow, when I did talk to the hacker (light) he seemed to behave as tho nobody ever came to say hello, his response was a bit rude to me turning up on his bot-control network
09:56 PM rue_: hum
09:57 PM rue_: I'm trying to not draw attention tho, so dont tell eh?
09:58 PM rue_: I just wanted to see what a ddos bot-control channel looked like
09:58 PM kline: its not that interesting tbh
09:58 PM rue_: 10 machines/min tho, pretty good pickup
09:59 PM * rue_ fires a watergun into the crowd...
10:00 PM rue_: ok, I have code to write
10:00 PM rue_: digital servo, here I come!
10:01 PM kline: ace
10:01 PM rue_: force feedback!
10:01 PM kline: rue_, as i mentioned btw, if you ever have any questions about the network, feel free to ask
10:01 PM kline: similarly, if you have any suggestions regarding counterabuse stuff we could do we're happy to listen
10:02 PM rue_: not the reception I've had
10:03 PM kline: sorry its been that way, feel free to catch me personally
10:03 PM kline: as a sneak peek, here are the timestamps from messages in a channel we use to log some attacks: https://i.imgur.com/EWMnKZK.png
10:04 PM kline: you can see we're often turning down several a second, and these are just the attacks that we believe are interesting enough to warrant an alert
11:57 PM day_ is now known as day