IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#i2p-dev
/2023/08/27
eyedeekay Tor's POW implementation is reminiscent of something in our tunnel build specification
eyedeekay Could be combined with congestion caps as a tunnel spam defense maybe
dr|z3d > Sure, or we could just get better at profiling tunnels that aren't doing anything useful.
dr|z3d Their POW implementation is a direct response to onion services and onion guards being DDoSed. We don't yet have that issue.
eyedeekay Guess I could be putting the cart before the horse there
RN isn't that just proactive vs reactive?
dr|z3d we're already proactive. we have decent throttle controls for services.
dr|z3d if anything, eyedeekay, we could look at improving the tunnel filtering and throttle controls.
eyedeekay On one level maybe but there is the argument that if we do it too early when there's not an attack to test it against we create more problems than we solve, I can see both sides
dr|z3d the tunnel filtering could be extended to auto-block dests requesting prohibited urls, where the user supplies a list of urls they want blocked.
dr|z3d would need to happen in the http server tunnel code, not the tunnel filter, but still, I think it's a good idea to provide out of the box features like this with a default blocklist given the prevalence of exploit scanners on the network.
obscuratus Let's set it up so that the device makes an applause sound every time we ban a hash, and a cheering-crowd sound when we ban a whole IP.
obscuratus Satisfaction!
dr|z3d eyedeekay: do you want to thump him or shall I? :)
eyedeekay That implies a way to identify the exploit scanners and distribute the blocklists
obscuratus It'll give our users a pleasing endorphin rush, and give them a sense of accomplishment.
eyedeekay That sounds like a whole job by itself
dr|z3d we already have a way to identify the scanners.
eyedeekay Which scanners are we talking about?
RN LOL @ obscuratus
dr|z3d this was something I discussed previously with zzz, just never got around to writing it up past an initial post on his forum.
dr|z3d http exploit scanners. all over the network.
RN I have a list of some keywords that I find in my eepsite request logs that indicate vuln-scanning imho
RN that's what I did with the filter mechanism as it is
RN since the beginning of last month, I have accumulated 40 dests. of course those change but I haven't decided on how long to keep them yet.
RN also, the way I'm set up is a periodic check of the log, not reactive to requests when they come in
RN not ideal, but functional. especially if I tune the retention time and frequency of checking
dr|z3d yeah, ideally we'd intercept the request and ban the dest before it even has chance to solicit a response.
RN blackhole it, not 404
RN imho
dr|z3d it's not a casual thing, either, eyedeekay, these scanners are running 3 at a time.
dr|z3d no, you don't want to 404 it. you want to instantly ban the dest.
RN grep -E 'wp-|.htaccess|.svn|account|adm|admin.php|config.php|controlpanel|cpanel|FCKeditor
RN also recently seen /products
RN the wp-* is looking for wordpress stuff... hence I named it wordpress_scanners but that's just a name, there are several vulnerabilities they look for
dr|z3d it's also looking for mysql backups and various other things last time I took note.
RN yup
RN I don't recall, it has been a while since I looked at it; do they go in order? like the wp- ones first?
dr|z3d probably, though it's been a while since I've given the scans my full attention. it appears to be a vuln scanner that has a list of pre-defined urls to check.
RN yeah. That's why I worked with a former dev to fix the filtering mechanism we have.
eyedeekay Would be really great if we could id which one/s
RN at one point, I considered serving up each of those requests a screenshot of the corresponding software's login page
RN moment of false success til they try to click in the text box
RN hehe
RN went down a youtube rabbit hole the other day watching donair hack the scammers
dr|z3d eyedeekay: which ones? urls you mean or?
eyedeekay Urls yes
eyedeekay Pull from whatever skid tools default list to start with
dr|z3d If we run with this, I'm sure we can put together a reasonable default list.
eyedeekay Suppose it would have to be more complicated than that though
eyedeekay Identifying the tool would be a plus though
RN "GET /wp-uploads/ HTTP/1.1" 404 0
dr|z3d yeah, sure, we can investigate. though for a starting list, webserver logs will over time spill all the urls.
dr|z3d "GET /products/cat HTTP/1.1"
dr|z3d "GET /products HTTP/1.1"
dr|z3d "GET /wp-users/ HTTP/1.1"
RN GET /products/cat HTTP/1.1" 404 0
RN yeah, etc
RN grep -E 'wp-|.htaccess|account|admin.php|config.php|controlpanel|cpanel|FCKeditor'
RN previous version had some false positives
RN sorry for any glitches that may have caused anyone
Opicaak geti2p.net's FAQ page lists identiguy.i2p.xyz as a website to check if an eepsite is up/down. This url doesn't exist (anymore?). Might be a good idea to get rid of it, or replace it with something else.
dr|z3d identiguy is a poor recommendation, even if it did work. It still fails to display ECIES only websites.
dr|z3d Elsewise, for inproxy access, xyz is defunct. i2phides.me should replace .xyz hostnames.
obscuratus identiguy.i2p is working fine for me. Is the xyz extension an entry portal from clearnet to i2p?
dr|z3d defunct inproxy. you should not that as stated above, there are no ECIES only hosts listed on identiguy.
dr|z3d *note
dr|z3d eg. skank.i2p
obscuratus So then, just say notbob.i2p is a better choice instead of falsely implying identiguy is dead.
dr|z3d I wasn't implying it was dead, I was stating that .xyz is dead.
dr|z3d If that was less than crystal clear in my response, my bad.
dr|z3d And aside from the failure to list ECIES only hostnames, the query and submit features are also broken.