Wednesday, August 31, 2005

we'll see about tomorrow

meeting the client for our annual project tomorrow to show them what we've done so far. been working on my bits so am pretty much bogged down by that for now.

i'd actually emailed the Opers of Galaxynet to ask them if they have any provisions for preventing botnets. that was yesterday night. then they replied to me (well one of them actually) and i had a short conversation with him. he was asking me for suggestions (so technically my question wasn't really answered) to which i replied with a particular suggestion. it may not be any more difficult for botnet owners to circumvent this method but at least it'll be an additional step they will have to take. any deterrence is good deterrence.

what i'd suggested was for every client (human) that connects, to be sent a captcha. a captcha is really some form of an image. some of you may have come across it while registering at a website. it's meant to verify that you are human (even though someone can try using a program that recognises characters through OCR) before allowing you to proceed.

on irc it's a bit different. everything is in text. so why not let the ASCII art do its job. i suggested that each client upon first connection be sent one such ascii art captcha. they'll be allowed through the "doorway" proxy when they reply with a correct phrase. of course it'll not be 100% foolproof. the network will have to commit that little bit more resources to keep track of user ident/ip address pairs when they first connect.

given the current trend that broadband is available (in singapore at least) quite easily, most people would have less static dynamic ip addresses. this means their ip addresses can change. but only if they turn their computers off and back on after some time. if an irc user stays online all the time, even if the person gets disconnected, the ip address will more likely than not remain the same. the network can keep track of this address to have been "verified" by the human user and not require captcha verification again. it can be therefore assumed that the human users need only do this verification once. and not-so-occasionally when they reboot their (cable/dsl) modems. not that much of a hassle, is it?
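A sketch of the "doorway" check described above, as an added example that is not part of the original post and not anything Galaxynet runs. The `Doorway` class, the five-letter glyph set, the 24-hour expiry on verified pairs and the sample addresses are all assumptions made for illustration.

```python
import hmac, secrets, time

# Constructed 5-row glyphs for a tiny challenge alphabet (assumption: any ASCII-art font works).
GLYPHS = {
    "A": [" # ", "# #", "###", "# #", "# #"],
    "C": [" ##", "#  ", "#  ", "#  ", " ##"],
    "E": ["###", "#  ", "## ", "#  ", "###"],
    "H": ["# #", "# #", "###", "# #", "# #"],
    "T": ["###", " # ", " # ", " # ", " # "],
}

def render(phrase):
    """Draw the phrase as ASCII art, one text line per glyph row."""
    return "\n".join("  ".join(GLYPHS[c][row] for c in phrase) for row in range(5))

class Doorway:
    """Gate in front of the IRC server: challenge once, then remember the ident/ip pair."""
    def __init__(self, verified_ttl=86400, rng=secrets.SystemRandom()):
        self.verified = {}   # (ident, ip) -> expiry time (the expiry is an assumption)
        self.pending = {}    # (ident, ip) -> phrase the client must type back
        self.ttl, self.rng = verified_ttl, rng

    def connect(self, ident, ip, now=None):
        """Return None if the pair is already verified, else a fresh ASCII-art challenge."""
        now = time.time() if now is None else now
        key = (ident, ip)
        if self.verified.get(key, 0) > now:
            return None
        phrase = "".join(self.rng.choice(sorted(GLYPHS)) for _ in range(5))
        self.pending[key] = phrase
        return render(phrase)

    def answer(self, ident, ip, reply, now=None):
        """Check the reply; a challenge is single-use whether or not it was solved."""
        now = time.time() if now is None else now
        key = (ident, ip)
        expected = self.pending.pop(key, None)
        if expected is None:
            return False
        ok = hmac.compare_digest(expected.encode(), reply.strip().upper().encode())
        if ok:
            self.verified[key] = now + self.ttl
        return ok
```

A failed reply discards the challenge, so a client that guesses wrong has to reconnect for a new phrase, and a reconnect from a changed ip address is challenged again.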

what about dial-up users? what about them? they've got dynamic ip addresses each time they come in. ah, but they come online only when the user dials up and therefore is using the computer. i can't see how an internet user who had decided on using dial-up over other services of higher bandwidth would stay online indefinitely. the phone bill, for one, will be sky-high.

for the malicious users, they will have less access to those zombie computers. firstly, the botnet they have control over, will have to wait for input from their owner before they can connect to this irc network. and connections from zombie computers won't get through because they wouldn't know how to verify the captcha prompt. at least until someone decides to install some ASCII art OCR on these zombies that is...

well at least the above was just a thought. i expressed it to cybernaut. not sure if he took me seriously. but at least he bothered replying. that's one step. taking my suggestion into consideration for implementing is another. let's make things better!~ i'm starting to think that my time hanging around in irc machiam a bit like community service HAHAHA... =x

*no more le~*
