Flood Bot Filtering Discussion

Started by Archangel, April 08, 2004, 07:13 PM


Tuberload

Quote from: o.OV on April 16, 2004, 05:38 AM
Quote from: Soul Taker on April 16, 2004, 04:39 AM
Is it so impossible to assume that, when a name matching common flood bot names (i.e.: something like ?#?#?#?#?#?#?#@USEast), even though it changes every time it joins, just seeing names like that in and out over a short period of time could be considered one flood bot to attempt something like this and ban it.

You missed it..
His proposed solution was to have precise timing so that it bans on join.. or even before.
That isn't possible versus a random name generating bot.

I think you missed it... He was asking a separate question altogether.

Soul Taker: Yes that could be a good means of protection. I believe you could just have the bot recognize when it is under attack, and then have it just automatically start banning non-members that match certain profiles.

I have not tested this method, but it is one that I planned on working on as soon as I get my bot to that point. Maybe someone with a little more knowledge on the situation can give some better details.
"Pray not for lighter burdens, but for stronger backs." -- Teddy Roosevelt
"Your forefathers have given you freedom, so good luck, see you around, hope you make it" -- Unknown

Dyndrilliac

Quote from: o.OV on April 16, 2004, 05:38 AM
Quote from: Soul Taker on April 16, 2004, 04:39 AM
Is it so impossible to assume that, when a name matching common flood bot names (i.e.: something like ?#?#?#?#?#?#?#@USEast), even though it changes every time it joins, just seeing names like that in and out over a short period of time could be considered one flood bot to attempt something like this and ban it.

You missed it..
His proposed solution was to have precise timing so that it bans on join.. or even before.
That isn't possible versus a random name generating bot.

You should obviously reread my post, or get hooked on phonics ;).

I responded to this. Using wildcards, assumptions, and squelch flags, you can EASILY differentiate between randomly named flood bots. Also, using commonly used public floodbot algorithms as references to situations the bot can make a default decision on would easily fix this. For example, say you set the bot to ban any account in the method I described that is made up of nothing but integers and is the same length every time.

There are several ways of defeating this one feature, as random names can only be so random; Those random name flooders that use the random number names or random letter names can be defeated using the methods I just described rather effectively.

The key is to make the bot learn more about the flooder in question each time it rejoins. Think of this as searching and sieving(researching) in memory locating applications for cheating games - they search for a value, then search for a new value only out of the pool of values found by the previous search. It's quite simple really.
Quote from: Edsger W. Dijkstra
It is practically impossible to teach good programming to students that have had a prior exposure to BASIC; as potential programmers they are mentally mutilated beyond hope of regeneration.

Adron

Quote from: Dyndrilliac on April 16, 2004, 02:20 PM
There are several ways of defeating this one feature, as random names can only be so random; Those random name flooders that use the random number names or random letter names can be defeated using the methods I just described rather effectively.

I don't see how this could possibly work out. How could you ever predict a random name at a random time and ban that?

Dyndrilliac

#33
Quote from: Adron on April 16, 2004, 03:11 PM
Quote from: Dyndrilliac on April 16, 2004, 02:20 PM
There are several ways of defeating this one feature, as random names can only be so random; Those random name flooders that use the random number names or random letter names can be defeated using the methods I just described rather effectively.

I don't see how this could possibly work out. How could you ever predict a random name at a random time and ban that?

It works on assumptions, Adron. Basically, if my bot sees rapid reconnects and rejoins, it squelches that IP, and if the offending flooder is squelched on all cases, or comes back several times, the bot then logs what characters make up the name and how many characters long it is, and if it is the same length and same type of characters each time, etc, etc, etc. - it uses these qualifiers to assume whether it is a flood or not, and then issues the appropriate action.

Basically, if a certain number of certain attributes are true or untrue about a user, then it decides to ban or not ban depending on the situation.

Adron

Quote from: Dyndrilliac on April 16, 2004, 03:43 PM
Basically, if a certain number of certain attributes are true or untrue about a user, then it decides to ban or not ban depending on the situation.

I can agree with that: OK, you know whether you want to ban or not. But now how will you succeed in banning the bot if it's on a new random name each time and disconnecting before you can ban it? I thought your algorithm was about predicting on what name and at what time the bot would appear the next time to time the ban right?

tA-Kane

Battle.net should let ops ban people even after they've signed off. Also, being able to have server-side banlists (perhaps using a usermask instead of a specific user) would also be very helpful.
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com

Dyndrilliac

#36
To Adron:

No, I do not predict the name that the flooder will appear on next; instead, I set it up to fill in a sort of Police Sketch Artist type system. Every time the bot notices a flood type activity, it gathers as much information as it can on a user, and once it has decided an appropriate action to take it bans all users entering the channel fitting that description. However, that is only for flooders it has detected are not on the same name - for those who use repeated accounts, it predicts the exact instant as close as it can approximate and sends 3 rapid ban requests for that user as soon as it thinks the user is reconnecting. It depends on what method it believes the flooder is using before deciding what criteria to look for.

Adron

Quote from: Dyndrilliac on April 16, 2004, 05:29 PM
No, I do not predict the name that the flooder will appear on next; instead, I set it up to fill in a sort of Police Sketch Artist type system. Every time the bot notices a flood type activity, it gathers as much information as it can on a user, and once it has decided an appropriate action to take it bans all users entering the channel fitting that description. However, that is only for flooders it has detected are not on the same name - for those who use repeated accounts, it predicts the exact instant as close as it can approximate and sends 3 rapid ban requests for that user as soon as it thinks the user is reconnecting. It depends on what method it believes the flooder is using before deciding what criteria to look for.

Ah. So there are two parts to your algorithm. One is defeated by using random names and the other is defeated by disconnecting quickly.

Wouldn't it be possible to fool your bot into banning legitimate users by using similar names?

RedPhoenix

#38
Ok, I'll throw in my two cents here. How about just using a database to store the data?

CurrentStat      -Table
    Username      -Field
    TimeJoined      -Field
    LastChatMsgTime      -Field
         

BanList      -Table
    Username      -Field

Since user names are unique, you can check the system time when a player joins. And for each chat, store the system time in the database. Then if CurChatMsgTime - LastChatMsgTime >= TimeLimit, ban them, otherwise store LastChatMsgTime. Then after the user leaves, just delete them from the database.

Dyndrilliac

#39
[Edit] To clarify to everyone - this is exactly what it does [/Edit]

Many floodbots I have seen use set lengths of names for random name creation, even though this could be very easily set to be random as well, the ones that I have seen attacking me most often(FloodBots called "WarBot") use the set name length and it is configurable. So, yes, name length can easily be used.

Also note, that never once did I mention using the users profile or ping to calculate which user to ban. That would be silly considering lots of people use the 0/-1 ping spoof nowadays, that would end up in many misplaced bans.

I never contradicted myself, and in this thread, I was never wrong. I can say that without ego. However, I admitted before your first post here there was a flaw in my method, making your entire argument on reconnects invalidated. The random name thing I have answered, but apparently you did not understand. Allow me to clarify.

I don't calculate the name of a flooder, on flooders the bot has detected to change its name when reconnecting/rejoining. It tells the difference or similarities using squelch flags, and a profile type system. If the user is still squelched but the user name is different, it knows not to waste time recording the name, and move on to more useful criteria. If it is the same name, it records it and begins recording other criteria. Criteria the bot uses to decide a ban includes but is not limited to:

Reconnection Delays/Times
Rejoin Delays/Times
Names(On some cases only, remember)
Name Length
Squelch flags(for telling if a user has random names enabled)
Other Flags(I.E., whether it has the plug icon every time it rejoins, etc)
Number of rejoins before reconnecting

Now, using that system, there are only 2 cases which I would not be able to stop: Random Names /w Random Proxies on Reconnect, or, Random Reconnect Delays. However, I do not use this system alone. I use this in conjunction with other methods as a back up.

In the end there is no real way to ban every floodbot, it's not possible, I know that; But my "SmartBan", does a damn good job, considering it has stopped every flood attack on my channel within the past 5 months. Maybe I was just lucky, maybe the idiots flooding me weren't smart enough to use their bots properly, I don't know, nor do I care - it works for me. Nuff Said.

To Adron:

I don't know if it would be possible to trick the bot into banning people that are supposed to be there, because more than just name information must be correct before it bans.

Note that I do not use this system alone, this is just the default method; if it fails several times (which has only occurred in testing, also this is configurable) then it defaults to a Stealthbot Style EFP type action. However, this only if the bot after several attempts cannot get enough information to ban effectively.

Adron

Can you squelch a user after it's disconnected? Otherwise, why would you squelch flooding users instead of just banning them?

FuzZ

#41
Quote from: Adron on April 17, 2004, 01:38 PM
Can you squelch a user after it's disconnected? Otherwise, why would you squelch flooding users instead of just banning them?

I'm assuming by squelching the user and having an autoban for squelched users it's an effective ipban for the proxy or user flooding.

Edit> Added quote.

Dyndrilliac

#42
Quote from: Adron on April 17, 2004, 01:38 PM
Can you squelch a user after it's disconnected? Otherwise, why would you squelch flooding users instead of just banning them?

No, you cannot - however, the squelch has many purposes. As FuzZ mentioned, it can be used for IP Ban. Also, it works into my SmartBan system to differentiate between flooders and recognize if a flooder is randomly changing names and such. It also is used to protect legitimate channel users from being caught up in the bans by helping the bot sort through flooders and non flooders.

Adron

Are the criteria for who a squelch applies to different from the criteria for who a ban applies to? Did it always use to be that way? I had a feeling they used to work the same..

If squelch and ban have different criteria, I suppose I understand the idea of squelching to trace spammers.

I still don't understand the name pattern matching. If a spammer was picking names like Dyndrilliaa, Dyndrilliab, ..., would the bot ban Dyndrilliac? :)
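
The name-shape profiling discussed in the posts above, together with Tuberload's suggestion to exempt members and Adron's look-alike name question, sketched as an added example; it is not code from any poster's bot. The class and function names, the 10-second window, the burst threshold of 4 and both join logs are constructed assumptions, and the ban action itself is left to the caller.

```python
from collections import deque

def shape(name):
    """Reduce a name to the two traits the thread mentions: length and character type."""
    if name.isdigit():
        kind = "digits"
    elif name.isalpha():
        kind = "letters"
    else:
        kind = "mixed"
    return (len(name), kind)

class JoinProfiler:
    def __init__(self, members, window=10.0, burst=4):
        self.members = {m.lower() for m in members}  # known users, never flagged
        self.window = window   # seconds treated as "a short period" (assumed value)
        self.burst = burst     # same-shape joins in the window that count as a flood
        self.recent = deque()  # (timestamp, shape) of recent non-member joins

    def on_join(self, name, ts):
        """Return True when this join fits the shape of an ongoing burst."""
        if name.lower() in self.members:
            return False
        s = shape(name)
        self.recent.append((ts, s))
        # Drop joins that have aged out of the sliding window.
        while ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        return sum(1 for _, r in self.recent if r == s) >= self.burst

def run(events, members):
    """Replay a join log and return the names that would be flagged."""
    profiler = JoinProfiler(members)
    return [name for name, ts in events if profiler.on_join(name, ts)]

# Constructed join logs: (name, seconds since start).
EVENTS = [("48213907", 0.0), ("17730254", 1.2), ("Visitor", 2.0),
          ("90021846", 2.5), ("55512098", 3.1), ("Dyndrilliac", 3.5),
          ("20394857", 4.0), ("13572468", 60.0)]
LOOKALIKES = [("Dyndrilliaa", 0.0), ("Dyndrilliab", 0.5),
              ("Dyndrilliad", 1.0), ("Dyndrilliac", 1.5)]

if __name__ == "__main__":
    print(run(EVENTS, {"Dyndrilliac"}))      # digit-name burst, member exempt
    print(run(LOOKALIKES, set()))            # no member list: real user flagged
    print(run(LOOKALIKES, {"Dyndrilliac"}))  # member list prevents the false ban
```

The first three joins of a burst always pass unflagged, which is the detection lag the thread argues about, and a name shape alone flags the legitimate user in the look-alike log unless a second signal such as the member list is required.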


o.OV

Quote from: Dyndrilliac on April 17, 2004, 08:54 AM
Maybe if you believe me to be so wrong, you could contribute a system that you approve?
Quote from: o.OV on April 16, 2004, 07:02 PM
In my opinion your best bet is speed efficient coding.
That is why I didn't really approve of the name evaluation idea.

I don't believe there is any client side system anyone can design to defeat a floodbot so what is the point of asking me to come up with one?

How do you analyse the attacker if you have more than one IP that is squelched?
If the facts don't fit the theory, change the facts. - Albert Einstein
