Difference between revisions of "Proxy"

From MIXXnet Wiki

m (External Links: Fixed NJABL name)
m (Minor formatting edit)
 
(10 intermediate revisions by 8 users not shown)
Line 1: Line 1:
A '''proxy''' is an internet connection that is tunneled through another internet connection. [[MIXXnet]] has certain policies setup for proxy users.
+
MIXXnet allows connections to the network using a proxy. While we do not globally deny access to proxied connections under normal circumstances, we do have mechanisms in place which provide channel operators fine control over what is and what is not allowed in their channels. This article will outline MIXXnet's network-wide proxy policies and how we handle connections made through proxies.
  
==Policies==
+
==General Information==
MIXXnet allows its users to connect to the network using a proxy. There are policies that govern the use of proxies on MIXXnet. If a user's host is found to be listed as a proxy, the user will receive a private message from 'bopmNinjutsu'. The message will say something along the lines of:
+
All connections made to the network are checked against various Domain Name Service Blacklists (DNSBLs) which can identify potential sources of abuse. Port scans may also be performed to check for active open proxies running on your IP address. If the IP address you are connecting from is detected as being a proxy, you will receive a private message from "ProxyGuard" notifying you of this and your hostname will be altered with one of the following appended to the end:
  
[10:22:16] <bopmNinjutsu> Your hostname has been changed to: static-64-115-210-23.isp.broadviewnet.net.dnsbl.proxy because your IP has been blacklisted. For assistance, please see an op in #help. For more information on proxies, see <nowiki>http://mixxnet.net/wiki/?title=Proxy</nowiki>
+
*'''.dnsbl.proxy''' - IP address is on a blacklist that we check against
 +
*'''.tor.proxy''' - Tor Project exit node that allows connections to IRC ports
  
After which the user's hostname is altered to reflect the hostname which is displayed in the private message.
+
If your IP address is on a blacklist, you will be given removal instructions via private message. Please follow these instructions to get your IP removed from the blacklist and reconnect to MIXXnet when the removal process is complete. If the removal process is successful, you should no longer be detected as a proxy and your normal hostname should be shown on the network.
  
Public proxy monitor statistics are available to the public in #bopm. If you need any assistance regarding proxies, you can ask a staff member in #help.
+
Channel operators have the option of banning some or all users that are detected as using a proxy. If you are detected and notified, please be aware that you may not be able to join certain channels on the network until you are removed from the blacklist. This is entirely a channel's decision and we as a network will not override this channel policy.
  
==Types of Proxies==
+
MIXXnet reserves the right to impose temporary global limits or restrictions on proxied connections if a situation warrants.
MIXXnet checks users against three types of proxies.
+
  
===TOR Proxies===
+
If you have any questions about or need help regarding connections through proxies, please ask in #help.
TOR (The Onion Ring project) provides users with free and anonymous proxies that allow users to hide their real host. Connections are routed through multiple TOR hosts which makes it impossible to trace a connection. Users who connect via TOR will have their hostmask chaned to '''originalhostname.tor.proxy'''. For more information on TOR, see the External Links section.
+
  
===DNSBLs===
+
==Channel Implementation==
DNSBLs or '''Domain Name Service Black Lists''' are 3rd party blacklists that MIXXnet queries for every user that connects. If a user's hostmask is listed in the blacklist, then their hostname will be changed to '''originalhostname.dnsbl.proxy'''. If you are wrongfully listed in the DNSBL, there isn't really much we can do as we do not operate the lists.
+
MIXXnet provides the ability for channels to restrict access to users using proxies which can help with potential abuse issues like bot floods or ban evasion. This is not enabled by default in any channels, however it can be set and removed at will by channel operators. Blocking proxied connections is handled through channel mode "b" (ban). The following is a list of hostmasks you can ban to block proxies from your channel:
  
====Blacklists====
+
* '''*!*@*.dnsbl.proxy''' - Block users whose IP is blacklisted as an abusive IP (does not include Tor)
MIXXnet uses the following DNSBLs:
+
* '''*!*@*.tor.proxy''' - Block users who are connecting through the Tor Project
 +
* '''*!*@*.proxy''' - Block all detected proxies
  
*opm.blitzed.org
+
If your channel blocks some or all of the above proxies and a user attempts to join, they will be notified that they are banned. We understand that this might not be the most desired behavior, however we have come up with a couple methods to help the user know why they are banned and how to fix it.
*dnsbl.njabl.org
+
*cbl.abuseat.org
+
*tor.dnsbl.sectoor.de
+
*dnsbl.ahbl.org
+
  
====Whitelists====
+
1) Anytime a user is detected as being a proxy, they will receive a private message notifying them of this which provides a link to this article with the explanation above as well as instructions for removal if possible. This should hopefully clarify why they are banned from your channel, and once they are removed from the blacklist they will be allowed to join immediately upon reconnecting to IRC.
MIXXnet does take into account that some hosts are dynamic IPs. The problem with dynamic IPs is that a user's IP always changes. If a user runs an open proxy, then their IP is listed. The problem is that they will get a new IP soon if their IP is dynamic. A user who doesn't run a proxy might get that user's old blacklisted IP. Due to this, MIXXnet also checks users' IP against a whitelist. The whitelist contains dynamic IP addresses. When the proxy scanner scans an IP, it checks to make sure that the user is not listed in the whitelist. If they are listed as a dynamic IP (they are whitelisted), then any blacklist records are void (Your host is not altered). If you do have a dynamic IP and you're not whitelisted, you can go to the njabl website and have it added. MIXXnet uses '''dynablock.njabl.org''' to check for dynamic IPs.
+
  
===Open Proxies===
+
2) Channel operators also have the option of setting a channel to redirect users to if they are banned and attempt to join. In this case, you should direct users who are banned due to using a proxy to #proxyhelp to receive further help on this issue. For example, to block all proxies and redirect proxied users to #proxyhelp:
Our proxy monitor also port scans the user's host for any open proxies. If a connection back to MIXXnet can be established through the user's connection, then the host is marked as an open proxy. There is no way you can mistakenly be marked as using an open proxy. Users who are found to be running an open proxy will have their hostname changed to '''originalhostname.open.proxy'''.
+
  
==How to Implement==
+
/mode #channel +b *!*@*.proxy#proxyhelp
If a user is abusing a channel, a channel operator can ban that user. That's fine, however the user can just reconnect to MIXXnet with a proxy and rejoin since their hostname would be different from the ban that was set on the channel. This creates a problem for the channel's staff. To combat this problem, a channel owner can ban *!*@*.tor.proxy. This effectively bans most TOR proxies in existence. A channel operator also has the ability to ban all proxies no matter what the type. The hostmask he would ban is *!*@*.proxy.
+
  
==External Links==
+
While false positives in our testing have been very low so far, we do recommend carefully thinking about your channel's normal proxy policy as banning based on detections through this system will be placing trust in third party blacklists to be accurate and responsible.  
*[http://njabl.org/ Not Just Another Bogus List]
+
*[http://wiki.blitzed.org/BOPM Blitzed Open Proxy Monitor Software]
+
*[http://en.wikipedia.org/w/Tor_(anonymous_network) TOR Wikipedia Page]
+
  
[[Category:Services]]
+
For any help regarding restricting proxies in your channel, please ask in #help.
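Review bot: The new General Information text still says port scans may be performed to check for active open proxies, but the list of appended suffixes now contains only .dnsbl.proxy and .tor.proxy, while the removed Open Proxies section documented originalhostname.open.proxy. State which suffix a port-scan detection receives, otherwise a channel operator cannot tell whether *!*@*.dnsbl.proxy covers it or only *!*@*.proxy does. The revision also drops the named DNSBL list and the dynamic-IP whitelist explanation while the closing paragraph asks operators to place trust in third party blacklists; naming the lists that are queried would let them judge that trust.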

Latest revision as of 19:25, 3 October 2009

MIXXnet allows connections to the network using a proxy. While we do not globally deny access to proxied connections under normal circumstances, we do have mechanisms in place which provide channel operators fine control over what is and what is not allowed in their channels. This article will outline MIXXnet's network-wide proxy policies and how we handle connections made through proxies.

General Information

All connections made to the network are checked against various Domain Name Service Blacklists (DNSBLs) which can identify potential sources of abuse. Port scans may also be performed to check for active open proxies running on your IP address. If the IP address you are connecting from is detected as being a proxy, you will receive a private message from "ProxyGuard" notifying you of this and your hostname will be altered with one of the following appended to the end:

  • .dnsbl.proxy - IP address is on a blacklist that we check against
  • .tor.proxy - Tor Project exit node that allows connections to IRC ports

If your IP address is on a blacklist, you will be given removal instructions via private message. Please follow these instructions to get your IP removed from the blacklist and reconnect to MIXXnet when the removal process is complete. If the removal process is successful, you should no longer be detected as a proxy and your normal hostname should be shown on the network.

Channel operators have the option of banning some or all users that are detected as using a proxy. If you are detected and notified, please be aware that you may not be able to join certain channels on the network until you are removed from the blacklist. This is entirely a channel's decision and we as a network will not override this channel policy.

MIXXnet reserves the right to impose temporary global limits or restrictions on proxied connections if a situation warrants.

If you have any questions about or need help regarding connections through proxies, please ask in #help.

Channel Implementation

MIXXnet lets channels restrict access for users connecting through proxies, which can help with abuse issues such as bot floods or ban evasion. This is not enabled by default in any channel, but channel operators can set and remove it at will. Blocking proxied connections is handled through channel mode "b" (ban). The following is a list of hostmasks you can ban to block proxies from your channel:

  • *!*@*.dnsbl.proxy - Block users whose IP is blacklisted as an abusive IP (does not include Tor)
  • *!*@*.tor.proxy - Block users who are connecting through the Tor Project
  • *!*@*.proxy - Block all detected proxies

If your channel blocks some or all of the above proxies and a user attempts to join, they will be notified that they are banned. We understand that this might not be the most desirable behavior, so we have come up with a couple of methods to help the user know why they are banned and how to fix it.

1) Anytime a user is detected as being a proxy, they will receive a private message notifying them of this which provides a link to this article with the explanation above as well as instructions for removal if possible. This should hopefully clarify why they are banned from your channel, and once they are removed from the blacklist they will be allowed to join immediately upon reconnecting to IRC.

2) Channel operators also have the option of setting a channel that users are redirected to if they are banned and attempt to join. In this case, you should direct users who are banned due to using a proxy to #proxyhelp to receive further help on this issue. For example, to block all proxies and redirect proxied users to #proxyhelp:

/mode #channel +b *!*@*.proxy#proxyhelp
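To see which of the three ban masks catches which kind of connection, the following added example (not MIXXnet's or its IRC server's code) models the suffix rewrite and the ban check, including the redirect form shown above. The function names, the sample hostnames and the rule that the redirect channel starts at the first "#" after the "@" are assumptions made for illustration.

```python
import re

# Suffixes this article says are appended to a detected connection's hostname.
SUFFIX = {"dnsbl": ".dnsbl.proxy", "tor": ".tor.proxy"}

def altered_host(host, detection=None):
    """Hostname shown on the network after the proxy check (None = not detected)."""
    return host + SUFFIX[detection] if detection else host

def split_ban(entry):
    """Split 'mask#channel' into (mask, redirect); redirect is None if absent.
    Assumption: the redirect target begins at the first '#' after the '@'."""
    at = entry.find("@")
    hash_pos = entry.find("#", at + 1)
    if at == -1 or hash_pos == -1:
        return entry, None
    return entry[:hash_pos], entry[hash_pos:]

def mask_to_regex(mask):
    """IRC ban masks know only '*' and '?'; every other character is literal.
    fnmatch is avoided because it would read '[' in a nick as a character class.
    re.IGNORECASE only approximates IRC case mapping."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask]
    return re.compile("".join(parts), re.IGNORECASE)

def check_join(nick, user, host, bans):
    """Return ('allow', None) or ('banned', redirect_channel_or_None)."""
    prefix = f"{nick}!{user}@{host}"
    for entry in bans:
        mask, redirect = split_ban(entry)
        if mask_to_regex(mask).fullmatch(prefix):
            return "banned", redirect
    return "allow", None

# Constructed sample hosts (example domains, documentation address range).
CLEAN = altered_host("dsl-203-0-113-7.example.net")
LISTED = altered_host("dsl-203-0-113-7.example.net", "dnsbl")
TOR = altered_host("exit1.example.org", "tor")

if __name__ == "__main__":
    for bans in (["*!*@*.dnsbl.proxy"], ["*!*@*.tor.proxy"], ["*!*@*.proxy#proxyhelp"]):
        for host in (CLEAN, LISTED, TOR):
            print(bans[0], host, check_join("nick[1]", "ident", host, bans))
```
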

While false positives in our testing have been very low so far, we recommend thinking carefully about your channel's normal proxy policy, because banning based on detections from this system places trust in third-party blacklists to be accurate and responsible.

For any help regarding restricting proxies in your channel, please ask in #help.