Once an IRC connection has been established, Tircproxy monitors the traffic sent between the client and the server, in order to implement support for DCC (and some other things).
As described in the previous chapter, DCC relies on direct connections between clients, which would mean that, for DCC to work, the whole of the Internet would need unhindered access to the firewalled machines. This is obviously unacceptable in many situations, and impossible in others.
Therefore, Tircproxy monitors the IRC connection, and when it sees a DCC request it takes measures to either block the request or facilitate it, depending on the configuration.
Tircproxy, as of version 0.4.0, recognizes and supports the following DCC requests:
If given an unknown DCC request, Tircproxy attempts to handle it in the same way as it handles DCC CHAT.
Tircproxy's DCC proxying algorithm chooses its listening ports at random (even on OSes which don't randomize ports by default), providing a modicum of protection against DCC session hijacking and related attacks, since an attacker cannot predict which port a proxied session will use.
In addition, the proxy will block bogus DCC requests which try to trick a user into connecting to a potentially dangerous port, such as the character generator (chargen, TCP port 19), and will refuse DCC requests unless the original client is one of the endpoints. This discrimination significantly decreases the chance of Tircproxy being abused to flood the user or to attack services running on the internal network.
When a user is offered a file via DCC, or offers another user a file, Tircproxy can check the file's name against a list. If the filename is on the local blacklist, Tircproxy will block the transmission. Alternatively, the filename can be rewritten and the transmission allowed, forcing the recipient to manually rename the file before it can be used.
This feature was added to slow the spread of the most common trojan horses, the most famous of which is called script.ini. In the case of script.ini, the filename is critical since it has a special meaning to the popular Windows IRC client, mIRC, which loads a file of that name as a script.
Filenames currently on the default blacklist:
script.ini
dmsetup.exe
dmsetup2.exe
winhelper.exe
mschv32.exe
mirc.ini (renamed to 'mirc.in-')
The blacklist can be enlarged on-the-fly by the administrator, using the TCP wrapper support.
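The following is an added example, not Tircproxy's own code, that demonstrates the two DCC policies described above (endpoint and dangerous-port checks on DCC requests, and filename blacklisting or renaming for DCC SEND) on a few constructed IRC lines. The client address, proxy address, sample lines, and the echo/discard entries in the dangerous-port set are assumptions for the example; only chargen (19) and the filenames are taken from the text.

```python
"""Filter DCC CTCP requests the way the text describes Tircproxy doing it.

Added example, not Tircproxy code. A DCC request travels inside a PRIVMSG as
a CTCP message delimited by \\x01, e.g.
    \\x01DCC SEND <file> <ip-as-decimal> <port> <size>\\x01
    \\x01DCC CHAT chat  <ip-as-decimal> <port>\\x01
"""
import ipaddress
import random
import re

# Ports a bogus DCC request might point the victim at. chargen (19) is the one
# the text names; echo (7) and discard (9) are assumed additions for the example.
DANGEROUS_PORTS = {7, 9, 19}

# Default blacklist from the text: BLOCK entries are refused outright,
# RENAME entries are forwarded under a harmless name.
BLOCK = {"script.ini", "dmsetup.exe", "dmsetup2.exe", "winhelper.exe", "mschv32.exe"}
RENAME = {"mirc.ini": "mirc.in-"}

_CTCP = re.compile(r"\x01DCC (\S+) (\S+) (\d+) (\d+)(?: (\d+))?\x01")


def parse_dcc(line):
    """Return (kind, arg, ip, port, size) for a line carrying a DCC CTCP, else None."""
    m = _CTCP.search(line)
    if m is None:
        return None
    kind, arg, ip, port, size = m.groups()
    # DCC encodes the IPv4 address as a 32-bit decimal integer.
    return kind.upper(), arg, ipaddress.IPv4Address(int(ip)), int(port), (int(size) if size else None)


def filter_dcc(line, client_ip, proxy_ip, listen_port=None):
    """Apply the policy to one client->server line.

    Returns (verdict, line_to_forward) with verdict one of 'none', 'block',
    'pass', 'rename'.  A forwarded request is rewritten so the peer connects to
    the proxy on a randomly chosen listener (listen_port, if given, fixes it
    for reproducibility) instead of directly to the firewalled client.
    Unknown DCC types get the same treatment as DCC CHAT: no filename checks.
    """
    parsed = parse_dcc(line)
    if parsed is None:
        return "none", line
    kind, arg, ip, port, size = parsed
    if ip != ipaddress.IPv4Address(client_ip):
        return "block", None            # the proxied client must be an endpoint
    if port in DANGEROUS_PORTS:
        return "block", None            # e.g. chargen: would flood the connector
    verdict = "pass"
    if kind == "SEND":
        name = arg.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in BLOCK:
            return "block", None
        if name in RENAME:
            arg, verdict = RENAME[name], "rename"
    if listen_port is None:
        listen_port = random.randrange(49152, 65536)   # randomized listener port
    tail = f" {size}" if size is not None else ""
    ctcp = f"\x01DCC {kind} {arg} {int(ipaddress.IPv4Address(proxy_ip))} {listen_port}{tail}\x01"
    # A lambda avoids backslash processing in the replacement string.
    return verdict, _CTCP.sub(lambda _m: ctcp, line, count=1)


# Constructed sample traffic (assumed addresses: client 10.0.0.5, proxy 192.0.2.10).
CLIENT = "10.0.0.5"
PROXY = "192.0.2.10"
_CLIENT_INT = int(ipaddress.IPv4Address(CLIENT))     # 167772165
SAMPLES = [
    f"PRIVMSG bob :\x01DCC SEND script.ini {_CLIENT_INT} 2000 1234\x01",   # blacklisted
    f"PRIVMSG bob :\x01DCC SEND mirc.ini {_CLIENT_INT} 2000 1234\x01",     # renamed
    f"PRIVMSG bob :\x01DCC CHAT chat {_CLIENT_INT} 19\x01",                # chargen
    "PRIVMSG bob :\x01DCC CHAT chat 3232235777 4000\x01",                 # 192.168.1.1 != client
    f"PRIVMSG bob :\x01DCC SEND notes.txt {_CLIENT_INT} 2000 10\x01",      # allowed
    "PRIVMSG bob :hello",                                                 # no DCC at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, out = filter_dcc(sample, CLIENT, PROXY)
        print(f"{verdict:6} {out!r}")
```

Run it stand-alone to see each sample's verdict; the two forwarded lines come out with the proxy's address and a fresh high port in place of the client's own, which is the rewrite that lets the peer reach a firewalled client without the client's address ever appearing on the wire.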
Please note that this defense will not block the transmission of trojan horses such as Back Orifice, Netbus or anything which is commonly distributed under unknown filenames.
(A more general defence would be to hand transferred files to a full-fledged virus scanner, but due to a lack of time, and a complete lack of requests for such a feature, nothing like this is planned.)