James Evans <[EMAIL PROTECTED]> writes:

> Sounds like a way to still find out people's hosts.. Maybe not
> always doable but it would work in theory. Assuming everyone can
> only get one username, why have that in there?

If you want to try to ban *!*@*.isp1 (through ispN) and kick a user to see if it keeps them out (and then refine the ban further once you find a match) you _could_ use it as an oracle to guess someone's hostname. However, a successful attack requires that (a) their client autorejoins on kick, (b) they do not notice or they ignore what you are doing, and (c) you have an enormous amount of time to run the attack, since it takes 6 seconds to run one check (ban, kick, unban must be separate commands). Testing using IP bans is probably an easier way to test than with hostnames, but it still requires dozens of checks, and makes it obvious what the attacker is trying to do.

Entrope
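
The ban/kick/unban cycle described in this reply leaves a recognisable trace in channel logs. As an added example (not part of the original message), this sketch flags an operator who repeatedly kicks the same nick under different short-lived ban masks; the log layout (a seconds timestamp followed by the raw IRC line), the threshold, and all nicks and masks are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: "<seconds> <raw IRC line>". Nicks, hosts and masks are made up.
SAMPLE_LOG = """\
0 :op1!o@ops.example MODE #chan +b *!*@*.isp1.example
2 :op1!o@ops.example KICK #chan victim :bye
4 :op1!o@ops.example MODE #chan -b *!*@*.isp1.example
6 :op1!o@ops.example MODE #chan +b *!*@*.isp2.example
8 :op1!o@ops.example KICK #chan victim :bye
10 :op1!o@ops.example MODE #chan -b *!*@*.isp2.example
12 :op1!o@ops.example MODE #chan +b *!*@*.isp3.example
14 :op1!o@ops.example KICK #chan victim :bye
16 :op1!o@ops.example MODE #chan -b *!*@*.isp3.example
20 :op2!o@ops.example MODE #chan +b *!*@spam.example
21 :op2!o@ops.example KICK #chan spammer :spam
"""

LINE = re.compile(r"^(\d+) :([^!\s]+)!\S+ (MODE|KICK) (#\S+) (\S+)(?: (\S+))?")

def find_probing(log, min_cycles=3, window=600):
    """Return (op, channel, nick, masks) for nicks kicked under >= min_cycles
    distinct bans that the same operator set and then lifted within `window` s."""
    open_bans = {}               # (op, chan, mask) -> nicks kicked while ban was set
    cycles = defaultdict(list)   # (op, chan, nick) -> [(unban time, mask), ...]
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, op, cmd, chan, a, b = m.groups()
        if cmd == "MODE" and a == "+b" and b:
            open_bans[(op, chan, b)] = []
        elif cmd == "KICK":                      # here `a` is the kicked nick
            for (o, c, _mask), kicked in open_bans.items():
                if (o, c) == (op, chan):
                    kicked.append(a)
        elif cmd == "MODE" and a == "-b" and b:  # ban lifted: one full check
            for nick in open_bans.pop((op, chan, b), []):
                cycles[(op, chan, nick)].append((int(ts), b))
    alerts = []
    for key, seen in cycles.items():
        last = seen[-1][0]
        masks = {mask for t, mask in seen if last - t <= window}
        if len(masks) >= min_cycles:
            alerts.append((*key, sorted(masks)))
    return alerts

if __name__ == "__main__":
    for alert in find_probing(SAMPLE_LOG):
        print("possible hostname probing:", alert)
```

A ban that is set and left in place, like op2's in the sample, never completes a cycle and is not flagged.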