CTM stands for "connect to me", and it's part of the NMDC protocol. In the old hubsoft there was an option that allowed the hub owner to turn off the check that the sender of the CTM request had the same IP as the one named in the request. Now we all know about the patch that was included in sDC++, the infamous "Someone is trying to use your client to spam x.x.x.x..." message. It didn't have that much effect, users mostly found it annoying, but it was a really good effort by Big_Muscle, since it was one of the first measures in defining this problem on Direct Connect.
CTM checking in NMDC hub software can be turned off for some reason, and that is how an attacker can exploit the hub. I'm going to try to explain how it's done in plain language so everyone can understand.
If that option is turned off, an attacker comes in and requests that everyone in the hub connects to him at another IP (the place he wants attacked). Now every client is trying to connect to that place, so if the hub contains 1000 users, these 1000 users are now trying to connect to that site at whatever rate the attacker wants, since he/she is controlling the rate of the attack with his CTM requests.
With the upcoming protocol change for NMDC, the clients will refer to the hub the CTM was sent from, meaning that attacked parties have some means of tracing where the attack came from.
Here are the options that must be checked in order to be listed on hublists these days.
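As an added example (this is not code from the article, from Verlihub or from any other hubsoft), here is the sender-IP check that the hub options in this article turn on, written in Python as a small hub-side filter. It parses the two NMDC commands that carry a client-supplied return address, `$ConnectToMe <nick> <ip>:<port>` and the active form of `$Search <ip>:<port> <string>`, and compares the address in the command with the IP the command actually arrived from. The "ignore" and "kick" policies model the two behaviours the article describes; the sample traffic, nicks and addresses are constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# NMDC command shapes (assumed from the protocol as commonly documented):
#   $ConnectToMe <nick> <ip>:<port>
#   $Search <ip>:<port> <searchstring>      (active search, carries an IP)
#   $Search Hub:<nick> <searchstring>       (passive search, no IP to check)
CTM_RE = re.compile(r"^\$ConnectToMe (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
SEARCH_RE = re.compile(r"^\$Search (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) (.*)$")


@dataclass
class Verdict:
    ok: bool
    reason: str
    action: str  # "forward" to other users, "drop" silently, or "kick" the sender


def check_sender_ip(command: str, sender_ip: str, policy: str = "kick") -> Verdict:
    """Decide whether a command may be relayed.

    sender_ip is the address of the socket the command arrived on; the hub
    knows it, so it is the only trustworthy source of the user's IP.
    policy "kick" disconnects users who lie about their IP, "ignore" just
    drops the command (the two behaviours the article's settings choose between).
    """
    command = command.rstrip("|")  # NMDC terminates commands with '|'
    bad_action = "kick" if policy == "kick" else "drop"

    m = CTM_RE.match(command)
    if m:
        kind, claimed_ip, port = "ConnectToMe", m.group(2), int(m.group(3))
    else:
        m = SEARCH_RE.match(command)
        if not m:
            # Passive searches, $MyINFO, chat etc. carry no return address.
            return Verdict(True, "not an address-bearing command", "forward")
        kind, claimed_ip, port = "Search", m.group(1), int(m.group(2))

    try:
        claimed = ipaddress.ip_address(claimed_ip)
    except ValueError:
        return Verdict(False, f"{kind}: malformed ip {claimed_ip!r}", bad_action)
    if not 1 <= port <= 65535:
        return Verdict(False, f"{kind}: port {port} out of range", bad_action)
    if claimed != ipaddress.ip_address(sender_ip):
        # This is the case the attack relies on: the user asks everyone to
        # connect to an address that is not his own.
        return Verdict(False, f"{kind}: claimed {claimed_ip} but sender is {sender_ip}", bad_action)
    return Verdict(True, f"{kind}: ip matches sender", "forward")


# Constructed sample traffic, all sent from one socket at 203.0.113.5.
SAMPLE_TRAFFIC = [
    ("203.0.113.5", "$ConnectToMe Alice 203.0.113.5:412|"),        # honest CTM
    ("203.0.113.5", "$ConnectToMe Alice 198.51.100.9:80|"),        # points at a third party
    ("203.0.113.5", "$Search 203.0.113.5:412 F?T?0?1?linux|"),     # honest active search
    ("203.0.113.5", "$Search Hub:Alice F?T?0?1?linux|"),           # passive, nothing to check
    ("203.0.113.5", "$ConnectToMe Alice 203.0.113.5:0|"),          # own IP but bogus port
    ("203.0.113.5", "$MyINFO $ALL Alice <++ V:0.699>$ $LAN(T3)$$0$|"),  # unrelated command
]


def audit(traffic=SAMPLE_TRAFFIC, policy: str = "kick") -> dict:
    """Run the check over a list of (sender_ip, command) pairs and count actions."""
    counts = {"forward": 0, "drop": 0, "kick": 0}
    for sender_ip, command in traffic:
        verdict = check_sender_ip(command, sender_ip, policy)
        counts[verdict.action] += 1
    return counts


if __name__ == "__main__":
    for sender_ip, command in SAMPLE_TRAFFIC:
        v = check_sender_ip(command, sender_ip)
        print(f"{v.action:8} {v.reason}")
    print(audit())
```

The important design point is that the hub never trusts the IP inside the command; it only trusts the socket. With policy "kick" the sample yields four forwarded commands and two kicks; with policy "ignore" the same two commands are dropped instead, which is the weaker setting that still stops the flood but lets the sender keep trying.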
Verlihub 0.9.8C and older
- To make the hub ignore wrong CTMs: !set check_ctm 1
- To make the hub check CTMs and kick the user: !set check_ctm 3
- To make the hub check active searches: !set check_asearch 1
- To check whether the hub is set up correctly: !getconfig

- To make the hub check CTMs and kick the user: !set check_ctm 1
- To make the hub check active searches: !set check_asearch 1
- To check whether the hub is set up correctly: !getconfig

- Go to Security, General Security and enable this option: Check sender ip on ConnectToMe and Search
- Go to Settings, Advanced, Advanced security and make sure that the option Check if user send correct ip in protocol command (DDoS protection) is enabled.
- Go to Settings, then the Options tab, and make sure that the option 'Check user IP in commands' is enabled.
Now, what can we do for the future? I'm going to give some suggestions at the end of this article. In the meantime we still have a problem with malicious scripts that have been made for Verlihub that allow hubs to send fake CTMs to users in order to facilitate DDoS attacks.
The loophole that allows the hub to send fake CTMs could be patched so that Lua or Python plugins don't have access to call CTM functions. The protocol change will also help pinpoint the hubs so they can be shut down through abuse complaints.
I'm not sure if HeXHub and PtokaX allow sending of fake CTMs as well, but if they do then NMDC has huge problems ahead and the developers should take care of it (this part needs verification).
I know that this bug has been discussed a lot, but in the background, and there has been a whitepaper written about it that is a bit crude about how it's done. In any case it's just a matter of time before a security advisory number is assigned to this bug, since there are plenty of exploit tools out there right now for users to download and abuse.
These are corrupted hubs, in which case some other things need to be done:
- Implement Poy's patch in clients
- Implement some protection in the client, as suggested here
- Make hubs more secure; one option is signing
- Hublists should implement the anti-CTM system