Identify bots using AES128-SHA maintainers running on toolforge
Closed, Resolved (Public)

Description

Checking AES128-SHA usage records, we've detected several bots running within toolforge using "cryptic" User-Agents that don't help much in identifying the maintainers. Discussing the issue with @aborrero, he mentioned that maybe they could be identified given toolforge IPs and timestamps of the requests.

List of unidentified UAs:

  • DotNetWikiBot/3.15 (Unix 3.13.0.139; Mono 3.2.8; .NET CLR 2.0.50727.1433). Activity detected: 10.68.18.205 (tools-exec-1426) - 2018-05-04T10:51:36.872Z: matched to @Dmitry89 in toolforge https://tools.wmflabs.org/admin/tool/dibot
  • DotNetWikiBot/3.15 (Unix 3.13.0.139; Mono 3.2.8; .NET CLR 4.0.30319.17020). Activity detected: 10.68.17.209 (tools-exec-1411) - 2018-05-04T04:15:49.643Z
  • DotNetWikiBot/3.15 (Unix 3.13.0.139; Mono 4.8.0; .NET CLR 4.0.30319.42000). Activity detected: 10.68.23.14 (tools-exec-1416) - 2018-05-04T04:30:05.069Z: matched to @MaxBioHazard in toolforge https://tools.wmflabs.org/admin/tool/mbh
  • DotNetWikiBot/3.15 (Unix 3.13.0.141; Mono 3.2.8; .NET CLR 2.0.50727.1433). Activity detected: 10.68.23.103 (tools-exec-1413) - 2018-05-03T18:22:12.959Z: matched to @Dmitry89 in toolforge https://tools.wmflabs.org/admin/tool/dibot
  • DotNetWikiBot/3.15 (Unix 3.13.0.141; Mono 4.8.0; .NET CLR 4.0.30319.42000). Activity detected: 10.68.16.126 (tools-exec-1441) - 2018-05-03T21:00:29.183Z: matched to @MaxBioHazard in toolforge https://tools.wmflabs.org/admin/tool/mbh
  • DotNetWikiBot/3.15 (Unix 3.13.0.147; Mono 3.2.8; .NET CLR 2.0.50727.1433) --> matched to @Dmitry89 in toolforge https://tools.wmflabs.org/admin/tool/dibot
  • DotNetWikiBot/3.15 (Unix 3.13.0.147; Mono 4.8.0; .NET CLR 4.0.30319.42000) --> matched to @MaxBioHazard in toolforge https://tools.wmflabs.org/admin/tool/mbh

Event Timeline

Vgutierrez triaged this task as Medium priority. May 10 2018, 11:03 AM
Vgutierrez created this task.
ema moved this task from Triage to TLS on the Traffic board. May 14 2018, 9:00 AM
Vgutierrez updated the task description. May 14 2018, 9:48 AM
Vgutierrez added a subscriber: Dmitry89.
Vgutierrez updated the task description. May 14 2018, 10:08 AM
Vgutierrez updated the task description. May 14 2018, 10:38 AM
Vgutierrez added a subscriber: MBH.
Vgutierrez updated the task description. May 14 2018, 11:03 AM
Vgutierrez updated the task description. May 14 2018, 12:50 PM
Vgutierrez updated the task description. May 14 2018, 1:05 PM
MBH added a comment. May 14 2018, 1:08 PM

Do we need to stop using the DotNetWikiBot framework because you will disable the encryption method used in it?

It's more likely that DotNetWikiBot just needs to be built against a newer .NET version, or needs .NET configuration tweaks, to support better encryption (or perhaps already is capable and some bots are behind on releases of it or some of its dependencies). I'm not familiar enough with DotNetWikiBot or .NET in general to know, though.

MBH added a comment. May 14 2018, 2:16 PM

The e-mail of the DNWB author is codedriller@gmail.com. You can write to him and explain what he should do to fix this problem.

@MaxBioHazard I just tested DotNetWikiBot/3.15 on a docker container with mono 4.8.0 and it's able to use recent TLS ciphersuites, so you should be able to keep using it.
I see from the UserAgent of your bot that you're not using the default mono version provided on toolforge. Did you upload your own mono version? In that case, what is the source of the mono 4.8.0 that is being used to run your bot?

Reedy added a subscriber: Reedy. Edited May 14 2018, 3:16 PM

AutoWikiBrowser isn't showing in your requests... And that is .NET based, though mostly on Windows, rather than mono (though, there are some users that do..)

DotNetWikiBot looks fairly unmaintained based on its SVN repo

.NET 4.0 supports up to TLS 1.0 while .NET 4.5 supports up to TLS 1.2

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.securityprotocol(v=vs.110).aspx
https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx

^ Those should be doable in the client code to force it to use TLS at a minimum

I wonder if the fallback in Mono is to not use the most secure version for some reason, and it is taking a less secure one based on what the server is offering

AutoWikiBrowser isn't showing in your requests... And that is .NET based, though mostly on Windows, rather than mono (though, there are some users that do..)

As part of T193376 I didn't identify AutoWikiBrowser as a UA speaking AES128-SHA. Which UA string are you using?

Reedy added a comment. May 14 2018, 3:24 PM

AutoWikiBrowser isn't showing in your requests... And that is .NET based, though mostly on Windows, rather than mono (though, there are some users that do..)

As part of T193376 I didn't identify AutoWikiBrowser as a UA speaking AES128-SHA. Which UA string are you using?

Something like

WikiFunctions ApiEdit/{0} ({1}; .NET CLR {2})

bd808 added a subscriber: bd808. May 14 2018, 4:04 PM
MBH added a comment. May 15 2018, 4:06 PM

so you should be able to keep using it.

Did you mean that we can change nothing in our bots, its compilation settings, and when you disable AES128 our bots will continue working?

I compile my mono version from sources from https://download.mono-project.com/sources/mono/mono-4.8.0.382.tar.bz2

In T194380#4208219, @MaxBioHazard wrote:

so you should be able to keep using it.

Did you mean that we can change nothing in our bots, its compilation settings, and when you disable AES128 our bots will continue working?

I compile my mono version from sources from https://download.mono-project.com/sources/mono/mono-4.8.0.382.tar.bz2

In that case, according to http://www.mono-project.com/docs/about-mono/releases/4.8.0/#tls-12-support, if you enable btls it should be enough:

export MONO_TLS_PROVIDER=btls

MBH added a comment. Edited May 15 2018, 4:23 PM

I should execute this string on Toolforge console? And recompile mono after this?

In T194380#4208278, @MaxBioHazard wrote:

I should execute this string on Toolforge console? And recompile mono after this?

If I'm reading the mono instructions correctly, it would be enough to add that line before launching your bot:

export MONO_TLS_PROVIDER=btls
mono bot.exe

MBH added a comment. May 15 2018, 4:32 PM

My bots are launched from cron. I hope executing this string once will be enough.

Reedy added a comment. May 15 2018, 4:37 PM

It won't be, just single line it

MONO_TLS_PROVIDER=btls mono bot.exe

@MaxBioHazard please let us know when you make the change to check on our side that everything looks good :)

MBH added a comment. May 16 2018, 1:02 PM

usage: jsub [options...] program [args...]
jsub: error: argument program: Program 'MONO_TLS_PROVIDER=btls' not found.

In T194380#4210052, @MaxBioHazard wrote:

usage: jsub [options...] program [args...]
jsub: error: argument program: Program 'MONO_TLS_PROVIDER=btls' not found.

You can set an environment variable using jsub's flag -v, so: jsub -v MONO_TLS_PROVIDER=btls.

MBH added a comment. May 17 2018, 2:44 PM

I did it for all of my bots except one, which is launched permanently. Yet another bot of mine runs not from Toolforge but from a third-party Windows server, without mono (due to this bug: T147109)

@MaxBioHazard so.. this is one of your bots talking proper TLS 1.2:

-   ReqHeader      X-Connection-Properties: H2=0; SSR=0; SSL=TLSv1.2; C=ECDHE-ECDSA-CHACHA20-POLY1305; EC=X25519;
-   ReqHeader      User-Agent: DotNetWikiBot/3.15 (Unix 3.13.0.147; Mono 4.8.0; .NET CLR 4.0.30319.42000)

For the windows bot it should be the same.. as long as you are able to run it with Mono 4.8 or higher.

@MaxBioHazard I'm still seeing (at least) one bot related to you using AES128-SHA, one using the account Рейму Хакурей

Maybe you didn't add MONO_TLS_PROVIDER=btls there?

MBH added a comment. May 23 2018, 10:51 AM

I re-ran this bot with this option.

In T194380#4224611, @MaxBioHazard wrote:

I re-ran this bot with this option.

Thanks! I've already seen it behaving properly :)
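
Added example (not part of the original task thread, and not Wikimedia's own tooling): one way to run the check used above, pairing each request's X-Connection-Properties header with its User-Agent to list clients still negotiating AES128-SHA. The line layout is taken from the two ReqHeader lines quoted in the thread; the blank-line record separation, the second sample record and all function names are assumptions made for this sketch.

```python
import re
from collections import Counter

WEAK_CIPHERS = {"AES128-SHA"}  # the cipher this task is tracking down
# Line layout copied from the two ReqHeader lines quoted in the thread.
HEADER_RE = re.compile(r"^-\s+ReqHeader\s+([^:\s]+):\s*(.*)$")

# Constructed sample: record 1 is quoted in the thread, record 2 is invented; blank-line separation is assumed.
SAMPLE_LOG = """\
-   ReqHeader      X-Connection-Properties: H2=0; SSR=0; SSL=TLSv1.2; C=ECDHE-ECDSA-CHACHA20-POLY1305; EC=X25519;
-   ReqHeader      User-Agent: DotNetWikiBot/3.15 (Unix 3.13.0.147; Mono 4.8.0; .NET CLR 4.0.30319.42000)

-   ReqHeader      X-Connection-Properties: H2=0; SSR=0; SSL=TLSv1; C=AES128-SHA;
-   ReqHeader      User-Agent: ExampleBot/0.1 (constructed sample)
"""


def parse_connection_properties(value):
    """Split 'K=V; K=V;' into a dict, tolerating spaces and the trailing ';'."""
    props = {}
    for item in value.split(";"):
        key, sep, val = item.strip().partition("=")
        if sep and key:
            props[key] = val.strip()
    return props


def iter_requests(log_text):
    """Yield one {lowercased header name: value} dict per record."""
    headers = {}
    for line in log_text.splitlines():
        match = HEADER_RE.match(line)
        if match:
            headers[match.group(1).lower()] = match.group(2).strip()
        elif not line.strip() and headers:
            yield headers
            headers = {}
    if headers:
        yield headers


def weak_cipher_user_agents(log_text, weak=WEAK_CIPHERS):
    """Count requests per (User-Agent, TLS version, cipher) using a weak cipher."""
    hits = Counter()
    for req in iter_requests(log_text):
        props = parse_connection_properties(req.get("x-connection-properties", ""))
        if props.get("C") in weak:
            hits[(req.get("user-agent", "<missing>"), props.get("SSL"), props["C"])] += 1
    return hits
```

Calling weak_cipher_user_agents(SAMPLE_LOG) returns a Counter with a single entry for the constructed ExampleBot record; the DotNetWikiBot record from the thread is not flagged because it negotiated ECDHE-ECDSA-CHACHA20-POLY1305 over TLSv1.2.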

Vgutierrez closed this task as Resolved. May 28 2018, 1:24 PM
Vgutierrez claimed this task.
Vvjjkkii renamed this task from Identify bots using AES128-SHA maintainers running on toolforge to v7caaaaaaa. Jul 1 2018, 1:10 AM
Vvjjkkii reopened this task as Open.
Vvjjkkii removed Vgutierrez as the assignee of this task.
Vvjjkkii raised the priority of this task from Medium to High.
Vvjjkkii updated the task description.
Vvjjkkii removed a subscriber: Aklapper.
Vgutierrez renamed this task from v7caaaaaaa to Identify bots using AES128-SHA maintainers running on toolforge. Jul 1 2018, 8:02 AM
Vgutierrez closed this task as Resolved.
Vgutierrez claimed this task.
Vgutierrez lowered the priority of this task from High to Medium.
Vgutierrez updated the task description.
Vgutierrez added a subscriber: Aklapper.