feat: DCC stripping in both directions to prevent IP leaks

Block all non-ACTION CTCP/DCC from client-to-server (outbound) and add security logging when inbound CTCP/DCC is stripped. Hard boundary with no config toggle -- DCC exposes the client's real IP which defeats the stealth proxy architecture. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 19:30:44 +01:00
parent f4f3132b6b
commit 0064e52fee
4 changed files with 77 additions and 0 deletions
--- a/docs/CHEATSHEET.md
+++ b/docs/CHEATSHEET.md
@@ -187,6 +187,12 @@ notify_proxy = false                       # use SOCKS5 for notifications

 Only fires when no clients are attached.

+## Security
+
+- DCC/CTCP stripped both directions (prevents IP leaks). ACTION preserved.
+- All server connections routed through SOCKS5 proxy.
+- Stealth connect: random nick/user/realname on every connection.
+
 ## Hot Reload

 ```bash
--- a/docs/USAGE.md
+++ b/docs/USAGE.md
@@ -651,6 +651,18 @@ Removing a channel also clears its key:
 /msg *bouncer AUTOJOIN libera -#secret
 ```

+## DCC Stripping
+
+DCC requests (`DCC SEND`, `DCC CHAT`) embed the sender's real IP address in the
+protocol payload. The bouncer strips all DCC and non-ACTION CTCP messages in
+both directions:
+
+- **Inbound** (server to client): silently dropped, logged as warning
+- **Outbound** (client to server): blocked before reaching the network
+
+ACTION (`/me`) is preserved. This is a hard security boundary -- there is no
+config toggle to disable it.
+
 ## Hot Reload

 The bouncer reloads its config file on `SIGHUP` or via the `REHASH` command.