|
|
| Author |
Message |
Ib3N Lurker

Joined: 10 Mar 2004 Posts: 157 Location: ChatSpike
|
 |
Jay none

Joined: 14 Jan 2004 Posts: 43
|
Posted: Mar 25, 2004 6:36am Post subject: |
|
|
Had fun playing around?
Well, this proves Defender is a great tool for IRC security. Good work. |
 |
Ib3N Lurker

Joined: 10 Mar 2004 Posts: 157 Location: ChatSpike
|
Posted: Mar 25, 2004 6:44am Post subject: |
|
|
I opered up a half hour later.. wondering wtf was going on..
..but I had fun reading the logs, yes |
 |
Vorex none

Joined: 04 Apr 2004 Posts: 41
|
Posted: Apr 11, 2004 7:45pm Post subject: |
|
|
| why did it take ~30min to clear the bots? |
 |
uchat Idler

Joined: 17 Mar 2004 Posts: 335
|
Posted: Apr 11, 2004 7:50pm Post subject: |
|
|
| 30 minutes is most likely the total length of time the bots tried to connect. I doubt that Defender would allow all of those bots to connect before taking action. |
 |
Vorex none

Joined: 04 Apr 2004 Posts: 41
|
Posted: Apr 11, 2004 7:54pm Post subject: |
|
|
I don't know...from the logs, it seems like you have to type an awful lot of commands to remove them...
and they claim 10,000 connections...yet that log isn't even 6000 lines... |
 |
Pierce none

Joined: 09 Feb 2004 Posts: 47
|
Posted: Apr 12, 2004 1:16pm Post subject: |
|
|
I was thinking about that program not so long ago; it kind of seems pointless if you have anope1.6 with operserv chankill, and running neostats with opsb and secureserv you wouldn't have that problem,
Pierce |
 |
Vorex none

Joined: 04 Apr 2004 Posts: 41
|
Posted: Apr 12, 2004 1:56pm Post subject: |
|
|
Exactly, it's pointless to create something that offers no new solution.
And with all these networks running it, glining users whose username and nick match is affecting a lot of their own users...
| Pierce wrote: | I was thinking about that program not so long ago; it kind of seems pointless if you have anope1.6 with operserv chankill, and running neostats with opsb and secureserv you wouldn't have that problem,
Pierce |
|
 |
uchat Idler

Joined: 17 Mar 2004 Posts: 335
|
Posted: Apr 12, 2004 3:01pm Post subject: |
|
|
| And what picture perfect, foolproof ...guaranteed to work every time solution would you suggest? |
 |
Vorex none

Joined: 04 Apr 2004 Posts: 41
|
Posted: Apr 12, 2004 3:38pm Post subject: |
|
|
Chankill is all you need, if it's something really nasty, defcon in anope is the ultimate solution to any problem  |
 |
uchat Idler

Joined: 17 Mar 2004 Posts: 335
|
Posted: Apr 12, 2004 3:42pm Post subject: |
|
|
| you wouldn't need to kill any channels with a good proxy bot. you wouldn't need to do anything but watch. |
 |
Vorex none

Joined: 04 Apr 2004 Posts: 41
|
Posted: Apr 12, 2004 3:59pm Post subject: |
|
|
If someone moves a botnet to your network, there's no proxies involved, but a huge surge of clients, thus chankill is needed. |
 |
typobox43 none

Joined: 12 Feb 2004 Posts: 8
|
Posted: Apr 15, 2004 11:44pm Post subject: |
|
|
Defender really just ends up zapping them one step before any sort of operserv akillchan will. There is a module for defender (regexp_akill) that will allow you to specify a regexp that, if matched by a connecting client, will cause the client to be glined. Useful in the case of botnets where the nicks usually follow a pattern, certain types of worm drones, etc. Besides, Defender does a lot more, such as taking out those nasty Fyle pests.  |
 |
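The regexp-on-connect idea from the post above, together with the nick-equals-username concern raised earlier in the thread, as an added example that is not part of the thread and is not Defender's code. It dry-runs ban rules over connect events to show what each rule would hit before it is enforced; the rule names, the patterns, the sample clients and the choice to match against the full `nick!user@host` mask are all assumptions.

```python
import re
from typing import NamedTuple, Optional

class Client(NamedTuple):
    nick: str
    user: str
    host: str
    realname: str

# Assumed log form "nick!user@host (realname)", as in the Defender line quoted in the thread.
CONNECT_RE = re.compile(r"^([^!\s]+)!([^@\s]+)@(\S+) \((.*)\)$")

# Hypothetical rules, tested against the full nick!user@host mask (an assumption:
# the thread does not say which fields regexp_akill matches).
RULES = {
    "drone-nick": re.compile(r"^[a-z]{4}\d{4}!", re.ASCII),
    "nick-equals-user": re.compile(r"^([^!]+)!\1@"),
}

# Constructed connect events on documentation address ranges; not real log data.
KNOWN_GOOD = [
    "alice!alice@192.0.2.10 (Alice)",
    "Bob_|away!~bob@192.0.2.11 (Bob)",
]
FLOOD = [
    "qzrt4821!qzrt4821@198.51.100.20 (qzrt4821)",
    "mxkd0093!mxkd0093@198.51.100.21 (mxkd0093)",
    "wplf7710!wplf7710@198.51.100.22 (wplf7710)",
]

def parse(line: str) -> Optional[Client]:
    """Split one connect line into its fields; None if it is not in the assumed form."""
    m = CONNECT_RE.match(line.strip())
    return Client(*m.groups()) if m else None

def dry_run(lines, rules=RULES) -> dict:
    """Return {rule name: [nicks the rule would ban]} without taking any action."""
    hits = {name: [] for name in rules}
    for line in lines:
        client = parse(line)
        if client is None:
            continue  # unparseable lines are skipped, never banned
        mask = f"{client.nick}!{client.user}@{client.host}"
        for name, rx in rules.items():
            if rx.search(mask):
                hits[name].append(client.nick)
    return hits

if __name__ == "__main__":
    print("flood:", dry_run(FLOOD), "known good:", dry_run(KNOWN_GOOD))
```

On this sample both rules catch every flood client, but only `nick-equals-user` also hits a known-good client (`alice`), which is the false-positive cost of the broader rule.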
Ib3N Lurker

Joined: 10 Mar 2004 Posts: 157 Location: ChatSpike
|
Posted: Apr 18, 2004 11:38pm Post subject: |
|
|
| I'd suggest taking a look at the www.ircdefender.org site before judging... |
 |
braindigitalis Idler

Joined: 22 Sep 2003 Posts: 443 Location: IRC
|
Posted: Apr 19, 2004 1:56am Post subject: |
|
|
(1) The total length of the attack is 30 minutes from start to finish. Three commands are typed near the start of the attack, and the bots keep coming, and coming (hundreds of them)
(2) Anope is not able to set regular expression akills (maybe in the future it will be able to?)
(3) Since when has three commands been a lot of work to clear 1000 bots?
(4) Just because the log is big, it doesn't mean that it spent all that time emptying the channel. The channel was empty in the first ten seconds, but when clients keep coming, the attack continues. As you might have guessed, even a continuing attack doesn't bog down the network and the defender service is still using few enough CPU cycles to do other things.
(5) It's stable, and does some things nothing else can, such as the fact that it can kill the 'webcamspam' fyle drones before they even enter your network and join a single channel, or the ability to filter out nickname and channel floods at a network level (similar to secureserv, only doesn't need neostats).
(6) Sitting watching this is fun and cuts down on admin:
[08:06] <Defender> *SPLAT!* Fyle v2 drone detected - camilla!vivianna@203.131.162.153 (juliann emlynn)
(7) SecureOper module restricts oper-ops to a list of known nicknames, making our network more secure.
As ib3n said, go read the site before judging it to be 'just like everything else' or deciding that simpler tools that are part of services packages do the same task.
[EDIT] At time of going to press, neostats doesn't support IRCu P10 servers:
| Quote: | NeoStats currently supports Unreal, Ultimate 2.x.x, Ultimate 3.x.x,
Hybrid7, Bahamut, Mystic, Quantum and our own NeoIRCd.
|
Defender does. Enough said, if you use P10. |
 |
|