|
|
| Author |
Message |
DeMiNe0
Lurker
Joined: 25 Jan 2004
Posts: 195
Location: Westchester, New York
|
 Posted: Jul 07, 2004 3:27pm Post subject: Flood Bots 1000+ |
 |
|
My network has been getting killed with Flood bots. I've glined about 3000+ of them allready but they keep coming.
They join until my servers connection cant take it anymore. All they do is log on and join a random channel. They somtimes spam and somtimes they dont. I think they are all controled from some central control.
They also dont reply to ctcp version or fingers.
Can anyone help me? This is destorying my network. |
|
| Back to top |
|
 |
codemastr
Idler
Joined: 05 Feb 2004
Posts: 353
|
| Posted: Jul 07, 2004 7:07pm Post subject: |
|
|
| I really don't know what you are expecting here. We spent over an hour on IRC trying to help you with this earlier today. No, there is no "click here to stop a botnet attack" feature. You have to kill the bots. If you can't find some characteristic that allows you to ban them all (e.g. nick is 8 chars long, ends in a B and the realname is the same as the nick), then you'll need to kill them manually. There is no simple cure to this. Other than that, I have no clue what you are expecting someone to do for you. |
|
| Back to top |
|
|
DeMiNe0
Lurker
Joined: 25 Jan 2004
Posts: 195
Location: Westchester, New York
|
| Posted: Jul 07, 2004 9:07pm Post subject: |
|
|
I've heard of services that detect floods of users joining. Maybe one of thoughs can help.
Who ever is doing the DOS has thousands of bots. So far i've glined nearly 4k of them. I cant keep glining every flood i see....... |
|
| Back to top |
|
|
codemastr
Idler
Joined: 05 Feb 2004
Posts: 353
|
| Posted: Jul 07, 2004 9:48pm Post subject: |
|
|
| Well, what do you think a bot like you described would do? It would ban them as well. Those kind of floods are really impossible to detect. If 5000 connections occur, 4990 are bots, 10 are users, there is no way for it to tell which 10 are users. It will ban all 5000 of them. So such a bot would be no better than just setting up a script to gline someone whenever they connect until the flood stops. |
|
| Back to top |
|
|
Ib3N
Lurker
Joined: 10 Mar 2004
Posts: 157
Location: ChatSpike
|
| Posted: Jul 08, 2004 1:55am Post subject: |
|
|
| DeMiNe0 wrote: | I've heard of services that detect floods of users joining. Maybe one of thoughs can help.
Who ever is doing the DOS has thousands of bots. So far i've glined nearly 4k of them. I cant keep glining every flood i see....... |
www.ircdefender.org |
|
| Back to top |
|
|
Ib3N
Lurker
Joined: 10 Mar 2004
Posts: 157
Location: ChatSpike
|
| Posted: Jul 08, 2004 1:57am Post subject: |
|
|
we've had our fair share of drones, and defender has killed them all. Ive seen only like 2 or 3 slipped by that I had to kill manually.
You can also define regexp kills for it |
|
| Back to top |
|
|
Ib3N
Lurker
Joined: 10 Mar 2004
Posts: 157
Location: ChatSpike
|
| Posted: Jul 08, 2004 2:17am Post subject: |
|
|
| ps. Your net allow warez, and already have a few warez channels... You might want to concider the fact that drones/DDoS and warez walk hand in hand on ircnets |
|
| Back to top |
|
|
DeMiNe0
Lurker
Joined: 25 Jan 2004
Posts: 195
Location: Westchester, New York
|
| Posted: Jul 08, 2004 3:54am Post subject: |
|
|
ya the warez channels arnt registered. For some reasen i guess the forbid expired.
also when i run irc defender i get:
[digtox@server1 defender]$ perl defender.pl
IRC Defender - Programmed by C.J.Edwards (Brain) - irc.chatspike.net
Loading configuration file...
.pm in @INC (@INC contains: /usr/local/lib/perl5/5.8.2/i386-freebsd /usr/local/lib/perl5/5.8.2 /usr/local/lib/perl5/site_perl/5.8.2/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.2 /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl/5.005 /usr/local/lib/perl5/site_perl .) at ./Modules/Main.pm line 193.
[digtox@server1 defender]$
I have the latest perl up. And i allready posted on the IRCdefender forums. |
|
| Back to top |
|
|
snoice
none
Joined: 03 Jul 2004
Posts: 19
|
| Posted: Aug 06, 2004 9:36am Post subject: about the dos attack |
|
|
I might be a little late and well never read all the replys but a quick note i run Anope services, and there's a chankill option, ive had 1000+ bots attack my network, in the run of 2 das kept joining the same channel all i had to do was /os chankill #channel Reason And bamn all users/bots in that channel except IRCops got akilled/Glined. That worked great and atm no bots are around or have been for a while  . |
|
| Back to top |
|
|
Travers
none
Joined: 19 Feb 2005
Posts: 7
|
| Posted: Mar 02, 2005 9:32pm Post subject: |
|
|
You say they all join a channel. On my network on the oper service i coded we have a GOJ command (gline on join) so we could for example add #Help to the GOJ list and anyone who joins #help would be glined with 'reason'. This is a good way of banning them it will ban their *@address noexpire.
Travers
ArqNet IRC Network - irc.arqnet.org
Network Officer
PublicRelations Consultant
sebastian@arqnet.org |
|
| Back to top |
|
|
braindigitalis
Idler
Joined: 22 Sep 2003
Posts: 443
Location: IRC
|
| Posted: Mar 03, 2005 8:56am Post subject: |
|
|
| DeMiNe0 wrote: | ya the warez channels arnt registered. For some reasen i guess the forbid expired.
also when i run irc defender i get:
[digtox@server1 defender]$ perl defender.pl
IRC Defender - Programmed by C.J.Edwards (Brain) - irc.chatspike.net
Loading configuration file...
.pm in @INC (@INC contains: /usr/local/lib/perl5/5.8.2/i386-freebsd /usr/local/lib/perl5/5.8.2 /usr/local/lib/perl5/site_perl/5.8.2/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.2 /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl/5.005 /usr/local/lib/perl5/site_perl .) at ./Modules/Main.pm line 193.
[digtox@server1 defender]$
I have the latest perl up. And i allready posted on the IRCdefender forums. |
what you need is the killchan module for defender (comes with it) to gline users on join to a channel.
You need to redo your config file again. this time, edit it in linux, rather than messing up all the linefeeds by editing it in notepad |
|
| Back to top |
|
|
Ashen
Idler
Joined: 05 Jan 2004
Posts: 285
|
| Posted: Mar 06, 2005 5:00pm Post subject: |
|
|
In this sort of situation I would suggest reversing the 'public access' policy of your server.
Mlock all channels +RM, require email authentication for nickserv registration.
Stop non-opers creating new channels, or setup services to auto-akill clients who join the bad channels.
Do CTCP version checks, and akill people with bad/no version.........etc
Generally, when in a bad situation, you have to stop being nice :-(
-Ashen |
|
| Back to top |
|
|
Robert-E-Lee
Idler
Joined: 22 Nov 2004
Posts: 288
Location: in a room with your mum, teaching her how to do certain things....
|
| Posted: Mar 07, 2005 1:03am Post subject: |
|
|
re: config editing wiyh notepad?
use wordpad instead..it actually saves shit in generic unix txt format...
k, thx.
bai |
|
| Back to top |
|
|
pepolez
Lurker
Joined: 05 Oct 2004
Posts: 163
Location: IRC
|
| Posted: Mar 11, 2005 1:06am Post subject: |
|
|
yep, that killchan module is great for dealing with floodbots..just look for a common chan they join and type killchan add #<channel> <reason> in the control chan also, its great for stopping bottlers and xdcc bots with abnormal version replies great work creating that braindigitalis  |
|
| Back to top |
|
|
morax
none
Joined: 25 Jan 2005
Posts: 18
|
| Posted: Mar 12, 2005 12:45am Post subject: heh |
|
|
restrict your class and auth blocks.
if your average userload is 70 over 3 servers, make each server hold about 35 clients as max until you need to add some more. that way, not many of the bots can connect to the network, and you can defcon without having to hunt out a few hundred bots. |
|
| Back to top |
|
|
|
Register
Log in
