callum none

Joined: 09 Apr 2006 Posts: 12
|
Posted: Apr 09, 2006 3:00pm Post subject: clone attacks |
|
|
As I am new to Anope, is there anything services/modules can do or be configured to do to deal with mass clone attacks?
Overnight we had over 100 clones connect and mass flood
* Quits: u1184 (~r5401@4irc--EEEE8C7D.bchsia.telus.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: a9090 (~f2066@4irc--E112952D.dhcp.jcsn.tn.charter.com) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: q2150 (~d8044@4irc--EEEE8C7D.bchsia.telus.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: b188 (~k9258@CAA01737.13557B43.21428B95.IP) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: d1176 (~q1222@4irc--6D260E17.tampabay.res.rr.com) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: r9356 (~n2817@4irc--79A5DCC1.hsd1.in.comcast.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: v3535 (~q2723@4irc--B3BDF4FB.hsd1.wa.comcast.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: d8219 (~e1799@4irc--B3BDF4FB.hsd1.wa.comcast.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: t207 (~k7773@4irc--1789E1F3.paemt300.ipd.brasiltelecom.net.br) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: d5765 (~a1877@4irc--7F4A4950.rjo.virtua.com.br) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: d3742 (~a1776@4irc--B25BBC93.bayanat.com.sa) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: w8107 (~w5433@4irc--1F64DDBE.l.digizap.com.br) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: c8798 (~s611@4irc--B25BBC93.bayanat.com.sa) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: a8045 (~p5532@E69C07AA.3AA95FCD.AD903910.IP) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: k3451 (~g2642@4irc--B78F7E5F.gen.twtelecom.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
What can I do about that? |
|
Alek none

Joined: 14 Aug 2003 Posts: 24
|
Posted: Apr 09, 2006 4:41pm Post subject: |
|
|
Depends on what they are flooding, what their version reply is, etc.
Also, it appears that they use one letter then 3-4 numbers, which can also be tracked. It's not too hard to code a module which checks all incoming connections for similarities. If they all returned a particular version, you can use something like SecureServ, which versions all incoming connections. If they are flooding a particular string, the ircd/services can kill on that string, etc. |
|
ab0rted Lurker

Joined: 10 Nov 2005 Posts: 208
|
Posted: Apr 13, 2006 11:36am Post subject: Re: clone attacks |
|
|
| callum wrote: | As I am new to Anope, is there anything services/modules can do or be configured to do to deal with mass clone attacks?
Overnight we had over 100 clones connect and mass flood
* Quits: u1184 (~r5401@4irc--EEEE8C7D.bchsia.telus.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: a9090 (~f2066@4irc--E112952D.dhcp.jcsn.tn.charter.com) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: q2150 (~d8044@4irc--EEEE8C7D.bchsia.telus.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: b188 (~k9258@CAA01737.13557B43.21428B95.IP) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: d1176 (~q1222@4irc--6D260E17.tampabay.res.rr.com) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: r9356 (~n2817@4irc--79A5DCC1.hsd1.in.comcast.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: v3535 (~q2723@4irc--B3BDF4FB.hsd1.wa.comcast.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: d8219 (~e1799@4irc--B3BDF4FB.hsd1.wa.comcast.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: t207 (~k7773@4irc--1789E1F3.paemt300.ipd.brasiltelecom.net.br) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: d5765 (~a1877@4irc--7F4A4950.rjo.virtua.com.br) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: d3742 (~a1776@4irc--B25BBC93.bayanat.com.sa) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: w8107 (~w5433@4irc--1F64DDBE.l.digizap.com.br) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: c8798 (~s611@4irc--B25BBC93.bayanat.com.sa) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: a8045 (~p5532@E69C07AA.3AA95FCD.AD903910.IP) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
* Quits: k3451 (~g2642@4irc--B78F7E5F.gen.twtelecom.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)
What can I do about that? |
ClonesX uses a proxy script for mass connections; install a proxy scanner on your server:
http://wiki.blitzed.org/BOPM
Also, NeoStats offers a proxy-scanning bot module which is very effective too: http://www.neostats.net/ |
|
Scire Newbie

Joined: 14 Apr 2006 Posts: 84 Location: IRC
|
Posted: Apr 14, 2006 12:51pm Post subject: |
|
|
| I agree with ab0rted; NeoStats OPSB is very effective. |
|
SkaterStuff Lurker

Joined: 11 Oct 2005 Posts: 156
|
Posted: May 22, 2006 5:00pm Post subject: |
|
|
Yes, NeoStats works the best; that is all I use |
|
FBI Guru

Joined: 19 Aug 2005 Posts: 1494 Location: Federation Of Bored IRC'ers
|
Posted: May 22, 2006 5:34pm Post subject: |
|
|
Just use Anope Defcon 1...
But I prefer NeoStats OPSB better |
|
PingBad Guru

Joined: 05 Feb 2005 Posts: 2031 Location: New Zealand
|
Posted: May 22, 2006 8:20pm Post subject: |
|
|
| FBI wrote: | Just use Anope Defcon 1...
But I prefer NeoStats OPSB better |
DefCon level 1 would lock down the entire network, rendering it somewhat "useless" in retrospect...
My suggestion is to use a spamfilter that glines for roughly 30 days to 6 months (depends entirely on how pissed off you get with this crap) that blocks the URL from quit messages.
Code:
/spamfilter add q gzline - ClonesX clonesx\.cjb\.net
The regex of clonesx.cjb.net may need some work, but in theory that should automatically ban anyone using ClonesX |
|
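Added example, not part of any post in this thread and not code from Anope, NeoStats or any ircd: a Python script that applies Alek's nick/ident pattern and PingBad's quit-message regex to quit lines in the format callum pasted, and lists matches for an operator to review instead of banning automatically. The sample lines, the placeholder hostnames and the two-signal threshold are assumptions made for this example.

```python
import re
from collections import Counter

# Quit line in the format pasted in the thread: "* Quits: nick (ident@host) (reason)"
QUIT_LINE = re.compile(
    r"^\* Quits: (?P<nick>\S+) \((?P<ident>[^@\s]+)@(?P<host>\S+)\) \((?P<reason>.*)\)$")
# Alek's observation: one letter followed by 3-4 digits, in nick and ident alike
RANDOM_NAME = re.compile(r"^~?[a-z]\d{3,4}$")
# PingBad's spamfilter regex; ignoring case is a choice made for this example
QUIT_SIGNATURE = re.compile(r"clonesx\.cjb\.net", re.IGNORECASE)

def parse_quit(line):
    """Return nick/ident/host/reason for a quit line, or None if it is not one."""
    m = QUIT_LINE.match(line.strip())
    return m.groupdict() if m else None

def signals(entry):
    """List which independent indicators this connection matches."""
    hits = []
    if RANDOM_NAME.match(entry["nick"]):
        hits.append("nick")
    if RANDOM_NAME.match(entry["ident"]):
        hits.append("ident")
    if QUIT_SIGNATURE.search(entry["reason"]):
        hits.append("quit")
    return hits

def review(lines, min_signals=2):
    """Return (suspects, hosts with more than one suspect) for operator review."""
    suspects, hosts = [], Counter()
    for entry in filter(None, map(parse_quit, lines)):
        hits = signals(entry)
        if len(hits) >= min_signals:  # a single weak signal is not enough to list
            suspects.append((entry["nick"], entry["host"], hits))
            hosts[entry["host"]] += 1
    return suspects, {h: n for h, n in hosts.items() if n > 1}

# Constructed sample in the thread's log format; hostnames are placeholders
SAMPLE = [
    "* Quits: x1234 (~b4410@4irc--AAAA0001.example.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)",
    "* Quits: m567 (~t902@4irc--AAAA0001.example.net) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)",
    "* Quits: h9021 (~c3377@4irc--CCCC0003.example.org) (Quit: http://clonesx.cjb.net/ ClonesX v1.501b by kRaiX)",
    "* Quits: k9000 (~kevin@4irc--DDDD0004.example.com) (Quit: Leaving)",
    "* Quits: alice (~alice@4irc--EEEE0005.example.com) (Ping timeout)",
]

if __name__ == "__main__":
    suspects, repeated = review(SAMPLE)
    for nick, host, hits in suspects:
        print(f"{nick:8} {host:32} {'+'.join(hits)}")
    print("hosts with several suspects:", repeated)
```

The nick `k9000` matches the letter-plus-digits pattern but nothing else, so it is not listed; requiring two signals is what keeps an ordinary user with a similar nick out of the report.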
ARcanUSNUMquam none

Joined: 25 Mar 2006 Posts: 42
|
Posted: May 22, 2006 9:35pm Post subject: |
|
|
| You can use a spamfilter on those quit messages. Most clonex bots are like that. |
|
Kuplunk none

Joined: 30 Apr 2006 Posts: 24
|
Posted: May 23, 2006 12:18am Post subject: |
|
|
| ARcanUSNUMquam wrote: | | You can use a spamfilter on those quit messages. Most clonex bots are like that. |
Just like PingBad said? If you've got anything more to add let us know  |
|
MrBurns Lurker

Joined: 13 Oct 2004 Posts: 169 Location: Netherlands
|
Posted: Jun 24, 2006 12:09pm Post subject: |
|
|
Best thing to do is a combination of all mentioned methods... a good proxy scanner, a spamfilter and maybe a module or bot that detects similar hosts / nicks / idents and auto-glines them.
Personally I use an anti-bot algorithm identifier that bans all suspicious connections from the network, a proxy scanner that auto-bans open or unsecured proxies, a spamfilter that auto-bans anybody that uses a specific word or combination and an anti-spambot that autokills anybody that uses a specific word in a channel.
Also, the network is configured to only allow one connection every 5 seconds (slowing a floodbot attack down enough to ban them all before they do anything) and doesn't allow any connection to change nick within 1 minute after connecting (anti ban evasion) and doesn't allow any quit messages within 5 minutes after connecting (anti quit spam protection)
Probably got a lot more security features but those are the ones I can remember at this moment without making my head explode |
|
katsklaw Guru

Joined: 28 Jun 2004 Posts: 1098
|
Posted: Jun 24, 2006 12:17pm Post subject: |
|
|
| MrBurns wrote: | | Personally I use an anti-bot algorithm identifier that bans all suspicious connections from the network, a proxy scanner that auto-bans open or unsecured proxies, a spamfilter that auto-bans anybody that uses a specific word or combination and an anti-spambot that autokills anybody that uses a specific word in a channel. |
No offense, but it's no wonder your network is so small .. especially being 3 years old. Who knows how many innocent users you've banned with all that automation. Ya know .. some things should still be done manually. Auto-gline setting is evil. |
|
CyberWar none

Joined: 13 Jun 2006 Posts: 15
|
Posted: Jul 28, 2006 1:06am Post subject: |
|
|
| Anope and Blitzed stopped the projects? |
|
CyberWar none

Joined: 13 Jun 2006 Posts: 15
|
Posted: Jul 28, 2006 1:08am Post subject: |
|
|
| My SecureServ is all ready and configured, but it does not work |
|
chaz Idler

Joined: 15 Jun 2005 Posts: 282 Location: IRC
|
Posted: Jul 28, 2006 6:17am Post subject: |
|
|
| We (Anope) stopped the development of our proxy scanner as it was too load intensive on Anope, and was much better done through the use of OPSB or BOPM. Blitzed have closed their DNSBL, but plenty of others still exist, thus BOPM is not _dead_. |
|
CyberWar none

Joined: 13 Jun 2006 Posts: 15
|
Posted: Jul 28, 2006 8:25am Post subject: |
|
|
| ah ok chaz thx |
|