This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.


For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.

Big Flood problem.... help me ;-)

Old posts that have not been replied to for several years.
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

I got an Unreal irc server and i'm an ircop in there so I can make what @host adress I want, with no clones or something like this. I'll test today 3 bots to 10-15 flooders, all with diferent adresses, on sentinel v2.60 (29 March 2001) and I'll report back what happend. :smile:
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

Well.. I tested 1 eggdrop with 10 flooders, with diferent hosts. My test results are: the ctcp flood protection works very fast with +mi and bans + kicks.. the join part flood works very good as the ctcp protection, but the avalanche/tsunami flood is not so good. He only puts a +mi and that notice to the channel.. flooders are still there with no bans at all.
h
hmelo

Post by hmelo »

I'm @ of a big channel in a brazilian irc network. We suffer with attacks like this. When the attacker has many proxys, bncs, and even wingates, with a lot of IPs, is dificult to stop the atack. The best way i've found is to set the channel in +R mode, where only registered users can join the channel, and start banning the IPs in the Bot perm Ban list :smile:
This is not the perfect way, but it handles the attack and prevent further ones with those hosts.

<font size=-1>[ This Message was edited by: hmelo on 2002-01-01 23:00 ]</font>
h
hmelo

Post by hmelo »

I'm @ of a big channel in a brazilian irc network. We suffer with attacks like this. When the attacker has many proxys, bncs, and since wingates, with a lot of IPs, is dificult to stop the atack. The best way i've found is to set the channel in +R mode, where only registered users can join the channel, and start banning the IPs in the Bot perm Ban list :smile:
This is not the perfect way, but it handles the attack and prevent further ones with those hosts.
User avatar
Yourname
Master
Posts: 358
Joined: Mon Sep 24, 2001 8:00 pm
Location: Toronto

Post by Yourname »

caesar, it wud be helpful if you paste the settings of sentinel.
Dormant egghead.
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

I'll paste the main setings when I'll get home. :smile:
G
GTM
Voice
Posts: 20
Joined: Sun Sep 30, 2001 8:00 pm

Post by GTM »

Slennox, I will be more then willing to help you with the floodchannel, please contact me on EFnet.
GTM@EFnet
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

--- Setings ---
# Bot CTCP flood.
set sl_bcflood 1:60

# Bot MSG flood.
set sl_bmflood 4:20

# Channel CTCP flood.
set sl_ccflood 1:60

# Channel avalanche/tsunami flood.
set sl_avflood 3:60

# Channel text flood.
set sl_txflood 10:60

# Channel bogus username join flood.
set sl_boflood 3:20

# Channel join-part flood.
set sl_jflood 3:20

# Channel nick flood.
set sl_nkflood 3:20

set sl_tsunami 10
set sl_ban 1440
set sl_boban 1440
set sl_globalban 0
set sl_wideban 1
set sl_banmax 100
set sl_igtime 240
set sl_ilocktime 120
set sl_mlocktime 60
set sl_shortlock 1
set sl_bfmaxbans 19

--- Setings ---
k
killer

Post by killer »

I noticed that the flooder has always the same part of the nick
eg. ABCxxxxx (in this case _0wn3d...) so we could code something that
will just ban the first part of the nick in case of flood...

See you
killer :wink:
k
killer

Post by killer »

Slennox, I found the program that makes these clones here it's the url so you can give it a look.

http://clonesx.ezlomaz.com/clonesx.html

bye bye
killer
User avatar
slennox
Owner
Posts: 593
Joined: Sat Sep 22, 2001 8:00 pm
Contact:

Post by slennox »

caesar, thanks for doing what you could, but results/logs from current version aren't really useful to me. In any case, I now have an ircd with some other people helping.

killer, regarding bans on similar nicks(ABCxxxxxx, etc.), it's far too easy to get around such bans using truly random nicks. You can bet every flooder would soon switch to random nicks if they know their semi-random ones will be automatically banned by a script, so its usefulness would be short-lived.
M
Mata Hari

Post by Mata Hari »

slennox, i might have a temporary (few months) testbed for you (fast and multiple servers on fast link)

(I admin a /22 university network)

drop me a line on spy@cafeetje.nl

d
dArKoNe

Post by dArKoNe »

These days the Bulgarian IRC Network (UNIBg) is also suffering attacks like this one showed above. Many big channels got flooded off and even channel #Bulgaria was so badly flooded with abot 200 different bots from different hosts (bncs, proxies). The flood there was about 30 min and no one could do anything to stop it. Even one server got splitted due to the flood. The bots are msg-ing the channel with different msgs, when you set mode +m the begin nick flood. slennox if you want channels to test your script - I suggest you visiting this network:) I found this forum by chance while I was looking for script to prevent this thing happen again. Now I've downloaded sentinel1.54 and I hope to works :smile:
Locked