simple and fast flood protection script ;)

morfeus · Post by **morfeus** » Thu Jul 04, 2002 4:29 am

Hi, i'm new to tcl scripting and kinda new to flood protection. Been using script made by others but I keep wondering why to make complicated scripts to do this and that (ok ppl need fancy systems).

I was thinking of making (atleast in test purpose&learning) a flood protection script that would mainly use the eggdrops own flood triggers and do the this and that according to that.

As I walked thrue the eggdrop documentation i read that the possible flood types are the pub, msg, join and ctcp. So I assume that pub flood is triggered by whats typed on the channel, msg what is msged to the bot, join (in & out flood) and ctcp by various ctcp commands.

What about the nick, kick and deop floods? as those though are defined in the bots config. Are these binded to the pub flood as they happend on the channel ? and the next question if so, is there a way to know the floods 'sub' type (nick,kick or deop for example). or should this then be done like bind flud - "* -b*" proc ? or is this possible..

If the flood settings are reasonable high (not to be triggered by in relevant floods ie small ones) would the most efficient way to be to react to the flood by ignore user in the bot, flush it, ban the user (and let the other bots do the kicking or should the bot do the kicking too?)

I bet this has been discussed somewhere already but I didn't find it. If you know the topic here or elsewhere pls, let me know it too

Cheers, morfeus

tainted · Post by **tainted** » Thu Jul 04, 2002 5:56 am

I doubt this is much help, but in a flood setting +i and/or +m will work best, and then the bots can get to work kicking and banning the offenders. A lot of times a flood consists of _lots_ of bots, and trying to ban them all will:
1) Lag the bot(s) that are trying to clean the channel to hell and back
2) Most networks' banlists are limited to at most 20-something bans, and I've seen floodnets with over 200 clients.. Quite a mess that would make, since the ban would not be placed and the bot would kick it over, and over, and over.
3) Most bans are ident based, and floodnets get automated klines and kills on floods in some cases, and since the ident is random, it will have a new ident.

Just a few things you might want to put into consideration when decideing exactly how to handle the diffrent types of floods.

morfeus · Post by **morfeus** » Thu Jul 04, 2002 6:23 am

Yeh I have thought that too but how to monitor a huge flood without having a complex script and that using the cpu time etc. Was thinking of something like max bans and after that close the channel and just kick (and let the human ones handle the rest). If i really really wanted to save my time and my brains i prolly would have gone staright to sentinel and loaded it into a few bots.

I don't belive into huge attacks anymore

just the annoying ones live well anymore.. (no this wasn't a challenge).

I've also seen and been the targer of huge floods by flood-botnets but it's been atleast a year when i have seen one last.

If someone can clear my first question i'd appreciate it.

cheers, morfeus

tainted · Post by **tainted** » Thu Jul 04, 2002 4:12 pm

Slennox might not like this all that much, but I would suggest taking a look at his code, and what binds he is using. (sentinel.tcl) A simple way to check for a flood is to bind to pub * and incr a counter every time a user says something. (Do the same on ctcp's, msgs, etc.) Once it hits a certain number, ban the offender. Could also have it count how many flooders there has been in the past XX minutes and if it exceeds a safe amount, then it could lock down the channel. Hope that helps get you started.. Seems to me you are trying to reinvent the wheel though, since there are a whole bunch of scripts out there that already do this.

morfeus · Post by **morfeus** » Thu Jul 04, 2002 4:50 pm

First there at least 2 kinds of ppl, ppl who want to learn and understand and ppl who take what they get for 'granted' and be happy with that..

I want to learn and understand.

tainted wrote:Slennox might not like this all that much, but I would suggest taking a look at his code, and what binds he is using. (sentinel.tcl)

Some folks call it code reusing..

tainted wrote: A simple way to check for a flood is to bind to pub * and incr a counter every time a user says something. (Do the same on ctcp's, msgs, etc.)

As far as I have understod i'd anyways bind to the eggdrops own flud trigger and use it flood types. it's built in and writenin C so it's always better than tcl scripts.

tainted wrote:Once it hits a certain number, ban the offender. Could also have it count how many flooders there has been in the past XX minutes and if it exceeds a safe amount, then it could lock down the channel.

Yep, something like this would be the logic.

tainted wrote:Hope that helps get you started.. Seems to me you are trying to reinvent the wheel though, since there are a whole bunch of scripts out there that already do this.

Refer to my start line in this post. You propably didn't read or understand my actual question or cannot answer the question, but have the need to comment anyways..

Please re-read my original posts 1st and 2nd paragraphs and read them again. If you understood those procede to paragraph 4 and answer the question(s) if you can.

for tainted don't get this personal, but all i see u increasing your posts, thats all.

If someone can answer my questions please do so.

tainted · Post by **tainted** » Thu Jul 04, 2002 5:11 pm

No I'm not trying to increase my posts, for all I care they could be reset to zero. Forum fame.. OoOoOo. I was just trying to get you started in the right direction. As for the code-reusing, I was in no way suggesting that. I was meaning for you to read how his script does it and from there be able to understand whats bound where and why and how to get it to react how you want for each diffrent flood. You say you want a simple script, but there is no really simple way to stop a flood unless you just lock the chan +im. I know what you are asking in your first post, but like I've said and like I'll say again, why write something thats been written so many times already?

And for the record, I'd rather reuse code than reinvent the wheel and waste time writing something that has been done more times than any other script.

Post by **slennox** » Thu Jul 04, 2002 8:54 pm

morfeus wrote:I don't belive into huge attacks anymore just the annoying ones live well anymore.. (no this wasn't a challenge).

I'd suggest part of the reason huge attacks are less common and annoying ones more so is to a large degree because of sentinel.tcl -- the dangerous floods have become impotent (though this is not a claim that sentinel.tcl is infallible, particularly if pooly configured). Flooders don't want their flood halted and floodbots dispensed with, so they get around it by using "annoying" floods which sentinel.tcl is not designed to detect.

Eggdrop's internal flood detection mechanisms aren't designed to deal with anything much more than individual flooders. They cannot detect what I call "interleaved" floods. That is, multiple flooders each taking their turn at sending their flood text. This is something I discovered early on when I created lockchan.tcl (which later became sentinel.tcl).

The comment you made that people need (or rather want) fancy systems certainly rings true. People (like me

) didn't want a script to just lock the channel on a flood, they wanted it to automatically detect and ban the flooders as well. This is primarily what made sentinel.tcl a monstrosity. In fact, if you simply disable the sl_ban feature the script basically becomes a more modern version of lockchan.tcl.

You might want to take a look at lockchan.tcl for some ideas, since it's a much simpler script, perhaps of the kind you desire. I'll put it up at http://www.egghelp.org/mytcl.htm

morfeus · Post by **morfeus** » Sat Jul 06, 2002 2:20 am

for tainted my humble apologies. maybe i was just too tired when writing and over reacting (i'm new on the forum but not totally new to eggdrops atleast 1.1.5 version.. and certainly my goal isn't to be a troll&lamer at this forum). It just seemed to my point of view that noone understod my goal (perhaps I don't understand it myself either

)

i'll have a look at slennox's lockchan script.

About the huge floods that i'm not so much concerned anymore, well we have made quite good peace with th eppl who are capable of doing ones these days (not your every day lamer can do it even if they get ready scripts (atleast not in ircnet..)).

I'll have to make something concreate and comment here about it and ask my questions cause i'm sure I will have ones. Thanks all.

cheers, morfeus

morfeus · Post by **morfeus** » Mon Jul 08, 2002 4:23 am

Did some preliminary testing with bind flud - * my_proc. The documentation doesn't tell about flood type nick but it though is there, so when there is a nick flood the type of the bind is nick. Is there other undocumented types ? is there a deop and kick type too ? Is teh only way to catch notice 'floods' with bind raw - NOTICE my_proc ?

cheers, morfeus

looked at the irc.mod\chan.c and there they use kick and deop as flood type so I assume i will also have those types in flood event binds.. (nice to talk to myself ;P )

tested and there are the nick, kick and deop flood types that exists in the bind flud - <type> my_proc (anyone, why not documented in the eggdrop tcl commands?

)