Floodbots @ Our server (3.2.2b)

These are old archives. They are kept for historic purposes only.
Locked
sMb
Posts: 3
Joined: Wed Mar 16, 2005 7:58 pm

Floodbots @ Our server (3.2.2b)

Post by sMb » Wed Mar 16, 2005 8:07 pm

Ok, so this is the problem.

I've got a server which holds about 200-300 users avg all the time. Everything works as it should, the only problem is this one flooder / floodbots.

So, the bots (many of them) just connect from different hosts with different idents and then the party begins. They flood to channels, with priv notice, priv msg and of course the join / quit floods when they connect and join channels.

I can say that I'm pretty much a newbie at keeping an irc daemon and that my English is not that good, I understand well but my "writing language" is not that good :)

So if anyone knows any way to stop this from happening I would appreciate it. I already did a search on the forum and didn't find anything matching my problem (or I just didn't know where to look). Thanks already.

Matridom
Posts: 296
Joined: Fri Jan 07, 2005 3:28 am

Re: Floodbots @ Our server (3.2.2b)

Post by Matridom » Wed Mar 16, 2005 8:31 pm

sMb wrote:
Ok, so this is the problem.

I've got a server which holds about 200-300 users avg all the time. Everything works as it should, the only problem is this one flooder / floodbots.

So, the bots (many of them) just connect from different hosts with different idents and then the party begins. They flood to channels, with priv notice, priv msg and of course the join / quit floods when they connect and join channels.

I can say that I'm pretty much a newbie at keeping an irc daemon and that my English is not that good, I understand well but my "writing language" is not that good :)

So if anyone knows any way to stop this from happening I would appreciate it. I already did a search on the forum and didn't find anything matching my problem (or I just didn't know where to look). Thanks already.

I'm not a spamfilter expert, but I think it would help if you gave us some examples of what these flood bots look like when they connect.

sMb
Posts: 3
Joined: Wed Mar 16, 2005 7:58 pm

Re: Floodbots @ Our server (3.2.2b)

Post by sMb » Wed Mar 16, 2005 9:07 pm

Matridom wrote:
I'm not a spamfilter expert, but I think it would help if you gave us some examples of what these flood bots look like when they connect.

Sure thing: here's one

*** Notice -- Client connecting on port 6667: w8122 (w8122@752E2AE6.65B4DB2B.5849F90E.IP) [clients]

Many nicks connect at the same time from different hosts (most of them are *@*.*.*.IP, so I didn't want to bother c&p'ing many rows of text here, but if you want it I can paste it).

Anyway, most of them are "format" nick1234!nick1234@*.*.*.IP, but there are also some random host formats like:

*@220-134-241-65.HINET-IP.hinet.net
*@24032.bhz.virtua.com.br
*@h000347cb008a.ne.client2.attbi.com
...etc etc etc...

I think that you all understood so no need for more examples :wink:

/whowas
[23:07:50]|&| sfd896 (s4614@213.42.2.22)
[23:07:50]|&| was : vufirq
[23:07:50]|&| End of WHOWAS

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Post by Stealth » Thu Mar 17, 2005 1:31 am

It looks like these are ClonesX clones.

Simple spamfilter to stop them:

Code:

([a-z]+\d+)!~?\1@.+:[a-zA-Z]{6}

This will catch most of them, but it may also catch some innocent users, so be careful with it.

arbiter
Posts: 10
Joined: Mon Feb 28, 2005 1:06 pm

Post by arbiter » Thu Mar 17, 2005 10:01 am

Better to take a look at the spamfilter section.

It seems the flooder(s) are using the ClonesX script to flood, you can stop one of their methods with this regex:

Code:

^[a-z][0-9]{1,4}!~[a-z][0-9]{1,4}@.+:[a-z]{6}$

If you disabled ident requests then simply remove "~" from the above regex. As unreal3.2.2(b) does not support back references, you'll encounter a problem using Stealth's regex (you need to upgrade to unreal3.2.3 first to use that regex). Also, to prevent some wrong matches it's better to add "^" at the start of the regex to mark the starting point of matching (e.g. Julia1976 will match with that regex, and as far as I know ClonesX random nicks are always $+($r(a,z),$r(1,9999)) ), and realnames are always 6 chars, so it's better to end matching with "$" to prevent more wrong matches.
see:
http://forums.unrealircd.com/viewtopic.php?t=1605
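
An added example, not part of any post in this thread: it runs the two spamfilter patterns quoted above against a few `nick!user@host:realname` strings to show what each one catches and misses. Python's `re` with case-insensitive matching stands in for UnrealIRCd's own regex engine (an assumption), and every sample value not quoted in the thread is constructed.

```python
import re

# The two patterns from the thread, applied to "nick!user@host:realname".
# Assumption: re.IGNORECASE approximates how the IRCd applies spamfilters.
FILTERS = {
    "stealth": r"([a-z]+\d+)!~?\1@.+:[a-zA-Z]{6}",
    "arbiter": r"^[a-z][0-9]{1,4}!~[a-z][0-9]{1,4}@.+:[a-z]{6}$",
}

SAMPLES = {
    # nick/ident/host from the connect notice in the thread; realname constructed
    "notice_bot": "w8122!w8122@752E2AE6.65B4DB2B.5849F90E.IP:qwerty",
    # same client with an unanswered ident request ("~" prefix); constructed
    "tilde_bot": "w8122!~w8122@752E2AE6.65B4DB2B.5849F90E.IP:qwerty",
    # the /whowas entry from the thread: nick and ident differ
    "whowas_bot": "sfd896!s4614@213.42.2.22:vufirq",
    # constructed ordinary user whose ident equals the nick (the Julia1976 case)
    "julia": "Julia1976!~Julia1976@dsl-1.isp.example:Juliana",
    # constructed ordinary user with a short nick and a different short ident
    "short_user": "k9!~m3@cable-7.isp.example:marcus",
}


def matches(pattern, target):
    """True if the pattern hits anywhere in the target string."""
    return re.search(pattern, target, re.IGNORECASE) is not None


def coverage():
    """Map each filter name to {sample name: matched?}."""
    return {
        name: {label: matches(pattern, target) for label, target in SAMPLES.items()}
        for name, pattern in FILTERS.items()
    }


if __name__ == "__main__":
    for name, row in coverage().items():
        hits = [label for label, hit in row.items() if hit]
        misses = [label for label, hit in row.items() if not hit]
        print(f"{name}: matches {hits}, misses {misses}")
```

Neither pattern matches the /whowas entry, where nick and ident differ, and each one matches a different ordinary-looking user, so both need testing against real connect notices before being used with a block or ban action.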

sMb
Posts: 3
Joined: Wed Mar 16, 2005 7:58 pm

Post by sMb » Thu Mar 17, 2005 2:05 pm

Ok, hopefully these instructions help with my problem, I'll test them as soon as I get home from work and report here if there's more flooding. Thanks :)

Atomy

Post by Atomy » Thu Mar 17, 2005 4:58 pm

use a proxy scanner e.g. http://wiki.blitzed.org/BOPM

RpMz
Posts: 6
Joined: Mon Mar 08, 2004 12:11 am
Contact:

Post by RpMz » Tue Apr 19, 2005 3:33 pm

sMb, for this kind of spambots try to use neostats with secureserv. Take an update and try it. Sorry for my terrible English :P

RpMz

TigerKatziTatzi
Posts: 36
Joined: Fri Apr 08, 2005 12:10 pm

Post by TigerKatziTatzi » Mon May 23, 2005 12:09 pm

Mainly about floodbots or spambots. I'd been on a >10k network before and we weren't able to use opsb. So we started to script an opm (open proxy monitor). It's a script as a mIRC addon and mainly does a /stats L or /userip nickname on join. Meanwhile the refer ip-file in use contains 76k ips, used with floodbots. Now running a network with active opsb we still get some proxy connections online which aren't listed and caught by opsb. So this opm is still useful.

How to build up such a refer file:

- daily checking for available open proxies http, sock4, sock5
- whois results

How to recognize bots on a network:

In my experience (two years dealing with botnets / floodbots) most of the standard available floodscripts aren't joining any chan, they are just connecting to the network and idling in no chan till the owner thinks he has enough online to hit a chan. So having 'notinchan' (anope module) running in short terms would bring them into a defined chan.

But there are two types of bots which are able to flood:
floodscripts using proxy connections, and botnets (infected users).
The first you can mostly get rid of easily. With the second there is mostly no chance, unless you are able to identify the botnet and where it's hosted. Mostly these botnets are owned by some 'kids' (mirc based botnet) who are taking their first steps with botnets. Besides flooding, these bots will be used in the first place to spam urls (which contain the trojan and bot code) and, once they have grown, to run ddos-attacks against networks.

Using spamfilter against floodbot scripts:

In the first place, if ur network is being hit by floodbots, u need to try to gain information about the bots. That means nicks, idents, host, realname. If u find similar settings on the bots, u may be able to use them to block them from connecting to the network. At least this should be done for most available floodscripts, so u don't have kiddies on the net who are playing with them.
e.g:

/spamfilter add u block - Floodbot \:CentralFlu$


so far for some experiences.

TKT
'fighting against botnets all together'

CoCoRiCo

Post by CoCoRiCo » Sun Jul 24, 2005 9:57 pm

Use antirandom.c unreal module :D
good luck

w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t » Mon Jul 25, 2005 1:58 am

I'm a little confused about why everyone's chosen to post a million solutions on a fairly old thread. I believe the problem is long since dealt with... Locked.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]
