
Floodbots @ Our server (3.2.2b)

Posted: Wed Mar 16, 2005 8:07 pm
by sMb
Ok, so this is the problem.

I've got a server which holds about 200-300 users on average all the time. Everything works as it should; the only problem is this one flooder / floodbots.

So, the bots (many of them) just connect from different hosts with different idents and then the party begins. They flood the channels with private notices and private messages, and of course the join / quit floods when they connect and join channels.

I can say that I'm a pretty big newbie at running an IRC daemon and that my English is not that good; I understand well but my "writing language" is not that good :)

So if anyone knows any way to stop this from happening I would appreciate it. I already did a search on the forum and didn't find anything matching my problem (or I just didn't know where to look). Thanks already.

Re: Floodbots @ Our server (3.2.2b)

Posted: Wed Mar 16, 2005 8:31 pm
by Matridom
sMb wrote: Ok, so this is the problem. [...]
I'm not a spamfilter expert, but I think it would help if you gave us some examples of what these flood bots look like when they connect.

Re: Floodbots @ Our server (3.2.2b)

Posted: Wed Mar 16, 2005 9:07 pm
by sMb
Matridom wrote: I'm not a spamfilter expert, but I think it would help if you gave us some examples of what these flood bots look like when they connect.
Sure thing: here's one

*** Notice -- Client connecting on port 6667: w8122 ([email protected]) [clients]

Many nicks connect at the same time from different hosts (most of them are *@*.*.*.IP, so I didn't want to bother c&p'ing many rows of text here, but if you want it I can paste it).

Anyway, most of them are in the "format" nick1234!nick1234@*.*.*.IP, but there are also some random host formats like:

*@220-134-241-65.HINET-IP.hinet.net
*@24032.bhz.virtua.com.br
*@h000347cb008a.ne.client2.attbi.com
...etc etc etc...

I think you all understood, so no need for more examples :wink:

/whowas
[23:07:50]|&| sfd896 ([email protected])
[23:07:50]|&| was : vufirq
[23:07:50]|&| End of WHOWAS

Posted: Thu Mar 17, 2005 1:31 am
by Stealth
It looks like these are ClonesX clones.

Simple spamfilter to stop them:

([a-z]+\d+)!~?\1@.+:[a-zA-Z]{6}
This will catch most of them, but it may also catch some innocent users, so be careful with it.

Posted: Thu Mar 17, 2005 10:01 am
by arbiter
Better to take a look at the spamfilter section.

Seems the flooder(s) are using the ClonesX script to flood; you can stop one of their methods with this regex:

^[a-z][0-9]{1,4}!~[a-z][0-9]{1,4}@.+:[a-z]{6}$
If you disabled ident requests, then simply remove the "~" from the above regex. As Unreal 3.2.2(b) does not support back references, you'll encounter problems using Stealth's regex (you need to upgrade to Unreal 3.2.3 first to use that regex). Also, to prevent some wrong matches it's better to add "^" at the start of the regex to mark the starting point of matching (e.g. Julia1976 will match that regex, and as far as I know ClonesX random nicks are always $+($r(a,z),$r(1,9999))), and realnames are always 6 chars, so it's better to end the match with "$" to prevent more wrong matches.
See:
http://forums.unrealircd.com/viewtopic.php?t=1605

Posted: Thu Mar 17, 2005 2:05 pm
by sMb
Ok, hopefully these instructions help with my problem; I'll test them as soon as I get home from work and report here if there's more flooding. Thanks :)

Posted: Thu Mar 17, 2005 4:58 pm
by Atomy
Use a proxy scanner, e.g. http://wiki.blitzed.org/BOPM

Posted: Tue Apr 19, 2005 3:33 pm
by RpMz
sMb, for this kind of spambots try to use neostats with secureserv. Take an update and try it. Sorry for my terrible English :P

Posted: Mon May 23, 2005 12:09 pm
by TigerKatziTatzi
Mainly about floodbots or spambots. I'd been on a >10k network before and we weren't able to use opsb. So we started to script an opm (open proxy monitor). It's a script as a mIRC addon and mainly does a /stats L or /userip nickname on join. Meanwhile the reference IP file it uses contains 76k IPs used with floodbots. Now running a network with active opsb, we still get some proxy connections online which aren't listed and caught by opsb. So this opm is still useful.

How to build up such a reference file:

- daily checking for available open proxies (http, socks4, socks5)
- whois results

How to recognize bots on a network:

In my experience (two years dealing with botnets / floodbots) most of the standard available floodscripts aren't joining any chan; they are connecting just to the network and idling in no chan till the owner thinks he has enough online to hit a chan. So having 'notinchan' (Anope module) running for short periods would bring them into a defined chan.

But there are two types of bots which are able to flood:
flood scripts using proxy connections, and botnets (infected users).
The first you are mostly able to get rid of easily. For the second there is mostly no chance, except if you are able to identify the botnet and where it's being hosted. Mostly these botnets are owned by some 'kids' (mIRC-based botnet) who are doing their first steps with botnets. Besides flooding, these bots will be used in the first place to spam URLs (which contain the trojan and bot code) and, once they have grown, to run DDoS attacks against networks.

Using spamfilter against floodbot scripts:

In the first place, if your network is being hit by floodbots, you need to try to gain information about the bots, meaning nicks, idents, hosts, realnames. If you find similar settings on the bots, you may be able to use them to block them from connecting to the network. At least this should be done for most available floodscripts, so you don't have kiddies on the net who are playing with them.
e.g.:

/spamfilter add u block - Floodbot \:CentralFlu$


So far for some experiences.

TKT
'fighting against botnets all together'
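Added example (my own code, not from the thread, from UnrealIRCd or from any of the posters): a small Python harness that runs the three patterns posted in this thread (Stealth's backreference regex, arbiter's anchored regex with and without the ident "~", and TKT's \:CentralFlu$ realname filter) over constructed nick!ident@host:realname records, the form a user-target ("u") spamfilter is matched against. Python's re engine supports backreferences, so Stealth's regex runs here even though arbiter says Unreal 3.2.2b's engine does not. The sample records are made up (w8122/vufirq, sfd896 and the hinet.net host echo values from the thread, the rest are invented), and the function names are mine.

```python
import re

# Constructed records in the nick!ident@host:realname form that UnrealIRCd's
# user-target ("u") spamfilter matches against.  w8122/vufirq, sfd896 and the
# hinet.net host echo values from the thread; idents, other hosts and the
# remaining realnames are made up for this example.
SAMPLES = {
    "clone, ident prefixed":     "w8122!~w8122@10.0.0.1:vufirq",
    "clone, 3-letter prefix":    "sfd896!~sfd896@24032.bhz.virtua.com.br:qwerty",
    "clone, no ident lookup":    "q9!q9@10.0.0.2:abcdef",
    "clone nick, long realname": "d7!~d7@cable.example.org:daniel seven",
    "innocent user":             "john1980!~john1980@dsl.example.net:Johnny",
    "CentralFlu bot":            "x42!~x42@220-134-241-65.HINET-IP.hinet.net:CentralFlu",
}

# Stealth's pattern: the backreference \1 requires the ident to repeat the nick.
# Python's re supports \1; arbiter's post says Unreal 3.2.2b's engine does not.
STEALTH = re.compile(r"([a-z]+\d+)!~?\1@.+:[a-zA-Z]{6}")


def arbiter_pattern(ident_lookups: bool = True) -> re.Pattern:
    """arbiter's anchored pattern; the '~' is dropped when the ircd does no ident lookups."""
    tilde = "~" if ident_lookups else ""
    return re.compile(rf"^[a-z][0-9]{{1,4}}!{tilde}[a-z][0-9]{{1,4}}@.+:[a-z]{{6}}$")


# TigerKatziTatzi's realname filter; '\:' is just an escaped literal colon.
CENTRALFLU = re.compile(r"\:CentralFlu$")

FILTERS = {
    "stealth": STEALTH,
    "arbiter (ident on)": arbiter_pattern(True),
    "arbiter (ident off)": arbiter_pattern(False),
    "centralflu": CENTRALFLU,
}


def classify(record: str) -> dict:
    """Map each filter name to whether it would block this user record."""
    return {name: bool(rx.search(record)) for name, rx in FILTERS.items()}


def blocked_by(record: str) -> list:
    """Names of the filters that block the record, in FILTERS order."""
    return [name for name, hit in classify(record).items() if hit]


if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        verdict = ", ".join(blocked_by(rec)) or "passes all filters"
        print(f"{label:26} {rec}\n{'':26} -> {verdict}")
```

Running it shows the trade-off the posters describe: the backreference pattern catches every clone shape, including sfd896 from the WHOWAS output above, but also blocks the innocent john1980 (the caveat Stealth gives); arbiter's single-letter, anchored pattern lets john1980 and sfd896 through, and its trailing "$" rejects the "daniel seven" realname that the unanchored pattern accepts. The "~" variant only matters for whether your ircd does ident lookups.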

Posted: Sun Jul 24, 2005 9:57 pm
by CoCoRiCo
Use the antirandom.c Unreal module :D
good luck

Posted: Mon Jul 25, 2005 1:58 am
by w00t
I'm a little confused about why everyone's chosen to post a million solutions on a fairly old thread. I believe the problem is long since dealt with... Locked.