Bot Attacks

Posted: Sat Aug 27, 2005 5:15 pm
by Guest
Hi there

Two days ago somebody attacked my server with bots, and I was online but I have not seen any kind of bot connecting to my server.

Two min. later the server was down, and I couldn't even log in to my shell.

Then I sent an email to my rooter and asked him for help, and he sent me back an email:

-----------------------------------------------------------------------------------
your server is under attack, over 200,000 attempts to connect have been
made by a series of attack bots.
-----------------------------------------------------------------------------------

I know that I don't have 200,000 users. I don't even have 2000.

So the question is: Is there any trick to stop them with the spamfilter, or is there any module special for connects? Like setting a limit of connects for a several time with a mode. Example: 20 connects in 10 sec. and the rest to disconnect or zline them automa...

Plz let me know Thx :)

Posted: Sat Aug 27, 2005 6:42 pm
by Jason
No. The point of this attack is not to flood people on your server, but to use up your server's bandwidth dropping all connections.

If they are actually trying to make full IRC connections, paste us a few examples of their nick!user@hosts.

Posted: Sat Aug 27, 2005 8:06 pm
by Guest
Jason

Please first of all read carefully what I've posted before. I haven't seen any bots connecting to my server and I was online at that time. They were trying to connect to my server with 200,000 thousand bots but the server is accepting max 300 users.
Therefore they couldn't connect at all. That's what I think.

I've seen that something was wrong at that time because no one else was connecting or posting any msgs in the main channel, like none of my users was out there.

At that time I knew that somebody is attacking my server. Two min ago I was disconnected from the server, and tried to connect, and the msg was: Connection Timed Out!

Then I tried to log in to the shell to start unreal again, but I couldn't even log in to the shell. The msg was the same: Connection Timed Out!

Yes it is true, they don't try to flood any channel like beginners, they know exactly what they do, but they are flooding my services due to attempting mass connections.

So, my question is: Is there any module or any way to block or zline mass connections?

If such a module exists, where can I download it? Thx

Posted: Sat Aug 27, 2005 8:18 pm
by Matridom
Guest wrote:
If such a module exists, where can I download it? Thx

It looks like it's a Denial of Service attack; in such a situation, there's nothing you can do really other than to get your ISP to block the connections from their end.

If it was something the spamfilters could deal with, then you would get connection notices.

Posted: Sat Aug 27, 2005 9:14 pm
by Guest
Matridom wrote:
nothing you can do really other than to get your ISP to block the connections from their end.

Can you explain to me a little bit how I can do that? To block them!

And, if there is no way to stop them, should I just sit there and wait until they attack my server? :?

Posted: Sat Aug 27, 2005 10:34 pm
by Jason
Guest. I said what I said because I DID read what you posted. The situation is exactly what I described. Why did you accept this description from others but not me?

Posted: Sun Aug 28, 2005 8:50 am
by Guest
Jason

I am accepting all descriptions, examples, ideas or purposes from everyone, as long as that can help me stop these bots connecting to my server. Or at least put a limit on mass connections. That would help also.

Posted: Sun Aug 28, 2005 9:05 am
by Dukat
There's nothing you can do to stop it, sorry.

I suggest you read this article:
http://www.esecurityplanet.com/best_pra ... hp/3521706

Posted: Sun Aug 28, 2005 10:16 am
by Guest
Dukat

I see there is no solution to stop them, but is there at least a module for unreal to increase mass connections, or mass connection attempts? Like setting a limit for connections in a several time. Example, let's say: mode server max 20 connections in 10 seconds.

Posted: Sun Aug 28, 2005 11:11 am
by Dukat
You don't need a module for that - it's already included in UnrealIRCd.
What you want is the set:throttle block ( http://www.vulnscan.org/UnrealIRCd/unre ... l#setblock ).

(But that won't help at all against DDoS attacks... :P)

Posted: Sun Aug 28, 2005 11:18 am
by Guest
Dukat

Of course it won't help, because it is for one user that reconnects too fast. I need another one for more than one user, and not checking if they are reconnecting, but only for mass connection. If there is a mass connection, then stop them.

Anyway thx for trying to help me :)

Posted: Sun Aug 28, 2005 4:04 pm
by Syzop
If there is a mass connection, then stop them.
If it's a mass synflood attack (ok, well sorry if you don't know that term.. it basically means half-tcp connections and not real ones), then the OS can handle it via tcp cookies.

And if they are real connects, then the ircd would still not shut down since you would hit the fd (file descriptor) limit, which is probably something like 1024 or 2048 connections. Naturally nobody would be able to connect then (including legit users), but the ircd would still be up.

If the MAXCONNECTIONS (aka fd limit) would not be hit, then the ircd should still be able to handle it all well... Although I can understand it might not exactly like all those connection attempts *understatement*.

That's how it should go at least :P.


If it really is 200.000 bots then it's probably too much, but otherwise.. it should be possible to firewall them. That would require a competent (firewall) administrator though.
It's also possible to limit connects (syn's) per second at a firewall, which is much easier, but would probably hardly solve your problem (ok, the ircd will be up, but people would have a really hard time connecting).

Posted: Sun Aug 28, 2005 7:38 pm
by Jason
*eagerly awaits FreeBSD 6.0-RELEASE*

I know OpenBSD's pf firewall, and I think IPTABLES too, can rate limit connections, and if they exceed whatever, add them to a blacklist table.

That's what you would have to do, but it would still eat bandwidth
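
An added example, not part of any post in this thread: a small Python model that contrasts a per-source connection-rate rule feeding a blacklist table with a global connects-per-window cap, using the "20 connections in 10 seconds" figure asked about above. The traffic, addresses and function names are constructed for illustration and do not correspond to any firewall's or ircd's actual API.

```python
from collections import defaultdict, deque

def per_source_limit(events, max_conns=20, window=10.0):
    """Per-source rule: a source that opens more than max_conns connections
    within `window` seconds is added to a blacklist table and dropped."""
    recent, blacklist, accepted = defaultdict(deque), set(), []
    for ts, src in events:
        if src in blacklist:
            continue
        q = recent[src]
        while q and ts - q[0] >= window:   # forget attempts outside the window
            q.popleft()
        q.append(ts)
        if len(q) > max_conns:
            blacklist.add(src)
        else:
            accepted.append((ts, src))
    return accepted, blacklist

def global_limit(events, max_conns=20, window=10.0):
    """Global cap: accept at most max_conns connections per window,
    no matter which source they come from."""
    recent, accepted = deque(), []
    for ts, src in events:
        while recent and ts - recent[0] >= window:
            recent.popleft()
        if len(recent) < max_conns:
            recent.append(ts)
            accepted.append((ts, src))
    return accepted

def constructed_traffic():
    """Constructed sample: one noisy host, 2000 hosts connecting once each,
    and 5 legitimate users, all within ten seconds."""
    noisy = [(i * 0.05, "198.51.100.7") for i in range(100)]
    swarm = [(i * 0.005, f"10.{i // 256}.{i % 256}.1") for i in range(2000)]
    legit = [(1.0 + 2 * i, f"192.0.2.{i + 1}") for i in range(5)]
    return sorted(noisy + swarm + legit)

if __name__ == "__main__":
    events = constructed_traffic()
    accepted, blacklist = per_source_limit(events)
    print("per-source: accepted", len(accepted), "blacklisted", sorted(blacklist))
    capped = global_limit(events)
    legit_in = [s for _, s in capped if s.startswith("192.0.2.")]
    print("global cap: accepted", len(capped), "legit users admitted", len(legit_in))
```

On this constructed input the per-source rule blacklists only the single noisy host and still admits every one-shot connection from the swarm, while the global cap bounds the load but admits none of the legitimate users.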