Any idea how to block this, or what it is?

These are old archives. They are kept for historic purposes only.
Talustus
Posts: 13
Joined: Tue Dec 05, 2006 3:00 pm

Any idea how to block this, or what it is?

Post by Talustus »

Today there is a mass connect on my network: over 1000 flood bots are connecting in a short time. I haven't seen them join any channels or flood.

Code:

[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: abbore ([email protected]) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: w00p ([email protected]) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: f_r_a ([email protected]) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: AeroDream ([email protected]) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: PERMALOSO ([email protected]) [clients]
[Di 05.12.2006|15:38:04]  *** Notice -- Client connecting on port 6667: Lonelygal ([email protected]) [clients]
[Di 05.12.2006|15:38:04]  *** Notice -- Client connecting on port 6667: PIHKAL ([email protected]) [clients]
[Di 05.12.2006|15:38:05]  *** Notice -- Client connecting on port 6667: |nCuBuS ([email protected]) [clients]
[Di 05.12.2006|15:38:05]  *** Notice -- Client connecting on port 6667: [j]o[e] ([email protected]) [clients]
[Di 05.12.2006|15:38:05]  *** Notice -- Client connecting on port 6667: Vicious ([email protected]) [clients]
Over 1000 of them. I have opsb and bopm running, but nothing happens, no ban or akill.
A whowas of one of them:

Code:

-=[  •••••••••••••••••••• -=[  Whowas Start ]=-
-=[  Nickname: -=[  R9 ]
-=[  Realname: -=[  2 future 4 u ]
-=[  Hostmask: -=[  8B7B76B1.750E5F6E.2FC3C20A.IP ]
-=[  Server: -=[  dream-irc.de ]
-=[  •••••••••••••••••••• -=[  Whowas End ]=-
And all of them have the same quit message:

Code:

[15:39:45] <@ConnectServ> SIGNOFF egmjnelfo ([email protected] AAAAAA - American Association Against Acronym Abus) signed off at dream-irc.de Quit: th1z iz .:tHa lEEtf0rCe:. dUn f0k wiT eLiTeCr3w
[15:39:45] <@ConnectServ> SIGNOFF R9 ([email protected] 2 future 4 u) signed off at dream-irc.de Quit: th1z iz .:tHa lEEtf0rCe:. dUn f0k wiT eLiTeCr3w
Any idea or help to block it would be great.
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth »

Simple:

Code:

/gzline *@12.190.84.* 0 Flood bots.
When having an issue, always look at the IPs or hosts the attacker is using. A GZLine takes a whole lot less CPU and memory than a Spamfilter would. If you have access to the firewall settings on the system, I would also recommend you block them with the firewall for a while.

The IPs seem to be owned by a private organization, GGnet.net, a US-based company. It is against federal law for companies to initiate attacks. The IPs seem to be assigned by AT&T Worldnet Services, so you should send an abuse report to them as well. It is also possible that GGNet has been compromised, but that seems unlikely.

For more info:
http://www.dnsstuff.com/tools/whois.ch?ip=12.190.84.103
http://www.dnsstuff.com/tools/whois.ch? ... s.arin.net

AT&T Worldnet Services Abuse Information:
OrgAbuseHandle: ATTAB-ARIN
OrgAbuseName: ATT Abuse
OrgAbusePhone: +1-919-319-8130
OrgAbuseEmail: [email protected]
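Stealth's advice to start from the IPs the attacker is using can be scripted against the server notices shown above. The following is an added example, not code from this thread or from UnrealIRCd: it parses "Client connecting" notices in the format the log uses, counts connects per /24 inside a sliding time window, and emits the gzline and firewall commands for any range over the threshold. The sample lines and their hostmasks are constructed for the example (the page does not show the real hostmasks), and the threshold, window length and prefix length are assumptions to tune for your network.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of UnrealIRCd "Client connecting" notices in the format
# shown in the thread. Nicks, idents and addresses are made up for this example.
SAMPLE_LOG = """\
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: abbore (ircap8@12.190.84.103) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: w00p (ircap8@12.190.84.104) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: f_r_a (ircap8@12.190.84.105) [clients]
[Di 05.12.2006|15:38:04]  *** Notice -- Client connecting on port 6667: Lonelygal (ircap8@12.190.84.106) [clients]
[Di 05.12.2006|15:38:05]  *** Notice -- Client connecting on port 6667: Vicious (ircap8@12.190.84.107) [clients]
[Di 05.12.2006|15:38:09]  *** Notice -- Client connecting on port 6667: alice (alice@192.0.2.17) [clients]
[Di 05.12.2006|15:40:30]  *** Notice -- Client connecting on port 6697: bob (bob@198.51.100.9) [clients]
"""

# Timestamp prefix is "[<weekday> dd.mm.yyyy|HH:MM:SS]" as in the posted log.
CONNECT_RE = re.compile(
    r"^\[\w+ (?P<date>\d\d\.\d\d\.\d{4})\|(?P<time>\d\d:\d\d:\d\d)\]\s+"
    r"\*\*\* Notice -- Client connecting on port (?P<port>\d+): "
    r"(?P<nick>\S+) \((?P<ident>[^@\s]+)@(?P<host>[^)\s]+)\)"
)


def parse_connects(text):
    """Return a list of (timestamp, nick, ident, ip) for each connect notice."""
    events = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["host"])
        except ValueError:
            continue  # hostname or cloaked host: cannot aggregate by prefix
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H:%M:%S")
        events.append((ts, m["nick"], m["ident"], ip))
    return events


def find_floods(events, prefixlen=24, window_seconds=60, threshold=5):
    """Return {network: peak count} for prefixes that reach `threshold`
    connects within any `window_seconds`-long window."""
    by_net = defaultdict(list)
    for ts, _nick, _ident, ip in events:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        by_net[net].append(ts)
    floods = {}
    for net, times in by_net.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            floods[net] = best
    return floods


def gzline_mask(net):
    """Build the *@mask argument in the wildcard form used in the thread.
    Octet-aligned IPv4 prefixes become dots-and-stars (12.190.84.*); anything
    else falls back to CIDR, which is assumed to be accepted by your IRCd
    version (check its documentation)."""
    if net.version == 4 and net.prefixlen % 8 == 0:
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        octets += ["*"] * (4 - len(octets))
        return "*@" + ".".join(octets)
    return f"*@{net.with_prefixlen}"


def block_commands(floods, reason="Flood bots", port=6667):
    """Commands to paste: a GZLINE per range plus a firewall DROP for the same
    range, as Stealth recommends doing in parallel."""
    cmds = []
    for net in sorted(floods, key=lambda n: (n.version, int(n.network_address))):
        cmds.append(f"/gzline {gzline_mask(net)} 0 {reason}")
        cmds.append(f"iptables -I INPUT -s {net.with_prefixlen} -p tcp --dport {port} -j DROP")
    return cmds


if __name__ == "__main__":
    hits = find_floods(parse_connects(SAMPLE_LOG))
    for net, count in hits.items():
        print(f"{net}: {count} connects in window")
    print("\n".join(block_commands(hits)))
```

Run it over the real server log instead of SAMPLE_LOG (for example by piping the file into `parse_connects`) and paste the printed `/gzline` line as an oper; the iptables line needs root on the shell box. Hostnames and cloaked hosts are skipped because they cannot be grouped by prefix; for those, match on the ident or realname instead.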
Talustus
Posts: 13
Joined: Tue Dec 05, 2006 3:00 pm

thx Stealth

Post by Talustus »

Thanks for your fast answer. I have written an abuse mail to ATT Abuse, but isn't there a way to block mass connects from the same IP range like 12.190.84.*, or to limit them, for example to only 50 connections from one IP range (12.190.84.0-12.190.84.255)? A module or something like that?
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

To mass block those connects, use a kline, zline, gline, or gzline. You can limit the maximum number of simultaneous connections by giving the range its own class and allow block, and setting a maximum number of users in that class.
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth »

The gzline command will have the IRCd terminate their connections immediately, so no data is sent. This may stop them faster, people usually stop when they realize none of the bots are connecting at all.

If you want to limit the connections (not recommended), you can use a class and allow block and be sure to limit the maxperip and maxclients parameters.

A small note about using the GZLINE command... You may want to:
/mode yournick +s -cF
before typing it, and
/mode yournick +s +cF
after to prevent being flooded with exit notices.
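What Jason's and Stealth's replies describe, written out as an added UnrealIRCd 3.2-style configuration example (not from this thread or the UnrealIRCd documentation): a ban ip block as the config-file form of Stealth's gzline, and the "own class plus allow block" approach with maxclients and maxperip for the 50-per-range limit Talustus asked about. The range 12.190.84.* and the class name "clients" come from the thread; the class name floodrange and the numeric limits are assumptions.

```conf
/* Added example, not part of the thread. UnrealIRCd 3.2.x style syntax. */

/* 1. Config-file equivalent of "/gzline *@12.190.84.* 0 Flood bots":
 *    the connection is rejected before registration, so the bots never
 *    get to send anything, and the ban lives in the config, so it is
 *    still there after a restart. */
ban ip {
    mask 12.190.84.*;
    reason "Flood bots";
};

/* 2. Rate/volume limiting instead of an outright ban (Stealth calls this
 *    "not recommended"; it is shown for completeness).
 *    maxclients caps the whole range, maxperip caps each single address. */
class floodrange {
    pingfreq 90;
    maxclients 50;      /* at most 50 clients from this class at once */
    sendq 100000;
    recvq 8000;
};

/* General allow block everybody else matches (class "clients", as seen in
 * the connect notices above). */
allow {
    ip         *@*;
    hostname   *@*;
    class      clients;
    maxperip   5;
};

/* Range-specific allow block. Which allow block wins depends on file
 * order and that direction changed between major versions (3.2.x is
 * documented as matching from the bottom of the file upward, later
 * versions top-down); confirm for your version and place this block so
 * it is tried before the general one. This ordering assumes 3.2.x. */
allow {
    ip         *@12.190.84.*;
    hostname   *@*;
    class      floodrange;
    maxperip   2;       /* at most 2 connections from any one IP */
};
```

Use either section 1 or section 2 for a given range, not both: a ban ip match rejects the client before any allow block is consulted, so the class limits would never be reached for that range.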
Talustus
Posts: 13
Joined: Tue Dec 05, 2006 3:00 pm

Post by Talustus »

I have gzlined the IP ranges and will wait and see over the next few days what happens. If we get attacked again, I will write an allow block.