connthrottle module issues

Posted: Wed Aug 28, 2019 8:55 pm
by ivp
Wondering how to disable connthrottle module without changing modules.optional.conf?

Tried changing local-throttle and global-throttle numbers without success:

Code:

set {
        connthrottle {
                new-users {
                        local-throttle 20:60;
                        global-throttle 30:60;
                };
        };
};

Also noticed in connthrottle.c that the reputation-gathering parameter is not handled:

Code:

if (!strcmp(cepp->ce_varname, "reputation-gathering"))
{
}

Is there some more verbose log about its activities:

Code:

[Wed Aug 28 22:32:08 2019] - [ConnThrottle] Connection throttling has been ACTIVATED due to a HIGH CONNECTION RATE.
[Wed Aug 28 22:32:15 2019] - [ConnThrottle] Stats for this server past 60 secs: Connections rejected: 3. Accepted: 6 known user(s), 0 SASL and 22 new user(s)

Re: connthrottle module issues

Posted: Fri Sep 13, 2019 5:43 pm
by Syzop
Connthrottle shouldn't kick in unless needed. What I can see from your log file in your post is that the module is doing exactly what it should do: you have set it to 20 per 60 seconds, and it has indeed allowed 20 (even 22) unknown users in and all the known users / SASL could get in too.

Is it normal for your network to see connections from 20 new IP addresses in a minute that have never been seen before?
If you normally have high unknown connection rates, for example if you have a 10,000 user network, then adjust the set::connthrottle::new-users rates (local-throttle and global-throttle) to suit your network. If 20:60 is not enough, try 40:60, etc...

If the large number of unknown connections is a temporary issue (eg: all your other servers died, and everyone is reconnecting to your server - including many new users), then you can use the following command on IRC (although it only affects the current server you are connected to as an IRCOp):

Code:

/THROTTLE OFF

If you want to disable a module that is loaded in modules.optional.conf or modules.default.conf without editing that file, you use blacklist-module in your unrealircd.conf, or elsewhere:

Code:

blacklist-module "connthrottle";

Still, I think connthrottle is pretty neat, it shouldn't be necessary to disable it. Best to just make local-throttle and global-throttle higher (eg: 40:60)
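
An added example (not part of the original posts and not UnrealIRCd code): a Python script that reads `[ConnThrottle]` lines in the format quoted in this thread and compares the unknown-user demand in each stats window with a configured `local-throttle` value. It assumes the log format is exactly as quoted and that rejected connections were all unknown users; the function names and the third sample line are constructed here.

```python
import re

STATS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - \[ConnThrottle\] Stats for this server past "
    r"(?P<secs>\d+) secs: Connections rejected: (?P<rejected>\d+)\. "
    r"Accepted: (?P<known>\d+) known user\(s\), (?P<sasl>\d+) SASL "
    r"and (?P<new>\d+) new user\(s\)")
ACTIVATED_RE = re.compile(r"\[ConnThrottle\] Connection throttling has been ACTIVATED")

# The first two lines are the ones quoted in the thread; the third is a
# constructed sample in the same format.
SAMPLE_LOG = """\
[Wed Aug 28 22:32:08 2019] - [ConnThrottle] Connection throttling has been ACTIVATED due to a HIGH CONNECTION RATE.
[Wed Aug 28 22:32:15 2019] - [ConnThrottle] Stats for this server past 60 secs: Connections rejected: 3. Accepted: 6 known user(s), 0 SASL and 22 new user(s)
[Wed Aug 28 22:33:15 2019] - [ConnThrottle] Stats for this server past 60 secs: Connections rejected: 0. Accepted: 9 known user(s), 1 SASL and 11 new user(s)
"""

def parse_rate(rate):
    """Split a 'count:period' value such as '20:60' into two integers."""
    count, period = rate.split(":")
    return int(count), int(period)

def analyse(log_text, local_throttle):
    """Compare every stats window in the log with the configured new-users rate."""
    limit, period = parse_rate(local_throttle)
    activations, windows = 0, []
    for line in log_text.splitlines():
        if ACTIVATED_RE.search(line):
            activations += 1
            continue
        m = STATS_RE.match(line)
        if not m:
            continue
        w = {k: int(m[k]) for k in ("secs", "rejected", "known", "sasl", "new")}
        w["ts"] = m["ts"]
        # Assumption: rejected connections were all unknown users, because the
        # thread says known and SASL users still get in while throttling.
        w["unknown_attempts"] = w["new"] + w["rejected"]
        # Scale to the configured period so the window and the limit compare.
        w["per_period"] = w["unknown_attempts"] * period / w["secs"]
        w["over_limit"] = w["per_period"] > limit
        windows.append(w)
    peak = max((w["per_period"] for w in windows), default=0)
    return {"activations": activations, "windows": windows, "peak_unknown": peak}

if __name__ == "__main__":
    for w in analyse(SAMPLE_LOG, "20:60")["windows"]:
        print(w["ts"], w["unknown_attempts"], "unknown,", w["known"], "known,", w["over_limit"])
```

The peak figure only shows how many unknown clients tried to connect; whether that is normal traffic or an attack still has to be judged from the connection notices, as discussed in the thread.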

Re: connthrottle module issues

Posted: Sat Sep 14, 2019 11:39 am
by ivp
Many thanks for the reply.

I find it very odd, too. Is it possible to have more details in the log about connthrottle activities? To see what IP addresses are rejected/accepted?

Re: connthrottle module issues

Posted: Sat Sep 14, 2019 4:36 pm
by Syzop
The thing is, figuring out which 3 connections were rejected (there were only 3 in the log you pasted) won't help you. Those are just the last 3 in that minute that were rejected. But before that happened, 20 connections were accepted, within that minute.
You should have seen 20+ connection notices, the usual ones that you always see. So, if there's something suspicious, like attackers, they will likely show up in the 20+ connection notices too.
The real thing to figure out is why you suddenly had a peak of 20 connections from unknown IP addresses. Who those 20 were you can see in your connection notices or ircd.log :)
It can be a real attack, or it can be some network problem. Like I mentioned earlier, if for example 1 of your servers dies and everyone reconnects to another server then this will cause a peak. Similarly, if there is some routing problem at a big ISP in your country and everyone dies, then comes back, it will cause a flood as well. Still, most users should have their IP known so are unaffected by this.

Are all your servers on 4.2.4/4.2.4.1 and are running the reputation module? There was a bug in older versions in the reputation score communication between servers.

As for your direct question: no, we don't show rejected connections. Why? Because that would flood your screen in case of an attack. At high rates it can even kill all IRCOp connections. With the current system, UnrealIRCd can handle attacks of many thousands (even tens of thousands) of drones connecting in a minute, otherwise it can fight off fewer drones and will use more CPU. And, just as important, as said, it's generally quite useless, as you already have seen at least 20 connections (IP samples) that were allowed in. Well, basically what I said above.

Re: connthrottle module issues

Posted: Sun Sep 15, 2019 9:25 am
by ivp
Running single server on UnrealIRCd 4.2.4.1.

Throttling just happened and there are really 20 new legit IP addresses within 60 seconds.
I assume IP reputation data is not preserved after IRCd restart so that could be one of the reasons?

I've raised allowed connections to:

local-throttle 40:60;
global-throttle 60:60;

Re: connthrottle module issues

Posted: Sat Sep 21, 2019 7:20 am
by Syzop
There have not been any issues in a single server setup (such a case is easy for programmers). The database is saved in data/reputation.db every few minutes (eg: ~/unrealircd/data/reputation.db).

So I don't think anything was incorrect in the detection and it was really just 20 new IPs. Good that you raised the settings when in your situation 20 in 1 minute is considered normal/acceptable. The goal is always to make it not have any false positives while still having it kick in under a real attack, nothing wrong with setting it a bit higher like you did :)

Re: connthrottle module issues

Posted: Sat Sep 21, 2019 7:53 am
by ivp
I confirm it works fine with raised settings, many thanks!

So data/reputation.db is not cleared/deleted after the server restart?

Re: connthrottle module issues

Posted: Sat Sep 21, 2019 7:57 am
by Syzop
> So data/reputation.db is not cleared/deleted after the server restart?

No, it's not cleared, that would be rather silly :)