Bot Attacks
Hi there
Two days ago somebody attacked my server with bots. I was online, but I did not see any kind of bot connecting to my server.
Two min. later the server was down, and I couldn't even log in to my shell.
Then I sent an email to my rooter and asked him for help, and he sent me back an email:
-----------------------------------------------------------------------------------
your server is under attack, over 200,000 attempts to connect have been
made by a series of attack bots.
-----------------------------------------------------------------------------------
I know that I don't have 200,000 users. I don't even have 2000.
So the question is: is there any trick to stop them with the spamfilter, or is there any special module for connects? Like setting a limit of connects for a certain time with a mode. Example: 20 connects in 10 sec., and the rest to disconnect or zline them automa...
Plz let me know Thx
No. The point of this attack is not to flood people on your server, but to use up your server's bandwidth dropping all connections.
If they are actually trying to make full IRC connections, paste us a few examples of their nick!user@hosts.
Why the hell can't my signature be empty?
"Your message contains too few characters."
Bot Attacks
Jason
Please first of all read carefully what I posted before. I haven't seen any bots connecting to my server, and I was online at that time. They were trying to connect to my server with 200,000 thousand bots, but the server is accepting max 300 users.
Therefore they couldn't connect at all. That's what I think.
I saw that something was wrong at that time because no one else was connecting or posting any msgs in the main channel, like none of my users were out there.
At that time I knew that somebody was attacking my server. Two min. ago I was disconnected from the server, and tried to connect, and the msg was: Connection Timed Out!
Then I tried to log in to the shell to start unreal again, but I couldn't even log in to the shell. The msg was the same: Connection Timed Out!
Yes, it is true, they don't try to flood any channel like beginners, they know exactly what they do, but they are flooding my services due to attempting mass connections.
So, my question is: is there any module or any way to block or zline mass connections?
If such a module exists, where can I download it? Thx
Re: Bot Attacks
Guest wrote:
If such a module exists, where can I download it? Thx
It looks like it's a Denial of Service attack. In such a situation, there is nothing you can do really other than to get your ISP to block the connections from their end.
If it was something the spamfilters could deal with, then you would get connection notices.
Never argue with an idiot. They will bring you down to their level, then beat you with experience.
Bot Attacks
Matridom wrote:
nothing you can do really other than to get your ISP to block the connections from their end.
Can you explain to me a little bit how I can do that? To block them!
And if there is no way to stop them, should I just sit there and wait until they attack my server?
Bot Attacks
Jason
I am accepting all descriptions, examples, ideas or proposals from everyone, as long as they can help me stop these bots connecting to my server. Or at least put a limit on mass connections. That would help also.
There's nothing you can do to stop it, sorry.
I suggest you read this article:
http://www.esecurityplanet.com/best_pra ... hp/3521706
If you don't make mistakes, you aren't really trying.
- Coleman Hawkins
Bot Attacks
Dukat
I see there is no solution to stop them, but is there at least a module for unreal to increase mass connections, or mass connection attempts? Like setting a limit for connections in a certain time. Example, let's say: mode server max 20 connections in 10 seconds.
You don't need a module for that - it's already included in UnrealIRCd.
What you want is the set:throttle block ( http://www.vulnscan.org/UnrealIRCd/unre ... l#setblock ).
(But that won't help at all against DDoS attacks... )
Bot Attacks
Dukat
Of course it won't help, because it is for one user that reconnects too fast. I need another one for more than one user, and not checking if they are reconnecting, but only for mass connection. If there is a mass connection, then stop them.
Anyway, thx for trying to help me.
"If there is a mass connection, then stop them."
If it's a mass synflood attack (ok, well sorry if you don't know that term.. it basically means half-tcp connections and not real ones), then the OS can handle it via tcp cookies.
And if they are real connects, then the ircd would still not shut down since you would hit the fd (file descriptor) limit, which is probably something like 1024 or 2048 connections. Naturally nobody would be able to connect then (including legit users), but the ircd would still be up.
If the MAXCONNECTIONS (aka fd limit) would not be hit, then the ircd should still be able to handle it all well... Although I can understand it might not exactly like all those connection attempts *understatement*.
That's how it should go at least :P.
If it really is 200,000 bots then it's probably too much, but otherwise.. it should be possible to firewall them. That would require a competent (firewall) administrator though.
It's also possible to limit connects (SYNs) per second at a firewall, which is much easier, but would probably hardly solve your problem (ok, the ircd will be up, but people would have a really hard time connecting).
*eagerly awaits FreeBSD 6.0-RELEASE*
I know OpenBSD's pf firewall, and I think IPTABLES too, can rate limit connections, and if they exceed whatever, add them to a blacklist table.
That's what you would have to do, but it would still eat bandwidth.
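The rate-limit-plus-blacklist rule discussed in the last few posts, as an added example (not code from UnrealIRCd, a firewall, or any poster): a per-source sliding-window limit using the thread's figure of 20 connections in 10 seconds. The class and function names and the sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque


class ConnThrottle:
    """Per-source connection-rate limit with a blacklist table, the idea
    behind firewall rules such as pf's max-src-conn-rate with overload <table>."""

    def __init__(self, max_conns=20, window=10.0):
        self.max_conns = max_conns        # thread's example: 20 connects...
        self.window = window              # ...in 10 seconds
        self.recent = defaultdict(deque)  # source -> recent connect times
        self.blacklist = set()            # sources that exceeded the rate

    def allow(self, src, now):
        """Return True if a connection from src at time now is accepted."""
        if src in self.blacklist:
            return False
        times = self.recent[src]
        while times and now - times[0] >= self.window:
            times.popleft()               # expire entries outside the window
        times.append(now)
        if len(times) > self.max_conns:
            self.blacklist.add(src)       # drop this source from now on
            del self.recent[src]
            return False
        return True


def replay(events, **kwargs):
    """Run (time, source) events through a fresh throttle;
    return (number accepted, set of blacklisted sources)."""
    throttle = ConnThrottle(**kwargs)
    accepted = sum(throttle.allow(src, ts) for ts, src in events)
    return accepted, throttle.blacklist


# Constructed traffic using documentation address ranges, not real hosts.
# One source opening 50 connections within 5 seconds:
single_flooder = [(i * 0.1, "192.0.2.10") for i in range(50)]
# 500 distinct sources, each connecting only twice:
sources = [f"198.51.100.{i}" for i in range(1, 251)]
sources += [f"203.0.113.{i}" for i in range(1, 251)]
distributed = [(r * 2.0 + k * 0.001, s)
               for r in range(2) for k, s in enumerate(sources)]
```

Replaying `single_flooder` blacklists the one source at its 21st connection, while replaying `distributed` accepts all 1,000 connections because no individual source exceeds the limit; that second case is the distributed one the thread says a throttle does not address.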