Bot Attacks

These are old archives. They are kept for historic purposes only.
Guest

Bot Attacks

Post by Guest » Sat Aug 27, 2005 5:15 pm

Hi there

Two days ago somebody attacked my server with bots, and I was online but I did not see any kind of bot connecting to my server.

Two min. later the server was down, and I couldn't even log in to my shell.

Then I sent an email to my rooter and asked him for help, and he sent me back an email:

-----------------------------------------------------------------------------------
your server is under attack, over 200,000 attempts to connect have been
made by a series of attack bots.
-----------------------------------------------------------------------------------

I know that I don't have 200,000 users. I don't even have 2000.

So the question is: Is there any trick to stop them with the spamfilter, or is there any special module for connects? Like setting a limit of connects within a certain time with a mode. Example: 20 connects in 10 sec. and the rest to disconnect or zline them automa...

Plz let me know Thx :)

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Sat Aug 27, 2005 6:42 pm

No. The point of this attack is not to flood people on your server, but to use up your server's bandwidth dropping all connections.

If they are actually trying to make full IRC connections, paste us a few examples of their nick!user@hosts.
Why the hell can't my signature be empty?
"Your message contains too few characters."

Guest

Bot Attacks

Post by Guest » Sat Aug 27, 2005 8:06 pm

Jason

Please first of all read carefully what I've posted before. I haven't seen any bots connecting to my server and I was online at that time. They were trying to connect to my server with 200,000 thousand bots but the server is accepting max 300 users.
Therefore they couldn't connect at all. That's what I think.

I saw that something was wrong at that time because no one else was connecting or posting any msg's in the main channel, like none of my users were out there.

At that time I knew that somebody was attacking my server. Two min. ago I was disconnected from the server, and tried to connect, and the msg was: Connection Timed Out!

Then I tried to log in to the shell to start unreal again, but I couldn't even log in to the shell. The msg was the same: Connection Timed Out!

Yes it is true, they don't try to flood any channel like beginners, they know exactly what they do, but they are flooding my services by attempting mass connections.

So, my question is: Is there any module or any way to block or zline mass connections?

If such a module exists, where can I download it? Thx

Matridom
Posts: 296
Joined: Fri Jan 07, 2005 3:28 am

Re: Bot Attacks

Post by Matridom » Sat Aug 27, 2005 8:18 pm

Guest wrote: If such a module exists, where can I download it? Thx
It looks like it's a Denial Of Service attack; in such a situation, there is nothing you can do really other than to get your ISP to block the connections from their end.

If it was something the spamfilters could deal with, then you would get connection notices.
Never argue with an idiot. They will bring you down to their level, then beat you with experience.

Guest

Bot Attacks

Post by Guest » Sat Aug 27, 2005 9:14 pm

Matridom wrote:
nothing you can do really other than to get your ISP to block the connections from their end.

Can you explain to me a little bit how I can do that? To block them!

And, if there is no way to stop them, should I just sit there and wait until they attack my server? :?

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Sat Aug 27, 2005 10:34 pm

Guest. I said what I said because I DID read what you posted. The situation is exactly what I described. Why did you accept this description from others but not me?
Why the hell can't my signature be empty?
"Your message contains too few characters."

Guest

Bot Attacks

Post by Guest » Sun Aug 28, 2005 8:50 am

Jason

I am accepting all descriptions, examples, ideas or purposes from everyone, as long as that can help me stop these bots connecting to my server. Or at least put a limit on mass connections. That would help also.

Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat » Sun Aug 28, 2005 9:05 am

There's nothing you can do to stop it, sorry.

I suggest you read this article:
http://www.esecurityplanet.com/best_pra ... hp/3521706
If you don't make mistakes, you aren't really trying.
- Coleman Hawkins

Guest

Bot Attacks

Post by Guest » Sun Aug 28, 2005 10:16 am

Dukat

I see there is no solution to stop them, but is there at least a module for unreal to increase mass connections, or mass connection attempts? Like setting a limit for connections within a certain time. Example, let's say: mode server max 20 connections in 10 seconds.

Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat » Sun Aug 28, 2005 11:11 am

You don't need a module for that - it's already included in UnrealIRCd.
What you want is the set:throttle block ( http://www.vulnscan.org/UnrealIRCd/unre ... l#setblock ).

(But that won't help at all against DDoS attacks... :P)
If you don't make mistakes, you aren't really trying.
- Coleman Hawkins

Guest

Bot Attacks

Post by Guest » Sun Aug 28, 2005 11:18 am

Dukat

Of course it won't help, because it is for one user that reconnects too fast. I need another one for more than one user, and not checking if they are reconnecting, but only for mass connection. If there is a mass connection, then stop them.

Anyway, thx for trying to help me :)

Syzop
UnrealIRCd head coder
Posts: 1889
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop » Sun Aug 28, 2005 4:04 pm

If there is a mass connection, then stop them.
If it's a mass synflood attack (ok, well sorry if you don't know that term.. it basically means half-tcp connections and not real ones), then the OS can handle it via tcp cookies.

And if they are real connects, then the ircd would still not shut down since you would hit the fd (file descriptor) limit, which is probably something like 1024 or 2048 connections. Naturally nobody would be able to connect then (including legit users), but the ircd would still be up.

If the MAXCONNECTIONS (aka fd limit) would not be hit, then the ircd should still be able to handle it all well... Although I can understand it might not exactly like all those connection attempts *understatement*.

That's how it should go at least :P.


If there are really 200.000 bots then it's probably too much, but otherwise.. it should be possible to firewall them. That would require a competent (firewall) administrator though.
It's also possible to limit connects (syn's) per second at a firewall, which is much easier, but would probably hardly solve your problem (ok, the ircd will be up, but people would have a really hard time connecting).

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Sun Aug 28, 2005 7:38 pm

*eagerly awaits FreeBSD 6.0-RELEASE*

I know OpenBSD's pf firewall, and I think IPTABLES too, can rate limit connections, and if they exceed whatever, add them to a blacklist table.

That's what you would have to do, but it would still eat bandwidth.
Why the hell can't my signature be empty?
"Your message contains too few characters."
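
The firewall-side measures Syzop and Jason describe above (SYN cookies, a per-source rate limit that blacklists offenders, and a global cap on new connections), sketched for Linux iptables as an added example that is not part of the original thread. Port 6667, the chain and list names, and the global rate are assumptions; the 20-in-10-seconds threshold is the one Guest proposed.

```shell
#!/bin/sh
# Added example (not from the thread): rate limiting new connections to an ircd.
# Dry run by default: commands are printed. Set APPLY=1 and run as root to apply.

IRC_PORT="${IRC_PORT:-6667}"             # assumption: ircd listens on 6667
HITS="${HITS:-20}"                       # Guest's example: 20 connects ...
WINDOW="${WINDOW:-10}"                   # ... in 10 seconds
GLOBAL_RATE="${GLOBAL_RATE:-50/second}"  # assumption: cap on all new connections

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

irc_ratelimit_rules() {
    # 1. SYN cookies: the kernel answers half-open connections without
    #    keeping backlog state for them (the synflood case).
    run sysctl -w net.ipv4.tcp_syncookies=1

    # 2. Send every new TCP connection to the ircd through its own chain.
    run iptables -N IRC_NEW
    run iptables -A INPUT -p tcp --dport "$IRC_PORT" --syn -j IRC_NEW

    # 3. Per-source blacklist: a source already seen $HITS times within
    #    $WINDOW seconds is dropped, and stays dropped while it keeps trying.
    #    (hitcount may not exceed xt_recent's ip_pkt_list_tot, default 20.)
    run iptables -A IRC_NEW -m recent --name ircflood --update \
        --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    run iptables -A IRC_NEW -m recent --name ircflood --set

    # 4. Global cap: accept new connections up to $GLOBAL_RATE, drop the rest.
    #    This keeps the ircd below its fd limit, but legitimate users compete
    #    with the flood for the same budget.
    run iptables -A IRC_NEW -m limit --limit "$GLOBAL_RATE" --limit-burst 100 -j ACCEPT
    run iptables -A IRC_NEW -j DROP
}

irc_ratelimit_rules
```

The per-source rule only helps when individual hosts reconnect repeatedly; dropped packets have already used the server's inbound bandwidth by the time the firewall sees them.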
