CTCP Version Bans & Banning Bots

Darvocet · Post by **Darvocet** » Sun Jan 23, 2005 5:55 pm

My IRC network has reciently had a major attack of the bots, both XDCC Catcher, and Bottler. (IRC-Ork has been banned for some time and seems to not be a problem)

However the problems I am having is that the bots that I have banned via CTCP version replies are hammering the network attempting to connect. The servers all do have throttle settings, which DO work, but the bots seem to not be 'discouraged' by that. My SNotice window is handling so many connect attempts that it is impossible to scroll up and check out past connects. The window would just lock up because of incoming connects.

But my real problem is that I feel like all the bot connection attempts could make all 7 of my servers very hard to connect to, since they are all handling hundreds of blocked connect attempts per hour.

Is there any good way to prevent this from happening? (Thanks in advance.)

Darvocet ([email protected])

Dukat · Post by **Dukat** » Sun Jan 23, 2005 6:23 pm

How did you ban the CTCP Version?
Use action gzline, that should do the trick...

Darvocet · Post by **Darvocet** » Sun Jan 23, 2005 6:26 pm

Dukat wrote:How did you ban the CTCP Version?
Use action gzline, that should do the trick...

You know i was considering that! I just used a regular one with no gzlines, I'll give that a shot for the fun of it see if it helps.

hah

Darvocet == Thanks Dukat!!!

Solutech · Post by **Solutech** » Sun Jan 23, 2005 6:27 pm

I think he means that he gets connect attempts . I can see where he's coming from . Even though he has gzlined the botnets they still try to connect . Have you considered swapping connects to a different port ? .

Darvocet · Post by **Darvocet** » Sun Jan 23, 2005 6:32 pm

Solutech wrote:I think he means that he gets connect attempts . I can see where he's coming from . Even though he has gzlined the botnets they still try to connect . Have you considered swapping connects to a different port ? .

Hmm.. nope i havent tried changing connect ports, the problem i have with that is I believe most of the users on my network are... hmm how do you say... irc retards. So whre as many of them may understand the need to connect on 7000 or 6669 for a little while, I feel there will be hundreds that are too stupid to understand that.

I have added:

Code: Select all

ban version {
        mask "*XDCC Catcher*";
        reason "XDCC Catcher bots are forbidden on this network.";
        action gzline;
        ban-time 24h;

};

So hopefully this will help, but I think you are right, that won't stop the actual connection attempts will it? We'll im going live with it right now so we will soon find out. heh

Darvocet

Darvocet · Post by **Darvocet** » Sun Jan 23, 2005 6:35 pm

Well another problem i get with this (though it is tolerable) is now I have like 3,000 Glines.

Although they will all timeout in 24h, so thats not too bad.

Solutech · Post by **Solutech** » Sun Jan 23, 2005 6:50 pm

Luckily we havent had any botnets in our server . One of the main reasons Im happy to keep a small group of users is its easy to manage and you dont attract such attacks . For large networks I can imagine the headaches such things cause . The worst Ive had is a fool who thinks its fun to SYN flood me periodically . Hope you find a good solution to these botnets that works for you

Darvocet · Post by **Darvocet** » Sun Jan 23, 2005 6:52 pm

Darvocet wrote:Well another problem i get with this (though it is tolerable) is now I have like 3,000 Glines. Although they will all timeout in 24h, so thats not too bad.

Ok guys, that gzline did prevent the connect attempts from showing in my SNotice window, which is super nice. It created a ton of glines though, which I guess is ok also. I just usually dont have any.

Im sure the servers are still getting hammered a little, but the fact that the server doesnt have to send out the notices, and connect info as many times has got to be better for the network. So I imagine for the most part, besides the REGISTERED copies of XDCC Catcher that should solve the problem.

Thanks again for all the quick responses. Thats why I like unreal so much.

Darvocet.

Darvocet · Post by **Darvocet** » Sun Jan 23, 2005 6:54 pm

Solutech wrote:Luckily we havent had any botnets in our server . One of the main reasons Im happy to keep a small group of users is its easy to manage and you dont attract such attacks . For large networks I can imagine the headaches such things cause . The worst Ive had is a fool who thinks its fun to SYN flood me periodically . Hope you find a good solution to these botnets that works for you

I agree I enjoy running my small network. Because its small 100-300 users usually there are never server lags, rarely server splits, NEVER server attacks, and it makes for a much more comfortable network.

Darv.

WilliamWIkked · Post by **WilliamWIkked** » Sun Jan 23, 2005 8:11 pm

If you don't like all the glines, possibly just reduce the hours.. 24 hours is a long time if the bots keep getting new hosts.. you'll have too many glines in no time. I would try reducing it to like 10 hours or so, but that's just me.. If 24hrs works for you then by all means keep with it

Darvocet · Post by **Darvocet** » Sun Jan 23, 2005 8:32 pm

WilliamWIkked wrote:If you don't like all the glines, possibly just reduce the hours.. 24 hours is a long time if the bots keep getting new hosts.. you'll have too many glines in no time. I would try reducing it to like 10 hours or so, but that's just me.. If 24hrs works for you then by all means keep with it

Yea that isnt so bad of an idea. I am going to let it pile up for 24hours and see how many it turns out to be.

I am not sure how XDCC catcher works if it does aquire new hosts, or if the bots wouldnt likely change that often. But yes, after 24hours if there are quite a few I will reduce them.

Thanks!