a Zline

Posted: Tue Sep 13, 2005 9:40 am
by GouroB
[11:21] -halcyon.banglacafe.com- *** Z:Line added for *@65.94.187.237 on Tue Sep 13 05:30:07 2005 GMT (from halcyon.banglacafe.com to expire at Tue Sep 13 05:40:07 2005 GMT: Flood from unknown connection)
How come a server bans an IP automatically? And why exactly was it banned? I have never seen it before, not even when I had heavy clone attacks. Any idea how and why it happened?

Posted: Tue Sep 13, 2005 9:55 am
by w00t
On thinking about it, sounds like something's opened a connection to a server, but not identified as a user or a server (ie, sending a NICK/USER or a SERVER), but instead flooded with random crap.

Bit strange that it zlined, but meh.

Posted: Tue Sep 13, 2005 2:54 pm
by Syzop
A client sent way too much data (default: 4K, aka: 4096 bytes) before being allowed in the IRC server (before getting registered). Usually this means something/someone is sending massive amounts of (random) data.
The user is zlined to protect against any further attacks from that user.

This is configurable via (quoting from the docs):
set::anti-flood::unknown-flood-bantime <timevalue>;
Specifies how long an unknown connection flooder is banned for.

set::anti-flood::unknown-flood-amount <amount>;
Specifies the amount of data (in KiloBytes) that the unknown connection must send in order for the user to be killed.
Though, I wouldn't suggest changing 'unknown-flood-amount', since it's a good default (that's also why you have never seen it before, it almost never catches innocent users).
'unknown-flood-bantime' you can freely change, the default is 10 minutes (which is very 'friendly' if you ask me ;p).
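
Added example, not part of the original thread and not UnrealIRCd code: a small Python parser for server notices in the shape GouroB pasted, which picks out the automatic Z:Lines placed for unknown-connection floods and computes how long each ban lasts. The function names and every sample line except the first are constructed for illustration.

```python
import re
from datetime import datetime

# Notice shape as pasted in the thread; other ban-notice variants are not handled.
NOTICE_RE = re.compile(
    r"\*\*\* (?P<kind>[A-Za-z]):Line added for (?P<mask>\S+) "
    r"on (?P<set_at>.+? GMT) \(from (?P<setter>\S+) "
    r"to expire at (?P<expires>.+? GMT): (?P<reason>.*)\)\s*$"
)
TIME_FMT = "%a %b %d %H:%M:%S %Y GMT"
UNKNOWN_FLOOD_REASON = "Flood from unknown connection"

SAMPLE = [
    # First entry is the notice from the thread; the others are constructed.
    "[11:21] -halcyon.banglacafe.com- *** Z:Line added for *@65.94.187.237 "
    "on Tue Sep 13 05:30:07 2005 GMT (from halcyon.banglacafe.com to expire "
    "at Tue Sep 13 05:40:07 2005 GMT: Flood from unknown connection)",
    "[11:25] -irc.example.net- *** Z:Line added for *@192.0.2.44 "
    "on Tue Sep 13 05:34:00 2005 GMT (from irc.example.net to expire "
    "at Tue Sep 13 05:44:00 2005 GMT: Flood from unknown connection)",
    "[11:30] -irc.example.net- *** G:Line added for *@198.51.100.7 "
    "on Tue Sep 13 05:39:00 2005 GMT (from SomeOper to expire "
    "at Tue Sep 13 06:39:00 2005 GMT: clones)",
    "[11:31] * Joins: someone",
]

def parse_ban_notice(line):
    """Return the fields of a '*:Line added' notice, or None if it is not one."""
    m = NOTICE_RE.search(line)
    if not m:
        return None
    set_at = datetime.strptime(m["set_at"], TIME_FMT)
    expires = datetime.strptime(m["expires"], TIME_FMT)
    return {
        "kind": m["kind"].upper(),
        "mask": m["mask"],
        "setter": m["setter"],
        "reason": m["reason"],
        "duration_s": int((expires - set_at).total_seconds()),
    }

def unknown_flood_bans(lines):
    """Z:Lines the server placed itself for floods before registration."""
    bans = (parse_ban_notice(line) for line in lines)
    return [b for b in bans
            if b and b["kind"] == "Z" and b["reason"] == UNKNOWN_FLOOD_REASON]

if __name__ == "__main__":
    for ban in unknown_flood_bans(SAMPLE):
        print(ban["mask"], "banned by", ban["setter"], "for", ban["duration_s"], "s")
```

The 600-second duration computed for the thread's notice matches the 10-minute default for 'unknown-flood-bantime' mentioned above.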

Posted: Tue Sep 13, 2005 4:54 pm
by GouroB
Thx w00t & Syzop, got it. I was wondering, as I had never seen or heard of the server itself banning users/connections to protect ... Anyway, I wouldn't bother to change it, because 10 mins is OK for these smart a$$'s.

Posted: Thu Sep 15, 2005 10:02 am
by w00t
Yeah, was something I've not seen before, I just guessed lucky ;)