any idea to block this or what it is ?

Posted: Tue Dec 05, 2006 3:14 pm
by Talustus
Today there is a mass connect on my network: over 1000 flood bots are connecting in a short time. I haven't seen them join any channels or flood.

[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: abbore ([email protected]) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: w00p ([email protected]) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: f_r_a ([email protected]) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: AeroDream ([email protected]) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: PERMALOSO ([email protected]) [clients]
[Di 05.12.2006|15:38:04]  *** Notice -- Client connecting on port 6667: Lonelygal ([email protected]) [clients]
[Di 05.12.2006|15:38:04]  *** Notice -- Client connecting on port 6667: PIHKAL ([email protected]) [clients]
[Di 05.12.2006|15:38:05]  *** Notice -- Client connecting on port 6667: |nCuBuS ([email protected]) [clients]
[Di 05.12.2006|15:38:05]  *** Notice -- Client connecting on port 6667: [j]o[e] ([email protected]) [clients]
[Di 05.12.2006|15:38:05]  *** Notice -- Client connecting on port 6667: Vicious ([email protected]) [clients]
Over 1000 of them. I have OPSB and BOPM running, but nothing happens, no ban or akill.
A whowas of one of them:

-=[  •••••••••••••••••••• -=[  Whowas Start ]=-
-=[  Nickname: -=[  R9 ]
-=[  Realname: -=[  2 future 4 u ]
-=[  Hostmask: -=[  8B7B76B1.750E5F6E.2FC3C20A.IP ]
-=[  Server: -=[  dream-irc.de ]
-=[  •••••••••••••••••••• -=[  Whowas Ende ]=-
And all have the same in their quit msgs:

[15:39:45] <@ConnectServ> SIGNOFF egmjnelfo ([email protected] AAAAAA - American Association Against Acronym Abus) signed off at dream-irc.de Quit: th1z iz .:tHa lEEtf0rCe:. dUn f0k wiT eLiTeCr3w
[15:39:45] <@ConnectServ> SIGNOFF R9 ([email protected] 2 future 4 u) signed off at dream-irc.de Quit: th1z iz .:tHa lEEtf0rCe:. dUn f0k wiT eLiTeCr3w
Any idea or help to block it would be great.
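The pattern in the post above (hundreds of connects from one /24 within a few seconds, no channel activity) is easy to spot automatically from the connect notices. The following is an added example, not code from the thread or from UnrealIRCd: it parses notices in the format quoted above, groups literal IPs by /24, and reports any subnet whose peak connect rate inside a short window crosses a threshold. The user@host fields in the quoted log were redacted, so the sample lines below are constructed (12.190.84.0/24 is the range named in the thread, 192.0.2.0/24 is documentation address space); the window size and threshold are assumptions to tune for your network.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample input in the format of the connect notices quoted in the post.
# The ident@host values are made up; the cloaked host and the unrelated line are
# there to show that the parser skips what it cannot attribute to a subnet.
SAMPLE_LOG = """\
[Di 05.12.2006|15:30:00]  *** Notice -- Client connecting on port 6667: regular1 (alice@192.0.2.10) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: abbore (bot@12.190.84.101) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: w00p (bot@12.190.84.102) [clients]
[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: f_r_a (bot@12.190.84.103) [clients]
[Di 05.12.2006|15:38:04]  *** Notice -- Client connecting on port 6667: AeroDream (bot@12.190.84.104) [clients]
[Di 05.12.2006|15:38:04]  *** Notice -- Client connecting on port 6667: PERMALOSO (bot@12.190.84.105) [clients]
[Di 05.12.2006|15:38:05]  *** Notice -- Client connecting on port 6667: Lonelygal (bot@12.190.84.106) [clients]
[Di 05.12.2006|15:38:05]  *** Notice -- Client connecting on port 6667: PIHKAL (bot@12.190.84.107) [clients]
[Di 05.12.2006|15:38:05]  *** Notice -- Client connecting on port 6667: R9 (x@8B7B76B1.750E5F6E.2FC3C20A.IP) [clients]
[Di 05.12.2006|15:45:00]  *** Notice -- Client connecting on port 6667: regular2 (bob@192.0.2.20) [clients]
some unrelated server notice that the parser must ignore
"""

# One connect notice: "[Di 05.12.2006|15:38:03]  *** Notice -- Client connecting on port 6667: nick (ident@host) [class]"
NOTICE_RE = re.compile(
    r"^\[\S+ (?P<date>\d{2}\.\d{2}\.\d{4})\|(?P<time>\d{2}:\d{2}:\d{2})\]\s+"
    r"\*\*\* Notice -- Client connecting on port (?P<port>\d+): "
    r"(?P<nick>\S+) \((?P<ident>[^@\s]+)@(?P<host>[^)\s]+)\) \[(?P<cls>[^\]]+)\]\s*$"
)


def parse_notice(line):
    """Parse one connect notice; returns None for lines that are not connect notices."""
    m = NOTICE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H:%M:%S")
    return {"time": ts, "nick": m["nick"], "ident": m["ident"],
            "host": m["host"], "port": int(m["port"]), "class": m["cls"]}


def subnet_of(host, prefixlen=24):
    """Containing network (as a string) of a literal IP host; cloaked hosts and DNS names give None."""
    try:
        addr = ip_address(host)
    except ValueError:
        return None
    return str(ip_network(f"{addr}/{prefixlen}", strict=False))


def peak_in_window(times, window_seconds):
    """Largest number of events falling inside any interval of window_seconds (two-pointer sweep)."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_connect_bursts(log_text, window_seconds=10, threshold=5, prefixlen=24):
    """Map each subnet whose peak connect rate reaches threshold to that peak count."""
    per_net = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_notice(line)
        if ev is None:
            continue
        net = subnet_of(ev["host"], prefixlen)
        if net is None:
            continue  # cloaked or hostname-only: cannot be attributed to a subnet
        per_net[net].append(ev["time"])
    bursts = {}
    for net, times in per_net.items():
        peak = peak_in_window(times, window_seconds)
        if peak >= threshold:
            bursts[net] = peak
    return bursts


def wildcard_mask(net_str):
    """Render an IPv4 /8, /16 or /24 in the *@a.b.c.* form the thread's gzline uses."""
    net = ip_network(net_str)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        return f"*@{net.with_prefixlen}"
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return "*@" + ".".join(octets + ["*"])


if __name__ == "__main__":
    for net, peak in find_connect_bursts(SAMPLE_LOG).items():
        print(f"{peak} connects within 10s from {net}, candidate mask {wildcard_mask(net)}")
```

Feeding the IRCd's log (or the output of a connect-notice tail) through `find_connect_bursts` gives an operator the offending range and the matching mask within seconds of the burst starting; the cloaked hosts that the whowas shows are skipped because a cloak cannot be mapped back to a subnet, so run this on the server side where the real IP is visible.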

Posted: Tue Dec 05, 2006 3:46 pm
by Stealth
Simple:

/gzline *@12.190.84.* 0 Flood bots.
When having an issue, always look at the IPs or hosts the attacker is using. A GZLine takes a whole lot less CPU and memory than a Spamfilter would. If you have access to the firewall settings on the system, I would also recommend you block them with the firewall for a while.

The IPs seem to be owned by a private organization, GGnet.net, a US-based company. It is against federal law for companies to initiate attacks. The IPs seem to be assigned by AT&T Worldnet Services, so you should send an abuse report to them as well. It is also possible that GGNet has been compromised, but that seems unlikely.

For more info:
http://www.dnsstuff.com/tools/whois.ch?ip=12.190.84.103
http://www.dnsstuff.com/tools/whois.ch? ... s.arin.net

AT&T Worldnet Services Abuse Information:
OrgAbuseHandle: ATTAB-ARIN
OrgAbuseName: ATT Abuse
OrgAbusePhone: +1-919-319-8130
OrgAbuseEmail: [email protected]

thx Stealth

Posted: Tue Dec 05, 2006 5:37 pm
by Talustus
Thx for your fast answer. I have written an abuse mail to ATT Abuse, but isn't there an opportunity to block mass connects with the same IP ranges like 12.190.84.*, or limit them, for example only 50 connections from one IP range (12.190.84.0-12.190.84.255), a module or so?

Posted: Tue Dec 05, 2006 6:18 pm
by Jason
To mass block those connects, use a kline, zline, gline, or gzline. You can limit the maximum number of simultaneous connections by giving the range its own class and allow block, and setting a maximum number of users in that class.

Posted: Tue Dec 05, 2006 6:22 pm
by Stealth
The gzline command will have the IRCd terminate their connections immediately, so no data is sent. This may stop them faster; people usually stop when they realize none of the bots are connecting at all.

If you want to limit the connections (not recommended), you can use a class and allow block and be sure to limit the maxperip and maxclients parameters.

A small note about using the GZLINE command... You may want to:
/mode yournick +s -cF
before typing it, and
/mode yournick +s +cF
after to prevent being flooded with exit notices.
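Jason's and Stealth's posts both describe the limiting option: a dedicated class plus an allow block for the range. The fragment below is an added example of that, not configuration from the thread or from the UnrealIRCd project; it uses the UnrealIRCd 3.2 syntax that the commands in this thread (gzline, umode +s and the snomask -cF) belong to. The class name, the maxclients and maxperip values and the pingfreq/sendq/recvq figures are assumptions chosen for illustration, and 12.190.84.* is the range named above.

```conf
/* Added example (assumed UnrealIRCd 3.2 syntax): cap how many clients the
 * 12.190.84.0/24 range may hold at once instead of banning it outright. */
class floodrange {
	pingfreq 90;
	maxclients 50;     /* at most 50 simultaneous clients from this class */
	sendq 100000;
	recvq 8000;
};

/* The allow block ties the range to that class and additionally caps
 * connections per single IP. */
allow {
	ip       *@12.190.84.*;
	hostname *@12.190.84.*;
	class    floodrange;
	maxperip 3;        /* at most 3 clients from any one address in the range */
};
```

Two things to check before relying on this: the 51st bot is refused but the first 50 still connect and still consume a slot, which is why Stealth calls it "not recommended" compared with a gzline; and where this block must sit relative to your general `allow { ip *@*; ... }` block depends on the matching order of the IRCd version you run, so confirm against the allow block section of the manual for that version, then rehash and watch the connect notices to verify that clients from the range land in class floodrange rather than clients.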

Posted: Tue Dec 05, 2006 6:46 pm
by Talustus
I have gzlined the IP ranges and I will wait the next days to see what happens. If we get attacked I will write an allow block.