bots flooding in the channels, X protection? Any?

Here is where you can post your comments about the network, give ideas for changes and what live-events you would like to see.
axis0
Posts: 2

bots flooding in the channels, X protection? Any?

Post by axis0 »

Hello,

I maintain a channel in Undernet and just recently. We have encountered some attacks of flooding.

Below is a short list of join/parts. Can X protect this? i mean the channel?

[12:57] (12:57 pm) Enters t6338 (~w1508@bb5dell.mybboc.com) [67]
[12:57] (12:57 pm) Enters v9901 (~i5110@user-24-214-20-141.knology.net) [68]
[12:57] (12:57 pm) Enters |333|t|3UM24 (~z1466@66-90-246-48.dyn.grandenetworks.net) [69]
[12:57] (12:57 pm) Enters c542 (~z3851@pcp090919pcs.audubn01.nj.comcast.net) [70]
[12:57] (12:57 pm) Enters |333|t|3UM55 (~i841@d51A45276.kabel.telenet.be) [71]
[12:57] (12:57 pm) Enters |333|t|3UM19 (~t2326@c-24-19-0-202.client.comcast.net) [72]
[12:57] (12:57 pm) Enters |333|t|3UM32 (~d6343@c-24-19-0-202.client.comcast.net) [73]
[12:57] (12:57 pm) Enters |333|t|3UM25 (~m4435@c-24-19-0-202.client.comcast.net) [74]
[12:57] (12:57 pm) Enters |333|t|3UM30 (~e5038@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net) [75]
[12:57] (12:57 pm) Enters |333|t|3UM26 (~m7968@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net) [76]
[12:57] (12:57 pm) Parts v9901 (~i5110@user-24-214-20-141.knology.net)
[12:57] (12:57 pm) Enters y1529 (~n1815@cm59152.tele2.ee) [76]
[12:57] (12:57 pm) Parts |333|t|3UM55 (~i841@d51A45276.kabel.telenet.be)
[12:57] (12:57 pm) Enters |333|t|3UM55 (~i841@d51A45276.kabel.telenet.be) [76]
[12:57] (12:57 pm) Parts |333|t|3UM26 (~m7968@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net)
[12:57] (12:57 pm) Enters |333|t|3UM26 (~m7968@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net) [76]
[12:57] (12:57 pm) Parts t6338 (~w1508@bb5dell.mybboc.com)
[12:57] (12:57 pm) Enters t6338 (~w1508@bb5dell.mybboc.com) [76]
[12:57] (12:57 pm) Parts t6338 (~w1508@bb5dell.mybboc.com)
[12:57] (12:57 pm) Parts |333|t|3UM24 (~z1466@66-90-246-48.dyn.grandenetworks.net)
[12:57] (12:57 pm) Enters |333|t|3UM24 (~z1466@66-90-246-48.dyn.grandenetworks.net) [75]
[12:57] (12:57 pm) Parts |333|t|3UM24 (~z1466@66-90-246-48.dyn.grandenetworks.net)
[12:57] (12:57 pm) Enters v9901 (~i5110@user-24-214-20-141.knology.net) [75]
[12:57] (12:57 pm) Parts v9901 (~i5110@user-24-214-20-141.knology.net)
[12:57] (12:57 pm) Parts |333|t|3UM19 (~t2326@c-24-19-0-202.client.comcast.net)
[12:57] (12:57 pm) Enters |333|t|3UM19 (~t2326@c-24-19-0-202.client.comcast.net) [74]
[12:57] (12:57 pm) Parts |333|t|3UM19 (~t2326@c-24-19-0-202.client.comcast.net)
[12:57] (12:57 pm) Parts |333|t|3UM32 (~d6343@c-24-19-0-202.client.comcast.net)
[12:57] (12:57 pm) Enters |333|t|3UM32 (~d6343@c-24-19-0-202.client.comcast.net) [73]
[12:57] (12:57 pm) Parts |333|t|3UM32 (~d6343@c-24-19-0-202.client.comcast.net)
[12:57] (12:57 pm) Parts |333|t|3UM30 (~e5038@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net)
[12:57] (12:57 pm) Enters |333|t|3UM30 (~e5038@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net) [72]
[12:57] (12:57 pm) Parts |333|t|3UM30 (~e5038@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net)
[12:57] (12:57 pm) Parts c542 (~z3851@pcp090919pcs.audubn01.nj.comcast.net)
[12:57] (12:57 pm) Enters c542 (~z3851@pcp090919pcs.audubn01.nj.comcast.net) [71]
[12:57] (12:57 pm) Parts c542 (~z3851@pcp090919pcs.audubn01.nj.comcast.net)
[12:57] (12:57 pm) Enters c542 (~z3851@pcp090919pcs.audubn01.nj.comcast.net) [71]
[12:57] (12:57 pm) Parts c542 (~z3851@pcp090919pcs.audubn01.nj.comcast.net)
[12:57] (12:57 pm) Parts |333|t|3UM43 (~j6914@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net)
[12:57] (12:57 pm) Enters |333|t|3UM43 (~j6914@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net) [70]
[12:57] (12:57 pm) Parts |333|t|3UM43 (~j6914@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net)
[12:57] (12:57 pm) Enters |333|t|3UM43 (~j6914@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net) [70]
[12:57] (12:57 pm) Parts |333|t|3UM43 (~j6914@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net)
[12:57] (12:57 pm) Enters v9901 (~i5110@user-24-214-20-141.knology.net) [70]
[12:57] (12:57 pm) Parts v9901 (~i5110@user-24-214-20-141.knology.net)
[12:57] (12:57 pm) Enters v9901 (~i5110@user-24-214-20-141.knology.net) [70]
[12:57] (12:57 pm) Enters |333|t|3UM24 (~z1466@66-90-246-48.dyn.grandenetworks.net) [71]
[12:57] (12:57 pm) Parts |333|t|3UM24 (~z1466@66-90-246-48.dyn.grandenetworks.net)
[12:57] (12:57 pm) Enters |333|t|3UM24 (~z1466@66-90-246-48.dyn.grandenetworks.net) [71]
[12:57] (12:57 pm) Enters |333|t|3UM32 (~d6343@c-24-19-0-202.client.comcast.net) [72]
[12:57] (12:57 pm) Parts |333|t|3UM32 (~d6343@c-24-19-0-202.client.comcast.net)
[12:57] (12:57 pm) Enters |333|t|3UM32 (~d6343@c-24-19-0-202.client.comcast.net) [72]
[12:57] (12:57 pm) Parts |333|t|3UM26 (~m7968@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net)
[12:57] (12:57 pm) Enters |333|t|3UM26 (~m7968@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net) [72]
[12:57] (12:57 pm) Parts |333|t|3UM26 (~m7968@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net)
[12:57] (12:57 pm) Enters |333|t|3UM26 (~m7968@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net) [72]
[12:57] (12:57 pm) Enters |333|t|3UM30 (~e5038@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net) [73]
[12:57] (12:57 pm) Parts |333|t|3UM30 (~e5038@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net)
[12:57] (12:57 pm) Enters |333|t|3UM30 (~e5038@hnllhi1-ar1-4-64-129-032.hnllhi1.dsl-verizon.net) [73]
[12:57] (12:57 pm) Enters c542 (~z3851@pcp090919pcs.audubn01.nj.comcast.net) [74]

User avatar
t0xicity
Posts: 17
Location: Cyprus

Post by t0xicity »

well my friend in this kind of situtations i would recommend u to moderate the channel(+m) or +r
embrace me..surround me..

axis0
Posts: 2

Post by axis0 »

in most cases your suggestion is not possible my friend. :)

its better to adjust the FLOAT of the channel.

HTH to you :)

User avatar
ZeroSlashe®
Posts: 238
Location: Netherlands

Post by ZeroSlashe® »

i think you should rephrase that :)
in most cases it is possible what t0xicity wrote.
Also you could put (like some big channels do) a extra bot next to X to use for more protection, for instance eggdrop can use the sentinel tcl or any relevant flood protection script.
[img]http://members.chello.nl/zeroslasher/twat.jpg[/img]

User avatar
Kaac
Posts: 77

Post by Kaac »

Well, Floatlim is a good setting, but does not help at all. As the minimum period (Floatperiod) is 20 seconds, in those 20 seconds a hundred bots can join/part like crazy. I think the period must be shorter. But back to bots floods. Moderating the channel does not really work, as most bots owner know this setting and set part reasons as a flood, so I think +r works better. Just set up and alias. And by the way, *!*@*.comcast.net is the most used by hackers (lamers) host.

gemeau50
Posts: 76
Location: Trois-Rivières, Canada

Post by gemeau50 »

At one time we had such attacks for hours.

We have 2 eggdrops in our channel but they are not set up to ban in such a case since they can fill up a banlist quite fast.

We are combining several methods to slow them down but they cannot be blocked without penalizing regular users.

Set your floatlim between 5 - 10 per 20 seconds. Eventhough you set it to 20 seconds, you will notice that X's minimal time of reaction is 30 seconds if your timestamp is activated and is displaying seconds.

You could set up your channel to either +m, +i and/or +r during a period of flood. Each parameter has advantages and disadvantages. You will find out by using them.

Since flooders are rarely properly identified, Using mIRC, I programmed a Fkey to set up a global ban on users not properly identified, as follow:
F2 mode $chan +b *!~*@* ... This is known as an alias.

This ban will freeze all users not properly identified. It will also give "floatlim" time to react.

When the attack is over, revise it. Check if you are able to identify ISP's which are not supposed to be in your channel and block them. With time, you will reduce the amount of offenders. After a while, they will go to another channel.