Channel anti-flood settings
UnrealIRCd comes with an advanced but slightly complex anti-flood mode +f. UnrealIRCd 6.1.0+ also has an easier mode +F.
Channel mode F profiles
This feature only exists in UnrealIRCd 6.1.0 or higher
Channel mode +F allows easy selection of a predefined anti-flood profile, for example: +F normal
The following anti-flood profiles are available (use +F name-of-profile):
Flood profile | Joins | Messages | Nick changes | CTCP's | Knocks |
---|---|---|---|---|---|
very-strict | 10 in 15 seconds | 30 in 15 seconds | 5 in 15 seconds | 7 in 15 seconds | 10 in 15 seconds |
strict | 15 in 15 seconds | 40 in 15 seconds | 8 in 15 seconds | 7 in 15 seconds | 10 in 15 seconds |
normal | 30 in 15 seconds | 40 in 15 seconds | 8 in 15 seconds | 7 in 15 seconds | 10 in 15 seconds |
relaxed | 45 in 15 seconds | 60 in 15 seconds | 10 in 15 seconds | 7 in 15 seconds | 10 in 15 seconds |
very-relaxed | 60 in 15 seconds | 90 in 15 seconds | 10 in 15 seconds | 7 in 15 seconds | 10 in 15 seconds |
off | no limit | no limit | no limit | no limit | no limit |
If exceeded... | Set +R for 10min | Set +M for 10min | Set +N for 15min | Set +C for 15min | Set +K for 15min |
Guidelines:
- For most channels +F normal should be good.
- For big channels with lots of activity (like the main network channel) +F relaxed may be more suitable.
- For small channels with like 10 people, +F strict may be a good choice if you want the anti flood controls to be set more tight.
- +F off is only useful if a default profile is configured. Otherwise, it is the same as -F.
- The old mode +f also still exists. Any flood settings defined there override +F
When a flood limit is exceeded in the channel:
- For joins/messages/nick-changes:
  - UnrealIRCd will first analyze if the people who triggered the anti flood controls are classified as unknown-users.
    - unknown-users are users who are not identified to services and using an IP that has not been on IRC much (the exact definition is defined by the server administrator)
  - If they are responsible for the flood, then only unknown-users will be prevented from joining/messaging/nick-changing for the specified amount of time.
  - Only if that didn't help enough, the next step is taken (setting a channel mode).
- A channel mode will be set, as shown in the table (+R/+M/+N/+C/+K)
- After the specified time in minutes, the channel mode or other countermeasure is removed (eg: -R or -M). Of course, chanops can remove the mode immediately if it was a false alarm.
Customizing profiles
The server admin can customize the profiles or add new ones via set::anti-flood::channel.
Please note that the default profiles have been carefully chosen:
- See the flood profiles table for a better overview of the default settings
- For message flood and join flood:
  - These are bad if they get triggered needlessly since they prevent users from joining or speaking
  - In all profiles we made sure it requires several people to trigger the flood. E.g. a user can send at most 15 messages in 15 seconds. If only 1 user is flooding they cannot trigger the message limit of 30, even for profile very-strict
- For nick floods:
  - It is quite annoying if a channel is set +N (no nick changes allowed)
  - In the default configuration an unknown user can do 2 and a known user can do 3 nick changes per 90 seconds via the anti-flood block. So this requires at least 3 or 4 users nick flooding if the limit is set at 8, such as for normal and strict.
- For CTCP flood:
  - A single user can trigger this, but it would result in the channel being +C which is not really a problem.
- For knock floods:
  - This only goes to channel ops, so is really only a convenience thing
- The removal time of 10 minutes or 15 minutes is a trade-off:
  - It should not be too low: otherwise you would see repeated flood, +R, -R, flood, +R, -R, flood, etc.
  - It should not be too high: if the flood is gone, people should be able to talk/join/.. again. Especially if no chanops are around, you don't want it to be set forever.
```
set {
    anti-flood {
        channel {
            profile very-strict {
                flood-mode "[7c#C15,10j#R10,10k#K15,30m#M10,10n#N15]:15";
            }
            profile strict {
                flood-mode "[7c#C15,15j#R10,10k#K15,40m#M10,10n#N15]:15";
            }
            profile normal {
                flood-mode "[7c#C15,30j#R10,10k#K15,40m#M10,10n#N15]:15";
            }
            profile relaxed {
                flood-mode "[7c#C15,45j#R10,10k#K15,60m#M10,10n#N15]:15";
            }
            profile very-relaxed {
                flood-mode "[7c#C15,60j#R10,10k#K15,90m#M10,10n#N15]:15";
            }
        }
    }
}
```
The value of flood-mode uses the same syntax as channel mode f, except that currently floodtypes 't' and 'r' cannot be used.
Default profile
You can set a default profile that will be used if the channel is -F:
```
set {
    anti-flood {
        channel {
            default-profile normal;
        }
    }
}
```
This makes it so all channels automatically use the +F profile "normal" by default.
Users can still set +F relaxed or choose any other flood profile. If they don't want any flood protection, they have to explicitly set +F off.
Channel mode f
An example +f mode is: +f [10j]:15 which means 10 joins per 15 seconds are allowed in the channel. If the limit is hit, the channel will be set +i (Invite only) automatically.
UnrealIRCd 6.1.0+ also has an easier to use mode +F (see above). Any settings from +f override the ones from the flood profile +F. Type MODE #channel +F to get a server notice back with the currently effective flood settings.
The following flood types are available:
Type | Name | Default action | Other actions | Comments |
---|---|---|---|---|
c | CTCPs | Set channel mode +C (block all CTCP's) | | |
j | joins | Set channel mode +i (invite only) | R | |
k | knocks | Set channel mode +K (no /knock's) | | |
m | messages/notices | Set channel mode +m (regular users cannot speak) | M, d | |
n | nick changes | Set channel mode +N (no nick-changes permitted) | | |
t | text | Kick the user | b, d | Per-user message/notice limit. Action is to kick or kick + ban the user, or to drop the message. This flood type can only be used in +f currently and not in +F profiles. |
r | repeat | Kick the user | b, d | Per-user repeated lines limit. Action is to kick or kick + ban the user, or to drop the message. This flood type can only be used in +f currently and not in +F profiles. |
Example:
```
*** ChanOp sets mode: +f [20j,50m,7n]:15
<ChanOp> lalala
*** Evil1 ([email protected]) has joined #test
*** Evil2 ([email protected]) has joined #test
*** Evil3 ([email protected]) has joined #test
*** Evil4 ([email protected]) has joined #test
-- snip XX lines --
*** Evil21 ([email protected]) has joined #test
-server1.test.net:#test *** Channel joinflood detected (limit is 20 per 15 seconds), putting +i
*** server1.test.net sets mode: +i
<Evil2> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil12> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil15> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil10> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil8> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
-- snip XX lines --
-server1.test.net:#test *** Channel msg/noticeflood detected (limit is 50 per 15 seconds), putting +m
*** server1.test.net sets mode: +m
*** Evil1 is now known as Hmmm1
*** Evil2 is now known as Hmmm2
*** Evil3 is now known as Hmmm3
*** Evil4 is now known as Hmmm4
*** Evil5 is now known as Hmmm5
*** Evil6 is now known as Hmmm6
*** Evil7 is now known as Hmmm7
*** Evil8 is now known as Hmmm8
-server1.test.net:#test *** Channel nickflood detected (limit is 7 per 15 seconds), putting +N
*** server1.test.net sets mode: +N
```
In fact, it can get even more advanced/complicated:
Instead of the default action, you can for some floodtypes specify another one, for example: +f [20j#R,50m#M]:15
This will set the channel +R if the joinlimit is reached (>20 joins in 15 seconds), and will set the channel +M if the msg limit is reached (>50 messages in 15 seconds).
There's also a "remove mode after X minutes" feature: +f [20j#R5]:15 will set the channel +R if the limit is reached and will set -R after 5 minutes.
A server can have a default unsettime (set::modef-default-unsettime), so if you type +f [20j]:15 it could get transformed into +f [20j#i10]:15. It's just a default: you can still set [20j#i2]:15 or something like that, and you can also disable the remove-chanmode completely with +f [20j#i0]:15 (an explicit 0).
What the best +f mode is heavily depends on the channel. How many users does it have? Do you have a game that makes users msg a lot (eg: trivia) or do users often use "popups"? Is it some kind of main channel or in auto-join? etc..
This can be a good example channel mode: +f [30j#i10,40m#m10,7c#C15,10n#N15,30k#K10]:15
- 30 joins per 15 seconds, if limit is reached set channel +i for 10 minutes
- 40 messages per 15 seconds, if limit is reached set channel +m for 10 minutes
- 7 ctcps per 15 seconds, if limit is reached set channel +C for 15 minutes
- 10 nickchanges per 15 seconds, if limit is reached set channel +N for 15 minutes
- 30 knocks per 15 seconds, if limit is reached set channel +K for 10 minutes
Take that example and modify it to suit your needs. If you have a large channel (>75 users?) you will want to raise the join limit (to eg: 50) and the message limit (to eg: 60 or 75), so that +f won't trigger too soon.
The remove-mode times are a matter of taste. Consider what happens if no op is available to handle the situation: do you want the channel locked for 15 minutes (not nice for users) or 5 minutes (likely the flooders will just wait 5 minutes and flood again)? It also depends on the floodtype: users being unable to join (+i) or speak (+m) is worse than them being unable to change their nick (+N) or send CTCPs to the channel (+C), so you might want to use different removal times.
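The flood-mode syntax described above is shared by +f and the flood-mode value of set::anti-flood::channel profiles, so a value can be checked before it is set on a channel or put into the configuration. The parser below is an added example, not UnrealIRCd code: the names parse_flood_mode and for_profile and the returned layout are assumptions, and the action table is copied from the flood type table on this page, so it may be stricter than the server itself.

```python
import re

# Default action and listed alternatives per flood type, copied from the
# flood type table on this page ("kick" has no mode letter given there).
ACTIONS = {
    "c": ("C", set()), "j": ("i", {"R"}), "k": ("K", set()),
    "m": ("m", {"M", "d"}), "n": ("N", set()),
    "t": ("kick", {"b", "d"}), "r": ("kick", {"b", "d"}),
}
PER_USER_TYPES = {"t", "r"}  # per the page: usable in +f only, not in profiles

_OUTER = re.compile(r"^\[([^\[\]]+)\]:(\d+)$")
_ITEM = re.compile(r"^(\d+)([a-z])(?:#([A-Za-z])(\d+)?)?$")


def parse_flood_mode(value, for_profile=False):
    """Parse e.g. '[20j#R5,50m]:15' into (period_seconds, {type: rule})."""
    outer = _OUTER.match(value.strip())
    if not outer:
        raise ValueError("expected [<items>]:<seconds>")
    period = int(outer.group(2))
    if period < 1:  # sanity check added for this example
        raise ValueError("period must be at least 1 second")
    rules = {}
    for item in outer.group(1).split(","):
        m = _ITEM.match(item.strip())
        if not m:
            raise ValueError(f"bad item {item!r}")
        limit, ftype, action, minutes = m.groups()
        if ftype not in ACTIONS:
            raise ValueError(f"unknown flood type {ftype!r}")
        if ftype in rules:
            raise ValueError(f"flood type {ftype!r} given twice")
        if for_profile and ftype in PER_USER_TYPES:
            raise ValueError(f"type {ftype!r} is valid in +f only, not in profiles")
        default, others = ACTIONS[ftype]
        if action is not None and action != default and action not in others:
            raise ValueError(f"action {action!r} not listed for type {ftype!r}")
        rules[ftype] = {
            "limit": int(limit),
            "action": action or default,
            # None: not given, a server default may apply; 0: explicit "never remove"
            "minutes": int(minutes) if minutes is not None else None,
        }
    return period, rules

if __name__ == "__main__":
    print(parse_flood_mode("[20j#R5,50m#M]:15"))  # value taken from the text above
```

Passing for_profile=True applies the extra restriction that floodtypes 't' and 'r' cannot appear in a profile's flood-mode.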
Exempting users from flood protection
- Messages and other actions from chanops (+h/+o/+a/+q) will not be counted in the flood protection and no action will be taken on them
- You can also use +e ~flood to set exemptions for users, see the ~flood extended ban. This can be useful to give to a bot or a group of users that you want to exempt from flood protection but do not want to give ops to.
- IRCOps are exempt as well, to be exact: the operclass privilege is channel:override:flood.
Other configuration settings
Requires UnrealIRCd 6.1.0 or later
```
set {
    anti-flood {
        channel {
            boot-delay 75;
            split-delay 75;
        }
    }
}
```
The boot-delay disables +f/+F join-flood detection (subtype 'j') when the server has just been (re)started. This is because many users are likely to connect rapidly to this server. This makes sure +f/+F does not take action.
The split-delay disables +f/+F join-flood detection (subtype 'j') when any server splits off the network. This is because the server may have a network issue or is restarting, which would cause clients from that server to reconnect to other servers, triggering a join flood when it is unneeded. This makes sure +f/+F does not take action. The downside of this is that on any server split, the join flood protection is temporarily off for a short while. We think this downside is acceptable because mode +f/+F needs to be as painless as possible and should not kick in when not needed. If you have a bigger network, eg 5 servers or more, and your clients are equally spread among them, then you could set this setting to 0. This is because in such a case it is not too bad when 1 server dies. It would only cause 1/5th (20%) of users to reconnect in such a case, which may not be enough to trigger +f. To verify this or to be sure, you would have to try though.