| Tip of the day: Log files can use JSON logging. You can also send the JSON data to IRCOps on IRC. The JSON is machine readable and contains lots of details about every log event. |
Channel anti-flood settings
UnrealIRCd comes with an advanced but slightly complex anti-flood mode +f. UnrealIRCd 6.1.0+ also has an easier mode +F.
Channel mode F profiles[edit]
This feature only exists in UnrealIRCd 6.1.0 or higher
Channel mode +F allows easy selection of a predefined anti-flood profile, for example: +F normal
The following anti-flood profiles are available (use +F name-of-profile):
| Flood profile | Joins | Messages | Nick changes | CTCP's | Knocks |
|---|---|---|---|---|---|
| very-strict | 10 in 15 seconds | 30 in 15 seconds | 5 in 15 seconds | 7 in 15 seconds | 10 in 15 seconds |
| strict | 15 in 15 seconds | 40 in 15 seconds | 8 in 15 seconds | 7 in 15 seconds | 10 in 15 seconds |
| normal | 30 in 15 seconds | 40 in 15 seconds | 8 in 15 seconds | 7 in 15 seconds | 10 in 15 seconds |
| relaxed | 45 in 15 seconds | 60 in 15 seconds | 10 in 15 seconds | 7 in 15 seconds | 10 in 15 seconds |
| very-relaxed | 60 in 15 seconds | 90 in 15 seconds | 10 in 15 seconds | 7 in 15 seconds | 10 in 15 seconds |
| off | no limit | no limit | no limit | no limit | no limit |
| If exceeded... | Set +R for 10min
|
set +M for 10min
|
Set +N for 15min
|
Set +C for 15min
|
Set +K for 15min
|
Guidelines:[edit]
- For most channels
+F normalshould be good. - For big channels with lots of activity (like the main network channel)
+F relaxedmay be more suitable. - For small channels with like 10 people,
+F strictmay be a good choice if you want the anti flood controls to be set more tight. +F offis only useful if a default profile is configured. Otherwise, it is the same as-F.- The old mode
+falso still exists. Any flood settings defined there override+F
When a flood limit is exceeded in the channel:[edit]
- For joins/messages/nick-changes:
- UnrealIRCd will first analyze if the people who triggered the anti flood controls are classified as unknown-users.
- unknown-users are users who are not identified to services and using an IP that has not been on IRC much (the exact definition is defined by the server administrator)
- If they are responsible for the flood, then only unknown-users will be prevented from joining/messaging/nick-changing for the specified amount of times.
- Only if that didn't help enough, next step is taken (setting a channel mode).
- A channel mode will be set, as shown in the table (
+R/+M/+N/+C/+K) - After the specified time in minutes, the channel mode or other countermeasure is removed (eg:
-Ror-M). Of course, chanops can remove the mode immediately if it was a false alarm.
Customizing profiles[edit]
The server admin can customize the profiles or add new ones, this is done via set::anti-flood::channel.
Please note that the default profiles have been carefully chosen:
- See the flood profiles table for a better overview of the default settings
- For message flood and join flood:
- These are bad if they get triggered needlessly since they prevent users from joining or speaking
- In all profiles we made sure it requires several people to trigger the flood. Eg a user can max send 15 messages in 15 seconds. If only 1 user is flooding they cannot trigger the message limit of 30 even for profile very-strict
- For nick floods:
- It is quite annoying if a channel is set
+N(no nick changes allowed) - In the default configuration an unknown user can do 2 and a known user can do 3 nick changes per 90 seconds via the anti-flood block. So this requires at least 3 or 4 users nick flooding if the limit is set at 8, such as for normal and strict.
- It is quite annoying if a channel is set
- For CTCP flood:
- A single user can trigger this, but it would result in the channel being
+Cwhich is not really a problem.
- A single user can trigger this, but it would result in the channel being
- For knock floods:
- This only goes to channel ops, so is really only a convenience thing
- The removal time of 10 minutes or 15 minutes is a trade-off:
- It should not be too low: otherwise you would see repeated flood, +R, -R, flood, +R, -R, flood, etc.
- It should not be too high: if the flood is gone, people should be able to talk/join/.. again. Especially if no chanops are around, you don't want it to be set forever.
set {
anti-flood {
channel {
profile very-strict { flood-mode "[7c#C15,10j#R10,10k#K15,30m#M10,10n#N15]:15"; }
profile strict { flood-mode "[7c#C15,15j#R10,10k#K15,40m#M10,10n#N15]:15"; }
profile normal { flood-mode "[7c#C15,30j#R10,10k#K15,40m#M10,10n#N15]:15"; }
profile relaxed { flood-mode "[7c#C15,45j#R10,10k#K15,60m#M10,10n#N15]:15"; }
profile very-relaxed { flood-mode "[7c#C15,60j#R10,10k#K15,90m#M10,10n#N15]:15"; }
}
}
}
The value of flood-mode uses the same syntax as channel mode f, except that currently floodtypes 't' and 'r' cannot be used.
Default profile[edit]
You can set a default profile that will be used if the channel is -F:
set {
anti-flood {
channel {
default-profile normal;
}
}
}
This makes it so all channels automatically use the +F profile "normal" by default.
Users can still set +F relaxed or choose any other flood profile. If they don't want any flood protection, they have to explicitly set +F off.
Channel mode f[edit]
An example +f mode is: +f [10j]:15 which means 10 joins per 15 seconds are allowed in the channel. If the limit is hit, the channel will be set +i (Invite only) automatically.
UnrealIRCd 6.1.0+ also has an easier to use mode +F (see above). Any settings from +f override the ones from the flood profile +F. Type MODE #channel +F to get a server notice back with the currently effective flood settings.
The following flood types are available:
| Type | Name | Default action | Other actions | Comments |
|---|---|---|---|---|
| c | CTCPs | Set channel mode +C (block all CTCP's)
|
||
| j | joins | Set channel mode +i (invite only)
|
R | |
| k | knocks | Set channel mode +K (no /knock's)
|
||
| m | messages/notices | Set channel mode +m (regular users cannot speak)
|
M, d | |
| n | nick changes | Set channel mode +N (no nick-changes permitted)
|
||
| t | text | Kick the user | b, d | Per-user message/notice limit. Action is to kick or kick+ban the user, or to drop the message. This flood type can only be used in +f currently and not in +F profiles.
|
| r | repeat | Kick the user | b, d | Per-user repeat limit. Action is to kick or kick+ban the user, or to drop the message. This flood type can only be used in +f currently and not in +F profiles.
|
Example:
*** ChanOp sets mode: +f [20j,50m,7n]:15 <ChanOp> lalala *** Evil1 (~fdsdsfddf@Clk-17B4D84B.blah.net) has joined #test *** Evil2 (~jcvibhcih@Clk-3472A942.xx.someispcom) has joined #test *** Evil3 (~toijhlihs@Clk-38D374A3.aol.com) has joined #test *** Evil4 (~eihjifihi@Clk-5387B42F.dfdfd.blablalba.be) has joined #test -- snip XX lines -- *** Evil21 (~jiovoihew@Clk-48D826C3.e.something.org) has joined #test -server1.test.net:#test *** Channel joinflood detected (limit is 20 per 15 seconds), putting +i *** server1.test.net sets mode: +i <Evil2> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl <Evil12> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl <Evil15> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl <Evil10> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl <Evil8> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl -- snip XX lines -- -server1.test.net:#test *** Channel msg/noticeflood detected (limit is 50 per 15 seconds), putting +m *** server1.test.net sets mode: +m *** Evil1 is now known as Hmmm1 *** Evil2 is now known as Hmmm2 *** Evil3 is now known as Hmmm3 *** Evil4 is now known as Hmmm4 *** Evil5 is now known as Hmmm5 *** Evil6 is now known as Hmmm6 *** Evil7 is now known as Hmmm7 *** Evil8 is now known as Hmmm8 -server1.test.net:#test *** Channel nickflood detected (limit is 7 per 15 seconds), putting +N *** server1.test.net sets mode: +N
In fact, it can get even more advanced/complicated:
Instead of the default action, you can for some floodtypes specify another one, for example: +f [20j#R,50m#M]:15
This will set the channel +R if the joinlimit is reached (>20 joins in 15 seconds), and will set the channel +M if the msg limit is reached (>50 messages in 15 seconds).
There's also a "remove mode after X minutes" feature: +f [20j#R5]:15 will set the channel +R if the limit is reached and will set -R after 5 minutes.
A server can have a default unsettime (set::modef-default-unsettime), so if you type +f [20j]:15 it could get transformed into +f [20j#i10]:15, it's just a default, you can still set [20j#i2]:15 or something like that, and you can also disable the remove-chanmode completely by doing a +f [20j#i0]:15 (an explicit 0).
What the best +f mode is heavily depends on the channel. How many users does it have? Do you have a game that makes users msg a lot (eg: trivia) or do users often use "popups"? Is it some kind of main channel or in auto-join? etc..
This can be a good example channel mode: +f [30j#i10,40m#m10,7c#C15,10n#N15,30k#K10]:15
- 30 joins per 15 seconds, if limit is reached set channel +i for 10 minutes
- 40 messages per 15 seconds, if limit is reached set channel +m for 10 minutes
- 7 ctcps per 15 seconds, if limit is reached set channel +C for 15 minutes
- 10 nickchanges per 15 seconds, if limit is reached set channel +N for 15 minutes
- 30 knocks per 15 seconds, if limit is reached set channel +K for 10 minutes
Take that example and modify it to suit your needs. If you have a large channel (>75 users?) you will want to increase the join sensitivity (to eg: 50) and the message limit (to eg: 60 or 75). This so +f won't trigger too soon.
The remove-mode times are a matter of taste.. you should think like.. what if no op is available to handle the situation, do I want to have the channel locked for like 15 minutes (=not nice for users) or 5 minutes (=likely the flooders will just wait 5m and flood again). It also depends on the floodtype, users unable to join (+i) or speak (+m) is worse than having them unable to change their nick (+N) or send ctcps to the channel (+C) so you might want to use different removal times.
Other configuration settings[edit]
Requires UnrealIRCd 6.1.0 or later
set {
anti-flood {
channel {
boot-delay 75;
split-delay 75;
}
}
}
The boot-delay disables +f/+F join-flood detection (subtype 'j') when the server has just been (re)started. This because many users are likely to connect rapidly to this server. This makes sure +f/+F does not take action.
The split-delay disables +f/+F join-flood detection (subtype 'j') when any server splits off the network. This because the server may have a network issue or is restarting, which would cause clients from that server to reconnect to other servers, triggering a join flood when it is unneeded. This makes sure +f/+F does not take action. The downside of this is that on any server split, temporarily the join flood protection is off for a short while. We think this downside is acceptable because mode +f/+F needs to be as painless as possible and should not kick in when not needed. If you have a bigger network, eg 5 servers or more, and your clients are equally spread among them, then you could set this setting to 0. This because in such a case it is not too bad when 1 server dies. It would only cause 1/5th (20%) users to reconnect in such a case, which may not be enough to trigger +f. To verify this or to be sure, you would have to try though.