Connthrottle
The connthrottle module in UnrealIRCd protects against bot/drone attacks by limiting unknown users. These are users that have not been seen before and are not identified via SASL. The module has two limits that work together:
- A rate limit on how many unknown users can connect per minute (local and global). For example, at 20:60 only 20 unknown users per minute can connect. This protects against fast connection floods.
- An IPv6 prefix limit on how many unknown users can be online at the same time from a wider IPv6 range (/56, /48 and /32). This is on top of the per-/64 limit that allow::maxperip already enforces. This protects against slow but persistent attacks from a single IPv6 customer who has many addresses.
Users with a high Reputation score (24+ by default) or who are identified via SASL bypass both limits. So your regular users can always get in, while attackers from new addresses are rejected.
This module is highly effective against bot/drone attacks. It will reject most "bad" connections, while still allowing most of your regular users in.
set {
    connthrottle {
        /* First we configure which users are exempt from the
         * restrictions. These users are always allowed in!
         * By default these are users on IP addresses that have
         * a score of 24 or higher. A score of 24 means that the
         * IP was connected to this network for at least 2 hours
         * in the past month (or minimum 1 hour if registered).
         * We also allow users who are identified to services via
         * SASL to bypass the restrictions.
         */
        except {
            reputation-score 24;
            identified yes;
            /* for more options, see
             * https://www.unrealircd.org/docs/Mask_item
             */
        }
        /* New users are all users that do not belong in the
         * known-users group. They are considered "new" and in
         * case of a high number of such new users connecting
         * they are subject to connection rate limiting.
         * By default the rate is 20 new local users per minute
         * and 30 new global users per minute.
         */
        new-users {
            local-throttle 20:60;
            global-throttle 30:60;
        };
        /* For IPv6 users, on top of 'maxperip' (which limits
         * connections per /64), connthrottle also limits how
         * many unknown users can be online from wider IPv6
         * prefixes (/56, /48, /32). This is an additional
         * security measure, separate from the rate-throttle
         * above. People in the security-group "known-users"
         * bypass this, as well as set::connthrottle::except.
         * The defaults below should fit most networks unchanged.
         * Uncomment to tune. Set a cidr-xx item to max 0;
         * to disable it.
         */
        //ipv6-unknown-users-limit {
        //    cidr-56 { max 8; }
        //    cidr-48 { max 32; }
        //    cidr-32 { max 256; }
        //}
        /* This configures when the rate limit (new-users) will
         * NOT be active. By default this is when:
         * - The reputation module has been running for less than
         *   a week. If running less than 1 week then there is
         *   insufficient data to consider who is a "known user".
         * - The server has just been booted up (first 3 minutes).
         */
        disabled-when {
            reputation-gathering 1w;
            start-delay 3m;
        };
        /* This error reason is shown to users when actively throttling */
        reason "Throttled: Too many users trying to connect, please wait a while and try again";
    };
};
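To see how the two limits and the exemptions interact, here is a small Python model of the accept/reject decision described above (an added illustration, not UnrealIRCd's own code). It uses a sliding 60-second window for the local rate limit, counts only unknown users towards the IPv6 prefix limits, and leaves out the global limit and the disabled-when conditions; the class, its method names and the sample addresses are made up for this example.

```python
import ipaddress
from collections import deque


class ConnThrottle:
    """Simplified model of connthrottle's accept/reject decision (not the real module)."""

    def __init__(self, local_throttle=(20, 60), reputation_score=24,
                 identified_ok=True, ipv6_limits=None):
        self.count, self.period = local_throttle      # new-users::local-throttle, e.g. 20:60
        self.min_score = reputation_score             # except::reputation-score
        self.identified_ok = identified_ok            # except::identified
        # ipv6-unknown-users-limit defaults: prefix length -> max unknown users online
        self.ipv6_limits = ipv6_limits or {56: 8, 48: 32, 32: 256}
        self.recent = deque()   # timestamps of accepted unknown users (sliding window)
        self.online = []        # addresses of unknown users currently online

    def exempt(self, score, identified):
        """Known (high reputation) or SASL-identified users bypass both limits."""
        return score >= self.min_score or (identified and self.identified_ok)

    def prefix_usage(self, addr, plen):
        """Number of unknown users online from the same /plen as addr."""
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        return sum(1 for o in self.online if o in net)

    def connect(self, ip, now, score=0, identified=False):
        """Return (accepted, reason) for a connection attempt at time `now` (seconds)."""
        if self.exempt(score, identified):
            return True, "except"
        addr = ipaddress.ip_address(ip)
        if addr.version == 6:
            # Check the widest-to-narrowest prefixes; any full one rejects.
            for plen, limit in sorted(self.ipv6_limits.items(), reverse=True):
                if limit and self.prefix_usage(addr, plen) >= limit:
                    return False, f"ipv6 /{plen} limit"
        # Drop window entries older than `period`, then apply the rate limit.
        while self.recent and now - self.recent[0] >= self.period:
            self.recent.popleft()
        if len(self.recent) >= self.count:
            return False, "throttled"
        self.recent.append(now)
        self.online.append(addr)
        return True, "new-user"

    def disconnect(self, ip):
        """An unknown user leaving frees a slot in the IPv6 prefix counts."""
        addr = ipaddress.ip_address(ip)
        if addr in self.online:
            self.online.remove(addr)
```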