Connthrottle

From UnrealIRCd documentation wiki

When the connthrottle module in UnrealIRCd detects a high number of users connecting from IP addresses that have not been seen before, connections from new IPs above the configured rate are rejected. For example, at 10:60 only 10 users per minute that have not been seen before can connect. Known IP addresses (that is, your regular users) can always get in, regardless of the set rate. The same applies to users who log in using SASL.

This module is highly effective against bot/drone attacks. It will reject most "bad" connections, while still allowing most of your regular users in.

The system consists of two modules:

  • reputation: this module gives a reputation score for the IP address, based on how long it has been online before on the network
  • connthrottle: this module does the actual limiting (throttling) of the connections

The details are best described by reading the example configuration:

loadmodule "reputation";
loadmodule "connthrottle";

set {
        connthrottle {
                /* First we must configure what we call "known users".
                 * By default these are users on IP addresses that have
                 * a score of 24 or higher. A score of 24 means that the
                 * IP was connected to this network for at least 2 hours
                 * in the past month (or minimum 1 hour if registered).
                 * The sasl-bypass option is another setting. It means
                 * that users who authenticate to services via SASL
                 * are considered known users as well.
                 * Users in the "known-users" group (either by reputation
                 * or by SASL) are always allowed in by this module.
                 */
                known-users {
                        minimum-reputation-score 24;
                        sasl-bypass yes;
                };

                /* New users are all users that do not belong in the
                 * known-users group. They are considered "new" and in
                 * case of a high number of such new users connecting
                 * they are subject to connection rate limiting.
                 * By default the rate is 20 new local users per minute
                 * and 30 new global users per minute.
                 */
                new-users {
                        local-throttle 20:60;
                        global-throttle 30:60;
                };

                /* This configures when this module will NOT be active.
                 * The default settings will disable the module when:
                 * - The reputation module has been running for less than
                 *   a week. If running less than 1 week then there is
                 *   insufficient data to consider who is a "known user".
                 * - The server has just been booted up (first 3 minutes).
                 */
                disabled-when {
                        reputation-gathering 1w;
                        start-delay 3m;
                };
        };
};

How reputation works

  • Every 5 minutes the reputation module will increase the score for all connected IP addresses by +1. If the user is authenticated to services then they receive an additional point (so +2).
  • If the user has not been online for 30 days then the reputation entry expires and is deleted. For very low reputation scores this may happen sooner, to keep the database small. For example reputation scores of less than 7 are already expired after 7 days.
  • The reputation score is capped at a maximum of 10000.
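To make the interaction between the example configuration above and the reputation rules concrete, here is an added Python model of the decision (written for this page, not UnrealIRCd's own C code). It uses the defaults from the example configuration; the fixed 60-second counting window and the scenario values (server uptime, reputation database age, number of connecting IPs) are assumptions constructed for illustration, and the real module's bucket accounting may differ in detail.

```python
"""Added model of the connthrottle policy described on this page (not UnrealIRCd code)."""
from dataclasses import dataclass

MAX_REPUTATION = 10000  # cap stated on the page


def reputation_after(minutes_online: int, authenticated: bool) -> int:
    """Score an IP earns: +1 per 5 minutes online, +2 per 5 minutes if logged in to services."""
    ticks = minutes_online // 5
    return min(ticks * (2 if authenticated else 1), MAX_REPUTATION)


@dataclass
class ConnThrottle:
    """Decision logic with the defaults from the example configuration."""
    minimum_reputation_score: int = 24      # known-users::minimum-reputation-score
    sasl_bypass: bool = True                # known-users::sasl-bypass
    local_limit: int = 20                   # new-users::local-throttle 20:60
    local_window: int = 60
    reputation_gathering: int = 7 * 86400   # disabled-when::reputation-gathering 1w
    start_delay: int = 180                  # disabled-when::start-delay 3m
    window_start: int = 0                   # assumption: simple fixed counting window
    new_in_window: int = 0

    def is_known(self, score: int, sasl: bool) -> bool:
        return score >= self.minimum_reputation_score or (self.sasl_bypass and sasl)

    def is_disabled(self, server_uptime: int, reputation_age: int) -> bool:
        return reputation_age < self.reputation_gathering or server_uptime < self.start_delay

    def accept(self, now: int, score: int, sasl: bool, server_uptime: int, reputation_age: int) -> str:
        """Return 'known', 'disabled', 'accepted' or 'throttled' for one connection attempt."""
        if self.is_known(score, sasl):
            return "known"                  # known users always get in
        if self.is_disabled(server_uptime, reputation_age):
            return "disabled"               # module inactive, everyone gets in
        if now - self.window_start >= self.local_window:
            self.window_start, self.new_in_window = now, 0   # start a fresh window
        if self.new_in_window >= self.local_limit:
            return "throttled"
        self.new_in_window += 1
        return "accepted"


def simulate_burst(n: int, score: int = 0, sasl: bool = False) -> dict:
    """Constructed scenario: n IPs with the given score connect within one second
    on a server that has been up an hour with 30 days of reputation data."""
    ct = ConnThrottle()
    results = [ct.accept(0, score, sasl, server_uptime=3600, reputation_age=30 * 86400)
               for _ in range(n)]
    return {r: results.count(r) for r in set(results)}
```

With the defaults, 2 hours online unauthenticated or 1 hour authenticated both reach the score of 24 that the configuration comments describe, and a burst of 25 unknown IPs gets 20 accepted and 5 throttled.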

An IRCOp can:

  • See the IP reputation score of a user: /WHOIS Nick
  • See the IP reputation score by IP address with: /REPUTATION 1.2.3.4