Channel anti-flood settings

UnrealIRCd comes with an advanced but slightly complex anti-flood mode +f. UnrealIRCd 6.1.0+ also has an easier mode +F.

In UnrealIRCd 6.2.0+ we set a default profile for +F, which means that all channels have this flood protection, even if you don't see a channel mode +F being set.

Channel mode F profiles

Channel mode +F allows easy selection of a predefined anti-flood profile, for example: +F normal

The following anti-flood profiles are available (use +F name-of-profile):

Flood profile	Joins	Messages	Nick changes	CTCP's	Knocks
very-strict	10 in 15 seconds	30 in 15 seconds	5 in 15 seconds	7 in 15 seconds	10 in 15 seconds
strict	15 in 15 seconds	40 in 15 seconds	8 in 15 seconds	7 in 15 seconds	10 in 15 seconds
normal	30 in 15 seconds	40 in 15 seconds	8 in 15 seconds	7 in 15 seconds	10 in 15 seconds
relaxed	45 in 15 seconds	60 in 15 seconds	10 in 15 seconds	7 in 15 seconds	10 in 15 seconds
very-relaxed	60 in 15 seconds	90 in 15 seconds	10 in 15 seconds	7 in 15 seconds	10 in 15 seconds
off	no limit	no limit	no limit	no limit	no limit
If exceeded...	Set +R for 10min	set +M for 10min	Set +N for 15min	Set +C for 15min	Set +K for 15min

The normal profile is the default in UnrealIRCd 6.2.0 and later, if no +F is set.

Guidelines:

• For most channels +F normal should be good.
• For big channels with lots of activity (like the main network channel) +F relaxed may be more suitable.
• For small channels with like 10 people, +F strict may be a good choice if you want the anti flood controls to be set more tight.
• +F off is only useful if a default profile is configured. Otherwise, it is the same as -F.
• The old mode +f also still exists. Any flood settings defined there override +F

When a flood limit is exceeded in the channel:

• For joins/messages/nick-changes:
  • UnrealIRCd will first analyze if the people who triggered the anti flood controls are classified as unknown-users.
  • unknown-users are users who are not identified to services and using an IP that has not been on IRC much (the exact definition is defined by the server administrator)
  • If they are responsible for the flood, then only unknown-users will be prevented from joining/messaging/nick-changing for the specified amount of times.
  • Only if that didn't help enough, next step is taken (setting a channel mode).
• A channel mode will be set, as shown in the table (+R/+M/+N/+C/+K)
• After the specified time in minutes, the channel mode or other countermeasure is removed (eg: -R or -M). Of course, chanops can remove the mode immediately if it was a false alarm.

Customizing profiles

The server admin can customize the profiles or add new ones, this is done via set::anti-flood::channel.

Please note that the default profiles have been carefully chosen:

• See the flood profiles table for a better overview of the default settings
• For message flood and join flood:
  • These are bad if they get triggered needlessly since they prevent users from joining or speaking
  • In all profiles we made sure it requires several people to trigger the flood. Eg a user can max send 15 messages in 15 seconds. If only 1 user is flooding they cannot trigger the message limit of 30 even for profile very-strict
• For nick floods:
  • It is quite annoying if a channel is set +N (no nick changes allowed)
  • In the default configuration an unknown user can do 2 and a known user can do 3 nick changes per 90 seconds via the anti-flood block. So this requires at least 3 or 4 users nick flooding if the limit is set at 8, such as for normal and strict.
• For CTCP flood:
  • A single user can trigger this, but it would result in the channel being +C which is not really a problem.
• For knock floods:
  • This only goes to channel ops, so is really only a convenience thing
• The removal time of 10 minutes or 15 minutes is a trade-off:
  • It should not be too low: otherwise you would see repeated flood, +R, -R, flood, +R, -R, flood, etc.
  • It should not be too high: if the flood is gone, people should be able to talk/join/.. again. Especially if no chanops are around, you don't want it to be set forever.

set {
        anti-flood {
                channel {
                        profile very-strict { flood-mode "[7c#C15,10j#R10,10k#K15,30m#M10,10n#N15]:15"; }
                        profile strict { flood-mode "[7c#C15,15j#R10,10k#K15,40m#M10,10n#N15]:15"; }
                        profile normal { flood-mode "[7c#C15,30j#R10,10k#K15,40m#M10,10n#N15]:15"; }
                        profile relaxed { flood-mode "[7c#C15,45j#R10,10k#K15,60m#M10,10n#N15]:15"; }
                        profile very-relaxed { flood-mode "[7c#C15,60j#R10,10k#K15,90m#M10,10n#N15]:15"; }
                }
        }
}

The value of flood-mode uses the same syntax as channel mode f, except that currently floodtypes 't' and 'r' cannot be used.

Default profile

You can set a default profile that will be used if the channel is -F.

In UnrealIRCd 6.2.0 and higher this is the default:

set {
        anti-flood {
                channel {
                        default-profile normal;
                }
        }
}

This makes it so all channels automatically use the +F profile "normal" by default, even though no mode +F is set. This means all channels are protected by default.

Channel operators can still set +F relaxed or choose any other flood profile (see the list of profiles further up). If chanops don't want any flood protection, they have to explicitly set +F off.

If you as a server admin don't want to use a default profile for channels, then you can use:

set {
        anti-flood {
                channel {
                        default-profile off;
                }
        }
}

Channel mode f

An example +f mode is: +f [10j]:15 which means 10 joins per 15 seconds are allowed in the channel. If the limit is hit, the channel will be set +i (Invite only) automatically.

UnrealIRCd 6.1.0+ also has an easier to use mode +F (see above). Any settings from +f override the ones from the flood profile +F. Type MODE #channel +F to get a server notice back with the currently effective flood settings.

The following flood types are available:

Type	Name	Default action	Other actions	Comments
c	CTCPs	Set channel mode +C (block all CTCP's)
j	joins	Set channel mode +i (invite only)	R
k	knocks	Set channel mode +K (no /knock's)
m	messages/notices	Set channel mode +m (regular users cannot speak)	M, d
n	nick changes	Set channel mode +N (no nick-changes permitted)
t	text	Kick the user	b, d	Per-user message/notice limit. Action is to kick or kick + ban the user, or to drop the message. This flood type can only be used in +f currently and not in +F profiles.
r	repeat	Kick the user	b, d	Per-user repeated lines limit. Action is to kick or kick + ban the user, or to drop the message. This flood type can only be used in +f currently and not in +F profiles.

Example:

*** ChanOp sets mode: +f [20j,50m,7n]:15
<ChanOp> lalala
*** Evil1 ([email protected]) has joined #test
*** Evil2 ([email protected]) has joined #test
*** Evil3 ([email protected]) has joined #test
*** Evil4 ([email protected]) has joined #test
-- snip XX lines --
*** Evil21 ([email protected]) has joined #test
-server1.test.net:#test *** Channel joinflood detected (limit is 20 per 15 seconds), putting +i
*** server1.test.net sets mode: +i
<Evil2> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil12> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil15> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil10> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil8> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
-- snip XX lines --
-server1.test.net:#test *** Channel msg/noticeflood detected (limit is 50 per 15 seconds), putting +m
*** server1.test.net sets mode: +m
*** Evil1 is now known as Hmmm1
*** Evil2 is now known as Hmmm2
*** Evil3 is now known as Hmmm3
*** Evil4 is now known as Hmmm4
*** Evil5 is now known as Hmmm5
*** Evil6 is now known as Hmmm6
*** Evil7 is now known as Hmmm7
*** Evil8 is now known as Hmmm8
-server1.test.net:#test *** Channel nickflood detected (limit is 7 per 15 seconds), putting +N
*** server1.test.net sets mode: +N

In fact, it can get even more advanced/complicated:
Instead of the default action, you can for some floodtypes specify another one, for example: +f [20j#R,50m#M]:15
This will set the channel +R if the joinlimit is reached (>20 joins in 15 seconds), and will set the channel +M if the msg limit is reached (>50 messages in 15 seconds).

There's also a "remove mode after X minutes" feature: +f [20j#R5]:15 will set the channel +R if the limit is reached and will set -R after 5 minutes.
A server can have a default unsettime (set::modef-default-unsettime), so if you type +f [20j]:15 it could get transformed into +f [20j#i10]:15, it's just a default, you can still set [20j#i2]:15 or something like that, and you can also disable the remove-chanmode completely by doing a +f [20j#i0]:15 (an explicit 0).

What the best +f mode is heavily depends on the channel. How many users does it have? Do you have a game that makes users msg a lot (eg: trivia) or do users often use "popups"? Is it some kind of main channel or in auto-join? etc..

This can be a good example channel mode: +f [30j#i10,40m#m10,7c#C15,10n#N15,30k#K10]:15

• 30 joins per 15 seconds, if limit is reached set channel +i for 10 minutes
• 40 messages per 15 seconds, if limit is reached set channel +m for 10 minutes
• 7 ctcps per 15 seconds, if limit is reached set channel +C for 15 minutes
• 10 nickchanges per 15 seconds, if limit is reached set channel +N for 15 minutes
• 30 knocks per 15 seconds, if limit is reached set channel +K for 10 minutes

Take that example and modify it to suit your needs. If you have a large channel (>75 users?) you will want to increase the join sensitivity (to eg: 50) and the message limit (to eg: 60 or 75). This so +f won't trigger too soon.

The remove-mode times are a matter of taste.. you should think like.. what if no op is available to handle the situation, do I want to have the channel locked for like 15 minutes (=not nice for users) or 5 minutes (=likely the flooders will just wait 5m and flood again). It also depends on the floodtype, users unable to join (+i) or speak (+m) is worse than having them unable to change their nick (+N) or send ctcps to the channel (+C) so you might want to use different removal times.

Exempting users from flood protection

• Messages and other actions from chanops (+h/+o/+a/+q) will not be counted in the flood protection and no action will be taken on them
• You can also use +e ~flood to set exemptions for users, see the ~flood extended ban. This can be useful to give to a bot or a group of users, that you want to exempt from flooding but not want to give ops to.
• IRCOps are exempt as well, to be exact: the operclass privilege is channel:override:flood.

Other configuration settings

Requires UnrealIRCd 6.1.0 or later

set {
        anti-flood {
                channel {
                        boot-delay 75;
                        split-delay 75;
                }
        }
}

The boot-delay disables +f/+F join-flood detection (subtype 'j') when the server has just been (re)started. This because many users are likely to connect rapidly to this server. This makes sure +f/+F does not take action.

The split-delay disables +f/+F join-flood detection (subtype 'j') when any server splits off the network. This because the server may have a network issue or is restarting, which would cause clients from that server to reconnect to other servers, triggering a join flood when it is unneeded. This makes sure +f/+F does not take action. The downside of this is that on any server split, temporarily the join flood protection is off for a short while. We think this downside is acceptable because mode +f/+F needs to be as painless as possible and should not kick in when not needed. If you have a bigger network, eg 5 servers or more, and your clients are equally spread among them, then you could set this setting to 0. This because in such a case it is not too bad when 1 server dies. It would only cause 1/5th (20%) users to reconnect in such a case, which may not be enough to trigger +f. To verify this or to be sure, you would have to try though.