From UnrealIRCd documentation wiki
Jump to navigation Jump to search

Anti-flood features[edit]

Set block[edit]

In the configuration file in the set block you can configure a lot of the anti flood features. Note that UnrealIRCd already ships with good defaults, but you can change them if you wish.

There are many settings available in the set::anti-flood block. For example, set::anti-flood::connect-flood to only allow X connections per YY seconds from the same IP. Other X per Y time settings are: nick-flood, join-flood, away-flood, invite-flood and knock-flood.

The option set::anti-flood::unknown-flood-amount is used to limit the amount of data in the handshake (rarely changed, default is a few KB's).

set::anti-flood::max-concurrent-conversations limits the number of concurrent conversions a user can have, which is another anti-flood feature so a user cannot /MSG tens of users at the same time.

set::max-targets-per-command limits the number of targets the user can specify in a command (eg: JOIN 3 channels at the same time via JOIN #a,#b,#c).

Again, the default settings are probably fine for you already, as we focus on security and do our best to have tight but good defaults.

DNS Blacklists[edit]

While technically not an anti-flood feature, it definitely helps against unwanted bots/drones/users. By using one or more blacklist blocks you can have UnrealIRCd check a DNSBL service to see if an IP was blacklisted due to abuse. This is highly recommended for a server on the internet. See the example section there.


This module is highly effective against bot/drone attacks. It will reject most "bad" connections, while still allowing most of your regular users in.

When the connthrottle module in UnrealIRCd detects a high number of users connecting from IP addresses that have not been seen before, then connections from new IP's are rejected above the set rate. For example at 10:60 only 10 users per minute can connect that have not been seen before. Known IP addresses (so: your regular users) can always get in, regardless of the set rate. Same for users who login using SASL.


With the antirandom module you can block random nicks like 'fhdshfdhf'.This module is not enabled by default because it may catch innocent users for non-English languages, especially for non-Western-European languages.

Simple channel modes[edit]

There are also some easy to use channel modes which can be quite effective against floods:

  • N: no nick changes
  • C: no CTCP's
  • M: only registered users may talk
  • K: no /KNOCK allowed

You can set these channel modes permanently. But you can also use the very advanced channel mode +f to set these restrictions only when needed (and more), see next.

Channel mode f[edit]

Instead of using scripts and bots to protect against channel floods it is build into the ircd. An example +f mode is:

*** Blah sets mode: +f [10j]:15

This means 10 joins per 15 seconds are allowed in the channel, if the limit is hit, the channel will be set +i (Invite only) automatically.

The following floodtypes are available:

Type Name Default action Other actions Comments
c CTCPs Set channel mode +C (block all CTCP's) m, M
j joins Set channel mode +i (invite only) R
k knocks Set channel mode +K (no /knock's)
m messages/notices Set channel mode +m (regular users cannot speak) M, d
n nick changes Set channel mode +N (no nick-changes permitted)
t text Kick the user b, d Per-user message/notice limit. Action is to kick or kick+ban the user, or to drop the message.
r repeat Kick the user b, d Per-user repeat limit. Action is to kick or kick+ban the user, or to drop the message.


*** ChanOp sets mode: +f [20j,50m,7n]:15
<ChanOp> lalala
*** Evil1 ( has joined #test
*** Evil2 (~jcvibhcih@Clk-3472A942.xx.someispcom) has joined #test
*** Evil3 ( has joined #test
*** Evil4 ( has joined #test
-- snip XX lines --
*** Evil21 ( has joined #test *** Channel joinflood detected (limit is 20 per 15 seconds), putting +i
*** sets mode: +i
<Evil2> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil12> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil15> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil10> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil8> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
-- snip XX lines -- *** Channel msg/noticeflood detected (limit is 50 per 15 seconds), putting +m
*** sets mode: +m
*** Evil1 is now known as Hmmm1
*** Evil2 is now known as Hmmm2
*** Evil3 is now known as Hmmm3
*** Evil4 is now known as Hmmm4
*** Evil5 is now known as Hmmm5
*** Evil6 is now known as Hmmm6
*** Evil7 is now known as Hmmm7
*** Evil8 is now known as Hmmm8 *** Channel nickflood detected (limit is 7 per 15 seconds), putting +N
*** sets mode: +N

In fact, it can get even more advanced/complicated:
Instead of the default action, you can for some floodtypes specify another one, for example: +f [20j#R,50m#M]:15
This will set the channel +R if the joinlimit is reached (>20 joins in 15 seconds), and will set the channel +M if the msg limit is reached (>50 messages in 15 seconds).

There's also a "remove mode after X minutes" feature: +f [20j#R5]:15 will set the channel +R if the limit is reached and will set -R after 5 minutes.
A server can have a default unsettime (set::modef-default-unsettime), so if you type +f [20j]:15 it could get transformed into +f [20j#i10]:15, it's just a default, you can still set [20j#i2]:15 or something like that, and you can also disable the remove-chanmode completely by doing a +f [20j#i0]:15 (an explicit 0).

What the best +f mode is heavily depends on the channel... how many users does it have? do you have a game that makes users msg a lot (eg: trivia) or do users often use popups? is it some kind of mainchannel or in auto-join? etc..

There's no perfect channelmode +f that is good for all channels, but to get you started have a look at the next example and modify it to suit your needs:
+f [30j#i10,40m#m10,7c#C15,10n#N15,30k#K10]:15

  • 30 joins per 15 seconds, if limit is reached set channel +i for 10 minutes
  • 40 messages per 15 seconds, if limit is reached set channel +m for 10 minutes
  • 7 ctcps per 15 seconds, if limit is reached set channel +C for 15 minutes
  • 10 nickchanges per 15 seconds, if limit is reached set channel +N for 15 minutes
  • 30 knocks per 15 seconds, if limit is reached set channel +K for 10 minutes

If it's some kind of large user channel (>75 users?) you will want to increase the join sensitivity (to eg: 50) and the message limit as well (to eg: 60 or 75).
Especially the remove-mode times are a matter of taste.. you should think like.. what if no op is available to handle the situation, do I want to have the channel locked for like 15 minutes (=not nice for users) or 5 minutes (=likely the flooders will just wait 5m and flood again). It also depends on the floodtype, users unable to join (+i) or speak (+m) is worse than having them unable to change their nick (+N) or send ctcps to the channel (+C) so you might want to use different removal times.