Translations:Features/15/en

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

Anti-flood features[edit]

Set block[edit]

In the configuration file in the set block you can configure a lot of the anti flood features. Note that UnrealIRCd already ships with good defaults, but you can change them if you wish.

There are many settings available in the set::anti-flood block. For example, set::anti-flood::connect-flood to only allow X connections per YY seconds from the same IP. Other X per Y time settings are: nick-flood, join-flood, away-flood, invite-flood and knock-flood.

The option set::anti-flood::unknown-flood-amount is used to limit the amount of data in the handshake (rarely changed, default is a few KB's).

set::anti-flood::max-concurrent-conversations limits the number of concurrent conversions a user can have, which is another anti-flood feature so a user cannot /MSG tens of users at the same time.

set::max-targets-per-command limits the number of targets the user can specify in a command (eg: JOIN 3 channels at the same time via JOIN #a,#b,#c).

Again, the default settings are probably fine for you already, as we focus on security and do our best to have tight but good defaults.

DNS Blacklists[edit]

While technically not an anti-flood feature, it definitely helps against unwanted bots/drones/users. By using one or more blacklist blocks you can have UnrealIRCd check a DNSBL service to see if an IP was blacklisted due to abuse. This is highly recommended for a server on the internet. See the example section there.

Connthrottle[edit]

This module is highly effective against bot/drone attacks. It will reject most "bad" connections, while still allowing most of your regular users in.

When the connthrottle module in UnrealIRCd detects a high number of users connecting from IP addresses that have not been seen before, then connections from new IP's are rejected above the set rate. For example at 10:60 only 10 users per minute can connect that have not been seen before. Known IP addresses (so: your regular users) can always get in, regardless of the set rate. Same for users who login using SASL.

AntiRandom[edit]

With the antirandom module you can block random nicks like 'fhdshfdhf'.This module is not enabled by default because it may catch innocent users for non-English languages, especially for non-Western-European languages.

Simple channel modes[edit]

There are also some easy to use channel modes which can be quite effective against floods:

  • N: no nick changes
  • C: no CTCP's
  • M: only registered users may talk
  • K: no /KNOCK allowed

You can set these channel modes permanently. But you can also use the very advanced channel mode +f to set these restrictions only when needed (and more), see next.

Channel mode f[edit]

Instead of using scripts and bots to protect against channel floods it is build into the ircd. An example +f mode is:

*** Blah sets mode: +f [10j]:15

This means 10 joins per 15 seconds are allowed in the channel, if the limit is hit, the channel will be set +i (Invite only) automatically.

The following floodtypes are available:

Type Name Default action Other actions Comments
c CTCPs Set channel mode +C (block all CTCP's) m, M
j joins Set channel mode +i (invite only) R
k knocks Set channel mode +K (no /knock's)
m messages/notices Set channel mode +m (regular users cannot speak) M, d
n nick changes Set channel mode +N (no nick-changes permitted)
t text Kick the user b, d Per-user message/notice limit. Action is to kick or kick+ban the user, or to drop the message.
r repeat Kick the user b, d Per-user repeat limit. Action is to kick or kick+ban the user, or to drop the message.

Example:

*** ChanOp sets mode: +f [20j,50m,7n]:15
<ChanOp> lalala
*** Evil1 (~fdsdsfddf@Clk-17B4D84B.blah.net) has joined #test
*** Evil2 (~jcvibhcih@Clk-3472A942.xx.someispcom) has joined #test
*** Evil3 (~toijhlihs@Clk-38D374A3.aol.com) has joined #test
*** Evil4 (~eihjifihi@Clk-5387B42F.dfdfd.blablalba.be) has joined #test
-- snip XX lines --
*** Evil21 (~jiovoihew@Clk-48D826C3.e.something.org) has joined #test
-server1.test.net:#test *** Channel joinflood detected (limit is 20 per 15 seconds), putting +i
*** server1.test.net sets mode: +i
<Evil2> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil12> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil15> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil10> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil8> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
-- snip XX lines --
-server1.test.net:#test *** Channel msg/noticeflood detected (limit is 50 per 15 seconds), putting +m
*** server1.test.net sets mode: +m
*** Evil1 is now known as Hmmm1
*** Evil2 is now known as Hmmm2
*** Evil3 is now known as Hmmm3
*** Evil4 is now known as Hmmm4
*** Evil5 is now known as Hmmm5
*** Evil6 is now known as Hmmm6
*** Evil7 is now known as Hmmm7
*** Evil8 is now known as Hmmm8
-server1.test.net:#test *** Channel nickflood detected (limit is 7 per 15 seconds), putting +N
*** server1.test.net sets mode: +N

In fact, it can get even more advanced/complicated:
Instead of the default action, you can for some floodtypes specify another one, for example: +f [20j#R,50m#M]:15
This will set the channel +R if the joinlimit is reached (>20 joins in 15 seconds), and will set the channel +M if the msg limit is reached (>50 messages in 15 seconds).

There's also a "remove mode after X minutes" feature: +f [20j#R5]:15 will set the channel +R if the limit is reached and will set -R after 5 minutes.
A server can have a default unsettime (set::modef-default-unsettime), so if you type +f [20j]:15 it could get transformed into +f [20j#i10]:15, it's just a default, you can still set [20j#i2]:15 or something like that, and you can also disable the remove-chanmode completely by doing a +f [20j#i0]:15 (an explicit 0).

What the best +f mode is heavily depends on the channel... how many users does it have? do you have a game that makes users msg a lot (eg: trivia) or do users often use popups? is it some kind of mainchannel or in auto-join? etc..

There's no perfect channelmode +f that is good for all channels, but to get you started have a look at the next example and modify it to suit your needs:
+f [30j#i10,40m#m10,7c#C15,10n#N15,30k#K10]:15

  • 30 joins per 15 seconds, if limit is reached set channel +i for 10 minutes
  • 40 messages per 15 seconds, if limit is reached set channel +m for 10 minutes
  • 7 ctcps per 15 seconds, if limit is reached set channel +C for 15 minutes
  • 10 nickchanges per 15 seconds, if limit is reached set channel +N for 15 minutes
  • 30 knocks per 15 seconds, if limit is reached set channel +K for 10 minutes

If it's some kind of large user channel (>75 users?) you will want to increase the join sensitivity (to eg: 50) and the message limit as well (to eg: 60 or 75).
Especially the remove-mode times are a matter of taste.. you should think like.. what if no op is available to handle the situation, do I want to have the channel locked for like 15 minutes (=not nice for users) or 5 minutes (=likely the flooders will just wait 5m and flood again). It also depends on the floodtype, users unable to join (+i) or speak (+m) is worse than having them unable to change their nick (+N) or send ctcps to the channel (+C) so you might want to use different removal times.