Translations:Features/15/en
Anti-flood features
Set block
In the set block of the configuration file you can configure many of the anti-flood features. Note that UnrealIRCd already ships with good defaults, but you can change them if you wish.
There are many settings available in the set::anti-flood block. For example, set::anti-flood::connect-flood to only allow X connections per YY seconds from the same IP. Other X per Y time settings are: nick-flood, join-flood, away-flood, invite-flood and knock-flood.
The option set::anti-flood::unknown-flood-amount is used to limit the amount of data in the handshake (rarely changed, default is a few KB).
set::anti-flood::max-concurrent-conversations limits the number of concurrent conversations a user can have, which is another anti-flood feature so a user cannot /MSG tens of users at the same time.
set::max-targets-per-command limits the number of targets the user can specify in a command (eg: JOIN 3 channels at the same time via JOIN #a,#b,#c).
Again, the default settings are probably fine for you already, as we focus on security and do our best to have tight but good defaults.
DNS Blacklists
While technically not an anti-flood feature, it definitely helps against unwanted bots/drones/users. By using one or more blacklist blocks you can have UnrealIRCd check a DNSBL service to see if an IP was blacklisted due to abuse. This is highly recommended for a server on the internet. See the example section there.
Connthrottle
This module is highly effective against bot/drone attacks. It will reject most "bad" connections, while still allowing most of your regular users in.
When the connthrottle module in UnrealIRCd detects a high number of users connecting from IP addresses that have not been seen before, connections from new IPs are rejected above the set rate. For example, at 10:60 only 10 users per minute can connect that have not been seen before. Known IP addresses (so: your regular users) can always get in, regardless of the set rate. The same goes for users who log in using SASL.
AntiRandom
With the antirandom module you can block random nicks like 'fhdshfdhf'. This module is not enabled by default because it may catch innocent users for non-English languages, especially for non-Western-European languages.
Simple channel modes
There are also some easy to use channel modes which can be quite effective against floods:
- N: no nick changes
- C: no CTCP's
- M: only registered users may talk
- K: no /KNOCK allowed
You can set these channel modes permanently. But you can also use the very advanced channel mode +f to set these restrictions only when needed (and more), see next.
Channel mode f
Instead of using scripts and bots to protect against channel floods, this protection is built into the ircd. An example +f mode is:
*** Blah sets mode: +f [10j]:15
This means 10 joins per 15 seconds are allowed in the channel. If the limit is hit, the channel will be set +i (invite only) automatically.
The following floodtypes are available:
Type | Name | Default action | Other actions | Comments |
---|---|---|---|---|
c | CTCPs | Set channel mode +C (block all CTCP's) | m, M | |
j | joins | Set channel mode +i (invite only) | R | |
k | knocks | Set channel mode +K (no /knock's) | | |
m | messages/notices | Set channel mode +m (regular users cannot speak) | M, d | |
n | nick changes | Set channel mode +N (no nick-changes permitted) | | |
t | text | Kick the user | b, d | Per-user message/notice limit. Action is to kick or kick+ban the user, or to drop the message. |
r | repeat | Kick the user | b, d | Per-user repeat limit. Action is to kick or kick+ban the user, or to drop the message. |
Example:
```
*** ChanOp sets mode: +f [20j,50m,7n]:15
<ChanOp> lalala
*** Evil1 (~fdsdsfddf@Clk-17B4D84B.blah.net) has joined #test
*** Evil2 (~jcvibhcih@Clk-3472A942.xx.someispcom) has joined #test
*** Evil3 (~toijhlihs@Clk-38D374A3.aol.com) has joined #test
*** Evil4 (~eihjifihi@Clk-5387B42F.dfdfd.blablalba.be) has joined #test
-- snip XX lines --
*** Evil21 (~jiovoihew@Clk-48D826C3.e.something.org) has joined #test
-server1.test.net:#test *** Channel joinflood detected (limit is 20 per 15 seconds), putting +i
*** server1.test.net sets mode: +i
<Evil2> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil12> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil15> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil10> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil8> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
-- snip XX lines --
-server1.test.net:#test *** Channel msg/noticeflood detected (limit is 50 per 15 seconds), putting +m
*** server1.test.net sets mode: +m
*** Evil1 is now known as Hmmm1
*** Evil2 is now known as Hmmm2
*** Evil3 is now known as Hmmm3
*** Evil4 is now known as Hmmm4
*** Evil5 is now known as Hmmm5
*** Evil6 is now known as Hmmm6
*** Evil7 is now known as Hmmm7
*** Evil8 is now known as Hmmm8
-server1.test.net:#test *** Channel nickflood detected (limit is 7 per 15 seconds), putting +N
*** server1.test.net sets mode: +N
```
In fact, it can get even more advanced/complicated:
Instead of the default action, you can for some floodtypes specify another one, for example: +f [20j#R,50m#M]:15
This will set the channel +R if the joinlimit is reached (>20 joins in 15 seconds), and will set the channel +M if the msg limit is reached (>50 messages in 15 seconds).
There's also a "remove mode after X minutes" feature: +f [20j#R5]:15 will set the channel +R if the limit is reached and will set -R after 5 minutes.
A server can have a default unsettime (set::modef-default-unsettime), so if you type +f [20j]:15 it could get transformed into +f [20j#i10]:15. This is just a default: you can still set [20j#i2]:15 or something like that, and you can also disable the remove-chanmode completely by doing a +f [20j#i0]:15 (an explicit 0).
The best +f mode depends heavily on the channel: how many users does it have? Do you have a game that makes users msg a lot (eg: trivia), or do users often use popups? Is it some kind of main channel or in auto-join?
There's no perfect channel mode +f that is good for all channels, but to get you started have a look at the next example and modify it to suit your needs:
+f [30j#i10,40m#m10,7c#C15,10n#N15,30k#K10]:15
- 30 joins per 15 seconds, if limit is reached set channel +i for 10 minutes
- 40 messages per 15 seconds, if limit is reached set channel +m for 10 minutes
- 7 ctcps per 15 seconds, if limit is reached set channel +C for 15 minutes
- 10 nickchanges per 15 seconds, if limit is reached set channel +N for 15 minutes
- 30 knocks per 15 seconds, if limit is reached set channel +K for 10 minutes
If it's some kind of large user channel (>75 users?) you will want to increase the join limit (to eg: 50) and the message limit as well (to eg: 60 or 75).
The remove-mode times in particular are a matter of taste. Consider what happens if no op is available to handle the situation: do you want the channel locked for 15 minutes (not nice for users) or 5 minutes (the flooders will likely just wait 5 minutes and flood again)? It also depends on the floodtype: users being unable to join (+i) or speak (+m) is worse than users being unable to change their nick (+N) or send CTCPs to the channel (+C), so you might want to use different removal times.
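To review a +f setting before applying it, the syntax described above can be checked mechanically. The following is an added example, not UnrealIRCd code: the names parse_modef and describe are hypothetical, and the validator accepts only the flood types and actions listed in the table on this page.

```python
import re

# Table above as data: type -> (name, default action, other allowed actions).
# "kick" has no letter in the table, so it is only ever the implied default.
FLOODTYPES = {
    "c": ("CTCPs", "C", "mM"), "j": ("joins", "i", "R"),
    "k": ("knocks", "K", ""), "m": ("messages/notices", "m", "Md"),
    "n": ("nick changes", "N", ""),
    "t": ("text", "kick", "bd"), "r": ("repeat", "kick", "bd"),
}
PER_USER = {"kick": "kick the user", "b": "kick+ban the user", "d": "drop the message"}
PARAM = re.compile(r"\[([^\[\]]+)\]:(\d+)")
ITEM = re.compile(r"(\d+)([A-Za-z])(?:#([A-Za-z])(\d+)?)?")


def parse_modef(param):
    """Parse '[30j#i10,40m]:15' into (seconds, rules); raise ValueError if invalid."""
    outer = PARAM.fullmatch(param.strip())
    if not outer:
        raise ValueError(f"expected [items]:seconds, got {param!r}")
    seconds, rules, seen = int(outer.group(2)), [], set()
    for item in outer.group(1).split(","):
        m = ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"malformed item {item!r}")
        limit, ftype, action, unset = m.groups()
        if ftype not in FLOODTYPES or ftype in seen:
            raise ValueError(f"unknown or repeated flood type {ftype!r}")
        seen.add(ftype)
        name, default, others = FLOODTYPES[ftype]
        if action not in (None, default) and action not in others:
            raise ValueError(f"action {action!r} is not listed for type {ftype!r}")
        # unset None: no time given (server default may apply); 0: never unset
        rules.append({"type": ftype, "name": name, "limit": int(limit),
                      "action": action or default,
                      "unset": int(unset) if unset is not None else None})
    return seconds, rules


def describe(param):
    """Render each rule as one audit line, in the style of the list above."""
    seconds, rules = parse_modef(param)
    lines = []
    for r in rules:
        what = PER_USER.get(r["action"], f"set channel +{r['action']}")
        if r["action"] not in PER_USER and r["unset"]:
            what += f" for {r['unset']} minutes"
        lines.append(f"{r['limit']} {r['name']} per {seconds} seconds: {what}")
    return lines
```

Calling describe("[30j#i10,40m#m10,7c#C15,10n#N15,30k#K10]:15") returns one line per rule, matching the list given for that example, while a string such as [20j#K]:15 raises ValueError because +K is not an action the table lists for joins.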