Channel anti-flood settings

UnrealIRCd comes with an advanced but slightly complex anti-flood mode. UnrealIRCd 6.1.0+ also has an easier mode.

Channel mode F profiles
This feature only exists in UnrealIRCd 6.1.0 or higher

Channel mode  allows easy selection of a predefined anti-flood profile, for example:

The following anti-flood profiles are available (use ):

Guidelines:

 * For most channels  should be good.
 * For big channels with lots of activity (like the main network channel)  may be more suitable.
 * For small channels with like 10 people,  may be a good choice if you want the anti flood controls to be set more tight.
 * is currently the same as having no

When a flood limit is exceeded in the channel:

 * For joins/messages/nick-changes:
 * UnrealIRCd will first analyze if the people who triggered the anti flood controls are classified as unknown-users.
 * unknown-users are users who are not identified to services and using an IP that has not been on IRC much (the exact definition is defined by the server administrator)
 * If they are responsible for the flood, then only unknown-users will be prevented from joining/messaging/nick-changing for the specified amount of times.
 * Only if that didn't help enough, next step is taken (setting a channel mode).
 * A channel mode will be set, as shown in the table ( / / / / )
 * After the specified time in minutes, the channel mode or other countermeasure is removed (eg:  or  ). Of course, chanops can remove the mode immediately if it was a false alarm.

Customizing profiles
The server admin can customize the profiles or add new ones, this is done via set::anti-flood::channel.

Please note that the default profiles have been carefully chosen:
 * See the flood profiles table for a better overview of the default settings
 * For message flood and join flood:
 * These are bad if they get triggered needlessly since they prevent users from joining or speaking
 * In all profiles we made sure it requires several people to trigger the flood. Eg a user can max send 15 messages in 15 seconds. If only 1 user is flooding they cannot trigger the message limit of 30 even for profile very-strict
 * For nick floods:
 * It is quite annoying if a channel is set  (no nick changes allowed)
 * In the default configuration an unknown user can do 2 and a known user can do 3 nick changes per 90 seconds via the anti-flood block. So this requires at least 3 or 4 users nick flooding if the limit is set at 8, such as for normal and strict.
 * For CTCP flood:
 * A single user can trigger this, but it would result in the channel being  which is not really a problem.
 * For knock floods:
 * This only goes to channel ops, so is really only a convenience thing
 * The removal time of 10 minutes or 15 minutes is a trade-off:
 * It should not be too low: otherwise you would see repeated flood, +R, -R, flood, +R, -R, flood, etc.
 * It should not be too high: if the flood is gone, people should be able to talk/join/.. again. Especially if no chanops are around, you don't want it to be set forever.

set { anti-flood { channel { profile very-strict { flood-mode "[7c#C15,10j#R10,10k#K15,30m#M10,10n#N15]:15"; } profile strict { flood-mode "[7c#C15,15j#R10,10k#K15,40m#M10,10n#N15]:15"; } profile normal { flood-mode "[7c#C15,30j#R10,10k#K15,40m#M10,10n#N15]:15"; } profile relaxed { flood-mode "[7c#C15,45j#R10,10k#K15,60m#M10,10n#N15]:15"; } profile very-relaxed { flood-mode "[7c#C15,60j#R10,10k#K15,90m#M10,10n#N15]:15"; } }       } } The value of flood-mode uses the same syntax as channel mode f, except that currently floodtypes 't' and 'r' cannot be used.

Default profile
You can set a default profile that will be used if the channel is : set { anti-flood { channel { default-profile normal; }       } }

This makes it so all channels automatically use the +F profile "normal" by default.

Users can still set  or choose any other flood profile. If they don't want any flood protection, they have to explicitly set.

Channel mode f
An example +f mode is:  which means 10 joins per 15 seconds are allowed in the channel. If the limit is hit, the channel will be set  (Invite only) automatically.

UnrealIRCd 6.1.0+ also has an easier to use mode  (see above). Any settings from  override the ones from the flood profile. Type  to get a server notice back with the currently effective flood settings.

The following flood types are available:

Example:  lalala -- snip XX lines -- -server1.test.net:#test *** Channel joinflood detected (limit is 20 per 15 seconds), putting +i  fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl  fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl  fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl  fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl  fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl -- snip XX lines -- -server1.test.net:#test *** Channel msg/noticeflood detected (limit is 50 per 15 seconds), putting +m -server1.test.net:#test *** Channel nickflood detected (limit is 7 per 15 seconds), putting +N
 * ChanOp sets mode: +f [20j,50m,7n]:15
 * Evil1 (~fdsdsfddf@Clk-17B4D84B.blah.net) has joined #test
 * Evil2 (~jcvibhcih@Clk-3472A942.xx.someispcom) has joined #test
 * Evil3 (~toijhlihs@Clk-38D374A3.aol.com) has joined #test
 * Evil4 (~eihjifihi@Clk-5387B42F.dfdfd.blablalba.be) has joined #test
 * Evil21 (~jiovoihew@Clk-48D826C3.e.something.org) has joined #test
 * server1.test.net sets mode: +i
 * server1.test.net sets mode: +m
 * Evil1 is now known as Hmmm1
 * Evil2 is now known as Hmmm2
 * Evil3 is now known as Hmmm3
 * Evil4 is now known as Hmmm4
 * Evil5 is now known as Hmmm5
 * Evil6 is now known as Hmmm6
 * Evil7 is now known as Hmmm7
 * Evil8 is now known as Hmmm8
 * server1.test.net sets mode: +N

In fact, it can get even more advanced/complicated: Instead of the default action, you can for some floodtypes specify another one, for example: This will set the channel  if the joinlimit is reached (>20 joins in 15 seconds), and will set the channel   if the msg limit is reached (>50 messages in 15 seconds).

There's also a "remove mode after X minutes" feature: +f [20j#R5]:15 will set the channel +R if the limit is reached and will set -R after 5 minutes. A server can have a default unsettime (set::modef-default-unsettime), so if you type +f [20j]:15 it could get transformed into +f [20j#i10]:15, it's just a default, you can still set [20j#i2]:15 or something like that, and you can also disable the remove-chanmode completely by doing a +f [20j#i0]:15 (an explicit 0).

What the best +f mode is heavily depends on the channel. How many users does it have? Do you have a game that makes users msg a lot (eg: trivia) or do users often use "popups"? Is it some kind of main channel or in auto-join? etc..

This can be a good example channel mode:
 * 30 joins per 15 seconds, if limit is reached set channel +i for 10 minutes
 * 40 messages per 15 seconds, if limit is reached set channel +m for 10 minutes
 * 7 ctcps per 15 seconds, if limit is reached set channel +C for 15 minutes
 * 10 nickchanges per 15 seconds, if limit is reached set channel +N for 15 minutes
 * 30 knocks per 15 seconds, if limit is reached set channel +K for 10 minutes

Take that example and modify it to suit your needs. If you have a large channel (>75 users?) you will want to increase the join sensitivity (to eg: 50) and the message limit (to eg: 60 or 75). This so +f won't trigger too soon.

The remove-mode times are a matter of taste.. you should think like.. what if no op is available to handle the situation, do I want to have the channel locked for like 15 minutes (=not nice for users) or 5 minutes (=likely the flooders will just wait 5m and flood again). It also depends on the floodtype, users unable to join (+i) or speak (+m) is worse than having them unable to change their nick (+N) or send ctcps to the channel (+C) so you might want to use different removal times.

Other configuration settings
Requires UnrealIRCd 6.1.0 or later

set { anti-flood { channel { boot-delay 75; split-delay 75; }       } }

The boot-delay disables +f/+F join-flood detection (subtype 'j') when the server has just been (re)started. This because many users are likely to connect rapidly to this server. This makes sure +f/+F does not take action.

The split-delay disables +f/+F join-flood detection (subtype 'j') when any server splits off the network. This because the server may have a network issue or is restarting, which would cause clients from that server to reconnect to other servers, triggering a join flood when it is unneeded. This makes sure +f/+F does not take action. The downside of this is that on any server split, temporarily the join flood protection is off for a short while. We think this downside is acceptable because mode +f/+F needs to be as painless as possible and should not kick in when not needed. If you have a bigger network, eg 5 servers or more, and your clients are equally spread among them, then you could set this setting to. This because in such a case it is not too bad when 1 server dies. It would only cause 1/5th (20%) users to reconnect in such a case, which may not be enough to trigger +f. To verify this or to be sure, you would have to try though.