
Anti-flood settings (OLD)

From UnrealIRCd documentation wiki

This page describes the OLD set::anti-flood block, which was used in UnrealIRCd 5.0.x (now no longer supported). For UnrealIRCd 5.2.0 and later, see Anti-flood settings instead!

set::anti-flood::connect-flood

Syntax: set::anti-flood::connect-flood <count>:<period>

Connection flood protection: limits the number of connection attempts from each IP to 'count' per 'period' seconds. Default is 3 per 60. This feature is also referred to as connection throttling.

UnrealIRCd also has Connthrottle which will rate limit the number of connection attempts in total (so not per-IP).

Note that connection throttling is an important security measure. It provides primary and secondary protection against DoS, flood and brute force attacks, both for handshake and fully registered connections. If you disable it or set it very permissive (eg 6 per 60 seconds) then you severely degrade these protections.

If you want to exempt one or more IPs from connect-flood, then check out the Except ban block and use type connect-flood there.

set::anti-flood::nick-flood

Syntax: set::anti-flood::nick-flood <count>:<period>

Nick flood protection: limits nick changes to 'count' per 'period' seconds. For example nick-flood 4:90 means 4 per 90 seconds; the default is 3 per 60.

set::anti-flood::join-flood

Syntax: set::anti-flood::join-flood <count>:<period>

Join flood protection: limits joins (to the same channel) to 'count' per 'period' seconds. For example join-flood 4:90 means 4 per 90 seconds, the default is 3 per 90. Previously this was configured through channel mode +j.

set::anti-flood::away-flood

Syntax: set::anti-flood::away-flood <count>:<period>

Away flood protection: limits /away to 'count' changes per 'period' seconds. Example: away-flood 5:60s means max 5 changes per 60 seconds.

set::anti-flood::invite-flood

Syntax: set::anti-flood::invite-flood <count>:<period>

Invite flood protection: this limits /INVITE to a rate of 'count' per 'period' seconds. The default is 4:60, which means 4 /INVITEs per 60 seconds.

set::anti-flood::knock-flood

Syntax: set::anti-flood::knock-flood <count>:<period>

Knock flood protection: this limits /KNOCK to a rate of 'count' per 'period' seconds. The default is 4:120, which means 4 /KNOCKs per 120 seconds.

set::anti-flood::handshake-data-flood

This setting only exists in UnrealIRCd 5.0.9 and higher

When a TCP/IP connection is accepted, the client sends some data during the IRC protocol "handshake", such as NICK, username and optionally IRCv3 CAP negotiation and SASL. After this handshake the client comes online. If more than the specified amount of data is sent during the handshake, then the specified action is taken. This is a security measure against arbitrary data floods, where a client sends lots of bytes during the handshake and uselessly consumes CPU and bandwidth. In all known cases less than 4k (4096 bytes) is sent during the handshake, so this allows us to be quite strict.

Example block with the default settings:

set {
    anti-flood {
        handshake-data-flood {
            amount 4k;
            ban-action zline;
            ban-time 5m;
        }
    }
}

In UnrealIRCd 5.0.8 and older this setting was called set::anti-flood::unknown-flood-amount and set::anti-flood::unknown-flood-bantime; in these older versions the ban-action was not configurable.

set::anti-flood::unknown-flood-amount

Syntax: set::anti-flood::unknown-flood-amount <amount>

When we receive a connection from a user and this user sends more than <amount> kilobytes of data BEFORE actually coming online (a so-called "unknown connection"), then the user will be killed.

Note: in UnrealIRCd 5.0.9 and higher this has been moved to the set::anti-flood::handshake-data-flood block.

set::anti-flood::unknown-flood-bantime

Syntax: set::anti-flood::unknown-flood-bantime <timevalue>

Specifies for how long an unknown connection flooder is banned (see also previous item).

Note: in UnrealIRCd 5.0.9 and higher this has been moved to the set::anti-flood::handshake-data-flood block.

set::anti-flood::max-concurrent-conversations

This configures the maximum number of conversations a user can have with other users at the same time. This is a protection measure against spambots who tend to mass /MSG or /INVITE many different users within a short period of time.

set {
    anti-flood {
        max-concurrent-conversations {
            users 10; /* should be between 1 and 20 */
            new-user-every 15s; /* should be between 1 and 120 */
        };
    };
};

A user may message up to set::anti-flood::max-concurrent-conversations::users different users without any problem. If he/she then messages another user this is only permitted at a rate of 1 every set::anti-flood::max-concurrent-conversations::new-user-every seconds.

For example, with users set to 10 and new-user-every set to 15:

  • UnrealIRCd will remember up to 10 users that the user is messaging
  • The user can /MSG the first 10 users without any problem (eg: k1, k2, k3, k4, k5, k6, k7, k8, k9, k10)
  • When trying to send a message to the 11th user (eg: k11) the user will have to wait up to 15 seconds before (s)he can do so
  • Then the user can message the 11th user (k11)
  • If the user then wants to send a message to a 12th user (k12, or even user k1 again, which has by now dropped off the active list of 10 users) then (s)he has to wait 15 seconds again

Since most users don't actively message many different users within a short period of time, this can be used as a way to detect bots/drones that flood users. The goal is to set the limit high enough for normal users to never experience this limit, yet low enough to be meaningful as a spambot countermeasure.

Also, note that this setting only affects user to user messaging and not messages to channels. This is because it is assumed that channel flood controls can take care of channel flooding.
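The k1..k12 scenario above, as an added example that is not UnrealIRCd's own code: the server is modelled as a token bucket of `users` tokens refilling one token every `new-user-every` seconds, and a message to a target outside the remembered conversation list costs one token. The class name and the token-bucket modelling are assumptions; the numbers are the page's defaults.

```python
import math
from collections import OrderedDict


class ConversationLimiter:
    """Model of set::anti-flood::max-concurrent-conversations.

    Added example, not UnrealIRCd's own code. At most `users` tokens are
    held; one token is regained every `new_user_every` seconds. Messaging a
    target that is not among the `users` most recently messaged targets
    costs one token; with no token left the sender has to wait.
    """

    def __init__(self, users=10, new_user_every=15):
        self.users = users
        self.every = new_user_every
        self.recent = OrderedDict()  # target -> None, most recently messaged last
        self.tokens = float(users)   # start with a full allowance of new targets
        self.last = None             # time of the last refill

    def _refill(self, now):
        if self.last is not None and now > self.last:
            gained = (now - self.last) / self.every
            self.tokens = min(self.users, self.tokens + gained)
        self.last = now

    def check(self, now, target):
        """Return 0 if the message may be sent, else the seconds to wait."""
        if target in self.recent:
            self.recent.move_to_end(target)  # an active conversation: always fine
            return 0
        self._refill(now)
        if self.tokens < 1:
            return math.ceil((1 - self.tokens) * self.every)
        self.tokens -= 1
        self.recent[target] = None
        if len(self.recent) > self.users:
            self.recent.popitem(last=False)  # oldest conversation drops off the list
        return 0
```

Messages to channels are not passed through this check, matching the note that the setting only covers user-to-user messaging.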

The default setting is as follows:

Version                     users   new-user-every
UnrealIRCd 3.2.x - 4.2.1    20      15 seconds
UnrealIRCd 4.2.2 - now      10      15 seconds

set::anti-flood::target-flood

This functionality was added in UnrealIRCd 5.0.5

This flood countermeasure works differently than all the others. It limits floods to targets such as channels and persons at a maximum rate. This way a channel, for example, can never see more than X lines per Y seconds.

The goal is to prevent flooding at HIGH rates only: rates so high that the client may no longer be capable of handling the traffic in terms of CPU usage (leading, for example, to a laggy interface) or even bandwidth. This is why the maximum rates are very high. We don't want this to be triggered under normal conditions, even in extreme cases such as channels that have a quiz/trivia bot. Even with this target-flood protection enabled, some IRC clients may still have problems with some types of traffic below the set maximum rate; we only do our best to limit damage to most clients this way.

This countermeasure is NOT for low-rate or medium-rate spamming/floods. If you want more strict channel flood control (and you probably do!), then use the very powerful and customizable channel mode +f as well.

There are 2 possible target types: channels and users. For each of those 2 there are 3 possible message types in IRC: privmsg, notice and tagmsg. Below you can see the default settings:

set {
    anti-flood {
        target-flood {
            channel-privmsg 45:5;
            channel-notice 15:5;
            channel-tagmsg 15:5;
            private-privmsg 30:5;
            private-notice 10:5;
            private-tagmsg 10:5;
        };
    };
};

When the target-flood limit is hit, we will drop the message. We do not kill the user, because the user who sent the 15th/60th/etc. message could be a totally innocent user who only said "stop this flood!". This is also why we don't offer a configuration option for killing either, since you may very well end up killing good people.

The limits apply to everyone (including channel operators); the only exception is IRCOps, who are exempt if they have the immune:target-flood privilege (all IRCOps do, by default).
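The per-target, per-message-type limiting with drop (not kill) semantics and the IRCOp exemption described above, as an added example that is not UnrealIRCd's own code. It uses the default `count:period` values from the page; the fixed window starting at the first message to a target and the class and function names are assumptions.

```python
# Added example, not UnrealIRCd's own code: a model of set::anti-flood::target-flood.
# Limits are kept per *target* (channel or user) and per message type; a message over
# the limit is dropped, the sender is never killed. Assumption: a fixed window that
# starts at the first message to that target and restarts once `period` has elapsed.

DEFAULT_TARGET_FLOOD = {
    "channel-privmsg": "45:5",
    "channel-notice": "15:5",
    "channel-tagmsg": "15:5",
    "private-privmsg": "30:5",
    "private-notice": "10:5",
    "private-tagmsg": "10:5",
}


def parse_rate(spec):
    """Parse a '<count>:<period>' setting into (count, period_seconds)."""
    count, period = spec.split(":")
    return int(count), int(period)


class TargetFloodProt:
    def __init__(self, overrides=None):
        settings = {**DEFAULT_TARGET_FLOOD, **(overrides or {})}
        self.limits = {key: parse_rate(value) for key, value in settings.items()}
        self.windows = {}  # (target, msgtype) -> (window_start, messages_seen)

    def deliver(self, now, target, msgtype, sender_is_oper=False):
        """Return True if the message is delivered, False if it is dropped."""
        if sender_is_oper:
            return True  # immune:target-flood privilege (all IRCOps by default)
        kind = "channel" if target.startswith("#") else "private"
        count, period = self.limits[f"{kind}-{msgtype}"]
        start, seen = self.windows.get((target, msgtype), (now, 0))
        if now - start >= period:
            start, seen = now, 0  # period elapsed: start a fresh window
        if seen >= count:
            return False  # target is over its rate: drop the message, do not kill
        self.windows[(target, msgtype)] = (start, seen + 1)
        return True


def simulate_channel_burst(n_messages, msgtype="privmsg"):
    """Constructed scenario: n_messages to #chan within one second from
    different non-oper senders. Returns how many were dropped."""
    prot = TargetFloodProt()
    return sum(1 for _ in range(n_messages) if not prot.deliver(0, "#chan", msgtype))
```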

This anti-flood feature is handled by the targetfloodprot module which is loaded by default. You can use blacklisting in the configuration file to completely remove this anti-flood feature: blacklist-module targetfloodprot;