Connthrottle

From UnrealIRCd documentation wiki
When the connthrottle module in UnrealIRCd detects a high number of users connecting from IP addresses that have not been seen before, connections from new IPs above the configured rate are rejected. For example, at 10:60 only 10 users per minute that have not been seen before can connect. Known IP addresses (that is, your regular users) can always get in, regardless of the configured rate. The same applies to users who log in using SASL.

This module is highly effective against bot/drone attacks. It will reject most "bad" connections, while still allowing most of your regular users in.

See the article Reputation score for more information on what a reputation score is.

The details are best described by reading the example configuration below. Jump to your version:

UnrealIRCd 6.0.4 and later

set {
        connthrottle {
                /* First we configure which users are exempt from the
                 * restrictions. These users are always allowed in!
                 * By default these are users on IP addresses that have
                 * a score of 24 or higher. A score of 24 means that the
                 * IP was connected to this network for at least 2 hours
                 * in the past month (or minimum 1 hour if registered).
                 * We also allow users who are identified to services via
                 * SASL to bypass the restrictions.
                 */
                except {
                        reputation-score 24;
                        identified yes;
                        webirc yes;
                        /* for more options, see
                         * https://www.unrealircd.org/docs/Mask_item
                         */
                };

                /* New users are all users that do not belong in the
                 * known-users group. They are considered "new" and in
                 * case of a high number of such new users connecting
                 * they are subject to connection rate limiting.
                 * By default the rate is 20 new local users per minute
                 * and 30 new global users per minute.
                 */
                new-users {
                        local-throttle 20:60;
                        global-throttle 30:60;
                };

                /* This configures when this module will NOT be active.
                 * The default settings will disable the module when:
                 * - The reputation module has been running for less than
                 *   a week. If running less than 1 week then there is
                 *   insufficient data to consider who is a "known user".
                 * - The server has just been booted up (first 3 minutes).
                 */
                disabled-when {
                        reputation-gathering 1w;
                        start-delay 3m;
                };

                /* This error reason is shown to users when actively throttling */
                reason "Throttled: Too many users trying to connect, please wait a while and try again";
        };
};

UnrealIRCd 6.0.3 and earlier

set {
        connthrottle {
                /* First we must configure what we call "known users".
                 * By default these are users on IP addresses that have
                 * a score of 24 or higher. A score of 24 means that the
                 * IP was connected to this network for at least 2 hours
                 * in the past month (or minimum 1 hour if registered).
                 * The sasl-bypass option means that users who authenticate
                 * to services via SASL are considered known users as well.
                 * The webirc-bypass option means that users who connect
                 * via a WEBIRC block are considered known users as well.
                 * Users in the "known-users" group (either by reputation
                 * or by SASL or by WEBIRC) are always allowed in by this module.
                 */
                known-users {
                        minimum-reputation-score 24;
                        sasl-bypass yes;
                        webirc-bypass yes;
                };

                /* New users are all users that do not belong in the
                 * known-users group. They are considered "new" and in
                 * case of a high number of such new users connecting
                 * they are subject to connection rate limiting.
                 * By default the rate is 20 new local users per minute
                 * and 30 new global users per minute.
                 */
                new-users {
                        local-throttle 20:60;
                        global-throttle 30:60;
                };

                /* This configures when this module will NOT be active.
                 * The default settings will disable the module when:
                 * - The reputation module has been running for less than
                 *   a week. If running less than 1 week then there is
                 *   insufficient data to consider who is a "known user".
                 * - The server has just been booted up (first 3 minutes).
                 */
                disabled-when {
                        reputation-gathering 1w;
                        start-delay 3m;
                };

                /* This error reason is shown to users when actively throttling */
                reason "Throttled: Too many users trying to connect, please wait a while and try again";
        };
};
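To make the decision logic of the configuration above concrete, here is an added Python model of the connthrottle decision (constructed for this page, not UnrealIRCd's own code). It mirrors the 6.0.4 defaults: exempt if reputation-score 24 or higher, SASL-identified or WEBIRC; otherwise rate-limited at 20:60 locally and 30:60 globally; and disabled during the first week of reputation gathering and the first 3 minutes after boot. The sliding-window counting over accepted new users is an assumption; the real module's bookkeeping may differ.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Conn:
    ip: str
    reputation: int            # score assigned to the IP by the reputation module
    identified: bool = False   # logged in to services via SASL
    webirc: bool = False       # came in through a WEBIRC block
    local: bool = True         # connecting to this server (False: elsewhere on the network)

@dataclass
class ConnThrottle:
    """Constructed model of set::connthrottle; counting details are an assumption."""
    except_reputation: int = 24            # except { reputation-score 24; }
    local_throttle: tuple = (20, 60)       # local-throttle 20:60
    global_throttle: tuple = (30, 60)      # global-throttle 30:60
    reputation_gathering: int = 7 * 86400  # disabled-when { reputation-gathering 1w; }
    start_delay: int = 180                 # disabled-when { start-delay 3m; }
    boot_time: float = 0.0                 # when this server started (seconds)
    reputation_since: float = 0.0          # when the reputation module started gathering
    local_hits: deque = field(default_factory=deque)
    global_hits: deque = field(default_factory=deque)

    def is_exempt(self, c: Conn) -> bool:
        # Known users always get in, regardless of the rate.
        return c.reputation >= self.except_reputation or c.identified or c.webirc

    def is_disabled(self, now: float) -> bool:
        # Not enough reputation data yet, or server booted too recently.
        return (now - self.reputation_since < self.reputation_gathering
                or now - self.boot_time < self.start_delay)

    @staticmethod
    def _full(hits: deque, limit: tuple, now: float) -> bool:
        count, period = limit
        while hits and now - hits[0] >= period:  # drop entries outside the window
            hits.popleft()
        return len(hits) >= count

    def check(self, c: Conn, now: float) -> tuple:
        """Return (allowed, reason) for one connection attempt at time `now`."""
        if self.is_disabled(now):
            return True, "module disabled"
        if self.is_exempt(c):
            return True, "exempt"
        if (c.local and self._full(self.local_hits, self.local_throttle, now)) \
                or self._full(self.global_hits, self.global_throttle, now):
            return False, "Throttled: Too many users trying to connect, please wait a while and try again"
        if c.local:
            self.local_hits.append(now)
        self.global_hits.append(now)   # every accepted new user counts network-wide
        return True, "new user within rate"
```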