Commit | Line | Data |
---|---|---|
3bd189cb JR |
1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> |
2 | <HTML> | |
3 | <HEAD> | |
4 | <TITLE> [IRCServices] ircservices attacks | |
5 | </TITLE> | |
6 | <LINK REL="Index" HREF="index.html" > | |
7 | <LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20ircservices%20attacks&In-Reply-To=8c98c49f69737e106487338e5becdc9f%40teknet.com.tr"> | |
8 | <META NAME="robots" CONTENT="index,nofollow"> | |
9 | <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> | |
10 | <LINK REL="Previous" HREF="004700.html"> | |
11 | <LINK REL="Next" HREF="004705.html"> | |
12 | </HEAD> | |
13 | <BODY BGCOLOR="#ffffff"> | |
14 | <H1>[IRCServices] ircservices attacks</H1> | |
15 | <B>Andrew Church</B> | |
16 | <A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20ircservices%20attacks&In-Reply-To=8c98c49f69737e106487338e5becdc9f%40teknet.com.tr" | |
17 | TITLE="[IRCServices] ircservices attacks">achurch at achurch.org | |
18 | </A><BR> | |
19 | <I>Mon Nov 22 16:52:07 PST 2004</I> | |
20 | <P><UL> | |
21 | <LI>Previous message: <A HREF="004700.html">[IRCServices] Lots of AKILLS kill services | |
22 | </A></li> | |
23 | <LI>Next message: <A HREF="004705.html">[IRCServices] Services 5.0.42 released | |
24 | </A></li> | |
25 | <LI> <B>Messages sorted by:</B> | |
26 | <a href="date.html#4701">[ date ]</a> | |
27 | <a href="thread.html#4701">[ thread ]</a> | |
28 | <a href="subject.html#4701">[ subject ]</a> | |
29 | <a href="author.html#4701">[ author ]</a> | |
30 | </LI> | |
31 | </UL> | |
32 | <HR> | |
33 | <!--beginarticle--> | |
34 | <PRE> There's unfortunately no way to completely stop attacks like these, | |
35 | unless you can isolate the IP addresses that are causing problems and ban | |
36 | them from your network. As others suggested, you could try limiting user | |
37 | sendq, but if there are too many users all doing it at once that may not | |
38 | help. Services' ignore system isn't the best, and I'm hoping to improve it | |
39 | for version 5.1, but no matter how good it gets, it takes a certain amount | |
40 | of resources just to determine whether the message should be ignored or | |
41 | not, and if there are too many messages coming in there's nothing Services | |
42 | can do. | |
43 | ||
44 | Think of this as a new variety of DDoS attack: instead of flooding | |
45 | your servers with pings, the attacker is flooding your Services with | |
46 | messages. In both cases, the only thing you can do is track down the IP | |
47 | address of every bot and ban them all (or try to contact the attacker | |
48 | directly, or get the authorities to help). | |
49 | ||
50 | --Andrew Church | |
51 | <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org</A> | |
52 | <A HREF="http://achurch.org/">http://achurch.org/</A> | |
53 | ||
54 | ><i>Hi guys, | |
55 | </I>><i>We are again experiencing attacks on our services and we are having a lot of difficulty in finding a solution to the attacks. We would appreciate any help you could give us. | |
56 | </I>><i>The logs are below: | |
57 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
58 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set" | |
59 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
60 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
61 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
62 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set" | |
63 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
64 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
65 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set" | |
66 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
67 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set" | |
68 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set" | |
69 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set" | |
70 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
71 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set" | |
72 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
73 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
74 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll" | |
75 | </I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set" | |
76 | </I>><i>A bot of some sort is sending messages to ChanServ and NickServ. Soon after this, the following messages are seen on the server and in the ircservices logs: (These are the messages in the ircservices logs, and below them are the messages shown on the server) | |
77 | </I>><i>[Oct 24 22:25:31 2004] Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs | |
78 | </I>><i>[Oct 24 22:25:31 2004] Network buffer size dropped below inactive threshold (85%), not processing PRIVMSGs normally | |
79 | </I>><i>[Oct 24 22:25:31 2004] Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs | |
80 | </I>><i>[20:31:09] -irc.teklan.com.tr- *** Routing -- from irc.teklan.com.tr: services.teklan.com.tr has processed user/channel burst, sending topic burst. | |
81 | </I>><i>[20:31:10] -irc.teklan.com.tr- *** Routing -- from irc.teklan.com.tr: services.teklan.com.tr has processed topic burst (synched to network data). | |
82 | </I>><i>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs | |
83 | </I>><i>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size dropped below inactive threshold (85%), processing PRIVMSGs normally | |
84 | </I>><i>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs | |
85 | </I>><i>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size dropped below inactive threshold (85%), processing PRIVMSGs normally | |
86 | </I>><i>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs | |
87 | </I>><i>Straight after these messages, we receive this message: | |
88 | </I>><i>[20:32:41] -irc.teklan.com.tr- *** Notice -- Max SendQ limit exceeded for services.teklan.com.tr: 2560046 > 2560000 | |
89 | </I>><i>[20:32:41] -irc.teklan.com.tr- *** Routing -- from irc.teklan.com.tr: :Max Sendq exceeded for services.teklan.com.tr, closing link | |
90 | </I>><i>And the services appear to terminate. When we connect to the server via ssh, we can see that ircservices is still running. 5 to 10 minutes later, the same attack continues but in a different form: | |
91 | </I>><i>Oct 24 22:24:45 2004] nickserv/main: Nwp registered by <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">tgcdhh at 84.234.138.142</A> (<A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">Uicmvu at hotmail.com</A>) | |
92 | </I>><i>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">NickServ at services.teklan.com.tr</A> :register alitopuat <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">JagI at hotmail.com</A> | |
93 | </I>><i>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">NickServ at services.teklan.com.tr</A> :register alitopuat <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">Lszodjh at hotmail.com</A> | |
94 | </I>><i>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">NickServ at services.teklan.com.tr</A> :register alitopuat <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">Xltdl at hotmail.com</A> | |
95 | </I>><i>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">NickServ at services.teklan.com.tr</A> :register alitopuat <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">EADnD at hotmail.com</A> | |
96 | </I>><i>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">NickServ at services.teklan.com.tr</A> :register alitopuat <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">Kqvwiz at hotmail.com</A> | |
97 | </I>><i>This continues for a while and then again the services appear to terminate and later does. How can we prevent this? We currently have over 7000 nicknames registered, which is highly unusual. | |
98 | </I>><i>[22:28:32] -MasteR- Nicknames : 7669 records | |
99 | </I>><i>We would appreciate any help or support that you can give us. | |
100 | </I>><i>Thank you so much for your time and help. | |
128 | </I></PRE> | |
137 | <!--endarticle--> | |
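An added example, not part of the original message and not IRC Services code: a log triage that counts "Ignored message from" entries per nick and pairs each nick with the host recorded on its nickserv/main registration line, which gives the per-bot addresses the reply says have to be banned. The sample lines are constructed, the function name and threshold are assumptions, and the raw log is assumed to write user@host where the archive shows " at ".

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

TS = r"\[(\w{3} +\d+ \d\d:\d\d:\d\d \d{4})\] "
IGNORED = re.compile(TS + r"Ignored message from (\S+): ")
REGISTERED = re.compile(TS + r"nickserv/main: (\S+) registered by \S+?(?:@| at )(\S+)")

def ban_candidates(lines, min_ignored=5):
    """Return [(host_or_None, nick, ignored_total, peak_per_second)], worst first."""
    per_second = defaultdict(Counter)   # nick -> {timestamp: ignored messages}
    host_of = {}                        # nick -> host seen when the nick registered
    for line in lines:
        m = IGNORED.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
            per_second[m.group(2)][ts] += 1
            continue
        m = REGISTERED.search(line)
        if m:
            host_of[m.group(2)] = m.group(3)
    rows = []
    for nick, hits in per_second.items():
        total = sum(hits.values())
        if total >= min_ignored:
            # host is None when the log never shows this nick registering;
            # look it up on the ircd side (e.g. WHOIS) before placing a ban.
            rows.append((host_of.get(nick), nick, total, max(hits.values())))
    return sorted(rows, key=lambda r: -r[2])

def _ignored(clock, nick, n):
    # Constructed line in the shape of the "Ignored message" entries quoted above.
    return [f'[Oct 24 {clock} 2004] Ignored message from {nick}: '
            f'":{nick} P NickServ :info x"'] * n

SAMPLE = (  # constructed sample log; addresses are documentation ranges
    ['[Oct 24 22:24:45 2004] nickserv/main: botA registered by '
     'x@192.0.2.10 (a@example.com)']
    + _ignored("22:25:48", "botA", 6)
    + _ignored("22:25:49", "botB", 3)      # below threshold, not reported
    + _ignored("22:27:08", "botC", 4)
    + _ignored("22:27:09", "botC", 3)      # never registered: host unknown
)

if __name__ == "__main__":
    for row in ban_candidates(SAMPLE):
        print(row)
```
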
138 | <HR> | |
152 | ||
153 | </body></html> |