<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<TITLE> [IRCServices] ircservices attacks</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20ircservices%20attacks&In-Reply-To=8c98c49f69737e106487338e5becdc9f%40teknet.com.tr">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="004700.html">
<LINK REL="Next" HREF="004705.html">
<BODY BGCOLOR="#ffffff">
<H1>[IRCServices] ircservices attacks</H1>
<A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20ircservices%20attacks&In-Reply-To=8c98c49f69737e106487338e5becdc9f%40teknet.com.tr" TITLE="[IRCServices] ircservices attacks">achurch at achurch.org</A>
<I>Mon Nov 22 16:52:07 PST 2004</I>
<LI>Previous message: <A HREF="004700.html">[IRCServices] Lots of AKILLS kill services</A>
<LI>Next message: <A HREF="004705.html">[IRCServices] Services 5.0.42 released</A>
<LI> <B>Messages sorted by:</B>
<a href="date.html#4701">[ date ]</a>
<a href="thread.html#4701">[ thread ]</a>
<a href="subject.html#4701">[ subject ]</a>
<a href="author.html#4701">[ author ]</a>
<PRE> There's unfortunately no way to completely stop attacks like these,
unless you can isolate the IP addresses that are causing problems and ban
them from your network. As others suggested, you could try limiting user
sendq, but if there are too many users all doing it at once that may not
help. Services' ignore system isn't the best, and I'm hoping to improve it
for version 5.1, but no matter how good it gets, it takes a certain amount
of resources just to determine whether the message should be ignored or
not, and if there are too many messages coming in there's nothing Services
Think of this as a new variety of DDoS attack: instead of flooding
your servers with pings, the attacker is flooding your Services with
messages. In both cases, the only thing you can do is track down the IP
address of every bot and ban them all (or try to contact the attacker
directly, or get the authorities to help).
<A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org</A>
<A HREF="http://achurch.org/">http://achurch.org/</A>
><i>We are again experiencing attacks on our services and we are having a lot of difficulty in finding a solution to the attacks. We would appreciate any help you could give us.
</I>><i>The logs are below:
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
</I>><i>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
</I>><i>A bot of some sort is sending messages to ChanServ and NickServ. Soon after this, the following messages are seen on the server and in the ircservices logs:
</I>><i>(These are the messages in the ircservices logs, and below them are the messages shown on the server)
</I>><i>[Oct 24 22:25:31 2004] Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs
</I>><i>[Oct 24 22:25:31 2004] Network buffer size dropped below inactive threshold (85%), not processing PRIVMSGs normally
</I>><i>[Oct 24 22:25:31 2004] Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs
</I>><i>[20:31:09] -irc.teklan.com.tr- *** Routing -- from irc.teklan.com.tr: services.teklan.com.tr has processed user/channel burst, sending topic burst.
</I>><i>[20:31:10] -irc.teklan.com.tr- *** Routing -- from irc.teklan.com.tr: services.teklan.com.tr has processed topic burst (synched to network data).
</I>><i>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs
</I>><i>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size dropped below inactive threshold (85%), processing PRIVMSGs normally
</I>><i>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs
</I>><i>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size dropped below inactive threshold (85%), processing PRIVMSGs normally
</I>><i>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs
</I>><i>Straight after these messages, we receive this message:
</I>><i>[20:32:41] -irc.teklan.com.tr- *** Notice -- Max SendQ limit exceeded for services.teklan.com.tr: 2560046 > 2560000
</I>><i>[20:32:41] -irc.teklan.com.tr- *** Routing -- from irc.teklan.com.tr: :Max Sendq exceeded for services.teklan.com.tr, closing link
</I>><i>And the services appear to terminate. When we connect to the server via ssh, we can see that ircservices is still running.
</I>><i>5 to 10 minutes later, the same attack continues but in a different form:
</I>><i>Oct 24 22:24:45 2004] nickserv/main: Nwp registered by <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">tgcdhh at 84.234.138.142</A> (<A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">Uicmvu at hotmail.com</A>)
</I>><i>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">NickServ at services.teklan.com.tr</A> :register alitopuat <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">JagI at hotmail.com</A>
</I>><i>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">NickServ at services.teklan.com.tr</A> :register alitopuat <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">Lszodjh at hotmail.com</A>
</I>><i>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">NickServ at services.teklan.com.tr</A> :register alitopuat <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">Xltdl at hotmail.com</A>
</I>><i>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">NickServ at services.teklan.com.tr</A> :register alitopuat <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">EADnD at hotmail.com</A>
</I>><i>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">NickServ at services.teklan.com.tr</A> :register alitopuat <A HREF="http://lists.ircservices.za.net/mailman/listinfo/ircservices">Kqvwiz at hotmail.com</A>
</I>><i>This continues for a while and then again the services appear to terminate and later does. How can we prevent this? we currently have over 7000 nicknames registered, which is highly unusual.
</I>><i>[22:28:32] -MasteR- Nicknames : 7669 records
</I>><i>We would appreciate any help or support that you can give us.
</I>><i>Thank you so much for your time and help.
</I>
</PRE>
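One way to act on the reply's advice to isolate the offending addresses, as an added example that is not part of the original thread or of IRC Services: a Python pass over a Services log that flags nicks flooding within a single second and hosts that register many nicks. The sample lines are constructed in the format quoted in the report; the function name, the thresholds, and the reading of the archive's "user at host" as user@host are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the quoted Services log (not real data).
# Assumption: the archive's "user at host" stands for user@host in the raw log.
SAMPLE_LOG = """\
[Oct 24 22:24:45 2004] nickserv/main: Nwp registered by tgcdhh@192.0.2.10 (a@example.com)
[Oct 24 22:24:46 2004] nickserv/main: Qrs registered by xkfjda@192.0.2.10 (b@example.com)
[Oct 24 22:24:50 2004] nickserv/main: alice registered by alice@198.51.100.7 (alice@example.org)
[Oct 24 22:25:31 2004] Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs
[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P NickServ@services.example.net :register x c@example.com"
[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P NickServ@services.example.net :register x d@example.com"
[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P NickServ@services.example.net :register x e@example.com"
[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
[Oct 24 22:27:09 2004] Ignored message from bob: ":bob P NickServ :help"
"""

STAMP = r"\[(?P<ts>\w{3} +\d+ [\d:]{8} \d{4})\] "
IGNORED = re.compile(STAMP + r"Ignored message from (?P<nick>[^:\s]+):")
REGISTERED = re.compile(STAMP + r"nickserv/main: (?P<nick>\S+) registered by \S+@(?P<host>\S+)")

def ban_candidates(log_text, per_second=3, regs_per_host=2):
    """Return (hosts, unresolved_nicks) worth reviewing for a network ban."""
    burst = Counter()            # (nick, timestamp) -> ignored messages in that second
    nick_host = {}               # nick -> host seen at registration time
    host_nicks = defaultdict(set)
    for line in log_text.splitlines():
        if m := IGNORED.match(line):
            burst[(m["nick"], m["ts"])] += 1
        elif m := REGISTERED.match(line):
            nick_host[m["nick"]] = m["host"]
            host_nicks[m["host"]].add(m["nick"])
    flooders = {nick for (nick, _), n in burst.items() if n >= per_second}
    hosts = {nick_host[n] for n in flooders if n in nick_host}
    # Mass registration from a single host is the second pattern in the report.
    hosts |= {h for h, nicks in host_nicks.items() if len(nicks) >= regs_per_host}
    # Flooding nicks that never registered have no host in this log; their
    # address has to be looked up on the IRC server before they can be banned.
    unresolved = {n for n in flooders if n not in nick_host}
    return sorted(hosts), sorted(unresolved)

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))
```
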