software/!RELEASES/ircservices/achurch.org/services/lists/ircservices/2004/004553.html

   1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
   2 <HTML>
   3  <HEAD>
   4    <TITLE> [IRCServices] Attacks on services
   5    </TITLE>
   6    <LINK REL="Index" HREF="index.html" >
   7    <LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20Attacks%20on%20services&In-Reply-To=4107100d.71573%40achurch.org">
   8    <META NAME="robots" CONTENT="index,nofollow">
   9    <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
  10    <LINK REL="Previous"  HREF="004552.html">
  11    <LINK REL="Next"  HREF="004554.html">
  12  </HEAD>
  13  <BODY BGCOLOR="#ffffff">
  14    <H1>[IRCServices] Attacks on services</H1>
  15     <B>Yusuf Iskenderoglu</B>
  16     <A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20Attacks%20on%20services&In-Reply-To=4107100d.71573%40achurch.org"
  17        TITLE="[IRCServices] Attacks on services">uhc0 at rz.uni-karlsruhe.de
  18        </A><BR>
  19     <I>Wed Jul 28 02:01:17 PDT 2004</I>
  20     <P><UL>
  21         <LI>Previous message: <A HREF="004552.html">[IRCServices] Attacks on services
  22 </A></li>
  23         <LI>Next message: <A HREF="004554.html">[IRCServices] Attacks on services
  24 </A></li>
  25          <LI> <B>Messages sorted by:</B>
  26               <a href="date.html#4553">[ date ]</a>
  27               <a href="thread.html#4553">[ thread ]</a>
  28               <a href="subject.html#4553">[ subject ]</a>
  29               <a href="author.html#4553">[ author ]</a>
  30          </LI>
  31        </UL>
  32     <HR>
  33 <!--beginarticle-->
  34 <PRE>The problem they have is, that when such an attack starts,
  35 services after some time stop responding, making the ircd quit the link,
  36 and looking at the table of processes shows, that services sits there
  37 with 99% CPU usage, requiring kill -9 to be shut down.
  38
  39 That attack has a simple appearance:
  40 A set of probably trojaned connections, that even reply to simple CTCP
  41 requests, begin connecting, and floodding services with multiple nick
  42 registration commands, changing nicknames, and floodding again,
  43 quitting, reconnecting, and floodding again.
  44
  45 Just before services start responding, notices arrive that it is not
  46 parsing privmsgs anymore, due to network load, but even then it gets
  47 disconnected.
  48
  49 Interestingly, setting it temporarily to readonly mode helped,
  50 apparently it could response.
  51
  52 Currently we have no solution for this kind of attack, those connections
  53 are not detected by the proxy scanner, we assume that these aren't using
  54 proxies at all.
  55
  56 Temporarily /modunload'ing m_nick.so and /close'ing helps to postpone
  57 the issue :-)
  58
  59 Regards;
  60 yusuf.
  61
  62 On Wed, 2004-07-28 at 13:30, Andrew Church wrote:
  63 &gt;<i> &gt;Hi there, my problem is this, services on our server are constantly shut down. When I look at the services logs, I discover that services are shut down by attacks on the services such as this:
  64 </I>&gt;<i> &gt;What can you recommend that we do to prevent this from happening?
  65 </I>&gt;<i>
  66 </I>&gt;<i>      What exactly is the problem?  From the logs you provide it appears
  67 </I>&gt;<i> Services is functioning normally.
  68 </I>&gt;<i>
  69 </I>&gt;<i>   --Andrew Church
  70 </I>&gt;<i>     <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org</A>
  71 </I>&gt;<i>     <A HREF="http://achurch.org/">http://achurch.org/</A>
  72 </I>&gt;<i>
  73 </I>&gt;<i> ------------------------------------------------------------------
  74 </I>&gt;<i> To unsubscribe or change your subscription options, visit:
  75 </I>&gt;<i> <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">http://www.ircservices.za.net/mailman/listinfo/ircservices</A>
  76 </I>--
  77 ------------------------------------------------------------------
  78 |<i> Yusuf Iskenderoglu                | You get to meet all sorts, |
  79 </I>|<i> eMail - <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">uhc0 at stud.uni-karlsruhe.de</A>| in this line of work...    |
  80 </I>|<i> eMail - <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">s_iskend at ira.uka.de</A>       |                            |
  81 </I>|<i> ICQ UIN : 20587464 \ Slytherin    |                            |
  82 </I>------------------------------------------------------------------
  83
  84
  85
  86 </PRE>
  87
  88 <!--endarticle-->
  89     <HR>
  90     <P><UL>
  91         <!--threads-->
  92         <LI>Previous message: <A HREF="004552.html">[IRCServices] Attacks on services
  93 </A></li>
  94         <LI>Next message: <A HREF="004554.html">[IRCServices] Attacks on services
  95 </A></li>
  96          <LI> <B>Messages sorted by:</B>
  97               <a href="date.html#4553">[ date ]</a>
  98               <a href="thread.html#4553">[ thread ]</a>
  99               <a href="subject.html#4553">[ subject ]</a>
 100               <a href="author.html#4553">[ author ]</a>
 101          </LI>
 102        </UL>
 103
 104 </body></html>