1 <!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 3.2//EN">
4 <TITLE> [IRCServices] Attacks on services
6 <LINK REL=
"Index" HREF=
"index.html" >
7 <LINK REL=
"made" HREF=
"mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20Attacks%20on%20services&In-Reply-To=4107100d.71573%40achurch.org">
8 <META NAME=
"robots" CONTENT=
"index,nofollow">
9 <META http-equiv=
"Content-Type" content=
"text/html; charset=us-ascii">
10 <LINK REL=
"Previous" HREF=
"004552.html">
11 <LINK REL=
"Next" HREF=
"004554.html">
13 <BODY BGCOLOR=
"#ffffff">
14 <H1>[IRCServices] Attacks on services
</H1>
15 <B>Yusuf Iskenderoglu
</B>
16 <A HREF=
"mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20Attacks%20on%20services&In-Reply-To=4107100d.71573%40achurch.org"
17 TITLE=
"[IRCServices] Attacks on services">uhc0 at rz.uni-karlsruhe.de
19 <I>Wed Jul
28 02:
01:
17 PDT
2004</I>
21 <LI>Previous message:
<A HREF=
"004552.html">[IRCServices] Attacks on services
23 <LI>Next message:
<A HREF=
"004554.html">[IRCServices] Attacks on services
25 <LI> <B>Messages sorted by:
</B>
26 <a href=
"date.html#4553">[ date ]
</a>
27 <a href=
"thread.html#4553">[ thread ]
</a>
28 <a href=
"subject.html#4553">[ subject ]
</a>
29 <a href=
"author.html#4553">[ author ]
</a>
34 <PRE>The problem they have is, that when such an attack starts,
35 services after some time stop responding, making the ircd quit the link,
36 and looking at the table of processes shows, that services sits there
37 with
99% CPU usage, requiring kill -
9 to be shut down.
39 That attack has a simple appearance:
40 A set of probably trojaned connections, that even reply to simple CTCP
41 requests, begin connecting, and floodding services with multiple nick
42 registration commands, changing nicknames, and floodding again,
43 quitting, reconnecting, and floodding again.
45 Just before services start responding, notices arrive that it is not
46 parsing privmsgs anymore, due to network load, but even then it gets
49 Interestingly, setting it temporarily to readonly mode helped,
50 apparently it could response.
52 Currently we have no solution for this kind of attack, those connections
53 are not detected by the proxy scanner, we assume that these aren't using
56 Temporarily /modunload'ing m_nick.so and /close'ing helps to postpone
62 On Wed,
2004-
07-
28 at
13:
30, Andrew Church wrote:
63 ><i> >Hi there, my problem is this, services on our server are constantly shut down. When I look at the services logs, I discover that services are shut down by attacks on the services such as this:
64 </I>><i> >What can you recommend that we do to prevent this from happening?
66 </I>><i> What exactly is the problem? From the logs you provide it appears
67 </I>><i> Services is functioning normally.
69 </I>><i> --Andrew Church
70 </I>><i> <A HREF=
"http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org
</A>
71 </I>><i> <A HREF=
"http://achurch.org/">http://achurch.org/
</A>
73 </I>><i> ------------------------------------------------------------------
74 </I>><i> To unsubscribe or change your subscription options, visit:
75 </I>><i> <A HREF=
"http://www.ircservices.za.net/mailman/listinfo/ircservices">http://www.ircservices.za.net/mailman/listinfo/ircservices
</A>
77 ------------------------------------------------------------------
78 |
<i> Yusuf Iskenderoglu | You get to meet all sorts, |
79 </I>|
<i> eMail -
<A HREF=
"http://www.ircservices.za.net/mailman/listinfo/ircservices">uhc0 at stud.uni-karlsruhe.de
</A>| in this line of work... |
80 </I>|
<i> eMail -
<A HREF=
"http://www.ircservices.za.net/mailman/listinfo/ircservices">s_iskend at ira.uka.de
</A> | |
81 </I>|
<i> ICQ UIN :
20587464 \ Slytherin | |
82 </I>------------------------------------------------------------------
92 <LI>Previous message:
<A HREF=
"004552.html">[IRCServices] Attacks on services
94 <LI>Next message:
<A HREF=
"004554.html">[IRCServices] Attacks on services
96 <LI> <B>Messages sorted by:
</B>
97 <a href=
"date.html#4553">[ date ]
</a>
98 <a href=
"thread.html#4553">[ thread ]
</a>
99 <a href=
"subject.html#4553">[ subject ]
</a>
100 <a href=
"author.html#4553">[ author ]
</a>