IkarosBD

[IMPORTANT] IRC network changes


Recently, Kametsu's IRC channel on the Xertion IRC network was subjected to a malicious attack by about 100-200+ spam bots flooding the channel itself. Xertion network staff were able to shut down the attack fairly quickly (*grin*), but the methods we used to do so may have restricted otherwise legitimate users from even joining in the first place. Being a root administrator on Xertion, I decided to create this thread should you find yourself on the receiving end of any of these restrictions we may have to use in the future, should another attack occur.

 

Method 1: Channel Lockdown

The first line of defense to defend the IRC channel from the flooding is to lock the channel down. By this we mean we set so-called channel 'modes' that implement restrictions that make it really difficult for bots to attack the channel. Unfortunately, some of these modes may also block legitimate users (like the IRC regulars here on Kametsu for example) or otherwise interfere with normal channel activity. When this occurs, you'll usually get a message from the server explaining the exact reason why you can't enter the channel. Other restrictions may also be put into place as well at the same time.

 

Such restrictions we may use to thwart bot attacks include:

  • Setting the channel so that only registered users (that is, people who register with the network's NickServ nickname registration/management service) can enter. If this occurs, you'll be told by the server that you need a registered nickname to join the channel. You could attempt to register with NickServ (we have instructions on the IRC network's website), but bear in mind that usually if the registered-only mode is in effect odds are we aren't allowing new NickServ registrations either (so as to prevent bots from flooding NickServ with fraudulent registrations). If you don't already have a NickServ account on the network, your best course of action then is to wait it out. Otherwise you can identify to your account on NickServ, which would then allow you to join.
     
  • Setting the channel so that only registered users can speak - this applies mainly to those of you who are already in the channel when a flood occurs and restrictions are put into effect. It works like the above, except it just stops you from speaking until you are either identified to, or register with, NickServ. Again, like above, the way around this is to identify to NickServ if you have a NickServ account already. Otherwise you're probably going to have to be patient here as well.
     
  • Throttling the amount of people that can join the channel at once - in addition to the above, #Kametsu uses a special channel mode that restricts how many people can join it within a given time period. It is meant to prevent join floods, which large groups of bots all too often do. This will block you from joining if the channel is experiencing a flood of joins from bots. The lockdown time is 1 minute, so try again every so often and you'll probably get in eventually. Again this is also subject to the above restrictions so keep that in mind too.
     
  • Channel bans - although it is highly unlikely, you MAY find yourself being told by the server you are banned from the channel. If this is the case, and the ban was NOT already there to begin with, please contact either myself or Koby via private message for assistance as you were probably caught up in a wider/broad ban meant to help control the flooding. Again this only applies to the IRC channel, NOT the forums!

 

If you are affected by any of the above, and there is an active attack ongoing on the network affecting #Kametsu, then either Koby or myself will post status updates - located on the right-hand side of the forum's front page. Keep subscribed to these updates for any relevant information.

 

 

Method 2: DNS blocklists

In addition to the above restrictions, we also make use of DNS blocklist checking on connecting users. These lists are used to help prevent potentially malicious users or bots from connecting to the network in the first place, and are in constant use 24/7 on the entire network. While these blocklists operate really well and do a really good job of keeping malicious bots off the network, unfortunately on occasion these checks may also affect an otherwise innocent user. If you find yourself almost immediately disconnected from the network with a message stating you're listed on some RBL/blocklist/DNSBL/etc, then I want you to come here to the forum and send me a private message to let me know. Give me the exact "ERROR:" line your IRC client gives you along with the ban message, and I will happily investigate and see if I can get you connected. It is unfortunate, but it is a necessary security measure. The odds of this actually happening to innocent users are low, but definitely not zero, so I want to be sure anyone here that gets hit by one of these DNSBL/RBL network bans notifies me immediately.

 

 

Method 3: Network Lockdown

If channel controls are not sufficient to deal with the flooding, and/or it's more widespread, we may have to resort to locking down the network itself. This will usually end up with you being almost immediately disconnected from the IRC network with the message "This network is temporarily not accepting connections, please try again later.". This means we have temporarily blocked all new connections for a little while in an attempt to shut down bot connections. If you receive this error, wait about 5-10 minutes, then try again, as this is never a permanent state. If you continue to get this message, try again every 5-10 minutes or so until you can connect successfully.

 

 

If you have any questions or concerns, feel free to post them here. Given the situation we faced the other day I feel this thread is the least I can do to assist with anyone that might be affected by this should it occur again.

Edited by IkarosBD
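The join throttle described under Method 1, modelled as an added example (this is not part of the original post and not the network's own code). The threshold of 5 joins per 10 seconds and the names `JoinThrottle` and `simulate` are assumptions; only the 1-minute lockdown comes from the post.

```python
from collections import deque


class JoinThrottle:
    """Sliding-window join limiter with a fixed lockdown period."""

    def __init__(self, max_joins=5, window=10.0, lockdown=60.0):
        self.max_joins = max_joins   # assumed threshold, not from the post
        self.window = window         # assumed window, in seconds
        self.lockdown = lockdown     # 1 minute, as stated in the post
        self._recent = deque()       # timestamps of accepted joins
        self._locked_until = 0.0

    def try_join(self, now):
        """Return (allowed, seconds_until_retry) for a join at time `now`."""
        if now < self._locked_until:
            return False, self._locked_until - now
        # Drop joins that have aged out of the window.
        while self._recent and now - self._recent[0] >= self.window:
            self._recent.popleft()
        if len(self._recent) >= self.max_joins:
            # Burst detected: refuse everyone, bots and regulars alike.
            self._locked_until = now + self.lockdown
            self._recent.clear()
            return False, self.lockdown
        self._recent.append(now)
        return True, 0.0


def simulate():
    """Constructed timeline: ten bot joins 0.1 s apart, then one regular."""
    throttle = JoinThrottle()
    bot_outcomes = [throttle.try_join(i * 0.1)[0] for i in range(10)]
    return {
        "bots_admitted": sum(bot_outcomes),
        # A legitimate user tries during the lockdown, then after it ends.
        "regular_at_30s": throttle.try_join(30.0),
        "regular_at_61s": throttle.try_join(61.0),
    }


if __name__ == "__main__":
    print(simulate())
```

The first few joins of a burst still get through before the limit trips, which is why the throttle is paired with the registered-only modes rather than used alone.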

So I've removed my school's IP address from CBL (for now) like 2 days ago, and just confirmed it. I'm still banned from IRC. Is there anything else that I can do other than running a VPN?

3 hours ago, deanzel said:

So I've removed my school's IP address from CBL (for now) like 2 days ago, and just confirmed it. I'm still banned from IRC. Is there anything else that I can do other than running a VPN?

 

@deanzel I can remove the ban if it's delisted off the CBL, you need only contact me directly.

 

EDIT: Z-Line removed from your university IP. Verify for me please.

Edited by IkarosBD
Updated with confirmation

This topic is now closed to further replies.
