[IRCServices] Attacks on services

Yusuf Iskenderoglu uhc0 at rz.uni-karlsruhe.de
Wed Jul 28 02:01:17 PDT 2004


The problem they have is that when such an attack starts,
services after some time stop responding, making the ircd quit the link,
and looking at the table of processes shows that services sits there
with 99% CPU usage, requiring kill -9 to be shut down.

That attack has a simple appearance:
A set of probably trojaned connections, which even reply to simple CTCP
requests, begin connecting and flooding services with multiple nick
registration commands, changing nicknames, and flooding again,
quitting, reconnecting, and flooding again.

Just before services start responding, notices arrive that it is not
parsing privmsgs anymore, due to network load, but even then it gets
disconnected.

Interestingly, setting it temporarily to readonly mode helped;
apparently it could respond.

Currently we have no solution for this kind of attack; those connections
are not detected by the proxy scanner; we assume that these aren't using
proxies at all.

Temporarily /modunload'ing m_nick.so and /close'ing helps to postpone
the issue :-)

Regards;
yusuf.

On Wed, 2004-07-28 at 13:30, Andrew Church wrote:
> >Hi there, my problem is this, services on our server are constantly shut down. When I look at the services logs, I discover that services are shut down by attacks on the services such as this:
> >What can you recommend that we do to prevent this from happening?
> 
>      What exactly is the problem?  From the logs you provide it appears
> Services is functioning normally.
> 
>   --Andrew Church
>     achurch at achurch.org
>     http://achurch.org/
> 
-- 
------------------------------------------------------------------ 
| Yusuf Iskenderoglu                | You get to meet all sorts, | 
| eMail - uhc0 at stud.uni-karlsruhe.de| in this line of work...    | 
| eMail - s_iskend at ira.uka.de       |                            | 
| ICQ UIN : 20587464 \ Slytherin    |                            | 
------------------------------------------------------------------
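
Added example, not part of the original message and not code from IRC Services: a per-host sliding-window throttle for the pattern described above, where the same connections keep sending registration commands under changing nicknames. The event tuple layout, the host names and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 60  # seconds of history kept per host (assumed value)
LIMIT = 3    # REGISTER commands accepted per host per window (assumed value)

# Constructed sample events: (unix_time, nick, host, command sent to NickServ)
EVENTS = [
    (100, "alice", "dsl-1.example.net", "REGISTER"),
    (101, "xkq1", "host-a.example.org", "REGISTER"),
    (102, "xkq2", "host-a.example.org", "REGISTER"),  # same host, new nick
    (103, "xkq3", "host-a.example.org", "REGISTER"),
    (104, "xkq4", "host-a.example.org", "REGISTER"),  # 4th inside the window
    (105, "bob", "dsl-2.example.net", "IDENTIFY"),    # not a registration
    (170, "xkq5", "host-a.example.org", "REGISTER"),  # earlier entries expired
]


def throttle(events, window=WINDOW, limit=LIMIT):
    """Return (accepted_events, flagged_hosts).

    Counting is keyed on the host, not the nick, so nick changes and
    quit/reconnect cycles from one source do not reset the counter.
    Dropped attempts still count, so a continuous flood stays throttled.
    """
    recent = defaultdict(deque)  # host -> timestamps of recent REGISTERs
    accepted = []
    flagged = {}                 # host -> time the limit was first exceeded
    for event in sorted(events):
        ts, _nick, host, cmd = event
        if cmd != "REGISTER":
            accepted.append(event)
            continue
        q = recent[host]
        while q and ts - q[0] >= window:
            q.popleft()          # forget attempts older than the window
        q.append(ts)
        if len(q) > limit:
            flagged.setdefault(host, ts)  # drop before any database work
        else:
            accepted.append(event)
    return accepted, flagged


if __name__ == "__main__":
    ok, bad = throttle(EVENTS)
    print(len(ok), "accepted;", "flagged:", bad)
```
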