[IRCServices] ircservices attacks

Andrew Church achurch at achurch.org
Mon Nov 22 16:52:07 PST 2004


     There's unfortunately no way to completely stop attacks like these,
unless you can isolate the IP addresses that are causing problems and ban
them from your network.  As others suggested, you could try limiting user
sendq, but if there are too many users all doing it at once that may not
help.  Services' ignore system isn't the best, and I'm hoping to improve it
for version 5.1, but no matter how good it gets, it takes a certain amount
of resources just to determine whether the message should be ignored or
not, and if there are too many messages coming in there's nothing Services
can do.

     Think of this as a new variety of DDoS attack: instead of flooding
your servers with pings, the attacker is flooding your Services with
messages.  In both cases, the only thing you can do is track down the IP
address of every bot and ban them all (or try to contact the attacker
directly, or get the authorities to help).

  --Andrew Church
    achurch at achurch.org
    http://achurch.org/

>Hi guys,
>We are again experiencing attacks on our services and we are having a lot of difficulty in finding a solution to the attacks. We would appreciate any help you could give us.
>The logs are below:
>
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"
>[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set" A bot of some sort is sending messages to ChanServ and NickServ. Soon after this, the following messages are seen on the server and in the ircservices logs: (These are 
>the messages in the ircservices logs, and below them are the messages shown on the server) [Oct 24 22:25:31 2004] Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs
>[Oct 24 22:25:31 2004] Network buffer size dropped below inactive threshold (85%), not processing PRIVMSGs normally
>[Oct 24 22:25:31 2004] Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs 
>[20:31:09] -irc.teklan.com.tr- *** Routing -- from irc.teklan.com.tr: services.teklan.com.tr has processed user/channel burst, sending topic burst.
>[20:31:10] -irc.teklan.com.tr- *** Routing -- from irc.teklan.com.tr: services.teklan.com.tr has processed topic burst (synched to network data).
>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs
>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size dropped below inactive threshold (85%), processing PRIVMSGs normally
>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs
>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size dropped below inactive threshold (85%), processing PRIVMSGs normally
>[20:32:11] -irc.teklan.com.tr- *** Global -- from services.teklan.com.tr: Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs
>
>Straight after these messages, we receive this message:
>
>[20:32:41] -irc.teklan.com.tr- *** Notice -- Max SendQ limit exceeded for services.teklan.com.tr: 2560046 > 2560000
>[20:32:41] -irc.teklan.com.tr- *** Routing -- from irc.teklan.com.tr: :Max Sendq exceeded for services.teklan.com.tr, closing link
>
>And the services appear to terminate. When we connect to the server via ssh, we can see that ircservices is still running.
>
>5 to 10 minutes later, the same attack continues but in a different form:
>
>Oct 24 22:24:45 2004] nickserv/main: Nwp registered by tgcdhh at 84.234.138.142 (Uicmvu at hotmail.com)
>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P NickServ at services.teklan.com.tr :register alitopuat JagI at hotmail.com
>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P NickServ at services.teklan.com.tr :register alitopuat Lszodjh at hotmail.com
>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P NickServ at services.teklan.com.tr :register alitopuat Xltdl at hotmail.com
>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P NickServ at services.teklan.com.tr :register alitopuat EADnD at hotmail.com
>[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P NickServ at services.teklan.com.tr :register alitopuat Kqvwiz at hotmail.com
>
>This continues for a while and then again the services appear to terminate and later does. How can we prevent this? We currently have over 7000 nicknames registered, which is highly unusual.
>
>[22:28:32] -MasteR- Nicknames :  7669 records
>
>We would appreciate any help or support that you can give us.
>Thank you so much for your time and help.
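Andrew's advice comes down to one practical step: find which nicks (and, through the registration log, which user@host) are generating the flood, so they can be banned at the network edge rather than handled by Services' ignore code. The following Python script is an added example, not code from this thread or from the IRC Services project. It parses the three kinds of log line quoted in the report ("Ignored message from", "nickserv/main: ... registered by", and the 85% network-buffer warnings), flags any nick that sends more than a configurable number of messages within one log second, and attaches the user@host seen for that nick, if any. The sample log lines, the hostnames, the addresses, and the threshold of 5 messages per second are constructed for the example.

```python
"""Rate-based triage of ircservices log lines (added example, constructed input)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# '[Oct 24 22:27:08 2004] Ignored message from nick: ":nick P NickServ :info foo"'
# (the closing quote is optional because some quoted lines in the report lack it)
IGNORED_RE = re.compile(
    r'^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] '
    r'Ignored message from (?P<nick>\S+): '
    r'":(?P<src>\S+) (?P<verb>\S+) (?P<target>\S+) :(?P<cmd>.*?)"?$'
)
# '[Oct 24 22:24:45 2004] nickserv/main: nick registered by user@host (email)'
REGISTERED_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] nickserv/main: (?P<nick>\S+) registered by (?P<userhost>\S+)'
)
# '[...] Network buffer size exceeded inactive threshold (85%), ...'
BUFFER_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] Network buffer size (?:exceeded|dropped below) inactive threshold'
)


def parse_ignored(line):
    """Return a dict for an 'Ignored message' line, or None for any other line."""
    m = IGNORED_RE.match(line)
    if not m:
        return None
    words = m['cmd'].split()
    return {
        'ts': datetime.strptime(m['ts'], '%b %d %H:%M:%S %Y'),
        'nick': m['nick'],
        # "NickServ@services.host" and plain "NickServ" are the same target
        'target': m['target'].split('@', 1)[0],
        'command': words[0].lower() if words else '',
    }


def triage(lines, per_second_limit=5):
    """Flag nicks that send more than per_second_limit messages in one log second.

    Returns {'offenders': {nick: {...}}, 'buffer_trips': n}. Each offender entry
    carries its peak per-second rate, a Counter of (target, command) pairs and,
    when a registration line was seen for that nick, its user@host.
    """
    per_second = defaultdict(Counter)   # (nick, timestamp) -> Counter of (target, command)
    hosts = {}                          # nick -> user@host from nickserv/main lines
    buffer_trips = 0                    # how often the 85% buffer warning fired
    for raw in lines:
        line = raw.rstrip('\n')
        if BUFFER_RE.match(line):
            buffer_trips += 1
            continue
        reg = REGISTERED_RE.match(line)
        if reg:
            hosts[reg['nick']] = reg['userhost']
            continue
        rec = parse_ignored(line)
        if rec:
            per_second[(rec['nick'], rec['ts'])][(rec['target'], rec['command'])] += 1

    offenders = {}
    for (nick, _), cmds in per_second.items():
        rate = sum(cmds.values())
        if rate <= per_second_limit:
            continue
        entry = offenders.setdefault(
            nick, {'peak_per_second': 0, 'commands': Counter(), 'host': hosts.get(nick)})
        entry['peak_per_second'] = max(entry['peak_per_second'], rate)
        entry['commands'].update(cmds)
    return {'offenders': offenders, 'buffer_trips': buffer_trips}


# Constructed sample in the shape of the lines quoted in the report; the host,
# addresses and services name are placeholders, not values from the thread.
SAMPLE_LOG = [
    '[Oct 24 22:24:45 2004] nickserv/main: Nwp registered by tgcdhh@203.0.113.7 (x@example.invalid)',
    '[Oct 24 22:25:31 2004] Network buffer size exceeded inactive threshold (85%), not processing PRIVMSGs',
    '[Oct 24 22:25:31 2004] Network buffer size dropped below inactive threshold (85%), processing PRIVMSGs normally',
] + [
    '[Oct 24 22:25:48 2004] Ignored message from Nwp: ":Nwp P NickServ@services.example '
    ':register alitopuat mail%d@example.invalid' % i for i in range(6)
] + [
    '[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"',
    '[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"',
    '[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"',
    '[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"',
    '[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P ChanServ :help set"',
    '[Oct 24 22:27:08 2004] Ignored message from fgfsdfsd: ":fgfsdfsd P NickServ :info mrcoll"',
    '[Oct 24 22:27:09 2004] Ignored message from alice: ":alice P NickServ :help"',   # normal user
]

if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    print('buffer threshold trips:', report['buffer_trips'])
    for nick, info in sorted(report['offenders'].items()):
        print(nick, info['host'] or '(host unknown)', info['peak_per_second'], 'msg/s',
              dict(info['commands']))
```

Run against a real ircservices log the threshold should be tuned to the network: a legitimate user rarely sends more than one or two Services commands per second, so anything in the dozens is a bot. Nicks whose host is unknown from the log still need a WHOIS or server-side lookup before a ban; the script only narrows the list, as Andrew's reply says, to the sources worth tracking down.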