IRC Administration & Defense

There are a lot of things IRC Admins have to deal with in regards to their servers. This tutorial will focus on the protection of the server from malicious attacks and users. First lets have a look at a list of common attacks and problems encountered by IRC servers.

malicious users
bot floods(join-part, idle,ctcp,text)
user/channel floods (text,ctcp,msg etc)

First lets look at malicious users, what they can do, and how to stop them in their tracks. There are many ways individual users can cause problems on servers. Usually its from spamming websites or just generally being an ass. Depending on what kinds of sites are being spammed, a eggdrop bot with a modified badword script can keep people from trying to recruit for sites like Outwar and such. Unfortunately not everyone runs eggdrop bots to maintain chanels, so removing the user has to be done by hand. Here are a few example bans.

#1 /mode #channel +b [email protected]
#2 /mode #channel +b *!*user*!*@AC9EC9BB.ipt.aol.com
#3 /mode #channel +b *!*user*!*@*.ipt.aol.com
#4 /mode #channel +b *!*@AC9EC9BB.ipt.aol.com
#5 /mode #channel +b *!*@*.ipt.aol.com

Ban #1 is okay if you were banning someone who was on a static IP connection such as a T1, or perhaps DSL or Cable. The downfall of this ban is that it requires a specific ident name, so for the user to evade that ban they would just disconnect from the server, change their ident, and reconnect. Also, when using this type of ban on a dialup user like the AOL example, they can disconnect from their ISP, dial back in to recieve a new IP, and then reconnect to get around the ban.

Ban #2 is a bit more useful, it bans all idents from the chanel containing the specified text, so they cant change their ident to get around the ban. Downside is that like the first example is that dialup users can circumvent it rather easily.

Ban #3 covers the downfalls of both #1 and #2 by banning all variations of the ident coming from any AOL address. While this would keep out someone from chaning their ident from JoeUser to JoeUser1, they can still change the entire ident to something random to evade the ban. Also this brings in the chance for users having the banned ident in their hostmask who also come from AOL to be banned by accident.

#4 bans everyone coming from a specific hostmask, which is only useful against someone coming from a static IP, so yet again dialup users can get around this.

#5 is probably the most agressive of the bans, because it blocks everyone from the AOL dialup pool. While this will keep out all the dialup users from that host, it also can potentially keep out users you actually want to talk to. This is best used as a temporary solution to persistant dialup users who dont know how ot use proxies.

And with the mention of proxies, comes the thing that greatly complicates banning malicious users from a IRC server. Those who are really involved with causing havoc on IRC usually have proxies to hide their real IP, or in some cases BNCs or even compromised routers in some cases. As for proxies, the best defense against malicious users is to install a proxy scanner on your server to automatically check users connecting for the use of a proxy, and forbid them to connect.

While banning a user from a channel might prevent the casual annoyance from further trouble, they can still join other channels and continue with their ways. At that point it becomes necessary to take it a step beyond a simple channel ban, and start looking at more capable methods. The first that comes to mind is the Kline, which prevents anyone from the specified hostmask from connecting to that server, but if you have multiple irc servers linked together they can connect to other servers on the network. If said user connects to another server on the network, then a Gline is the next step up, which prevents the specified hostmask from connecting to any server on the network. Another bonus about using Glines is the ablility to give them a time limit, thus allowing temporary bans of users, and removing the need to clear out your Gline list every so often. Also Akill's can be used to prevent users from connecting to networked IRC servers.

Examples
----------------
/kline [email protected] :Reason for the Kline
/gline [email protected] 900 :Reason for Gline (if time is not specified, gline is permenant)
/akill [email protected] :Reason for Akill
/rakill [email protected] (this removes the akill, just as /unkline [email protected] and /gline [email protected] remove klines and glines)
----------------

Also another command that I would like to address is the Shun command. This useful command allows an oper to effectively silence someone from speaking in chanels on a server. Very good for when you need to silence someone who is being a loud mouth but doesnt quite require a ban yet, and like the Gline they can be permenant or timed!

Examples
----------------
/shun JoeUser 900 :go sit in the corner(shuns username for 15 minutes)
/shun [email protected] :no more talking (permenant shun)
/shun -JoeUser or /shun [email protected] (removes the shun)
----------------

Bots are another problem that often plague IRC servers, and can be quite difficult to deal with. They can bring servers down rather quickly if opers and admins dont react quickly and effectively to the threat. One has to gauge how to deal with the bots based on what they are doing, and how fast they are doing it. Sometimes bots just sit on a server and idle, consuming system resources, and other times they can join and part channels repeatedly in whats known as a join-flood. Also some bots use ctcp pings or other actions to create a kind of Denial of Service to slow down the server and/or users on it. Since alot of bot flooders use proxies and other methods to hide the identity of their bots, it can be nearly impossible to ban a large flood of bots quick enough. On slow bot floods its possible to keep them at bay with Kills and Bans if they arent using spoofed hosts. On faster ones, the best thing to do is set a chanel to +i (invite) and invite in actual users as they join. Another way to limit bot floods is with a chanel limit set maybe 5 or so above your current number, so that any any excess bots over that number will not be allowed to join a channel. In instances where opers and admins arent around often, a bot with some protective scripts can help keep the server or channels save from bot floods.

Examples
--------------
/mode #channel +l 25
/mode #channel +i
--------------

Another variety of floods that dont involve bots are when people paste very large ammounts of text into the channel, clogging it and lagging the server depending on its speed and connection to the internet. They can either be set with a manual ban by an oper/op or simply set +f and a limit of say 30:10 meaning a maximum of 30 lines in 10 seconds can be typed by a user before they are banned. Also bots can be used for channel flood protection when ops or opers arent around. I would go into the various uses for bots and the use of services daemons, that alas that would take even more space.

Example
--------------
/mode #channel +f 30:10
--------------

Some of the examples I've given here might differ slightly from one IRCd to another, so play around with it, though for the most part the commands are the same. Also make sure your Oline has the proper flags to use such commands like gline, kline, shun and others.

I would just like to add that with networked servers, banning a person from a ip gets a bit more complicated. In this example there are two servers linked. Server1 and Server2 if your connected to server1 and op'd or opered, simply clicking on the persons name and banning it with right click menu's and such usually doesnt work. The reason is that both servers give the user a hostmask and it will normally ban the hostmask from the server you are connected to. To effectively ban them, you need to do a /whois on the user (example below) to get the proper hostmask to ban. To ban them, you need the hostmask of the server they are connected to.

Cheech is [email protected] * Cheech
Cheech is connecting from *@cust20.pete.broadband.com
Cheech on #lobby
Cheech using irc.unerror.com irc.unerror.com
CheechEnd of /WHOIS list.

From this you can see that if i was to right click and ban cheech that i would ban the top host mask and not the second one which would be the proper ban. Hope this helps and isnt too confusing. Ive seen many ops get frustrated over this, while frustrating to them its somewhat funny

DS> The /whois doesn't work on every server though....many servers you will not be able to get the entire hostname unless you are an oper (ops can't get it)

syini> +l works great for bot floods, but then you are locking out valid users once the bots fill the channel... then what do you do?

souleman > true, setting a limit prevents them from getting in, its really more of a temporary thing to do just to get things stable to start going about a better solution. After setting a limit, I would think the best thing to do would be set +i, kick/kill the bots from the channel, the start inviting the valid users. Not a very fun thing to do, as it requires someone to be around at all times during the duration of the +i to let people in, unless someone was so inclined to write a script for a eggdrop to invite users who are +r into the channel, but thats provided you even run services on the server.

I should have mentioned that part of the tutorial only really applied to admins and opers, since as you pointed out regular chanops cant seen the full whois on a user.

Depending on the server software thats running the ircd, if a channel is +i'd then a user wishing to enter can knock on the channel with /knock #blah This will send an alert to the op's of the channel and then they can /invite JoeUser into the channel, However some bot floods are getting more and more clever and the bots will knock like mad on a i'd channel, So also if an op sets mode +K then knocks are not allowed on a certain channel