View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0003862 | unreal | ircd | public | 2009-07-28 09:55 | 2010-02-13 14:13 |
| Reporter | glitch | Assigned To | |||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Platform | unix | OS | DEB | ||
| Product Version | 3.2.8 | ||||
| Summary | 0003862: Unknown connections fix | ||||
| Description | someone has found a neat way to DOS unreal by redirecting a users HTTP post data to the unreal IRCD connection port, this floods out the connections maxing them makign it impossible for additional users to connect.. i suggest that if anything OTHER then NICK / USER / PONG / or PASS should instantly kill the connection (no client should send any data upon connecting except for those commands) my server has been getting dosd like this for the last 7 months. im sick of it and i can't type /close every 30 seconds.. perhaps this cna be a bugfix in the next release of unreal | ||||
| Tags | No tags attached. | ||||
| 3rd party modules | |||||
|
|
the set::anti-flood::unknown-flood options won't work to fix this as the flooders aren't sending enough data to even trigger on 1kb of text but they ARE sending atleast a single line a peice.., i also suggest only giving clients 10 seconds auth before killing them for failure ot register. either way this is somethign important and needs fixing. by the way that someone happens to be motherless.com, they redirect all their traffic to my unreal connection ports by the thousands.. |
|
|
When a browser connects to a website, they do not send much at all. IIRC they send HTTP protocol version, browser version, domain connecting to, and page requested (with POST information if redirected from a form). If there are so many hits on this page that it is filling your unknown connections, the immediately closing the connection may only be a temporary solution. You need to find the websites doing this and send their hosts abuse department an email. Most sites used in such a way are on free hosts and this is definitely a violation of their TOS. |
|
|
> i also suggest only giving clients 10 seconds auth before killing them for failure ot register. You can configure this in include/config.h. Change the value for CONNECTTIMEOUT, but be sure to read the comment above it and choose a value carefully. Once change, re-run make and if needed make install. Restart your IRCd and the new timeout value will be used. |
|
|
We cannot just kill a client if they send some unknown command. I don't know if it's illegal by RFC, but it certainly would frustrate any addition of commands (like HANDSHAKE, and stuff) in the future. So that won't be done. We also cannot close connections too fast if clients are not registered yet, see Stealth's command. Sure, YOU can configure it that way if you want to (feel free to do so), but it's not going to be a default setting to kill any client not registering in 10 seconds. There are plenty of (legit) possibilities why a client does not register in 10 seconds. And, of course, our unknown flood thing protects against large post of data (to some extent). In your case, I would rather suggest a small module that kills any client sending a POST (or GET), perhaps even putting a zline in place. That would be simple to write. And perhaps, we could also integrate that in Unreal. Of course, as Stealth already said, if there are a lot of connection attempts per second, then these solutions might also be insufficient. After all, it's difficult to protect against DDoS. |
|
|
Try http://www.vulnscan.org/tmp/m_banme.c (download to Unreal3.2/src/modules, and then run from Unreal3.2 directory: make custommodule MODULEFILE=m_banme and load the module ofcourse...) |
|
|
solved through 3rd party module // but got no feedback at all |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2009-07-28 09:55 | glitch | New Issue | |
| 2009-07-28 10:20 | glitch | Note Added: 0015903 | |
| 2009-07-28 10:24 | glitch | Note Edited: 0015903 | |
| 2009-07-28 13:26 | Stealth | Note Added: 0015904 | |
| 2009-07-28 13:46 | Stealth | Note Added: 0015905 | |
| 2009-09-12 16:07 | syzop | Note Added: 0015929 | |
| 2009-09-12 16:08 | syzop | QA | => Not touched yet by developer |
| 2009-09-12 16:08 | syzop | U4: Need for upstream patch | => No need for upstream InspIRCd patch |
| 2009-09-12 16:08 | syzop | U4: Upstream notification of bug | => Not decided |
| 2009-09-12 16:08 | syzop | U4: Contributor working on this | => None |
| 2009-09-12 16:08 | syzop | Product Version | 3.2.9-RC1 => 3.2.8 |
| 2009-09-12 17:00 | syzop | Note Added: 0015930 | |
| 2009-09-12 17:00 | syzop | Note Edited: 0015930 | |
| 2010-02-13 14:13 | syzop | Note Added: 0016021 | |
| 2010-02-13 14:13 | syzop | Status | new => closed |
| 2010-02-13 14:13 | syzop | Resolution | open => fixed |
