View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0005550unrealircdpublic2020-02-06 14:052023-06-25 16:04
ReporterLesterClayton Assigned Tosyzop  
PrioritynormalSeverityfeatureReproducibilityalways
Status resolvedResolutionfixed 
PlatformLinuxOSUbuntuOS Version19.10
Product Version5.0.2 
Fixed in Version6.0.4 
Summary0005550: Exempt users from connthrottle
DescriptionThe new ConnThrottle module still activates for IP's which have except ban and/or except throttle in the main unrealircd.conf
Steps To Reproduce1) Install or run UnrealIRCD that has no Reputation database
2) Add config blocks for except throttle and/or except ban for your source IP's
3) Connect multiple clients in quick succession (I've wrtten an IRC Stress Tester client that will connect 1 client every second)
4) Watch ConnThrottle activate.
Additional InformationConnThrottle in action:

[20/02/06 13:28:07 +0100 GMT] -server3- *** Client connecting: SZLWIGLNWXRG ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:08 +0100 GMT] -server3- *** Client connecting: LZXYMNCLKZSG ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:08 +0100 GMT] -server2- *** Client connecting: JYUTQGSVTKVW ([email protected]) [185.x.y.z] {0}
[20/02/06 13:28:09 +0100 GMT] -server3- *** Client connecting: WOOYPMYQFFUP ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:09 +0100 GMT] -server2- *** Client connecting: MOGGWVKQQGGG ([email protected]) [185.x.y.z] {0}
[20/02/06 13:28:09 +0100 GMT] -server1- *** Client connecting: NFARUJVDAMMS ([email protected]) [185.x.y.z] {clients}
[20/02/06 13:28:10 +0100 GMT] -server3- *** Client connecting: YCQPBBVWXXPE ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:10 +0100 GMT] -server2- *** Client connecting: TMNIXDLWUNKL ([email protected]) [185.x.y.z] {0}
[20/02/06 13:28:10 +0100 GMT] -server1- *** Client connecting: CEEZHJWNELIH ([email protected]) [185.x.y.z] {clients}
[20/02/06 13:28:11 +0100 GMT] -server3- *** Client connecting: RLWJJFCMGCRF ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:11 +0100 GMT] -server2- *** Client connecting: CUSDSSLXZLCF ([email protected]) [185.x.y.z] {0}
[20/02/06 13:28:11 +0100 GMT] -server1- *** Client connecting: MWTYYKOZPWFO ([email protected]) [185.x.y.z] {clients}
[20/02/06 13:28:12 +0100 GMT] -server3- *** Client connecting: DCRPLHEGKHEQ ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:12 +0100 GMT] -server2- *** Client connecting: UHKWFUBZTKXM ([email protected]) [185.x.y.z] {0}
[20/02/06 13:28:12 +0100 GMT] -server1- *** Client connecting: RJPMTVDEESJV ([email protected]) [185.x.y.z] {clients}
[20/02/06 13:28:13 +0100 GMT] -server3- *** Client connecting: UABSRJYDPYAG ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:13 +0100 GMT] -server2- *** Client connecting: EBYHSDGKCJST ([email protected]) [185.x.y.z] {0}
[20/02/06 13:28:14 +0100 GMT] -server1- *** Client connecting: VSFVIRWVLPST ([email protected]) [185.x.y.z] {clients}
[20/02/06 13:28:14 +0100 GMT] -server3- *** Client connecting: YHOSIXHETLLN ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:14 +0100 GMT] -server2- *** Client connecting: EKBUVIOFWGHD ([email protected]) [185.x.y.z] {0}
[20/02/06 13:28:15 +0100 GMT] -server1- *** Client connecting: SILRBZGVHRHI ([email protected]) [185.x.y.z] {clients}
[20/02/06 13:28:15 +0100 GMT] -server3- *** Client connecting: LAHKOPDYZGHB ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:15 +0100 GMT] -server2- *** Client connecting: XINTTAQEVUQK ([email protected]) [185.x.y.z] {0}
[20/02/06 13:28:16 +0100 GMT] -server1- *** Client connecting: BIKZHPSJSXSB ([email protected]) [185.x.y.z] {clients}
[20/02/06 13:28:16 +0100 GMT] -server3- *** Client connecting: NAZNJUSHNCQG ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:16 +0100 GMT] -server2- *** Client connecting: JCHQSZLEIHRO ([email protected]) [185.x.y.z] {0}
[20/02/06 13:28:17 +0100 GMT] -server1- *** Client connecting: GVANJJZKRDBO ([email protected]) [185.x.y.z] {clients}
[20/02/06 13:28:17 +0100 GMT] -server3- *** Client connecting: QZUVPYOSCEZL ([email protected]) [10.1.128.101] {0}
[20/02/06 13:28:17 +0100 GMT] -server2- *** Client connecting: ZFGQWPDHGZGE ([email protected]) [185.x.y.z] {0}
[20/02/06 13:28:18 +0100 GMT] -server1- *** [ConnThrottle] Connection throttling has been ACTIVATED due to a HIGH CONNECTION RATE.

On every server:

except ban {
        mask *@10.0.0.0/8;
        mask *@185.x.y.0/24;
        type all;
};

except throttle {
        mask 10.0.0.0/8;
        mask 185.x.y.0/22;
}

This wouldn't ordinarily be an issue, since IRC administrators don't expect (or want) a large amount of clients coming from the same IP, but "except throttle" is there specifically to ignore connections from specific IP's or blocks.
TagsConnThrottle
3rd party modules

Activities

LesterClayton

2020-02-06 16:11

reporter   ~0021285

I've also added Elines for these IP's and it also doesn't help. /stats except shows these new Elines plus the ones from my configs, but ConnThrottle still ignores.

syzop

2020-02-08 10:25

administrator   ~0021291

I suppose we could not count users if they have an 'c' exemption. Or introduce a new type. I will have to think about it.

Not too important, so a low priority item for me. I suggest you disable the module when you are load testing, like I do. Either interactively via /THROTTLE OFF, or by unloading/blacklisting it.

LesterClayton

2020-03-12 19:45

reporter   ~0021366

Thanks for the /throttle off hint :) I'll be able to use that in my load testing. Agreed veeerrryy low priorioty.

syzop

2020-04-12 15:20

administrator   ~0021441

Due to the lower priority I have renamed it to "Exempt users from connthrottle" and changed it from minor to feature. I will probably not look at it anytime soon.

syzop

2023-06-25 16:04

administrator   ~0022925

Forgot to close this....

Fixed as a by product of other work in UnrealIRCd 6.0.4, released in May 2022: https://github.com/unrealircd/unrealircd/commit/3241338cf31dd9d18fd64034088a4517c2ffda1c

See docs for 6.0.4 and later at https://www.unrealircd.org/docs/Connthrottle
Since 'except' is now a mask item you can use IP ranges there and really any other mask item:
set {
        connthrottle {
                /* First we configure which users are exempt from the
                 * restrictions. These users are always allowed in!
                 * By default these are users on IP addresses that have
                 * a score of 24 or higher. A score of 24 means that the
                 * IP was connected to this network for at least 2 hours
                 * in the past month (or minimum 1 hour if registered).
                 * We also allow users who are identified to services via
                 * SASL to bypass the restrictions.
                 */
                except {
                        reputation-score 24;
                        identified yes;
                        webirc yes;
                        ip { 192.168.*; } // <== like this
                }
}

All possibly mask item options are at https://www.unrealircd.org/docs/Mask_item

Issue History

Date Modified Username Field Change
2020-02-06 14:05 LesterClayton New Issue
2020-02-06 14:05 LesterClayton Tag Attached: ConnThrottle
2020-02-06 16:11 LesterClayton Note Added: 0021285
2020-02-08 10:25 syzop Note Added: 0021291
2020-03-12 19:45 LesterClayton Note Added: 0021366
2020-04-12 15:20 syzop Severity minor => feature
2020-04-12 15:20 syzop Summary [ConnThrottle] ignores except ban and except throttle => Exempt users from connthrottle
2020-04-12 15:20 syzop Note Added: 0021441
2020-04-12 15:20 syzop Status new => acknowledged
2023-06-25 16:04 syzop Assigned To => syzop
2023-06-25 16:04 syzop Status acknowledged => resolved
2023-06-25 16:04 syzop Resolution open => fixed
2023-06-25 16:04 syzop Fixed in Version => 6.0.4
2023-06-25 16:04 syzop Note Added: 0022925