  1. #1

    Why does everyone think small IRC nets will get Dos'd?

    This is pretty lame that no companies allow IRCd anymore because they think they will get Dos'd...

    The only places this is going to happen to is a huge irc network like EFNet, not a small network like most people want to run... I find this frustrating.

  2. #2
    Join Date
    Jul 2002
    Posts
    44

    Experience

    I obviously can't speak for anyone but myself, but in my experience, at least 3/4 of all DOS/DDOS attacks are IRC related.

    While it may be that only a small fraction of irc servers get attacked, a large fraction of the attacks are related to IRC.

    If you're a provider, and the vast majority of your clientele aren't interested in IRC, then it makes perfect business sense to ban IRC -- reduce the outages and slowness on your network in order to make the vast majority of your clientele happy. Why suffer for what amounts to peanuts?

  3. #3
    Join Date
    Jan 2003
    Location
    Wisconsin
    Posts
    367
    Have you looked at going with a shell provider? There are plenty that allow IRCDs, a lot of which are stable as well.

  4. #4
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    4,845
    I had the same problem man. My IRC server is tiny, maybe 40 people, but no one wants to host it. For the size, it wasn't even worth it to get a shell and host it off that.

    In the end, I hit my friends up for older comp parts (a celly 266) and just run my server off my DSL. Tossed UnrealIRCD on it, alongside Debian SID. Works great.

    ~Francisco
    BuyVM - OpenVZ & KVM Based VPS Servers - Chat with us
    - All popular VPN methods supported
    - Affordable offloaded MySQL & DDoS protection
    - 5GB backup space, unmetered private LAN bandwidth & native IPv6 included. All with a strong serving of pony

  5. #5
    Join Date
    Oct 2002
    Location
    In a house
    Posts
    949

    Re: Why does everyone think small IRC nets will get Dos'd?

    Originally posted by thegreatzeit
    This is pretty lame that no companies allow IRCd anymore because they think they will get Dos'd...
    It's not that we "think it" it's that we *know it*. It's inevitable, if you're allowing IRC, that it's going to happen. 9/10 times a box that gets DDOS'd, is either:
    * running IRC (all encompassing bots, etc.)
    * hosting a hate / controversial site
    * fraudulent activity (stolen CC's, etc.)

    Unfortunately, there's no way for us to prescreen what's going to happen before it does, but, because of its historical nature, most providers are either ALL IN or ALL OUT with IRC. Those that do allow for it, typically provide little - no SLA. Atjeu is a prime example of this, running dual networks, completely independent of themselves, one has an SLA, the other, provides 0 uptime guarantee as to service levels pertaining to the network (from what I have previously read). We wish we could allow for these types of services, however, they run too great of a risk, therefore one that we're not willing to take.

    Thanks,

  6. #6
    Join Date
    Mar 2003
    Location
    Charlotte, NC
    Posts
    2,760
    I absolutely agree with what Matt stated. At my old company, one client decided to run IRC on his server - it wasn't linked to any IRC networks, but it was DOSed anyway, causing around 60Mbps extra bandwidth on a switch during peak hours, and screwing over innocent clients on that same VLAN. Our own box was DOSed twice (with no IRC, and on an unused IP) from random cable and DSL modems around the world, causing up to 80Mbps of traffic. IRC isn't the only thing that gets DOSed, but it is more likely to. Also, hosts can't screen to make sure that the IRC channels aren't linked to large networks. It's much easier to ban IRC altogether in order to protect their network and their clients' servers.

    -Josh

  7. #7
    Join Date
    Mar 2003
    Location
    New Jersey
    Posts
    1,277

  8. #8
    Join Date
    Nov 2001
    Location
    The South
    Posts
    5,403
    EV1 still (I believe) lets you run a single IRC server as long as it does not network with other irc servers (making an irc network).
    Gary Harris - the artist formerly known as Dixiesys
    resident grumpy redneck

  9. #9
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,034
    Yeah, ircd is the main target for attacks but I don't think it's plausible for hosts to be banning it. What would happen if all providers banned IRC related hosting?

    Would we just be left with sponsored servers only?

    Luckily there are a few providers out there that still allow ircd.

  10. #10
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Last night I had to deal with a 5000 bot attack on a small IRC network for shelltopia. It happens, it happens all the time.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  11. #11
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,034
    ircds are the biggest % of attacks, there is no denying that, but running one doesn't guarantee an attack. For hosts to be banning them before they are even ordered is what I feel is going too far.

  12. #12
    Originally posted by thelinuxguy
    Last night I had to deal with a 5000 bot attack on a small IRC network for shelltopia. It happens, it happens all the time.
    All different hosts? Many of the power IRCd's such as Hybrid allow you to limit connections based on IP and host.

  13. #13
    Originally posted by thegreatzeit
    All different hosts? Many of the power IRCd's such as Hybrid allow you to limit connections based on IP and host.
    Yes, you never heard of botnets
    Then I don't think you should consider running an IRCD.
    Linux/CPanel/WHM Tutorials & How-Tos
    Dedicated Server Tutorials

  14. #14
    Originally posted by ToddW
    Yes, you never heard of botnets
    Then I don't think you should consider running an IRCD.
    Pfft.. please... I helped run an irc network of 500 users from '96 to '00. Go roll your eyes elsewhere..

    ..I didn't say I've never heard of them, or experienced them.. I simply asked what kind..

  15. #15
    Originally posted by thegreatzeit
    Pfft.. please... I helped run an irc network of 500 users from '96 to '00. Go roll your eyes elsewhere..

    500 yay

    ..I didn't say I've never heard of them, or experienced them.. I simply asked what kind..
    Your reply showed the lack of knowledge of how botnets work and how attacks happen, you simply stated most ircds prevent multiple users from logging in more than once.. well DUH. Do you know how many 'hacks/backdoors/virii' connect a fully controllable irc client to the 'hackers' given network? Apparently you didn't or you wouldn't have had to ask such a ridiculous question...

    A lot of networks/ircds can detect quick connections 1 after another no matter the host but they don't auto-disconnect them normally.
    Linux/CPanel/WHM Tutorials & How-Tos
    Dedicated Server Tutorials

  16. #16
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Originally posted by thegreatzeit
    All different hosts? Many of the power IRCd's such as Hybrid allow you to limit connections based on IP and host.


    Yes, all different hosts, and yes I know about those features.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  17. #17
    Join Date
    Dec 2002
    Location
    US
    Posts
    517
    As Todd said, that feature would do no good. The best thing to do during a DoS is make sure the server is as up to date as possible and not responding to pings, running a software firewall and, if possible, hardware as well. This coming from a person who runs a 30,000 user network as opposed to a 500 user.

  18. #18
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Nessun, a software firewall won't go real far with SYN floods. ICMP flooding is about gone, lots of routers nowadays block ICMP floods.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  19. #19
    Join Date
    Dec 2002
    Location
    US
    Posts
    517
    ya we rarely get any icmp anymore and the trouble with syn is they often rape the server processor.

  20. #20
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Well, it depends on what the syn flood is attacking as to how much it will affect processor.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  21. #21
    Join Date
    Nov 2001
    Location
    The South
    Posts
    5,403
    Originally posted by thegreatzeit
    All different hosts? Many of the power IRCd's such as Hybrid allow you to limit connections based on IP and host.
    Limit all the connections you want at the server, if you're hit by 5000, heck even 500 bots, it'll probably halt your network flow.
    Gary Harris - the artist formerly known as Dixiesys
    resident grumpy redneck

  22. #22
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Originally posted by Dixiesys
    Limit all the connections you want at the server, if you're hit by 5000, heck even 500 bots, it'll probably halt your network flow.
    Not always, shelltopia got hit with 5000 last night, and there was noticeable lag but nothing that really lagged shelltopia's eggdrops or bncs.

    wanted to post how you can block a dos attack if anyone is interested

    first we determined which ip(s) were getting attacked with

    netstat -n | more

    and then

    netstat -n | grep IP | wc -l

    to find out how many connections
    then we found out what client it was

    netstat -lntpe | grep ip

    then

    ps aux | grep PID
    then we blocked access to port 6667 on the ip that was getting hit

    iptables -A INPUT -i eth0 -d IP -p tcp --dport 6667 -j DROP
    that dropped the attack and all was well. Please note this is not the easiest / best way to do it but it shows people various commands, consider it a learning tool.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
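
An added example, not part of the original post or any poster's code: the same triage done in one pass over `netstat -n` output, run here on constructed sample data (RFC 5737 documentation addresses, 40 sources standing in for the thousands described). It also counts connections per source, which shows why the per-IP connection limits raised earlier in the thread do not trigger when every bot connects once; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: 40 distinct sources, one connection each, to the IRC
# listener on 192.0.2.10, plus a little ordinary traffic on other sockets.
sample_netstat() {
  echo 'Active Internet connections (w/o servers)'
  echo 'Proto Recv-Q Send-Q Local Address Foreign Address State'
  i=1
  while [ "$i" -le 40 ]; do
    if [ "$i" -le 25 ]; then state=ESTABLISHED; else state=SYN_RECV; fi
    printf 'tcp 0 0 192.0.2.10:6667 198.51.100.%d:%d %s\n' \
      "$i" "$((40000 + i))" "$state"
    i=$((i + 1))
  done
  echo 'tcp 0 0 192.0.2.11:6667 203.0.113.5:51000 ESTABLISHED'
  echo 'tcp 0 0 192.0.2.11:6667 203.0.113.5:51001 ESTABLISHED'
  echo 'tcp 0 0 192.0.2.11:6667 203.0.113.9:51002 ESTABLISHED'
  echo 'tcp 0 0 192.0.2.10:22 203.0.113.20:52000 ESTABLISHED'
}

# Connections per local IP on one port, busiest first. Output: "count ip".
# Replaces paging through netstat and then grep IP | wc -l for each address.
per_local_ip() {  # $1 = port; netstat -n output on stdin
  awk -v port="$1" '$1 ~ /^tcp/ {
      n = split($4, a, ":")
      if (a[n] == port) { sub(":" port "$", "", $4); c[$4]++ }
    }
    END { for (ip in c) print c[ip], ip }' | sort -rn
}

# For one local ip:port print "total distinct_sources max_from_one_source".
# max_from_one_source is the number a per-IP connection limit compares against.
source_stats() {  # $1 = local ip:port; netstat -n output on stdin
  awk -v dst="$1" '$1 ~ /^tcp/ && $4 == dst {
      src = $5; sub(/:[0-9]+$/, "", src); total++
      if (!(src in c)) distinct++
      if (++c[src] > max) max = c[src]
    }
    END { print total + 0, distinct + 0, max + 0 }'
}

# TCP states seen on one local ip:port (many SYN_RECV suggests a SYN flood,
# many ESTABLISHED suggests clients completing the handshake).
state_counts() {  # $1 = local ip:port; netstat -n output on stdin
  awk -v dst="$1" '$1 ~ /^tcp/ && $4 == dst { s[$6]++ }
    END { for (k in s) print k, s[k] }' | sort
}

# Print, without executing, the DROP rule from the post for the chosen target.
drop_rule() {  # $1 = ip, $2 = port, $3 = interface
  printf 'iptables -A INPUT -i %s -d %s -p tcp --dport %s -j DROP\n' \
    "$3" "$1" "$2"
}

# On a live host, pipe `netstat -n` into these functions instead.
target=$(sample_netstat | per_local_ip 6667 | head -n 1 | awk '{ print $2 }')
echo "busiest IRC listener: $target"
echo "total / distinct sources / max per source:" \
  "$(sample_netstat | source_stats "$target:6667")"
sample_netstat | state_counts "$target:6667"
drop_rule "$target" 6667 eth0
```

The rule is only printed so it can be reviewed before it is applied.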

  23. #23
    Originally posted by ToddW
    Your reply showed the lack of knowledge of how botnets work and how attacks happen, you simply stated most ircds prevent multiple users from logging in more than once.. well DUH. Do you know how many 'hacks/backdoors/virii' connect a fully controllable irc client to the 'hackers' given network? Apparently you didn't or you wouldn't have had to ask such a ridiculous question...

    A lot of networks/ircds can detect quick connections 1 after another no matter the host but they don't auto-disconnect them normally.
    You're right, excuse my ignorance.

    It's very obvious that you are going places in life, with women never far behind. I'm an idiot, a fool, a moron. I really do deserve to die.. I was bested by the best, Todd - and that's you.

    As you continue your quest in world domination, I wish you best, even though you probably won't lead it.

    You are a born leader, a dictator, someone who commands power, I was moronic to think I could best the illustrious Todd who has riches, fame and women far beyond my wildest dreams... go forth Todd... command your kingdom!

  24. #24
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    thegreatzeit, ignore people like that it just raises blood pressure =)
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  25. #25
    Join Date
    Jul 2003
    Location
    London UK
    Posts
    327
    Blocking/limiting/dropping the DoS at the server is somewhat missing the point!

    The traffic will still be entering the provider network all the way up to the server.

    For the provider this means:

    * Degraded performance for other customers

    * Potential large bandwidth bill

    * Hassle to get the incoming traffic filtered/nullrouted further upstream

    I once had someone ask me if they could use IRC, and basically saw it would be no problem for us to allow that because "your techs would be on hand 24x7 to null route any traffic".
    Paul Civati
    Rack Sense Ltd UK Managed Services Provider
    Views expressed are my own and not those of the company.

  26. #26
    Join Date
    Mar 2004
    Location
    Belgium
    Posts
    5
    I think it just differs from the datacenter & the host himself. Some datacenters are well firewalled, others have a crappy firewall with constant DDoSes, experienced it enough myself.

  27. #27
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,034
    The way I have always seen it, no offense intended, is that providers who allow ircd are willing to nullroute or filter traffic when needed and generally have a better network. Providers who don't allow ircd could be 1 of many things.

    1 - they got a poor network, any outage even if 5 mins long will be noticed on an ircd server.

    2 - they are running on an extremely tight profit margin, so a DDoS could put them in the red.

    3 - they are lazy, and don't want to be filtering out DDoS attacks or nullrouting traffic.

    I am talking about datacentres here and resellers of dedicated boxes, of course someone who is just selling webhosting is a different matter and that I got no problem with.

  28. #28
    Join Date
    Aug 2002
    Location
    DC
    Posts
    3,635
    So you mean to tell me that both ThePlanet/ServerMatrix and EV1 have a poor network? Or maybe a single DOS attack could make them lose all profits? Or maybe they're all just lazy, that must be it. Risk analysis is just a simple part of business.

    - Matt

  29. #29
    Join Date
    Jan 2003
    Location
    Europe
    Posts
    234
    Originally posted by Dixiesys
    EV1 still (I believe) lets you run a single IRC server as long as it does not network with other irc servers (making an irc network).
    Nope. No IRC servers at all.

  30. #30
    Join Date
    Jun 2003
    Location
    Dallas/Fort worth
    Posts
    57
    The real reason why small IRC networks get a huge amount of DoS is simply because people have egos.

    Take for instance a 14 year old kid who has nothing better to do than to sit at home on his computer and code a new bot...maybe it's a hobby...or a class project...or whatever the case may be. They then discover information from services like Bugtraq, Security Focus, and USENET on the latest exploits/hacks/other trojans from these places and think.."Hey, I wonder what it would be like..."

    Then enter in the IRC staff...network admin, server admin...whatever. Scriptkiddie connects to the network and says "I want to be an oper for your server" and the admin politely says "No...we have enough."

    Then Scriptkiddie's feelings are hurt and he feels inferior to the people actually running the network. Scriptkiddie decides he's going to prove a point and loads up his new little creation and sets the sights directly onto the small IRC network.

    You think this is not a typical case? Meet some of the people I've met in running IRC networks for the last 6 years and you would understand.

    As far as hosting is concerned...no one really wants to take the time to be able to deal with that kind of issue. Whether it be knowledge, staff, or costs, most providers (shell providers included) feel that handling DoS attacks isn't something they really should have to put up with.

    The only company that I've seen to be able to effectively handle denial of service attacks is Foonet. No other company was or is capable of handling that type of filtering...real time...without learning the exact intricacies of how a lot of these bots work.

    I'm not ragging on anyone here...it just seems to me that a lot of people are bashing a medium without really understanding how it works and what its continued potential is.

  31. #31
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,034
    I remember a few years back when shells were selling bnc's the selling point was let the shell take the attack instead of your connection. Nowadays if your process gets DDoS'ed it's grounds for account termination.

  32. #32
    What's funny, and what made me decide shell hosting / IRC wasn't worth the hassle, is that the average IRC type client thinks paying more than 1.00 a month for a shell with 10 processes and a full blown IRCd on it is a ripoff. Yet they want 24-7 support, 1000 vhosts and a fully qualified network engineer ready to null route at a moment's notice. Supply and demand mean nothing when the demandee isn't willing to pay the supplier's costs.
    www.fxpbackup.com
    www.volohost.net
    Gnax dedicated servers and backup solutions.

  33. #33
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,034
    Well, shell hosting and dedicated boxes are two different things, I wouldn't expect much from a 1.00 a month shell account.

    I see your point about cheap shell accounts.

  34. #34
    Join Date
    Jun 2003
    Location
    Dallas/Fort worth
    Posts
    57
    When I started with Phix-Net a long time ago...I was paying $50 a month to have 1 ircd process and a services process.

    You can't expect much from a $1.00 a month shell.

  35. #35
    Join Date
    Oct 2003
    Location
    Chicago, Illinois
    Posts
    110
    There are still quite a few providers who allow IRC, and are fairly good with filtering out Denial of Service attacks.

    Peer1 allows IRC hosting, and they are VERY quick at filtering it out within minutes of the attack. For instance, today, a friend's server got hit with a >100mbps attack, Peer1 had it filtered within a few minutes, and it only cost him 22.something gigabytes.

    There's also Hurricane Electric, however I do not know how quick they are when filtering out attacks.
    John Kata

  36. #36
    We allow IRC traffic and I'll tell you from a provider perspective - the effort that goes into preventing and managing DoS attacks is far beyond the scope of what most companies have any interest in pursuing.

    Regarding how to secure your box / shield it a little from DoS - if you try to prevent DoS only at the server, you've already lost. You need a few things - some of which can be handled by your upstream provider on request - some of which are handled at the router/firewall. IP null-routing is one and blocking IRC on the main server keeps the box online. Firewalls catch the stragglers that do creep in and of course - pattern-matching and packet filtering is an awesome addition to any IRC network IMO, but all in all - IRC is a hugely untapped market. I'm not complaining of course. The fewer providers who offer IRC, the more demand there is for those who do - and that's always a good thing in my book.
    Adam Lawson - AQORN
    OpenStack Professional Services. Commercial Support. Open-Source Cloud Management
    Official OpenStack Foundation Member & Corporate Sponsor
    Our Clients: AT&T | Cisco | Juniper | SAP | Autodesk | SUSE | Ubuntu

  37. #37
    Many companies simply focus on quality enough not to risk even VERY intermittent interruptions to consistency of service. Such interruptions are nearly inevitable even with the most concisely designed response systems.

    Each company has its market and focus as well as technical capabilities to combat such incidents, the more competent of which can limit moderate DoS attacks to simple lag spikes and extremely brief network segment interruptions of service.

    Other organizations find even such moderate degradations of service to be unacceptable to their respective client bases.

  38. #38
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    Most IRC DDoS is provoked: The users that get DDoSed are the ones that fight with other users, the ones that don't are the ones that keep to themselves. Granted there is the occasional situation where someone else tries to start the fight, as long as you remain neutral and don't try to fight back against the packet children, they'll usually run off and find someone else to play with at some point or another.

    The DDoS that actually becomes problematic is the DDoS that is continually provoked, whether it be through counter attacks or doing other things like calling authorities, or the kids' parents for that matter. Most pre-teens don't take too kindly to such measures.

  39. #39
    Originally posted by Chrysalis
    The way I have always seen it, no offense intended, is that providers who allow ircd are willing to nullroute or filter traffic when needed and generally have a better network. Providers who don't allow ircd could be 1 of many things.

    1 - they got a poor network, any outage even if 5 mins long will be noticed on an ircd server.

    2 - they are running on an extremely tight profit margin, so a DDoS could put them in the red.

    3 - they are lazy, and don't want to be filtering out DDoS attacks or nullrouting traffic.

    I am talking about datacentres here and resellers of dedicated boxes, of course someone who is just selling webhosting is a different matter and that I got no problem with.
    Fascinating.

    This forgets the most important part of the equation - the client's ability to pay.

    If a client can pay for the usage, I am quite certain that any sort of legal usage can be accommodated by any of the providers whose network does in fact have multiple gigabits of Internet transit, does in fact use real backbones, does have an engineering group that understands design and deployment and does not create pricing plans that are based on the assumption that no one uses the bandwidth that provider advertises.

  40. #40
    Join Date
    Dec 2003
    Location
    Cloudville
    Posts
    149

    Re: Why does everyone think small IRC nets will get Dos'd?

    It's not lame, cithosting got shut down by the FBI because of good old IRC...

    Dear Customers of FOONET/CIT:

    We regret to inform you that on Saturday February 14, 2004 at approximately 8:35 am EST, FOONET/CIT's data center in Columbus, Ohio temporarily ceased operations.

    Here are the facts of what occurred:

    The FBI executed a search warrant issued by the United States District Court for the Southern District of Ohio regarding the IRC network that we host. According to the warrant, it appears that the Bureau is investigating whether someone hosted on our network hacked and attacked someone else.

    After several hours of attempting to track down, inspect and audit the terabytes of data that we host, the FBI determined that it was more efficient (from their point of view) to remove all of our servers and transport them to the FBI local laboratories for inspection. This was completed at 7:00 pm EST same day.

    The FBI has assured us that as soon as the data has been safely copied and inspected, the equipment will be promptly returned. Unfortunately, the FBI has not been able to tell us when they will be completed with their inspection.

    We have been told by the Special Agent in charge of the investigation that if you need access to your data you are asked to please contact the Bureau via email to [email protected]. Make sure to include in your email your name, mailing address, and telephone number with area code.

    Since we wish to focus 100% of our efforts on restoring services, we would appreciate it very much if you do not attempt to contact us directly. Please rest assured that we are doing everything possible to restore service to you as quickly as possible.
    To the many who have inquired, Paul and family are OK, although shaken by these events. They are at home and awaiting the blessed event of their new child's birth. We thank you for your good wishes and prayers.

    Please check back here often. Through this site, we will keep you informed of ongoing developments as we know them.

    Thanks again for your understanding.

    Originally posted by thegreatzeit
    This is pretty lame that no companies allow IRCd anymore because they think they will get Dos'd...

    The only places this is going to happen to is a huge irc network like EFNet, not a small network like most people want to run... I find this frustrating.
