NoFlood

Version 9.0 by NudeDude

What is a flood?

Good question. Flood attacks are unfortunately not a rare enough occurrence on the Undernet. Flooding comes in several varieties, including:

The alias, if the format flood protect switch is on:

  1. checks to see if only a control code by itself has been sent to the channel. If so, it does not proceed.

  2. checks to see if there are any control codes present. If so, it proceeds.

  3. if the number of control codes exceeds the maximum allowable limit you have set, it bans the site and kicks the user, removing the ban 5 minutes later.

  4. if the message is concealed by the use of white text, the alias displays the 'hidden' message text to you.

Once you get a 'feel' for the number of codes carried by formatted messages, you can, if you wish, remove the echo advising you of the control code count:

if ( %diff > 0 ) { echo $chan %diff control codes } |

Put this in your popups for easy switching of the format flood protection:

Format Flood Protect...
.Status:echo -a Format flood protection is %ctrlchk - maximum permitted control codes is %max^codes
.Enable:set -s %ctrlchk ON
.Disable:set -s %ctrlchk off
.Set Sensitivity:set -s %max^codes $$?="Maximum permitted control codes:"
.Reset:set -s %ctrlchk ON | set -s %max^codes 20 | set -s %clrstrip off | strip -c | echo -a Format flood protection is active, maximum allowable control codes are 20.
.Color...
..Status:echo 2 Color stripping is %clrstrip
..Strip color:strip +c | set %clrstrip ON | echo -a Colors will NOT be displayed - format flood protection does NOT include colors.
..Display color:strip -c | set %clrstrip off | echo -a Colors WILL be displayed - format flood protection includes colors.

After installing, be sure to initialize the script by choosing "Reset."

Color controls count for 2 to 3 control codes, depending on the color. I suggest you start with a sensitivity of 20 (the default), run it for a while, and adjust it accordingly.

If you don't like watching colors, then /strip +c will prevent the display of incoming colors; I included a popup command to make it easy. You will still see your own, and will still be able to send color-formatted text. The Format flood protection will continue to protect you from other excess formatting, including alternating bold/unbold floods. These floods can slow screen display considerably, and can impair your CPU's ability to process other tasks, if you are on a slow system.
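The four checks described above, as an added Python model (not the NoFlood or CSCPAC alias itself, which is mIRC script). The name check_format and its return values are hypothetical, and two things are assumed: that %diff is the raw message length minus the length with formatting stripped (which is what makes a color code count 2 to 3), and that "white text" means foreground color 0.

```python
import re

# mIRC formatting codes: bold \x02, colour \x03[fg[,bg]], reset \x0f,
# reverse \x16, underline \x1f.
COLOR_RE = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?")
CODE_RE = re.compile(COLOR_RE.pattern + r"|[\x02\x0f\x16\x1f]")
# Foreground colour 0 is white in mIRC: "00", or "0" that is not the
# first digit of 01-09.
WHITE_FG_RE = re.compile(r"\x03(?:00|0(?!\d))")


def check_format(msg, max_codes=20, count_colors=True):
    """Return (action, diff, revealed) for one channel message.

    diff is the number of characters that formatting adds to the message
    (assumed meaning of %diff), so a colour code counts 2 to 3.
    """
    codes = CODE_RE.findall(msg)
    visible = CODE_RE.sub("", msg)
    if len(codes) == 1 and not visible:      # step 1: a lone control code
        return ("skip", 0, None)
    if not codes:                            # step 2: nothing to check
        return ("pass", 0, None)
    # With /strip +c in effect the page says colours are not included.
    counted = msg if count_colors else COLOR_RE.sub("", msg)
    diff = len(counted) - len(visible)
    revealed = visible if WHITE_FG_RE.search(msg) else None   # step 4
    # step 3: over the limit means ban the site and kick (the alias then
    # lifts the ban 5 minutes later; that timer is left to the caller)
    action = "ban_kick" if diff > max_codes else "pass"
    return (action, diff, revealed)


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "plain": "hello channel",
    "lone": "\x02",
    "red": "\x034red alert",
    "blue": "\x0312deep blue",
    "hidden": "\x030you cannot see this",
    "strobe": "\x02x\x02" * 12,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_format(text))
```
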

NUKES -- Another class of Denial of Service attacks (the formal terminology for any action by a user attempting to block or disconnect your system from the Internet) includes, but is not limited to, the following:

  • ANUKE, CNUKE -- attacks that send a TCP/IP error protocol to your dialer telling it the connection has been broken and causing it to stop its connection;
  • WINNUKE ("bluenuke" or "muerte") -- sends an invalid code to the Windows netbios on Port 139 (usually an OOB code) and causes Windows systems to freeze up and require rebooting (the dreaded blue screen showing "Fatal Error" is the most common symptom); and
  • ICENUKE, which is actually a form of ICMP flood that uses highly fragmented packets whose individual parts are small enough to sneak past most thresholds of packet sniffers and even many firewalls. Symptoms are a slowdown or total freezeup of your system.


Flood Protection

Fortunately, every user has the tools already available to combat flooders in a responsible way. First of all, never retaliate against a flooder by flooding back. All flooding is wrong and abuses Undernet resources. Here is some advice to stop flooders:

  1. Set up an alias key to /silence *!*@*. When a flooder starts, just hit that alias key. It will stop all CTCP from going to you. Then you can also /ignore *!*userid@host on the offender to silence any channel flooding to you or DCC and /msg. Get their userid@host from a /whois.

    You can /silence -*!*@* to turn off the global silence of CTCP later when the flooder has stopped. Set it up as another alias if you want.

  2. Flood clones or other forms of attack that use up large amounts of server bandwidth should be reported to the administrative channel on your IRC network, e.g., Undernet = #zt, Starlink = #Oasis, KidsWorld = #adminland.

    But beyond that, there is also a second effective step to take. Whenever a user floods you or otherwise is abusive beyond simple rudeness, you should contact their Service Provider (e-mail webmaster@domain -- example: webmaster@concentric.net) and give them the userid@port.domain (from a /whois) of the offensive users together with the date and the exact time (together with timezone) that the abuse took place.

    This information is sufficient for the Provider to cross-check against their own logs and identify the exact users that are the cause of the problem (even if they use a fake userid). Summarize the problem (and include a log of it if you can). Request that the provider remove the account of the abusive user. Most providers will be reluctant to do so at first, but be firm, polite, and persistent. Remind them that abuse of bandwidth is costly and may result in the entire provider's site being globally k:lined (banned) from all IRC servers. Also remind them that CTCP and ICMP flooding are "denials of service" and are expressly forbidden under Internet guidelines.

    The ICMP info page includes the latest information on logging, tracing, and reporting flooders. Another useful webpage for finding the administrative and technical contact for any Internic-registered domain (any provider ending in .com, .net, .edu, or .org) is http://www.claimname.com/lookup.sh. Simply enter the domain name, and it will return the e-mail address, location, telephone number, and other information about the site.

    These simple techniques are all any user needs to defend against most flooders. You should also set your DCC file get to "auto refuse" when you see a flood attack start.

    Good luck, and pass this info along to your friends AND enemies. :)


    New CSCPAC Available!

    Now there is a new CSCPAC for mIRC that is a one-stop solution for all your needs. It includes sophisticated flood protection, clone detection/protection, all of the X/W commands thru PopUps and aliases, and an extensive PopUp help section for X/W command syntax and other FAQs. You can obtain the latest version of CSCPAC from many of the URLs listed here in the NoFlood*.txt series. Many of the helpers in Cservice also have it available to distribute. Or e-mail me at one of the addresses shown below to request a copy.


Script Examples

Below are some examples of mIRC scripting that I use in my Level 1 flood protection. You can follow the advice above withOUT setting up a script like the one shown below. The following scripts and aliases are a bit more advanced, and you can play with them if/when you feel up to it.

Remember -- you should never run a script you didn't write yourself, or at least run one in which you understand every line of code. The only exception should be the officially approved UUS scripts available from HelpBot and ircIIHelp.

The following lines are from the tools/remote/commands section of CSCPAC (versions 4.7x; slight modifications need to be made for 5.x). They allow only one CTCP/site each 60 seconds.

[Commands]

1:*:{
  /auser =99 *!*@* $+ $site | /timer 1 60 /ruser *!*@* $+ $site
  if ($chan) { echo 10 -a [[ $+ $nick $parm1 $+ ] to $chan | halt }
}
99:*:{
  /raw silence *!*@* $+ $site
  /ignore -pintu60 *!*@* $+ $site
  echo 10 -s $nick in $chan
  /timer 1 60 /ruser *!*@* $+ $site
  /timer 1 60 /raw silence -*!*@* $+ $site
  echo 4 -a $nick at $site on $chan has triggered floodpro for $parm1
  halt
}

Next, here are some alias key setups (from Tools/Aliases):

/f10 /ignore -tu15 *!*@* [sets F10 key to global ignore for 15 seconds]
/f11 /silence *!*@* [sets F11 key to global silence to stop all CTCP sends at the server]
/f12 /silence -*!*@* [turns off the global silence]

Some suggested #channel settings to help avoid flooders, especially clonefloods:

Here are some additional suggestions provided by other users:

From AngelBaby, an mIRC script for channel text flood protection:

Auto Kick ON Channel flood (by AngelBaby):

*1:on text:*:#silverlocke:/auser 2 $nick | /timer 1 6 /ruser $nick
*2:on text:*:#silverlocke:/auser 3 $nick
*3:on text:*:#silverlocke:/auser 4 $nick
*4:on text:*:#silverlocke:/kick $chan $nick Flood detected! Lose the screen scroll!!! | /ruser $nick
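The CSCPAC CTCP rule (second CTCP from a site within 60 seconds is silenced for 60 seconds) and the channel-text rule just above (fourth line from a nick within 6 seconds is kicked) use the same mechanism: a counter that resets when a timer started at the first event expires. The following Python model is an added illustration, not part of either script; the class name, return values and sample traffic are constructed for the example.

```python
class FirstEventWindow:
    """Fire on the Nth event from one source inside a window that opens at
    that source's first event, then optionally block the source."""

    def __init__(self, threshold, window, penalty=0):
        self.threshold, self.window, self.penalty = threshold, window, penalty
        self.seen = {}      # source -> (window start, events counted)
        self.blocked = {}   # source -> time the silence/ignore ends

    def event(self, source, now):
        if self.blocked.get(source, 0) > now:
            return "blocked"              # still silenced/ignored
        start, count = self.seen.get(source, (now, 0))
        if now - start >= self.window:    # the /timer ran /ruser: start over
            start, count = now, 0
        count += 1
        if count >= self.threshold:
            self.seen.pop(source, None)
            self.blocked[source] = now + self.penalty
            return "trigger"              # silence+ignore, or kick
        self.seen[source] = (start, count)
        return "allow"


def replay(limiter, events):
    """events: (seconds, source) pairs in time order -> list of decisions."""
    return [limiter.event(source, t) for t, source in events]


# Constructed traffic, not a captured log.
CTCP_EVENTS = [(0, "dial1.isp.example"), (10, "dial2.isp.example"),
               (30, "dial1.isp.example"), (45, "dial1.isp.example"),
               (95, "dial1.isp.example")]
TEXT_EVENTS = [(0, "chatty"), (0, "slow"), (1, "chatty"), (2, "chatty"),
               (3, "chatty"), (3, "slow"), (5, "slow"), (7, "slow")]

if __name__ == "__main__":
    # One CTCP per site per 60 s; offenders are blocked for 60 s.
    print(replay(FirstEventWindow(2, 60, penalty=60), CTCP_EVENTS))
    # Four lines inside 6 s gets a kick; the counter is cleared afterwards.
    print(replay(FirstEventWindow(4, 6), TEXT_EVENTS))
```
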

From |VOID| -- a few other simple flood protect script and alias suggestions (similar to some of the features that are in CSCPAC):

Flood protection that is added to mIRC remote/commands window:

1:*:/ignore -tu25 *!*@* | /away One CTCP reply every 25 seconds
... Wait...The default user level at, say, 10. the default user 
level MUST be the same as the number at the start of the line 
| /timer 1 25 /away :>

(that all goes on a single line)

It ignores everyone after a CTCP, sends an /away msg to the server so that the server can reply to the user CTCP'ing when a limit is in place, so the server does the work, NOT the user. =) A timer is activated and the person who was CTCP'd turns the /away msg off after 25 seconds.

Therefore, the MOST that can happen in 25 seconds is:

Also, a handy popup to have is:

FLooD PRoTeKTioN
.TuRN oN:/creq ignore | /sreq ignore | /silence +*!*@* | /ignore *!*@*
.TuRN oFF:/creq auto | /sreq auto | /silence -*!*@* | /ignore -r *!*@*

Note from NudeDude: /ignore only works against CTCP in mIRC versions 4.0 and higher. It is a "client" level command and therefore still allows the CTCP info requests to reach you; it just stops the automatic CTCP reply by your client. Also, the global /ignore *!*@* in this particular example will shut off all channel text from reaching you for 25 seconds each time someone sends any CTCP to you.


NoFlood Reference Links

Finally, I'll leave you with some of my favorite reference sites for more information:

  • ICMP Information page
  • CERT (Computer Emergency Response Team)
  • C|net - Oakland shareware library
  • DNS info lookup
  • Ensor's IRC Extravaganza
  • Herbal_Oasis FAQs
  • IceNuke (ssping-f) fix (msft patch)
  • IceNuke (ssping-f) test site
  • McAfee firewall
  • mIRC -- more scripts
  • mIRC -- C-script site (award-winning)
  • mIRC -- yet more scripts
  • mIRC bot info
  • mIRC FloodPro info
  • mIRC site
  • Nuke info site
  • Pirch Home Page
  • Pirch Scripts site
  • Plisten port sniffer (Skream's homepage)
  • Port 139 (Bluenuke) Another good info site
  • Port 139 (Bluenuke) msft fix
  • Port 139 (Bluenuke) yet another fix
  • Port 139 (Bluenuke) fix
  • Port 139 (Bluenuke) test site
  • Security (NIST front page)
  • Security (NIST 800-7) Network issues
  • The #mIRC (+tn) Channel Homepage


I want to thank users that have written to offer their appreciation, suggestions, and comments. Your continued interest and support are appreciated and have inspired the creation of the CSCpac for mIRC.

This advice on making the net safe from flooders has been brought to you by NudeDude (Senior Cservice Admin - Retired; Abuse admin for KidsWorld.org IRC network; Author of the NoFlood*.txt series and the CSCPAC/ OperPac series for mIRC)


Latest Revision: 15 August 1997
© Copyright R. A. Berger
Users may freely copy and distribute this for non-commercial use.
No changes, deletions, or alterations may be made without
the express written consent of the author.