[AC-Admins] Recent botnet flooding
Scott Garron
simba at anthrochat.net
Thu Sep 16 17:29:58 EDT 2010

So it turns out that LionOPM was broken and probably has been for
quite some time. I thought it was fixed when it stopped audibly
complaining in #opers about getting lookup errors on efnetrbl.org, but I
never bothered checking it, so I guess my assumption was wrong.

Anyway, a script kiddie thought it would be amusing to connect
several hundred flood bots on open proxies to lion and try to annoy our
network's delicate flowers. While I was poking around to try to get rid
of them, I remembered that someone pointed this out to me at some point:

http://encyclopediadramatica.com/Firefox_XPS_IRC_Attack

(Sorry for the spammy ED link, but it is relevant)

I think it would be beneficial if we all included the iptables
commands mentioned on that page on our servers. Run something like:

http://www.anthrochat.net/iptables_script.txt

I also managed to get LionOPM working again, but I'm not exactly
sure how. I added another efnet check for tor exit servers, and changed
the lookup for the efnetrbl back to rbl.efnetrbl.org from rbl.efnet.org,
connected it via localhost, and ran a few checks on some of the IPs that
it let slide by during the attack. They all tested positive for open
proxies or TOR exit servers when I checked them manually. I guess we'll
see what happens next time around, 'cause I've seen it in action in the
past, and it is usually really effective.

In addition, I don't have access to add/remove admins/opers via
operserv. I'd like to add Fidgetfox, since his server has been fully
adopted at this point.

--
Simba
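
Added example, not part of the original message and not LionOPM's code: a self-test that would catch a proxy monitor silently querying a dead or wrong DNSBL zone, as described above. It assumes the zone publishes the RFC 5782 test entries (127.0.0.2 listed, 127.0.0.1 not listed); the function names are hypothetical.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}

def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: reversed octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the 127.x.x.x answer if ip is listed, None if it is not.

    Anything else (timeout, SERVFAIL, an answer outside 127/8) raises,
    so a broken zone is never mistaken for a clean result.
    """
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:
            return None
        raise
    if ipaddress.ip_address(answer) not in LOOPBACK:
        raise ValueError(f"{zone} answered {answer}, not a DNSBL code")
    return answer

def zone_health(zone, resolve=socket.gethostbyname):
    """Self-test a zone with the RFC 5782 test entries (assumed present)."""
    try:
        if lookup("127.0.0.2", zone, resolve) is None:
            return "broken: test entry 127.0.0.2 is not listed"
        if lookup("127.0.0.1", zone, resolve) is not None:
            return "broken: zone lists everything"
    except (OSError, ValueError) as exc:
        return f"broken: {exc}"
    return "ok"

if __name__ == "__main__":
    # The two zone names mentioned in the message; this performs live DNS queries.
    for zone in ("rbl.efnetrbl.org", "rbl.efnet.org"):
        print(zone, "->", zone_health(zone))
```

Running the self-test on a schedule and alerting on any result other than "ok" turns a quiet lookup failure into a visible one.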