Flood Bot Filtering Discussion

Dyndrilliac · April 17, 2004, 04:43 PM

Quote from: Adron on April 17, 2004, 02:59 PM
Are the criteria for who a squelch applies to different from the criteria for who a ban applies to? Did it always use to be that way? I had a feeling they used to work the same..

If squelch and ban have different criteria, I suppose I understand the idea of squelching to trace spammers.

I still don't understand the name pattern matching. If a spammer was picking names like Dyndrilliaa, Dyndrilliab, ..., would the bot ban Dyndrilliac?

No, because I would not be rapidly rejoining and sending several messages, therefore it would automatically do a temporary safelist type measure.

Analyzing is done one attacker at a time. All the criteria is logged in a text file, and all my bots use the same log file, so in this way I prevent doubling up and keep a speedy ban system going using several ops bots, for a cooperative banning system.

Note: The same person is not squelched on all ops bots. So in my clan channel, if I have 4 ops bots running, I can use this system on 4 attackers at once.

iago · April 17, 2004, 04:45 PM

Quote from: Dyndrilliac on April 17, 2004, 04:43 PM
Quote from: Adron on April 17, 2004, 02:59 PM
Are the criteria for who a squelch applies to different from the criteria for who a ban applies to? Did it always use to be that way? I had a feeling they used to work the same..

If squelch and ban have different criteria, I suppose I understand the idea of squelching to trace spammers.

I still don't understand the name pattern matching. If a spammer was picking names like Dyndrilliaa, Dyndrilliab, ..., would the bot ban Dyndrilliac?

No, because I would not be rapidly rejoining and sending several messages, therefore it would automatically do a temporary safelist type measure.

Analyzing is done one attacker at a time. All the criteria is logged in a text file, and all my bots use the same log file, so in this way I prevent doubling up and keep a speedy ban system going using several ops bots, for a cooperative banning system.

Could reading/writing to the same file cause i/o errors, like if somebody was flooding with iagokasfdlasfdkj and it read the file while it only said "iago"? Or do you have a check against that?

Dyndrilliac · April 17, 2004, 04:49 PM

I've never experienced that, but, I don't have a check for it either; The way I did it is, all the bots information is outputted to a text file, then all the bots input the other bots' text files and compare data, double information is removed and appended to the single log file, the other files are wiped clean and the bots reset their information and progress normally.

iago · April 17, 2004, 04:55 PM

It seems like it might have a problem with partially written data/io getting in the way of itself, but if it works it works

o.OV · April 17, 2004, 06:54 PM

Quote from: Dyndrilliac on April 17, 2004, 08:54 AM
If the user is still squelched but the user name is different, it knows not to waste time recording the name, and move on to more useful criteria. If it is the same name, it records it and begins recording other criteria. Criteria the bot uses to decide a ban ..

What if the username was the same but the ip was different?

Quote from: Dyndrilliac on April 17, 2004, 04:43 PM
Analyzing is done one attacker at a time. All the criteria is logged in a text file, and all my bots use the same log file, so in this way I prevent doubling up and keep a speedy ban system going using several ops bots, for a cooperative banning system.

Note: The same person is not squelched on all ops bots. So in my clan channel, if I have 4 ops bots running, I can use this system on 4 attackers at once.

So one of your bot manages to squelch one somehow..
what if the squelched flooder fails to show up?

Dyndrilliac · April 17, 2004, 08:05 PM

Quote from: o.OV on April 17, 2004, 06:54 PM
Quote from: Dyndrilliac on April 17, 2004, 08:54 AM
If the user is still squelched but the user name is different, it knows not to waste time recording the name, and move on to more useful criteria. If it is the same name, it records it and begins recording other criteria. Criteria the bot uses to decide a ban ..

What if the username was the same but the ip was different?
Quote from: Dyndrilliac on April 17, 2004, 04:43 PM
Analyzing is done one attacker at a time. All the criteria is logged in a text file, and all my bots use the same log file, so in this way I prevent doubling up and keep a speedy ban system going using several ops bots, for a cooperative banning system.

Note: The same person is not squelched on all ops bots. So in my clan channel, if I have 4 ops bots running, I can use this system on 4 attackers at once.
So one of your bot manages to squelch one somehow..
what if the squelched flooder fails to show up?

1) The bot will squelch the new IP, record the name, and proceed normally.

2) If the flooder does not return within the next 90 seconds the ban attempt is aborted, and it begins searching for other attackers.

o.OV · April 17, 2004, 10:10 PM

Quote from: Dyndrilliac on April 17, 2004, 08:05 PM
1) The bot will squelch the new IP, record the name, and proceed normally.

So if the attacker were to use the same name
but different ip EVERY reconnect..
your bot would continue to squelch them?

Quote
2) If the flooder does not return within the next 90 seconds the ban attempt is aborted, and it begins searching for other attackers.

So 135 seconds later you found yourself a new target..
What if the flooder that failed to return fast enough..
returns after you found that new target?

In both cases you could have more then one squelched IP assuming that you were able to catch them.
Is the analysis still useable?

Dyndrilliac · April 17, 2004, 10:31 PM

Quote from: o.OV on April 17, 2004, 10:10 PM
Quote from: Dyndrilliac on April 17, 2004, 08:05 PM
1) The bot will squelch the new IP, record the name, and proceed normally.

So if the attacker were to use the same name
but different ip EVERY reconnect..
your bot would continue to squelch them?

Quote
2) If the flooder does not return within the next 90 seconds the ban attempt is aborted, and it begins searching for other attackers.

So 135 seconds later you found yourself a new target..
What if the flooder that failed to return fast enough..
returns after you found that new target?

In both cases you could have more then one squelched IP assuming that you were able to catch them.
Is the analysis still useable?

The bot would continue to squelch them yes. I don't think I ever gave it an action for that scenario.

Upon banning of the new target, if the previous target returns to the channel before another new target is found, it will resume it's analysis of the previous one. Once the 90 seconds is up the bot does an auto reconnect to reset squelches, meaning that in this case, there wouldn't be a second IP squelched.

Lenny · April 17, 2004, 10:57 PM

You would also reset all the bans (if any) that were successful.