#97201 09/09/04 11:11 PM
Joined: Dec 2003
Posts: 2
Elm Offline OP
Bowl of petunias
Hey, dunno if this is the right place to post this but maybe someone could help?

I help run a network and for the past 3-4 days have constantly been bot flooded by a botnet it would seem..
Normally we have been able to use our bopm bots to block and catch them but in this instance it seems near impossible and it's rapidly filling up the autokill lists. The services are all offered for free so this is not something we would like to continue.
Used to be able to catch the bots by using the freelists that are most commonly banned and blocking the ports used but now the bots/hosts/IPs used don't seem to exist and seem to mainly be *.wannado.fr and *.do hosts and a lot of *.ca thrown in also..

Anyone have any ideas of how to help catch the hosts or lookup the hosts so we can put a stop to this?

Thanks in advance for any help offered.

#97202 10/09/04 01:11 AM
Joined: Feb 2003
Posts: 372
R
Fjord artisan
Hm, this sounds like a ddos, in which case the attacks are coming from a lot of random IPs around the globe. There's not much you can do, except change your IP often, which will also require you to update your DNS often.

#97203 11/09/04 07:44 PM
Joined: Aug 2003
Posts: 309
N
Fjord artisan
Do you remember angering anyone recently? Possibly close all your ports and open an unusual port for IRC? Or you can just wait it out.


-Nick (Darko)
-Admin irc.aussiechat.org
-#Chatzone, #helpdesk
#97204 12/09/04 01:14 AM
Joined: Dec 2002
Posts: 2,962
S
Hoopy frood
Quote:
There's not much you can do, except change your IP often, which will also require you to update your DNS often.

- There's no point changing your IP and then updating your DNS since that will nullify the effect of changing your IP in the first place (unless the people who initiated the DDoS were incredibly stupid and targeted the IP address instead of the hostname).


Spelling mistakes, grammatical errors, and stupid comments are intentional.
#97205 12/09/04 12:08 PM
Joined: Dec 2002
Posts: 2,985
Hoopy frood
K:lines on a bot that can repeatedly attack are useless; use a z:line instead (on the IP), as this stops the bot even knowing your server exists. A k:line allows a client to connect before being dealt with, whereas a z:line is a firewall and disallows the connection initially. I think z:line is also called a d:line on some servers. Better still, if your IRCd offers a separate command to store z/d:lines permanently then use that and there's a good chance that particular botnet won't be able to reoffend. Once again the list of bans may be big but this is better than being nailed.

People who run botnets to flood with have what is called small penis syndrome, amazing what turns them on ay. One last thing, there is nothing that can be done to stop the attacks but at least with the IP bans you can save your server from reacting to what is thrown at it.

#97206 22/09/04 09:17 PM
Joined: Aug 2003
Posts: 309
N
Fjord artisan
That's a whole lot of IPs to ban. On aussiechat we had a botnet of almost 200, all with different hosts, and even then they kept coming back. :(


-Nick (Darko)
-Admin irc.aussiechat.org
-#Chatzone, #helpdesk
#97207 23/09/04 09:58 AM
Joined: Dec 2002
Posts: 2,985
Hoopy frood
Quite correct, but it is a case of choosing the better of two evils. A long untidy ban list is better than not existing.
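
Added example, not part of any post in this thread: one way to keep the long IP ban list discussed above manageable is to collapse individual offender IPs into network ranges before banning them. It assumes your IRCd accepts CIDR notation in z/d:lines; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of flooding client IPs (RFC 5737 documentation ranges).
SAMPLE_OFFENDERS = [
    "192.0.2.5", "192.0.2.17", "192.0.2.200", "192.0.2.201", "192.0.2.5",
    "198.51.100.8", "198.51.100.9",
    "203.0.113.77",
]

def collapse_bans(ips, prefix=24, min_hosts=3):
    """Turn individual offender IPs into a shorter list of IPv4 networks.

    A /prefix block is banned whole only when it holds at least min_hosts
    distinct offenders; everything else stays a single-address ban, and
    adjacent entries are merged where that covers no extra addresses.
    """
    addrs = {ipaddress.IPv4Address(ip) for ip in ips}  # de-duplicate
    buckets = defaultdict(set)
    for addr in addrs:
        block = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        buckets[block].add(addr)
    nets = []
    for block, members in buckets.items():
        if len(members) >= min_hosts:
            nets.append(block)  # dense block: one entry replaces many
        else:
            nets.extend(ipaddress.ip_network(f"{m}/32") for m in members)
    return sorted(ipaddress.collapse_addresses(nets))

def collateral(nets, ips):
    """Addresses covered by the bans that were never seen attacking."""
    seen = {ipaddress.IPv4Address(ip) for ip in ips}
    return sum(n.num_addresses for n in nets) - len(seen)

if __name__ == "__main__":
    bans = collapse_bans(SAMPLE_OFFENDERS)
    for net in bans:
        print(net)
    print("entries:", len(bans),
          "collateral addresses:", collateral(bans, SAMPLE_OFFENDERS))
```

Raising `min_hosts` trades a longer list for fewer legitimate users caught inside a banned block, so check the collateral count before loading the result into the server.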

