Fight Botnets with Eggdrop Bot and Blacktools
Blacktools can be downloaded from TCLScripts.net. Be sure to check out the forums for the latest information. If you are not familiar with BlackTools, be sure to read this and other guides. It's incredibly powerful, and can become confusing if you have multiple channels with different users, etc. It makes working with Eggdrop bots very easy.
Eggdrop can be downloaded from EggHeads.org. You will need hosting space that allows IRC software. See the right sidebar for the host I use. Be sure to read the eggdrop docs VERY carefully. Get eggdrop up and working perfectly before adding BlackTools. The Egghelp Forums are very helpful.
As I discussed before in Stopping bot, spammer, flooder attacks on Undernet, channels on Undernet are getting hit with extensive botnet floods. To combat that, I've set up a new bot, specifically tuned for the way this botnet attacks channels. Let's assume the bot's name is guardBot.
This bot is intended to be OP'ed during bot attacks. She'll stay in channel, ready to go. I don't leave her Op'ed 24/7 as her bite is very severe.
Please note: No bot can be set up to perfectly defend a channel. It takes human interaction with the bot to protect fully. That's the reason for this guide.
First, do you really want to fight botnets? This depends on the depth of the botnet in question. How many IPs/clients do they have? How long can they keep up the attacks? You may need to simply lock them out and wait for them to stop. If that's the case, simply set mode +r, or +i and wait. Yeah, it sucks having your channel somewhat unusable while waiting, but these fights can go on for a very long time.
Note: you can also do a hybrid: set +i for a while, then drop it to see if the bots are still trying to get in. If some come in, your protections (set below) should handle them. It also lets you copy any new text strings to ban on. Then set the +i and take your time adding those strings. Rinse and repeat.
Setting +m will keep the bots from flooding your channel, but you will still get the CTCPS, messages, notices, quitpart messages, etc. It's not very useful.
Ok, so you DO want to fight! Here's how I set up my defense bot. You are going to use badquitpart and badword to interactively fight the bots. I set banmethod to 3 (ban), banmask to 1 (*!*@ip/host), and bantime to 0 (permaban), though you might want to set a shorter bantime since these are compromised hosts/clients and some VPNs. Maybe 10d would be better. In BlackTools, ban durations can use m, h or d for minutes, hours and days, or 0 for forever.
Just watch the bots and see when they change strings, then bang out badword add *your text here* and watch them get banned. It's quite fun. Same for badquitpart. I have a mIRC right-click function (in the channel window) for that, so I just copy some of the new text, right-click in channel and add it. It adds the string to both functions very quickly. Note: this adds the *'s so don't enter them manually:
.BadWords ADD: {
  ; prompt for the text, then wrap it in a single pair of *'s and add it to both lists
  var %badstring = $$?="Enter BadWords:"
  /msg guardBot badword add * $+ %badstring $+ *
  /msg guardBot badquitpart add * $+ %badstring $+ *
}
I have a quick alias set up to turn off DCCs, change my nick, grab ops (I sit de'oped usually), and set a wide ignore (I have important nicks/hosts defined as exclusions). You can add important nicks to ignore as exclusions by typing /ignore -x nickname. I do all my bots, X, other ops, etc.
/attack {
  ; ignore private msgs, notices, CTCPs and DCCs from everyone for 3600s (nicks added with /ignore -x are exempt)
  /ignore -pntdu3600 *!*@*
  ; switch the DCC server off and move to a throwaway nick
  /dccserver -scf off
  /nick mynick63543
  ; grab ops for myself, then op the defense bot
  //mode # +o $me
  //mode # +o guardBot
}
I also have a simple clean-up alias to remove those settings when the attack is over.
Note: you do NOT have to be OP'ed to use your Eggdrop/BlackTools bot. I take ops so I can op my bot. I should probably deop and change my nick again. Or, I could have the alias fire off a message to another Eggdrop to op my guardBot, or op it through PM. Food for thought. The thought here is that if you expose yourself as an Op, you'll likely get hammered. But, I think my setup protects me well enough. Please comment!
Channel Protection Settings
If you need to add text strings to the badquitpart or badword lists, please do so in Private Messages with the bot. You don't want to show the botnet operators what you are doing. They will simply adjust around it before any bans can be set. In fact, everything you do with the bot should be done in PM, except for maybe manual bans and unbans.
Note: if you have other eggdrops that respond to the standard bans, kicks, etc, you may want to disable those in this bot. Same with admin functions like o, v, and so on. Also, remember to use the botname if you need distinction between this and other bots, like for adding a new user, etc. Or do everything in PM to this or other bots. It can become confusing 😉
Note: Consider using set +securemode. Securemode will set +Dm, and will send joining users a message with a random text string code. The user will reply back, and the bot will give the user voice. If the bot is able to clear the channel of attackers, this is a great way to leave the channel secured while waiting to see if they come back. Because of +m, users currently in the channel and not voiced will be unable to chat in channel. Consider voicing everyone (except the bots!).
These are all turned on:
Note: The instructions for Antibadquitpart also apply to Antibadword below.
Antibadquitpart – SEE: man antibadquitpart, man badquitpart. Monitors QUIT/PART messages for matching text. Takes words and phrases.
badquitpart list – shows the current QUIT/PART message strings that will result in a ban. Note the list numbers.
badquitpart add *text goes here* – adds a text string to badquitpart. Use *s to allow the text to be anywhere in the QUIT/PART message. Please don't use individual words here – too many users get banned. If the attacking bot changes their text strings, simply copy and paste the new text from the QUIT/PART message and add it. I have added a few individual words to the list, like *pedo*, *ped0*, *pedophile*, *ped0phile* and a few strings like “leaving__” and “quit__”. I base these on text the bots actually use, and that normal users would not use. If a user gets banned for having these words in their quit messages, it's probably a good thing. Also, as mentioned in Antibadword, don't use multiple *'s inside phrases as in *you*are*a*deviant*loser*. Only wrap the text in a single pair of *'s. You CAN use ?'s, as in *ped?phile*.
If you see something like ….,.,,…,…jfhgshkjfhgshkjfhgshkjfhgshkjfhgshkjfhgshk just copy a bit of the jfhgshkjfhgshk and add that as *jfhgshkjfhgshk*.
badquitpart del ListNumber – removes that text string from badquitpart. Use .badquitpart list to find the ID number. Very useful if you make an error in adding a string. When you add a new string, the bot will tell you the list number of that entry. I'll ask the BlackTools author to add a reverse listing flag – listing 30 entries 5 at a time can take a long while.
Antibadword – SEE: man antibadword, man badword. Monitors the channel for matching text. Takes words and phrases. Works in exactly the same way as badquitpart, though this is text in the channel.
badword list – shows the current in-channel – text strings that will result in a ban. badword works exactly like badquitpart, except the text in the channel is considered. If the bot changes the text string just do the .badword add below.
badword add *text here* – adds a new text string to badword. The *s make it a wildcard, so the text can appear anywhere in the line. If you want just the first part of a line, you can use “text here*”. I prefer *text here* always. Much easier and more robust. Do NOT use more than two wildcards per phrase. I just watched an op add words like this: *you*have*a*small*penis*. Guess what? That's going to kick and ban for all those individual words. Not a good plan. Just do: *You have a small penis* and that string can be anywhere in the line.
badword del ListNumber – removes the indicated text string. Use badword list to see the ids. Using text, as in “badword del *ped0*”, will not work. It only works with the list number.
Note: the Man entries sometimes say “badwords” – the actual command is always “badword” – it can be confusing at times.
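To see why the guide insists on a single pair of *'s, here is an added Python example (not part of the post, and not BlackTools code) that models badword/badquitpart patterns as case-insensitive globs and runs them over a few constructed channel lines. That BlackTools implements these patterns exactly like this internally is an assumption; the * and ? semantics are the ones the guide describes.

```python
import re

# Constructed sample lines, not taken from any real channel or from the post.
SAMPLE_LINES = [
    "hey guys, anyone here from montreal?",                 # benign chatter
    "You are a deviant loser!!!",                           # bot spam, exact phrase
    "you are right, a deviant chess opening. loser wins",  # benign, but the words appear in order
    "leaving__ quit__",                                     # bot-style quit string
]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a badword glob into a regex: '*' -> any run of characters,
    '?' -> exactly one character, everything else literal (case-insensitive)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matches(pattern: str, line: str) -> bool:
    """True when the whole line satisfies the glob, as a badword check would."""
    return glob_to_regex(pattern).fullmatch(line) is not None


def lines_hit(pattern: str, lines) -> list:
    """All lines that would trigger a kick/ban for this pattern."""
    return [line for line in lines if matches(pattern, line)]


def too_many_wildcards(pattern: str) -> bool:
    """Flag patterns that break the guide's rule of at most two '*' per phrase."""
    return pattern.count("*") > 2


if __name__ == "__main__":
    for pat in ("*You are a deviant loser*", "*you*are*a*deviant*loser*"):
        flag = " (too many wildcards!)" if too_many_wildcards(pat) else ""
        print(pat + flag, "->", lines_hit(pat, SAMPLE_LINES))
```

The single-pair pattern hits only the spam line, while the word-by-word pattern also bans the benign user whose sentence merely contains those words in that order.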
Antichanflood – SEE: man antichanflood, man chanflood. Bans for flooding the channel with text. This may need to be adjusted during an attack. Try to determine how many lines the bots are flooding with and how fast, and adjust as needed. Applies to individual users, not the total number of bots flooding the channel. Sometimes these bots post 3 lines in a row, sometimes more. 3 will still catch anything over 3, of course. Regular users should not be flooding during an attack. Be careful with the SECONDS setting – setting it too high, say 3:30, will kick numerous regular users, since three lines in 30 seconds is perfectly normal behavior.
set chanflood x:y – sets the chanflood limits to the number of user posted lines (x) in a number of seconds (y). Currently set to 3:3 – three lines in 3 seconds. This will result in an immediate ban. Be careful – if the limits are too tight it will ban a number of regular users. 1:3 would ban anyone who posts anything. 2:3 would ban a LOT of users. 3:3 should be good for these bots. Normal usage might be something like 4:10 or 8:30. We're fighting bots, so we tighten this up.
If there's a problem with antichanflood, turn it off with .set -antichanflood (in channel) or set -antichanflood (in a PM to guardBot)
Antictcp – sets immediate bans on any user issuing channel-wide CTCPS
turn on and off:
set +antictcp or set -antictcp
You should never need to turn this off. Anyone using channel-wide CTCPs needs to be banned.
Antinotice – sets immediate permanent bans on anyone using channel-wide Notices
turn on and off:
set +antinotice, set -antinotice
You should never need to turn this off. Anyone using channel-wide notices needs to be banned.
Antirepeat – sets a ban for repeating text in channel – uses number of lines in a number of seconds (x:y). Current setting is 3:2.
turn on and off:
set +antirepeat, set -antirepeat
This setting seems perfect for these bots. They generally enter the channel, spam the same text 3 times, and leave. Sometimes they'll spam the text more than three times, but they spam them out very quickly. This is similar to CHANFLOOD (above) but it only works on matching lines of text. Normally, this would be used with repeaters like roleplay ad messagers. You could set it to something like 2:1800 and have the bot kick them for repeating twice in 30 minutes. The problem is that a regular user might type “hello” more than once in 30 minutes (or any other normal text). Keep this tight, and always keep watching the bot behaviors – they will change.
That's why I've set it to 3 lines in 2 seconds. That's going to be spam, not a mistake.
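To show what the chanflood and antirepeat x:y settings above actually catch, here is an added Python example (mine, not the post's and not BlackTools code) that replays a constructed channel log through a per-nick sliding window. Whether BlackTools counts lines with exactly this kind of window is an assumption; the point is the difference between 3:3, 3:30 and antirepeat 3:2 on the same traffic.

```python
from collections import defaultdict, deque

# Constructed channel log (timestamp in seconds, nick, text); not real traffic.
EVENTS = [
    (0.0,  "Erick", "you are a deviant loser"),   # drone: 3 identical lines in under a second
    (0.4,  "Erick", "you are a deviant loser"),
    (0.9,  "Erick", "you are a deviant loser"),
    (2.0,  "alice", "hi all"),                    # regular user: 3 different lines in 23 s
    (12.0, "alice", "anyone around?"),
    (25.0, "alice", "ok, back later"),
]


def _flood_hits(events, lines, seconds, key):
    """Nicks that posted `lines` lines inside a `seconds` window, grouped by `key`.
    key(nick, text) decides what counts as the same bucket (assumed sliding window)."""
    window = defaultdict(deque)
    hits = []
    for ts, nick, text in events:
        bucket = window[key(nick, text)]
        bucket.append(ts)
        while bucket and ts - bucket[0] > seconds:   # drop lines older than the window
            bucket.popleft()
        if len(bucket) >= lines and nick not in hits:
            hits.append(nick)
    return hits


def chanflood_hits(events, lines, seconds):
    """set chanflood x:y -> any x lines from one nick within y seconds."""
    return _flood_hits(events, lines, seconds, key=lambda nick, text: nick)


def antirepeat_hits(events, lines, seconds):
    """antirepeat x:y -> x *identical* lines from one nick within y seconds."""
    return _flood_hits(events, lines, seconds, key=lambda nick, text: (nick, text.lower()))


if __name__ == "__main__":
    print("chanflood 3:3  ->", chanflood_hits(EVENTS, 3, 3))    # just the drone
    print("chanflood 3:30 ->", chanflood_hits(EVENTS, 3, 30))   # drone AND alice
    print("antirepeat 3:2 ->", antirepeat_hits(EVENTS, 3, 2))   # just the drone
```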
showid, showhandle – I turn these on to make it easy to find the ban IDs and to see who did what quickly.
The following functions are turned off:
Mode – we have other bots that handle channel modes, and Ops may want to set modes without having the bot reset them over and over. Simply “disable #chan mode” for this bot in that channel. Ok – that doesn't work. See the note below.
Note: There is an issue with BlackTools and channel modes. Two Eggdrop bots with BT in the channel may fight over the channel modes. One bot sets +m, the other bot turns it off, etc. Eggdrop has a NODESYNCH setting that is supposed to stop this behavior, but BT doesn't follow it. I've asked the BT author to make the change, so Ops and X and other bots can freely set channel modes as needed, without this bot (or others) immediately changing them. I personally like managing channel modes myself, so having a bot leave them alone is preferable.
Using NODESYNCH would be similar to +Userbans in BlackTools, in that it will allow bans from Ops and X when that is set.
Antijoinflood – I turn this off as it's very easy to catch up regular users. There's really no way to set a good number-of-joins:time ratio for fighting bots. These specifically enter 3 – 4 at a time, so using a mass join defense doesn't work. Sometimes they'll enter at 8 – 10 at once, but that's rare, probably when the botnet operator is becoming frustrated. You can always try it, just be ready to unban regular users 😉
Antibadchan – these bots don't hang out in other channels, so this is not useful. I saw that Hetzner had some compromised hosts the other day, and these drones were all hanging out in a few channels. Antibadchan would be perfect for those drones. They were in #montreal and #bookz – every one of them. We have those channels blacklisted in other bots, so not needed for this one.
Badnick – they change nicks often, and use regular names like Erick, Harold, etc. It's better to ban the IPs and not catch up regular users.
Anything else not listed here is turned off.
Bans and Kicks
The settings above will not catch everything, so don't forget you can issue manual bans.
Note: BlackTools has many pre-defined ban types. These are effectively clones of .b, with different settings. Ex: .id – sets a ban using only the ident portion of the mask, e.g. *!ident@*. You can change all the settings, including the banmethod, bantime, and reasons, etc. You can set these up however you want. You may want to set .dr (drones) for use with these bots, and set banmask to 1 (*!*@ip/host), bantime to 0, and specify your own reason, for example. Then, all you need to do is enter the following in channel:
.dr nick
When you issue a ban, you will get a message showing the ban ID. This can be useful if you made an error and want to remove the ban very easily. You can also get the BanID from the Server/Status window. Here's the message:
[12:04] <OpNick> .b sillynickname test
[12:04] <guardBot> [BT] Added a [LOCAL] ban to #chan with [ID: 37]
And here's the Status/Server window info:
[12:04] * guardBot sets #chan mode: +b *!*@148.72.164.29
[12:04] * sillynickname was kicked by guardBot ([opNick] test [id: 37])
.sb – shows ban status
Example: .sb [NICK|banMask|Ban ID]
.sb sillynickname, .sb *!*@148.72.164.29, .sb 37
Here's what the sb report looks like:
[12:17] <guardBot> [BT] BAN | [ID: 37] | [CHAN]: #chan | *!*@148.72.164.29 | Added by: OpNick| Since: 03/21/2023-11:17:32 | EXP: 1 days, 23:59:55 | Reason: test
.ub – unbans a previously set ban
Example: .ub nick, .ub banmask, .ub BanID
.ub sillynickname, .ub *!*@148.72.164.29, .ub 37
.b [NICK|banmask] <duration><global> reason for ban.
Example: .b badguynick 10m annoying guy!
Duration is optional. You can use m, h and d for durations, i.e. minutes, hours or days. You can set this as a default: set b-bantime 0 (or 24h, or 5d, etc).
The default banmask (when you do b nickname) is *!*@ip/host. The default duration is 1 day (24h).
Also supports GLOBAL, which will set the ban in ANY channel the bot is on. Put it right past the optional duration: b nickname <duration> <global> reason.
.black [NICK|banmask] reason for ban
example: .black badguynick annoying lil feller. Or, .black *!ident@hostaddress|IP etc.
This adds a permanent entry to the bot's channel's blacklist.
.k [NICK|Banmask] reason for kick
Kicks a user with a given reason. Will use a default reason if you leave the reason empty (k-reason – currently: Please stop being annoying – next is a ban)
Note: bans can also use CIDR notation and REGEXs. Look those up if you want to use them. Too much for this guide 🙂
H and MAN
h and man are how you access the bot's manual. It's very comprehensive. You will only see what your LEVEL allows (manager). Type h for an index – it looks like this for me (OWNER):
[BT] h cmds ; h ban ; h add ; h chaninfo ; h BTinfo ; h module ; h egg ; h owner
Typing h btinfo will show you the current BlackTools settings for the channel. Anything in BOLD is turned on.
The section at the bottom of this display shows changes to the default settings for the turned-on protections.
MAN – use man to show the details of any channel protection feature or ban/kick settings.
Example: man myset or man man or man h
Some man entries have further settings than can be read with man. Ex: mychan under myset. Some can be read using the part after the -, as in Antibadword-banmethod. “Banmethod” is common to many functions, so just use man banmethod.
Some of these seem to be out of date, with some not having any man entries.