March 26: The first raid on UniChat, which we prevented
How we protected everyone and how we'll improve for the future.
How we protected everyone and how we'll improve for the future.
A server raid was recently carried out by a spammer on a server's channels, which included Unified Chat (official Unifier chat) room channels. Fortunately for UniChat, and unfortunately for the attacker, none of their messages made it through our channels, thanks to built-in protection systems.
On March 26, 8:45PM (CET), an attacker started sending invites for a "pornography leak" Discord server. Obviously, this was a scam invite, and we were notified by a server member shortly after. Our team hopped on Discord immediately to investigate the incident, and our investigation concluded that no negative effects were observed on UniChat as part of the raid.
Fortunately, Unifier comes equipped with proactive protection measures to prevent such raids from affecting the chat. One of them is our invite blocker, and this was what prevented this raid from impacting UniChat.
When Unifier's invite blocker is triggered, Unifier alerts the user, then attempts to delete the message from the channel. Even if the deletion fails, Unifier has been programmed so that it will not bother to do anything with the message further, such as actually bridging the message, regardless of whether the message was deleted from the channel or not. This measure helped us prevent the message from being sent to other servers linked to UniChat.
As soon as we confirmed the raid, we notified the server admins about the ongoing raid. The member has been indefinitely banned from Unifier with no appeals possible.
As the raid was limited to one specific attacker and the chat did not face any disruptions, we decided not to ban any servers or lock the bot down.
Although the raid was prevented successfully with virtually no damage on UniChat, we still see room for improvement for our protective systems.
As of March 27, this has been implemented.
One way we can improve is to implement invite detection to RapidPhish. This can easily be achieved by looking for URLs containing discord.gg, discord.com/invite, or discordapp.com/invite, just like how current invite detection looks for invites.
By implementing the same to RapidPhish, we will be able to detect even more invites, as the message content is cleaned pre-scan to remove any possible bypasses. We can make Unifier take advantage of this by implementing invite detection into RapidPhish.
As of March 27, this has been implemented.
To prevent raids in UniChat further, we will be implementing an anti-raid system to Unifier. From now on, Unifier will temporarily suspend users for 10 minutes after two warnings upon a ban caused by invites, and the duration will multiply by 2x per invite. If the duration reaches a certain threshold, the user will be banned indefinitely. To reverse this ban, the user will need to reach out to our team.
However, we will make this threshold dynamic, rather than static. If a user sends many invites within the ban, this threshold can be very short. But if the invites are sent over a long period of time, we can make this threshold longer for the user. Currently, we plan to calculate the threshold using this equation:
In this equation, D is the duration in seconds, while t is the time since the ban in seconds and i is the amount of invites sent during the timeframe. This means that:
If invites were sent across a shorter timeframe, this will be classified as a raid, as messages are more "concentrated" within a specific timeframe.
If invites were sent across a longer timeframe, this won't be classified as a raid, as messages are more "spread-out" to be considered a raid.
This can be also used to combat other types of raids involving longer messages or links. If a long message or a link is detected, then the message content can be hashed. If more messages are sent with the same content hash, then this can also be classified as a raid, and the same anti-raid system (although modded to work with the specific message content) can kick in to protect the chat.
We will fine tune this equation where needed if we feel like we need to, but for now this seems like a reasonable starting point.
You can help us be more prepared for a more sophisticated attack by sharing potential solutions we could implement to us, whether it be through UniChat, through UnifierHQ or through DMs. The more ideas we have, the more we can protect ourselves from possible attacks in the future.
