Flooding Attacks

Probably the most devastating IRC weapon is the flood ping, known as "ICBM flood or ICMPing." The idea is that a bully will find out what Internet host you are using, and then give the command "ping -f" to your host computer. Or even to your home computer. Yes, on IRC it is possible to identify the dynamically assigned IP address of your home computer and send stuff directly to your modem! If the bully has a decent computer, he or she may be able to ping yours badly enough to briefly knock you out of IRC. Then this character can take over your IRC session and may masquerade as you.

Now let's consider in more detail the various types of flooding attacks on IRC. The purpose of flooding is to send so much garbage to a client that its connection to the IRC server either becomes useless or gets cut off.

Text flooding is the simplest attack. For example, you could just hold down the "x" key and hit enter from time to time. This would keep the IRC screen filled with your junk and scroll the others' comments quickly off the screen. However, text flooding is almost always unsuccessful because almost any IRC client (the program you run on your computer) has text flood control. Even if it doesn't, text must pass through an IRC server. Most IRC servers also have text flood filters. Because text flooding is basically harmless, you are unlikely to suffer anything worse than getting banned or possibly K:lined for doing it.

Client to Client Protocol (CTCP) echo flooding is the most effective type of flood. This is sort of like the ping you send to determine whether a host computer is alive. It is a command used within IRC to check to see if someone is still on your IRC channel.

How does the echo command work? To check whether someone is still on your IRC channel, give the command "/ctcp nick ECHO hello out there!"
If "nick" (where "nick" is the IRC nickname of the person you are checking out) is still there, you get back "nick HELLO OUT THERE." What has happened is that your victim's IRC client program has automatically echoed whatever message you sent.

But someone who wants to boot you off IRC can use the CTCP echo command to trick your IRC server into thinking you are hogging the channel with too much talking. This is because most IRC servers will automatically cut you off if you try text flooding. So CTCP echo flooding spoofs the IRC server into falsely cutting someone off by causing the victim's IRC client to automatically keep on responding to a whole bunch of echo requests.

Of course your attacker could also get booted off for making all those CTCP echo requests. But a knowledgeable attacker will either be working in league with some friends who will be doing the same thing to you or else be connected with several different nicks to that same IRC server. So by having different versions of him or herself in the form of software bots making those CTCP echo requests, the attacker stays on while the victim gets booted off. This attack is also fairly harmless, so people who get caught doing this will only get banned or maybe K:lined for their misbehavior.

A similar attack is CTCP ping. You can give the command "/ping nick" and the IRC client of the guy using that nick would respond to the IRC server with a message to be passed on to the guy who made the ping request saying "nick" is alive, and telling you how long it took for nick's IRC client program to respond. It's useful to know the response time because sometimes the Internet can be so slow it might take ten seconds or more to send an IRC message to other people on that IRC channel. So if someone seems to be taking a long time to reply to you, it may just be a slow Internet.
Your attacker can also easily get the dynamically assigned IP (Internet protocol) address of your home computer and directly flood your modem. But just about every Unix IRC program has at least some CTCP flood protection in it. Again, we are looking at a fairly harmless kind of attack.

So how do you handle IRC attacks? There are several programs that you can run with your Unix IRC program. Examples are the programs LiCe and Phoenix. These scripts will run in the background of your Unix IRC session and will automatically kick in some sort of protection (ignore, ban, kick) against attackers.

If you are running a Windows-based IRC client, you may assume that like usual you are out of luck. In fact, when I first got on an IRC channel recently using Netscape 3.01 running on Win 95, the *first* thing the denizens of #hackers did was make fun of my operating system. Yeah, thanks. But in fact there are great IRC war programs for both Windows 95 and Unix.

For Windows 95 you may wish to use the mIRC client program. You can download it from http://www.super-highway.net/users/govil/mirc40.html . It includes protection from ICMP ping flood. But this program isn't enough to handle all the IRC wars you may encounter. So you may wish to add the protection of the most user-friendly, powerful Windows 95 war script around: 7th Sphere. You can get it from http://www.localnet.com/~marcraz/.

If you surf IRC from a Unix box, you'll want to try out IRCII. You can download it from ftp.undernet.org , in the directory /pub/irc/clients/unix, or http://www.irchelp.org/ , or ftp://cs-ftp.bu.edu/irc/ . For added protection, you may download LiCe from ftp://ftp.cibola.net/pub/irc/scripts . Ahem, at this same site you can also download the attack program Tick from /pub/irc/tick. But if you get Tick, just remember our "You can get punched in the nose" warning!
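The automatic protection described above (ignore an attacker, stop answering a flood) can be sketched as follows. This is an added example, not code from LiCe, Phoenix, mIRC or 7th Sphere; the class name, thresholds and sample traffic are assumptions. It caps CTCP requests per host and also caps the client's own auto-replies across all senders, because several bots taking turns would each stay under a per-host limit.

```python
import re
from collections import deque

# A CTCP request is a PRIVMSG whose body is wrapped in \x01 bytes.
CTCP_RE = re.compile(r"^:[^!\s]+!\S+@(?P<host>\S+) PRIVMSG \S+ "
                     r":\x01[A-Za-z]+(?: [^\x01]*)?\x01?$")

class CtcpGuard:
    def __init__(self, per_host=2, total=3, window=10.0, ignore_for=60.0):
        self.per_host, self.total = per_host, total
        self.window, self.ignore_for = window, ignore_for
        self.by_host = {}       # host -> times of its recent requests
        self.replies = deque()  # times of our own recent auto-replies
        self.ignored = {}       # host -> time its ignore expires

    def handle(self, line, now):
        m = CTCP_RE.match(line)
        if not m:
            return "not-ctcp"
        host = m["host"]        # nicks change freely, so key on the host
        if self.ignored.get(host, 0.0) > now:
            return "ignored"
        q = self.by_host.setdefault(host, deque())
        for d in (q, self.replies):          # forget events outside the window
            while d and now - d[0] > self.window:
                d.popleft()
        q.append(now)
        if len(q) > self.per_host:           # one host asking too often
            self.ignored[host] = now + self.ignore_for
            return "ignore-host"
        if len(self.replies) >= self.total:  # several hosts taking turns
            return "drop"
        self.replies.append(now)
        return "reply"

# Constructed sample traffic: (seconds, nick, host, message body).
SAMPLE = [
    (0.0, "bot1", "a.example", "\x01ECHO hello out there!\x01"),
    (0.5, "bot2", "b.example", "\x01ECHO x\x01"),
    (1.5, "bot1", "a.example", "\x01ECHO x\x01"),
    (2.0, "bot2", "b.example", "\x01ECHO x\x01"),
    (2.5, "bot1", "a.example", "\x01ECHO x\x01"),
    (3.0, "bot1", "a.example", "\x01ECHO x\x01"),
    (20.0, "pal", "d.example", "\x01PING 456\x01"),
]

def replay(events=SAMPLE):
    guard = CtcpGuard()
    return [guard.handle(f":{n}!u@{h} PRIVMSG me :{b}", t) for t, n, h, b in events]
```

The fourth request is dropped even though its sender is within the per-host limit, which is the case the multi-nick flood relies on.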
Now let's suppose you are all set up with an industrial strength IRC client program and war scripts. Does this mean you are ready to go to war on IRC?

Us Happy Hacker folks don't recommend attacking people who take over OP status by force on IRC. Even if the other guys start it, remember this. If they were able to sneak into the channel and get OPs just like that, then chances are they are much more experienced and dangerous than you are. Until you become an IRC master yourself, we suggest you do no more than ask politely for OPs back.

Better yet, "/ignore nick" the l00zer and join another channel. For instance, if #evilhaxorchat is taken over, just create #evilhaxorchat2 and "/invite IRCfriend" all your friends there. And remember to use what you learned in this Guide about the IRC whois command so that you DON'T OP people unless you know who they are.

As Patrick Rutledge says, this might sound like a wimp move, but if you don't have a fighting chance, don't try - it might be more embarrassing for you in the long run. And if you start IRC warrioring and get K:lined off the system, just think about that purple nose and black eye you could get when all the other IRC dudes at your ISP or school find out who was the luser who got everyone banned.

That's it for now. Now don't try any funny stuff, OK? Oh, no, they're nuking meee...