IRC flood: Difference between revisions

Content deleted Content added

Inline

Revision as of 21:18, 26 May 2009

Flooding or scrolling on an IRC network is a method of disconnecting users from an IRC server (a form of Denial of Service), exhausting bandwidth which causes network latency ('lag'), or just annoying users. Floods can either be done by scripts (written for a given client) or by external programs.

It is possible to flood a client off the network simply by sending them data faster than they can receive it and thus cause a quit with the "max sendq exceeded" message, but this is generally only feasible if the user's connection is already slow/lagging and/or the attacker has a very large number of connections to the IRC network. Therefore, more common flooding techniques are based on the fact that the maximum number of messages that can be sent in a specified interval is controlled on the IRC server. Once this value is exceeded messages are stored in a buffer and delayed. If the buffer is filled the client is disconnected with an "Excess Flood" quit message. By sending messages that request an automated reply some IRC clients can be forced to flood themselves off.

Types of floods

A post flood on #wikipedia-en, using the common Internet term "OMG".

Crapflood: This is the simplest type of IRC flooding. It involves posting large amounts of posts or one very long post with repetitive text. It can also involve text with no meaning or no pertinence to the current discussion.^[1] This type of flood is most commonly achieved by copying and pasting one short word repeatedly. Occasionally, when there are a large amount of small words, the entire message will be copied and pasted to produce massive amounts of text. This can, in turn, be done again, creating an exponential rise in the amount of text.

CTCP flood: Since CTCP is implemented in almost every client^{[citation needed]}, most users respond to CTCP requests. By sending too many requests, after a couple of answers they get disconnected from the IRC server. The most widely-used type is CTCP PING, although most clients also implement other CTCP replies.

DCC flood: Initiating many DCC requests simultaneously. Theoretically it can also be used to disconnect users, because the target client sends information back about what port is intended to be used during the DCC session.

ICMP flood: Typically referred to as a ping flood. This attack overloads the victim's bare internet connection with an amount of data exceeding the connection's capacity, causing not only a disconnection from the IRC network (seen by observers as a quit due to "Ping timeout"), but a failure of the victim's internet connection itself, either slowing it down severely or effectively disabling its functionality completely for the duration of the attack. Technically speaking, this is not an IRC flood, as the attack itself doesn't traverse the IRC network at all, but operates entirely independent of anything but the raw internet connection and its IP protocol (of which ICMP is a subset). Even so, the actual IP address to flood (the address of the victim's connection) is frequently obtained by looking at the victim's user information (ie. through the /whois command) on the IRC network, and it is a popular IRC-based means of DoS attack.

Example of a message flood using over 50 clones.

Message flood: Sending lots of private messages to the victim, mainly from different connections called clones (see below). Since clients separate the private conversations into another window, each new message could open a new window for every new user a message is received from. This is exploitable by sending messages from multiple names, causing the target client to open many new windows and potentially swamping the user with boxes. Sometimes the easiest way to close all the windows is to restart the IRC client, although scripts (client extensions) exist to 'validate' unknown nicknames before receiving messages from them.

Notice flood: Similar to the message, but uses the "notice" command.

Invite flood: Sending lot of invites, mostly to fake channels.

Nick flood: Changing the nick as fast as possible, thus making the conversation unenjoyable in the channel. This will often result in a ban.

Connect flood: Connecting and disconnecting from a channel as fast as possible, therefore spamming the channel with dis/connect messages, thus making the conversation unenjoyable. This will also often result in a ban.

Version flood: Sending many requests (usually via clones) for the client's version. The client then responds enough to flood itself off.

Clones

Of course, abusers do not flood from their own nicknames, because of the following reasons:

they can easily be K-Lined by administrators ('IRCops,' 'ServerOPs' or 'SOPs'),
banned from channels by operators ('ChanOPs' or 'OPs'),
from one user the flood is often not effective (The limits apply to the attacker too).

Instead clones are used, which are script or program controlled clients, primary designed to abuse others. When this method is used, it becomes easier to attack a user using many clones at the same time. Generally, the more clones an attacker has, the greater the chance of an attack succeeding. However the maximum connections from any one ip address are generally limited by the IRC network (either at the IRCD level or the services level).

One common way to increase the number of clones is by using open proxies. Basically these proxies are SOCKS or Squid-based, which support IRC connections by default. If one has a list of open proxies, he can use them to connect his clones through them to various IRC servers. Alternatively, compromised systems can be used to make the connections.

To prevent this, nowadays some IRC servers are configured to check common proxy ports of the client at the very beginning of the connection. If a successful proxy request can be done, it immediately drops the user (or clone). Other IRC networks use a separate proxy scanner that scans users as they join the network and kills or glines any users it detects an open proxy on. However this offers no protection against compromised systems or proxies on nonstandard ports (a full 65535 port scan isn't really feasible both for performance reasons and because it risks setting off Intrusion Detection Systems).

Protection

Almost every IRC client offers some kind of flood protection. These protections are based on the built-in "ignore" feature, which means that a given incoming message, CTCP, invitation, etc. will be blocked if the sender's hostmask matches any of the masks are defined in the ignore list. This is useful as few IRC networks implement the 'silence' command to reject messages by the server. In other words, every message will be posted to the correspondent user, whether it is a normal message or its content is intentionally malicious.

Many clients also limit the number of replies that can be sent in response to any incoming traffic from the network thus avoiding hitting the excess flood limit.

Flood protection in mIRC

There's also flood protection in the popular Windows-based client program, mIRC, in the Options menu. Users can set up some important values about how many incoming bytes are considered to be flooding, maximum incoming lines per user and ignorance time. Note that these settings are not enabled by default.

Despite these possibilities, there are much more sophisticated ways to eliminate flooding using mIRC scripts. These include additional features, such as CTCP cloaking, better message flood control, more adjustable flood triggers, and many others.

Firewalls and floods

Many users believe that installing a firewall will protect them against these attacks. This is not true, because the IRC protocol operates in the application layer, therefore a packet filter firewall cannot examine the incoming data stream to filter the flood. No known application layer firewalls provide such protection at this time.

Notes

^ An example of this would be someone posting the entire contents of a book or poem when the book or poem in question is unrelated to discussion.

References

Pioch, Nicolas (1993-02-28). "A short IRC primer". Retrieved 2009-05-25.
"Logging and Reporting IRC Abuses". Retrieved 2009-05-25.
Brinton, Aaron (1997). "IRC Operators Guide". Retrieved 2009-05-25. {{cite web}}: Unknown parameter |month= ignored (help)
Powers, Ray (1998-07-30). "The myths of opers..." Retrieved 2009-05-25.
Reed, Darren (1992). "A Discussion on Computer Network Conferencing: 5.2.6 Network Friendliness". RFC1324. IETF. Retrieved 2009-05-25. {{cite journal}}: Unknown parameter |month= ignored (help)
Oikarinen, Jarkko (1993). "Internet Relay Chat Protocol: 8.10 Flood control of clients". RFC1459. IETF. Retrieved 2009-05-25. {{cite journal}}: Unknown parameter |coauthors= ignored (|author= suggested) (help); Unknown parameter |month= ignored (help)
Kalt, Christophe (2000). "Internet Relay Chat: Server Protocol: 5.8 Flood control of clients". RFC2813. IETF. Retrieved 2009-05-25. {{cite journal}}: Unknown parameter |month= ignored (help)
Mutton, Paul (2004-07-27). IRC Hacks (1st ed.). Sebastopol, CA: O'Reilly Media. pp. 302, 98, 134, 170–172, 268–269, 300. ISBN 0-596-00687-X.
Grimes, Roger A. (2001). Malicious Mobile Code: Virus Protection for Windows. Sebastopol, CA: O'Reilly Media. pp. 188, 239–240, 242–243. ISBN 1-56592-682-X. {{cite book}}: Unknown parameter |month= ignored (help)
(anonymous) (1997). Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. SAMS Publishing. pp. 140–141. ISBN 1575212684. {{cite book}}: Unknown parameter |month= ignored (help)
Crystal, David (2006-09-18). Language and the Internet (2nd ed.). Cambridge University Press. p. 160. ISBN 0521868599.
Rheingold, Howard (1993). The Virtual Community: Homesteading on the Electronic Frontier (1st ed.). Basic Books. p. 185. ISBN 0201608707. {{cite book}}: Unknown parameter |month= ignored (help)
Surratt, Carla G. (1999-08-01). Netaholics?: The Creation of a Pathology. Hauppauge, New York: Nova Science Publishers. p. 156. ISBN 156072675X.
Gibbs, Donna; Krause, Kerri-Lee, eds. (2006-06-01). Cyberlines 2.0: Languages and Cultures of the Internet (2nd ed.). James Nicholas Publishers. pp. 270–271. ISBN 1-875-40842-8.
Piccard, Paul; Baskin, Brian; Edwards, Craig; Spillman, George (2005-05-01). Sachs, Marcus (ed.). Securing IM and P2P Applications for the Enterprise. foreword by Kevin Beaver (1st ed.). Rockland, Massachusetts: Syngress Publishing. ISBN 1597490172.
McClure, Stuart; Scambray, Joel; Kurtz, George (2005-04-19). Hacking Exposed 5th Edition: Network Security Secrets And Solutions (5th ed.). New York, New York: McGraw-Hill Professional. pp. 494–497. ISBN 0072260815.
Scambray, Joel; Shema, Mike; Sima, Caleb (2006-06-05). Hacking Exposed: Web Applications (2nd ed.). New York, New York: McGraw-Hill Professional. pp. 370–373. ISBN 0072262990.
Tipton, Harold F.; Krause, Micki, eds. (2004-12-28). Information Security Management Handbook. Vol. 2 (5th ed.). Auerbach Publications. p. 517. ISBN 0849332109.
Tipton, Harold F.; Krause, Micki, eds. (2007-05-14). Information Security Management Handbook (6th ed.). Auerbach Publications. ISBN 0849374952.
Maynor, David (2006). Emerging Threat Analysis: From Mischief to Malicious. Rockland, Massachusetts: Syngress Publishing. p. 170. ISBN 1-59749-056-3. {{cite book}}: Unknown parameter |coauthors= ignored (|author= suggested) (help); Unknown parameter |month= ignored (help)
Bidgoli, Hossein (2003-12-23). The Internet Encyclopedia (1st ed.). Hoboken, New Jersey: John Wiley & Sons. pp. 209, 213. ISBN 0471222011.
Northcutt, Stephen; Novak, Judy (2002-09-06). Network Intrusion Detection (3rd ed.). SAMS Publishing. ISBN 0735712654.
Douligeris, Christos; Serpanos, Dimitrios N. (2007-06-15). Network Security: Current Status and Future Directions. Hoboken, New Jersey: John Wiley & Sons. ISBN 0471703559.
Skoudis, Ed; Liston, Tom (2006-01-02). Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd ed.). Prentice Hall. ISBN 0131481045.
King, Todd; Tittel, Ed; Bittlingmeier, David (2003-04-06). Security+ Training Guide. Que Publishing. ISBN 0789728362.
Baskin, Brian; Bradley, Tony; Faircloth, Jeremy; Schiller, Craig A.; Caruso, Ken; Piccard, Paul; James, Lance (2006-09-19). Piltzecker, Tony (ed.). Combating Spyware in the Enterprise (1st ed.). Rockland, Massachusetts: Syngress Publishing. p. 19. ISBN 1597490644.
Höök, Kristina; Benyon, David; Munro, Alan J., eds. (2003-01-31). Designing Information Spaces: The Social Navigation Approach (1st ed.). Germany: Springer Science+Business Media. p. 266. ISBN 1852336617.
Schiller, Craig A.; Binkley, Jim; Harley, David; Evron, Gadi; Bradley, Tony; Willems, Carsten; Cross, Michael (2007-02-15). Botnets: The Killer Web App. Rockland, Massachusetts: Syngress Publishing. p. 80. ISBN 1597491357.

External links

[1] An example of this would be someone posting the entire contents of a book or poem when the book or poem in question is unrelated to discussion.

[1]

@@ Line 15: / Line 15: @@
 [[Image:Private message flood 2006 freenode.PNG|right|300px|thumbnail|Example of a message flood using over 50 clones.]]
-; Message flood : Sending lots of private messages to the victim, mainly from different connections called '''clones''' (see below). Since many clients separate the private conversations into another window, they open a new window for every new user a message is received from. This is exploitable by sending messages from multiple names, causing the target client to open many new windows and potentially swamping the user with boxes. Sometimes the easiest way to close all the windows is to restart the IRC client, although scripts (client extensions) exist to 'validate' unknown nicknames before receiving messages from them.
+; Message flood : Sending lots of private messages to the victim, mainly from different connections called '''clones''' (see below). Since clients separate the private conversations into another window, each new message could open a new window for every new user a message is received from. This is exploitable by sending messages from multiple names, causing the target client to open many new windows and potentially swamping the user with boxes. Sometimes the easiest way to close all the windows is to restart the IRC client, although scripts (client extensions) exist to 'validate' unknown nicknames before receiving messages from them.
 ; Notice flood : Similar to the message, but uses the "notice" command.