IRC takeover

Last updated

An IRC channel takeover is an acquisition of IRC channel operator status by someone other than the channel's owner. It has largely been eliminated due to the increased use of services on IRC networks.

Contents

Riding the split

The most common variety of channel takeover uses disconnections caused by a netsplit; this is called riding the split. After such mass disconnections, a channel may be left without users, allowing the first rejoining user to recreate the channel and gain operator status. When the servers merge, any pre-existing operators retain their status, allowing the new user to kick out the original operators and take over the channel.

A simple prevention mechanism involves timestamping (abbreviated to TS), or checking the creation dates of the channels being merged. This was first implemented by Undernet (ircu) in November 2000 [1] and is now common in many IRC servers. If both channels were created at the same time, all user statuses are retained when the two are combined; if one is newer than the other, special statuses are removed from those in the newer channel.

Additionally, a newer protection involving timestamping is used when a server splits away from the main network (when it no longer detects that IRC services are available), it disallows anyone creating a channel to be given operator privileges.

Nick collision

Another popular form of channel takeover abuses nickname collision protection, which keeps two users from having the same nickname at once. A user on one side of a netsplit takes the nickname of a target on the other side of the split; when the servers reconnect, the nicks collide and both users are kicked from the server. The attacker then reconnects or switches nicks in a second client while the target reconnects, and proceeds to jupe (or block) the target's nickname for a period of time.

User timestamping is often used to detect these kinds of attacks in a fashion similar to channel timestamping, with the user who selected that nickname later being kicked from the server. Another protection method, called nickhold, disallows the use of recently split nicknames. This causes fewer kicks, but causes more inconvenience to users. For this reason, timestamping is generally more common. Some servers, such as ircd-ratbox, do both. IRC services and bots can also protect against such attacks by requiring that a password be supplied to use a certain nick. Users who do not provide a password are killed after a certain amount of time.

Other methods

Other methods can be used to take over a channel, though they are unrelated to flaws in IRC itself; for example, cracking the computers of channel operators, compromising channel bot shell accounts, or obtaining services passwords through social engineering.

Smurfing

Smurf attacks have been used to take over IRC servers. [2] These exploit ICMP ping responses from broadcast addresses at multiple hosts sharing an Internet address, and forge the ping packet's return address to match a target machine's address. A single malformed packet sent to the "smurf amplifier" will be echoed to the target machine.

Related Research Articles

EFnet or Eris-Free network is a major Internet Relay Chat (IRC) network, with more than 35,000 users. It is the modern-day descendant of the original IRC network.

<span class="mw-page-title-main">Undernet</span>

The Undernet is the third largest publicly monitored Internet Relay Chat (IRC) network, c. 2022, with about 36 client servers serving 47,444 users in ~6000 channels at any given time.

<span class="mw-page-title-main">DALnet</span>

DALnet is an Internet Relay Chat (IRC) network made up of 39 servers, with a stable population of approximately 10,000 users in about 4,000 channels.
DALnet is accessible by connecting with an IRC client to an active DALnet server on ports 6660 through 6669, and 7000. SSL users can connect on port 6697 as well. The generic round-robin address is irc.dal.net.

<span class="mw-page-title-main">Internet Relay Chat</span> Protocol for real-time Internet chat and messaging

Internet Relay Chat (IRC) is a text-based chat system for instant messaging. IRC is designed for group communication in discussion forums, called channels, but also allows one-on-one communication via private messages as well as chat and data transfer, including file sharing.

<span class="mw-page-title-main">QuakeNet</span>

QuakeNet is an Internet Relay Chat (IRC) network, and was one of the largest IRC networks. The network was founded in 1997 by Garfield and Oli as a new home for their respective countries' Quake channels. At its peak on February 8, 2005, the network recorded 243,394 simultaneous connections. As of 2020, there are 9 servers and about 12,000 users remaining.

A Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

An IRC operator is a user on an Internet Relay Chat network who has privileged access. IRC operators are charged with the task of enforcing the network's rules, and in many cases, improving the network in various areas. The permissions available to an IRC operator vary according to the server software in use, and the server's configuration.

IRCnet is currently the third largest IRC network with around 25,000 users using it daily. An early 2005 record had approximately 123,110 users simultaneously connected to the network.

Internet Relay Chat services is a name for a set of features implemented on many modern Internet Relay Chat networks. Services are automated bots with special status which are generally used to provide users with access with certain privileges and protection. They usually implement some sort of login system so that only people on the access control list can obtain these services.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

In computer networking, specifically Internet Relay Chat (IRC), netsplit is a disconnection between two servers. A split between any two servers splits the entire network into two pieces.

An IRC bot is a set of scripts or an independent program that connects to Internet Relay Chat as a client, and so appears to other IRC users as another user. An IRC bot differs from a regular client in that instead of providing interactive access to IRC for a human user, it performs automated functions.

An IRCd, short for Internet Relay Chat daemon, is server software that implements the IRC protocol, enabling people to talk to each other via the Internet. It is distinct from an IRC bot that connects outbound to an IRC channel.

Client-to-client protocol (CTCP) is a special type of communication between Internet Relay Chat (IRC) clients.

A BNC is a piece of software that is used to relay traffic and connections in computer networks, much like a proxy. Using a BNC allows a user to hide the original source of the user's connection, providing privacy as well as the ability to route traffic through a specific location. A BNC can also be used to hide the true target to which a user connects.

SlashNET is a medium-sized, independently operated Internet Relay Chat (IRC) network. Originally sponsored by Slashdot and founded in 1998, in 1999 SlashNET split off to become its own entity. A few well-known communities and projects maintain an IRC presence at SlashNET, including #g7, #totse (Totse), #idiots-club, #mefi, various Penny Arcade-related communities, #Twitterponies, and #rags. As of 2012 it is ranked in the top 40 networks by IRC.Netsplit.de, with an estimated relatively constant 1700 users, and #25/737 by SearchIRC.com.

Flooding or scrolling on an IRC network is a method of disconnecting users from an IRC server, exhausting bandwidth which causes network latency ('lag'), or just disrupting users. Floods can either be done by scripts or by external programs.

An ICMP tunnel establishes a covert connection between two remote computers, using ICMP echo requests and reply packets. An example of this technique is tunneling complete TCP traffic over ping requests and replies.

Freenode, stylized as freenode and formerly known as Open Projects Network, is an IRC network which was previously used to discuss peer-directed projects. Their servers are accessible from the hostname chat.freenode.net, which load balances connections by using round-robin DNS.

References

  1. Add channel creation TS (timestamp) to JOIN protocol messages, Kevin L. Mitchell, November 2nd 2000, undernetc-ircu SVN server - ircu2 - r306, https://github.com/UndernetIRC/ircu2/commit/008a01428ae6d628d31abe35d361b51b3f4f154f
  2. Ganor, Boaz; von Knop, Katharina; Duarte, Carlos A. M. (2007). Hypermedia seduction for terrorist recruiting. IOS Press. ISBN   978-1-58603-761-1