IRC Floods

Flooding

Flooding on an IRC network is a method of disconnecting users from the IRC server (like Denial of Service), or just making them slow ('laggy'). Floods can either be done by scripts (written for the given client) or by external programs. Flooding is based on the fact that the maximum number of messages that can be sent in a specified interval is controlled on the IRC server, and anyone who exceeds that value is disconnected with an "Excess Flood" quit message.

Types of floods

- CTCP flood: These are probably the most common and most efficient. Since CTCP is implemented in almost every client, every user responds to CTCP requests. By sending too many requests, after a couple of answers they get disconnected from the IRC server. The most widely used type is CTCP PING, although most clients also implement other CTCP replies.
- DCC flood: Initiating many DCC requests simultaneously. Theoretically it can also be used to disconnect users, because the target client sends information back about what port is intended to be used during the DCC session.
- ICMP flood: Typically referred to as a ping flood. This attack sends so much information to the client that it causes lag or disconnection. It is often caused by either IRC clients working in unison or botnets of Eggdrop bots. This is also a simple DDoS attack.
- Message flood: Sending lots of private messages to the victim, mainly from different connections called clones (see below). Since many clients separate private conversations into their own windows, they open a new window for every new user a message is received from. This is exploitable by sending messages from multiple names, causing the target client to open many new windows and potentially swamping the user with boxes. Sometimes the easiest way to close all the windows is to restart the IRC client, although scripts (client extensions) exist to 'validate' unknown nicknames before receiving messages from them.
- Notice flood: Similar to the message flood, but uses the "notice" command.
- Invite flood: Sending lots of invites, mostly to fake channels.
- Nick flood: Changing the nick as fast as possible, thus making the conversation in the channel unenjoyable. This will often result in a ban.
- Join/part flood: Repeatedly joining and parting from a specified channel. The effect is the same as that of the nick flood. Again, this will often result in a ban.

Clones

Abusers do not flood from their own nicknames, for the following reasons:
- they can easily be K-Lined by administrators ('ServerOPs' or 'SOPs'),
- they can be banned from channels by operators ('ChanOPs' or 'OPs'),
- from one user the flood is often not effective (the limits apply to the attacker too).
Instead clones are used, which are script- or program-controlled clients, primarily designed to abuse others. Thanks to this, it is easy to attack a user with many clones at the same time. Generally, the more clones an abuser has, the bigger the chance of an attack succeeding.

One way to increase the number of clones is using open proxies. Basically these proxies are SOCKS or squid-based, which support IRC connections by default. Someone with a list of open proxies can use them to connect clones to various IRC servers. To prevent this, nowadays IRC servers are configured to check the proxy ports of the client at the very beginning of the connection. If a proxy request succeeds, the server immediately drops the user (or clone).

Protection

Almost every IRC client offers some kind of flood protection. These protections are based on the built-in "ignore" feature, which means that a given incoming message, CTCP, invitation, etc. will be blocked if the sender's hostmask matches any of the masks defined in the ignore list. This is useful as few IRC networks implement the 'silence' command to reject messages at the server. In other words, every message will be delivered to the corresponding user, whether it is a normal message or its content is intentionally malicious.

Flood protection in mIRC

There is also flood protection in the popular Windows-based client program, mIRC, in the Options menu. Users can set some important values: how many incoming bytes are considered to be flooding, the maximum incoming lines per user, and the ignore time. Note that these settings are not enabled by default. Beyond these options, there is a much more sophisticated way to eliminate flooding by using mIRC scripts. These include additional features, such as CTCP cloaking, better message flood control, more adjustable flood triggers, and many others.

Many users believe that installing a firewall will protect them against these attacks. This is not true, because the IRC protocol operates in the application layer, therefore a packet filter firewall cannot examine the incoming data stream to ensure there are no suspicious commands in it. Nor does an application layer firewall provide protection: it would be too complex to implement such a feature.
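A client-side flood trigger of the kind described under Protection, as an added example that is not mIRC's code or part of the original page: it counts incoming lines, bytes and CTCP requests per sender host in a sliding window and puts the host on a timed ignore list once a limit is exceeded. The class name, thresholds and sample traffic are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
# RFC 1459 message prefix: ":nick!user@host COMMAND params"
LINE_RE = re.compile(r"^:[^!\s]+![^@\s]+@(?P<host>\S+) (?P<cmd>[A-Z]+) (?P<rest>.*)$")
WATCHED = {"PRIVMSG", "NOTICE", "INVITE"}

class FloodGuard:
    """Sliding-window flood trigger feeding a timed ignore list (thresholds are assumptions)."""

    def __init__(self, max_lines=5, max_bytes=600, max_ctcp=2, window=10.0, ignore_secs=60.0):
        self.limits = (max_lines, max_bytes, max_ctcp)
        self.window, self.ignore_secs = window, ignore_secs
        self.events = defaultdict(deque)  # host -> (timestamp, bytes, is_ctcp)
        self.ignored = {}                 # host -> expiry; same effect as the mask *!*@host

    def feed(self, line, now):
        """Return 'pass', 'ignore' (limit just tripped) or 'drop' (sender already ignored)."""
        m = LINE_RE.match(line.rstrip("\r\n"))
        if not m or m["cmd"] not in WATCHED:
            return "pass"
        # Key on the host, not the nick, so nick changes and same-host clones share one budget.
        host = m["host"].lower()
        if self.ignored.get(host, 0.0) > now:
            return "drop"
        # A CTCP request is a PRIVMSG whose trailing parameter starts with \x01. Each one
        # would trigger an automatic reply, so it gets its own, tighter limit.
        is_ctcp = m["cmd"] == "PRIVMSG" and m["rest"].partition(" :")[2].startswith("\x01")
        q = self.events[host]
        q.append((now, len(line), is_ctcp))
        while q and q[0][0] <= now - self.window:
            q.popleft()
        totals = (len(q), sum(e[1] for e in q), sum(e[2] for e in q))
        if any(total > limit for total, limit in zip(totals, self.limits)):
            self.ignored[host] = now + self.ignore_secs
            q.clear()
            return "ignore"
        return "pass"

# Constructed sample traffic: (seconds, raw line); hosts use reserved example domains.
SAMPLE = [
    (0.0, ":alice!al@home.example.org PRIVMSG me :hi there"),
    (1.0, ":c1!x@clone.example.net PRIVMSG me :\x01PING 1\x01"),
    (1.5, ":c2!x@clone.example.net PRIVMSG me :\x01PING 2\x01"),
    (2.0, ":c3!x@clone.example.net PRIVMSG me :\x01VERSION\x01"),
    (2.5, ":c4!x@clone.example.net NOTICE me :spam"),
    (70.0, ":c1!x@clone.example.net PRIVMSG me :hello again"),
]

def run(sample=SAMPLE):
    guard = FloodGuard()
    return [guard.feed(line, now) for now, line in sample]
```

Keying on the host only groups clones that share a connection; clones arriving through separate proxies each get their own budget, which is why the server-side proxy check described above still matters.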
Copyright 2005-2009 OnPedia.com. All Rights Reserved