GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 Number 3
How to keep from getting kicked off IRC!
_______________________________________________________
Our thanks to Patrick Rutledge, Warbeast, Meltdown and k1neTiK,
who all provided invaluable information on the burning question
of the IRC world: help, they're nuking meee...
What's the big deal about IRC and hackers? Sheesh, IRC
is sooo easy to use... until you get on a server where hacker
wars reign. What the heck do you do to keep from getting clobbered
over and over again?
Of course you could just decide your enemies can go
to heck. But let's say you'd rather hang in there. You may want
to hang in there because if you want to make friends quickly
in the hacker world, one of the best ways is over Internet Relay
Chat (IRC).
On IRC a group of people type messages back and forth
on a screen in almost real time. It can be more fun than Usenet
where it can take from minutes to hours for people's replies
to turn up. And unlike Usenet, if you say something you regret,
it's soon gone from the screen. Ahem. That is, it will soon be
gone if no one is logging the session.
In some ways IRC is like CB radio, with lots of folks
flaming and making fools of themselves in unique and irritating
ways. So don't expect to see timeless wisdom and wit scrolling
down your computer screen. But because IRC is such an inexpensive
way for people from all over the world to quickly exchange ideas,
it is widely used by hackers. Also, given the wars you can fight
for control of IRC channels, it can give you a good hacker workout.
To get on IRC you need both an IRC client program and
you need to connect to a Web site or Internet Service Provider
(ISP) that is running an IRC server program.
***********************
Newbie note: Any program that uses a resource is called a "client."
Any program that offers a resource is a "server."
Your IRC client program runs on either your home computer or
shell account computer and connects you to an IRC server program
which runs on a remote computer somewhere on the Internet.
***********************
You may already have an IRC server running on your ISP.
Customer service at your ISP should be able to help you with
instructions on how to use it. Even easier yet, if your Web browser
is set up to use Java, you can run IRC straight from your browser
once you have surfed into a Web-based IRC server.
Where are good IRC servers for meeting other hackers?
There are several IRC servers that usually offer hacker
channels. EFNet (Eris-Free Network)links many IRC servers. It
was originally started by the Eris FreeNet (ef.net). It is reputed
to be a "war ground" where you might get a chance to
really practice the IRC techniques we cover below.
Undernet is one of the largest networks of IRC servers.
The main purpose of Undernet is to be a friendly place with IRC
wars under control. But this means, yes, lots of IRC cops! The
operators of these IRC servers have permission to kill you not
only from a channel but also from a server. Heck, they can ban
you for good. They can even ban your whole domain.
************************************
Newbie note: A domain is the last two (or sometimes three or
four) parts of your email address. For example, aol.com is the
domain name for America Online. If an IRC network were to ban
the aol.com domain, that would mean every single person on America
Online would be banned from it.
************************************
************************************
You can get punched in the nose warning: If the sysadmins at
your ISP were to find out that you had managed to get their entire
domain banned from an IRC net on account of committing ICMP bombing
or whatever, they will be truly mad at you! You will be lucky
if the worst that happens is that you lose your account. You'd
better hope that word doesn't get out to all the IRC addicts
on your ISP that you were the dude that got you guys all kicked
out.
************************************
IRCNet is probably the same size if not larger than
Undernet. IRCNet is basically the European/Australian split off
from the old EFNet.
Yes, IRC is a world-wide phenomenon. Get on the right
IRC network and you can be making friends with hackers on any
continent of the planet. There are at least 80 IRC networks in
existence. To learn how to contact them, surf over to: http://www.irchelp.org/.
You can locate additional IRC servers by surfing over to http://hotbot.com
or http://digital.altavista.com and searching for "IRC server."
Some IRC servers are ideal for the elite hacker, for example
the l0pht server. Note that is a "zero" not an "O"
in l0pht.
****************************************
Evil genius tip: Get on an IRC server by telneting straight in
through port 6667 at the domain name for that server.
****************************************
But before you get too excited over trying out IRC,
let us warn you. IRC is not so much phun any more because some
d00dz aren't satisfied with using it to merely say naughty words
and cast aspersions on people's ancestry and grooming habits.
They get their laughs by kicking other people off IRC entirely.
This is because they are too chicken to start brawls in bars.
So they beat up on people in cyberspace where they don't have
to fret over getting ouchies.
But we're going to show some simple, effective ways
to keep these lusers from ruining your IRC sessions. However,
first you'll need to know some of the ways you can get kicked
off IRC by these bullies.
The simplest way to get in trouble is to accidentally
give control of your IRC channel to an impostor whose goal is
to kick you and your friends off.
You see, the first person to start up a channel on an
IRC server is automatically the operator (OP). The operator has
the power to kick people off or invite people in. Also, if the
operator wants to, he or she may pass operator status on to someone
else.
Ideally, when you leave the channel you would pass this
status on to a friend your trust. Also, maybe someone who you
think is your good buddy is begging you to please, please give
him a turn being the operator. You may decide to hand over the
OP to him or her in order to demonstrate friendship. But if you
mess up and accidentally OP a bad guy who is pretending to be
someone you know and trust, your fun chat can become history.
One way to keep this all this obnoxious stuff from happening
is to simply not OP people you do not know. But this is easier
said than done. It is a friendly thing to give OP to your buddies.
You may not want to appear stuck up by refusing to OP anyone.
So if you are going to OP a friend, how can you really tell that
IRC dude is your friend?
Just because you recognize the nick (nickname), don't
assume it's who you think it is! Check the host address associated
with the nick by giving the command "/whois IRCnick"
where "IRCnick" is the nickname of the person you want
to check.
This "/whois" command will give back to you
the email address belonging to the person using that nick. If
you see, for example, "d***@wannabe.net" instead of
the address you expected, say friend@cool.com, then DO NOT OP
him. Make the person explain who he or she is and why the
email address is different.
But entering a fake nick when entering an IRC server
is only the simplest of ways someone can sabotage an IRC session.
Your real trouble comes when people deploy "nukes"
and "ICBMs" against you.
"Nuking" is also known as "ICMP Bombing."
This includes forged messages such as EOF (end of file), dead
socket, redirect, etc.
**************************************
Newbie note: ICMP stands for Internet Control Message Protocol.
This is an class of IRC attacks that go beyond exploiting quirks
in the IRC server program to take advantage of major league hacking
techniques based upon the way the Internet works.
**************************************
**************************************
You can go to jail warning: ICMP attacks constitute illegal denial
of service attacks. They are not just harmless harassment of
a single person on IRC, but may affect an entire Internet host
computer, disputing service to all who are using it.
***************************************
For example, ICMP redirect messages are used by routers
to tell other computers "Hey, quit sending me that stuff.
Send it to routerx.foobar.net instead!" So an ICMP redirect
message could cause your IRC messages to go to bit heaven instead
of your chat channel.
EOF stands for "end of file." "Dead socket"
refers to connections such as your PPP session that you would
be using with many IRC clients to connect to the Internet. If
your IRC enemy spoofs a message that your socket is dead, your
IRC chat session can't get any more input from you. That's
what the program "ICMP Host Unreachable Bomber for Windows"
does.
Probably the most devastating IRC weapon is the flood
ping, known as "ICBM flood or ICMPing." The idea is
that a bully will find out what Internet host you are using,
and then give the command "ping-f" to your host computer.
Or even to your home computer. Yes, on IRC it is possible to
identify the dynamically assigned IP address of your home computer
and send stuff directly to your modem! If the bully has a decent
computer, he or she may be able to ping yours badly enough to
briefly knock you out of IRC. Then this character can take over
your IRC session and may masquerade as you.
**********************
Newbie note: When you connect to the Internet with a point-to-point
(PPP) connection, your ISP's host computer assigns you an Internet
Protocol (IP) address which may be different every time you log
on. This is called a "dynamically assigned IP address."
In some cases, however, the ISP has arranged to assign the uses
the same IP address each time.
**********************
Now let's consider in more detail the various types
of flooding attacks on IRC.
The purpose of flooding is to send so much garbage to
a client that its connection to the IRC server either becomes
useless or gets cut off.
Text flooding is the simplest attack. For example, you
could just hold down the "x" key and hit enter from
time to time. This would keep the IRC screen filled with your
junk and scroll the others' comments quickly off the screen.
However, text flooding is almost always unsuccessful because
almost any IRC client (the program you run on your computer)
has text flood control. Even if it doesn't, text must pass through
an IRC server. Most IRC servers also have text flood filters.
Because text flooding is basically harmless, you are
unlikely to suffer anything worse than getting banned or possibly
K:lined for doing it.
******************************************
Newbie note: "K:line" means to ban not just you, but
anyone who is in your domain from an IRC server. For example,
if you are a student at Giant State University with an email
address of IRCd00d@giantstate.edu, then every person whose email
address ends with "giantstate.edu" will also be banned.
*******************************************
Client to Client Protocol (CTCP) echo flooding is the
most effective type of flood. This is sort of like the ping you
send to determine whether a host computer is alive. It is a command
used within IRC to check to see if someone is still on your IRC
channel.
How does the echo command work? To check whether someone
is still on your IRC channel, give the command "/ctcp nick
ECHO hello out there!" If "nick" (where "nick"
is the IRC nickname of the person you are checking out) is still
there, you get back "nick HELLO OUT THERE."
What has happened is that your victim's IRC client program
has automatically echoed whatever message you sent.
But someone who wants to boot you off IRC can use the
CTCP echo command to trick your IRC server into thinking you
are hogging the channel with too much talking. This is because
most IRC servers will automatically cut you off if you try text
flooding.
So CTCP echo flooding spoofs the IRC into falsely cutting
someone off by causing the victim's IRC client to automatically
keep on responding to a whole bunch of echo requests.
Of course your attacker could also get booted off for
making all those CTCP echo requests. But a knowledgeable
attacker will either be working in league with some friends who
will be doing the same thing to you or else be connected with
several different nicks to that same IRC server. So by having
different versions of him or herself in the form of software
bots making those CTCP echo requests, the attacker stays on while
the victim gets booted off.
This attack is also fairly harmless, so people who get
caught doing this will only get banned or maybe K:lined for their
misbehavior.
******************************
Newbie note: A "bot" is a computer program that acts
kind of like a robot to go around and do things for you. Some
bots are hard to tell from real people. For example, some IRC
bots wait for someone to use bad language and respond to these
naughty words in annoying ways.
*************************************
*************************************
You can get punched in the nose warning: Bots are not permitted
on the servers of the large networks. The IRC Cops who control
hacker wars on these networks love nothing more than killing
bots and banning the botrunners that they catch.
**************************************
A similar attack is CATCH ping. You can give the command
"/ping nick" and the IRC client of the guy using that
nick would respond to the IRC server with a message to be passed
on to the guy who made the ping request saying "nick"
is alive, and telling you how long it took for nick's IRC client
program to respond. It's useful to know the response time because
sometimes the Internet can be so slow it might take ten seconds
or more to send an IRC message to other people on that IRC channel.
So if someone seems to be taking a long time to reply to you,
it may just be a slow Internet.
Your attacker can also easily get the dynamically assigned
IP (Internet protocol) address of your home computer and directly
flood your modem. But just about every Unix IRC program has at
least some CATCH flood protection in it. Again, we are looking
at a fairly harmless kind of attack.
So how do you handle IRC attacks? There are several
programs that you can run with your Unix IRC program. Examples
are the programs LiCe and Phoenix. These scripts will run
in the background of your Unix IRC session and will automatically
kick in some sort of protection (ignore, ban, kick) against attackers.
If you are running a Windows-based IRC client, you may
assume that like usual you are out of luck. In fact, when I first
got on an IRC channel recently using Netscape 3.01 running on
Win 95, the *first* thing the denizens of #hackers did was make
fun of my operating system. Yeah, thanks. But in fact there are
great IRC war programs for both Windows 95 and Unix.
For Windows 95 you may wish to use the mIRC client program.
You can download it from http://www.super-highway.net/users/govil/mirc40.html.
It includes protection from ICMP ping flood. But this program
isn't enough to handle all the IRC wars you may encounter. So
you may wish to add the protection of the most user-friendly,
powerful Windows 95 war script around: 7th Sphere. You can get
it from http://www.localnet.com/~marcraz/.
If you surf IRC from a Unix box, you'll want to try
out IRCII. You can download it from ftp.undernet.org , in the
directory /pub/irc/clients/unix, or http://www.irchelp.org/,
or ftp://cs-ftp.bu.edu/irc/. For added protection, you may download
LiCe from ftp://ftp.cibola.net/pub/irc/scripts. Ahem, at this
same site you can also download the attack program Tick from
/pub/irc/tick. But if you get Tick, just remember our "You
can get punched in the nose" warning!
*********************************
Newbie note: For detailed instructions on how to run these IRC
programs, see
At http://www.irchelp.org/. Or go to Usenet and check out
alt.irc.questions
*********************************
*********************************
Evil genius tip: Want to know every excruciating technical detail
about IRC? Check out RFC 1459 (The IRC protocol). You can find
many copies of this ever popular RFC (Request for Comments) by
doing a Web search.
********************************
Now let's suppose you are all set up with an industrial
strength IRC client program and war scripts. Does this mean you
are ready to go to war on IRC?
Us Happy Hacker folks don't recommend attacking people
who take over OP status by force on IRC. Even if the other
guys start it, remember this. If they were able to sneak into
the channel and get OPs just like that, then chances are they
are much more experienced and dangerous than you are. Until
you become an IRC master yourself, we suggest you do no more
than ask politely for OPs back.
Better yet, "/ignore nick" the l00zer and
join another channel. For instance, if #evilhaxorchat is
taken over, just create #evilhaxorchat2 and "/invite IRCfriend"
all your friends there. And remember to use what you learned
in this Guide about the IRC whois command so that you DON'T OP
people unless you know who they are.
As Patrick Rutledge says, this might sound like a wimp
move, but if you don't have a fighting chance, don't try - it
might be more embarrassing for you in the long run. And if you
start IRC warrioring and get K:lined off the system, just think
about that purple nose and black eye you could get when all the
other IRC dudes at your ISP or school find out who was the luser
who got everyone banned.
That's it for now. Now don't try any funny stuff, OK?
Oh, no, they're nuking meee...
_____________________________________________________
Want to share some kewl stuph with the Happy Hacker list? Correct
mistakes?
To send me confidential email (please, no discussions of illegal
activities) use and be sure to state in
your message that you want me to keep this confidential. If you
wish your message posted anonymously, please say so! Direct flames
to dev/null@techbroker.com. Happy hacking!
© 1997 Carolyn P. Meinel. You may forward or post this
GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as
you leave this notice at the end.
