6 February 2017

Security on IRC

Risks specific to IRC

Everywhere in life, some people will try to destroy stuff that is valuable to you, take stuff that would be valuable to them or wreak havoc just for the hell of it. On IRC, normal users will find themselves attacked over nicknames, channels and opinions or just to steal resources.

Denial of service (DoS) attacks and software vulnerability exploits

The easiest way to take over a nickname or a channel is getting rid of their current user(s), and killing you off IRC may be the only way for an opponent to avoid losing the argument you two are having. Therefore, many tactics strive to break the connection between your client and the server to which it is connected.

Software, such as TCP/IP stacks and IRC clients, may suffer from security-related bugs that allow anyone on the Internet to crash your network connection, or even take over your system.

How can I protect myself?

  • Make sure that your operating system and your IRC client are ‘patched’ up to date. If possible, set updates to be applied automatically and/or subscribe to appropriate announcement mailing lists.
  • Use a virus scanner. Keep both the scanning engine and the virus definitions up to date.
  • Use a firewall. Keep it updated.

‘Security by obscurity’ may offer some additional help by hiding you and your channels from attackers; make yourself invisible (user mode +i) and make your channels secret (channel mode +s). You may also want to restrict access to your channels using one or more channel modes.

How net splits are exploited

Another popular attack tactic involves net splits.

Let us look at how an attacker who wants control of your channel might operate:

First he might recon for IRC servers that are on the same network but usually have no local users on your channel, e.g. if you and the other people from your channel were from Finland, the attacker might select a public access server located in the USA. He might connect to that server right away, or maybe wait until — for some reason — a split occurred between that server and the part of the network to which you and your friends are connected. A particularly nasty and impatient person might even attack IRC servers or networking devices such as routers actively to cause a net split.

When the attacker would notice a suitable split, he would attempt to join your channel, which by then would be empty on his side of the split. On IRCnet, your channel name would not be available right away, but unless the split was very short, the attacker would still be able to join your channel after a while, and as the first user on an empty channel he would naturally receive ops.

When the split would be over and the two parts of the network would reconnect, both the ‘lawful’ ops on your side of the split and the attacking op would have operator status on your channel. From your point of view, the server at the split point would give ops to the attacker, while from his viewpoint a server would op you and any other chanops coming from your side of the split. Since a channel operator always can demote other operators on the same channel, our attacker would very quickly ‘deop’ the good guys. Having done this, he would have full control of the channel and be able to kick, ban, set channel modes etc. — the takeover would be a fact.

Another way to use a split to take over a channel would be to load up the attacker’s side of the split with clients with nicknames matching those of the ‘legal’ ops. At reconnection, the resulting nick collisions would kill all the conflicting nicknames off IRC, leaving the channel empty and ready to be taken over.

You might think that all this is an awful lot of trouble to go through, but actually, it is not. Even ‘law-abiding’ IRC users use net splits as an easy fix for channel problems — after all, channels become ‘opless’ from time to time and therefore need to be taken over from behind a split. Also, there are IRC ‘war scripts’ around that do not even require the rogue user to understand how they work; a couple of mouse clicks is all it takes to start looking for a suitable split, or load IRC with clone bots that overload the victims with so much junk traffic that they become disconnected.

How can I protect myself?

Fortunately, there is software (e.g. eggdrop bots) available for the good guys as well, and even normal IRC clients often include limited anti-takeover functionality, such as automatic deopping of server ops (when the newly-opped attacker joins your channel from behind a recent net split).
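The ‘automatic deopping of server ops’ mentioned above is easy to misunderstand without seeing the traffic, so here is an added example (written for this page, not code from any particular bot or client) of the logic behind it. It reads raw IRC server lines, recognises a net split by the QUIT reason that consists of two server names, remembers which ops were lost to the split, and when a server (rather than a user) hands out +o shortly after the split to a nick that did not hold ops before, it answers with a -o. The sample traffic, the 600-second window and the mode-parsing shortcut are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# A QUIT whose reason is exactly two server names ("irc.fi.example irc.us.example")
# is how an IRC server reports that a user was lost behind a net split.
SPLIT_REASON = re.compile(r"^\S+\.\S+ \S+\.\S+$")

# Channel modes that take a parameter (assumption: enough for op/voice/ban/key
# handling; a real client would read CHANMODES from RPL_ISUPPORT instead).
ARG_MODES = {"o", "v", "b", "k"}


@dataclass
class Message:
    prefix: str          # "nick!user@host" for users, a bare server name for servers
    command: str
    params: List[str]


def parse_line(line: str) -> Message:
    """Split one raw IRC line into prefix, command and parameters."""
    rest = line.strip()
    prefix = ""
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    trailing = None
    if " :" in rest:
        rest, _, trailing = rest.partition(" :")
    words = rest.split()
    params = words[1:]
    if trailing is not None:
        params.append(trailing)
    return Message(prefix, words[0].upper(), params)


def from_server(prefix: str) -> bool:
    """Servers never carry a user@host part; a prefix without '!' is a server."""
    return "!" not in prefix


def mode_changes(modes: str, args: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Expand '+oo-o a b c' into [('+','o','a'), ('+','o','b'), ('-','o','c')]."""
    changes, sign, args = [], "+", list(args)
    for ch in modes:
        if ch in "+-":
            sign = ch
            continue
        arg = None
        if ch in ARG_MODES or (ch == "l" and sign == "+"):
            arg = args.pop(0) if args else None
        changes.append((sign, ch, arg))
    return changes


@dataclass
class ChannelGuard:
    """Tracks ops on one channel and flags server-given ops arriving after a split."""
    channel: str
    window: float = 600.0                               # seconds after a split in which server +o is suspect
    ops: Set[str] = field(default_factory=set)          # nicks currently opped
    split_ops: Set[str] = field(default_factory=set)    # ops lost to a split, expected to return opped
    split_at: Optional[float] = None

    def handle(self, line: str, now: float) -> List[str]:
        """Feed one raw line; returns raw commands the client should send in response."""
        msg = parse_line(line)
        nick = msg.prefix.split("!")[0]
        actions: List[str] = []

        if msg.command == "353" and len(msg.params) >= 4 and msg.params[2].lower() == self.channel.lower():
            # RPL_NAMREPLY when we join: "@" marks the existing ops
            self.ops.update(n[1:] for n in msg.params[3].split() if n.startswith("@"))
        elif msg.command == "QUIT" and msg.params and SPLIT_REASON.match(msg.params[-1]):
            self.split_at = now
            if nick in self.ops:
                self.ops.discard(nick)
                self.split_ops.add(nick)
        elif msg.command == "MODE" and len(msg.params) >= 2 and msg.params[0].lower() == self.channel.lower():
            for sign, mode, arg in mode_changes(msg.params[1], msg.params[2:]):
                if mode != "o" or arg is None:
                    continue
                if sign == "-":
                    self.ops.discard(arg)
                    continue
                recent_split = self.split_at is not None and now - self.split_at <= self.window
                if from_server(msg.prefix) and recent_split and arg not in self.split_ops:
                    # Opped by a server while the split heals, and not someone who
                    # held ops before the split: the takeover pattern described above.
                    actions.append(f"MODE {self.channel} -o {arg}")
                    continue
                self.ops.add(arg)
                self.split_ops.discard(arg)
        return actions


# Constructed sample traffic as seen from a client on the "home" side of the split.
SAMPLE = [
    (0,   ":irc.fi.example 353 me = #chan :@bob @alice carol"),
    (60,  ":alice!alice@example.net QUIT :irc.fi.example irc.us.example"),
    (400, ":mallory!m@host.example JOIN #chan"),
    (401, ":irc.us.example MODE #chan +o mallory"),
    (402, ":alice!alice@example.net JOIN #chan"),
    (403, ":irc.us.example MODE #chan +o alice"),
    (404, ":bob!bob@home.example MODE #chan +o carol"),
]


def run(lines=SAMPLE, channel: str = "#chan") -> List[str]:
    guard = ChannelGuard(channel)
    out: List[str] = []
    for t, line in lines:
        out.extend(guard.handle(line, t))
    return out


if __name__ == "__main__":
    for cmd in run():
        print(cmd)   # MODE #chan -o mallory
```

Note that alice, who was an op before the split and returns opped by the server, is left alone, while mallory, whom the server ops without any prior history on the channel, is deopped. This is exactly the ‘limited’ protection the text describes: it relies on the guard having seen the channel before the split, and it does nothing against the nick-collision variant.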

Remember, IRC operators or server administrators do not fix channel problems. If you are being hit by clone bots or flood bots, which are outlawed on pretty much any IRC server, an operator might get rid of them for you, but if your channel already has been taken over, do not expect the people who run the servers to give it back to you. A better approach is to simply not care — after all, neither nicknames nor channels are owned, nor is either going to be exhausted in the near future.

When someone snatches my nickname, my client simply switches to another one; when the usurper quits IRC, my client changes back to my primary nickname. Occasionally, someone also manages to take over a channel I run. Big deal — we just use another channel until our bots regain control. The takeover crew can have the channel for all that we care, and when they notice this, they usually lose interest in a matter of hours. From my point of view, temporarily losing a nickname or a channel is not a big deal; I might not even have the time to notice it...

Social engineering

Often the easiest way of taking over a channel is having a channel operator give you ops. This may be done by simply asking; you probably would not believe how many clue-deficient ops will give in to a little ‘Pleez op me??!!’ pestering. Even reasonably experienced IRC users often fall for an attacker who changes his nickname and maybe his user and ‘real’ names to match those of a ‘lawful’ op.

How can I protect myself?

Never op anyone on nickname alone. The only scenarios in which you might use WHOIS information (user name and host name) to identify someone for ops would be if you know that the user in question is the only one who is able to use that host, or if he is on a multi-user system with reliable Ident. Personally, on public IRC networks, I never op anyone myself; the bots are there to take care of that.
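As an added example (not part of the original article, and not the op-check of any real bot), here is how a bot could encode the rule above: trust is expressed as user@host masks, a mask that pins nothing but the nickname is rejected outright, and a host-only mask is accepted only because the text allows it for a machine that one person alone can use. The ‘~’ prefix check reflects the common ircd convention of marking a user name that the server could not verify through Ident. The trusted masks and hostmasks below are constructed.

```python
import re
from typing import Iterable, Tuple


def split_hostmask(mask: str) -> Tuple[str, str, str]:
    """'nick!user@host' -> (nick, user, host); missing parts become '*'."""
    nick, _, rest = mask.partition("!")
    user, _, host = rest.partition("@")
    return nick or "*", user or "*", host or "*"


def glob_match(pattern: str, value: str) -> bool:
    """IRC-style mask match: '*' and '?' wildcards, case-insensitive, and the
    nick characters [ ] \\ ^ { } are literal (fnmatch would treat [ as a class)."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value.lower()) is not None


def validate_mask(mask: str) -> Tuple[str, str, str]:
    """Refuse any trust entry that identifies a person by nickname alone."""
    nick, user, host = split_hostmask(mask)
    if host == "*":
        raise ValueError(f"mask {mask!r} does not pin the host; nick-only trust is not allowed")
    return nick, user, host


def should_op(hostmask: str, trusted_masks: Iterable[str]) -> bool:
    """Grant ops on user@host evidence only; the nick part is never consulted."""
    _nick, user, host = split_hostmask(hostmask)
    for mask in trusted_masks:
        _, m_user, m_host = validate_mask(mask)
        if not glob_match(m_host, host):
            continue
        if m_user == "*":
            return True          # trust rests on the host alone (a single-user machine)
        if user.startswith("~"):
            continue             # Ident not verified by the server: user part is untrusted
        if glob_match(m_user, user):
            return True
    return False


# Constructed policy: alice's account on a multi-user shell host with reliable
# Ident, and bob's single-user desktop identified by its host name alone.
TRUSTED = ["*!alice@shell.example", "*!*@bob-desktop.home.example"]

if __name__ == "__main__":
    for hm in ["alice!alice@shell.example", "alice!~alice@shell.example",
               "alice!alice@evil.example", "bob|away!~bob@BOB-DESKTOP.home.example"]:
        print(hm, "->", should_op(hm, TRUSTED))
```

The second and third sample hostmasks are the two social-engineering cases from the text: a copied nickname on a host where Ident could not be checked, and a copied nickname on an unrelated host. Both are refused, and only the user@host evidence decides.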

Harmful files

Together with Internet mail and Usenet news, IRC is one of the most common environments for spreading Trojan horses (files that appear innocent but are harmful) and other dangerous files.

While connected, you may be offered program files or scripts to run. This can be very dangerous; those files may contain code designed to attack your computer, e.g. by installing a program that mails sensitive data to the attacker or even allows him to control your computer remotely. Such programs also often spread themselves further automatically and unnoticed, for instance by mailing themselves to people in the address book of your mail client.

How can I protect myself?

Do not accept file offers from strangers; never agree to receive a file unless you have identified the sender to be a person you trust. Do not allow your client to accept DCC file offers automatically.

Never run any kind of script or program without knowing what it is, even though you may have received it from a trusted person. If you are unsure about how to proceed with a file you have received, contact whomever you turn to for computer support.

‘Real life’ risks on IRC

Unfortunately, criminals exist on IRC as well as in normal life. It is much easier to hide one’s true identity on IRC than in real life, and for most practical purposes it is impossible to be sure that a new IRC acquaintance really is e.g. a 12-year-old girl rather than a 50-year-old male. This makes the Internet a dream come true for anyone with twisted or otherwise shady intentions.

The seeming anonymity on IRC also tends to make people candidly talk about subjects they would not dream of discussing e.g. in a bar. Were I in the business of performing industrial espionage, one of my favourite tactics would probably be chatting with employees of the target organization on IRC...

Laws apply on the Internet just as in real life, although it may not always be clear which country’s legislation applies. If a crime is committed, it may be possible for the authorities to trace a user afterwards, but you cannot count on it; it would be relatively easy for a determined person to use the Internet without leaving a trace.

How can I protect myself?

Do not give out any personal information about yourself or anyone else, such as about a friend or a member of your family. Do not give out any confidential information about e.g. your employer, either.

If you decide to meet (in real life) with someone you have become acquainted with on IRC, make sure you will be able to do so in safety. Meet in a public place, maybe together with a real life friend of yours. Make sure you will be able to get away if you do not feel comfortable.