___________________________________________________________



GUIDE TO (mostly) HARMLESS HACKING



Vol. 3 Number 3



How to keep from getting kicked off IRC!

____________________________________________________________



For the first time we have a GTMHH with two primary authors: Patrick

Rutledge and Carolyn Meinel. Also, this GTMHH feels like bungee jumping into

a flame war to me (Carolyn) since I am only just starting to get my toes wet

in the wonderful world of IRC. So don't be surprised if some boo-boos

slipped past the editing process. Please let me (Carolyn) know of any errors

and I'll put out a corrected version. Our thanks to Warlock  (who can be

found on IRC usually with the nick VVarlock -- note the double V instead of

W), Meltdown and k1neTiK, who all provided invaluable information on the

burning question of the IRC world: help, they're nuking meee...



But first, what is IRC?



IRC stands for Internet Relay Chat. It allows a group of people to type

messages back and forth on a screen in almost real time. It's more fun than

Usenet where it can take minutes to hours for people's replies to turn up. 



But in some ways IRC is like CB radio, with lots of folks flaming and making

fools of themselves in unique and irritating ways. But because it is such an

inexpensive way for people from all over the world to quickly exchange

ideas, IRC is widely used by hackers. Also, given the wars you can fight for

control of IRC channels, it can give you a good hacker workout.



To get on IRC you need both an IRC client program and IRC server program. 



***********************

Newbie note: Any program that uses a resource is called a "client."  Any

program that offers a resource is a "server."  Your IRC client program runs

on either your home computer or shell account computer and connects you to

an IRC server program somewhere. The IRC server program passes information

between the client programs of everyone who is participating in chat

sessions on that server.

***********************



You might already have an IRC program available with your shell account. Or,

you can get a PPP connection running on your home computer and bring up a

Mac or Windows IRC program. Some Internet Service Providers such as Netcom

give you software when you sign up that includes an IRC client. Quarterdeck

Internet Suite also includes an IRC program so easy that even a 6-year old

could use it. Even easier yet, if your Web browser is set up to use Java,

you can run IRC straight from your browser once you have surfed into a

Web-based IRC server.



Where are good IRC servers for meeting other hackers?



You can try out our own Happy Hacker IRC channel. If your browser is running

Java, just surf over to http://www.infowar.com, click on chat, and choose

the #hackers (or #hack or whatever looks like some sort of hacker thing)

channel.



But there are other good IRC servers that are usually full of hacker

channels. EFFNet is one of the oldest IRC servers. It is run by the

Electronic Freedom Foundation (eff.org). But it is reputed to be a "war

ground." You are allowed to do anything you want, but you may not like what

others do to you.



Undernet is probably the second largest. The main purpose of Undernet is to

be more friendly. But this means, yes, moderators! The operators of these

IRC servers have permission to kill you not only from a channel but also

from a server. Heck, they can ban you for good. They can even ban your whole

domain. Now if the sysadmins at your ISP were to find out you had managed to

get their entire domain banned on account of your committing ICMP bombing or

whatever, they will be truly mad at you! Bye bye your account.



You can locate other good IRC servers by getting on the Web and searching

for "IRC server."  Some are really elite, for example the l0pht server.



But before you get too excited over trying out IRC, let us warn you. IRC is

not so much phun any more because some d00dz aren't satisfied with using it

to merely say naughty words and cast aspersions on people's ancestry and

grooming habits. They get their laughs by kicking other people off IRC

entirely. This is because they are too chicken to start brawls in bars. So

they beat up on people in cyberspace where they don't have to fret over

getting ouchies.



But we're going to show some simple, effective ways to keep these lusers

from ruining your IRC sessions.



First you'll need to know some of the ways you can get kicked off IRC by

these bullies.



The simplest way to get in trouble is to accidentally give control of your

IRC channel to an impostor whose goal is to kick you and your friends off.



You see, the first person to start up a channel on an IRC server is

automatically the operator (OP). The operator has the power to kick people

off or invite people in. Also, if the operator wants to, he or she may pass

operator status on to someone else. 



Ideally, when you leave the channel you would pass this status on to a

friend your trust. Also, maybe someone who you think is your good buddy is

begging you to please, please give him a turn being the operator. You may

decide to hand over the OP to him or her in order to demonstrate friendship.

But if you mess up and accidentally OP a bad guy, your fun chat can become

history.



One way to keep this all this obnoxious stuff from happening is to simply

not OP people you do not know.



So how do you know if someone is the person he or she claims to be on IRC?.

Just because you recognize the nick (nickname), don't assume it's who you

think it is! Check the host address associated with the nick by giving the

command "/whois IRCnick" where "IRCnick" is the nickname of the person you

want to check.  



Now this "/whois" command will give back to you the email address belonging

to the person using that nick. If you see, say, "d***@wannabe.net" instead

of the address you expected, say friend@cool.com, then DO NOT OP him.  Make

the person explain who he or she is and why the email address is different.



But entering a fake nick when entering an IRC server is only the simplest of

ways someone can sabotage an IRC session. Your real trouble comes when

people deploy "nukes" and "ICBMs" against you.



"Nuking" is also known as "ICMP Bombing." This includes forged messages such

as EOF, dead socket, redirect, etc.



ICMP stands for Internet Control Message Protocol. For example, ICMP

redirect messages are used by routers to tell other computers "Hey, quit

sending me that stuff. Send it to routerx.foobar.net instead!" So an ICMP

redirect message could cause your IRC messages to go to bit heaven instead

of your chat channel. EOF stands for "end of file." "Dead socket" refers to

connections such as your PPP session that you would be using with many IRC

clients to connect to the Internet. If your IRC enemy spoofs a message that

your socket is dead, your IRC chat session can't get any more input from

you.  That's what ICMP Host Unreachable Bomber for Windows does.



Probably the most devastating IRC weapon is the flood ping, known as "ICBM

flood." The idea is that a bully will find out what Internet host you are

using, and then give the command "ping-f" to your host computer. Or even to

your home computer. Yes, on IRC it is possible to identify the dynamically

assigned IP address of your home computer and send stuff directly to your

modem! If the bully has a decent computer, he or she may be able to ping

yours badly enough to briefly knock you out of IRC. Then this character can

take over your IRC session and may masquerade as you. 



**********************

Newbie note: When you connect to the Internet with a point-to-point (PPP)

connection, your ISP's host computer assigns you an Internet Protocol (IP)

address which may be different every time you log on. This is called a

"dynamically assigned IP address."

**********************



Now let's consider in more detail the various types of  flooding attacks on IRC.



The purpose of flooding is to send so much garbage to a client that its

connection to the IRC server either becomes useless or gets cut off.



Text flooding is the simplest attack. For example, you could just hold down

the "x" key and hit enter from time to time. This would keep the IRC screen

filled with your junk and scroll the others' comments quickly off the

screen. However, text flooding is almost always unsuccessful because almost

any IRC client has text flood control. Even if it doesn't, text must pass

through an IRC server. Most IRC servers also have text flood filters. 



Client to Client Protocol (CTCP) echo flooding is the most effective type of

flood. This is sort of like the ping you send to determine whether a host

computer is alive. It is a command used within IRC to check to see if

someone is still on your IRC channel. 



How does the echo command work? To check whether someone is still on your

IRC channel, give the command "/ctcp nick ECHO hello out there!" If "nick"

(where "nick" is the IRC nickname of the person you are checking out) is

still there, you get back "nick HELLO OUT THERE."



What has happened is that your victim's IRC client program has automatically

echoed whatever message you sent. 



But someone who wants to boot you off IRC can use the CTCP echo command to

trick your IRC server into thinking you are hogging the channel with too

much talking. This is because most IRC servers will automatically cut you

off if you try text flooding.



So CTCP echo flooding spoofs the IRC into falsely cutting someone off by

causing the victim's IRC client to automatically keep on responding to a

whole bunch of echo requests.



Of course your attacker could also get booted off for making all those CTCP

echo requests.  But a knowledgeable attacker will be connected in several

different ways to that same IRC server. So by having different versions of

him or herself in the form of software bots making those CTCP echo requests,

the attacker stays on while the victim gets booted off.



*********************

Newbie note: A "bot" is a computer program that acts kind of like a robot to

go around and do things for you. Some bots are hard to tell from real

people. For example, some IRC bots wait for someone to use bad language and

respond to these naughty words in annoying ways.

********************* 



A similar attack is CTCP ping. You can give the command "/ping nick" and the

IRC client of the guy using that nick would respond to the IRC server with a

message to be passed on to the guy who made the ping request saying "nick"

is alive and telling how long it took for "nick's" client to respond.



Your attacker can also easily get the dynamically assigned IP (Internet

protocol) address of your home computer and directly flood your modem. But

just about every Unix IRC program has at least some CTCP flood protection in it.



Then there is the old standby, ping flooding. It relies on Internet Control

Message Protocol(ICMP).



So how do you handle ICBMs, Nukes and other sophisticated attacks? There are

several programs that you can run with your Unix IRC program. Examples are

as LiCe and Phoenix.  These scripts will run in the background of your Unix

IRC session and will automatically kick in some sort of protection (ignore,

ban, kick) against attackers.  



If you are running a Windows-based IRC client, may assume that like usual

you are out of luck. In fact, when one of us  (Carolyn) got on the

Infowar.com IRC channel recently using Netscape 3.01 running on Win 95, the

*first* thing the denizens of #hackers did was make fun of Carolyn's

operating system. Yeah, thanks. But in fact there are great IRC war programs

for both Windows 95 and Unix.



**************************

Get your IRC war programs here! 



For Windows 95:

The most user friendly, and powerful, sheer war script (with simple flood

protect) is 7th Sphere. This lacks only ICMP ping floods which are blocked

anyhow by any current mIRC release. You can get it from

http://www.localnet.com/~marcraz/

This is an excellent program by cashmere and precursor that deserves

recognition for being programmed for win95.  The page is hosted by

PhyrKrakr, |MaGuS|, precurser, and Venum.



For Unix:

mIRC is an IRC client program. You can download it from

http://www.super-highway.net/users/govil/mirc40.html

For the programs tick and LiCe, go to ftp://ftp.cibola.net/pub/irc/scripts.

The program /pub/irc/lice will protect you.

But the program /pub/irc/tick is an attack program.

*************************



Us Happy Hacker folks don't recommend attacking people who take over OP

status by force on IRC.  Even if the other guys start it, remember this. If

they were able to sneak into the channel and get OPs just like that, then

chances are they are much more experienced and dangerous than you are.

Until you become an IRC master yourself, we suggest you do no more than ask

politely for OPs back. 



Better yet, "/ignore nick" the loozer and join another channel.  For

instance, if #funchat is taken over, just create #funchat2 and "/invite

IRCfriend" all your friends there, and use what you learned in this Guide

about the IRC whois command so that you DON'T OP people unless you know who

they are.  This might sound like a wimp move, but if you don't have a

fighting chance, don't try - it might be more embarrassing for you in the

long run.



********************

Newbie note: Want to learn more about IRC? Go to Usenet and check out

alt.irc.questions

********************



OK, that's it for now. Hope to see you on the IRC server at

http://www.infowar.com. And don't try any funny stuff, OK? Oh, no, they're

nuking meee...

__________________________________________________

Want to see back issues of Guide to (mostly) Harmless Hacking? See either

http://www.tacd.com/zines/gtmhh/ or 

http://ra.nilenet.com/~mjl/hacks/codez.htm or

http://www3.ns.sympatico.ca/loukas.halo8/HappyHacker/

Subscribe to our email list by emailing to hacker@techbroker.com with

message "subscribe" or join our Hacker forum at

http://www.infowar.com/cgi-shl/login.exe.

Chat with us on the Happy Hacker IRC channel. If your browser can use Java,

just direct your browser to www.infowar.com, click on chat, and choose the

#hackers channel.

Want to share some kewl stuph with the Happy Hacker list? Correct mistakes?

Send your messages to hacker@techbroker.com.  To send me confidential email

(please, no discussions of illegal activities) use cmeinel@techbroker.com

and be sure to state in your message that you want me to keep this

confidential. If you wish your message posted anonymously, please say so!

Direct flames to dev/null@techbroker.com. Happy hacking! 

Copyright 1997 Carolyn P. Meinel. You may forward  or post on your Web site

this GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at

the end.

________________________________________________________

Carolyn Meinel

M/B Research -- The Technology Brokers



