___________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 Number 3

How to keep from getting kicked off IRC!
____________________________________________________________

For the first time we have a GTMHH with two primary authors: Patrick
Rutledge and Carolyn Meinel. Also, this GTMHH feels like bungee jumping into
a flame war to me (Carolyn) since I am only just starting to get my toes wet
in the wonderful world of IRC. So don't be surprised if some boo-boos
slipped past the editing process. Please let me (Carolyn) know of any errors
and I'll put out a corrected version. Our thanks to Warlock (who can be
found on IRC usually with the nick VVarlock -- note the double V instead of
W), Meltdown and k1neTiK, who all provided invaluable information on the
burning question of the IRC world: help, they're nuking meee...

But first, what is IRC?

IRC stands for Internet Relay Chat. It allows a group of people to type
messages back and forth on a screen in almost real time. It's more fun than
Usenet where it can take minutes to hours for people's replies to turn up. 

But in some ways IRC is like CB radio, with lots of folks flaming and making
fools of themselves in unique and irritating ways. But because it is such an
inexpensive way for people from all over the world to quickly exchange
ideas, IRC is widely used by hackers. Also, given the wars you can fight for
control of IRC channels, it can give you a good hacker workout.

To get on IRC you need both an IRC client program and an IRC server program.

***********************
Newbie note: Any program that uses a resource is called a "client."  Any
program that offers a resource is a "server."  Your IRC client program runs
on either your home computer or shell account computer and connects you to
an IRC server program somewhere. The IRC server program passes information
between the client programs of everyone who is participating in chat
sessions on that server.
***********************

You might already have an IRC program available with your shell account. Or,
you can get a PPP connection running on your home computer and bring up a
Mac or Windows IRC program. Some Internet Service Providers such as Netcom
give you software when you sign up that includes an IRC client. Quarterdeck
Internet Suite also includes an IRC program so easy that even a 6-year-old
could use it. Even easier yet, if your Web browser is set up to use Java,
you can run IRC straight from your browser once you have surfed into a
Web-based IRC server.

Where are good IRC servers for meeting other hackers?

You can try out our own Happy Hacker IRC channel. If your browser is running
Java, just surf over to http://www.infowar.com, click on chat, and choose
the #hackers (or #hack or whatever looks like some sort of hacker thing)
channel.

But there are other good IRC servers that are usually full of hacker
channels. EFFNet is one of the oldest IRC servers. It is run by the
Electronic Freedom Foundation (eff.org). But it is reputed to be a "war
ground." You are allowed to do anything you want, but you may not like what
others do to you.

Undernet is probably the second largest. The main purpose of Undernet is to
be more friendly. But this means, yes, moderators! The operators of these
IRC servers have permission to kill you not only from a channel but also
from a server. Heck, they can ban you for good. They can even ban your whole
domain. Now if the sysadmins at your ISP were to find out you had managed to
get their entire domain banned on account of your committing ICMP bombing or
whatever, they would be truly mad at you! Bye bye your account.

You can locate other good IRC servers by getting on the Web and searching
for "IRC server."  Some are really elite, for example the l0pht server.

But before you get too excited over trying out IRC, let us warn you. IRC is
not so much phun any more because some d00dz aren't satisfied with using it
to merely say naughty words and cast aspersions on people's ancestry and
grooming habits. They get their laughs by kicking other people off IRC
entirely. This is because they are too chicken to start brawls in bars. So
they beat up on people in cyberspace where they don't have to fret over
getting ouchies.

But we're going to show some simple, effective ways to keep these lusers
from ruining your IRC sessions.

First you'll need to know some of the ways you can get kicked off IRC by
these bullies.

The simplest way to get in trouble is to accidentally give control of your
IRC channel to an impostor whose goal is to kick you and your friends off.

You see, the first person to start up a channel on an IRC server is
automatically the operator (OP). The operator has the power to kick people
off or invite people in. Also, if the operator wants to, he or she may pass
operator status on to someone else. 

Ideally, when you leave the channel you would pass this status on to a
friend you trust. Also, maybe someone who you think is your good buddy is
begging you to please, please give him a turn being the operator. You may
decide to hand over the OP to him or her in order to demonstrate friendship.
But if you mess up and accidentally OP a bad guy, your fun chat can become
history.

One way to keep all this obnoxious stuff from happening is to simply
not OP people you do not know.

So how do you know if someone is the person he or she claims to be on IRC?
Just because you recognize the nick (nickname), don't assume it's who you
think it is! Check the host address associated with the nick by giving the
command "/whois IRCnick" where "IRCnick" is the nickname of the person you
want to check.  

Now this "/whois" command will give back to you the email address belonging
to the person using that nick. If you see, say, "d***@wannabe.net" instead
of the address you expected, say friend@cool.com, then DO NOT OP him.  Make
the person explain who he or she is and why the email address is different.
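
The check described above can be automated. This is an added example, not
part of the original Guide: it parses the raw reply an IRC server sends for
"/whois" (numeric 311) and refuses to OP unless the user@host matches an
address you already trust. The allowlist, server name and reply lines are
constructed for illustration.

```python
import fnmatch

# Constructed allowlist: nick -> user@host masks confirmed out of band.
# friend@cool.com is the Guide's sample address; the wildcard mask is made up.
TRUSTED = {"ircfriend": ["friend@cool.com", "friend@*.cool.com"]}

def parse_whoisuser(line):
    """Parse an RPL_WHOISUSER reply (numeric 311) into (nick, user, host).

    Wire format: ":server 311 <me> <nick> <user> <host> * :<real name>"
    """
    parts = line.strip().split(" ")
    if len(parts) < 6 or parts[1] != "311":
        return None
    return parts[3], parts[4], parts[5]

def safe_to_op(line, trusted=TRUSTED):
    """True only if the nick is known AND its user@host matches a mask."""
    parsed = parse_whoisuser(line)
    if parsed is None:
        return False
    nick, user, host = parsed
    # Nicks and hostnames are case-insensitive, so compare in lower case.
    # A leading "~" on the user part (no identd answer) is kept, so it
    # fails the match unless a mask explicitly allows it.
    address = ("%s@%s" % (user, host)).lower()
    masks = trusted.get(nick.lower(), [])
    return any(fnmatch.fnmatchcase(address, m.lower()) for m in masks)

# Constructed server replies: the same nick seen from two different hosts.
GOOD = ":irc.example.net 311 me IRCfriend friend cool.com * :My Friend"
BAD = ":irc.example.net 311 me IRCfriend d00d wannabe.net * :My Friend"

if __name__ == "__main__":
    for reply in (GOOD, BAD):
        print(parse_whoisuser(reply), "->", "OP" if safe_to_op(reply) else "DO NOT OP")
```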

But entering a fake nick when entering an IRC server is only the simplest of
ways someone can sabotage an IRC session. Your real trouble comes when
people deploy "nukes" and "ICBMs" against you.

"Nuking" is also known as "ICMP Bombing." This includes forged messages such
as EOF, dead socket, redirect, etc.

ICMP stands for Internet Control Message Protocol. For example, ICMP
redirect messages are used by routers to tell other computers "Hey, quit
sending me that stuff. Send it to routerx.foobar.net instead!" So an ICMP
redirect message could cause your IRC messages to go to bit heaven instead
of your chat channel. EOF stands for "end of file." "Dead socket" refers to
connections such as your PPP session that you would be using with many IRC
clients to connect to the Internet. If your IRC enemy spoofs a message that
your socket is dead, your IRC chat session can't get any more input from
you.  That's what ICMP Host Unreachable Bomber for Windows does.

Probably the most devastating IRC weapon is the flood ping, known as "ICBM
flood." The idea is that a bully will find out what Internet host you are
using, and then give the command "ping -f" to your host computer. Or even to
your home computer. Yes, on IRC it is possible to identify the dynamically
assigned IP address of your home computer and send stuff directly to your
modem! If the bully has a decent computer, he or she may be able to ping
yours badly enough to briefly knock you out of IRC. Then this character can
take over your IRC session and may masquerade as you. 

**********************
Newbie note: When you connect to the Internet with a point-to-point (PPP)
connection, your ISP's host computer assigns you an Internet Protocol (IP)
address which may be different every time you log on. This is called a
"dynamically assigned IP address."
**********************

Now let's consider in more detail the various types of flooding attacks on IRC.

The purpose of flooding is to send so much garbage to a client that its
connection to the IRC server either becomes useless or gets cut off.

Text flooding is the simplest attack. For example, you could just hold down
the "x" key and hit enter from time to time. This would keep the IRC screen
filled with your junk and scroll the others' comments quickly off the
screen. However, text flooding is almost always unsuccessful because almost
any IRC client has text flood control. Even if it doesn't, text must pass
through an IRC server. Most IRC servers also have text flood filters. 

Client to Client Protocol (CTCP) echo flooding is the most effective type of
flood. This is sort of like the ping you send to determine whether a host
computer is alive. It is a command used within IRC to check to see if
someone is still on your IRC channel. 

How does the echo command work? To check whether someone is still on your
IRC channel, give the command "/ctcp nick ECHO hello out there!" If "nick"
(where "nick" is the IRC nickname of the person you are checking out) is
still there, you get back "nick HELLO OUT THERE."

What has happened is that your victim's IRC client program has automatically
echoed whatever message you sent. 

But someone who wants to boot you off IRC can use the CTCP echo command to
trick your IRC server into thinking you are hogging the channel with too
much talking. This is because most IRC servers will automatically cut you
off if you try text flooding.

So CTCP echo flooding spoofs the IRC server into falsely cutting someone off by
causing the victim's IRC client to automatically keep on responding to a
whole bunch of echo requests.

Of course your attacker could also get booted off for making all those CTCP
echo requests.  But a knowledgeable attacker will be connected in several
different ways to that same IRC server. So by having different versions of
him or herself in the form of software bots making those CTCP echo requests,
the attacker stays on while the victim gets booted off.

*********************
Newbie note: A "bot" is a computer program that acts kind of like a robot to
go around and do things for you. Some bots are hard to tell from real
people. For example, some IRC bots wait for someone to use bad language and
respond to these naughty words in annoying ways.
********************* 

A similar attack is CTCP ping. You can give the command "/ping nick" and the
IRC client of the guy using that nick would respond to the IRC server with a
message to be passed on to the guy who made the ping request saying "nick"
is alive and telling how long it took for "nick's" client to respond.

Your attacker can also easily get the dynamically assigned IP (Internet
protocol) address of your home computer and directly flood your modem. But
just about every Unix IRC program has at least some CTCP flood protection in it.
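
How CTCP flood protection of this kind can work, as an added example that
is not code from the original Guide or from any IRC client: the guard below
answers only a few ECHO/PING requests per time window, counted across all
senders (since the flood described above comes from several bots at once),
then stays silent so the server never sees a burst of replies from you.
The limits, nicks and sample lines are constructed.

```python
import re
from collections import deque

# Wire format: ":nick!user@host PRIVMSG <target> :\x01COMMAND [argument]\x01"
CTCP_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG \S+ :\x01(?P<cmd>[A-Za-z]+)"
    r"(?: (?P<arg>[^\x01]*))?\x01?$")

class CtcpGuard:
    """Answer at most `limit` CTCP requests per `window` seconds, counted
    across ALL senders, then stay silent for `quiet` seconds."""

    def __init__(self, limit=3, window=10.0, quiet=60.0, max_arg=64):
        self.limit, self.window, self.quiet = limit, window, quiet
        self.max_arg = max_arg       # cap on how much text we echo back
        self.answered = deque()      # times of the replies we actually sent
        self.silent_until = 0.0
        self.ignored = set()         # nicks whose requests we dropped

    def handle(self, line, now):
        """Return the reply line to send, or None to stay silent."""
        m = CTCP_RE.match(line)
        if m is None or m.group("cmd").upper() not in ("ECHO", "PING"):
            return None
        nick = m.group("nick")
        while self.answered and now - self.answered[0] >= self.window:
            self.answered.popleft()
        if now < self.silent_until or len(self.answered) >= self.limit:
            # Flood detected: start the quiet period once, drop the request.
            if now >= self.silent_until:
                self.silent_until = now + self.quiet
            self.ignored.add(nick)
            return None
        self.answered.append(now)
        arg = (m.group("arg") or "")[: self.max_arg]
        return "NOTICE %s :\x01%s %s\x01" % (nick, m.group("cmd").upper(), arg)

def replay(lines, guard=None):
    """Feed (timestamp, raw_line) pairs through a guard; return replies."""
    guard = guard or CtcpGuard()
    return [guard.handle(line, t) for t, line in lines], guard

# Constructed sample: three clones take turns sending ECHO every 0.5 s.
SAMPLE = [(i * 0.5, ":bot%d!x@host%d.example PRIVMSG me :\x01ECHO hello\x01"
           % (i % 3, i % 3)) for i in range(12)]
```

The nicks collected in `ignored` are the candidates for the ignore, ban or
kick responses that protection scripts apply.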

Then there is the old standby, ping flooding. It relies on Internet Control
Message Protocol (ICMP).

So how do you handle ICBMs, Nukes and other sophisticated attacks? There are
several programs that you can run with your Unix IRC program. Examples are
LiCe and Phoenix.  These scripts will run in the background of your Unix
IRC session and will automatically kick in some sort of protection (ignore,
ban, kick) against attackers.  

If you are running a Windows-based IRC client, you may assume that, as usual,
you are out of luck. In fact, when one of us (Carolyn) got on the
Infowar.com IRC channel recently using Netscape 3.01 running on Win 95, the
*first* thing the denizens of #hackers did was make fun of Carolyn's
operating system. Yeah, thanks. But in fact there are great IRC war programs
for both Windows 95 and Unix.

**************************
Get your IRC war programs here! 

For Windows 95:
The most user friendly, and powerful, sheer war script (with simple flood
protect) is 7th Sphere. This lacks only ICMP ping floods which are blocked
anyhow by any current mIRC release. You can get it from
http://www.localnet.com/~marcraz/
This is an excellent program by cashmere and precursor that deserves
recognition for being programmed for win95.  The page is hosted by
PhyrKrakr, |MaGuS|, precurser, and Venum.

For Unix:
mIRC is an IRC client program. You can download it from
http://www.super-highway.net/users/govil/mirc40.html
For the programs tick and LiCe, go to ftp://ftp.cibola.net/pub/irc/scripts.
The program /pub/irc/lice will protect you.
But the program /pub/irc/tick is an attack program.
*************************

Us Happy Hacker folks don't recommend attacking people who take over OP
status by force on IRC.  Even if the other guys start it, remember this. If
they were able to sneak into the channel and get OPs just like that, then
chances are they are much more experienced and dangerous than you are.
Until you become an IRC master yourself, we suggest you do no more than ask
politely for OPs back. 

Better yet, "/ignore nick" the loozer and join another channel.  For
instance, if #funchat is taken over, just create #funchat2 and "/invite
IRCfriend" all your friends there, and use what you learned in this Guide
about the IRC whois command so that you DON'T OP people unless you know who
they are.  This might sound like a wimp move, but if you don't have a
fighting chance, don't try - it might be more embarrassing for you in the
long run.

********************
Newbie note: Want to learn more about IRC? Go to Usenet and check out
alt.irc.questions
********************

OK, that's it for now. Hope to see you on the IRC server at
http://www.infowar.com. And don't try any funny stuff, OK? Oh, no, they're
nuking meee...
__________________________________________________
Want to see back issues of Guide to (mostly) Harmless Hacking? See either
http://www.tacd.com/zines/gtmhh/ or 
http://ra.nilenet.com/~mjl/hacks/codez.htm or
http://www3.ns.sympatico.ca/loukas.halo8/HappyHacker/
Subscribe to our email list by emailing to hacker@techbroker.com with
message "subscribe" or join our Hacker forum at
http://www.infowar.com/cgi-shl/login.exe.
Chat with us on the Happy Hacker IRC channel. If your browser can use Java,
just direct your browser to www.infowar.com, click on chat, and choose the
#hackers channel.
Want to share some kewl stuph with the Happy Hacker list? Correct mistakes?
Send your messages to hacker@techbroker.com.  To send me confidential email
(please, no discussions of illegal activities) use cmeinel@techbroker.com
and be sure to state in your message that you want me to keep this
confidential. If you wish your message posted anonymously, please say so!
Direct flames to dev/null@techbroker.com. Happy hacking! 
Copyright 1997 Carolyn P. Meinel. You may forward or post on your Web site
this GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at
the end.
________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers


