Ensor's IRC Extravaganza!

presents

Clones and Flooders and Warbots, Oh My!

By Dennis Holmes
dholmes@email.rahul.net

Most IRC users who have been around even a little while have encountered IRC abuse or seen its effects on other channels and users. Here we'll discuss a little about the different types of abuse and what you can do to protect yourself and prevent future occurrences.

Types of Abuse

Flooding occurs when a user tries to send large amounts of data to another user or channel in an effort to overwhelm their client or modem and cause them to disconnect. Most IRC servers have a built-in mechanism to limit the rate at which a client can send information; if you exceed this limit, you'll be disconnected yourself.

One type of flood uses CTCP commands to try to reverse this effect. CTCP (Client To Client Protocol) provides a means for client programs to send certain commands and responses to each other; one example is the "ping" command for measuring response time between two clients. Using this flooding technique, an abuser can cause another user's unprotected client to send a large number of CTCP responses and fill up its own buffer. Some abusers even try to take advantage of bugs in some clients that send responses to multiple CTCP commands contained in one request.
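One way a client can protect itself against the CTCP flood described above, as an added example that is not part of the original article: answer at most one CTCP request per incoming message and cap replies per time window. The class name, limits, and sample line are assumptions made for illustration.

```python
import re
import time
from collections import deque

CTCP_DELIM = "\x01"
# ":nick!user@host PRIVMSG target :text" is the form CTCP requests arrive in.
PRIVMSG_RE = re.compile(r"^:([^!\s]+)!\S+ PRIVMSG \S+ :(.*)$")


def extract_ctcp(text):
    """Return every CTCP request embedded in one message body."""
    # Splitting on the delimiter leaves the quoted requests at odd indexes.
    return [part for part in text.split(CTCP_DELIM)[1::2] if part]


class CtcpThrottle:
    """Answer one CTCP per message and at most max_replies per window."""

    def __init__(self, max_replies=3, window=10.0, clock=time.monotonic):
        self.max_replies = max_replies
        self.window = window
        self.clock = clock
        self.sent = deque()  # times of replies already sent, oldest first

    def handle(self, line):
        """Return [(nick, request)] to answer for this line, or []."""
        match = PRIVMSG_RE.match(line)
        if not match:
            return []
        nick, text = match.groups()
        requests = extract_ctcp(text)[:1]  # stacked requests get one reply
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if not requests or len(self.sent) >= self.max_replies:
            return []
        self.sent.append(now)
        return [(nick, requests[0])]


def demo():
    """Feed a constructed stacked-CTCP line five times on a fake clock."""
    now = [0.0]
    throttle = CtcpThrottle(max_replies=2, window=10.0, clock=lambda: now[0])
    line = ":abuser!u@host.example PRIVMSG me :\x01PING 1\x01\x01VERSION\x01"
    results = [throttle.handle(line) for _ in range(4)]
    now[0] = 11.0  # the window has passed, so replies are allowed again
    return results + [throttle.handle(line)]
```

The limit is global rather than per sender because the resource being protected is the client's own outgoing buffer.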

Another flooding technique is the use of rapid nickname changes. Since many clients keep track of names that are on your channels, your client must update some data tables in memory whenever you see a user change nickname. If your computer has a slow processor or is low on memory, the extra processing required to process the data and scroll the rapid changes up the screen may cause your client to be unable to handle the data as fast as it's received.

Clonebots (or just clones) are a series of multiple concurrent connections to a network. This type of attack is generally used to increase the apparent number of clients so the abuser can get more server bandwidth for flooding. Along with nickname changes, this type of attack is especially destructive to the network since all new connections and nickname changes must be propagated to every server on the IRC network.

It's worth noting that not every additional connection from a user is a clonebot. Most clonebots follow one of a few recognizable patterns, including randomized nickname, username, and comment fields or particular nicknames, usernames, or comments that are always used by the program.
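The distinction drawn above, as an added example that is not part of the original article: group connections by host and flag only those that match a clone pattern, leaving ordinary second connections and shared hosts alone. The signature list, the vowel-ratio test for "randomized" names, the threshold, and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical signature list: comment fields a clone program always sends.
KNOWN_COMMENTS = {"clonebot v1"}

# Constructed sample records: (nickname, username, host, comment).
SAMPLE = [
    ("alice", "alice", "ppp12.isp.example", "Alice"),
    ("alice_", "alice", "ppp12.isp.example", "Alice"),
    ("bob", "bob", "shell.isp.example", "Bob"),
    ("carol", "carol", "shell.isp.example", "Carol"),
    ("dave", "dave", "shell.isp.example", "Dave"),
    ("xkqzt", "qwrtp", "dial7.isp.example", "zzkqp"),
    ("prtvn", "bbnmk", "dial7.isp.example", "wqxzr"),
    ("zqwxc", "lkjhg", "dial7.isp.example", "mnbvc"),
    ("guest1", "user", "lab.example", "CloneBot v1"),
    ("guest2", "user", "lab.example", "CloneBot v1"),
    ("guest3", "user", "lab.example", "CloneBot v1"),
]


def looks_random(name):
    """Crude assumption: randomly generated strings contain few vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return len(letters) >= 4 and vowels / len(letters) < 0.2


def find_clones(connections, min_conns=3):
    """Map host -> reason for hosts whose connections match a clone pattern."""
    by_host = defaultdict(list)
    for nick, user, host, comment in connections:
        by_host[host].append((nick, user, comment))
    flagged = {}
    for host, conns in by_host.items():
        if len(conns) < min_conns:
            continue  # a second connection alone is not treated as a clone
        if all(c.lower() in KNOWN_COMMENTS for _, _, c in conns):
            flagged[host] = "fixed comment signature"
        elif all(looks_random(n) and looks_random(u) for n, u, _ in conns):
            flagged[host] = "randomized nickname/username"
    return flagged
```

On the sample data, the two-connection dial-up user and the shared shell host with three distinct users are not flagged; only the hosts matching a pattern are.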

Flashing has become somewhat less common with the proliferation of PC-based IRC clients, since it only affects people using a terminal emulator to log in to a host system (commonly Unix) and run a client. This technique sends a series of codes to the user's virtual terminal that causes the terminal emulator to change the terminal mode, thus making any text in the terminal screen or window unreadable.

Reacting to Abuse

So what actions are possible if you find yourself the object of these abuses? If you're being flooded or CTCP flooded, use your client's "ignore" facility (the /ignore command under ircII and some other clients). This will prevent the display of messages from the abuser and prevent your client from responding to his or her CTCP commands. On the Undernet IRC network, you can also use the SILENCE command. This command is used like /ignore but will stop the flood at the server the abuser is using, so that the traffic never crosses the network and doesn't have to be processed by your client. Use your client's /quote or /raw command to send the SILENCE command directly to the server.

If you can't seem to use ignore or silence facilities from your client, you can always hide! First, change nicknames once (only!) to stop the flood and give yourself a few seconds to work. Then change your user mode to +i (invisible) and change your nickname again. The abuser will not be able to track your nickname change unless you're both on the same channel. Of course, this technique won't work if the abuser is flooding an entire channel; you'll need to ban and/or kick the user from the channel in that case.

On the Undernet, nickname change floods are already countered by the server, so there is little chance of you being affected by this type of attack there. On other networks, your best recourse is to quickly kick and then ban the offender. Even if it looks like the abuser is changing nicknames too fast to kick, it's worth a try anyway--if you act quickly enough, the server will make your kick "chase" the changing nickname and kick the user even though the nickname has changed. If you find the need, this will also work on the Undernet, although a channel ban will prevent the abuser from changing nicknames as long as he or she remains on the channel.

Taking over a channel is a common goal of the IRC abuser. If your channel is taken over and you can't resolve the situation, your best bet is probably to just form a new channel by using a new name or by putting a number at the end of the name. Since this option is always available (and since it is very difficult for an outsider to the channel to determine who is the "legitimate" operator of the channel), most server operators won't get involved in this type of situation. If you're extremely careful about who you op on your channel, takeovers can often be avoided. One important thing to remember about takeovers is that you don't need ops to talk. If you think someone has taken over your channel, but they aren't preventing you from talking on it, maybe the situation isn't what you think. Try to work it out with the person, but if not having ops really bothers you that much, just start another channel.

The most important thing to remember when reacting to abuse is not to become an abuser yourself. Chances are you'll only get yourself banned (possibly from the entire network), and your attacker may even go free. There is no excuse for abuse, including revenge. Use the defenses described here and, if necessary, report the abuser to a server operator or to his or her service provider.

Reporting Abuse

When a user repeatedly abuses channels or other users and the above defense methods aren't working, it may be time to report the abuser. If and when you do report abuse, be sure to include a complete identification of the abuser, including his or her username(s), host, and servers used (available with the /whois command) and the time (with time zone!) of the occurrence. You should also include a description of the nature of the abuse, with a log file excerpt if possible. The information should be detailed, but not voluminous and full of irrelevant information that will take the recipient hours to read.

While the abuse is occurring, you may be able to report it to an online IRC operator; most networks have a regular operator or help channel where you can find such a person. After the fact, the administrator of the server(s) the abuser was using is a possibility. You can usually find out who the admin is with the /admin servername or /motd servername commands (or sign on to the server and read the message displayed when you connect). Another possibility is the user's Internet service provider (ISP); you can usually determine this from the last part of a user's address displayed by /whois. Some providers have set up addresses such as abuse@provider.com or support@provider.com; for others, try to find an address on the provider's web page or use root@provider.com as a last resort.

Try to be reasonably sure that the person to whom you report the abuse can do something about it. Most of the forms of abuse described above are legitimate cases to present to a server or network administrator. Other forms of abuse occur which are beyond the scope of service that the server administrator or ISP provides, however. For example, cases where a user repeatedly violates an IRC server policy may be of interest to the server administrator, but neither the server administrator nor the ISP normally wants users to send such reports directly to the ISP. Report these cases to the server administrator and let him or her address it with the service provider if necessary. On the other hand, in clear cases of network or host system abuse (such as clonebots or flooding) that likely violate the service provider's own policies, it is probably appropriate to report the situation directly to the abuser's ISP.

Keep in mind that neither IRC server administrators nor Internet service providers are law enforcement officials. In most cases they support only the communication transport mechanisms (servers and networks) that allow people to communicate. If you feel a user on IRC is violating your rights (by personal harassment, stalking, or other activity), and especially if you feel your safety is threatened, please contact your local police or other law enforcement office to investigate the situation or individual. Generally speaking, neither the server administrators nor ISPs monitor message content or otherwise attempt to act in a censorial or law enforcement capacity (unless the server policy documentation specifically states otherwise).

Fighting IRC Abuse

How can we stop abuse in the long term? First and foremost, by educating others. Help new users to understand the impact of abuse on the network and what their legitimate alternatives are and they will be less inclined to "test" the abuse scripts they see on web pages or included with their clients. The more resource IRC servers have to expend routing flood traffic (at several times the volume per user of regular traffic) over the network, the less resource is available to allow legitimate users to converse.

Another source of the problem is the creators of easy-to-use flood scripts and programs. These people often think it makes them "cool" to have their names associated with destruction. When you see their scripts, write them and tell them what you think of IRC abuse, or encourage them to use their talents toward producing something more constructive. If you encounter abusive responses or find the actions ineffective, you may want to notify the web or site administrators where you find their scripts and programs available; some may not take kindly to having their resources used for distribution of destructive programs.

A perhaps less obvious but effective action is to encourage ISPs to provide more cooperation or better automatic means for identifying their users. Providers running Unix host systems can run the identd service on their systems (and many do) to allow the server to automatically identify each IRC user's correct username. With dial-up PPP accounts becoming more popular, however, the username field is often useless for identification. Most providers offering this type of service do not provide a means of automatically identifying their users, which makes it more difficult and time-consuming for all involved to track down an individual abuser's account. It also means that an abuser often cannot be specifically identified by the IRC server (and sometimes the operators), so others must sometimes be prevented from using the server until the provider can identify the user and take action.

Article copyright © 1996 by Dennis Holmes. Reproduction or translation is prohibited without permission from the author.

