Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

What is IRC?

Internet Relay Chat is one of the most popular and most interactive services on the Internet.

Using an IRC client (program) you can exchange text messages interactively with other people all over the world.

What is IRC?

Benefits
- Allows chat and file sharing
- Companies can avoid fees from long distance and conference calls

Drawbacks
- Consumes bandwidth
- Means of spreading worms
- Susceptible to flooding
- Can be embedded in trojans and act as a hostile server unnoticed

Protocol

- Server/Client model
- Allows DCC (Direct Computer-to-Computer) connections
- DCC connections bypass server for direct chat and file-transfers between clients

Usage

- Users connect to a public IRC server
- Join channels
- Chat with other users
- Share files through DCC connections

How is IRC used for malicious purposes?

- Malicious users can privately exchange exploit information
  - Passwords
  - Warez (Pirated Software)
  - Vulnerability Information
  - Attacker Tools
    - Viruses, Worms, Flooders

Intruder Detection Avoidance

- Checking that server administrators are offline
- Exploiting backdoors to gain administrator control
- Erasing presence from log files
- Uploading tools to hidden directories
- Hiding tools in trojans to run processes in background

How is IRC exploited?

- Servers have little control over DCC file transfers
- IRC is not confined to a specific infrastructure, so completely private networks can be created
- Common method for communication between attackers
- Sets up an invitation only channel for other intruders

Distributed Denial of Service

- Distributed Denial of Service (DDOS) attacks
- Clone/Flood/War bots simulate multiple users connected to a channel
- Bots spread and infect hundreds of computers that log into the channel
- Attacker sends a command through IRC causing all bots to simultaneously flood packets to a target
- Attacks can use UDP, TCP, ICMP and SYN packets

Distributed Denial of Service

Major company servers have been shut down by DDOS attacks (Yahoo, eTrade, Amazon.com, DALnet)

What if your server is being attacked, right now?

- If the attacker uses ICMP packets, make sure your server does not reply to ICMP packets or install a firewall
- Set the number of connections per IP address to 1 connection, or ban the IP addresses of the bots
- Have as few services as possible running, and switch off services such as FTP
- Keep your software up to date
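
An added example, not part of the original slides: one way to find the addresses that break a one-connection-per-IP limit, by replaying connect and disconnect events and tracking concurrent sessions per address. The log format, nicknames and addresses are constructed for illustration and are not the Unreal IRC server's actual log format.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified, hypothetical log format.
SAMPLE_LOG = """\
2004-03-01T12:00:01 CONNECT nick=alice ip=192.0.2.10
2004-03-01T12:00:02 CONNECT nick=bot001 ip=198.51.100.7
2004-03-01T12:00:02 CONNECT nick=bot002 ip=198.51.100.7
2004-03-01T12:00:03 CONNECT nick=bot003 ip=198.51.100.7
2004-03-01T12:00:04 CONNECT nick=bob ip=203.0.113.5
2004-03-01T12:00:09 DISCONNECT nick=bob ip=203.0.113.5
2004-03-01T12:00:15 CONNECT nick=carol ip=203.0.113.5
2004-03-01T12:00:20 DISCONNECT nick=bot002 ip=198.51.100.7
"""

EVENT_RE = re.compile(r"^(\S+) (CONNECT|DISCONNECT) nick=(\S+) ip=(\S+)$")


def find_clones(log_text, max_per_ip=1):
    """Return {ip: peak concurrent connections} for IPs that exceeded max_per_ip.

    Sessions are tracked as they open and close, so a user who reconnects
    from the same address (bob, then carol) is not counted as a clone.
    """
    live = defaultdict(set)  # ip -> nicks currently connected from it
    peak = {}                # ip -> highest concurrent count seen
    for line in log_text.splitlines():
        match = EVENT_RE.match(line.strip())
        if not match:
            continue  # ignore lines that are not connection events
        _, event, nick, ip = match.groups()
        if event == "CONNECT":
            live[ip].add(nick)
            peak[ip] = max(peak.get(ip, 0), len(live[ip]))
        else:
            live[ip].discard(nick)
    return {ip: n for ip, n in peak.items() if n > max_per_ip}


if __name__ == "__main__":
    # Addresses listed here are candidates for a ban or a tighter limit.
    for ip, count in sorted(find_clones(SAMPLE_LOG).items()):
        print(f"{ip}: {count} concurrent connections (limit 1)")
```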

IRC Lab Setup

IRC Server
- Linux-based Unreal IRC server
- Will modify configuration file for own use

IRC Client
- PolarisX based on popular mIRC client
- Runs on Windows

Kaiten DDoS program
- Generates IRC bots
- Capable of various flood attacks and spoofing

IRC Lab Goals

What you will do in the lab
- Set up Linux IRC server and Windows clients
- Initiate chat and file transfers
- Perform and analyze IRC DDoS attacks

Questions?