2.1 IRC basics

IRC is an acronym for "Internet Relay Chat". IRC is a standard allowing users to communicate in real time, by passing simple text messages back and forth. The IRC client and server protocols are defined in RFC1459.

The largest chat systems on the Internet are based on the IRC protocol. Each consists of a network of servers, forming a "tree". The servers keep track of who is using the chat system at any given time, keep track of channels and deliver messages to users or channels on request. IRC is currently text-based, but client extensions have added sound and even video capabilities.

A client is the program a user uses to access IRC. IRC clients are available for most, if not all, operating systems which can access the Internet.

Clients connect to servers using a single TCP connection, initiated by the client.

IRC feuds

Due to the highly interactive nature of IRC, virtually all aspects of human nature manifest themselves online - people make friends and enemies, have fun and fight amongst themselves.

It is unfortunately rather common for arguments online to escalate until one or both parties (if they have the know-how) attempt to "attack" each other. Some people attack others without any provocation at all. Various methods are used:

  1. Flooding involves sending large amounts of random data to the victim, in order to disrupt his IRC session or even saturate his network connection.
  2. Channel takeovers occur when an unfriendly person takes control of the victim's channel. When this happens the channel usually becomes unusable.
  3. Nick collisions occur when two users try to use the same nickname simultaneously - the IRC protocol doesn't allow this, so both users are usually disconnected.
  4. Clone bots are automated IRC clients, usually used in large numbers to help implement attacks 1, 2 or 3.
  5. Nukes are TCP/IP attacks used to disrupt the IRC network itself, creating an opportunity to launch 2 or 3.
  6. Bugs in various IRC clients are frequently exploited.
  7. Trojans can be sent via DCC, allowing the attacker to gain an essentially arbitrary amount of control over the victim's computer - if the victim can be tricked into accepting and activating the trojan. Bugs occasionally make "social engineering" unnecessary.
  8. The IP address of the client is made available to the attacker by a simple server query, allowing crackers to make arbitrary attacks, not limited by the IRC network.
  9. etc.

Obviously, only attacks 2 and 3 can be considered entirely harmless; all others constitute security risks (6, 7, 8) or denial-of-service attacks against the client (1, 6, 7, 8) or the IRC network itself (1, 4, 5).

For these reasons, IRC is generally considered a security risk and is blocked at most firewalls. This is very unfortunate, as IRC can be a very useful, low bandwidth communication tool and has successfully been used for online meetings, lectures, parties, tech support and more.

Tircproxy attempts to address some of the above problems by giving the system administrator finer-grained control over how much access his users have to various IRC features and by protecting the users' privacy.

The DCC protocol

IRC clients use a special protocol, CTCP, which is implemented on top of IRC's basic messaging system to transfer "technical" information from client to client. DCC is a subset of CTCP, which allows clients to establish direct TCP connections, bypassing the IRC network itself. This is the only aspect of IRC communications requiring special attention from Tircproxy.

DCC is mostly used for private discussions (DCC CHAT) and exchanging files (DCC SEND). When user A wants to send user B a file, the clients perform the following steps:

  1. A's client allocates a TCP port and begins to listen for connections to this port.
  2. Next a CTCP (DCC SEND) message is sent to B, which contains A's IP address, the port number from step 1 and information about the file being offered.
  3. B's client tells the user that the file is available. If the user accepts the file (with some clients this happens automatically), the client attempts to make a TCP connection to the IP address and port number contained in the CTCP message.
  4. If all goes well, the connection succeeds and the file is sent.

Note that no verification of who actually connects to the listening data port is usually done, so "hijacking" a DCC connection is relatively trivial. It is also trivial to forge a DCC offer, tricking B into connecting to an arbitrary server/port on the Internet.

Other DCC variants, such as DCC CHAT, DCC TSEND, DCC RESEND and more are implemented in basically the same way. The only exception is the DCC RESUME protocol, which incidentally also violates the IRC messaging protocol.

Tircproxy understands the messages involved in the above process, and rewrites them, blocks them or ignores them according to the policies defined by the administrator. It also implements a few features designed to decrease the risks discussed above.
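The following is an added example, not Tircproxy's own code: it parses the DCC SEND message from step 2 above and applies the two policies a proxy between the client and the server can enforce, dropping an offer whose advertised address is not the address the line actually came from (the forged offer described above) and rewriting a genuine offer so that B connects to the proxy instead of directly to A. The function names, the constructed messages and the proxy address are assumptions.

```python
import ipaddress
import re

# Wire format of the offer from step 2, carried inside a PRIVMSG as a CTCP message:
#   :nick!user@host PRIVMSG <target> :\x01DCC SEND <file> <ip> <port> [<size>]\x01
# <ip> is the offering client's IPv4 address written as a decimal 32-bit integer.
DCC_SEND_RE = re.compile(
    r"^(?P<prefix>:\S+ )?PRIVMSG (?P<target>\S+) :\x01DCC SEND "
    r"(?P<file>\S+) (?P<ip>\d+) (?P<port>\d+)(?: (?P<size>\d+))?\x01$"
)


def parse_dcc_send(line):
    """Return the fields of a DCC SEND offer as a dict, None if the line is not one.

    Raises ValueError for something that looks like an offer but cannot be a
    valid one (address or port out of range), so the caller can drop it.
    """
    m = DCC_SEND_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    ip_int, port = int(m.group("ip")), int(m.group("port"))
    if ip_int > 0xFFFFFFFF or not 1 <= port <= 65535:
        raise ValueError("malformed DCC SEND offer")
    return {
        "prefix": m.group("prefix") or "",
        "target": m.group("target"),
        "file": m.group("file"),
        "ip": str(ipaddress.IPv4Address(ip_int)),
        "port": port,
        "size": int(m.group("size")) if m.group("size") else None,
    }


def screen_dcc_offer(line, sender_ip, proxy_ip, proxy_port):
    """Apply a simple proxy policy to one client->server line (hypothetical policy).

    sender_ip: address the line really arrived from (the client's TCP connection).
    proxy_ip/proxy_port: where the proxy listens for the relayed data connection.
    Returns (verdict, line_to_forward): 'pass' forwards a non-DCC line unchanged;
    'forged' and 'malformed' drop the line; 'rewritten' points the offer at the proxy.
    """
    try:
        offer = parse_dcc_send(line)
    except ValueError:
        return "malformed", None
    if offer is None:
        return "pass", line
    if offer["ip"] != sender_ip:
        return "forged", None  # would send the recipient to an arbitrary host/port
    size = f" {offer['size']}" if offer["size"] is not None else ""
    rewritten = (f"{offer['prefix']}PRIVMSG {offer['target']} :\x01DCC SEND "
                 f"{offer['file']} {int(ipaddress.IPv4Address(proxy_ip))} {proxy_port}{size}\x01")
    return "rewritten", rewritten
```

The proxy would then accept B's connection on proxy_port and relay it to A's original address and port, which is also the point where the administrator's policy (allow, log or refuse the transfer) can be applied.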
