Flooding or scrolling on an IRC network is a method of disconnecting users from the IRC server (like Denial of Service), or just making them slow ('laggy'). Floods can either be done by scripts (written for the given client) or by external programs.
It is possible to flood a client off the network simply by sending them data faster than they can receive it, causing a quit with the "max sendq exceeded" message, but this is generally only feasible if the user's connection is already slow or lagging and/or the attacker has a very large number of connections to the IRC network. More commonly, therefore, flooding techniques rely on the fact that the IRC server controls the maximum number of messages that can be sent in a specified interval. Once this value is exceeded, messages are stored in a buffer and delayed. If the buffer fills, the client is disconnected with an "Excess Flood" quit message. By sending messages that request an automated reply, some IRC clients can be forced to flood themselves off.

Types of floods
- CTCP flood
- These are probably the most common and most efficient. Since CTCP is implemented in almost every client, every user responds to CTCP requests. By sending too many requests, after a couple of answers they get disconnected from the IRC server. The most widely-used type is CTCP PING, although most clients also implement other CTCP replies.
- DCC flood
- Initiating many DCC requests simultaneously. Theoretically it can also be used to disconnect users, because the target client sends information back about what port is intended to be used during the DCC session.
- ICMP flood
- Typically referred to as a ping flood. This attack overloads the victim's bare internet connection with an amount of data exceeding the connection's capacity, causing not only a disconnection from the IRC network (seen by observers as a quit due to "Ping timeout"), but a failure of the victim's internet connection itself, either slowing it down severely or effectively disabling its functionality completely for the duration of the attack. Technically speaking, this is not an IRC flood, as the attack itself doesn't traverse the IRC network at all, but operates entirely independently of anything but the raw internet connection and its IP protocol (of which ICMP is a subset). Even so, the actual IP address to flood (the address of the victim's connection) is frequently obtained by looking at the victim's user information (i.e. through the /whois command) on the IRC network, and it's a popular IRC-based means of DoS attack.
- Message flood
- Sending lots of private messages to the victim, mainly from different connections called clones (see below). Since many clients separate the private conversations into another window, they open a new window for every new user a message is received from. This is exploitable by sending messages from multiple names, causing the target client to open many new windows and potentially swamping the user with boxes. Sometimes the easiest way to close all the windows is to restart the IRC client, although scripts (client extensions) exist to 'validate' unknown nicknames before receiving messages from them.
- Notice flood
- Similar to the message flood, but uses the "notice" command.
- Invite flood
- Sending lots of invites, mostly to fake channels.
- Nick flood
- Changing the nick as fast as possible, thus making the conversation unenjoyable in the channel. This will often result in a ban.
- Join/part flood
- Joining and parting from a specified channel. The effect is the same as that of the nick flood. Again, this will often result in a ban.
Clones

Of course, abusers do not flood from their own nicknames, for the following reasons:
- they can easily be K-Lined by administrators ('IRCops,' 'ServerOPs' or 'SOPs'),
- banned from channels by operators ('ChanOPs' or 'OPs'),
- from one user the flood is often not effective (The limits apply to the attacker too).
Instead, clones are used: script- or program-controlled clients, primarily designed to abuse others. Thanks to this, it's pretty easy to attack a user with many clones at the same time. Generally, the more clones an abuser has, the bigger the chance of an attack succeeding. However, the maximum number of connections from any one IP address is generally limited by the IRC network (either at the IRCD level or the services level).
One way to increase the number of clones is using open proxies. Basically, these proxies are SOCKS or Squid-based, which support IRC connections by default. Someone who has a list of open proxies can connect clones through them to various IRC servers. Alternatively, compromised systems can be used to make the connections.
To prevent this, some IRC servers are nowadays configured to check the proxy ports of the client at the very beginning of the connection. If a proxy request succeeds, the server immediately drops the user (or clone). Other IRC networks use a separate proxy scanner that scans users as they join the network and kills or G-lines any user on whose host it detects an open proxy. However, this offers no protection against compromised systems or proxies on nonstandard ports (a full 65535-port scan isn't really feasible, both for performance reasons and because it risks setting off network abuse detectors).
Protection

Almost every IRC client offers some kind of flood protection. These protections are based on the built-in "ignore" feature, which means that a given incoming message, CTCP, invitation, etc. will be blocked if the sender's hostmask matches any of the masks defined in the ignore list. This is useful as few IRC networks implement the 'silence' command to have the server reject messages. In other words, the server delivers every message to the recipient, whether it is a normal message or its content is intentionally malicious. Many clients also limit the number of replies that can be sent in response to any incoming traffic from the network, thus avoiding hitting the excess flood limit.

Flood protection in mIRC

There's also flood protection in the popular Windows-based client program, mIRC, in the Options menu. Users can set up some important values: how many incoming bytes are considered to be flooding, the maximum incoming lines per user, and the ignore time. Note that these settings are not enabled by default.
Despite these possibilities, there is a much more sophisticated way to eliminate flooding: using mIRC scripts. These include additional features, such as CTCP cloaking, better message flood control, more adjustable flood triggers, and many others.
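An added example (not from the original article and not mIRC's own code) of the two client-side protections described in the Protection section: a hostmask ignore list and a cap on automated replies. The class name, thresholds and sample hostnames are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque

def mask_matches(mask, prefix):
    """IRC-style glob match ('*' and '?') of a mask against nick!user@host."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.fullmatch(rx, prefix, re.IGNORECASE) is not None

class FloodGuard:  # hypothetical name; thresholds below are assumed values
    def __init__(self, per_host=3, total=6, window=10.0, ignore_secs=60.0):
        self.per_host, self.total = per_host, total   # reply caps per window
        self.window, self.ignore_secs = window, ignore_secs
        self.ignores = {}                  # mask -> expiry time (the ignore list)
        self.by_host = defaultdict(deque)  # host -> times of answered requests
        self.all_replies = deque()         # times of every reply we sent

    def _trim(self, q, now):
        while q and now - q[0] >= self.window:
            q.popleft()

    def on_ctcp(self, prefix, now):
        """Decide on one CTCP request: 'reply', 'ignored' or 'suppressed'."""
        self.ignores = {m: t for m, t in self.ignores.items() if t > now}
        if any(mask_matches(m, prefix) for m in self.ignores):
            return "ignored"
        host = prefix.rsplit("@", 1)[-1]
        self._trim(self.by_host[host], now)
        self._trim(self.all_replies, now)
        if len(self.by_host[host]) >= self.per_host:
            # Mask the whole host so nick changes and same-host clones are covered.
            self.ignores["*!*@" + host] = now + self.ignore_secs
            return "ignored"
        if len(self.all_replies) >= self.total:
            # Requests from many hosts: stay silent instead of flooding ourselves off.
            return "suppressed"
        self.by_host[host].append(now)
        self.all_replies.append(now)
        return "reply"

# Constructed sample traffic: (seconds, sender prefix); hosts are placeholders.
SAMPLE = [(i * 0.2, "clone1!a@host1.example") for i in range(5)] + \
         [(2.0 + i * 0.1, f"c{i}!b@host{i + 2}.example") for i in range(6)]

def run(events):
    guard = FloodGuard()
    return [guard.on_ctcp(prefix, t) for t, prefix in events]

if __name__ == "__main__":
    print(run(SAMPLE))
```

The per-host cap handles a single noisy sender, while the overall cap is what keeps the client under the server's limit when requests arrive from many different hosts at once.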
Many users believe that installing a firewall will protect them against these attacks. This is not true: the IRC protocol operates in the application layer, so a packet filter firewall cannot examine the incoming data stream to filter the flood. Neither does an application layer firewall provide such protection; it would be too complex to implement such a feature.