Internet Relay Chat Security Issues
By Kelvin Lau and Ming Li
What is IRC?
• Internet Relay Chat is one of the most popular and most interactive services on the Internet.
• Using an IRC client (program) you can exchange text messages interactively with other people all over the world.
What is IRC?
• Benefits
  • Allows chat and file sharing
  • Companies can avoid fees from long distance and conference calls
• Drawbacks
  • Consumes bandwidth
  • Means of spreading worms
  • Susceptible to flooding
  • Can be embedded in trojans and act as a hostile server unnoticed
Protocol
• Server/Client model
• Allows DCC (Direct Computer-to-Computer) connections
• DCC connections bypass the server for direct chat and file transfers between clients
Usage
• Users connect to a public IRC server
• Join channels
• Chat with other users
• Share files through DCC connections
How is IRC used for malicious purposes?
• Malicious users can privately exchange exploit information
  • Passwords
  • Warez (pirated software)
  • Vulnerability information
  • Attacker tools
  • Viruses, worms, flooders
Intruder Detection Avoidance
• Checking that server administrators are offline
• Exploiting backdoors to gain administrator control
• Erasing presence from log files
• Uploading tools to hidden directories
• Hiding tools in trojans to run processes in the background
How is IRC exploited?
• Servers have little control over DCC file transfers
• IRC is not confined to a specific infrastructure, so completely private networks can be created
• Common method for communication between attackers
• Sets up an invitation-only channel for other intruders
Distributed Denial of Service
• Distributed Denial of Service (DDoS) attacks
• Clone/flood/war bots simulate multiple users connected to a channel
• Bots spread and infect hundreds of computers that log into the channel
• Attacker sends a command through IRC causing all bots to simultaneously flood packets to a target
• Attacks can use UDP, TCP, ICMP and SYN packets
Distributed Denial of Service
• Major company servers have been shut down by DDoS attacks (Yahoo, eTrade, Amazon.com, DALnet)
What if your server is being attacked, right now?
• If the attacker uses ICMP packets, make sure your server does not reply to ICMP packets, or install a firewall
• Set the number of connections per IP address to 1 connection, or ban the IP addresses of the bots
• Have as few services as possible running, and switch off services such as FTP
• Keep your software up to date
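As an added example (not part of the slides or of any IRC server's own code), the Python script below replays constructed connect/quit log lines, computes the peak number of simultaneous connections per IP address, and lists the addresses that exceed the per-IP limit described above, which is how clone bots show up in a server's connection log. The log line format, the sample lines and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not captured from any real server) in a simple
# "<time> <event> <nick> <ip>" layout; adapt LINE_RE to your daemon's format.
SAMPLE_LOG = """\
10:00:01 CONNECT alice 203.0.113.5
10:00:02 CONNECT bob 198.51.100.7
10:00:03 CONNECT clone01 192.0.2.44
10:00:03 CONNECT clone02 192.0.2.44
10:00:04 CONNECT clone03 192.0.2.44
10:00:05 QUIT bob 198.51.100.7
10:00:06 CONNECT clone04 192.0.2.44
10:00:07 CONNECT carol 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (CONNECT|QUIT) (\S+) (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_events(text):
    """Yield (time, event, nick, ip) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def concurrent_by_ip(text):
    """Replay CONNECT/QUIT events and return, per IP, the peak number of
    nicks that were connected from it at the same time."""
    live = defaultdict(set)   # ip -> nicks currently connected
    peak = defaultdict(int)   # ip -> highest size live[ip] ever reached
    for _, event, nick, ip in parse_events(text):
        if event == "CONNECT":
            live[ip].add(nick)
            peak[ip] = max(peak[ip], len(live[ip]))
        else:
            live[ip].discard(nick)
    return dict(peak)


def ban_candidates(text, max_per_ip=1):
    """IPs whose peak concurrent connections exceeded the per-IP limit;
    these are the clone sources to ban or rate-limit."""
    return sorted(ip for ip, n in concurrent_by_ip(text).items() if n > max_per_ip)


if __name__ == "__main__":
    for ip, n in sorted(concurrent_by_ip(SAMPLE_LOG).items()):
        print(f"{ip}: peak {n} concurrent connection(s)")
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

A single legitimate user reconnecting (bob leaving, carol arriving from the same address) never pushes the peak above 1, so only the address running several simultaneous nicks is flagged.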
IRC Lab Setup
• IRC Server
  • Linux-based Unreal IRC server
  • Will modify configuration file for own use
• IRC Client
  • PolarisX, based on the popular mIRC client
  • Runs on Windows
• Kaiten DDoS program
  • Generates IRC bots
  • Capable of various flood attacks and spoofing
IRC Lab Goals
• What you will do in the lab
  • Set up Linux IRC server and Windows clients
  • Initiate chat and file transfers
  • Perform and analyze IRC DDoS attacks