D. Bot nets and drones - TalkIRC Blog

D. Bot nets and drones

144 | 12.01.2024 | IRCGuide

A well-run channel where people just chat and mind their own business rarely has to deal with this kind of abuse, but it does happen, especially on channels where there is illegal or controversial activity like file trading, shell trading, pornography, etc. Remember what we said before: you can never be 100% safe, and that is especially true if you got somebody upset enough to turn their bots against you. The best defense against these is to just stay away from trouble in the first place.

A bot net is a linked network of bots (automated clients) run by the same person, typically used for channel maintenance or for abuse (more on that subject later). Drones are a special type of bot net where the bots run on compromised machines owned by unwitting victims. The “drone runner” can remote control these many machines to attack you: on IRC in the form of join, channel or message flooding, or outside IRC in the form of a denial of service attack that knocks you off the internet. These can be serious problems for channel security.

First let’s consider attacks inside of IRC. If you suddenly get hit by a flood of joins from people you don’t know, make the channel +im temporarily: +i (invite only) stops more of them from coming in, and +m (moderated) stops the ones already inside from talking in the channel. Note they can still cause some flooding, for example by rapidly changing their nicknames, since nick changes are shown in the channel regardless of +m. Now just kick them without bans, since they cannot rejoin while you are +i; that gives you time to set proper bans after you’ve kicked them all out, and only then remove +im.

Generally you can’t set a ban for every single bot, because there is a limit on the total number of bans per channel (historically 20; many networks allow more, and the server advertises its limit as MAXLIST or MAXBANS in the 005 ISUPPORT reply you see on connect). If nothing else, it gets tedious to manage. So first look for patterns in the nick, user (ident) or hostname that are the same for many of them. This is often the case with drones, since they all run the same bot software. Example:

    *** lamer1 (|xxx|-4@ACBAD0BA.ipt.aol.com) joined #mychat
    *** yousuck (|xxx|-274@node-c-0db1.a2000.nl) joined #mychat
    *** iwin (|xxx|-824@ joined #mychat
    *** hahaha (|xxx|-86@host217-44-101-246.btcentralplus.com) joined #mychat

In the above case, 4 drones from 4 different ISPs joined, but notice they all have similar usernames (the part before the @). A ban mask has the form nick!user@host, so instead of wasting 4 ban slots you can try *!|xxx|*@* instead.

Here’s another example below, where the username is always 4 characters, with no identd (the leading ~ marks an ident the client supplied itself rather than one confirmed by an identd server) and different hostnames/ISPs. For this situation, try *!~????@* where each of the 4 question marks matches exactly one character, so the mask covers exactly 4 characters after the ~.

    *** lamer1 (~ahah@ACBAD0BA.ipt.aol.com) joined #mychat
    *** yousuck (~jfdj@node-c-0db1.a2000.nl) joined #mychat
    *** iwin (~d8jj@ joined #mychat
    *** hahaha (~fdas@host217-44-101-246.btcentralplus.com) joined #mychat

When in doubt, you can temporarily set very general bans such as *!~*@* to block everybody without identd, or *!*@*.no for everybody whose hostname ends in .no (Norway), and refine them later. This will temporarily block some of your friends from joining too (few clients run identd these days, so *!~*@* catches a lot of legitimate users), but the most important thing is to keep your channel safe. On some servers/networks, you might be able to use ban exceptions (mode +e) to let your regulars through a broad ban; see our Hybrid IRC Server Guide or consult your local help channel.
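The lockdown-then-ban sequence from above and the mask derivation from the two join samples, as an added example that is not part of the original IRCGuide page. It assumes client log lines in the “*** nick (user@host) joined #chan” shape shown on the page and the classic nick!user@host ban mask with * (any run) and ? (one character) wildcards; the sample joins are constructed (the page’s third drone line is truncated, so a placeholder host stands in for it), and the “regulars” are invented purely to measure collateral damage.

```python
"""Drone join flood: lock down, kick, then ban by pattern.

Added example, not code from the IRCGuide page. Assumes client log lines in the
"*** nick (user@host) joined #chan" shape and nick!user@host masks with * and ?.
"""
import re

JOIN_RE = re.compile(r"\*\*\* (\S+) \(([^@)]+)@([^)]*)\) joined (#\S+)")

# Constructed samples modelled on the page's two bursts; the page's third
# drone line is truncated, so a placeholder host is used for it here.
DRONE_LOG_A = """\
*** lamer1 (|xxx|-4@ACBAD0BA.ipt.aol.com) joined #mychat
*** yousuck (|xxx|-274@node-c-0db1.a2000.nl) joined #mychat
*** iwin (|xxx|-824@cable-12-34.example.invalid) joined #mychat
*** hahaha (|xxx|-86@host217-44-101-246.btcentralplus.com) joined #mychat
"""
DRONE_LOG_B = """\
*** lamer1 (~ahah@ACBAD0BA.ipt.aol.com) joined #mychat
*** yousuck (~jfdj@node-c-0db1.a2000.nl) joined #mychat
*** iwin (~d8jj@cable-12-34.example.invalid) joined #mychat
*** hahaha (~fdas@host217-44-101-246.btcentralplus.com) joined #mychat
"""
# Constructed regulars who were already in the channel, used to measure
# how much collateral damage a candidate mask would do.
REGULARS_LOG = """\
*** alice (alice@pool-1-2-3.example.net) joined #mychat
*** bob (~bob@home.example.org) joined #mychat
*** carol (~carol@host1-2-3-4.btcentralplus.com) joined #mychat
"""

def parse_joins(log):
    """Return [(nick, user, host, channel)] for every join line in a client log."""
    matches = (JOIN_RE.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]

def mask_to_regex(mask):
    """Translate an IRC ban mask into an anchored regex. Everything except * and ?
    is literal (idents like |xxx| contain regex metacharacters) and matching is
    case-insensitive as on IRC. Simplification: servers using rfc1459 casemapping
    also fold {}| onto []\\, which plain IGNORECASE does not."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.compile("^" + body + "$", re.IGNORECASE)

def mask_matches(mask, nick, user, host):
    return mask_to_regex(mask).match(f"{nick}!{user}@{host}") is not None

def common_prefix(strings):
    prefix = strings[0]
    for s in strings[1:]:
        while not s.startswith(prefix):
            prefix = prefix[:-1]
    return prefix

def suggest_masks(drones, min_prefix=3):
    """Propose ban masks from what the flood's ident fields share, most specific
    first: a shared ident prefix, a fixed-length ident without identd, and
    finally the blunt 'anyone without identd'."""
    users = [u for _, u, _, _ in drones]
    masks = []
    prefix = common_prefix(users)
    if len(prefix) >= min_prefix:
        masks.append(f"*!{prefix}*@*")
    if all(u.startswith("~") for u in users):  # ~ = ident not confirmed by identd
        lengths = {len(u) for u in users}
        if len(lengths) == 1:
            masks.append("*!~" + "?" * (lengths.pop() - 1) + "@*")
        masks.append("*!~*@*")
    return masks

def evaluate_mask(mask, drones, regulars):
    """Return (drone nicks covered, regular nicks caught). A mask is a good trade
    only if it covers the whole flood and the second list is empty or acceptable."""
    covered = [n for n, u, h, _ in drones if mask_matches(mask, n, u, h)]
    caught = [n for n, u, h, _ in regulars if mask_matches(mask, n, u, h)]
    return covered, caught

def lockdown_commands(channel, drones, mask):
    """The page's sequence as raw client commands: close the door with +im, kick
    the drones without per-nick bans (they cannot rejoin while +i), set the one
    pattern ban, then reopen."""
    cmds = [f"MODE {channel} +im"]
    cmds += [f"KICK {channel} {nick} :drone" for nick, _, _, _ in drones]
    cmds.append(f"MODE {channel} +b {mask}")
    cmds.append(f"MODE {channel} -im")
    return cmds

if __name__ == "__main__":
    regulars = parse_joins(REGULARS_LOG)
    for log in (DRONE_LOG_A, DRONE_LOG_B):
        drones = parse_joins(log)
        for mask in suggest_masks(drones):
            covered, caught = evaluate_mask(mask, drones, regulars)
            print(f"{mask:14} covers {len(covered)}/{len(drones)} drones; regulars caught: {caught}")
        print("\n".join(lockdown_commands("#mychat", drones, suggest_masks(drones)[0])), "\n")
```

Run it and read the “regulars caught” column: *!~*@* covers the second flood but also catches bob and carol, which is exactly the trade-off the text warns about, while *!~????@* covers the same four drones and nobody else. The same evaluate_mask check is worth running against your regulars before setting any blunt mask such as *!*@*.no.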

If you’re the victim of a denial of service attack, then that technically has nothing to do with IRC - the packets used to flood you off do not originate in or pass through any IRC server, and the attacker doesn’t even have to be on IRC to knock you offline. What IRC does hand the attacker is your address: your hostname or IP is visible in /whois unless the network cloaks it, so use a host cloak or vhost where your network offers one. Beyond that your options are very limited, see our guide on Reporting Nukes or Denial of Service Attacks. Just remember, nobody is safe against a determined, coordinated attack. Your best defense is once again rule #1 - try to stay out of trouble, and if trouble comes anyway, just hope that you have more bandwidth or patience than the attacker.
