We all know IRC is a fun place to be. But as in real life, you will also encounter some people who have other intentions than having fun, chatting, and learning from people around the world. And because IRC is a text-based medium, it is often hard to separate the good guys from the bad guys. But IRC does not have to be a dangerous place to be, especially if you know how to deal with security hazards and have a basic knowledge of how certain attacks and viruses work. There are a lot of rumors about attacks and viruses; in reality though, if you have a basic knowledge of how to deal with them, you have a very good chance that no one is able to hurt your computer, or any data that might be on it. And there are many tools to help you protect yourself. And best of all, most of them can be found FREE on the Internet!
DoS attacks
Denial of Service (DoS) is a term that covers a wide range of separate attacks; some well-known ones are smurf and nuke, but ping floods, BONK and many other attacks also fall in this category. All these DoS attacks have one thing in common: they either crash your computer or disconnect it temporarily from the Internet. Once the attack has stopped, you will be able to connect to the Internet again. DoS attacks do not cause harm to your computer at all; they do not damage data, format your hard disks or anything else. DoS attacks make use of vulnerabilities in the operating system you use, or in the network. As soon as such new bugs become known, some people write addon scripts for mIRC and other IRC clients, making it easier for people without any network, OS or programming knowledge (the so-called script kiddies) to perform such an attack on users on IRC.
Some well known DoS attacks are:
* IGMP, also known as Kiss of Death, pimp, or Doom. Affects all Windows-based computers. The computer receives a fragmented Internet Group Management Protocol (IGMP) packet which causes the TCP/IP stack to improperly access invalid segments of memory. The result is a hanging computer that needs to be rebooted to fix the problem. A patch should solve the problem.
* Click, also known as ICMP nuke: your computer will disconnect from IRC, but your other Internet protocols like WWW, e-mail etc. still work fine. Usually IRC users hit by this attack show quit messages like "Connection reset by peer", "Connection refused" etc. Affects all operating systems. A decent firewall should stop these attacks.
* ICMP, also known as ICMP flood: the attacker sends a massive amount of data your way that your modem simply cannot handle. The result is a disconnect from IRC, and even from your ISP. Once the attacks have stopped you can connect again. There is not much you can do against it, besides having a faster connection than the attacker, or using a bouncer (explained later).
* WinNuke, also known as OOB (Out Of Band): WinNuke is a program that sends Out Of Band data to the victim. Windows can't handle the data and the result is a BSOD (Blue Screen Of Death, the standard Windows error screen). You need to restart your computer before network access can be established again. A patch and a decent firewall can stop these attacks.
* Teardrop, another program that crashes Windows-based computers. Symptoms and actions to take against it are the same as for WinNuke.
The most important way to protect yourself against operating-system-based DoS attacks is to always keep your operating system updated with the latest patches. Operating system developers such as Microsoft release patches for newly discovered bugs and exploits the moment they are discovered.
Another way to protect yourself is with the use of a firewall (in fact, use one AND install all updates on your OS). A firewall is a piece of software that "sits" between the Internet and your computer. By looking at a set of rules you have set up, it decides what traffic is allowed to enter the computer, and what traffic is allowed to leave it. Firewalls used to require a lot of knowledge about protocols and ports. Luckily for us, firewalls specifically made for the home user are really easy to use and to set up. The firewall you can download for free from Zonelab's website is widely known as a very solid and usable firewall, and did I tell you already that it is FREE?
Once you have a firewall you also have the possibility to log all your Internet traffic. Turn this feature on! Once you are under attack, you will have a log file of all traffic, which you can use to track down the ISP (Internet Service Provider) of the attacker, and e-mail them the logs. In an older DoS article on this site I have explained how to do that.
Firewalls also protect you from a whole wealth of other possible security hazards; especially if you are using a permanent connection like (A)DSL or cable, you really can't afford to stay connected to the Internet without one. Everyone who has a permanent connection with a firewall can tell you about portscanning people. All the portscanners do is simple: they run a small program known as a "portscanner", in which they enter a whole range of IPs and ports to scan. Compare it to a burglar who simply checks all doors and windows of a whole street of houses to see if someone left a door or window unlocked. Especially if you have a network at home with "file and printer sharing" turned on, you are asking for problems if you are not running some kind of protection, unless you think it's safe to trust Microsoft's security measures in Windows of course. But then again, if you trust those, you deserve to be hacked ;)
Finally we have one last group of attacks that take place over the IRC network itself, commonly known as floods. Usually they are ctcp's sent to your IRC client, causing it to lock up. A well-known attack is the ctcp version flood; ctcp version is a command that makes your IRC client return information about the client used, like mIRC version 5.82 with airC script 0.82.45 beta. If a few dozen people would all of a sudden send multiple ctcp versions to you, and your IRC client tries to answer them all, it is highly likely you will ping out very soon. Most good full addon scripts have very good protection options against such attacks. Personally I am a big fan of the airC script. Besides other very good options, it gives you a lot of channel and security options you can set. Don't be afraid to set these options high; there isn't any reason for anyone to send more than say 2 ctcp's to you in 2 seconds. So turning on ctcp flood protection of maximal 2 in 2 seconds would be a good place to start. Besides the ctcp flood, you will find a whole list of other flood protections on (usually) the same panel; slowly go over them, setting the options as you think they will fit. Don't be afraid to set them too high, you can always change them to a lower protection if necessary later on. Final note on scripts: be sure to pick a well-known and safe script. Many "war scripts" have built-in trojans, so you end up infected with a Trojan Horse yourself, but more about Trojans later on.
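As an added illustration (not part of the original article, and not airC's code), here is what a "2 ctcp's in 2 seconds" flood protection looks like in Python: it picks ctcp requests out of raw IRC lines and answers at most 2 per nick in any sliding 2-second window, plus an assumed global cap so that a few dozen nicks sending 2 each still cannot make you ping out. The line format and the sample messages are constructed.

```python
import re
from collections import defaultdict, deque

# An IRC PRIVMSG whose text is a ctcp request (wrapped in \x01 bytes).
# Constructed for this example; real lines may carry extra prefixes or tags.
CTCP_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG \S+ :\x01(?P<cmd>[A-Za-z]+)[^\x01]*\x01$"
)

class CtcpFloodGuard:
    """Answer at most `limit` ctcps per nick, and `global_limit` in total,
    inside any sliding window of `window` seconds; ignore the rest."""

    def __init__(self, limit=2, window=2.0, global_limit=10):
        self.limit, self.window, self.global_limit = limit, window, global_limit
        self.per_nick = defaultdict(deque)   # nick -> timestamps of answered ctcps
        self.everyone = deque()              # timestamps of all answered ctcps

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def handle(self, line, now):
        """Return 'reply', 'ignore', or None when the line is not a ctcp."""
        m = CTCP_RE.match(line)
        if not m:
            return None
        q = self.per_nick[m.group("nick").lower()]
        self._prune(q, now)
        self._prune(self.everyone, now)
        if len(q) >= self.limit or len(self.everyone) >= self.global_limit:
            return "ignore"            # flood: do not answer at all
        q.append(now)
        self.everyone.append(now)
        return "reply"

# Constructed sample: alice fires three VERSION requests within half a second.
SAMPLE = [
    (0.0, ":alice!a@host PRIVMSG me :\x01VERSION\x01"),
    (0.2, ":alice!a@host PRIVMSG me :\x01VERSION\x01"),
    (0.4, ":alice!a@host PRIVMSG me :\x01VERSION\x01"),
    (0.5, ":bob!b@host PRIVMSG me :\x01PING 12345\x01"),
    (0.6, ":alice!a@host PRIVMSG #chan :hello"),
    (3.0, ":alice!a@host PRIVMSG me :\x01VERSION\x01"),
]

def run(sample=SAMPLE, limit=2, window=2.0, global_limit=10):
    guard = CtcpFloodGuard(limit, window, global_limit)
    return [guard.handle(line, t) for t, line in sample]

if __name__ == "__main__":
    print(run())   # ['reply', 'reply', 'ignore', 'reply', None, 'reply']
```

Lowering `global_limit` to 2 makes bob's PING at 0.5 seconds an "ignore" as well, which is the behaviour you want when many nicks flood you at once.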
One final way to protect yourself is with the use of so-called bouncers. Some of the DoS attacks are peer to peer, i.e., they don't take place over the IRC network. In order to perform such an attack, the attacker needs to know your IP address (found by typing /dns nick). Usually these attacks are in the form of ICMP ping floods. The attacker sends such a massive amount of data your way that your modem simply won't be able to handle any network traffic, causing a complete disconnection from the Internet.
A bouncer sits between the IRC network and your computer, and as such hides your IP from the rest of the IRC users. Usually users of a bouncer rent a so-called "shell" at a shell provider. It is a server, usually running some flavor of UNIX, on which you can run bots like an eggdrop bot, and of course in this case, a bouncer. One big bonus of using a bouncer is that usually the shell provider has a large list of cool-looking hostmasks (so-called vHosts) which will show up in your "whois", such as nick@will.rock.you.with.his.oc3.org, nick@steals.smoke.from.a.old.stoned-hippie.org etc. Another bonus is that these providers are running firewalls that are usually of high quality, which will stop attacks even before they reach your computer.
There are some disadvantages as well though. For one, it is an extra step in the route your traffic has to go through, and as such it can add to the lag you might experience. A second disadvantage is that many individuals with doubtful intentions use bouncers to hide their true identity as well, and for this reason many servers have K-lined many vHosts, which makes it impossible for you to even connect to IRC. Links to bouncers and shell providers can be found on the links page. Check the articles page for a primer in UNIX shell commands, in case you want to set up a bouncer but have no prior knowledge of how to handle shells.
Trojan Horses, Worms, and other IRC related viruses
Trojan Horses are a special kind of virus that behaves in a special way. They usually need to be activated/installed by the user himself before they can do their harmful work. Usually this means that when you are infected by such a virus, you have accepted a file from someone on IRC which was infected by a Trojan Horse. Usually Trojan Horses pretend to be something completely different. They may be hidden in an exe file called sheep.exe, which makes it look like a funny and harmless program file, while in fact, once you activate the program by double-clicking it, it will execute its harmful task. There are even programs that claim to be Trojan removers that are in fact Trojan viruses themselves.
The most important thing these viruses exploit is trust. The maker of these viruses tries to hide the virus in such a way that you as the victim will think the file has come from a trustworthy source, or that the file is fun to open/execute.
Some symptoms that might show infections:
* Your IRC client automatically DCC sends files to people just entering the channel.
* Your IRC client performs commands you haven't typed yourself, like /msg, /nick changes, deopping, or maybe even /quit.
* If someone says specific words in a channel or private message your client starts to perform commands.
* Your computer opens the CD-ROM tray automatically, your computer reboots, programs open out of itself, etc. (Back Orifice virus).
* Files get deleted on your system
* Etc.
Protecting yourself against these viruses is actually really simple. Do not ever accept files you don't fully trust, not even from your trusted friends, before you know the file can be trusted. It is really simple actually: once your friend is infected with a Trojan, the Trojan will start spreading itself, for example to people entering a channel. So when you enter your favorite channel, the Trojan on your friend's computer will start to DCC send itself to you. And you, of course, you trust your friend, don't you? You might even have placed him on auto DCC accept! Well, if this has happened, you can congratulate yourself on being another dumbass who could have prevented being infected really easily. Be *sure* to have the following file extensions turned on ignore in your DCC settings (for mIRC, press ALT-o, then go to DCC --> Folders): .bat, .com, .dll, .exe, .ini, .js, .lnk, .shs, .vbs.
And of course, turn OFF DCC auto-accept. It is one of the dumbest options in mIRC. Do not even turn it on for your trusted friends. To make sure it is turned off, go to the mIRC options, then the DCC window, and make sure "On Send Request" is set to "Show get dialog".
Be careful with "cool full scripts" for mIRC or other IRC clients. Do you really think a guy building in portscanners, nukers, flooders and other lame tools isn't adding a backdoor for himself? This is a perfect example of how a trojan virus might be hidden. Several "War Scripts" have been known to contain hidden trojan viruses that can delete files from your hard disk, and show other behaviours we have mentioned before.
Actually, if you are so naive to think they won't add such tools, please stop reading this article. In fact, if you think it's cool to have a script full of flooders and nukers, get your ass off IRC, and get a life.
Another well-known way to send viruses is by the use of multiple file extensions. Windows has the option to hide known extensions. The extension is the three-letter part after a filename which tells applications what file type it is, and with which program it should be opened. A well-known example is the .txt file, which on the Windows platform is opened by Notepad. What this "feature" does is hide an extension if it is known, so for example "LIFE_STAGES.TXT.vbs" will not show the .vbs file extension, making it look like a harmless text file. The moment you accept this file, it will execute on your hard disk, and you are infected. Also note how the maker capitalized the .TXT "extension". Even if you do not have this feature enabled in Windows, you might accept the file if you simply overlooked the .vbs extension in the DCC get window.
To turn off this "feature" (I'd rather call it a bug), open Explorer, go to View --> Options, check "show all files", and UNcheck "hide MS-DOS file extensions that are registered".
One final tip is to use a non-default DCC get folder on your hard drive. If you use an entirely different directory on your hard drive, some viruses might not be able to install/overwrite critical files in your IRC client.
And again, Trojan Horses need some kind of action from the user before they can be activated. So if you get a 2kb file which looks like a .jpg picture, you should be wiser than to simply accept the DCC. One well-known virus that was recently spread around IRC is the KOURNIKOVA.JPG.vbs virus, a virus that tried to look like a photo of the popular (OK, and VERY sexy) tennis player.
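As an added example (not the article's own, nor mIRC's code), here is a Python check that applies the DCC ignore list from the Trojan section to an offered filename and also catches the double-extension trick: LIFE_STAGES.TXT.vbs, KOURNIKOVA.JPG.vbs, mixed case, and spaces padded in before the real extension. It goes a little beyond the article with a size heuristic for the "2kb picture" case; the decoy list, the 4 KB threshold and the sample names are assumptions.

```python
# Extensions the article tells you to put on DCC ignore (mIRC: ALT-o, DCC --> Folders).
DANGEROUS = {"bat", "com", "dll", "exe", "ini", "js", "lnk", "shs", "vbs"}
# Harmless-looking extensions that double-extension files imitate (assumed list).
DECOYS = {"txt", "jpg", "jpeg", "gif", "bmp", "png", "mp3", "wav", "zip"}
PICTURES = {"jpg", "jpeg", "gif", "bmp", "png"}
TINY_PICTURE = 4096   # assumed: a real photo is larger than a few KB

def classify_dcc_offer(filename, size=None):
    """Classify a filename offered via DCC SEND.

    Returns (verdict, reason) with verdict 'reject', 'suspicious' or 'accept'.
    Comparison is case-insensitive and whitespace around each dot is stripped,
    so LIFE_STAGES.TXT.vbs, KOURNIKOVA.JPG.VBS and "photo.jpg      .vbs" are caught.
    """
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return ("reject", "no usable file extension")
    ext = parts[-1]
    inner = parts[-2] if len(parts) >= 3 else None
    if ext in DANGEROUS:
        if inner in DECOYS:
            return ("reject", "executable .%s disguised as .%s" % (ext, inner))
        return ("reject", "executable extension .%s" % ext)
    if ext in PICTURES and size is not None and size < TINY_PICTURE:
        return ("suspicious", "%d-byte 'picture' is too small to be a photo" % size)
    return ("accept", "")

# Constructed sample offers, mirroring the cases the article describes.
SAMPLE_OFFERS = [
    ("sheep.exe", 40960),
    ("LIFE_STAGES.TXT.vbs", 3400),
    ("KOURNIKOVA.JPG.vbs", 2900),
    ("photo.jpg      .vbs", 2900),
    ("holiday.jpg", 2048),
    ("holiday.jpg", 310000),
    ("README", None),
]

def run(offers=SAMPLE_OFFERS):
    return [(name, classify_dcc_offer(name, size)[0]) for name, size in offers]

if __name__ == "__main__":
    for name, verdict in run():
        print("%-22s %s" % (name, verdict))
```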
A tool to protect yourself from getting infected is a good virus scanner. And guess what? There is an excellent FREE virus scanner you can download and install from the Internet! eSafe is a really fine virus scanner that can be downloaded for free use if you are a home user; you can get it from http://www.ealaddin.com/.
One VERY important thing to know about virus scanners is that they are ALWAYS outdated. He who trusts a virus scanner that is installed and never updated for longer periods than, say, a few weeks is just as dumb as someone who auto-accepts DCC sends. Once your virus scanner is installed, make it a habit to at least download and install new virus definitions once a week. New viruses are discovered daily, and your virus scanner will not be able to protect you from viruses it doesn't know.
Once you are infected with a Trojan, you can use the excellent The Cleaner from Moosoft to get rid of it. And (the world is a wonderful place for us, really) you can use this program free for the first 30 days! Download it at http://www.moosoft.com