Internet Relay Chat flood

From Wikipedia, the free encyclopedia
  (Redirected from Crapflooding)
Jump to: navigation, search

Flooding or scrolling on an IRC network is a method of disconnecting users from an IRC server (a form of Denial of Service), exhausting bandwidth which causes network latency ('lag'), or just annoying users. Floods can either be done by scripts (written for a given client) or by external programs.

It is possible to flood a client off the network simply by sending them data faster than they can receive it and thus cause a quit with the "max sendq exceeded" message, but this is generally only feasible if the user's connection is already slow/lagging and/or the attacker has a very large number of connections to the IRC network. Therefore, more common flooding techniques are based on the fact that the maximum number of messages that can be sent in a specified interval is controlled on the IRC server. Once this value is exceeded messages are stored in a buffer and delayed. If the buffer is filled the client is disconnected with an "Excess Flood" quit message. By sending messages that request an automated reply some IRC clients can be forced to flood themselves off.

Types of floods[edit]

A post flood on an IRC channel, repeating the term "OMG" several hundred times
Connect flood
Connecting and disconnecting from a channel as fast as possible, therefore spamming the channel with dis/connect messages also called q/j flooding.
This is the simplest type of IRC flooding. It involves posting large amounts of posts or one very long post with repetitive text. This type of flood can be achieved, for example, by copying and pasting one short word repeatedly.
CTCP flood
Since CTCP is implemented in almost every client, most users respond to CTCP requests. By sending too many requests, after a couple of answers they get disconnected from the IRC server. The most widely used type is CTCP PING, although most clients also implement other CTCP replies.
DCC flood
Initiating many DCC requests simultaneously. Theoretically it can also be used to disconnect users, because the target client sends information back about what port is intended to be used during the DCC session.
ICMP flood
Typically referred to as a ping flood. This attack overloads the victim's internet connection with an amount of ICMP data exceeding the connection's capacity, potentially causing a disconnection from the IRC network. For the duration of the attack, the user's internet connection remains hindered. Technically speaking, this is not an IRC flood, as the attack itself doesn't traverse the IRC network at all, but operates entirely independent of anything but the raw internet connection and its IP protocol (of which ICMP is a subset). Even so, the actual IP address to flood (the address of the victim's connection) is frequently obtained by looking at the victim's user information (e.g. through the /whois or /dns command) on the IRC network.
Invite flood
Sending disruptive amounts of invites to a certain channel.
Example of a message flood using over 50 clones.
Message flood
Sending massive amounts of private messages to the victim, mainly from different connections called clones (see below). Since some clients separate the private conversations into another window, each new message could open a new window for every new user a message is received from. This is exploitable by sending messages from multiple names, causing the target client to open many new windows and potentially swamping the user with boxes. Sometimes the easiest way to close all the windows is to restart the IRC client, although scripts (client extensions) exist to 'validate' unknown nicknames before receiving messages from them.
Notice flood
Similar to the message, but uses the "notice" command.
Nick flood
Changing the nick as fast as possible, thus disrupting conversation in the channel.


Abusers do not typically flood from their own nicknames, because of the following reasons:

  • They can easily be banned from the server or network by administrators ('IRCops,' 'ServerOPs' or 'SOPs'),
  • Channel bans by operators ('ChanOPs' or 'OPs'),
  • From one user the flood is often not effective (the limits apply to the attacker as well).

Instead clones are used, which are script or program controlled clients, primarily to abuse others. When this method is used, it becomes easier to attack a user using many clones at the same time. Generally, the more clones an attacker has, the greater the chance of an attack succeeding. However the maximum connections from any one IP address are generally limited by the IRC network (either at the IRCD level or the services level).

One common way to increase the number of clones is by using open proxies. Usually, these proxies are SOCKS or Squid-based, which support IRC connections by default. If one has a list of open proxies, he can use them to connect his clones through them to various IRC servers. Alternatively, compromised systems can be used to make the connections.

To prevent this, some IRC servers[1] are configured to check common proxy ports of the clienst at the very beginning of the connection. If a successful proxy request can be done, it immediately drops the user (or clone). Many other IRC networks[2][3][4][5][6][7] use a separate proxy scanner like BOPM[8] that scans users as they join the network and kills or G-lines any users it detects an open proxy on. However, this offers no protection against compromised systems or proxies on non-standard ports (a full 65535 port scan isn't prototypically feasible both for performance reasons and because it risks setting off Intrusion Detection Systems), so most networks that do port scans also check if the connecting client is listed in specific DNSBLs like the TOR DNSBL.[9]

Flood protection[edit]

Almost every IRC client offers some kind of flood protection. These protections are based on the built-in "ignore" feature, which means that a given incoming message, CTCP, invitation, etc. will be blocked if the sender's hostmask matches any of the masks are defined in the ignore list. This is useful as few IRC networks implement the 'silence' command to reject messages by the server. In other words, every message will be posted to the correspondent user, whether it is a normal message or its content is intentionally malicious.

Many clients also limit the number of replies that can be sent in response to any incoming traffic from the network thus avoiding hitting the excess flood limit.


Many users believe that installing a firewall will protect them against these attacks. However, most firewalls do not protect against application-layer denial-of-service attack.


Certain IRC server packages, such as Charybdis and ircd-seven, provide a usermode (+g) which filters private messages on the server- side. A message recipient is notified of the first message, and can then choose to whitelist the sender on a session basis. This protects a client from attempts to flood it off the server.

See also[edit]



External links[edit]