IRC takeover

From Wikipedia, the free encyclopedia

An IRC channel takeover is an acquisition of IRC channel operator status by someone other than the channel's owner. It has largely been eliminated due to the increased use of services on IRC networks.

Riding the split[edit]

The most common variety of channel takeover uses disconnections caused by a netsplit; this is called riding the split. After such mass disconnections, a channel may be left without users, allowing the first rejoining user to recreate the channel and gain operator status. When the servers merge, any pre-existing operators retain their status, allowing the new user to kick out the original operators and take over the channel.

A simple prevention mechanism involves timestamping (abbreviated to TS), or checking the creation dates of the channels being merged. This was first implemented by Undernet (ircu) in November 2000[1] and is now common in many IRC servers. If both channels were created at the same time, all user statuses are retained when the two are combined; if one is newer than the other, special statuses are removed from those in the newer channel.

Additionally, a newer protection involving timestamping is used when a server splits away from the main network (when it no longer detects that IRC services are available), it disallows anyone creating a channel to be given operator privileges.

Nick collision[edit]

Another popular form of channel takeover abuses nickname collision protection, which keeps two users from having the same nickname at once. A user on one side of a netsplit takes the nickname of a target on the other side of the split; when the servers reconnect, the nicks collide and both users are kicked from the server. The attacker then reconnects or switches nicks in a second client while the target reconnects, and proceeds to jupe (or block) the target's nickname for a period of time.

User timestamping is often used to detect these kinds of attacks in a fashion similar to channel timestamping, with the user who selected that nickname later being kicked from the server. Another protection method, called nickhold, disallows the use of recently split nicknames. This causes fewer kicks, but causes more inconvenience to users. For this reason, timestamping is generally more common. Some servers, such as ircd-ratbox, do both. IRC services and bots can also protect against such attacks by requiring that a password be supplied to use a certain nick. Users who do not provide a password are killed after a certain amount of time.

Other methods[edit]

Other methods can be used to take over a channel, though they are unrelated to flaws in IRC itself; for example, cracking the computers of channel operators, compromising channel bot shell accounts, or obtaining services passwords through social engineering.


Smurf attacks have been used to take over IRC servers.[2] These exploit ICMP ping responses from broadcast addresses at multiple hosts sharing an Internet address, and forge the ping packet's return address to match a target machine's address. A single malformed packet sent to the "smurf amplifier" will be echoed to the target machine.


  1. ^ Add channel creation TS (timestamp) to JOIN protocol messages, Kevin L. Mitchell, November 2nd 2000, undernetc-ircu SVN server - ircu2 - r306,
  2. ^ Ganor, Boaz; von Knop, Katharina; Duarte, Carlos A. M. (2007). Hypermedia seduction for terrorist recruiting. IOS Press. ISBN 978-1-58603-761-1