Could Attack on DALnet Spell End for IRC?

For at least a month, distributed denial of service, or
DDOS, attacks have been crippling DALnet, one of the world’s largest
Internet Relay Chat networks, bringing it to its knees and
raising the possibility that many hosting providers may refuse to host IRC
servers at all.

“DALnet is presently suffering extensive and prolonged Distributed Denial
of Service attacks against our IRC servers, Web server, mail servers and
DNS systems,” DALnet said on its Web site. “These attacks are causing great
inconvenience and financial loss to many of the organizations that host our
services, as such some of them have suspended or discontinued their support
of DALnet.”

IRC, developed by Jarkko Oikarinen of Finland in 1988, allows people
connected anywhere on the Internet to join in live discussions. Each
discussion is on a “channel,” and many people can join at once. DALnet was one of the earliest IRC networks,
formed by users of EFnet (Eris Free Network) in June 1994 because of the
netsplits (caused when the connection of one or more servers in a network
is broken) and lag that were plaguing that network. DALnet pioneered
Services, which allowed users to control their presence online without
being harassed or having channels stolen from under them.


But these days DALnet — which is manned by volunteers and run with
equipment and bandwidth donated as a service to the Internet community —
is hanging on by a thread as sustained DDoS attacks flood its servers and
even threaten the networks that host its servers. The attacks have forced
DALnet’s administrators to take down most of its client servers and leave
them down rather than risk taking down its hosts.

“Yes, as you all know, DALnet has been attacked again by criminals who, for
reasons known only to themselves, choose to spoil the enjoyment of so
many,” Emma/Curve, chief editor of the DALnetizen ezine
and one of DALnet’s administrators, wrote in the January issue of the
ezine. “These latest attacks are worse than any of the server
administrators have seen before, attacks large enough to cripple the
networks which host our servers, let alone the servers themselves.”

The attacks come in the form of ‘botnets,’ whole networks of malicious bots,
created by Trojans, which flood DALnet’s
network with packets. According to Curve, those packets are coming in at a
rate of Gbps.


“It’s no secret that DALnet has suffered massive attacks recently, far
greater than anything we’ve seen before,” she said. “We’ve been ravaged by
DDOS attacks in the Gbps range, attacks which are not just crippling our
IRC servers, but causing disruption to the providers who host those
servers.”

She continued, “Why do I say that more than DALnet is at stake? Well,
because the more these people amass herds of infected computers (botnets)
to attack IRC servers with, the more service providers will quickly come to
the conclusion that hosting an IRC server is a liability. Already many
providers simply won’t countenance hosting an IRC server and if this random
vandalism continues, the harder it will be for non-profit IRC to continue
in any reasonable form at all. That could jeopardize the future for all IRC
networks, not simply DALnet.”


The Trojan spreads through e-mail, or even when a user visits a Web site
with a bit of hidden code, and the users won’t know unless their anti-virus
software is up to snuff. Once the Trojan makes its way onto a machine, the
next time that computer connects to the Internet the Trojan will start up
an IRC client and connect to a server — often an IRC server set up on a
shell account and paid for with a stolen credit card. The Trojan then
creates a bot which is programmed to join a certain channel once it has
connected.


A successful Trojan which has propagated widely can fill a channel with
bots. Curve said she and other members of DALnet’s Exploits Team have seen
channels with as many as 4,000 to 5,000 bots — each a home computer
infected with a Trojan. A collection of such bots in a channel is a botnet.

Once the person who wrote the Trojan comes online, the botnet is waiting
for him, and he can use it for a number of things, the worst being a
DDOS — using hundreds or thousands of bots to send data to a server until
its connection becomes saturated and it crashes. Not only does such an
attack inconvenience chatters using IRC services, it can also affect the
service providers who host IRC servers, preventing their customers — even
ones who don’t use IRC — from going online.

“It could be surmised that people who launch DDOS attacks know their
intended target and can find enough bandwidth to bring the target down,”
Aaron Schultz, a provider of DALnet hosting, wrote in the January issue of
DALnetizen. “The problem that most don’t seem to think about are the
related networks which also get hit. The small ISP which has an infected
customer who suddenly starts using all available bandwidth, the nationwide
latency created on some networks due to the amount of packets or the small
businesses that have servers on a network near the intended target.”

“Another example of innocent targets being hit are when ISPs experience
nationwide latency and regional outages due to these attacks,” he wrote.
“Are the attacks that I receive that have caused such major outages attacks
on me, or the entire U.S.? And should all of the ISP’s Southern California
customers be taken offline just because of someone’s disagreement with
DALnet? No.”

DALnet administrators continue to hold out hope that the situation can be
resolved. DALnet said it is working with a number of law enforcement
agencies to track down those responsible, has lodged complaints with the
ISPs it has been able to trace, and has the help of experts in dealing with
DDOS attacks.

So when will the attacks stop? “We don’t know,” DALnet said. “They will
stop when either the attackers decide to stop attacking, the attackers get
arrested or shut down by their ISPs, or when DALnet runs out of goodwill
from its sponsors and is forced to close.”

Anyone with information about the attacks is asked to submit it to DALnet’s
contact form.
