Michael Buffington

Virus Spam Explained

Monday, September 16 2002

Today, I read an awesome (awesome, as in, wow, this is insane) article on DoS attacks originating from IRC servers. To those not technically inclined, let me give the skinny:


DoS means denial of service. Picture 500,000 people trying to get through a single door while running. Bad stuff is going to happen; mainly, the door is going to get blocked. This is similar to what a computer experiences during a DoS. A deliberately unhealthy number of packets is sent to a computer, knocking it off the Internet.


IRC means Internet Relay Chat. IRC servers sit out on the Internet, and allow people to chat with other users who connect to the same server. Sometimes, a lot of servers build bridges to each other, providing a network of chat servers. If you connect to one server, you can talk to people on other servers within the network without having to jump through a bunch of hoops.


DoS attacks are started by people on IRC servers who have bots to do their bidding. These bots are programs that sit on a server somewhere that can connect to IRC servers just like a human would. They wait for keywords from their owner, and when called to action, unleash a fury of packets against their target (your computer).


The detail of this article is great; the guy goes to incredible lengths to track down and understand why he’s getting attacked by some unknown entity. The best part is when he breaks into a chat room of those who created the bots after spying on them for days. He knows enough about these guys to put them in prison for a long time, and he basically shakes their world up when he stops by for a little chat. It’s fantastic.


Having read this article, I’m a bit worried, namely because the hundreds of infected emails I get a day indicate that the bots know who I am, and consider my servers to be a good place to launch an attack from. My servers are patched, and the infected emails never get anywhere near executing, but it’s still a concern. I’ll be doing an intense security audit tonight, and will report tomorrow.