Denial of Service or "Nuke" Attacks

By Joseph Lo Ph.D. aka Jolo with help from dracus, wmono, mendel, Dancr, GreyFoxx, wcoast, and many others.
This page is part of IRChelp.org's security section at http://www.irchelp.org/irchelp/security/
revised Jan 6, 2003

Introduction

The purpose of this page is to provide information and defenses against Denial of Service (DoS) attacks, which cause networked computers to disconnect from the network or just outright crash. For example, a teenager using very simple DoS tools managed to cripple the web sites of large companies like Yahoo and Amazon during a series of attacks in February 2000 (see this CNN article). These attacks are sometimes also known as "nukes", "hacking", or "cyber-attacks", but we will use the technically correct term of DoS attacks.

DoS attacks are very common but they are not a joking matter. In the US, they can be a serious federal crime under the National Information Infrastructure Protection Act of 1996 with penalties that include years of imprisonment, and many countries have similar laws. At the very least, offenders routinely lose their Internet Service Provider (ISP) accounts, get suspended if school resources are involved, etc.

Often the victims are people on Internet Relay Chat (IRC), but DoS attacks do not involve IRC servers in any way, so IRC operators (IRC ops) cannot stop or punish the offenders. If you are attacked, try not to take it personally and do not retaliate, or else you will be breaking the law yourself and probably just inviting a much more determined new attack. Instead, read this page to learn more about these attacks, make sure your computer is patched against known weaknesses, and if necessary consider getting some protective "firewall" software. Denial of service should not be confused with other attacks like viruses, Trojan Horses, and cracking or "hacking".

There are two types of DoS attacks, both of which are described in the next major section:

  1. Operating System attacks, which target bugs in specific operating systems and can be fixed with patches.
  2. Networking attacks, which exploit inherent limitations of networking and may require firewall protection.

Operating System Attacks

These attacks exploit bugs in a specific operating system (OS), which is the basic software that your computer runs, such as Windows XP. In general, when these problems are identified, they are promptly fixed by the vendor, such as Microsoft, so if you frequently apply the latest security patches, you greatly reduce this vulnerability. All Windows users should regularly visit Microsoft's Windows Update Site, which automatically checks to see if you need any updates.

Networking Attacks

These attacks exploit inherent limitations of networking to disconnect you from the IRC server or your ISP, but don't usually cause your computer to crash. Sometimes it doesn't even matter what kind of operating system you use, and you cannot patch or fix the problem directly. The attacks on Yahoo and Amazon mentioned at the top of this page were large scale networking attacks, and demonstrate how nobody is safe against a very determined attacker. Network attacks include outright floods of data to overwhelm the finite capacity of your connection, spoofed unreach/redirect aka "click" which tricks your computer into thinking there is a network failure and voluntarily breaking the connection, and a whole new generation of distributed denial of service attacks (although these are seldom used against individuals).

Just because you got disconnected with some unusual error message doesn't mean you got attacked. Almost all disconnects are due to natural network failures. On the other hand, you should feel suspicious if you get disconnected repeatedly, especially if it happens only when you frequent certain IRC channels or talk to certain people. (If that's the case, shouldn't you really just avoid these troublemakers?)
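The rule of thumb above (be suspicious of repeated disconnects that only happen in certain channels) can be checked against a client log. The following is an added example, not part of the original page; the log format, channel names and thresholds are assumptions made for illustration.

```python
# Constructed sample log in a hypothetical one-event-per-line format.
SAMPLE_LOG = "\n".join([
    "CONNECT", "JOIN #chat", "QUIT",
    "CONNECT", "JOIN #chat", "JOIN #trade", "ERROR Connection reset by peer",
    "CONNECT", "JOIN #trade", "ERROR Connection reset by peer",
    "CONNECT", "JOIN #chat", "ERROR Ping timeout",   # an ordinary network failure
    "CONNECT", "JOIN #trade", "JOIN #help", "ERROR Connection reset by peer",
    "CONNECT", "JOIN #help", "QUIT",
])

def parse_sessions(log_text):
    """Return one (channels_joined, ended_abnormally) pair per session."""
    sessions, channels = [], None
    for line in log_text.splitlines():
        event, _, arg = line.strip().partition(" ")
        if event == "CONNECT":
            channels = set()
        elif event == "JOIN" and channels is not None:
            channels.add(arg)
        elif event in ("QUIT", "ERROR") and channels is not None:
            # QUIT is a clean exit; ERROR means the connection was dropped.
            sessions.append((channels, event == "ERROR"))
            channels = None
    return sessions

def suspicious_channels(sessions, min_drops=3, min_gap=0.5):
    """Flag channels whose sessions drop far more often than all others."""
    flagged = {}
    for chan in sorted(set().union(*(c for c, _ in sessions))):
        with_chan = [bad for c, bad in sessions if chan in c]
        without = [bad for c, bad in sessions if chan not in c]
        if not without:
            continue  # no baseline: cannot tell an attack from a bad link
        drops = sum(with_chan)
        rate_with = drops / len(with_chan)
        rate_without = sum(without) / len(without)
        if drops >= min_drops and rate_with - rate_without >= min_gap:
            flagged[chan] = (drops, round(rate_with, 2), round(rate_without, 2))
    return flagged

if __name__ == "__main__":
    for chan, stats in suspicious_channels(parse_sessions(SAMPLE_LOG)).items():
        print(chan, "drops=%d rate_in=%.2f rate_out=%.2f" % stats)
```

A flagged channel is only a hint that the drops are not random. A channel joined in every session is never flagged, because there is nothing to compare it against.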

What can you do about networking attacks? If the attacker is flooding you, you essentially must have a better connection than he does. Otherwise your only recourse may be a firewall run by your ISP. We do not recommend average users go and download personal software firewalls blindly! The subject of firewalls is covered in our firewall FAQ which includes a detailed discussion on personal software firewalls.


More Information and Help

Microsoft's Windows Update [external link]

Allows you to easily identify, download, and install security patches for Microsoft Windows operating systems.

CERT Home Security [external link]

Comprehensive information about home computer security. Probably the best home user resource out there - it's complete, and it's accurate, and if users will follow it, they'll avoid 90% of the most common attacks.

Reporting Attacks

Learn about your (limited) options for reporting abusers or seeking revenge.

Tracing & Monitoring

Check out your (limited) options for tracing or monitoring nukers.

Firewall FAQ

Technical discussion of problems involved with using IRC from behind a proxy, firewall, or NAT gateway. Includes links for specific fixes for identd and DCC problems.

BugTraq [external link]

This is the definitive source of information (and misinformation too!) when it comes to attacks, bugs, exploits, etc. It is not intended for typical users because it is extremely technical and can be very hard to sort through even for expert programmers and system administrators. There have been ample examples of outright hoaxes published on this mailing list which have led to a lot of unnecessary panic and confusion.

all pages © IRCHELP.ORG or original authors