IRC allows anyone to post in a channel, and the concept of usernames allows each member of a botnet to be uniquely identified. However, IRC is not limited to one-way communications. If necessary, a botnet herder can create multiple channels to provide different instructions to subsets of the botnet. This provides a simple solution to botnet C2, since the attacker only needs to maintain an IRC server capable of handling the volume of traffic created by the bots. When a botnet herder posts in a channel that the members of the botnet are listening to, all of them receive a copy of the command. IRC is ideal for botnet C2 because IRC channels act as “broadcast” communications. For example, a botnet herder may need to inform the botnet of the time and target of a DDoS attack. Managing a botnet requires the ability to send commands to each member. A common use of botnets is to perform Distributed Denial of Service (DDoS) attacks, where the botnet tries to overwhelm a target with more traffic and data than it can handle, degrading or destroying its ability to respond to legitimate requests. The features that IRC provides are uniquely suited to command-and-control for botnets.Ī botnet is a collection of computers that is under the control of a “botnet herder.” These machines are typically used to perform a synchronized attack against some target. While legitimate usage of IRC has declined over time, the protocol is not dead. IRC protocol analysis for incident response But like the plaintext version, it can be run on any port. The official convention for encrypted IRC traffic is to run it on 6697. However, it is possible to run IRC while encrypted with TLS/SSL as well.
BEST IRC CHAT CODE
The server will then respond with a response code and optional data regarding the status of the request or containing the information that the user wanted.īy default, IRC is a plaintext protocol, meaning that anyone with access to an organization’s network traffic could read the data flowing over IRC. A client can send a certain command (like NICK) along with a set of optional parameters. However, this cannot be used during live capture (like many protocol-based filters), so it is recommended to filter based on IRC ports (like 6667 instead).Īs shown in the image above, IRC is a text-based protocol.
IRC traffic can be filtered in Wireshark using the irc command. While the presence of IRC on the traffic does not necessarily indicate an attack, it might be worth investigating since IRC is commonly used for communication by botnets. However, its usage has declined over time as alternatives (like Slack) have become popular. IRC is a simple but powerful protocol for text-based chat.