Challenge all assumptions
May 29, 2012 9:46 PM

Where's the profit in DDOS'ing IRC servers?

So for the past few months I've been wondering: in a world where botnets can be converted into cash, why would you waste your resources knocking an IRC network offline?

I know the standard explanation is "antisocial teenage jerks", but that sounds so 1994. For the most part virus software that deletes your files and trashes your system has faded and been replaced by things that steal clicks, pop up ads, or some other profit-oriented scheme. There's no profit in smashing computers. Similarly, botnets can be rented by the hour on underground markets. Having read papers and presentations from research on blackhat markets, the intuition I've gathered is that whenever someone does something that makes me think "Why would you do that?" the answer is either PageRank or Profit.

So I'm asking Mefi to challenge commonly accepted wisdom and think creatively. Why do people use large botnets they've gathered and direct them to DDOS'ing IRC networks? The best idea I can come up with thus far is proving to a buyer the scale of your botnet.
posted by pwnguin to Computers & Internet (11 answers total) 1 user marked this as a favorite
Profit can be more than just dollars; in the kiddie world, often the profit is the experience and the relationships you build/break in doing this kind of stuff.

They do it because they can, because it's really not that hard and it is a quick, demonstrable and easy way to do *something* to people who are anonymous on the internet for the most part.
posted by iamabot at 10:17 PM on May 29, 2012 [1 favorite]

It happens because some 14 year old gets pissed at somebody else over some stupid teenage crap and decides to take it out on the whole network. Either that or because it's fun to throw a wrench in the works. Or some stupid inter-channel fighting. At least that's how it used to work when I...was on IRC.
posted by wierdo at 4:43 AM on May 30, 2012

Why do people use large botnets they've gathered and direct them to DDOS'ing IRC networks?

What about inter-botnet aggression? Many botnets use IRC as a way for individual nodes to communicate and receive instructions. If one botnet is actively DDOS'ing a particular IRC network, could it be doing so to disrupt the activity of another botnet?

There's also the aforementioned 14 year olds, many of whom are now much older and have access to more resources than the castoff 486 in their bedroom. I've worked with someone who routinely brags about the number and distribution of proxies he has surreptitious access to.
posted by RonButNotStupid at 5:02 AM on May 30, 2012 [1 favorite]

As a hypothetical, one answer might be "extortion". Make an example of someone, either to shake him down for money, or to shake down someone else.
posted by Chocolate Pickle at 5:13 AM on May 30, 2012

I'm leaning towards RonButNotStupid's interpretation. IRC networks aren't just for chat, but also serve as a meeting spot for file sharing (predates p2p). That technology has also been utilized for botnets (in fact, bots has been a common term for non-human IRC accounts for a long while now).

As far as profiting, I'm not entirely sure. I know, from many years ago when I was one of those less upstanding 14-year-olds dabbling with 7th Sphere (a warscript mIRC addon), if you were able to kick the ops out of their channel, you could essentially take it over by impersonating the accounts that got kicked off. That's where DDOS'ing and "win-nuke" were popular (win-nuke was a nifty utility that could cause other Windows 95 PCs to blue-screen if they were directly accessible via TCP/IP).

My best guess is: taking over those channels could then allow the attacker to gather information that would otherwise be exclusive to the botnet's operator. That information could be profitable (e.g. CC numbers, bank accounts, other data that could be sold).
posted by samsara at 5:24 AM on May 30, 2012

Similarly, botnets can be rented by the hour on underground markets

I think one of the main things you are overlooking is that black markets tend not to be the most efficient markets in terms of utilizing resources. Renting by the hour means having over 700 hours per month of botnet time to sell, and it's non-trivial to book 700 hours' worth of work from clients. It would be similar to being a hitman for hire: even if you get plenty of work, you'll probably also have plenty of downtime. And if you're sitting around with a weapon that's not being used, and someone pisses you off, then you might use that weapon against your enemy for your own satisfaction.
posted by burnmp3s at 7:03 AM on May 30, 2012

Seconding samsara's story that, at least in the olden days, forcing a netsplit by DDOSing a server allowed you to take over channels. Basically you'd arrange things so after the split the channel is empty. You join, automatically get ops, then when things join up again you retain your ops privileges. You could also play some games with nickname collisions. I don't know if the IRC folks ever fixed that design flaw, but judging by the amount of continued effort in registered nicknames and official channel manager bots and the like I'm guessing it's still possible.

IRC is still used for a whole lot of nefarious traffic. Not just file sharing, but also as the command and control channel for botnets. I'm being a bit hand-wavy here but I've got to imagine taking out an IRC server allows some gamesmanship.

Most hosting contracts I've seen still specify you're not allowed to run an IRC server on their network.
posted by Nelson at 7:37 AM on May 30, 2012

I don't know if the IRC folks ever fixed that design flaw, but judging by the amount of continued effort in registered nicknames and official channel manager bots and the like I'm guessing it's still possible.

The registered nicks/channels were in fact the fix for that particular kind of attack. These days attackers have to be more creative than just booting everyone out of the channel and taking it before they can get back in.
posted by burnmp3s at 7:49 AM on May 30, 2012
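The netsplit channel takeover that Nelson describes, and the server-side fix, as an added simulation (this is not code from the thread or from any IRC daemon). It merges two servers' views of a channel after a split: first with a plain union, which is the old flaw, then with the channel-timestamp rule used by TS-based IRC daemons, where the side whose channel was created earlier keeps its ops. That rule is a server-level mitigation separate from the registered-channel services burnmp3s mentions; the nicks, timestamps and channel state are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ChannelView:
    """One server's view of a channel while the network is split."""
    ts: int                                   # channel creation timestamp
    members: set = field(default_factory=set)
    ops: set = field(default_factory=set)


def join_empty_channel(nick: str, now: int) -> ChannelView:
    """Joining a channel nobody is in creates it and ops the joiner."""
    return ChannelView(ts=now, members={nick}, ops={nick})


def merge_naive(local: ChannelView, remote: ChannelView) -> ChannelView:
    """Old behaviour: union both sides, so ops gained on the split side
    survive the rejoin. This is the takeover described in the thread."""
    return ChannelView(ts=min(local.ts, remote.ts),
                       members=local.members | remote.members,
                       ops=local.ops | remote.ops)


def merge_ts(local: ChannelView, remote: ChannelView) -> ChannelView:
    """Timestamp rule: the side with the older channel TS wins and the
    younger side's ops are dropped (the server deops them on rejoin).
    Equal timestamps mean both sides are legitimate, so ops are merged."""
    members = local.members | remote.members
    if local.ts < remote.ts:
        ops = set(local.ops)
    elif remote.ts < local.ts:
        ops = set(remote.ops)
    else:
        ops = local.ops | remote.ops
    return ChannelView(ts=min(local.ts, remote.ts), members=members, ops=ops)


def takeover_scenario(merge_rule) -> ChannelView:
    """Constructed scenario: the channel existed on the main side since
    t=1000 with alice opped; on the split-off server it is empty, so
    mallory recreates it at t=2000 and gets ops there."""
    main_side = ChannelView(ts=1000, members={"alice", "bob"}, ops={"alice"})
    split_side = join_empty_channel("mallory", now=2000)
    return merge_rule(main_side, split_side)


if __name__ == "__main__":
    print("naive merge ops:", sorted(takeover_scenario(merge_naive).ops))
    print("TS merge ops:   ", sorted(takeover_scenario(merge_ts).ops))
```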

Nelson: "forcing a netsplit by DDOSing a server allowed you to take over channels"

If you were DDOSing to force a split, you were doing it wrong. A spoofed RST packet would do the trick quite nicely. And even if you did that, you'd more than likely just get a desynced channel where different servers have different user/op lists, presuming the target channel employed a couple of bots to hold ops.

A split was only really necessary if the channel was invite only, since you'd have no other way of gathering a list of users in the channel so you could disconnect them with spoofed RST packets. For a public channel, though, it was blindingly easy. I suppose that's why many servers no longer show the full hostname/ip.

I do vaguely recall some people smurfing servers dead before the tools making for easy RST spoofing were widely available.

Maybe things have changed since the rise of the paid botnet, but in the past, the shenanigans were mostly the result of junk-measuring contests and boredom. The funny thing is that server admins often participated.

Do people really configure their bots to only connect to a single server rather than loading them up with server lists for whatever net? It seems like DDOSing a single server wouldn't be terribly annoying to a botnet owner unless she were an idiot to begin with. (maybe I overestimate the intelligence of botnet owners)
posted by wierdo at 8:30 AM on May 30, 2012 [1 favorite]

Since IRC networks are often used as command and control mechanisms for Botnets, I would think that this could be the case of one Botnet targeting another Botnet. Say you run a large Botnet and you want to disable your competitor's Botnet. Why not target the IRC server that controls the rival Botnet? No honor among thieves.
posted by LightMayo at 9:51 AM on May 30, 2012

I don't think botnet owners are dumb enough to not use a network with multiple servers for c&c. Maybe they are. Or maybe the server ops are better about policing bot use than they used to be. It's possible, but it doesn't strike me as plausible.
posted by wierdo at 5:10 PM on May 30, 2012
