IRC Information

Advanced Users Class - #Class log provided by #CService

Many thanks to the staff at #CService who hold mini-classes on the Undernet providing the following information for an Advanced Users Class. The notes below are from a class held on August 17, 2001. For additional assistance, please visit the official #CService Website.

Topics to be discussed during class:

This session explains the different types of floods and how to combat them. (A1)

Floods are found everywhere you go on IRC. Even though they can disconnect and annoy you, there are very simple ways to combat them. (A2)

There are many different kinds of floods on IRC. Here are some of the more common types. Included after each one is how to combat or prevent that kind. (A3)

CHANNEL TEXT FLOODS - Multiple lines of text sent to a channel - usually in random letters. (A4)

CTCP FLOODS - The flooder sends a ctcp command to you many times, causing your client to respond just as many times, and ending up in a disconnection. (A5)

To combat CTCP and channel text floods, set up an alias key to /silence *!*@*, which will ignore everyone until you take off the command. To take off the command, type /silence -*!*@* (note the -). For information on setting up aliases, consult your clients documentation. (A6)

FLASH FLOODS - Occurs mainly when someone sends specific control characters to another user who is ircing via a unix machine. The results of the flood causes a slight reset of the clients terminal and renders text unreadable. Mostly this is only seen on school networks that are using ancient ircii clients. (A7)

For all UNIX users, simply type "mesg n" (no quotations) at the shell prompt BEFORE using IRC. This command will get rid of the problem. (A8)

DCC FLOODS - A user attempts to hold multiple DCC sessions with you and sends random text to the chat window. (A9)

The best thing to do to combat this type of flood is to not accept any DCC chats from people that you don't know. Otherwise if the DCC is a DCC send, the best thing to do is to close your client, open it again, and set it to auto-ignore DCC Sends until you're sure the flooder stopped. (A10)

ICMP FLOODS - This happens when a user sends multiple packets of information over and over again to your internet dialer, causing the dialing program to become busy. The dialer doesn't have time to respond to the IRC server you're on, so the server thinks you've left. This ends up in a disconnection. (A11)

While there is no major "full proof" way to surpress icmps on a win95 box, you can install programs that could prevent serious attacks and even deny icmps from hitting your box directly. These are known as firewalls and are usually used at most ISPs. If your ISP doesnt have one, download & install (A12)

LOCAL PORT FLOODS - mIRC has a bug in it that lets flooders attack your printer and modem ports. There is an easy fix for this. (A13)

There is a simple fix for mIRC users. Just type /ignore -p <option>. Where option is, type these commands in separately: com1*!*@*, com2*!*@*, com3*!*@*, com4*!*@*, prn!*@*, and lpt!*@*. Be sure to type them SEPARATELY. E.G. /ignore -p com1*!*@*, then /ignore -p com2*!*@*, and so on for all of them. (A14)

FORMAT FLOODS - Because of the recent new color feature in mIRC and other clients, format floods are becoming more common. Format floods are "pictures" drawn on a client using colors. As cute as it sounds, they can flood users off - both accidentally and intentionally. (A15)

Those are all the types, fixes and commands you need to combat floods. Remember to NEVER retaliate against a flooder, it only makes the situation worse. If a flooder persists to flood you, try contacting an IRCop with the nickname and/or the user@host of the flooder by typing /who 0 o or /who -oper for UNIX. (A16)

For a more in depth document about flooding and how combat it, check NudeDude's NoFlood document available at the documents website at (A17)

SESSION B - DoS attacks
Explanation and information on protection against Denial of Service attacks. (B1)

Denial of Service, or Nuke is an attack against computers connected over the internet, especially on IRC. These attacks are illegal in the U.S and many other countries. (B2)

There are many DoS attacks other than Nukes - ssping, winnuke, land, click, smurf, teardrop, and ICMP are some of them. Please note that "nuke" is usually used to refer to any kind of DoS attack, but there is an attack called winnuke. (B3)

Ssping causes your computer to lock up, usually requiring a reboot. After rebooting, the computer should run as normal. There is currently a patch for Windows 95 and NT, and a few other platforms. (B4)

WinNuke only affects Windows systems, and causes a device driver error, resulting in a loss of connection to the internet. This may also require a reboot. There is a patch for this bug. (B5)

Land affects several operating systems including Windows, and causes a freeze and then a crash of the computer. Luckily, there is a patch. (B6)

Click affects just about everybody, and all it causes is a disconnection from IRC. The quit messages are usually "Connection reset by peer," "Connection refused," "Operation timed out," and "Host unreachable." There are no patches to this bug. (B7)

Smurf affects a whole internet provider or IRC server, and everybody connected gets kicked off the server or provider. The attack can last hours, even days. There is no fix to defend yourself. (B8)

Teardrop affects Windows and Linux users, and causes an immediate crash or reboot. There are fixes for most operating systems. (B9)

ICMP is Internet Control Message Protocol, and is very common. ICMP attacks affect anyone with a modem connection, and causes all internet applications to run very slow, and eventually it will disconnect you from your ISP. There are no current patches, except to get a Firewall from your ISP to block ICMP attacks. (B10)

Bonk.c causes attack causes a crash of your dialing program, and the BSoD (Blue Screen of Death) which i'm sure we've all come across. After the screen your net connection will still be active, but most of your programs will be frozen. You must reboot your computer before you can go on. Related to bonk is another new attack called Newtear, with the same results as bonk. There is a fix for all users. (B11)

SMB (Server Message Block) is not an attack in itself, but a weakness in the windows file sharing logic that allows remote attackers to view your files and folders. There are several patches for users, another solution would be to uncheck the Netbios and IPX protocols in your modem connection settings, only leaving tcp/ip in place. (B12)

DoS attacks are very serious. In some cases, a fix is available, and it is strongly reccommended you get the patch. At the end of class URL's will be given for the patches. As with floods, the last thing to do is retaliate. Remember, when you're getting attacked, the first thing you want to know is the IP address so you can report the abuser. (B13)

There are currently lots of virus going around IRC. A user with an infected mIRC .ini file unknowingly sends a backdoored copy of this file to all users entering a channel. People who accept the DCC and then run the infected file have their good files replaced with the infected one, causing many things to go wrong. (B14)

The next time they launch mIRC, the infected file is set up. The file will send all commands you type to a secret channel where infectors are. Infectors look for any passwords that are sent to X/W so they can take over those channels using user's passwords. The file is also sent to everyone who enters any channels you are on, causing the infected file to spread like a virus. (B15)

The most important thing to remember is to NEVER accept a DCC from someone you don't know, especially if they're trying to send .ini, .vbs files etc. And remember most people who send infected files's do it unknowingly. Also remember to never have auto-accept DCC's on. (B16)

For current DoS patch files, check out
For more information, take a look at
For complete protection try Norton's
Conseal Firewall available at
NetworkIce Firewall available at (B17)

How to prevent and report abuse and channel takeovers. (C1)

If you install all of the patches and take all of the precautions in Section A and Section B, you are still likely to be a victim of a flood or a DoS attack. Knowing where to report them is the next step. (C2)

The most important thing you can have is a log. Try and have the log timestamped, so we know the exact time. Also try to cut out all irrelevant lines in the log. Besides the log, it is requested that you have the attacker's nickname and user@host. (C3)

Takeovers happen just as much as abuse. Takeovers are when a person comes into a channel and tries to gain ops. Often the abuser will deop and kick/ban the other ops. (C4)

Takeovers can occur when multiple floodbots are set up to flood everyone in the channel, and backdoored clients can expose X/W passwords and they can be used to gain ops. (C5)

If your channel has been taken over, you can go to #zt. Calmly report the incident to the helpers there. (C6)

Many users start a channel one day, and come back the next day to see that other people are ops in it. This is certainly not considered abuse because the channel is not registered, and does not belong to any one person. (C7)

Users gaining ops by changing their user@hosts and pretending to be an op is NOT considered a takeover, but bad channel management. Many IRCops will not aid channels when this occurs. (C8)

Remember that the most important thing to prevent DoS attacks is to have all of the patches, rather than to rely on #zt. (C9)

We will make further reference on how to Protect your channel in our Protection of your Channel Class. (C10)

Explanation of scripts and online "robots" (D1)

Bots are clients with automated responses to certain commands. These responses can be coded into the client and run on IRC to serve some sort of purpose. (D2)

There are many different kinds of bots - Bar bots, fileserving (f-serve) bots, even casino bots. Each bot is coded to have a specific purpose on IRC. Note - For channel management, maintainance of an oplist and banlist, and to utilize other features that bots can offer, it's best to use CService's X and W. For more info, join #cservice. (D3)

Warbots are bots that are programmed to take over channels by use of flooding and trying to create a netsplit. Warbots are illegal on the Undernet and will get your host/address g-lined, if not k-lined, so it's best NOT to run this type of bot. (D4)

Unlike scripts, bots are run on a separate client then you're using. For example, you would have a second copy of mIRC on your computer. (D5)

A bot works by using a script, comprised of many "on" commands. For example, "on *:JOIN:#:whois $nick" would tell you who a person is when they join a channel. (D6)

An alternative way for running a bot is to obtain an already programmed bot. All you need to do is download the scripts and load it into your client. These bots can be obtained from many popular web sites, and ask for help on your clients channel ie. #mIRC. (D7)

The best way for a beginner to write a bot is to use the scripting language of their client, such as mIRC, pIRCH, ircle, or ircII. More advanced scripters usually use Perl, C, Tcl, etc. To learn how to script in your own client, ask in a bot channel, look on a bot website, or consult your clients documentation. (D8)

A good resource for bots is the Undernet Documents Committee's BotDoc. This document has an FAQ and has many resources for creating your own bot, or getting one off of the web. This document can be found at the Documents website located at (D9)

Scripts are also clients with automated responses to certain commands, in most cases scripts usually run on the same client as you use. (D10)

Scripts are sometimes used to run bots. In bots, scripts are the files that actually have the "on" commands. Scripts tell the client what to do when certain cases come about. (D11)

Other times scripts are used for fun. Fun scripts include automatic greetings when a client joins a channel, different responses to different actions, or to run f-serves or other services. (D12)

For example, you can go to your Remotes in mIRC and type an "on join" line so that your client automatically sends a greeting to every other client joining the channel(s) you're on. (D13)

For more information on creating scripts specifically designed for your client, refer to your client's help files, try #eggdrop, or join a channel specifically for your client (#mIRC, #pirch, etc.). (D14)

Some useful websites for bots are:

A listing of commands to know. (E1)

LUSERS - Options: none. Syntax: /lusers. Use this command to get network information and status. (E2)

WALLCHOPS - Options: none. Syntax: /wallchops <#channel> <message>. If you are an op and would like to send a private message ONLY to the other ops on the channel, use this command. (E3)

WHOWAS - Options: none. Syntax: /whowas <nickname>. Use this command to see if someone was on IRC recently. Useful if you're being flooded and don't know the address of the attacker. (E4)

CTCP - Options: Clientinfo, ping, time, userinfo, version and page. Syntax: /ctcp <nick> <option>. CTCP (Client To Client Protocol) is used in many different ways, to check lag, to see a persons client version, etc. To see all available ctcp commands use the clientinfo option. (E5)

USERHOST - Options: none. Syntax: /userhost <nickname>. Finds the user@host for the specified nickname. (E6)

USERIP - Options: none. Syntax: /userip <nickname>. Similar to Userhost, but this command finds the IP address for the specified nickname. (E7)

SILENCE - Options: none. Syntax: /silence <nickname or user@host>. This command works like ignore, except that it's used to stop CTCP floods. (E8)

USERMODES - Options: i, s, w, d, g. Syntax: /mode <your nickname> <+ or - (option)>. Use this command to set modes on yourself. Option i makes you invisible, s makes you receive server notices, w makes you receive wallops, and d makes you deaf to all channel conversation. Example - /mode <nick> +i. Note - You can use either + or - before the option to choose setting. (E9)

MAP - Options: none. Syntax: /map. Use Map to get information on the current network structure, or routing. (E10)

LINKS - Options: none. Syntax: /links. This is the same command as map, except links displays the structure in a different format. On some networks other than the Undernet, the map command doesn't work. Use this command instead. (E11)

STATS - Options: c, g, H, i, k, l, m, o, u, y. Syntax: /stats <option> (server). Stats lists various information about the server, from ban lists to who is allowed on the server, and various other technical lists. (E12)

c returns a list of servers which your server may connect to
g shows the network-wide banlist
H shows servers that are allowed to act as hubs
i lists the hosts that are allowed to connect as clients
k shows the server banlist
l shows port connections. (E13)
m gives commands supported by the server
o shows server operators
u is the servers uptime, ie. X
y shows lines from the server configuration file. (E14)

TRACE - Options: none. Syntax: /trace <nickname>. Use Trace to look at the path, in servers, between you and another nickname. (E15)

DNS - Options: none. Syntax: /dns <nickname> or <address>. The DNS command is used to find someone's resolved address, or unresolved DNS number. Useful for finding people with unresolved hostnames but for mIRC clients only. (E16)

For all of these commands, when using them, omit the parentheses. For more advanced commands consult your client's help files. Since each client is different, giving more advanced commands would be confusing. (E17)

For more help with any IRC command, try reading the IRC Command Cosmos at (E18)

An explanation on trojans and their fixes. (F1)

Recently there has been an outbreak of Trojan's being sent to unsuspecting users. (F2)

These Trojan's are passed around in disguise as games, enhancements to an IRC client, warez with any extensions such as .exe, .jpg, .gif, .ini, .html etc. (F3)

The result of accepting a file send from anyone could be the compromise of your computer to the writer/owner of the Trojans. (F4)

What does this compromise mean? Well it ranges from allowing access to your computer when you are online, permitting the Trojan writer/owner to get your ISP, e-mail address, passwords, any financial account information that might be on your machine. (F5)

This allows the Trojan writer/owner to use YOUR machine for Denial Of Service attacks, which for example in the United State of America is a felony. (F6)

The only way this problem can be minimized is by YOU the user, NOT accepting ANY file from anyone, for any reason. (F7)

YOU are protecting yourself when you decline a file send from someone, should they ask why, tell them why!!!! You shouldn't be ashamed to tell someone that you don't accept file sends, and you can also set file types to ignore in your mIRC DCC options. (F8)

The best way to prevent getting infected with a virus or a trojan is to never accept files from people you do not know. Also be sure that Auto Accept is OFF for DCC, you can do this by typing /sreq ask after typing this, you should see this line: *** DCC Send requests pop up a dialog that means that anyone who tries to send you files needs your permission to do so. (F8a)

Virus scanners may or may not detect a Trojan in a received file. There are at least two channels dedicated to the eradication of particular Trojans, #backorifice and #dmsetup. (F9)

Users may also try to say they are sending you a 'fix' for these Trojans, they may also be the Trojans itself so do not accept these either. (F10)

To download a cleaner that will check for and clean 150 Trojans go to

It is recommended that you visit #dmsetup first to get the proper information. (F12)

An explanation of what Server Notice Masks are, and how to use them. (G1)

Server Notice Masks, or snomasks, is a feature not widely known by IRC users. This feature enables you to listen to notices, messages, and actions that the server you're on performs. (G2)

In other words, you can set a snomask that will let you know when an IRC operator sets a gline, when there is a netsplit, a nick collision, or even a kill by an IRCop. (G3)

The syntax for the command is /mode <your nickname> +s <value>. Where value is, you enter a number for the type of message you want to recieve. To stop recieving these messages, simply type /mode <your nickname> -s. Note the +s has changed to -s. (G4)

Here is the listings of the different values (numbers), and what they stand for. A copy of the listings is available in the snomask document at the Document Committee's website, located at (G5)

1 - Displays unsorted old messages
2 - Server kills (nick collisions)
4 - IRCop kills.
8 - Desyncs
16 - Temporary desnycs
32 - Unauthorized connections
64 - TCP or socket errors
128 - Too many connections. (G6)
256 - Uworld actions on channels
512 - IRCop Glines
1024 - Net join/break, etc
2048 - IP mismatches
4096 - Host throttle add/remove notices
8192 - Old oper-only messages
16384 - Client connect/exit notices (not recommended). (G7)

How the Undernet network works. (H1)

The Undernet may seem very simple to the common user, but behind the scenes there are many people hard at work for the users. Many people devote their time to performing many necessary tasks for maintaining the Undernet. (H2)

The Undernet is comprised of many different committees and subcommittees. Each committee tries to work with one another to create a better network and to maintain network stability. (H3)

There are a total of five committees, and five subcommittees. (H4)

Channel Service Committee

Provides an easy method for registering channels in order to maintain channel stability, to prevent takeovers, and to manage a banlist and userlist. CService has 3 groups - Registrations, Abuse, and Help Channel. (H5)

The CService home page is located at
CService's main e-mail address is (H5a)

Coder Committee

Concentrates on the continued development of the IRC protocol with the goal of making the Undernet a more efficient chat network. (H6)

The Coder Committee home page is at
Their e-mail address is (H6a)

Undernet User Committee

Provides Undernet Users a place to give their thoughts. This committee has six subcommittees - #UserGuide, Webmasters, Documents, Promotions, Newsletter, and Class. (H7)

The User-Com home page is located at
The committee's main e-mail address is (H7a)

North American Routing Committee

Views current IRC Servers and evaluates new applications for servers. The goal of the committee is only to link the most qualified servers. (H8)

European Routing Committee

Acts the same way as the NA Routing Committee, except for focusing only on European Servers. Having separate committees insures the utmost attention is given to this task. (H9)

Both Routing Committee's home pages are at
Their e-mail address is (H10)

The Undernet also consists of volunteers known as IRCops. These people, picked by server administrators have the job of maintaining the network. To find an IRCop for assistance, type /who 0 o or /who -oper for UNIX. Remember these are busy people, don't get mad if they don't respond at first. (H11)

How to retrieve important and useful documents. (I1)

As an Undernet user, you have access to a number of documents that help you have an excellent experience online. There are two main sources of documents, HelpBot on IRC, and the Documents Committee. (I2)

When you are in your web browser, you can go to the Documents Committee Web page. This page is very useful in finding what you need, whether it be the Undernet FAQ, or the History of the Undernet. (I3)

The Undernet Documents Committee can be e-mailed also. E-Mail them if you have any ideas for documents or if you have any comments or suggestions for them. Their address is (I4)

Their web page is located at At this address, you can find various documents including beginner, advanced, technical, and historical documents. (I5)

If you don't want to go to the WWW, there is a bot online on the Undernet, called HelpBot. (I6)

HelpBot has many uses. It holds many files available for your download, it has online help with bots, channel listings, and various services. (I7)

To use HelpBot, type /msg HelpBot help. This will give you a list of commands to choose from. (I8)

A reminder that because the Undernet is run strictly by volunteers working on their spare time, please read all of the appropriate documentation before asking for help from any of the committees. (I9)

There are many help and assistance channels on the Undernet. There are also many knowledgeable people to help you out with problems you may have. Here are some places on The Undernet you can go for help: (J1)

#userguide - Undernet User-Com's help channel, for all general help. (J2)
#user-com - Undernet User Committee's home channel, always staffed with helpful people. (J3)
#winnuke - Technical help and information on nuke attacks. (J4)
#zt - Technical help channel, usually for technical help and channel difficulty. (J5)
#cservice - Undernet Channel Service. Help with X bot and information on how to use them. (J6)
#help - Help available for more experienced users, along with newbies. (J7)
#opschool - A CService Class similar to this. For information on the next class time, check in the channel #OpSchool on the Undernet. They try to schedule at least 1 class per week and do their best to try to cover as many timezones as possibly. If you have any questions regarding OpSchool, please email:

The Undernet also provides e-mail addresses where you can get help. Here are a few which you should know. (J9) - Channel Service mailing list. (J10) - OpSchool mailing list. (J11) - Abuse or misuse of power, e.g. IRC operators, NOT channel affairs. (J12) - For more experienced users along with newbie help. (J13) - User Committee mailing list. (J14)

Like explained before, if absolutely necessary, you can get an IRC Op to assist you. Also, Undernet has a homepage with useful resources at (J15)

Where to find the places mentioned in this class. (K1)

Besides using HelpBot and the Documents Committee, there are many other places to go for help that were mentioned earlier. Many resources are available such as IRC channels, Web sites, and e-mail addresses. (K2)

       Floods - NudeDude's NoFlood Document - Available at Document committee web site - (K3)

SECTION B - DoS Attacks
       For Information -
       Puppets Page (K4)

       ICMP info -
       McAfee Firewall -
       DoS info - (K5)

SECTION D - Scripts and Bots
       Channels - #eggdrop
       BotDoc - (K6)

SECTION E - Advanced Commands
       IRC Command Cosmos - (K7)

SECTION H - Undernet Administration
       CService - Channel Service Committee - -
       Coder-Com - Coding Committee - (K8)
       User-Com - User Committee - -
       NA and EU Routing-Com - Routing Committees - - (K9)

SECTION I - Documentation
       Documents Committee -
       HelpBot - /msg HelpBot Help
       Misc Help Channels - #UserGuide, #help, #mIRC, #pIRCH, #CService, #newbies
       Also for general IRC help, take a look at (K10)

This class is held every Thursday at 7:30PM Eastern. (00:30AM GMT), alternating with the New User Class. (L1)