IRC stands for Internet Relay Chat. IRC is a collection of networked servers, to which so-called "clients" can connect and then interact with other clients connected to the same or other IRC servers. Every "person" you see on IRC is a client of some server. Typically, servers run 24 hours a day, 7 days a week, waiting for clients to connect. Clients, on the other hand, typically only run when a user wishes to use IRC, although there are exceptions to this rule, specifically bots. When you type /server irc.charter.net, you are opening a connection to the machine irc.charter.net. (Typically, though not always, the client connects to the server on port 6667. When you type /server irc.charter.net, your client assumes this to be the case. If you actually wanted to connect to port 6665, you can type: /server irc.charter.net6665.) irc.charter.net, in turn, is running a server program which is connected to a large number of other machines running server programs (usually just called servers). It relays what you type to the other servers, and it relays what users on those other servers type to you. Each server keeps a list of what is going on in each channel its users are on, and when a user on any server changes anything on that list, that user's server notifies all the other servers of the change.
Servers link up via the Internet, and send lots of traffic out to each other. When net traffic gets heavy (not just IRC traffic, but all net traffic) then the links get overloaded and break. This is called a "netsplit." When someone netsplits, it looks like this:
*** Signoff: Hutch (irc.charter.net)
This indicates that the connection between SuperChat.org and irc.charter.net is the one that broke down, and that you are on the SuperChat.org side of the netsplit, while Hutch was on the irc.charter.net side. This does NOT mean either that Hutch is necessarily on charter or that you are necessarily on SuperChat.org; just that Hutch was on that side of the split and you were on this side. When a link between your server and another server breaks, then anything done on your server won't be relayed to that server, and anything done on that server won't get back to you -- at least not until the net rejoins.
When a server splits it no longer knows what the other servers have been up to, and other servers don't know what has happened to it while it was split. So, the split server could have new ops that were made while it was split, or new bans, or new users. When the server rejoins, it updates everyone on what has been going on, which is why you will see something like:
*** Mode change "+o Hutch" on channel #IndecentProPosals by irc.charter.net
That was the server irc.charter.net"synching" its information with everyone else's and telling everyone it had a new op. Sometimes, the server updates don't work, and servers persist in seeing their own view of reality. For example, picture this:
*** Mode change "+o Hutch" on channel #IndecentProPosals by irc.charter.net
*** Mode change "-o Hutch" on channel #IndecentProPosals by Lisa5150
A server, in this case charter, opped Hutch. Then Lisa5150 immediately deopped him. Lisa5150 most likely deopped him before her server had a chance to tell Hutch's server that Lisa5150 was an op. If Hutch also tried to deop Lisa5150, from Hutch's perspective, the whole incident looked very different:
*** Mode change "+o Lisa5150" on channel #IndecentProPosals by SuperChat.org
*** Mode change "-o Lisa5150" on channel #IndecentProPosals by Hutch
So, the SuperChat.org side sees Lisa5150 as opped and Hutch as deopped; the charter side sees the exact reverse. The charter side will now ignore anything that Lisa5150 does that requires ops, and the SuperChat.org side will likewise ignore anything Hutch does that requires ops. The message you'll receive will look like this:
Hutch types:
/mode * +b *!*lisa*@*charter.netHutch sees:
*** Mode change "+b *!*lisa*@*charter.net" on channel #IndecentProPosals by Hutch
*** Not channel operator (from SuperChat.org)
*** Lisa5150 has been kicked off channel #IndecentProPosals by Hutch (Be Gone Woman!)
*** Not channel operator (from SuperChat.org)
Lisa5150 would not even see the ban or the kick, since her server doesn't acknowledge Hutch's ops as legitimate. Thus, people who are connected to one server may see bans and ops that people connected to another server can't, even though all those people can see each other and are talking. When that happens the server is said to be "desynched." Note here that Lisa5150 WOULD STILL BE ABLE TO SEE EVERYTHING HUTCH SAYS ON CHANNEL, EVEN THOUGH HUTCH THINKS HE KICKED HER OFF. Because he kicked her off, whenever she tries to send text to channel, she will get a message that says:
*** Can't send to channel (from irc.charter.net)
Since Hutch's server doesn't think she's on the channel, it won't relay what she says to Hutch. But, since Lisa5150's server thinks she's on the channel, it will relay whatever it sees Hutch saying to her. Note also that Lisa5150 can leave the channel on her side and rejoin. From Hutch's perspective, she will join the channel even though he banned her, because her server will inform all other servers that she joined. Hutch's server will simply accept that as a fact without checking the ban list. For more consequences of splitting, see section 3 on "How the hackers take channels" (and what to do about it).
Modes are the parameters of a channel, they define what can and can't be done. Note that both users and channels can have modes, but the effects of a particular mode (say +i) are different. This document deals with channel modes only, for more information, see the files listed at the end of this document.
There are 7 main channel modes. Which ones you set your channel to will depend on what you want to do. You can set modes singly or in clumps:
/mode * +nt
is the same as
/mode * +n
/mode * +t
(NOTE: you can also set using the channel name, e.g.
/mode #channel +nt
but typing * is quicker. However, some clients require you to use the full name.
+n means "no notices". This stops people or bots sending notices or msgs to the channel from outside. Your channel should *always* be set +n, to stop low-lifes from flooding it.
+t means "topic". If this is set, then only operators can change the topic. You don't have to set this, but in my experience if you don't then you will get flooded with topic changes. No idea why, it just seems to happen that way.
+i means "invite only". Anyone who wants to join the channel has to be invited by a channel op. Nice if you don't want drop-ins or as part of a defence against people actively trying to take the channel, but otherwise annoying.
+p means "private". If your channel is set +p. Then if someone does a /whois on anyone on that channel, the fact they are on that channel will not be revealed. However, it will be obvious that they are on *some* channel. The /whois will like like this (provided you are not on the channel yourself):
*** Hutch is ~hutch@charter.net*** on channels: *private*
*** on IRC via server irc.charter.net
NOTE: A channel cannot be both +p and +s
+s means "secret". If your channel is secret, then no answer will be returned if someone does a /names #channel. Of course if they are *on* the channel when they do this they will see all the people on it. A /whois of someone on a secret channel will look like this (provided you are not on the channel yourself):
*** Hutch is ~hutch@charter.net*** on IRC via server irc.charter.net
NOTE: A channel cannot be both +p and +s
A channel set +k requires a keyword to enter. On EFnet (the largest IRC net) this keyword can contain unprintable chars. On UnderNet, only printable chars count.
To set the keyword for channel #Lisa5150 to mykey:/mode #Lisa5150 +k mykey
or
/mode * +k mykey
You also need the key to remove the mode. If you know it:
/mode * -k mykey
if you don't, see below.
If you set the channel +m, then only operators or people who an operator has set +v can talk on channel. This is a useful way of dealing with an attack by floodbots.
The +o mode is set or unset for particular users. Making a user +o gives the user operator status on the channel. Making a user -o removes operator status.
/mode * -n
/mode * -nt
You can combine mode commands too. Supposing the channel was currently +i +n +t (usually written as +int). You can remove the +i by
/mode * -i
But supposing you want it to be -i but +s
/mode * -i+s
You can clear all modes (including a keyword you don't know...) by typing:
/eval mode * -$M
NOTE: eval and $M are both commands specific to the ircII IRC client. If you are not using ircII, the above command may not work for you.
/mode * +o Lisa5150
To de-op them:
/mode * -o Lisa5150
You can op or de-op up to 3 people at once:
/mode * +ooo Lisa5150 Hutch AttaGirl
/mode * -ooo Lisa5150 Hutch AttaGirl
Note that the number of "o"s has to match the number of people.
/kick * Lisa5150
You can add a comment the person will see when they are ejected:
/kick * Lisa5150 Good bye and good riddance!
You can only kick one person at a time. This is one of those commands it is nice to have an alias for -- see the section on scripts for how to write an alias. Also note that it's often adviseable to ban a user before you kick them -- that way they don't jump back on channel during the interval before the ban takes effect. See section 2.6.1.5 for further details.
When banning, the nick and user and host info are written like this:
nick!user@host1.host2.suffix
e.g. Lisa5150!lisa@charter.net
or
Hutch!hutch@charter.net
So, anything to the right of the ! is a nick, anything between the ! and the @ is the user portion (also called account, or account name) and anything to the right of the @ is the host.
You can use wildcards in bans, special characters that stand in for a character or group of chars.
? means "any single char"
* means "any group of chars.
So "L?sa5150" will match "Lisa5150" and "lesa5150" and "losa5150" but not "Lissa5150." "*lisa" will match "Lisa5150". "*.bonehead.com" will match "Ima.bonehead.com" and "luser.bonehead.com" but not "bonehead.com" itself.
Note that some users can change their account name as easily as the rest of us change our nicks. This means you will have to ban their entire host, or possibly their entire domain, to keep them off the channel.
/mode * +b nick!*@*
This bans anyone with the nick "nick." E.g. /mode * +b Lisa5150!*@* will ban anyone with the nick Lisa5150 from the channel. Of course if they change their nick, then they can slide right past the ban. This ban is pretty useless against people, but can be used to get rid of bots, who usually don't change their nicks. Some bots do, though. Incidentally, on EFnet, you can see the bans on any channel, whether you are on the channel or not, by typing /mode # channelname b.) It can also be used to get rid of an idle user you have kicked who has auto-rejoin set on, and immediately comes back on channel. In that case, ban them, then unban about 5 mins later.
/mode * *!*user*@*host.suffix
This is your standard everyday ban. It bans all nicks (*! means "all nicks") from their username (*user* means their username, plus the * at the beginning takes care of the ~ mark you sometimes see, and the * at the end insures that the username you provide "fits" into the space -- no more than nine characters will fit), from all machines in their domain.
E.g., to ban Lisa5150 who is lisa@charter.net you would type:
/mode * +b *!*lisa*@*charter.net
To ban Luser who is bonehead@Ima.luser.com you would type:
/mode * +b *!*bonehead*@*luser.com
Note that for the non-US address (.au means Australia) you leave 3 parts of the host name, for the US one, you only leave 2.
Most scripts would write the ban as:
/mode * +b *!*bonehead*@*.luser.com
This works OK unless you get someone with a 2 part hostname, e.g., luser has another account, Wally@annoying.com, with access to wally@Iam.annoying.com and wally@lamer.com.
/mode *!*wally*@*.annoying.com will ban the first account, but not the third.
/mode * +b *!*@*host.suffix
This bans everyone from a particular domain or machine, no matter who they are, or what their nick. For example, if you wanted to ban Lisa5150 and everyone from Airmail.net, you would type:
/mode * +b *!*@*charter.net
Then it wouldn't matter who the person was, if they were on an charter.net machine, they will be banned. You can also ban users from particular machines, so if you wanted to ban users from charter.net but not snailmail.net, you could type
/mode * +b *!*@charter.net
/mode #IndecentProPosals+b *!*lisa*@203.2.20.1
If the person being banned actually has access to other hosts on that network, or can change to another IP address that they own, it gets more complex. There are three basic types addresses that you can get when you register a network: Class A, Class B, and Class C. A Class C network is a small network - no more than 255 hosts on it, and is the most common you should see. In a class C network address only the last number will change. If I knew Lisa5150 was on a class C network, I could do a site ban on her with:
/mode #IndecentProPosals+b *!*lisa@203.2.20.*
A class B network is larger, up to 65535 hosts, and the last two components of the address can differ. For a class B you would use
/mode #IndecentProPosals+b *!*lisa@203.2.*
Class A is 16777215 hosts and all three of the final compoentents can change. There are only 255 class A networks - all owned by large corporations. Many networks, especially the larger ones, are subnetted, which means that even if the hacker is on a large network, the piece they are on can probably be banned simply by wildcarding the last part of the address.
Ok - cut to the chase.
Networks from 128-191 are Class B.
Networks from 192-223 are Class C.
Treat everything else as Class A.
You can ban by /mode * +b *!*lisa*@203.2.20* but that will ban people from 203.2.202.4 for example, quite likely a completely different domain. The moral: include the ending period when banning by IP address. Now you know more than you ever wanted to about IP network addressing.
/mode * -o+b Hutch *!*hutch*@*charter.net
/kick * Hutch Get out you Luser!
*** Mode change "-o+b Hutch *!*hutch*@*charter.net" on channel #IndecentProPosals by Lisa5150
*** Hutch has been kicked off channel #IndecentProPosalsby Lisa5150 (Get out you Luser!)
The mode change command effectively de-opped Hutch first and then instantaneously banned him.
/mode * b
NOTE: This works regardless of whether you are on or off channel, but of course if you are off channel you have to use the channel name as well as /mode #channel b .
To clear old bans you have to remove them *exactly* as they were written - a terminal with cut and paste is invaluable for this. If you make a mistake, the system won't warn you, it will tell you the ban is removed, even when it hasn't been. You must get the ban exactly right.
To clear a ban:
/mode * -b
For example, to clear the ban *!*hutch*@*charter.net:
/mode * -b *!*hutch*@*charter.net
Some general rules:
* There are no absolute rules. Every rule allows for a commonsense exception. Use your judgement -- but on the other hand, be very careful. Think about what you are doing.
* Take your time and do things right. -- But do act with haste. :)
* Don't op someone unless you are sure they are who you think they are. Never op someone solely based on their user@host.
* Always de-op people who come in from splits with ops. You can always re-op them later.
* If you think the channel is under real heavy attack, then make it +i. Make sure all ops are mode +i themselves (/umode +i) and then get them to change nicks. Also, ban all accounts or hosts that you think are dangerous. This will prevent everyone except people who slide in from a split from figuring out who the ops are on channel (unless there's a spy on channel). Why all the effort to prevent people from finding out the nicks of the ops? To prevent nick collisions (see section 3.2). Of course, making the channel +i means that no one can join the channel unless they know the alternate nicks of the ops, so it will disrupt normal life quite a lot.
One of the simplest ways is to take the nick of someone you know is a usual channel op. Then you join, and pretend to be that person. You ask for ops, saying its a borrowed account, or you just wait for someone to op you.
What to do about it:
Yes, it seems incredible, but *lots* of people will op on nick alone. The moral is *always* do a /whois before opping someone. Most scripts op on user@host. Beware of using a script to auto-op people as usernames can be faked.
If you are using the nick Wally, and someone on a split server chooses that nick, when the servers rejoin, you are both always automatically /killed (kicked off of IRC) by each other's server. Hackers are OK with this, because they make sure the thing that is taking your nick is just a bot. They themselves are not killed because you were not expecting them and did not put up a bot that used their nickname. Obviously, when you were killed, you lost ops on whatever channel you were on, so you were no longer in a position to defend the channel. If the nick collider successfully collides every op on the channel, then nobody is around to deop him when he gets opped by the server. Since he's the only op, he wins...sort of.
Why sort of? Well, this kind of thing always happens when the net is unstable. Thus, he may successfully collide everyone, only to split off again. If you can regain ops during that interval and change your nick, you have a chance to avoid getting collided again. The smarter hackers, though, often have spies -- either their own clients or someone else's -- sitting on the channel on your side of the split, telling the hacker who the ops are.
What to do about it:
A server may split and no one from your channel is on that server. If someone joins it while the server is split, they get ops (because as far as that server is concerned, no one was there). When the server rejoins, it will tell all the other server those people have ops.
What to do about it:
Always de-op people who come in opped from split servers. You can always op them later. If you are serious about your channel, you should run a bot that does this, else you can get scripts that can do it.
If someone comes in opped, you de-op them, they leave the channel, and a few minutes later, back they are again, opped...ban them. Once is accident, twice is hacking. To get opped twice like that, they would have either had to deop you on their server, which is bad, or they would have had to leave the channel and rejoin again during the split -- a lot of effort to go to, and for not much good purpose, except to grab ops. [Of course if you know them, use discretion - maybe /msg them see what is going on.]
This basically boils down to you having ops on one half of IRC, and the hackers having ops on the other half or nobody having ops on the other half. **Also see the section on servers.
What to do about it:
The solution is simple (in theory): If you have ops on your side, make the channel +i. Then kick everyone off. Finally, leave and come back (come back QUICKLY!). You will be reopped on all servers, because your server will perceive you as being the only person on the channel (everyone else was kicked off, as far as your server is concerned). The side on which you were not opped will see:
*** Hutch has left channel #IndecentProPosals
*** Mode change "+o Hutch" on channel #IndecentProPosals by irc.charter.net
Can this go wrong? You bet it can. If someone -- anyone, from any connected server -- joins the channel between the time you leave and the time you come back, THEY -- not you -- get opped from your server. Worse, YOU don't get opped. When you join, you see:
*** Hutch (~hutch@charter.net) has joined channel #IndecentProPosals
This is a sure sign you timed it wrong. If the other person is the hacker, you are in deep trouble, if they are a normal user you can try and persuade them to leave. Also, bear in mind that this is not a particularly useful tactic against reasonably competent hackers. Such hackers will simply put up bots that auto-deop server ops. When they see your server op you, they'll deop you and you'll be right back where you started.
2.6.2. Clearing bans
To check what bans are on the channel, type2.6.3. Why a ban may not work
Sometimes you ban someone, and they come right back onto the channel anyway. This could be that you didn't ban them properly in the first place! But if the ban looks OK, then there may be something else.2.6.3.1. Too many bans
A channel can only hold 20 bans at a time. If you try and ban someone and there are already 20 bans up, then you won't get a mode changed message, you won't get anything at all. If that happens, then clear one or more bans, and try again.2.6.3.2. Similar bans
If there is already a ban in place that is similar to the one you are trying to place, then yours won't work. Remove the bad or redundant ban, and try again. How similar is similar, you ask? Well, a ban is deemed "too similar" if the nickname portion or the user and host portion of the ban match the parameters of any other already existing ban.2.6.3.3. Desynched servers
This is a nasty problem. If a server becomes desynched, then a hacker can get on the channel on that server because the ban you just placed won't be in the split server's memory. Thus, the hacker can leave and rejoin at will, and to you, it looks like the hacker joined, ban or no ban. See Section 1.3 What happens when a server splits.2.6.2.4 Split servers
When a split server rejoins, all the people on the split server join the channel on the other server, period. Bans do not matter. You can kick them off once they have joined, of course, but bear in mind that this is not always a good idea, necessarily, especially during a takeover attempt, because they will still be able to see what you say, but you won't see what they are saying! By the way, there is no announcement that the person that just joined did so because of a split -- it looks exactly like a regular join.3. How hackers take channels (and what to do about it)
Time for a little soapbox sermon, on IRC takeovers and counter-strategy. IRC channel takeovers happen. Why? Bored dweebs with way too much free time, looking for "thrills." People who feel the current channel ops have insulted or annoyed them. People just seeing if they can. Your options? Basically, you can try one of three options:3.1. Op/friend impersonation
What it is:3.2. Nick colliding
What it is:3.3. split server
What it is:3.4. desynched server
What it is:
*** Hutch (~hutch@charter.net) has joined channel #IndecentProPosals
*** Users on #IndecentProPosals: Hutch @WallyWorld
Home