Incident response

Internet Relay Chat (IRC) protocol with Wireshark

Howard Poston
December 11, 2019 by
Howard Poston

Internet Relay Chat (IRC) uses a client-server model to provide a chatroom. A single IRC server is set up, and users connect to the server via IRC clients. The protocol allows users to set usernames on the server and engage in private chats or group chats via different IRC channels.

IRC is a plaintext protocol that is officially assigned port 194, according to IANA. However, running the service on this port requires running it with root-level permissions, which is inadvisable. As a result, the well-known port for IRC is 6667, which is a high-number port that does not require elevated privileges. However, an IRC server can also be configured to run on other ports as well.

Learn Network Traffic Analysis for Incident Response

Learn Network Traffic Analysis for Incident Response

Get hands-on experience with nine courses covering how to collect, identify, extract and analyze network traffic.

IRC is a simple but powerful protocol for text-based chat. However, its usage has declined over time as alternatives (like Slack) have become popular. While the presence of IRC on the traffic does not necessarily indicate an attack, it might be worth investigating since IRC is commonly used for communication by botnets.

The IRC protocol in Wireshark

IRC traffic can be filtered in Wireshark using the irc command. However, this cannot be used during live capture (like many protocol-based filters), so it is recommended to filter based on IRC ports (like 6667 instead).

As shown in the image above, IRC is a text-based protocol. A client can send a certain command (like NICK) along with a set of optional parameters. The server will then respond with a response code and optional data regarding the status of the request or containing the information that the user wanted.

By default, IRC is a plaintext protocol, meaning that anyone with access to an organization’s network traffic could read the data flowing over IRC. However, it is possible to run IRC while encrypted with TLS/SSL as well. The official convention for encrypted IRC traffic is to run it on 6697. But like the plaintext version, it can be run on any port.

IRC protocol analysis for incident response

While legitimate usage of IRC has declined over time, the protocol is not dead. The features that IRC provides are uniquely suited to command-and-control for botnets.

A botnet is a collection of computers that is under the control of a “botnet herder.” These machines are typically used to perform a synchronized attack against some target. A common use of botnets is to perform Distributed Denial of Service (DDoS) attacks, where the botnet tries to overwhelm a target with more traffic and data than it can handle, degrading or destroying its ability to respond to legitimate requests.

Managing a botnet requires the ability to send commands to each member. For example, a botnet herder may need to inform the botnet of the time and target of a DDoS attack.

IRC is ideal for botnet C2 because IRC channels act as “broadcast” communications. When a botnet herder posts in a channel that the members of the botnet are listening to, all of them receive a copy of the command. This provides a simple solution to botnet C2, since the attacker only needs to maintain an IRC server capable of handling the volume of traffic created by the bots. If necessary, a botnet herder can create multiple channels to provide different instructions to subsets of the botnet.

However, IRC is not limited to one-way communications. IRC allows anyone to post in a channel, and the concept of usernames allows each member of a botnet to be uniquely identified. This allows a botnet herder to programmatically collect and track exfiltrated data or intelligence from different bots based upon the username used in a post.

Botnet herders typically host their C2 server outside of the target network, but compromised systems (like deployed Internet of Things devices) may be inside an organization’s network. Monitoring for IRC traffic on the network can help to detect and remediate these compromised systems.

Monitoring IRC traffic in Wireshark

While IRC is still in use in some organizations, it has largely fallen out of use in favor of more sophisticated chat tools like Slack.  When monitoring network traffic, looking for IRC traffic can be valuable for incident detection and response since it may be an indicator that internal devices have been compromised and are members of a botnet.

Learn Network Traffic Analysis for Incident Response

Learn Network Traffic Analysis for Incident Response

Get hands-on experience with nine courses covering how to collect, identify, extract and analyze network traffic.

Sources

Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.