#irchelp

More Nuke Information and Patches

This page is out of date and no longer being maintained. It will continue to be available for historical reference only.

[ introduction | more info & patches | tracing & monitoring ]

This page provides a brief description for all the common denial of service attacks commonly seen in IRC. The following are listed in approximately reverse chronological order (most recent attacks first):

  1. SMB
  2. bonk
  3. land
  4. teardrop
  5. click
  6. ssping
  7. WinNuke
  8. ICMP Flood
  9. smurf

Windows 95/NT users should first read the Introduction section which will show you a series of steps that will protect you against many common nukes.

Macintosh users should rejoice. MacOS is impervious to most OS attacks. Be sure you’re using OpenTransport (not MacTCP) under MacOS 8.x and you should be safe.

Linux users are also in good shape if you’re running a reasonably current kernel (at least 2.0.33 and 2.1.73).

SMB

Aliases/variants: Server Message Block (SMB) logon attack

Affects: Windows NT4

Symptoms: System hang or restart. Widespread attacks especially against .edu and .gov sites in spring of ‘98.

Patches and Info: See the Microsoft help page last updated 4/10/1999.

bonk

Aliases/variants: boink, newtear, teardrop2

Affects: Windows 95 / NT4

Symptoms: Blue screen freeze and crash. If you have been patched since 12/97 against the other nukes below and as of 1/8/98 suddenly started to get the blue screen, you’re probably being “bonked”.

Patches: Microsoft just released a new patch for Win 95 winsock 2 that covers this attack (after nearly 2 months!). Patches already exist for Win NT4 and Win 95 Winsock 1 at the #mIRC nuke information page.

For more info: See Microsoft’s bulletin last updated in late February.

land

Affects: Windows 95 / NT / 3.11, many others

Symptoms: Freeze and crash. You’re probably being “landed” if you were nuke-safe until mid-November or if you’re already patched against the other nukes.

Patches: Windows 95/NT, see the Operating System Attacks in Introduction.

For more info: See the excellent article from Wired News.

teardrop

Aliases/variants: tear, TCP/IP fragment bug, overlapfrag bug

Affects: Windows 3.1/95/NT, Linux (before 2.0.32 and 2.1.63)

Symptoms: Immediate crash or reboot. If you know you’re safe against “winnuke” and “ssping” below and you still crash, you are probably suffering from either “land” or “teardrop”. If you just get disconnected it’s probably “click”.

Patches:

  • Windows 95/NT: see Operating System Attacks in Introduction.
  • Linux: upgrade to 2.0.32 / 2.1.63 or later.

For more info: Visit the teardrop page at WinPlanet.

click

Aliases/variants: [the original] nuke, ICMP nuke, ICMP_REDIRECT or ICMP_DEST_UNREACH spoof, WinNewk/WinNewk-X

Affects: All IRC users unless protected by firewall or other filter.

Symptoms: You are disconnected from the IRC server but otherwise your connection to your ISP is fine. Your computer does not crash. Others will usually see you quit with the message “Connection reset by peer” although other networking related error messages are also possible.

Patches: There is no patch against this networking attack, although certain “personal” firewall products can stop these attacks (see Networking Attacks). Otherwise, you can try using different server ports other than 6667 every time you connect, or try using other servers, since some seem to be less vulnerable than others.

ssping

Aliases/variants: jolt, sPING, ICMP bug, IceNewk, “Ping of Death”.

Affects: Windows 95 / NT, and many others!

Symptoms: Computer locks up, usually requiring a reboot (reset switch such as ctrl+alt+del doesn’t work). After restart, computer runs as usual.

Patches:

For more info: See the ssping pages at WinPlanet and winfiles.com.

WinNuke

Aliases/variants: Windows OOB bug.

Affects: Windows 95 / 3.11 / NT

Symptoms: “Blue Screen” (virtual device driver) error. Computer usually recovers, but Internet connection doesn’t, requiring reboot (usual shutdown procedure should work). May also cause computer to lock up.

Patches:

  • Win95/NT: see Operating System Attacks in Introduction
  • Win 3.1x (courtesy of Tjerk Vonck):
    1. Find SYSTEM.INI on the boot drive of your computer
    2. Directly under the caption [MSTCP] in SYSTEM.INI insert this line: BSDUrgent=0

For more info: See the winnuke pages at WinPlanet and winfiles.com.

ICMP flood

Aliases/variants: ping flood, ICMP_ECHO flood

Affects: all modem connections

Symptoms: Modem lights go berserk indicating overflow of information, Internet applications get very slow, after 15-60 secs you get disconnected (from your server or even your provider). Everything is fine after reconnect (unless you get flooded again), no crash or reboot.

Patches: There are no patches available or possible, since this attack directly exploits the low capacities of your modem. For more information, see the firewall section of Networking Attacks.

smurf

Affects: whole provider or IRC server

Symptoms: Imagine ICMP flooding for an entire provider or server. Everybody connected gets bogged down and kicked off, attack can last for hours or days.

Patches: There is nothing you can do to defend yourself against this, but if you do have any information on who is doing the attack, contact the admins at your ISP or IRC server (whichever is being attacked). Again, no personal firewalls can protect you (see Networking Attacks for explanation).

For more info: See the WinPlanet article which is based on a guide by Craig Huegen .

Hot Links

The following links contain more detailed information about these attacks. Many of these sites contain multiple pages devoted to each type of attack, so take your time and browse around carefully.