Spot The Fed: Online Edition

isolating the feds from the fodder

(Uncloaking IP Addresses on IRC)

Name of the Game

The objective of this contest is to uncloak the IP address of an individual on IRC and thereby reveal an unusual DNS hostname, such as one belonging to a government, military or law enforcement network, or another rare/obscure fully qualified domain name or previously unknown subdomain. Numeric IPv4 and IPv6 addresses may also qualify if they fall within a specially allocated CIDR block. The winner will be the first participant to submit a thought-provoking address that was discovered by uncloaking an unusual client hostname on IRC.


Security Conference Presentations

The presentation slides used at Derbycon 3.0 ("All in the Family") and Security B-Sides Delaware 2013 can be downloaded here. Vulnerability research materials from other projects I've worked on are mirrored there as well. Those who attended my talk at either conference are already aware that circumventing the hashed "cloak" string that is supposed to hide IRC client hostnames is more than a possibility--it's a reality.


Severity & Impact


The problem is widespread and has existed for many years, as evidenced by CVE numbers from years past. Derek Callaway's research has shown that many popular IRC networks are affected; in particular, the networks frequented most by software developers, system administrators, underground hackers and the security community at large. Among the tested samples, the chat daemons reachable through the following round-robin DNS resource records are vulnerable: irc.freenode.net, irc.mozilla.org, irc.anonops.com and irc.rizon.net. These are only a few tested samples; there will never be a comprehensive list, given the global availability and unpredictable nature of contemporary IRC servers.

Vulnerability Analysis


The hole has persisted for such an extended period, unaffected by new software versions, because of inherent weaknesses in the standardized design and the protocol practicalities of Internet Relay Chat's implementation, dating back to the rise of the Eris-Free network (EFnet) to notoriety during Operation Desert Shield in the lead-up to the First Gulf War. In essence, client host leaks manifest by nature: the lack of access control is rooted in a long history of architectural insecurity. Moreover, the attack can be carried out discreetly in what I've termed a "hideout" channel, a channel under the attacker's control where the probing mode changes go unnoticed. This stealth further compounds the attacker's control over the situation.


Exploit Runtime Optimization

Optimal runtime is achieved by running a binary search against the CIDR prefix-length portion of the ban mask strings sent to the daemon when updating channel modes: each ban mask tested is a yes/no question about whether the target's real address falls inside a given network block, so every answer halves the remaining address space. Efficiency of the channel mode updates is maximized when mode changes are stacked up to the per-command limit the server permits (advertised as the MODES token in RPL_ISUPPORT). The combination of these two techniques alone allows an attacker to uncloak a target's network address in a relatively short time. Once all of the facts described thus far are known and understood, much less effort is needed to extend the exploit's base case into a super-aggressive cyber-weapon of mass exposure.
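As an added illustration of the two optimizations above (example code written for this page, not code from the contest tools or the slides): the search below recovers a hidden address from a membership oracle that answers, for the batch of CIDR ban masks carried by one MODE command, which masks cover the target. What the real daemon reveals to make that answer observable is not specified on this page, so the oracle here is a constructed stand-in that simply knows the target. The target addresses (203.0.113.77, 2001:db8::1) and the per-command limit of 4 are assumptions. The code generalizes the stacking idea: with m masks per command it resolves floor(log2(m+1)) bits per round, because 2^k - 1 disjoint masks are enough to tell which of the 2^k values the next k bits take (if none matches, the one value not sent is the answer).

```python
"""Simulated binary search over CIDR ban masks (added example, not the page's tool)."""
import ipaddress
from typing import Callable, List, Tuple, Union

# An oracle takes the ban masks carried by one MODE command and reports,
# for each mask, whether it covers the target's real (uncloaked) address.
# In the live attack that answer comes from the daemon's reaction to the
# ban; here it is simulated against a known address (constructed stand-in).
Oracle = Callable[[List[str]], List[bool]]


def make_oracle(hidden_ip: str) -> Oracle:
    """Build a stand-in oracle for a target whose real address is hidden_ip."""
    target = ipaddress.ip_address(hidden_ip)

    def oracle(masks: List[str]) -> List[bool]:
        hits = []
        for mask in masks:
            host = mask.rsplit("@", 1)[1]          # "*!*@10.0.0.0/8" -> "10.0.0.0/8"
            hits.append(target in ipaddress.ip_network(host))
        return hits

    return oracle


def ban_mask(prefix_value: int, plen: int, bits: int) -> str:
    """Ban mask for the network whose first plen bits equal prefix_value."""
    net_cls = ipaddress.IPv4Network if bits == 32 else ipaddress.IPv6Network
    net = net_cls((prefix_value << (bits - plen), plen))
    return f"*!*@{net.with_prefixlen}"


def uncloak(oracle: Oracle, bits: int = 32, modes_per_command: int = 4
            ) -> Tuple[Union[ipaddress.IPv4Address, ipaddress.IPv6Address], int]:
    """Recover the target's address; returns (address, MODE commands sent).

    bits is 32 for IPv4 or 128 for IPv6.  modes_per_command is the server's
    per-command limit (assumed 4 here; on a real connection read it from the
    MODES token of RPL_ISUPPORT).
    """
    # 2**k - 1 disjoint masks pin down k bits: if none matches, the one
    # value not sent (all ones) must be the answer.
    k_max = (modes_per_command + 1).bit_length() - 1   # floor(log2(m + 1))
    known, plen, commands = 0, 0, 0
    while plen < bits:
        k = min(k_max, bits - plen)
        masks = [ban_mask((known << k) | v, plen + k, bits)
                 for v in range(2 ** k - 1)]
        hits = oracle(masks)                             # one stacked MODE command
        commands += 1
        matched = [v for v, hit in enumerate(hits) if hit]
        if len(matched) > 1:
            raise RuntimeError("disjoint masks matched twice; oracle unreliable")
        value = matched[0] if matched else 2 ** k - 1
        known, plen = (known << k) | value, plen + k
    addr_cls = ipaddress.IPv4Address if bits == 32 else ipaddress.IPv6Address
    return addr_cls(known), commands


if __name__ == "__main__":
    # Constructed targets: documentation ranges, not real hosts.
    for ip, bits in (("203.0.113.77", 32), ("2001:db8::1", 128)):
        for m in (1, 4):
            addr, n = uncloak(make_oracle(ip), bits, m)
            print(f"{ip}: recovered {addr} in {n} MODE commands at {m} masks/command")
```

With one mask per command the loop is the plain 32-question (IPv4) or 128-question (IPv6) binary search; stacking four masks per command halves that to 16 or 64 commands, and seven masks per command would bring IPv4 down to 11. The RuntimeError branch is the sanity check a practitioner wants: two disjoint blocks can never both contain the target, so a double match means the observation channel is lying (lag, a mode change that did not apply, or the wrong user being measured).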


If one desires, one can collect tens of thousands of IRC client source addresses from a major network and have a little fun observing human reactions when the data finds its way into a very public social media posting. Collecting IRC client hosts on such a large scale calls for introducing a moderate-sized botnet into the equation, since the entire operation needs its actions executed concurrently. Basically, code-level and network-level parallelism should be used to ratchet up the information-warfare intensity at every possible juncture: employ multi-threaded programs, non-blocking I/O, asynchronous function calls, shared memory and other forms of inter-process communication in each stage of the botnet's command-and-control pipeline.


Factors for Consideration

If a well-proportioned and carefully debugged botnet wages infowar against even the largest IRC network, then rest assured that the victory sought will be achieved. The only question that remains is what level of victory is gained. The answer lies in the speed, abilities and size of the opposing forces; in other words, all of the network-wide and server-local IRC operators who weren't idling throughout the entire episode.


Competitive Entry Ideas


Need ideas? Have you thought about uncloaking the IP addresses of the developers of a large software project? They probably all like to idle in the same channel. Is there an international government or military institution with its own backwater IRC network? All eye-catching addresses are eligible as potential contest entries. Trust your intuition, but don't forget to use creativity and imagination. There are no tin foil hats anymore.

    Everything you can think of is true. -Tom Waits

Getting Started


The contest officially ends when the first submission has been received and vetted. To get started, you'll definitely want to download the tools and maybe go over the slides for a refresher. Next, it's time to start uncloaking addresses! Once you have uncloaked an address (or several) that you feel may be intriguing enough, you're ready for the next step: send an e-mail with the details listed below to the following address:

<decal (AT) sdf {D0T} org>


What to Submit


  • Numeric IP address and TCP port number of the server where the target of interest was uncloaked (i.e. the IRC network where the user's hostname cloak was circumvented).
  • The nickname of the IRC user (or bot) that was uncloaked, and a brief description of why their hostname is so interesting if the top-level domain doesn't correspond to a government or military network.
  • Any additional investigative activities conducted, such as GeoIP lookups.

Winner Acclaim


Please e-mail your discovery immediately. Not only will this prevent a preemptive strike from other contestants, it also allows sufficient time for a judgement confirming the submission's authenticity. Multiple data sets can be entered into the contest by e-mailing again at a later time. The individual with the first quality submission will receive an e-mail response congratulating their efforts. Prizes will be snail-mailed within 24 hours. A listing on the contest web site (the page you're looking at now) will declare the winner. An announcement on a public mailing list will also be arranged if and how Mr. or Ms. "Numero Uno" desires.


Derbycon 3.0 "All in the Family"

 [a 50-minute, highly technical presentation covering the issues in detail]

Security B-Sides Delaware 2013

 [a 40-minute, high-level talk explained mostly in layman's terms]