Internet Relay Chat Flood - Clones

Clones

Abusers do not typically flood from their own nicknames, for the following reasons:

  • They can easily be K-lined by administrators ('IRCops,' 'ServerOPs' or 'SOPs'),
  • They can be banned from channels by operators ('ChanOPs' or 'OPs'),
  • A flood from a single user is often not effective (the limits apply to the attacker as well).

Instead, clones are used: script- or program-controlled clients designed primarily to abuse others. With this method it becomes easier to attack a user with many clones at the same time. Generally, the more clones an attacker has, the greater the chance of an attack succeeding. However, the maximum number of connections from any one IP address is generally limited by the IRC network (either at the IRCD level or the services level).

One common way to increase the number of clones is to use open proxies. These are usually SOCKS or Squid-based proxies, which support IRC connections by default. An attacker with a list of open proxies can connect clones through them to various IRC servers. Alternatively, compromised systems can be used to make the connections.

To prevent this, some IRC servers are now configured to probe common proxy ports on the client at the very beginning of the connection. If a proxy request succeeds, the server immediately drops the user (or clone). Many other IRC networks use a separate proxy scanner such as BOPM, which scans users as they join the network and kills or G-lines any user on whose host it detects an open proxy. However, this offers no protection against compromised systems or proxies on nonstandard ports (a full 65535-port scan isn't typically feasible, both for performance reasons and because it risks setting off intrusion detection systems), so most networks that do port scans also check whether the connecting client is listed in specific DNSBLs, such as the Tor DNSBL.
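The two connection-time checks described above, a per-IP clone limit and a DNSBL lookup, as an added example (not from the original page, and not code from any IRCD or from BOPM). The class and function names, the zone `dnsbl.example.net` and the sample addresses are assumptions; a listed address is assumed to answer with an A record in 127.0.0.0/8, the usual DNSBL convention.

```python
import ipaddress
import socket
from collections import Counter

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers fall in this range

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets (or IPv6 nibbles) and append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """Return the A record as a string, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

class ConnectionGate:
    """Hypothetical admission check: per-IP clone limit first, then DNSBL lookup."""

    def __init__(self, zones, max_per_ip, resolve=system_resolver):
        self.zones, self.max_per_ip, self.resolve = zones, max_per_ip, resolve
        self.live = Counter()  # open connections per normalised address

    def is_listed(self, ip):
        for zone in self.zones:
            answer = self.resolve(dnsbl_query_name(ip, zone))
            if answer and ipaddress.ip_address(answer) in LISTED_NET:
                return True
        return False

    def connect(self, ip):
        key = str(ipaddress.ip_address(ip))  # one key per address, whatever its spelling
        if self.live[key] >= self.max_per_ip:
            return "reject-clones"
        if self.is_listed(key):
            return "reject-dnsbl"
        self.live[key] += 1
        return "accept"

    def disconnect(self, ip):
        key = str(ipaddress.ip_address(ip))
        if self.live[key] > 0:
            self.live[key] -= 1
```

Passing a dictionary's `get` method as `resolve` lets the gate be exercised offline against constructed DNSBL answers.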
