Port 6667: IRC — Where the Internet Learned to Talk

Port 6667 carries IRC traffic. Internet Relay Chat. When you connect to an IRC server, your client opens a TCP connection to this port, sends a NICK command with your chosen name, a USER command with your identity, and suddenly you exist in a distributed network of conversations spanning the globe.

This is how the Internet learned to be social.

The Protocol

IRC operates on a client-server model with a twist: servers connect to each other in a spanning tree architecture, forming a network.¹ When you send a message to a channel, your server relays it to connected servers, which relay it to their connected servers, until every user in that channel on every server receives your words.

The commands are beautifully simple. JOIN #channel. PART #channel. PRIVMSG #channel :Hello, world. QUIT :Goodbye.² Text flows through the tree. No fancy encoding. No rich media. Just characters on a wire.

NICK doctor
USER doctor 0 * :The Doctor
JOIN #tardis
PRIVMSG #tardis :Hello, I'm the Doctor.

That is all it takes to enter a conversation. The protocol trusts you to identify yourself. The server trusts other servers to relay accurately. The spanning tree trusts that messages will find their way. This simplicity is both IRC's greatest strength and its fatal vulnerability.

The Origin

In August 1988, a Finnish computer science student named Jarkko Oikarinen was working at the University of Oulu, administering a Sun-3 Unix server called tolsun.oulu.fi.³ He did not have much work to do. The server ran a BBS called OuluBox, which had a broken multi-user chat program called MUT (MultiUser Talk). Rather than fix it, Oikarinen decided to write something better.

He borrowed code from friends. Jyrki Kuoppala had written a program called rmsg for sending messages between machines. Jukka Pihl had written the original MUT. Oikarinen combined their ideas with inspiration from Bitnet Relay Chat and wrote the first IRC server and client.⁴

The exact birthday is unknown. According to Oikarinen: "The birthday of IRC was in August 1988. The exact date is unknown, at the end of the month anyways."⁵

The first IRC server was tolsun.oulu.fi. Within months, IRC had spread across Funet (the Finnish university network), then to Nordunet (the Scandinavian Internet), then to the rest of the world. By mid-1989, forty servers were online. A summer project had become infrastructure.

Why Port 6667?

IANA officially assigned port 194 to IRC.⁶ Almost nobody uses it.

The reason is Unix privilege. On Unix-like systems, ports below 1024 are privileged: only root can bind to them. Running an IRC server as root is a security nightmare. So administrators chose unprivileged ports instead. Port 6667 became the de facto standard through early community adoption, with neighboring ports 6660-6669 and 7000 commonly used for additional connections.⁷

This pragmatic choice became permanent. RFC 7194, published in 2014, acknowledged reality and formally registered port 6697 for IRC over TLS/SSL.⁸ But 6667 for plaintext remains the port that matters.

How IRC Changed History

On August 18, 1991, hardline Communist Party members attempted to overthrow Mikhail Gorbachev and reverse his reforms. They imposed a media blackout. Traditional news channels went dark.

IRC did not.⁹

Users inside the Soviet Union connected to IRC and reported what they were seeing in real time. The coup attempt was broadcast to the world through port 6667 while state media showed nothing. When the coup failed three days later, IRC had proven that distributed communication could route around censorship.

The same pattern repeated during the Gulf War. IRC logs from January 1991 document real-time discussions as events unfolded.¹⁰ Before Twitter, before live-streaming, there was a Finnish student's chat protocol carrying the news.

The Netsplit

IRC's spanning tree architecture has a failure mode called a netsplit. When the connection between two servers breaks, the network fractures into isolated segments. Users on different sides of the split cannot see each other. When servers reconnect, chaos ensues: nickname collisions, channel state conflicts, desynced permissions.¹¹

Attackers learned to exploit this. "Split riding" involves joining a private channel during a split, then gaining illegitimate access when servers reconnect. DDoS attacks can deliberately cause splits. The spanning tree that enables IRC's distributed nature also creates its greatest vulnerability.¹²

Networks developed countermeasures. Split mode prevents channel creation during detected splits. Timestamp protocols resolve conflicts. But the fundamental architecture remains: a tree can always be cut.

The Dark Side

IRC's simplicity made it perfect for botnets.

An IRC botnet works like this: malware infects machines and programs them to connect to a specific IRC server and channel. The bot herder sends commands through that channel. Thousands of compromised machines execute in unison.¹³

DorkBot, one of the most sophisticated IRC botnets, could steal credentials, spread via USB drives and social networks, launch DDoS attacks, and download additional payloads.¹⁴ The same protocol that enabled open source collaboration enabled coordinated cybercrime.

Defenders learned to monitor port 6667 for suspicious traffic patterns: non-human behavioral characteristics, automated responses, coordinated activity.¹⁵ But by then, attackers had moved to more sophisticated command-and-control infrastructure. IRC botnets still exist, but they are considered primitive compared to peer-to-peer architectures that have no single point of failure.

The Cathedral of Open Source

For two decades, IRC was where open source happened.

Freenode, the largest IRC network dedicated to free and open source software, hosted thousands of channels.¹⁶ Linux kernel developers gathered on #kernelnewbies.¹⁷ Every major project had its channel: Ubuntu, Debian, Fedora, FreeBSD, Python, Ruby, Perl. Bug reports, design decisions, code reviews, flame wars, friendships: all of it flowed through port 6667.

The network was not supposed to belong to anyone. It belonged to the community. That perception shattered in 2021 when ownership disputes led to mass resignations of volunteer staff.¹⁸ Over a thousand projects migrated to a new network called Libera Chat.¹⁹ The old network took control of hundreds of channels that had announced migration plans, an act the Gentoo project called "open hostility."²⁰

IRC survived. But the world had moved on. Slack offered integrations. Discord offered voice chat and rich media. Matrix offered end-to-end encryption. The features IRC never added were the features everyone wanted.

The Protocol Today

IRC still runs. Libera Chat serves the free software community.²¹ OFTC hosts Linux kernel discussions. Smaller networks serve niche communities. Some estimate a quarter million users remain active across networks.²²

But the glory days are over. The protocol that carried real-time news from collapsing empires, that coordinated open source development, that taught a generation how to exist online together, has been superseded by platforms with better user experience and worse principles.

IRC was designed for resilience, not profit. It has no algorithmic feed. No engagement optimization. No advertising. No data harvesting. No lock-in. Any client can connect to any server. The protocol is documented in public RFCs. Everything is text.

These are features, not limitations. They just are not features the market values.

Related Ports

Security Considerations

Plaintext by Default: IRC traffic on port 6667 is unencrypted. Nicknames, messages, and passwords travel in cleartext. Use port 6697 with TLS for any sensitive communication.

No Native Authentication: IRC's identity model is based on trust. Anyone can claim any nickname unless the network implements registration services. Nickname collisions during netsplits can be exploited.

Command and Control: Port 6667 is commonly associated with botnet traffic. Unexpected outbound connections to this port warrant investigation.

No End-to-End Encryption: Even with TLS, messages are decrypted at the server. Server operators can read everything. IRC was designed for public conversation, not private communication.