Port 194 (TCP) – IRC (Internet Relay Chat)

What runs on port 194?

Port 194 is the original well-known port for IRC, the Internet Relay Chat protocol that groups users into channels on relay servers for real-time text chat. In practice, modern IRC networks listen on 6667 (plaintext) and 6697 (TLS), but 194 remains the registered assignment. Plain IRC carries messages and logins in cleartext unless TLS is enabled.

Why it matters for security

IRC has a long history as botnet command-and-control. Its simple channel model let malware authors herd thousands of infected hosts that joined a hidden channel and awaited commands — so IRC traffic from servers or workstations is a classic compromise indicator. On the service side, cleartext IRC exposes credentials and messages to sniffing, and IRC servers historically probe ident on port 113 when clients connect.

How it's attacked

Attackers stand up or hijack channels for C2, issuing commands to bot swarms and coordinating DDoS. Cleartext sessions are sniffed for credentials and content. Networks face channel flooding and connection floods, and exposed servers are scanned for open linking that lets an attacker join the network as a rogue server. Defensive monitoring specifically hunts for botnet channel signatures.

Hardening checklist

Require TLS for client and server connections and disable plaintext where feasible. Enforce SASL/NickServ authentication, restrict server linking, and require operator auth. Rate-limit connections to resist flooding. On the network side, monitor for IRC C2 patterns leaving your environment — unexpected outbound IRC is a strong malware signal. The nmap snippet above fingerprints the server and checks for known botnet channels on hosts you are authorized to test.