Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Richard Gadsden <gadsden () MUSC EDU>
Date: Thu, 2 Sep 2004 16:11:01 -0400

On Thu, 2 Sep 2004, Gary Flynn wrote:

> Dave Monnier, IT Security Office, Indiana University wrote:
>
> > As an operational solution to our bot problem, we've blocked all IRC
> > known ports at the border and require users to use the campus VPN should
> > they want to reach IRC networks.
>
> We blocked them last fall and offered an account on one
> of our hosts if IRC access was desired. I don't remember
> any specific complaints last year. We've had two complaints
> this year.
>
> There is a fair bit of IRC traffic to non-standard ports
> which I hope to classify one day.
(snip)

We've already seen bots using non-standard ports for their IRC traffic.

Blocking of the standard IRC ports by some sites has had an unintended
consequence, namely, it has introduced a selective pressure into the
environment, forcing the bot coders to adapt by adding support for
non-standard ports, in the process making their bots harder to detect.

Having feared (and now having observed) this adaptation, we've resisted
the urge to block the standard IRC ports, believing that any benefit would
likely be short-lived, and not worth the pain.

 --- o ---
 Richard Gadsden
 Chief Information Security Officer
 Medical University of South Carolina
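
The thread's point about bots moving to non-standard ports, as an added example that is not part of the original post: a sketch that labels a TCP flow as IRC from the client's first payload bytes rather than from its destination port. The flow records, the `FLOWS` sample data and the `STANDARD_IRC_PORTS` set are constructed assumptions, not values from the thread.

```python
import re

# Client commands from the IRC protocol (RFC 1459), optionally prefixed.
IRC_LINE = re.compile(
    rb"^(?::\S+ )?(NICK|USER|PASS|JOIN|PRIVMSG|PING|PONG|MODE|NOTICE)(?: |$)",
    re.IGNORECASE)

# Assumption: the "known ports" a border filter would block.
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {7000}


def irc_commands(payload):
    """Return the IRC commands seen in the first bytes of a TCP stream."""
    cmds = []
    for line in payload.split(b"\n"):
        m = IRC_LINE.match(line.rstrip(b"\r"))
        if m:
            cmds.append(m.group(1).decode().upper())
    return cmds


def classify(flow):
    """Label a flow by the protocol it speaks, not the port it uses."""
    cmds = set(irc_commands(flow["payload"]))
    # IRC registration sends both NICK and USER. Requiring the pair keeps
    # the USER/PASS login of FTP or POP3 from being mistaken for IRC.
    if not {"NICK", "USER"} <= cmds:
        return "not-irc"
    if flow["dport"] in STANDARD_IRC_PORTS:
        return "irc-standard-port"
    return "irc-nonstandard-port"


# Constructed sample flows: source, destination port, first client bytes.
FLOWS = [
    {"src": "10.0.0.5", "dport": 6667,
     "payload": b"NICK alice\r\nUSER alice 0 * :Alice\r\n"},
    {"src": "10.0.0.9", "dport": 8080,
     "payload": b"PASS x\r\nNICK a1b2\r\nUSER a1b2 0 * :a\r\nJOIN #chan\r\n"},
    {"src": "10.0.0.7", "dport": 21,
     "payload": b"USER anonymous\r\nPASS guest\r\n"},
    {"src": "10.0.0.8", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.edu\r\n\r\n"},
]


def report(flows):
    """Return (src, dport, label) for every flow."""
    return [(f["src"], f["dport"], classify(f)) for f in flows]


if __name__ == "__main__":
    for row in report(FLOWS):
        print(*row)
```

This inspects cleartext payload only, so IRC carried inside TLS or an obfuscated channel is labelled `not-irc` and needs a different signal.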

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
