Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU>
Date: Thu, 2 Sep 2004 16:28:36 -0500


Richard Gadsden wrote:
> We've already seen bots using non-standard ports for their IRC traffic.
>
> Blocking of the standard IRC ports by some sites has had an unintended
> consequence, namely, it has introduced a selective pressure into the
> environment, forcing the bot coders to adapt by adding support for
> non-standard ports, in the process making their bots harder to detect.
>
> Having feared (and now having observed) this adaptation, we've resisted
> the urge to block the standard IRC ports, believing that any benefit would
> likely be short-lived, and not worth the pain.


In our experience we've found the opposite: they're now considerably
easier to detect, as they're the only traffic. Prior to the block, we
also had to sort through the legitimate IRC traffic as well.

Cheers,
-Dave

--
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office    |
|  Office of the VP for Information Technology, Indiana University   |
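
Added example, not part of the original message and not Indiana University's tooling: once legitimate IRC is gone from the network, any session that still performs an IRC registration stands out, whatever port it uses. This sketch matches on protocol content rather than port; the session records, field names and function names are constructed for illustration.

```python
import re

# IRC client commands sent during registration and channel join (RFC 1459).
IRC_LINE = re.compile(rb"^(NICK|USER|PASS|JOIN) ([^\r\n]+)\r?$")

def irc_registration(payload: bytes):
    """Return {command: args} if the first client lines form an IRC
    registration (both NICK and USER present), else None."""
    seen = {}
    for line in payload.split(b"\n")[:6]:
        m = IRC_LINE.match(line)
        if m:
            cmd = m.group(1).decode()
            seen.setdefault(cmd, m.group(2).decode(errors="replace"))
    # FTP logins also send USER and PASS, so require NICK as well as USER.
    if "NICK" in seen and "USER" in seen:
        return seen
    return None

def flag_irc_sessions(sessions):
    """Flag sessions by protocol content; the destination port is
    reported but never used to make the decision."""
    hits = []
    for s in sessions:
        reg = irc_registration(s["payload"])
        if reg:
            hits.append((s["src"], s["dst"], s["dport"], reg["NICK"]))
    return hits

# Constructed sample: first client bytes of four outbound TCP sessions.
SAMPLE_SESSIONS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"},
    {"src": "192.0.2.23", "dst": "198.51.100.77", "dport": 8080,
     "payload": b"NICK xk-4821\r\nUSER xk 0 * :xk\r\nJOIN #example\r\n"},
    {"src": "192.0.2.31", "dst": "198.51.100.9", "dport": 21,
     "payload": b"USER anonymous\r\nPASS guest@example.org\r\n"},
    {"src": "192.0.2.44", "dst": "198.51.100.80", "dport": 443,
     "payload": b"PASS example\r\nNICK zz-0017\r\nUSER zz 0 * :zz\r\n"},
]

if __name__ == "__main__":
    for src, dst, dport, nick in flag_irc_sessions(SAMPLE_SESSIONS):
        print(f"IRC registration {src} -> {dst}:{dport} nick={nick}")
```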