Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU>
Date: Fri, 3 Sep 2004 08:53:28 -0500
Richard Gadsden wrote:
> Granted, that is true. But what about the "stealthier" bot species that have since, in order to evade the port block countermeasure, moved their IRC traffic flows to non-standard ports? Are you able to detect those IRC traffic flows?
Obviously it's not possible to identify bots by their encrypted IRCD traffic. They're undetectable regardless of what blocks are in place, though. In our experience, detection of these hosts is generally done when they misbehave (scanning the rest of the subnet, bruteforcing accounts, or DDoS'ing other hosts) rather than by just communicating. Unfortunately this means that the host has to cause other trouble on the network before it can be identified as malicious.

So far, 90%+ of our bots have not been SSL wrapped, nor have they used SSL-capable IRCDs. None of the major problem networks support SSL; in fact, to my knowledge none of the major IRCD codebases support it. Most of the bots we see are used for XDCC. Since it would be difficult to get people to join some random rogue IRCD to get their warez/etc., these bots are generally pointed at known IRC networks that don't use SSL-wrapped services.

So while I agree that blocking these ports does nothing to help detect the rare bot using encryption, I will say that it has been effective for what is 95% of the problem. It only took a few minutes to put the blocks in place, and when SSL-capable IRC networks become commonplace we'll have to adjust our method. In the meantime it has reduced our bot problem by easily 90%.

Cheers,
-Dave

--
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
| Lead Security Engineer, Information Technology Security Office |
| Office of the VP for Information Technology, Indiana University |
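As an added illustration of the detection gap Gadsden raises and of Monnier's point about SSL-wrapped bots, here is a content-based check that flags cleartext IRC on any port and marks TLS flows as opaque to inspection. This is example code written for this archive page, not code from the thread or from Indiana University; the flow samples are constructed.

```python
import re

# Constructed sample flows (not from the thread): name -> (dst_port, first client-to-server bytes)
SAMPLE_FLOWS = {
    "standard-port": (6667, b"NICK xdcc|bot042\r\nUSER bot 0 * :bot\r\nJOIN #filez\r\n"),
    "non-standard":  (18067, b"NICK zz0913\r\nUSER zz 8 * :zz\r\nJOIN #c0ntrol\r\nPRIVMSG #c0ntrol :hello\r\n"),
    "plain-http":    (8080, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    "tls-wrapped":   (6697, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 20),
}

# IRC client registration and channel commands that open a cleartext session (RFC 1459 / 2812).
IRC_CMD = re.compile(rb"^(?:NICK|USER|PASS|JOIN|PRIVMSG|PONG|MODE|CAP)\b", re.I)

# Well-known IRC ports that a port block would typically cover (assumed list for this example).
DEFAULT_IRC_PORTS = (6665, 6666, 6667, 6668, 6669, 7000)


def classify_payload(payload: bytes) -> str:
    """Classify the first client bytes of a flow by content alone, ignoring the port."""
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03:
    # the IRC inside cannot be seen, which is exactly the case Monnier calls undetectable.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls-opaque"
    # IRC lines are CRLF-terminated; require at least two IRC commands in the first few lines
    # so a single stray word such as "MODE" in some other protocol does not trigger a hit.
    lines = payload.split(b"\r\n")[:6]
    hits = sum(1 for line in lines if IRC_CMD.match(line))
    return "irc-cleartext" if hits >= 2 else "other"


def audit_flows(flows):
    """Return {name: (port, verdict)} for every flow, whatever port it used."""
    return {name: (port, classify_payload(data)) for name, (port, data) in flows.items()}


def non_standard_irc(flows, irc_ports=DEFAULT_IRC_PORTS):
    """Names of flows that look like cleartext IRC but avoid the ports a block list covers."""
    return [name for name, (port, verdict) in audit_flows(flows).items()
            if verdict == "irc-cleartext" and port not in irc_ports]


if __name__ == "__main__":
    for name, (port, verdict) in audit_flows(SAMPLE_FLOWS).items():
        print(f"{name:14s} port={port:<6d} {verdict}")
    print("cleartext IRC evading the port block:", non_standard_irc(SAMPLE_FLOWS))
```

Flows classified as tls-opaque still have to be caught by the behavioural signals the reply describes (scanning, brute-forcing, DDoS), since their content gives nothing to match on.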