Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU>
Date: Thu, 2 Sep 2004 10:19:19 -0500


Hearn, David L. wrote:


Hello all,

With the profusion of IRC related BOT exploits, we are researching an
IRC\IM proxy implementation. Since these services do have legitimate
usage, we are leery of disabling universally. We also believe a proxy
would mitigate some of the issues we are experiencing. If anyone out there
has such a solution in production, and has any advice, documentation, or
links regarding the process, issues and effectiveness, I would
appreciate a jump-start. Thanks for your time and consideration.

David Hearn


I suspect you will find a proxy to be a source of complaint from your
users.  Most every legitimate IRC network checks for clones by IP.
Generally they put a limit on how many connections can originate from an
IP.  If your user base is all using the proxy, they will find that most
people will be denied access to the IRC network due to all sharing the
same IP.

As an operational solution to our bot problem, we've blocked all IRC
known ports at the border and require users to use the campus VPN should
they want to reach IRC networks.  This allows us to ensure that people
who are connecting to IRC networks do so knowingly (not via a bot) and
at the same time allow us to spot rogue IRCD traffic.

We've also considered poisoning our own DNS to tarpit systems trying to
resolve known bad IRC networks (rizon, criton etc).  Redirecting these
hosts to our own ircd where they can be handled appropriately.

Cheers,
-Dave

--
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office    |
|  Office of the VP for Information Technology, Indiana University   |
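
The block-at-the-border plus VPN approach described in the message above turns every IRC connection attempt that does not come from the VPN into a detection signal. The following is an added example, not part of the original post or any Indiana University tooling; the campus range, VPN pool, port list, and flow-record format are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values for this example (none come from the original post).
CAMPUS = ipaddress.ip_network("10.0.0.0/8")
VPN_POOL = ipaddress.ip_network("10.99.0.0/16")
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed flow records: time src sport dst dport action
SAMPLE_FLOWS = """\
2004-09-02T10:00:01 10.1.4.20 1034 192.0.2.10 6667 DENY
2004-09-02T10:00:09 10.1.4.20 1035 192.0.2.10 6667 DENY
2004-09-02T10:00:12 10.99.3.7 2210 198.51.100.5 6667 ALLOW
2004-09-02T10:01:30 10.2.8.15 1100 203.0.113.9 80 ALLOW
2004-09-02T10:02:00 203.0.113.77 4021 10.3.1.50 6667 DENY
2004-09-02T10:02:44 10.1.9.9 3321 10.3.1.50 6667 ALLOW
2004-09-02T10:03:10 10.5.5.5 1500 192.0.2.10 7000 DENY
"""

def classify(flows_text):
    """Return (bot_suspects, ircd_suspects), each a dict of ip -> flow count."""
    bots, ircds = defaultdict(int), defaultdict(int)
    for line in flows_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        _, src, _, dst, dport, _ = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if port not in IRC_PORTS:
            continue
        if dst_ip in CAMPUS:
            # A campus host is being contacted on an IRC port: possible rogue ircd.
            ircds[dst] += 1
        elif src_ip in CAMPUS and src_ip not in VPN_POOL:
            # Off-campus IRC attempt that bypassed the VPN: possible bot.
            bots[src] += 1
    return dict(bots), dict(ircds)

if __name__ == "__main__":
    bots, ircds = classify(SAMPLE_FLOWS)
    print("possible bots:", bots)
    print("possible rogue ircd hosts:", ircds)
```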

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
