Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Thu, 2 Sep 2004 18:04:40 -0400
Note that we believe that we have also recently seen another expected evolutionary trend in IRC DDoS "bots" -- not just a use of ports outside the range 6666-7000 -- but the use of encrypted IRC traffic, possibly IRC over SSL (which was going to TCP port 7000 in these cases btw), so as to escape detection by IDSes and human analysis.

- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS

On Sep 2, 2004, at 5:28 PM, Dave Monnier, IT Security Office, Indiana University wrote:
> Richard Gadsden wrote:
>
> > We've already seen bots using non-standard ports for their IRC traffic. Blocking of the standard IRC ports by some sites has had an unintended consequence, namely, it has introduced a selective pressure into the environment, forcing the bot coders to adapt by adding support for non-standard ports, in the process making their bots harder to detect. Having feared (and now having observed) this adaptation, we've resisted the urge to block the standard IRC ports, believing that any benefit would likely be short-lived, and not worth the pain.
>
> In our experience we've found the opposite; they're now considerably easier to detect as they're the only traffic. Prior to the block, we also had to sort through the legitimate IRC traffic as well.
>
> Cheers,
> -Dave
>
> --
> Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/
> Lead Security Engineer, Information Technology Security Office
> Office of the VP for Information Technology, Indiana University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
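The two detection angles this exchange turns on, IRC protocol commands matched regardless of destination port and, for encrypted IRC such as SSL to port 7000, a flow-shape heuristic (many internal hosts holding long, quiet sessions to one external endpoint), as an added Python example that is not code from any poster on this thread; the connection records, addresses and thresholds are constructed.

```python
"""Two complementary IRC-bot detections over constructed connection records.
1. Payload signature: IRC commands on *any* destination port, catching bots
   that moved off 6666-7000.
2. Flow shape: when the payload is opaque (TLS/SSL), look for many internal
   hosts each holding a long, low-volume connection to the same external
   host:port, the fan-in of a bot herd rendezvous.
Example code only; sample data and thresholds are constructed.
"""
import re
from collections import defaultdict

# Constructed records: (src, dst, dport, duration_s, bytes, first_payload_bytes)
CONNS = [
    ("10.1.1.5", "203.0.113.9", 6667, 3600, 4200, b"NICK bot1\r\nUSER a b c :d\r\n"),
    ("10.1.2.8", "203.0.113.9", 31337, 5400, 3900, b"NICK bot2\r\nJOIN #chan\r\n"),
    ("10.1.3.3", "198.51.100.7", 7000, 7200, 2100, b"\x16\x03\x01\x00\x8a\x01"),
    ("10.1.4.4", "198.51.100.7", 7000, 6900, 2300, b"\x16\x03\x01\x00\x8a\x01"),
    ("10.1.5.5", "198.51.100.7", 7000, 7100, 1900, b"\x16\x03\x01\x00\x8a\x01"),
    ("10.1.6.6", "192.0.2.80", 443, 12, 58000, b"\x16\x03\x01\x00\x8a\x01"),
    ("10.1.7.7", "192.0.2.25", 80, 3, 9000, b"GET / HTTP/1.1\r\n"),
]

# IRC client registration / channel commands at the start of a line
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS|PING|PONG)\b", re.M)


def irc_by_signature(conns):
    """Flag IRC protocol commands wherever they appear; the port is irrelevant."""
    return [(c[0], c[1], c[2]) for c in conns if IRC_CMD.search(c[5])]


def looks_like_tls(payload):
    """TLS/SSL handshake record header: content type 0x16, version 3.0 or 3.1."""
    return payload[:3] in (b"\x16\x03\x00", b"\x16\x03\x01")


def encrypted_fan_in(conns, min_hosts=3, min_duration=1800, max_bytes=10000):
    """Group opaque flows by external host:port and return endpoints that at
    least min_hosts internal sources each hold a long, low-volume session to."""
    groups = defaultdict(set)
    for src, dst, dport, dur, nbytes, payload in conns:
        if looks_like_tls(payload) and dur >= min_duration and nbytes <= max_bytes:
            groups[(dst, dport)].add(src)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    print(irc_by_signature(CONNS))
    print(encrypted_fan_in(CONNS))
```

The short HTTPS session to 192.0.2.80 is left alone by the fan-in rule because it is neither long-lived nor shared with other internal hosts, which is the distinction that keeps ordinary TLS traffic out of the alert.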
Current thread:
- IRC, IM Proxy Implementations Hearn, David L. (Sep 02)
- <Possible follow-ups>
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Rick Coloccia (Sep 02)
- Re: IRC, IM Proxy Implementations Craig Blaha (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 02)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 03)
- Re: IRC, IM Proxy Implementations Brian Eckman (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Iglesias (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
(Thread continues...)