Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations

From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Thu, 2 Sep 2004 18:04:40 -0400

Note that we believe that we have also recently seen
another expected evolutionary trend in IRC DDoS "bots"
-- not just a use of ports outside the range 6666-7000 --
but the use of encrypted IRC traffic, possibly IRC over SSL
(which was going to TCP port 7000 in these cases btw),
so as to escape detection by IDSes and human analysis.

- H. Morrow Long, CISSP, CISM
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS


On Sep 2, 2004, at 5:28 PM, Dave Monnier, IT Security Office, Indiana
University wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Richard Gadsden wrote:

We've already seen bots using non-standard ports for their IRC
traffic.

Blocking of the standard IRC ports by some sites has had an unintended
consequence, namely, it has introduced a selective pressure into the
environment, forcing the bot coders to adapt by adding support for
non-standard ports, in the process making their bots harder to detect.

Having feared (and now having observed) this adaptation, we've
resisted
the urge to block the standard IRC ports, believing that any benefit
would
likely be short-lived, and not worth the pain.


In our experience we've found the opposite, they're now considerably
easier to detect as they're the only traffic.  Prior to the block, we
also had to sort through the legitimate IRC traffic as well.

Cheers,
- -Dave

- --
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office    |
|  Office of the VP for Information Technology, Indiana University   |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBN5CEBIf6jlONJjIRAhZ7AKCAPHtB4PSffBx9OLCzVqg0s+S3UgCfZKGC
IP9vLFN8zLOJnlW+SX02QiU=
=1tqS
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Attachment: smime.p7s
Description:

Current thread:

IRC, IM Proxy Implementations Hearn, David L. (Sep 02)
- <Possible follow-ups>
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Rick Coloccia (Sep 02)
- Re: IRC, IM Proxy Implementations Craig Blaha (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 02)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 03)
- Re: IRC, IM Proxy Implementations Brian Eckman (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Iglesias (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)

(Thread continues...)