Re: IRC, IM Proxy Implementations

[Richard Gadsden <gadsden () MUSC EDU>]

On Thu, 2 Sep 2004, Dave Monnier, IT Security Office, Indiana University wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Richard Gadsden wrote:
> > We've already seen bots using non-standard ports for their IRC traffic.
> >
> > Blocking of the standard IRC ports by some sites has had an unintended
> > consequence, namely, it has introduced a selective pressure into the
> > environment, forcing the bot coders to adapt by adding support for
> > non-standard ports, in the process making their bots harder to detect.
> >
> > Having feared (and now having observed) this adaptation, we've resisted
> > the urge to block the standard IRC ports, believing that any benefit would
> > likely be short-lived, and not worth the pain.
>
> In our experience we've found the opposite, they're now considerably
> easier to detect as they're the only traffic.  Prior to the block, we
> also had to sort through the legitimate IRC traffic as well.
>
> Cheers,
> - -Dave

Granted, that is true. But what about the "stealthier" bot species that
have since, in order to evade the port block countermeasure, moved their
IRC traffic flows to non-standard ports? Are you able to detect those IRC
traffic flows?

I see the short-term value of blocking the standard ports (and it sounds
like it's been a win for IU), but the gains are already being eroded as
the bots "evolve" into using non-standard ports...  and as Morrow has just
suggested, if/when encryption of the bots' IRC flows becomes common,
detecting these flows will be even more difficult :-(

Thanks,
Richard

 --- o ---
 Richard Gadsden
 Chief Information Security Officer
 Medical University of South Carolina

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.