Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Richard Gadsden <gadsden () MUSC EDU>
Date: Fri, 3 Sep 2004 08:58:23 -0400
On Thu, 2 Sep 2004, Dave Monnier, IT Security Office, Indiana University wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Richard Gadsden wrote:We've already seen bots using non-standard ports for their IRC traffic. Blocking of the standard IRC ports by some sites has had an unintended consequence, namely, it has introduced a selective pressure into the environment, forcing the bot coders to adapt by adding support for non-standard ports, in the process making their bots harder to detect. Having feared (and now having observed) this adaptation, we've resisted the urge to block the standard IRC ports, believing that any benefit would likely be short-lived, and not worth the pain.In our experience we've found the opposite, they're now considerably easier to detect as they're the only traffic. Prior to the block, we also had to sort through the legitimate IRC traffic as well. Cheers, - -Dave
Granted, that is true. But what about the "stealthier" bot species that have since, in order to evade the port block countermeasure, moved their IRC traffic flows to non-standard ports? Are you able to detect those IRC traffic flows? I see the short-term value of blocking the standard ports (and it sounds like it's been a win for IU), but the gains are already being eroded as the bots "evolve" into using non-standard ports... and as Morrow has just suggested, if/when encryption of the bots' IRC flows becomes common, detecting these flows will be even more difficult :-( Thanks, Richard --- o --- Richard Gadsden Chief Information Security Officer Medical University of South Carolina ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Re: IRC, IM Proxy Implementations, (continued)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Rick Coloccia (Sep 02)
- Re: IRC, IM Proxy Implementations Craig Blaha (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 02)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 03)
- Re: IRC, IM Proxy Implementations Brian Eckman (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Iglesias (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations John Kristoff (Sep 03)
- Re: IRC, IM Proxy Implementations John Kristoff (Sep 03)
(Thread continues...)