Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU>
Date: Fri, 3 Sep 2004 08:53:28 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Richard Gadsden wrote:

> Granted, that is true. But what about the "stealthier" bot species that
> have since, in order to evade the port block countermeasure, moved their
> IRC traffic flows to non-standard ports? Are you able to detect those IRC
> traffic flows?


Obviously it's not possible to identify bots by their encrypted IRCD
traffic.  They're undetectable regardless of what blocks are in place
though. In our experience, detection of these hosts is generally done
when they misbehave (scanning the rest of the subnet, brute-forcing
accounts, or DDoS'ing other hosts) rather than by just communicating.
Unfortunately this means that the host has to cause other trouble on the
network before they can be identified as malicious.

So far, 90%+ of our bots have not been SSL wrapped nor have they used
SSL capable IRCDs.  None of the major problem networks support SSL;
in fact, to my knowledge none of the major IRCD codebases support it.
Most of the bots we see are used for XDCC. Since it would be difficult
to get people to join some random rogue IRCD to get their warez/etc
these bots are generally pointed at known IRC networks that don't use
SSL wrapped services.

So while I agree that blocking these ports does nothing to help detect
the rare bot using encryption, I will say that it has been effective for
what is 95% of the problem.  It only took a few minutes to put the
blocks in place, and when SSL capable IRC networks become commonplace
we'll have to adjust our method. In the meantime it has reduced our bot
problem by easily 90%.

Cheers,
- -Dave

- --
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office    |
|  Office of the VP for Information Technology, Indiana University   |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBOHdYBIf6jlONJjIRAtquAJ9eAyMYV03HX7WhO/Xf8+ifwWw2DgCgmXft
K+MZKcY6b6CkAagLn6fJsyE=
=cVm9
-----END PGP SIGNATURE-----
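The two detection approaches discussed in this thread, a port-based rule for plain IRC and a behavioural rule that catches a host only once it starts scanning its own subnet, side by side over constructed flow records. This is an added example for the archive reader, not code from the poster or from Indiana University; the IRC port list, the monitored subnet, the fan-out threshold and the sample flows are all assumptions made up for the illustration.

```python
"""Flow-record triage: port-based IRC detection next to behavioural
(scan fan-out) detection, over constructed NetFlow-style records."""
from collections import defaultdict
from dataclasses import dataclass

# Common IRC client ports (assumed list; real deployments would tune this).
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since start of capture
    src: str     # internal source address
    dst: str     # destination address
    dport: int   # destination port


# Constructed sample flows (hypothetical 10.0.5.0/24 campus subnet):
#  - 10.0.5.10 talks IRC on the standard port 6667 -> visible to the port rule
#  - 10.0.5.22 talks to its C2 on 8443 (IRC moved to a non-standard port,
#    invisible to the port rule) and then sweeps 40 neighbours on tcp/445
#  - 10.0.5.30 is a benign host making two HTTPS connections
FLOWS = (
    [Flow(0, "10.0.5.10", "198.51.100.7", 6667),
     Flow(1, "10.0.5.10", "198.51.100.7", 6667),
     Flow(0, "10.0.5.22", "203.0.113.9", 8443)]
    + [Flow(10 + i, "10.0.5.22", f"10.0.5.{100 + i}", 445) for i in range(40)]
    + [Flow(20, "10.0.5.30", "192.0.2.5", 443),
       Flow(21, "10.0.5.30", "192.0.2.6", 443)]
)


def irc_port_hits(flows):
    """Sources that connected to a well-known IRC port (the 'port block' view)."""
    return {f.src for f in flows if f.dport in IRC_PORTS}


def scan_fanout(flows, window=60, threshold=20):
    """Sources that reach >= threshold distinct destinations on one port
    within `window` seconds.  Returns {src: (dport, distinct_count)}."""
    by_src_port = defaultdict(list)
    for f in flows:
        by_src_port[(f.src, f.dport)].append(f)

    flagged = {}
    for (src, port), fl in by_src_port.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for i in range(len(fl)):
            # Slide the window start forward until it fits in `window` seconds.
            while fl[i].ts - fl[start].ts > window:
                start += 1
            distinct = {g.dst for g in fl[start:i + 1]}
            if len(distinct) >= threshold:
                flagged[src] = (port, len(distinct))
                break
    return flagged


def triage(flows, **kw):
    """Combine both views: {src: [reasons]}.  A bot on a non-standard IRC
    port shows up here only through its behaviour, which is the gap the
    thread is discussing."""
    reasons = defaultdict(list)
    for src in irc_port_hits(flows):
        reasons[src].append("irc-port")
    for src, (port, n) in scan_fanout(flows, **kw).items():
        reasons[src].append(f"scan:{port}:{n}")
    return dict(reasons)


if __name__ == "__main__":
    for src, why in sorted(triage(FLOWS).items()):
        print(src, why)
```

Run as a script it lists 10.0.5.10 (IRC port) and 10.0.5.22 (scan fan-out on 445) and nothing for 10.0.5.30; the host on 8443 is only caught once it misbehaves, which matches the experience described in the post.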

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.