Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 3 Sep 2004 09:54:58 -0400

Richard Gadsden wrote:

> Granted, that is true. But what about the "stealthier" bot species that
> have since, in order to evade the port block countermeasure, moved their
> IRC traffic flows to non-standard ports? Are you able to detect those IRC
> traffic flows?

There are lots of Snort sigs out for various IRC detections.
I'm contemplating configuring our IDP to start doing something
proactive with the more egregious traffic.

> I see the short-term value of blocking the standard ports (and it sounds
> like it's been a win for IU), but the gains are already being eroded as
> the bots "evolve" into using non-standard ports... and as Morrow has just
> suggested, if/when encryption of the bots' IRC flows becomes common,
> detecting these flows will be even more difficult :-(

No doubt all malware will eventually evolve into
encrypted web traffic. Web services and XML are as
valuable to the bad guys as to the good. :)

When that happens, we'll be left with few choices:

1) Traffic flow analysis which will be of most use
   for networks that can define good/bad/normal usage.
2) Organizational encryption/decryption boundaries
   and/or key escrow
3) Manage the Internet :)

--
Gary Flynn
Security Engineer
James Madison University
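The port-independent IRC detection Gary refers to ("lots of Snort sigs out for various IRC detections") and the traffic flow analysis he lists as option 1, as an added example that is not part of the original thread and is not taken from any Snort ruleset. It matches IRC commands at the start of payload lines regardless of destination port, treats USER/PASS as weak evidence because FTP uses them too, flags a TLS ClientHello as opaque (the case Morrow raised, where only a decryption boundary or key escrow would help), and then does a simple fan-in count of internal hosts talking IRC to the same external host. All flows, addresses and payloads below are constructed for the example.

```python
"""Port-independent IRC detection over sample flows, plus a fan-in
flow-analysis pass. Added example; the flows are constructed, not captures."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    src: str        # internal host
    dst: str        # external host
    dport: int      # destination port (ignored by the detector)
    payload: bytes  # first bytes of client->server data


# Constructed sample flows using documentation address ranges (hypothetical).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.7", 6667, b"NICK [USA]xp-1234\r\nUSER x 0 * :x\r\n"),
    Flow("10.1.1.6", "203.0.113.7", 8080, b"NICK [USA]xp-5678\r\nUSER y 0 * :y\r\n"),
    Flow("10.1.1.9", "203.0.113.7", 8080, b"JOIN #c\r\nPRIVMSG #c :ready\r\n"),
    Flow("10.1.1.7", "203.0.113.7", 443,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("10.1.1.8", "198.51.100.2", 80,  b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.1.1.8", "198.51.100.9", 21,  b"USER anonymous\r\nPASS guest@\r\n"),
]

# IRC commands at the start of a line identify the protocol on any port.
# USER and PASS also appear in FTP, so they count only as weak evidence.
STRONG_CMDS = {b"NICK", b"JOIN", b"PRIVMSG", b"NOTICE"}
WEAK_CMDS = {b"USER", b"PASS", b"MODE", b"PONG"}
IRC_LINE_RE = re.compile(
    rb"^(NICK|JOIN|PRIVMSG|NOTICE|USER|PASS|MODE|PONG) ", re.MULTILINE)


def irc_commands(payload: bytes) -> Set[bytes]:
    """Set of IRC command words found at line starts in the payload."""
    return set(IRC_LINE_RE.findall(payload))


def classify(payload: bytes) -> str:
    """Return 'irc', 'tls' (opaque to content inspection) or 'other'."""
    # TLS record header: content type 0x16 (handshake), major version 3.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if irc_commands(payload) & STRONG_CMDS:
        return "irc"
    return "other"  # weak-only matches (e.g. FTP USER/PASS) are not alerted


def detect_irc(flows) -> List[Flow]:
    """Flows whose payload looks like IRC, whatever the destination port."""
    return [f for f in flows if classify(f.payload) == "irc"]


def fan_in(flows, min_sources: int = 2) -> Dict[str, Set[str]]:
    """External hosts receiving IRC-like traffic from >= min_sources
    internal hosts: the many-to-one pattern of a C&C channel."""
    by_dst: Dict[str, Set[str]] = defaultdict(set)
    for f in detect_irc(flows):
        by_dst[f.dst].add(f.src)
    return {d: s for d, s in by_dst.items() if len(s) >= min_sources}


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}  {classify(f.payload)}")
    for dst, srcs in fan_in(SAMPLE_FLOWS).items():
        print(f"fan-in: {len(srcs)} internal hosts talk IRC to {dst}")
```

The flow on port 443 is the limit of this approach: once the bot's IRC channel is wrapped in TLS, content matching sees only the handshake, and what remains is the fan-in and timing pattern on the flow records.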

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
