RE: IRC bots...

[Bill Nash <billn () billn net>]

On Sat, 12 Mar 2005, Hannigan, Martin wrote:

> [ SNIP ]
>
> Who's got time for all that? Chase the controller, shut down
> the user until they buy some AV software. We've gone beyond
> "I didn't know" for endusers in most regions.

Enterprise IT staff running from whip-cracking security staff, that's who 
has time for it.

Unless, however, you have no security requirements surrounding your 
accounting records, network inventory, provisioning tools, and credit card 
processing services.

Other reasons:
.. if you're providing a premium service to business grade 
customers who can sum up their connectivity requirements as '80, 443, 25, 53, 
period.'
..if you're running honeynets.
..if you're providing structured services with explicit controls on what 
goes on (ala AOL, some .edu networks, etc.)
..you've been singled out by your peers because a significant portion of 
large DDoS attacks are originating from your network.
..you've been singled out by accounting because of the traffic costs 
involved with sourcing DDoS attacks.

As popular as instant messenger, and increasingly, voip toys, have become, 
actual IRC usages represents a diminishing percentage of inter-user 
chatter. Even something as simple as carving irc usage out of your netflow 
records and tagging specific endpoints as potential sources is a piece of 
automation that will save you some time down the road. A decent network 
inventory would facilitate this.

- billn