Re: IRC bots...

[John Kristoff <jtk () northwestern edu>]

On Sat, 12 Mar 2005 17:09:17 -0800 (PST)
Bill Nash <billn () billn net> wrote:

> As popular as instant messenger, and increasingly, voip toys, have become, 
> actual IRC usages represents a diminishing percentage of inter-user 
> chatter. Even something as simple as carving irc usage out of your netflow 
> records and tagging specific endpoints as potential sources is a piece of 
> automation that will save you some time down the road. A decent network 
> inventory would facilitate this.

While most IRC traffic, even much of the so called 'bad' IRC traffic
uses TCP 6667, IRC traffic that doesn't is not easily discerned through
traffic flows except for perhaps with a pre-defined list of addresses
and ports to seed monitoring with.

Tallying then just the TCP 6667 traffic, perhaps eliminating very
short lived or small flows, should be a good indicator of IRC traffic
usage, but tagging those as potential sources for problems may be
difficult.  Perhaps in environments where IRC as an application is
strictly forbidden or blocked this will work well, but on more open
and larger network this may waste time, not save it.  Since in the
latter case, figuring out what is legit and what is not will likely
be a lot of leg work.

You can automate some of this further, by building white lists or
black lists of IRC server addresses.  A white list doesn't tend to
scale very well.  A black list scales better, but you have to get
those black listed addresses and doing that part is harder.  There
are some people/groups who spend time finding black list hosts so
leveraging their data can be very useful and time saving.

John