Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IRC bots...

  • From: Bill Nash
  • Date: Sat Mar 12 16:38:47 2005

On Sat, 12 Mar 2005, Fergie (Paul Ferguson) wrote:

Somewhat related to operational issues...

It was interesting to read the "daily handler" log at
the ISC which related their experiences with detecting
(and disabling/disinfecting) a machine/network infected
with several IRCbot drone computers. As someone who has
had to deal with with this issue on several customer
networks, it is sometimes intriguing at the length at
which some of the developers of these damned things
go through to accomplish their feats.  :-)
A fun solution to mitigating this problem: NAT or PBR to funnel all standard outbound IRC traffic to an internal ircd of your choice.

When that doesn't work anymore, throw Snort on egress SPAN segments doing protocol inspection for irc protocol 'CONNECT' and similiar, hitched up to a syslog analyzer to catch outbound connections in real-time. The right tools in the right place would let you hitch the alarm to trigger execution of a utility capable of injecting packets into the stream to send RST in both directions.

False positives might be a problem. I officially declare them to be 'yours.' ;)

- billn




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.