Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU>
Date: Thu, 2 Sep 2004 10:19:19 -0500
Hearn, David L. wrote:
> Hello all,
>
> With the profusion of IRC related BOT exploits, we are researching an IRC\IM proxy implementation. Since these services do have legitimate usage, we are leery of disabling universally. We also believe a proxy would mitigate some of the issues we are experiencing. If anyone out there has such a solution in production, and has any advice, documentation, or links regarding the process, issues and effectiveness, I would appreciate a jump-start.
>
> Thanks for your time and consideration.
>
> David Hearn
I suspect you will find a proxy to be a source of complaint from your users. Most every legitimate IRC network checks for clones by IP. Generally they put a limit on how many connections can originate from an IP. If your user base is all using the proxy, they will find that most people will be denied access to the IRC network due to all sharing the same IP.

As an operational solution to our bot problem, we've blocked all known IRC ports at the border and require users to use the campus VPN should they want to reach IRC networks. This allows us to ensure that people who are connecting to IRC networks do so knowingly (not via a bot) and at the same time allows us to spot rogue IRCD traffic.

We've also considered poisoning our own DNS to tarpit systems trying to resolve known bad IRC networks (rizon, criton, etc.). Redirecting these hosts to our own ircd where they can be handled appropriately.

Cheers,
-Dave

--
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
| Lead Security Engineer, Information Technology Security Office |
| Office of the VP for Information Technology, Indiana University |
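
Added example, not part of the original message or Indiana University's tooling: a sketch of how border flow records could be sorted under the policy described above (direct IRC blocked, IRC via the campus VPN allowed, campus hosts accepting IRC connections treated as rogue IRCDs). The address ranges, the port list and the flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the message): campus range, VPN pool, and the
# set of "known IRC ports". Port matching only covers the ports listed.
CAMPUS = ipaddress.ip_network("10.0.0.0/8")
VPN_POOL = ipaddress.ip_network("10.99.0.0/16")
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.1.2.3", "198.51.100.7", 6667),    # campus host, direct to IRC
    ("10.99.0.15", "198.51.100.7", 6667),  # VPN user reaching IRC
    ("203.0.113.5", "10.4.4.4", 6667),     # outside client -> campus host
    ("10.5.5.5", "10.4.4.4", 7000),        # campus client -> campus host
    ("10.1.2.3", "203.0.113.5", 443),      # unrelated traffic
]

def classify(src, dst, dport):
    """Label one flow according to the border policy."""
    if dport not in IRC_PORTS:
        return "other"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in CAMPUS:
        return "rogue-ircd"      # a campus host is accepting IRC connections
    if s in VPN_POOL:
        return "vpn-irc"         # user chose to connect through the VPN
    if s in CAMPUS:
        return "blocked-direct"  # dropped at the border; possible bot
    return "other"

def report(flows):
    """Group the hosts that need attention by verdict."""
    hosts = defaultdict(set)
    for src, dst, dport in flows:
        verdict = classify(src, dst, dport)
        if verdict == "rogue-ircd":
            hosts[verdict].add(dst)  # the listening host is the finding
        elif verdict != "other":
            hosts[verdict].add(src)
    return {k: sorted(v) for k, v in hosts.items()}

if __name__ == "__main__":
    for verdict, ips in report(SAMPLE_FLOWS).items():
        print(verdict, ips)
```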
Current thread:
- IRC, IM Proxy Implementations Hearn, David L. (Sep 02)
- <Possible follow-ups>
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Rick Coloccia (Sep 02)
- Re: IRC, IM Proxy Implementations Craig Blaha (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 02)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
(Thread continues...)