Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU>
Date: Fri, 3 Sep 2004 11:10:51 -0500
Brian Eckman wrote:
> Put simply, if you solely are counting on your port filtering to prevent these worm-bots, you are failing already.
> Brian
I didn't intend to give the impression that we rely on or believe that this measure prevents anything but the misuse of our resources. The hosts still get infected, and they still scan other hosts, and we still catch them. In the meantime though, while the hosts are compromised, they aren't able to connect to the IRC and waste massive amounts of bandwidth.

This is not a preventive measure, it is a control mechanism that is effective for the majority of infections we've seen. We can at least limit the impact on our resources while we remove the infected hosts rather than let them run buckwild while we remove them.

I suspect this thread is going to continue on either an agree or disagree trend. In the last year or so we've identified/removed/contacted tens of thousands of these systems, working directly with some of the members of this list in many of the cases. Rather than make this an emacs/vi argument or similar, let me just say that we're not unfamiliar with what's happening in the wild, we're aware of the loopholes, workaround, pitfalls, etc., however we have found this tactic to be effective.

Cheers,
-Dave

--
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
| Lead Security Engineer, Information Technology Security Office |
| Office of the VP for Information Technology, Indiana University |