Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU>
Date: Fri, 3 Sep 2004 11:10:51 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian Eckman wrote:
Put simply, if you solely are counting on your port filtering
to prevent these worm-bots, you are failing already.

Brian


I didn't intend to give the impression that we rely on or believe that
this measure prevents anything but the misuse of our resources.  The
hosts still get infected, and they still scan other hosts, and we still
catch them.  In the meantime though, while the hosts are compromised,
they aren't able to connect to the IRC and waste massive amounts of
bandwidth.  This is not a preventive measure, it is a control mechanism
that is effective for the majority of infections we've seen. We can at
least limit the impact on our resources while we remove the infected
hosts rather than let them run buckwild while we remove them.

I suspect this thread is going to continue on either an agree or
disagree trend.  In the last year or so we've
identified/removed/contacted tens of thousands of these systems, working
directly with some of the members of this list in many of the cases.
Rather than make this an emacs/vi argument or similar, let me just say
that we're not unfamiliar with what's happening in the wild; we're aware
of the loopholes, workarounds, pitfalls, etc. However, we have found this
tactic to be effective.

Cheers,
- -Dave

- --
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office    |
|  Office of the VP for Information Technology, Indiana University   |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBOJeLBIf6jlONJjIRApliAJ9XNV/mSFLfT5a7MKZD4OyjoQlP1wCgrYwd
F5qYyDbITEYkPN/9S45n2UE=
=usGn
-----END PGP SIGNATURE-----
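The control Dave describes (dropping outbound IRC connections from client networks so compromised hosts cannot reach their channel, while the dropped attempts themselves help identify the hosts to clean up) can be illustrated with a small log-triage script. The following is an added example written for this archive page, not code from the list participants or from Indiana University; the log format is loosely modelled on iptables LOG output, and the port set, client subnet, threshold and all sample lines are constructed assumptions. The last function also shows the loophole Brian alludes to: a port-only rule says nothing about command-and-control traffic carried on a non-IRC port.

```python
"""Egress-filter log triage for IRC-bound traffic (constructed example).

Counts, per internal source host, how many outbound connection attempts
to well-known IRC ports were dropped by the egress filter, flags hosts
above a threshold as probable bot infections, and lists accepted outbound
connections that a port-based rule does not cover.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ports a port-based egress filter would block (assumption: classic IRC range).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
# Internal client space the policy applies to (constructed value).
CLIENT_NETS = [ip_network("10.0.0.0/8")]

# Constructed log lines, loosely modelled on iptables LOG output; not real data.
SAMPLE_LOG = """\
Sep  3 10:01:02 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP SPT=4123 DPT=6667 SYN
Sep  3 10:01:05 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP SPT=4124 DPT=6667 SYN
Sep  3 10:01:09 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.11 PROTO=TCP SPT=4125 DPT=6667 SYN
Sep  3 10:02:00 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.7.7.7 DST=198.51.100.5 PROTO=TCP SPT=50001 DPT=6667 SYN
Sep  3 10:03:00 gw kernel: EGRESS-ACCEPT IN=eth1 OUT=eth0 SRC=10.9.9.9 DST=198.51.100.9 PROTO=TCP SPT=50002 DPT=8080 SYN
"""

LOG_RE = re.compile(
    r"EGRESS-(?P<action>DROP|ACCEPT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def is_blocked_by_policy(src: str, proto: str, dport: int) -> bool:
    """Mirror the egress rule: TCP to IRC ports from client nets is dropped."""
    addr = ip_address(src)
    return proto == "TCP" and dport in IRC_PORTS and any(addr in n for n in CLIENT_NETS)


def parse_log(text: str):
    """Yield (action, src, dst, proto, dport) tuples for lines that match."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield (m["action"], m["src"], m["dst"], m["proto"], int(m["dpt"]))


def irc_drop_counts(text: str) -> dict:
    """Count dropped IRC attempts per internal source host."""
    counts = Counter()
    for action, src, _dst, proto, dport in parse_log(text):
        if action == "DROP" and is_blocked_by_policy(src, proto, dport):
            counts[src] += 1
    return dict(counts)


def flag_probable_bots(text: str, threshold: int = 3) -> list:
    """Hosts with repeated dropped IRC attempts: candidates for cleanup."""
    return sorted(h for h, n in irc_drop_counts(text).items() if n >= threshold)


def unfiltered_outbound(text: str) -> list:
    """Accepted outbound connections the port filter does not cover.

    Illustrates the loophole: traffic on a non-IRC port passes a port-only rule,
    so this control limits impact but does not by itself detect every infection.
    """
    return [(src, dst, dport) for action, src, dst, _p, dport in parse_log(text)
            if action == "ACCEPT" and dport not in IRC_PORTS]


if __name__ == "__main__":
    print("dropped IRC attempts:", irc_drop_counts(SAMPLE_LOG))
    print("probable bots:", flag_probable_bots(SAMPLE_LOG))
    print("outbound not covered by port filter:", unfiltered_outbound(SAMPLE_LOG))
```

Run it as-is to see the constructed sample triaged; in practice the threshold and client subnet would come from the site's own policy, and the accepted-but-uncovered list is the part that reminds you the filter is a bandwidth and impact control rather than a detection system.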
