[78596] in North American Network Operators' Group
Re: IRC bots...
daemon@ATHENA.MIT.EDU (Bill Nash)
Sat Mar 12 16:38:10 2005
Date: Sat, 12 Mar 2005 13:39:58 -0800 (PST)
From: Bill Nash <billn@billn.net>
To: "Fergie (Paul Ferguson)" <fergdawg@netzero.net>
Cc: nanog@merit.edu
In-Reply-To: <20050312.102613.5805.153823@webmail01.lax.untd.com>
Errors-To: owner-nanog@merit.edu
On Sat, 12 Mar 2005, Fergie (Paul Ferguson) wrote:
> Somewhat related to operational issues...
>
> It was interesting to read the "daily handler" log at
> the ISC which related their experiences with detecting
> (and disabling/disinfecting) a machine/network infected
> with several IRCbot drone computers. As someone who has
> had to deal with with this issue on several customer
> networks, it is sometimes intriguing at the length at
> which some of the developers of these damned things
> go through to accomplish their feats. :-)
A fun solution to mitigating this problem: NAT or PBR to funnel all
standard outbound IRC traffic to an internal ircd of your choice.
When that doesn't work anymore, throw Snort on egress SPAN segments doing
protocol inspection for irc protocol 'CONNECT' and similiar, hitched up to
a syslog analyzer to catch outbound connections in real-time. The right
tools in the right place would let you hitch the alarm to trigger
execution of a utility capable of injecting packets into the stream to
send RST in both directions.
False positives might be a problem. I officially declare them to be
'yours.' ;)
- billn
