[Dshield] Dalnet being used as a C&C server

Micheal Patterson micheal at tsgincorporated.com
Tue Jul 3 14:09:25 GMT 2007




----- Original Message ----- 
From: <ge at linuxbox.org>
To: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Wednesday, June 20, 2007 8:08 PM
Subject: Re: [Dshield] Dalnet being used as a C&C server


> On 2007-06-20 11:04-0700, Dalvenjah FoxFire wrote:
>>Hello,
>>
>>I'd just like to chime in on this thread. I want to point out that
>>DALnet first received notice of this issue at abuse at dal.net at 4:45PM PDT;
>>the channel involved was blocked from use at 10:05PM PDT. That's what I
>>would consider an excellent 5 hour response time; it also appears from this
>>thread that confirmation was received that action was taken at around
>>the same time.
>>
>>The apparent continuing discussion of "well I don't know if I trust that,
>>let's pursue blocking DALnet" troubles me. As someone who has for upwards
>
> I am unsure when this came up, as I didn't read the whole thread, but
> maybe we need a history lesson here.
>
> Botnets came originally from IRC, and therefore used public IRC
> networks. Nowadays they mostly use private IRC servers if not other
> protocols altogether, but some still use the old networks.. and it is
> quite a burden on these networks.
>
> There are hundreds if not thousands of "legacy botnets" still connecting
> to servers for years, as well as new ones. There is no real power for
> IRC operators to deal with this, and it is quite a menace for them (in
> the networks where they actually notice it).
>
> Blocking a legitimate public server for the DALnet network is lack of
> clue on our part, and should not be done. In fact, I should stress
> that it was on DALnet itself where much of what today we call botnet
> hunting originated, and I am talking about 1996-7, not 2004. Some of us
> who were on these networks back then, fighting these things, are still
> around.. but we are mostly gone.
>
> So, let's just stop talking about blocking IRC networks, and please
> white-list them if you have a C&C blacklist, unless it is for your own
> organization alone where it is your choice alone.
>
> Thanks,
>
> Gadi.
>

Back in the day when the term smurf started meaning an ICMP flood 
instead of a little blue cartoon character.
Back in the day when folks started breaking out of dumb terminals and 
started using Windows clients for IRC.

Back in the days when the smurfers owned the IRC networks because of 
their antics..

Yea, I'm still around and I remember those days.. The days that services 
were flooded to the point that they couldn't be used, the days that 
EFNet servers would disappear for a few days under a heavy DoS attack..

Dredster - EFNet - Admin irc.ionet.net
Micheal - DALnet - Technical advisor to Bahamut when it came over from 
EFNet's tree, and former DALnet Services Abuse Lead (1997'ish).. I'm 
still around. Long time no see Dal :)

--

Micheal Patterson
Senior Communications Systems Engineer
TSG Incorporated
 405-917-0600