[Dshield] Blocking IRC

Keith Bergen keith at keithbergen.com
Tue Nov 18 13:44:48 GMT 2003


Historically, IRC servers have used those TCP ports (and 
primarily 6667) as the main server ports, however a lot of 
IRC servers now offer web based interfaces. Those work on 
your standard port 80, which is much more difficult for the 
IT department to block. In addition, many IRC servers have 
expanded their ports.

I help administer an IRC network, and we have 6661-6669 
available. We also opened up 7001 years ago so that AOL users 
could connect (as AOL either blocked 6661-6669, or used it 
for something else). We also allow 4400 and 7070. All of 
these extra ports are in no way a standard, but this shows 
you an example of how difficult it would be to block out all 
IRC traffic.


---- Original message ----
>Date: Tue, 18 Nov 2003 19:27:14 +1300
>From: "Mike" <mjcarter at ihug.co.nz>  
>Subject: [Dshield] Blocking IRC  
>To: <list at dshield.org>
>Hi All,
>I originally sent this to another list, A few things I 
learnt from that was
>that I didn't include enough info, so here goes with this 
>I'm looking at moving my career towards security, so was 
interested when I
>received an email from our security department that stated 
they would be
>blocking IRC by closing ports 6665-6669.
>I would have thought a lot more ports would need to be 
closed if the secops
>wanted to completely block IRC.
>What is the "best" way to disable access to IRC?
>Block known ports, what ports would need to be blocked?
>Or just drop packets, how would that be done?
>We use Cisco equipment and are primarily a win2k 70% winxp 
30% site
>Like I said I'm wanting to move into security, but at the 
moment I wouldn't
>even class myself as a novice.
>Additional info for the Dsheild list:
>Our security team is wanting to block access for users using 
an IRC client.
>They want to stop viruses from infecting through IRC.
>And they want it to be seamless and low on overhead.
>Someone mentioned "Please keep in mind that you have just 
announced your
>configuration to the whole world." (not sure if I'm breaking 
>rules/ethics, this person doesn't know I posted his response 
here but I
>thought it was relevant to answer anyone who thought the 
>I didn't say who I work for and I used my personal email 
account to send my
>question to the list but I appreciated the input.
>Any input I could get will be very much appreciated!
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 

More information about the list mailing list