[Dshield] DShield's Public Goals

dshield.org at keithbergen.com
Thu Jan 5 17:47:36 GMT 2006


I am an operator on one of the smaller IRC networks, and I have seen
many botnets that use 6667. They almost never seem to use anything else. I
presumed that this is because you can always count on that port being open,
whereas the other ports are only open on a network-by-network basis.
Admittedly, most networks have 6668-6669, and often 6663-6666 as well, but
not always. Another explanation is that a lot of these smaller botnets are
being run by a less experienced person, and they don't know about other
ports.

One caveat: I haven't had the misfortune to come up against one of these
really big botnets. Most of the ones that attack us are under the 1,000 bots
mark.

One thing that may work: these botnets often have irc.[network-name].org in
their "config" files. If one were to block irc.*.org on 666*, then the user
would still be able to connect to the servers of choice, but they would need
to use another name, such as dshield.[network-name].org or
city.state.country.[network-name].org.

Just a couple thoughts,


Keith.

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Jeff Kell
Sent: Thursday, January 05, 2006 12:07 PM
To: General DShield Discussion List
Subject: Re: [Dshield] DShield's Public Goals


stu wrote:
> So my ISP will now block port 6667 to stop me from connecting to an IRC
> server and the bot code gets modified to use port 6668? While users
> complain IRC isn't working?

You're much better off allowing 6667 and blocking IRC traffic on any other
port :-)

I think I have seen *one* botnet that used 6667.

Jeff

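The two filtering ideas in this exchange (Jeff's "allow 6667, block IRC on any other port" and Keith's "block irc.*.org on 666*") can be compared side by side. The following is an added example written for this archive page, not code from either poster. It assumes "666*" means TCP ports 6660-6669, that the first line a client sends after the TCP handshake is available (as a proxy or IDS would see it), and it runs over a handful of constructed connection records rather than captured traffic.

```python
import fnmatch
import re

# IRC registration/commands a client sends early in a session; case-insensitive
# because the protocol is. Any other first line is treated as non-IRC.
IRC_COMMAND = re.compile(r"^(?:PASS|NICK|USER|CAP|JOIN|PRIVMSG|PING|PONG)\b",
                         re.IGNORECASE)
IRC_PORT_RANGE = range(6660, 6670)   # assumption: "666*" read as 6660-6669
STANDARD_IRC_PORT = 6667

# Constructed sample records: (destination host, destination port, first line
# sent by the client). Illustrative only; hostnames use the example.org zone.
SAMPLE_CONNECTIONS = [
    ("irc.example.org",     6667, "NICK bot3491\r\n"),      # bot with default config
    ("dshield.example.org", 6667, "NICK kbergen\r\n"),      # human using a server alias
    ("irc.example.org",     6669, "PASS s3cret\r\n"),       # bot moved to another 666x port
    ("203.0.113.10",        8080, "NICK bot3491\r\n"),      # IRC spoken on a non-IRC port
    ("www.example.org",       80, "GET / HTTP/1.1\r\n"),    # ordinary web traffic
    ("irc.example.org",       80, "USER a 0 * :a\r\n"),     # irc.*.org, but outside 666x
]


def looks_like_irc(first_line: str) -> bool:
    """Heuristic: does the client's first line start with an IRC command?"""
    return bool(IRC_COMMAND.match(first_line.strip()))


def hostname_rule_blocks(host: str, port: int) -> bool:
    """Keith's idea: block irc.*.org on 666x ports. Bot configs tend to carry
    the canonical irc.<network>.org name; users can still reach the same
    servers through an alias such as dshield.<network>.org."""
    return fnmatch.fnmatchcase(host.lower(), "irc.*.org") and port in IRC_PORT_RANGE


def protocol_rule_blocks(port: int, first_line: str) -> bool:
    """Jeff's idea: allow IRC on 6667, block IRC spoken on any other port."""
    return looks_like_irc(first_line) and port != STANDARD_IRC_PORT


def evaluate(host: str, port: int, first_line: str) -> list:
    """Return the names of the rules that would block this connection."""
    hits = []
    if hostname_rule_blocks(host, port):
        hits.append("hostname-666x")
    if protocol_rule_blocks(port, first_line):
        hits.append("irc-off-6667")
    return hits


def evaluate_all(connections) -> dict:
    """Map (host, port) -> list of triggered rules for every record."""
    return {(h, p): evaluate(h, p, line) for h, p, line in connections}


if __name__ == "__main__":
    for (host, port), hits in evaluate_all(SAMPLE_CONNECTIONS).items():
        print(f"{host}:{port:<5} -> {', '.join(hits) or 'allow'}")
```

Running it shows where each rule has gaps: the hostname rule lets a bot through the moment its operator points it at a non-666x port, while the protocol rule lets any IRC traffic through on 6667, including the bot with the default config, and only sees anything at all if the first client line is in cleartext. Neither rule touches the legitimate user connecting via dshield.example.org:6667.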



