[Dshield] DShield's Public Goals

dshield.org at keithbergen.com
Thu Jan 5 17:47:36 GMT 2006

I am an operator on one of the smaller IRC networks, and I have seen
many botnets that use 6667. They almost never seem to use anything else. I
presumed that this is because you can always count on that port being open,
whereas the other ports are only open on a network-by-network basis.
Admittedly, most networks have 6668-6669, and often 6663-6666 as well, but
not always. Another explanation is that a lot of these smaller botnets are
being run by a less experienced person, and they don't know about other

One caveat: I haven't had the misfortune to come up against one of these
really big botnets. Most of the ones that attack us are under the 1,000 bots

One thing that may work: these botnets often have irc.[network-name].org in
their "config" files. If one were to block irc.*.org on 666*, then the user
would still be able to connect to the servers of choice, but they would need
to use the name ... Such as dshield.[network-name].org or

Just a couple thoughts,


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Jeff Kell
Sent: Thursday, January 05, 2006 12:07 PM
To: General DShield Discussion List
Subject: Re: [Dshield] DShield's Public Goals

stu wrote:
> So my ISP will now block port 6667 to stop me from connecting to an IRC
> server and the bot code gets modified to use port 6668? While users
> complain IRC isn't working?

You're much better off allowing 6667 and blocking IRC traffic on any other
port :-)

I think I have seen *one* botnet that used 6667.


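The two filtering ideas raised in this thread (leave 6667 open but block IRC seen on any other port; block irc.*.org names on 666*), combined into one egress check as an added example that is not from either poster. The function names, the flow fields and the sample payloads are constructed, and the code assumes the sensor knows which DNS name the client resolved for the flow.

```python
import re
from fnmatch import fnmatchcase

ALLOWED_IRC_PORT = 6667             # the one port the quoted reply would leave open
GENERIC_NAME = "irc.*.org"          # name pattern from the message above
NAME_RULE_PORTS = range(6660, 6670) # "666*"

# A client registers with NICK and USER (PASS/CAP may come first), one command per line.
_REG = re.compile(rb"^(PASS|CAP|NICK|USER) [^\r\n]{1,500}\r?$", re.I)


def looks_like_irc(payload: bytes) -> bool:
    """True if the first client lines contain both a NICK and a USER command."""
    seen = set()
    for line in payload.split(b"\n")[:8]:   # registration happens in the first lines
        m = _REG.match(line)
        if m:
            seen.add(m.group(1).upper())
    return {b"NICK", b"USER"} <= seen


def verdict(dst_name: str, dst_port: int, payload: bytes) -> str:
    """Return 'allow' or 'block:<reason>' for one outbound TCP flow."""
    # Name rule: needs no payload, so it also applies on 6667.
    if dst_port in NAME_RULE_PORTS and fnmatchcase(dst_name.lower(), GENERIC_NAME):
        return "block:generic-irc-name"
    # Protocol rule: IRC is recognised by content, not by port number.
    if dst_port != ALLOWED_IRC_PORT and looks_like_irc(payload):
        return "block:irc-on-other-port"
    return "allow"


# Constructed sample payloads (not captured traffic).
IRC_HELLO = b"NICK zx81\r\nUSER zx81 0 * :zx81\r\nJOIN #chan\r\n"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"

if __name__ == "__main__":
    for name, port, data in [
        ("dshield.example-net.org", 6667, IRC_HELLO),
        ("irc.example-net.org", 6667, IRC_HELLO),
        ("203.0.113.5", 8080, IRC_HELLO),
        ("www.example.org", 8080, HTTP_GET),
    ]:
        print(f"{name}:{port} -> {verdict(name, port, data)}")
```

Matching on the registration commands rather than the port is what lets the second rule follow IRC to whatever port it moves to, which is the objection raised in the quoted question.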