[Dshield] DShield's Public Goals

Harry Hoffman hhoffman at ip-solutions.net
Sun Jan 8 16:27:52 GMT 2006


Hi,

I can say that in almost all cases of infected machines that I see at 
work (a .edu) IRC communications do not happen on port 6667.

That's not to say that large amounts of botnet traffic don't happen on 
6667, but rather that there is a significant amount of traffic occurring that 
uses other ports.

Cheers,
Harry

dshield.org at keithbergen.com wrote:
> I am an operator on one of the smaller IRC networks, and I have seen
> many botnets that use 6667. They almost never seem to use anything else. I
> presumed that this is because you can always count on that port being open,
> whereas the other ports are only open on a network-by-network basis.
> Admittedly, most networks have 6668-6669, and often 6663-6666 as well, but
> not always. Another explanation is that a lot of these smaller botnets are
> being run by a less experienced person, and they don't know about other
> ports.
> 
> One caveat, I haven't had the misfortune to come up against one of these
> really big botnets. Most of the ones that attack us are under the 1,000 bots
> mark.
> 
> One thing that may work: these botnets often have irc.[network-name].org in
> their "config" files. If one were to block irc.*.org on 666*, then the user
> would still be able to connect to the servers of choice, but they would need
> to use the name ... Such as dshield.[network-name].org or
> city.state.country.[network-name].org.
> 
> Just a couple thoughts,
> 
> 
> Keith.
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Jeff Kell
> Sent: Thursday, January 05, 2006 12:07 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] DShield's Public Goals
> 
> 
> stu wrote:
> 
>>So my ISP will now block port 6667 to stop me from connecting to an IRC
>>server and the bot code gets modified to use port 6668? While users
>>complain IRC isn't working?
> 
> 
> You're much better off allowing 6667 and blocking IRC traffic on any other
> port :-)
> 
> I think I have seen *one* botnet that used 6667.
> 
> Jeff
> 
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 
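The thread's practical point (Harry and Jeff: bot C2 over IRC mostly does not sit on 6667; Keith: the bots carry an irc.[network-name].org server name in their config) is that a port number is not a protocol. The sketch below is an added example, not code from Harry, Keith, Jeff or the DShield list: it recognises IRC by its registration handshake (NICK/USER/JOIN from the client, numeric replies and PING from the server) in the first bytes of a TCP flow, whatever the destination port, then flags flows that look like IRC but are not on the port a site chooses to permit. It also pulls the server name out of the server's reply prefix, which is the piece of data Keith's name-based blocking idea depends on. All addresses, hostnames and payloads are constructed for illustration.

```python
"""Port-agnostic IRC detection over captured TCP payloads (added example).

Not code from any participant in this thread. Flows, hosts and
payloads below are constructed; .example hostnames are reserved names.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Commands a client sends while registering and joining channels.
IRC_CLIENT_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "MODE", "PRIVMSG", "PONG"}
# Server lines look like ":server 001 nick :Welcome" or ":server NOTICE AUTH :..."
SERVER_LINE = re.compile(rb"^:[^ ]+ (\d{3}|NOTICE|PING|PRIVMSG) ")
PING_LINE = re.compile(rb"^PING :?\S+")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_payload: bytes   # bytes the client sent first
    server_payload: bytes   # bytes the server answered with


def irc_lines(payload: bytes) -> Iterable[bytes]:
    """IRC is line oriented with CRLF terminators; skip empty lines."""
    for line in payload.split(b"\r\n"):
        if line:
            yield line


def score_irc(flow: Flow) -> int:
    """Count IRC protocol indicators in both directions, ignoring the port."""
    score = 0
    for line in irc_lines(flow.client_payload):
        cmd = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        if cmd in IRC_CLIENT_COMMANDS:
            score += 1
    for line in irc_lines(flow.server_payload):
        if SERVER_LINE.match(line) or PING_LINE.match(line):
            score += 1
    return score


def is_irc(flow: Flow, threshold: int = 3) -> bool:
    """Three or more indicators is enough to call a handshake IRC."""
    return score_irc(flow) >= threshold


def server_name(flow: Flow) -> Optional[str]:
    """Return the server name from the first prefixed server line, if any."""
    for line in irc_lines(flow.server_payload):
        if line.startswith(b":"):
            return line[1:].split(b" ", 1)[0].decode("ascii", "replace")
    return None


def flag_off_port_irc(flows: Iterable[Flow], allowed_ports=(6667,)) -> List[Flow]:
    """Jeff's rule: permit IRC on the chosen port, flag it anywhere else."""
    return [f for f in flows if is_irc(f) and f.dport not in allowed_ports]


# Constructed sample flows (not captured traffic).
LEGIT_IRC = Flow("10.0.0.5", "198.51.100.10", 6667,
                 b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #dshield\r\n",
                 b":irc.example.org NOTICE AUTH :*** Looking up your hostname\r\n"
                 b":irc.example.org 001 alice :Welcome\r\nPING :irc.example.org\r\n")
BOT_C2 = Flow("10.0.0.77", "203.0.113.9", 8080,
              b"PASS letmein\r\nNICK [XP|00421]\r\nUSER xp 0 0 :xp\r\nJOIN #c2 pw\r\n",
              b":irc.c2-net.example 001 [XP|00421] :Welcome\r\nPING :irc.c2-net.example\r\n")
HTTP_80 = Flow("10.0.0.9", "192.0.2.20", 80,
               b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
               b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
HTTP_ON_6667 = Flow("10.0.0.9", "192.0.2.21", 6667,
                    b"GET /status HTTP/1.1\r\nHost: other.example\r\n\r\n",
                    b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")
SAMPLE_FLOWS = [LEGIT_IRC, BOT_C2, HTTP_80, HTTP_ON_6667]

if __name__ == "__main__":
    for f in flag_off_port_irc(SAMPLE_FLOWS):
        print(f"IRC off-port: {f.src} -> {f.dst}:{f.dport} server={server_name(f)}")
```

Run as a script it reports only the constructed bot flow on 8080; the HTTP request that happens to land on 6667 scores zero, which is the point of inspecting the handshake rather than the port. A real deployment would feed this from a sensor's first-packets buffer and would need to tolerate IRC over TLS, where only the server name (via DNS or SNI) remains visible.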

