[Dshield] Dalnet being used as a C&C server
ge at linuxbox.org
Thu Jun 21 01:08:09 GMT 2007
On 2007-06-20 11:04-0700, Dalvenjah FoxFire wrote:
> I'd just like to chime in on this thread. I want to point out that
> DALnet first received notice of this issue at abuse at dal.net at 4:45PM PDT;
> the channel involved was blocked from use at 10:05PM PDT. That's what I
> would consider an excellent 5 hour response time; it also appears from this
> thread that confirmation was received that action was taken at around
> the same time.
> The apparent continuing discussion of "well I don't know if I trust that,
> let's pursue blocking DALnet" troubles me. As someone who has for upwards
I am unsure when this came up, as I didn't read the whole thread, but
maybe we need a history lesson here.
Botnets came originally from IRC, and therefore used public IRC
networks. Nowadays they mostly use private IRC servers if not other
protocols altogether, but some still use the old networks... and it is
quite a burden on these networks.
There are hundreds if not thousands of "legacy botnets" still connecting
to servers for years, as well as new ones. There is no real power for
IRC operators to deal with this, and it is quite a menace for them (in
the networks where they actually notice it).
Blocking a legitimate public server for the DALnet network is a lack of
clue on our part, and should not be done. In fact, I should stress
that it was on DALnet itself where much of what today we call botnet
hunting originated, and I am talking about 1996-7, not 2004. Some of us
who were on these networks back then, fighting these things, are still
around... but we are mostly gone.
So, let's just stop talking about blocking IRC networks, and please
white-list them if you have a C&C blacklist, unless it is for your own
organization alone where it is your choice alone.