IRC on Non-Standard Ports

Aug 04, 2011

Johannes B. Ullrich from SANS wrote about a user who made an interesting find in their network (you can read Johannes' note here). In short, the user wrote an IDS signature to look for the NICK and USER commands that signify the start of an IRC session and, lo and behold, found IRC traffic on non-standard ports. This is probably not too surprising given the affinity that bots have both for IRC and for traveling over non-standard ports (although it was certainly a good catch by the user).

However, the important thing to keep in mind is that this is the tip of the iceberg. Hackers run traffic on non-standard ports specifically for the purpose of avoiding signatures, and it's not a technique that is limited to IRC. If we all go back and think about how IDS/IPS signatures are written, they almost all look at the port number of traffic to determine whether to actually run the signature or not. The signature specifies a port or port range, and if the traffic is not on one of those ports, then the signature does not get applied. This is a simple yet fundamental weakness that bots, malware and attackers of all stripes use.
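The gap described above, as an added example that is not from the original post or from any product: the same NICK/USER content match evaluated only on listed IRC ports versus on every port. The port list, function names and sample flows are assumptions constructed for illustration.

```python
import re

# Assumption for this example: the ports a port-bound signature would list.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# IRC session start: a NICK line and a USER line early in the client stream.
# Case-insensitive so lowercase commands are not missed.
NICK_RE = re.compile(rb"^NICK +\S+\r?$", re.M | re.I)
USER_RE = re.compile(rb"^USER +\S+ +\S+ +\S+ +:?\S", re.M | re.I)

def is_irc_registration(payload: bytes, depth: int = 512) -> bool:
    """True if both NICK and USER appear in the first `depth` client bytes."""
    head = payload[:depth]
    return bool(NICK_RE.search(head) and USER_RE.search(head))

def port_bound(flow: dict) -> bool:
    """Signature that is only evaluated on the listed IRC ports."""
    return flow["dport"] in IRC_PORTS and is_irc_registration(flow["payload"])

def any_port(flow: dict) -> bool:
    """Same content match, evaluated regardless of destination port."""
    return is_irc_registration(flow["payload"])

# Constructed sample flows (first client-to-server bytes of each TCP session).
FLOWS = [
    {"dport": 6667, "payload": b"NICK alice\r\nUSER alice 0 * :Alice\r\n"},
    {"dport": 8080, "payload": b"PASS x\r\nNICK host42\r\nUSER host42 0 * :h\r\n"},
    {"dport": 8080, "payload": b"POST /login HTTP/1.1\r\nUser-Agent: t\r\n\r\nnick=bob"},
    {"dport": 25,   "payload": b"EHLO mail.example.org\r\n"},
]

def compare(flows):
    """Return (dport, port_bound hit, any_port hit) for each flow."""
    return [(f["dport"], port_bound(f), any_port(f)) for f in flows]

if __name__ == "__main__":
    for dport, bound, anyp in compare(FLOWS):
        print(f"dport={dport:<5} port_bound={bound!s:<5} any_port={anyp}")
```

The second flow is the case from the SANS note: an IRC registration on port 8080 that the port-bound check never evaluates, while the HTTP flow on the same port stays clean under both.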

This is where the Palo Alto Networks next-generation firewall differs from every other firewall or IPS on the market. By inspecting all traffic, on all ports, all of the time, you find and classify all of that traffic on non-standard ports automatically. You instantly see all of that strange IRC traffic, or any other application or protocol for that matter. IPS, malware and filtering intelligence is applied to the traffic regardless of whether it uses a standard or non-standard port. So instead of having to hack together signatures for each type of traffic, we actually have a solution that is architecturally designed to solve just these kinds of problems.
