Egress over IRC port

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an egress connection is made over port 6667 (IRC).

Strategy

Egress connections to unknown hosts over port 6667 should be rare. Internet Relay Chat (IRC) is a protocol that is commonly abused by malicious botnet operators. Malicious commands built into the malware include methods to fetch system information, download additional malware, or execute attacks targeting other hosts.

Triage and response

  1. Determine the process making the connection.
  2. Verify if there is a legitimate reason for the host to communicate over this port. Search network flows to determine whether the activity is happening on other hosts.
  3. Isolate the workload, preserving it for analysis.
  4. Review related signals to understand the full timeline of the incident.
  5. Find and repair the root cause of the incident.

This detection is based on data from Cloud Network Monitoring.