1. What is IRC?
Internet Relay Chat.

2. What message is sent by an IRC client when it asks to join an IRC network?
IRC works by a user connecting with a client program to one of the servers. Once connected, the user can join a channel and talk to the people that are currently in the channel.

3. What is a botnet?
A botnet is a network of IRC bots that communicate with one another. They share a means of communication where all bots speak to each other and exchange information. They are useful for keeping and maintaining a channel by acting as a group of channel bots that work together with a common goal.

4. What are botnets commonly used for?
If an IRC bot dies, the rest of the bots on the botnet remain to continue maintaining the channel, and the loss of the one bot means nothing because the other bots do its exact same job.

5. What TCP ports does IRC generally use?
The IRC port is usually 6667, but is sometimes 7000. IN TCP 113; IRC Chat OUT TCP 100, IN TCP 101; IRC Fserve OUT TCP 110, IN TCP 111; IRC Send OUT TCP 120, IN TCP 121; IRC Get OUT TCP 130, IN TCP 131.

6. What is a binary log file and how is one created?
A binary log file is a non-ASCII file of raw output saved in tcpdump format. With tcpdump you would use `tcpdump -w filename`; with Ethereal, select "Save As" in the File menu and choose the libpcap format.

7. What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?
212.199.175.10
63.241.174.144
209.196.44.172

8. During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?
346 clients and 1 server.

9. Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?
1.9376 Gig.

Intermediate Questions

1. What IP source addresses were used in attacking the honeypot?
66.8.163.125
209.45.125.69 (logon failure)
210.22.204.101 (PSH, ACK, scan)

2. What vulnerabilities did attackers attempt to exploit?
Ports 1077, 1061.

3. Which attacks were successful?
207.172.16.150

General Questions

1. I learned a lot about how to look for alerts in Ethereal and the problems with IRC chat.
2. Checking through log files and ACL reports will be easier with this tutorial.
3. This is the first time I have done this and I am very impressed with it so far.
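Questions 6 to 8 above come down to reading the binary log back as text and counting which hosts talked to which IRC server. The following is an added example, not part of the original submission or the challenge material: it parses the text output of `tcpdump -n -r binary.log` and reports distinct client hosts per IRC server, using the ports listed in question 5. The sample lines are constructed for illustration and do not come from the challenge capture.

```python
import re
from collections import defaultdict

# Ports the answer to question 5 gives as the usual IRC server ports.
IRC_PORTS = {6667, 7000}

# Matches the "IP src.sport > dst.dport:" part of `tcpdump -n` text output.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def irc_clients_per_server(lines, irc_ports=IRC_PORTS):
    """Return {server_ip: set(client_ips)} for packets sent to an IRC port.

    Only client->server packets count, so a server's replies (source port
    6667, destination port ephemeral) do not inflate the client set.
    """
    clients = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, truncated or otherwise non-IP lines
        src, _sport, dst, dport = m.groups()
        if int(dport) in irc_ports:
            clients[dst].add(src)
    return clients


def servers_contacted_by(lines, host, irc_ports=IRC_PORTS):
    """Return the sorted list of IRC servers that `host` sent traffic to (question 7)."""
    per_server = irc_clients_per_server(lines, irc_ports)
    return sorted(server for server, hosts in per_server.items() if host in hosts)


# Constructed sample lines in `tcpdump -n` format (not from the challenge capture).
SAMPLE = """\
14:01:02.100000 IP 172.16.134.191.1077 > 209.196.44.172.6667: Flags [S], seq 1, win 8192, length 0
14:01:02.200000 IP 209.196.44.172.6667 > 172.16.134.191.1077: Flags [S.], seq 2, ack 2, win 8192, length 0
14:01:03.000000 IP 10.0.0.7.3001 > 209.196.44.172.6667: Flags [P.], seq 1:40, ack 1, win 8192, length 39
14:01:04.000000 IP 10.0.0.8.3002 > 209.196.44.172.6667: Flags [S], seq 1, win 8192, length 0
14:01:04.500000 IP 10.0.0.7.3003 > 209.196.44.172.6667: Flags [S], seq 1, win 8192, length 0
14:01:05.000000 IP 172.16.134.191.1061 > 63.241.174.144.7000: Flags [S], seq 1, win 8192, length 0
14:01:06.000000 IP 10.0.0.9.4000 > 209.196.44.172.80: Flags [S], seq 1, win 8192, length 0
14:01:07.000000 ARP, Request who-has 172.16.134.1 tell 172.16.134.191, length 28
""".splitlines()

if __name__ == "__main__":
    for server, hosts in sorted(irc_clients_per_server(SAMPLE).items()):
        print(f"{server}: {len(hosts)} distinct client host(s)")
    print("honeypot talked to:", servers_contacted_by(SAMPLE, "172.16.134.191"))
```

On a real capture, feed it `tcpdump -n -r binary.log` output line by line; the same host reconnecting from several source ports is counted once, which is the "distinct hosts" figure question 8 asks for.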