Firewall Wizards mailing list archives

Re: Botnets, IRC servers and firewalls?


From: Paul Robertson <proberts () patriot net>
Date: Tue, 3 Feb 2004 08:45:01 -0500 (EST)

On Tue, 3 Feb 2004, Gadi Evron wrote:

I've yet to see a business need for BotNet clients to run successfully ;)

Perhaps application filtering for the Drone control protocol?

Much better done in a controlled lab environment than on a production
network.  The bot connecting to a captive server isn't what I'd consider
"successful."

Drone armies, although massive, are nothing special.

They are usually built of the same 2-4 Trojan horses that are big at
that time.

Yep, but the point I'm making is that we have widespread infections inside
companies "protected" by firewalls- while the firewalls are perfectly
capable of supporting sane security policies that would block the 98th
percentile of these things.

Filtering the traffic for their control protocol, on whatever port, or
their repetitive echo commands/ special connections to IRC servers under
certain IRC names or nickname/ident/name pattern-combinations is pretty
easy to do when you come to think about it.

Exactly my point.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
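
The filtering idea discussed in this message (recognise the IRC client registration on whatever port it appears, then match nickname/ident patterns), sketched as an added example that is not part of the original post or the list archive. The name pattern, the port set and the sample flows are constructed assumptions, not signatures of any real bot.

```python
import re

# Client registration per RFC 1459: a NICK and a USER line open every session.
NICK_RE = re.compile(rb"^NICK\s+:?(\S+)", re.I)
USER_RE = re.compile(rb"^USER\s+(\S+)\s", re.I)
# Constructed pattern (assumption): short prefix, optional separator, 4+ digits.
GENERATED_NAME = re.compile(rb"^[A-Za-z]{0,8}[|_\-\[]?\d{4,}\]?$")
# Ports where the sample policy expects plaintext IRC (assumption).
IRC_PORTS = set(range(6660, 6670)) | {7000}


def inspect_flow(dst_port, payload):
    """Classify the first client-to-server bytes of an outbound TCP flow."""
    nick = ident = None
    for raw in payload.split(b"\n")[:8]:       # registration comes first
        line = raw.strip()
        if (m := NICK_RE.match(line)):
            nick = m.group(1)
        elif (m := USER_RE.match(line)):
            ident = m.group(1)
    if nick is None or ident is None:
        return {"irc": False, "action": "pass", "reasons": []}
    reasons = ["irc-registration"]
    if dst_port not in IRC_PORTS:
        reasons.append("nonstandard-port")      # protocol seen "on whatever port"
    if GENERATED_NAME.match(nick) or GENERATED_NAME.match(ident):
        reasons.append("generated-name")
    action = "block" if len(reasons) > 1 else "alert"
    return {"irc": True, "action": action, "reasons": reasons,
            "nick": nick.decode("ascii", "replace")}


# Constructed sample flows: (destination port, first payload bytes).
SAMPLES = [
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"),
    (6667, b"NICK alice\r\nUSER alice 0 * :Alice Example\r\n"),
    (8080, b"NICK drone|48213\r\nUSER a48213 0 * :a48213\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, inspect_flow(port, data))
```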

