Firewall Wizards mailing list archives
stopping bots from phoning home
From: mason () schmitt ca
Date: Wed, 31 Aug 2005 11:52:45 -0700 (PDT)
It seems that the majority of bots connect to an IRC server in order to get their instructions, and some spyware is starting to do the same. So if the avenue for abuse of an infected machine is via connection to IRC networks, why not block all outbound IRC traffic (we have a Packeteer packet shaper that I think can classify IRC traffic regardless of the port it runs on) and implement a proxy that legitimate users of IRC have to log into in order to gain access to IRC servers outside our network? This way an infected PC can't phone home, legitimate use of IRC is still possible with only a slight hurdle, and I can log all traffic that hits my block so that I can investigate those PCs. Your thoughts?

Given that this flies in the face of this list's mantra of "block outbound IRC, there is no business case for its use" and "a default deny stance is far more secure than a default allow stance", I feel compelled to say that I absolutely fully agree with these points, as well as the vast majority of security truisms that are stated repeatedly on this list. However, I'm not talking about our company LAN or the servers that I manage. The network that takes the majority of my time is our customer network.

I've posted before, but not often. I'm a sysadmin for a small cable ISP. I frequently struggle with the seemingly unworkable position of being transparent to our customers while simultaneously protecting them from themselves and the "big bad net". As you can well imagine, I can't make a default deny stance work in this environment, so I am left with exactly what I don't want to be doing, which is watching for problems and trying to stop them before they make a real mess... Needless to say, this sucks.

Because I am in this state and we have very little manpower for things such as maintaining router blacklist rules for known spyware sites, IRC botnet controllers, etc. (which have their own support staff payload and customer satisfaction issues as well), I'm always trying to think of ways of reducing our customers' exposure to threats without getting in their way more than I have to and without creating a maintenance nightmare for myself. I have implemented ingress/egress blocks for really common problem ports, configured multiple-layer virus filtering for inbound and outbound email, we have a very cost-effective anti-spam solution, I have blocked Windows popup spam, etc., but spyware and bots are finding plenty of ways around my basic defences, and the spyware problem is only going to get more pronounced. This is why I suggest awkward things like the authenticating IRC proxy idea above.

I'm also currently looking at a multi-function gateway (sounds just as cheesy as those multi-function printer, fax, scanner things...) that does spyware, virus scanning and IPS on all traffic traversing our link. At this point, I don't see any way around it.

This is my quiet plea for answers.

-- Mason

firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
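The policy Mason proposes has two parts: recognise IRC by what the client sends rather than by destination port, and then drop and log anything that is IRC but is not headed for the authenticating proxy. The following is an added example, not code from the post or from any Packeteer product, that does the same classification in Python over a handful of constructed flows. The proxy address 192.0.2.10 and the sample payloads are assumptions made for the example; a real deployment would feed the first client bytes of each new TCP connection into `decide()` from a tap or the shaper's classifier.

```python
"""Classify TCP flows as IRC by payload, not port, and apply the policy from
the post: outbound IRC is blocked and logged unless it goes through the
authenticating proxy. Hosts with blocked flows are the ones to investigate.
All flows below are constructed sample data, not captured traffic."""
import re
from dataclasses import dataclass
from typing import List, Tuple

PROXY = "192.0.2.10"  # hypothetical address of the authenticating IRC proxy

# Client-to-server commands from RFC 1459/2812. NICK is mandatory during
# registration and, unlike USER/PASS, never appears in POP3 or FTP logins,
# so we insist on it before calling a flow IRC.
IRC_CMD = re.compile(rb"^(PASS|NICK|USER|JOIN|MODE|PRIVMSG|PONG|CAP)(\s|$)", re.I)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent after the handshake


def irc_commands(payload: bytes) -> List[bytes]:
    """Return the upper-cased IRC command word at the start of each line.
    Accepts LF-only line endings, which sloppy bots sometimes use."""
    cmds = []
    for line in payload.replace(b"\r\n", b"\n").split(b"\n"):
        m = IRC_CMD.match(line)
        if m:
            cmds.append(m.group(1).upper())
    return cmds


def looks_like_irc(payload: bytes) -> bool:
    """IRC if the client registered a nick and sent at least one other command."""
    cmds = irc_commands(payload)
    return b"NICK" in cmds and len(set(cmds)) >= 2


def decide(flow: Flow) -> Tuple[str, str]:
    """Apply the post's policy: IRC is allowed only via the proxy."""
    if not looks_like_irc(flow.payload):
        return ("allow", "not IRC")
    if flow.dst == PROXY:
        return ("allow", "IRC via authenticating proxy")
    return ("block", f"IRC to {flow.dst}:{flow.dport} bypassing proxy")


def suspects(flows: List[Flow]) -> List[str]:
    """Customer addresses with at least one blocked IRC flow, for follow-up."""
    return sorted({f.src for f in flows if decide(f)[0] == "block"})


# Constructed sample flows: two bots (one on 6667, one hiding on 8080), a
# POP3 login, an HTTP request, and a legitimate user going through the proxy.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "198.51.100.7", 6667, b"NICK [USA|XP|1234]\r\nUSER x 0 0 :x\r\n"),
    Flow("10.1.1.9", "198.51.100.8", 8080, b"NICK deadbeef\nUSER a b c :d\nJOIN #c\n"),
    Flow("10.1.1.20", "203.0.113.4", 110, b"USER bob\r\nPASS hunter2\r\n"),
    Flow("10.1.1.21", "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.1.1.30", PROXY, 6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = decide(f)
        print(f"{f.src} -> {f.dst}:{f.dport}  {verdict}  ({reason})")
    print("investigate:", suspects(SAMPLE_FLOWS))
```

Requiring NICK rather than any single command is what keeps the POP3 flow out of the block list; USER and PASS alone would have matched it. The obvious limit of payload classification is that it only sees cleartext: a bot that wraps its IRC session in SSL or speaks a custom protocol will not trip this rule, which is the same gap a port-independent classifier on the shaper would have.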
Current thread:
- stopping bots from phoning home mason (Aug 31)
- Re: stopping bots from phoning home Kevin (Aug 31)