Firewall Wizards mailing list archives

stopping bots from phoning home


From: mason () schmitt ca
Date: Wed, 31 Aug 2005 11:52:45 -0700 (PDT)

It seems that the majority of bots connect to an IRC server in order to
get their instructions and some spyware is starting to do the same.  So if
the avenue for abuse of an infected machine is via connection to IRC
networks, why not block all outbound IRC traffic (we have a Packeteer
packet shaper that I think can classify IRC traffic regardless of the port
it runs on) and implement a proxy that legitimate users of IRC have to log
into in order to gain access to IRC servers outside our network?  This way
an infected PC can't phone home, legitimate use of IRC is still possible
with only a slight hurdle, and I can log all traffic that hits my block so
that I can investigate those PCs.

Your thoughts?

Given that this flies in the face of this list's mantra of, "block
outbound IRC, there is no business case for its use" and "a default deny
stance is far more secure than a default allow stance", I feel compelled
to say that I absolutely fully agree with these points as well as the
vast majority of security truisms that are stated repeatedly on this list.
However, I'm not talking about our company LAN or the servers that I
manage.  The network that takes the majority of my time is our customer
network.

I've posted before, but not often.  I'm a sysadmin for a small cable ISP.
I frequently struggle with the seemingly unworkable position of being
transparent to our customers while simultaneously protecting them from
themselves and the "big bad net".  As you can well imagine, I can't make a
default deny stance work in this environment, so I am left with exactly
what I don't want to be doing which is watching for problems and trying to
stop them before they make a real mess...  Needless to say, this sucks.

Because I am in this state and we have very little manpower for things
such as maintaining router blacklist rules for known spyware sites, IRC
botnet controllers, etc. (which have their own support staff payload and
customer satisfaction issues as well), I'm always trying to think of ways
of reducing our customers' exposure to threats without getting in their
way more than I have to and without creating a maintenance nightmare for
myself.  I have implemented ingress/egress blocks for really common
problem ports, configured multiple layer virus filtering for inbound and
outbound email, we have a very cost effective anti-spam solution, I have
blocked Windows popup spam, etc., but spyware and bots are finding plenty
of ways around my basic defences and the spyware problem is only going to
get more pronounced.  This is why I suggest awkward things like the
authenticating IRC proxy idea above.  I'm also currently looking at a
multi-function gateway (sounds just as cheesy as those multi-function
printer, fax, scanner things...) that does spyware, virus scanning and IPS
on all traffic traversing our link.

At this point, I don't see any way around it.  This is my quiet plea for
answers.

--
Mason
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
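One way to act on the "log all traffic that hits my block so that I can investigate those PCs" part of the proposal, as an added example that is not from the post or the list: a script that parses iptables-style LOG lines for an outbound IRC block rule and ranks customer hosts by repeated blocked attempts, so that a machine retrying the same controller stands out from a one-off. The rule name IRC-BLOCK, the log format and all addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of kernel LOG lines for a hypothetical "IRC-BLOCK" egress rule
# (not taken from the original post). Addresses are documentation ranges.
SAMPLE_LOG = """\
Aug 31 11:40:01 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=192.0.2.10 PROTO=TCP SPT=1054 DPT=6667
Aug 31 11:40:02 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=192.0.2.10 PROTO=TCP SPT=1055 DPT=6667
Aug 31 11:40:03 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=192.0.2.11 PROTO=TCP SPT=1056 DPT=6668
Aug 31 11:41:10 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=10.20.30.41 DST=198.51.100.5 PROTO=TCP SPT=3344 DPT=6667
Aug 31 11:42:00 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=192.0.2.10 PROTO=TCP SPT=1057 DPT=6667
"""

# Matches only lines produced by the block rule; other kernel log noise is ignored.
LOG_RE = re.compile(
    r"IRC-BLOCK .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_blocked(log_text):
    """Return a list of (src, dst, dport) tuples, one per blocked outbound IRC attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return hits


def suspect_hosts(hits, min_attempts=3):
    """Rank customer IPs by blocked attempts and list the distinct servers each one
    tried. A host hammering the same server repeatedly is the one worth a phone call;
    a single attempt is more likely a human who has not found the proxy yet."""
    attempts = Counter(src for src, _, _ in hits)
    dests = defaultdict(set)
    for src, dst, dpt in hits:
        dests[src].add((dst, dpt))
    return [
        {"src": src, "attempts": n, "destinations": sorted(dests[src])}
        for src, n in attempts.most_common()
        if n >= min_attempts
    ]


if __name__ == "__main__":
    for host in suspect_hosts(parse_blocked(SAMPLE_LOG)):
        print(f"{host['src']}: {host['attempts']} blocked attempts -> {host['destinations']}")
```

In production the same script would read the syslog file the gateway writes rather than the embedded sample, and the threshold can be tuned to the volume a given customer base produces.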