Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: stopping bots from phoning home

From: mason () schmitt ca
Date: Wed, 7 Sep 2005 20:42:07 -0700 (PDT)
We take this a step further -- let all traffic that hits the blocks talk
to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
quarantine the source host.


Do you use bopm or something like that on your sandbox ircd?



If enough sites start doing this, the Zombie Masters will find a
new C&C channel for their 'bots, perhaps SSL web sites on TCP/443...



They already have plenty.  The most disturbing of which are p2p overlay
networks that are setup just for controlling these bots.  ie - not
gnutella, fastrack, etc.


I'm not sure that an explicit proxy solution will fly in a public ISP,
customers just are not going to be comfortable with having to jump
through hoops when they're used to just being able to click on the
"live chat" button on their brokerage or Invader Zim webboard and go
right into a conversation.  Most of the time the user doesn't even know
they are using IRC!


I'm somewhat sceptical that some "live chat" buttons actually invoke IRC. 
Or Invader Zim webboard for that matter ;)  Are you sure?  Can you give me
a real example?


I don't know that the situation can be made to suck any less for a
public ISP.  I've been in that boat, am glad to be back on dry land.


Sometimes it's horribly frustrating.  Other times, I seriously enjoy the
challenge.  Being a lone sysadmin at a small ISP means that I get to play
with all the toys :)

--
Mason
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: