Firewall Wizards mailing list archives
Re: stopping bots from phoning home
From: mason () schmitt ca
Date: Wed, 7 Sep 2005 20:42:07 -0700 (PDT)
> We take this a step further -- let all traffic that hits the blocks talk to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter, quarantine the source host.
Do you use bopm or something like that on your sandbox ircd?
> If enough sites start doing this, the Zombie Masters will find a new C&C channel for their 'bots, perhaps SSL web sites on TCP/443...
They already have plenty. The most disturbing of which are p2p overlay networks that are set up just for controlling these bots, i.e. not gnutella, fastrack, etc.
> I'm not sure that an explicit proxy solution will fly in a public ISP, customers just are not going to be comfortable with having to jump through hoops when they're used to just being able to click on the "live chat" button on their brokerage or Invader Zim webboard and go right into a conversation. Most of the time the user doesn't even know they are using IRC!
I'm somewhat sceptical that some "live chat" buttons actually invoke IRC. Or Invader Zim webboard for that matter ;) Are you sure? Can you give me a real example?
> I don't know that the situation can be made to suck any less for a public ISP. I've been in that boat, am glad to be back on dry land.
Sometimes it's horribly frustrating. Other times, I seriously enjoy the challenge. Being a lone sysadmin at a small ISP means that I get to play with all the toys :)
--
Mason
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards