[fw-wiz] Botnets, IRC servers and firewalls?

From: Paul Robertson (proberts_at_patriot.net)
Date: 02/02/04

  • Next message: M. Dodge Mumford: "Re: [fw-wiz] Botnets, IRC servers and firewalls?"
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 2 Feb 2004 17:02:58 -0500 (EST)

    Seems like we're seeing more and more botnet infections going out to IRC
    servers. Granted several of these infections go to servers on different
    ports than the default, but a significant number of them are hitting
    servers on tcp/6667.

    Now that most firewalls don't proxy, it seems way too many places are
    allowing TCP straight out to any port, so long as it originates inside
    (certainly the "NAT is a firewall crowd.") How many people routinely
    block TCP/6667, or non-allowed applications? How many of you who don't
    block it do regular reports on connections initiated inside to external
    servers that aren't on port 80, 443, etc?

    I was tempted to save all the mydoom samples I got and map them back
    to netblocks to see how many were home users, and how many folks allowed
    SMTP straight out. But I didn't have the patience to sort through all the

    Firewalls are certainly capable of blocking a lot of this stuff- and I
    don't believe that the problem is just home users- am I wrong, or do we
    have too many places with too lax a security policy anymore?

    ($diety knows we've got too many content filters and AV bouncers- I'm
    about to start collecting regexps for those to add to my block lists.)

    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    firewall-wizards mailing list

  • Next message: M. Dodge Mumford: "Re: [fw-wiz] Botnets, IRC servers and firewalls?"