[fw-wiz] Botnets, IRC servers and firewalls?

From: Paul Robertson (proberts_at_patriot.net)
Date: 02/02/04

  • Next message: M. Dodge Mumford: "Re: [fw-wiz] Botnets, IRC servers and firewalls?" 
    To: firewall-wizards@honor.icsalabs.com
Date: Mon, 2 Feb 2004 17:02:58 -0500 (EST)

    Seems like we're seeing more and more botnet infections going out to IRC
    servers. Granted several of these infections go to servers on different
    ports than the default, but a significant number of them are hitting
    servers on tcp/6667.

    Now that most firewalls don't proxy, it seems way too many places are
    allowing TCP straight out to any port, so long as it originates inside
    (certainly the "NAT is a firewall crowd.") How many people routinely
    block TCP/6667, or non-allowed applications? How many of you who don't
    block it do regular reports on connections initiated inside to external
    servers that aren't on port 80, 443, etc?

    I was tempted to save all the mydoom samples I got and map them back
    to netblocks to see how many were home users, and how many folks allowed
    SMTP straight out. But I didn't have the patience to sort through all the
    messages.

    Firewalls are certainly capable of blocking a lot of this stuff- and I
    don't believe that the problem is just home users- am I wrong, or do we
    have too many places with too lax a security policy anymore?

    ($diety knows we've got too many content filters and AV bouncers- I'm
    about to start collecting regexps for those to add to my block lists.)

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: M. Dodge Mumford: "Re: [fw-wiz] Botnets, IRC servers and firewalls?"

    Relevant Pages

    • Re: [opensuse] Remote upgrade problem
      ... All my remote sites have serial console servers connected. ... CCM840 8 port, dedicated local console ...
      (SuSE)
    • Re: Blocking attacks from spoofed IP addresses
      ... cause a _Self_ Denial Of Service attack. ... Defeating Denial of Service Attacks ... of our DMZ servers, and had source IPs from our public DNS servers. ... Web services are on your port 80 and/or 443, ...
      (comp.os.linux.networking)
    • panic: page fault - 6.0-RELEASE-p7
      ... While we thought we had done enough testing, apparently we hadn't and are now experiencing panic's on a number of the servers. ... ppc0: parallel port not found. ... unknown: can't assign resources (memory) ...
      (freebsd-questions)
    • Re: panic: page fault - 6.0-RELEASE-p7 (now 6.1-RC2)
      ... While we thought we had done enough testing, apparently we hadn't and are now experiencing panic's on a number of the servers. ... It has shown that information before, and it has always been tcpserver from the ucspi-tcp-0.88_2 port. ... unknown: can't assign resources (memory) ...
      (freebsd-questions)
    • Is FreeBSD ready for desktop (Mozilla Flash)
      ... monitor,, somehow the install fails to detect ... "Macromedia Flash plugin is not available for FreeBSD. ... I quote again "Install the www/linuxpluginwrapper port. ... servers, ...
      (comp.unix.bsd.freebsd.misc)