Re: [fw-wiz] Botnets, IRC servers and firewalls?
From: Paul Robertson (proberts_at_patriot.net)
Date: 02/03/04
- Previous message: Lazlò Carreidas: "[fw-wiz] Generic Rules Digest Software"
- In reply to: Gadi Evron: "Re: [fw-wiz] Botnets, IRC servers and firewalls?"
- Next in thread: R. DuFresne: "Re: [fw-wiz] Botnets, IRC servers and firewalls?"
- Reply: R. DuFresne: "Re: [fw-wiz] Botnets, IRC servers and firewalls?"
To: Gadi Evron <ge@egotistical.reprehensible.net>
Date: Tue, 3 Feb 2004 08:45:01 -0500 (EST)

On Tue, 3 Feb 2004, Gadi Evron wrote:
> > I've yet to see a business need for BotNet clients to run successfully ;)
>
> Perhaps application filtering for the Drone control protocol?
Much better done in a controlled lab environment than on a production
network. The bot connecting to a captive server isn't what I'd consider
"successful."
> Drone armies, although massive, are nothing special.
>
> They are usually built of the same 2-4 Trojan horses that are big at
> that time.
Yep, but the point I'm making is that we have widespread infections inside
companies "protected" by firewalls- while the firewalls are perfectly
capable of supporting sane security policies that would block the 98th
percentile of these things.
> Filtering the traffic for their control protocol, on whatever port, or
> their repetitive echo commands/ special connections to IRC servers under
> certain IRC names or nickname/ident/name pattern-combinations is pretty
> easy to do when you come to think about it.
Exactly my point.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
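
The port-independent filtering discussed in this thread, sketched as an added example that is not part of the original message: it recognises the IRC registration handshake (NICK/USER) in the first client bytes of an outbound TCP stream on any port and tags nickname/realname combinations. The patterns, the port set and the sample payloads are constructed for illustration.

```python
import re

# IRC client registration (RFC 1459): optional PASS, then NICK and USER.
NICK_RE = re.compile(rb"^NICK\s+:?(\S+)", re.I)
USER_RE = re.compile(rb"^USER\s+(\S+)\s+\S+\s+\S+\s+:?(.*)$", re.I)

# Assumption: ports treated as "expected" for IRC (194 assigned, 6660-6669 by convention).
IRC_PORTS = {194, *range(6660, 6670)}
# Constructed pattern: short alphabetic tag followed by a long run of digits.
# Real patterns would come from samples analysed in a lab.
SUSPECT_NICK = re.compile(rb"^[A-Za-z]{2,5}[-_|]?\d{4,}$")


def parse_registration(payload: bytes):
    """Return nick/ident/realname if the stream opens with IRC registration, else None."""
    fields = {}
    for line in payload.split(b"\n")[:8]:      # only the first few client lines matter
        line = line.strip()
        m = NICK_RE.match(line)
        if m:
            fields["nick"] = m.group(1)
            continue
        m = USER_RE.match(line)
        if m:
            fields["ident"], fields["realname"] = m.group(1), m.group(2)
    return fields if {"nick", "ident"} <= fields.keys() else None


def classify(payload: bytes, dst_port: int):
    """Tag a stream by protocol content, not by destination port."""
    reg = parse_registration(payload)
    if reg is None:
        return []
    tags = ["irc-registration"]                # alertable by itself under a deny-IRC policy
    if dst_port not in IRC_PORTS:
        tags.append("nonstandard-port")
    if SUSPECT_NICK.match(reg["nick"]):
        tags.append("nick-pattern")
    if reg["realname"] == reg["nick"]:         # constructed nick/realname combination rule
        tags.append("nick-equals-realname")
    return tags


if __name__ == "__main__":
    # Constructed sample payloads: (first client bytes, destination port).
    samples = [(b"NICK alice\r\nUSER alice 0 * :Alice Example\r\n", 6667),
               (b"NICK xq-48213907\r\nUSER xq48 0 * :xq-48213907\r\n", 8080),
               (b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 8080)]
    for data, port in samples:
        print(port, classify(data, port))
```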