Re: [fw-wiz] stopping bots from phoning home

From: Kevin (kkadow_at_gmail.com)
Date: 09/01/05

    To: "mason@schmitt.ca" <mason@schmitt.ca>
    Date: Wed, 31 Aug 2005 20:24:36 -0500
    
    

    On 8/31/05, mason@schmitt.ca <mason@schmitt.ca> wrote:
    > It seems that the majority of bots connect to an IRC server in order to
    > get their instructions and some spyware is starting to do the same. So if
    > the avenue for abuse of an infected machine is via connection to IRC
    > networks, why not block all outbound IRC traffic (we have a Packeteer
    > packet shaper that I think can classify IRC traffic regardless of the port
    > it runs on) and implement a proxy that legitimate users of IRC have to log
    > into in order to gain access to IRC servers outside our network?

    Sounds like a good plan, even without bots in the picture.

    There are a few open source IRC proxies, including bnc, JBouncer, etc.

    > This way an infected PC can't phone home, legitimate use of IRC is
    > still possible with only a slight hurdle, and I can log all traffic that
    > hits my block so that I can investigate those PCs.

    We take this a step further -- let all traffic that hits the blocks talk
    to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
    quarantine the source host.

    If enough sites start doing this, the Zombie Masters will find a
    new C&C channel for their 'bots, perhaps SSL web sites on TCP/443...

    > However, I'm not talking about our company LAN or the servers that I
    > manage. The network that takes the majority of my time is our customer
    > network.

    I'm not sure that an explicit proxy solution will fly in a public ISP;
    customers just are not going to be comfortable with having to jump
    through hoops when they're used to just being able to click on the
    "live chat" button on their brokerage or Invader Zim webboard and go
    right into a conversation. Most of the time the user doesn't even know
    they are using IRC!

    > I've posted before, but not often. I'm a sysadmin for a small cable ISP.
    > I frequently struggle with the seemingly unworkable position of being
    > transparent to our customers while simultaneously protecting them from
    > themselves and the "big bad net". As you can well imagine, I can't make a
    > default deny stance work in this environment, so I am left with exactly
    > what I don't want to be doing which is watching for problems and trying to
    > stop them before they make a real mess... Needless to say, this sucks.

    I don't know that the situation can be made to suck any less for a
    public ISP. I've been in that boat and am glad to be back on dry land.

    Kevin Kadow
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
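As an added illustration of the "sandbox minimal IRCd" idea Kevin describes above (this is example code, not code from the list or from any project), the handler below speaks just enough IRC to record what a redirected client does, never relays a JOIN anywhere, and decides whether to quarantine or merely log the source host. The nick pattern, burst window and threshold are assumed, illustrative heuristics, not measured bot signatures.

```python
import re

# Added example, not from the original thread.  The heuristics and thresholds
# are assumptions chosen for illustration, not measured bot signatures.
NICK_AUTOGEN = re.compile(r"^[A-Za-z]{1,4}\d{4,}$")   # e.g. "abc12345"
BURST_LINES = 3            # a JOIN this early in the session looks scripted
QUARANTINE_THRESHOLD = 2   # indicator count at which the source host is quarantined

class SandboxSession:
    """One client that hit the outbound-IRC block and was redirected here."""
    def __init__(self, src_ip):
        self.src_ip, self.nick, self.user = src_ip, None, None
        self.registered, self.lines = False, 0
        self.joins = []      # (channel, key or None, line number of the JOIN)
        self.replies = []    # what the minimal IRCd answered, kept for the log

    def feed(self, line):
        """Consume one raw client line and queue the minimal server reply."""
        self.lines += 1
        parts = line.strip().split()
        if not parts:
            return
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "NICK" and args:
            self.nick = args[0]
        elif cmd == "USER" and args:
            self.user = args[0]
        elif cmd == "JOIN" and args:   # never relay: every channel "does not exist"
            self.joins.append((args[0], args[1] if len(args) > 1 else None, self.lines))
            self.replies.append(f":sandbox 403 {self.nick or '*'} {args[0]} :No such channel")
        if self.nick and self.user and not self.registered:
            self.registered = True
            self.replies.append(f":sandbox 001 {self.nick} :Welcome to the sandbox")

def bot_indicators(session):
    """List the reasons a session looks like bot chatter rather than a person."""
    reasons = []
    if session.nick and NICK_AUTOGEN.match(session.nick):
        reasons.append(f"nick {session.nick!r} looks auto-generated")
    for chan, key, at in session.joins:
        if key:
            reasons.append(f"JOIN {chan} with a channel key")
        if at <= BURST_LINES:
            reasons.append(f"JOIN {chan} on line {at}, inside the connect burst")
    return reasons

def decide(session):
    """Quarantine the source host or only log it, per the threshold above."""
    return "quarantine" if len(bot_indicators(session)) >= QUARANTINE_THRESHOLD else "log"
```

Real clients auto-join channels on connect too, so in practice the burst heuristic needs tuning against the site's own legitimate traffic before it drives a quarantine.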

