Re: [fw-wiz] stopping bots from phoning home
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 09/01/05
- Previous message: Victor Williams: "Re: [fw-wiz] firewall rule lifecycle management"
- In reply to: mason_at_schmitt.ca: "[fw-wiz] stopping bots from phoning home"
- Next in thread: mason_at_schmitt.ca: "Re: [fw-wiz] stopping bots from phoning home"
- Reply: mason_at_schmitt.ca: "Re: [fw-wiz] stopping bots from phoning home"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: mason@schmitt.ca
Date: Wed, 31 Aug 2005 22:33:23 -0400 (EDT)
On Wed, 31 Aug 2005 mason@schmitt.ca wrote:
> It seems that the majority of bots connect to an IRC server in order to
> get their instructions and some spyware is starting to do the same. So if
Yep, hence the "if you don't need to pass it" mantra that I like to chant.
> the avenue for abuse of an infected machine is via connection to IRC
> networks, why not block all outbound IRC traffic (we have a Packeteer
> packet shaper that I think can classify IRC traffic regardless of the port
> it runs on) and implement a proxy that legitimate users of IRC have to log
> into in order to gain access to IRC servers outside our network? This way
If you can get your customers to use an IRC proxy, great- it might be sort
of interesting to look at doing a transparent proxy and just sending up a
screen that asks for a specific response prior to continuing the
connection- I'd be *really* interested in your results though, especially
with the newer IM clients that do IRC.
> an infected PC can't phone home, legitimate use of IRC is still possible
> with only a slight hurdle, and I can log all traffic that hits my block so
> that I can investigate those PCs.
>
> Your thoughts?
I'd probably look at who's using legitimate ports and offer them a
pass rule, or just pass them and close off everyone else, then get to
figuring out what's legitimate (there's a snooping line that you need to
be careful of.) Then make a new signup process that involves proxy info-
that'd probably get you fewer customer complaints than anything.
> Given that this flies in the face of this list's mantra of, "block
> outbound IRC, there is no business case for its use" and "a default deny
> stance is far more secure than a default allow stance", I feel compelled
> to say that I absolutely fully agree with these points as well as the
> vast majority of security truisms that are stated repeatedly on this list.
> However, I'm not talking about our company LAN or the servers that I
> manage. The network that takes the majority of my time is our customer
> network.
>
> I've posted before, but not often. I'm a sysadmin for a small cable ISP.
> I frequently struggle with the seemingly unworkable position of being
> transparent to our customers while simultaneously protecting them from
> themselves and the "big bad net". As you can well imagine, I can't make a
> default deny stance work in this environment, so I am left with exactly
> what I don't want to be doing which is watching for problems and trying to
> stop them before they make a real mess... Needless to say, this sucks.
>
Like the last time this surfaced, I'd recommend offering the customers a
default deny option and see how many bite- if you can do per-user rules
(and I don't know what sort of scale you're talking about- MSOs come in
all sizes.) then you may get them to agree to it- I think the time is
right for that.
> Because I am in this state and we have very little manpower for things
> such as maintaining router blacklist rules for known spyware sites, irc
> botnet controllers, etc (which have their own support staff payload and
> customer satisfaction issues as well), I'm always trying to think of ways
> of reducing our customers' exposure to threats without getting in their
> way more than I have to and without creating a maintenance nightmare for
> myself. I have implemented ingress/egress blocks for really common
> problem ports, configured multiple layer virus filtering for inbound and
> outbound email, we have a very cost effective anti-spam solution, I have
> blocked windows popup spam, etc, but spyware and bots are finding plenty
> of ways around my basic defences and the spyware problem is only going to
> get more pronounced. This is why I suggest awkward things like the
> authenticating IRC proxy idea above. I'm also currently looking at a
> multi function gateway (sounds just as cheesy as those multi function
> printer, fax, scanner things...) that does spyware, virus scanning and IPS
> on all traffic traversing our link.
You know, if we could get rid of the home user problem, all our lives
would get easier...
> At this point, I don't see any way around it. This is my quiet plea for
> answers.
Personal firewalls that block outbound connections are a good thing- you
might want to see if your marketing folks can do something akin to the
AOL and DSL provider firewall packages- marketing always has money that
techs don't...
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
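As an added example that is not part of the thread or either poster's setup, here is a small Python triage script for the "log all traffic that hits my block" and "offer them a pass rule" ideas discussed above: it parses iptables LOG lines from an outbound-IRC drop rule, skips customers who already have a pass rule, and separates sources that look like a bot retrying its controller from sources that merit a pass-rule offer. The IRC-BLOCK log prefix, the 192.0.2.0/24 customer range, the pass list and the retry threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG output for a rule that drops outbound
# IRC from the customer side; the "IRC-BLOCK" prefix and the 192.0.2.0/24
# customer addresses are assumptions, not values from the thread.
SAMPLE_LOG = """\
Aug 31 22:10:01 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3344 DPT=6667
Aug 31 22:10:02 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3345 DPT=6667
Aug 31 22:10:03 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3346 DPT=6667
Aug 31 22:10:05 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3347 DPT=6667
Aug 31 22:11:00 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.22 DST=203.0.113.9 PROTO=TCP SPT=1025 DPT=6667
Aug 31 22:12:00 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.35 DST=203.0.113.9 PROTO=TCP SPT=1030 DPT=6697
Aug 31 22:12:01 gw kernel: IRC-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.35 DST=203.0.113.9 PROTO=TCP SPT=1031 DPT=6697
"""

FIELDS = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

# Customers who asked for an IRC pass rule (hypothetical list).
PASS_LIST = {"192.0.2.22"}

def parse_blocked(log_text):
    """Yield (src, dst, dport) for each IRC-BLOCK line; skip unrelated lines."""
    for line in log_text.splitlines():
        if "IRC-BLOCK" not in line:
            continue
        m = FIELDS.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(5))

def summarize(log_text, pass_list=PASS_LIST):
    """Per-source hit count and distinct dst:port targets, excluding pass-listed
    customers whose traffic should be handled by a pass rule, not the block."""
    hits, targets = defaultdict(int), defaultdict(set)
    for src, dst, dport in parse_blocked(log_text):
        if src in pass_list:
            continue
        hits[src] += 1
        targets[src].add(f"{dst}:{dport}")
    return {s: (hits[s], sorted(targets[s])) for s in hits}

def triage(summary, threshold=3):
    """Repeated retries to one target look like a bot reconnecting (investigate);
    a stray attempt is a pass-rule candidate. The threshold is an assumed knob."""
    investigate, offer = [], []
    for src, (n, tgts) in sorted(summary.items()):
        (investigate if n >= threshold and len(tgts) == 1 else offer).append(src)
    return investigate, offer
```

Feed it the output of a syslog grep for the log prefix; on the constructed sample it flags 192.0.2.10 for investigation and lists 192.0.2.35 as a pass-rule candidate.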