Re: [fw-wiz] stopping bots from phoning home

mason_at_schmitt.ca
Date: 09/08/05

  • Next message: mason_at_schmitt.ca: "[fw-wiz] The home user problem returns"
    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Wed, 7 Sep 2005 19:18:11 -0700 (PDT)
    
    

    Paul,

    Thanks for your suggestions.

    While responding to your comments, it got me thinking. So, I've decided
    to share some of my other ideas for dealing with the problem of home
    computer security from the perspective of an ISP.

    There hasn't been a good constructive thread concerning the home user
    problem in a while, so hopefully my follow up email to this one will spark
    some interest.

    <snip>

    > Like the last time this surfaced, I'd recommend offering the customers a
    > default deny option and see how many bite- if you can do per-user rules
    > (and I don't know what sort of scale you're talking about- MSOs come in
    > all sizes.) then you may get them to agree to it- I think the time is
    > right for that.
    >

    It was a good suggestion then and it's a good one now, but my boss has
    said that despite the obvious technical merit, he's not going for it.
    He's concerned about an increase in support costs and negative customer
    experiences with people phoning in that forget/don't understand the
    repercussions of their choice. Or worse, leave us for the competition
    without even phoning us, because they decide to use some new app that they
    just downloaded and find that it doesn't work and their friend down the
    street says, well it works fine on my dsl connection!

    As well, the majority of support calls that we receive are from the very
    people that need the protection most, but their use of the internet would
    preclude a default deny ruleset on their modem. The kids are on IM and
    playing online games at all hours, the whole family participates in p2p
    filesharing and the fact that their computers are loaded to the gills with
    spyware suggests that they are spending time visiting the somewhat less
    savoury places on the net. The parents in these situations are most often
    not very technically savvy and many don't really understand or supervise
    what their kids are doing online.

    > If you can get your customers to use an IRC proxy, great- it might be sort
    > of interesting to look at doing a transparent proxy and just sending up a
    > screen that asks for a specific response prior to continuing the
    > connection- I'd be *really* interested in your results though, especially
    > with the newer IM clients that do IRC.
    >

    I have given this some thought and talked it over with others here and we
    think that your variation on the original idea is an improvement. Largely
    due to the fact that popular IM clients, such as Trillian, that kind of
    support IRC, wouldn't allow for authentication and some servers have a
    limit on the number of connections from a single IP. So, rather than run
    all connections through a proxy, we thought that perhaps we could just
    watch for IRC connections to be established (really easy with the
    packetshaper and doesn't require sniffing). When we see a connection
    established, have a bot kick off that logs onto the server the connection
    was made to and initiate a direct chat request to the user that just
    logged on. The bot would ask a question and if it didn't get a response,
    it would block IRC traffic for that IP and send an email to our ticket
    system so that we know who is infected.

    There's probably a less convoluted way of approaching this (if you have
    one, let me know), but this is doable without having to do much
    programming.

    The big question is, whether it's worth the effort or not. I'm not sure.
    It increases the complexity of our network while only focusing on the
    current fad in spyware/trojans/bots (what do we call these things now?) of
    using IRC. Currently there are bots (settled on bots) that, once on the
    host, will talk over http, p2p, or IM in order to get their instructions.
    IRC is the current dominant method, but not the only one.

    I'm more inclined to take a broader proactive approach, but could use some
    guidance concerning some of my current half thought out ideas. I'll send
    these ideas along in my next email.

    > You know, if we could get rid of the home user problem, all our lives
    > would get easier...
    >

    Then there wouldn't be an internet and that would suck. But, I know what
    you mean...

    > Personal firewalls that block outbound connections are a good thing- you
    > might want to see if your marketing folks can do something akin to the
    > AOL and DSL provider firewall packages- marketing always has money that
    > techs don't...

    Ha! You wouldn't believe the support problems that we have with people
    that choose to install firewalls that ask them to make choices. I think
    that having a firewall on the box that can see which program is trying to
    connect is great! ...if there is a person interacting with it that
    understands some basics. When the person using the computer has no idea
    what the little pop ups are talking about and doesn't really want to know,
    they just blindly click ok, because clicking ok means that they are more
    secure right? We have had plenty of support calls where the customer is
    angry that our mail server is down... when in reality, they clicked ok
    when the window asked if they wanted to block pop3...

    We do what we can to help out these people and sometimes that means having
    them bring their PC in so that we can get a look at it. Often we tell
    them that they would be better off with a common home firewall. The crazy
    thing is that I know that many of the large ISPs (not sure if I should
    name names or not) have it as part of their level 1 tech support flow chart
    to ask the customer to disable the firewall and leave it like that! That
    really chaps my ass. If these big ISPs weren't so careless, I wouldn't
    have so many problems... nor would the rest of the net for that matter.
    Oh well, finger pointing isn't going to get me anywhere.

    --
    Mason
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
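The challenge/response bot sketched in the mail above, written out as an added example (this is not code from the original post or from the list members). It simulates the whole exchange offline on hand-constructed IRC lines: the packet shaper has reported a new IRC connection from a customer IP, the bot maps that IP to a nick via the server's RPL_WHOISUSER (311) reply, sends a PRIVMSG with a question, and decides "allow", "review" or "block" from what comes back before the deadline. The server name, nicks, IP and the 10-minute timeout are all assumptions; the "review" verdict for a wrong-but-human answer goes slightly beyond the mail, which only distinguishes reply from silence.

```python
import re
import secrets

# An IRC line is "[:prefix] COMMAND [params] [:trailing]".  This parser is
# enough for the few replies the bot cares about; it does not handle IRCv3
# tags and breaks on hosts containing ':' (raw IPv6), a known limitation.
_LINE = re.compile(
    r'^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>[^:]*?))?(?: :(?P<trail>.*))?$'
)

def parse_irc(line):
    """Return {'nick','cmd','params','trailing'} or None for an unparsable line."""
    m = _LINE.match(line.rstrip('\r\n'))
    if not m:
        return None
    prefix = m.group('prefix') or ''
    return {
        'nick': prefix.split('!', 1)[0],          # "kid42!~kid@host" -> "kid42"
        'cmd': m.group('cmd'),
        'params': m.group('params').split() if m.group('params') else [],
        'trailing': m.group('trail'),
    }

def nick_for_host(lines, customer_ip):
    """Map the customer IP seen by the shaper to a nick using RPL_WHOISUSER (311):
    "<me> <nick> <user> <host> * :<realname>".  Assumption: the server exposes
    the real host.  Servers that cloak hosts never match, and that IP should
    then go to manual review rather than be blocked."""
    for raw in lines:
        msg = parse_irc(raw)
        if (msg and msg['cmd'] == '311' and len(msg['params']) >= 4
                and msg['params'][3] == customer_ip):
            return msg['params'][1]
    return None

def build_challenge(target_nick):
    """Return (PRIVMSG line to send, expected answer).  Trivial for a person,
    meaningless to a bot that only parses commands from its controller."""
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    text = (f"Hi, this is an automated check from your ISP. Please reply with "
            f"the answer to {a} + {b} within 10 minutes or IRC will be blocked "
            f"for your connection.")
    return f"PRIVMSG {target_nick} :{text}", str(a + b)

def evaluate(events, bot_nick, target_nick, expected, sent_at, timeout_s=600):
    """events: iterable of (unix_time, raw_line) received after the challenge.
    'allow'  = correct private reply in time,
    'review' = some other private reply (a person who mistyped, for instance),
    'block'  = silence until the deadline (the mail's "no response" case)."""
    for ts, raw in events:
        if ts - sent_at > timeout_s:
            break
        msg = parse_irc(raw)
        if not msg or msg['cmd'] != 'PRIVMSG' or msg['nick'] != target_nick:
            continue
        if msg['params'][:1] != [bot_nick]:
            continue                      # channel chatter, not a reply to us
        answer = (msg['trailing'] or '').strip()
        return 'allow' if answer == expected else 'review'
    return 'block'

def make_ticket(customer_ip, target_nick, server, verdict):
    """What would be handed to the ticket system and the shaper rule (constructed)."""
    action = {'block': 'block-irc', 'review': 'manual-check', 'allow': 'none'}
    return {'ip': customer_ip, 'nick': target_nick, 'server': server,
            'action': action[verdict]}

# --- constructed walk-through; no real server is contacted -------------------
def demo():
    customer_ip, bot_nick, server = '10.0.0.77', 'ispcheck', 'irc.example.net'
    whois_reply = [f':{server} 311 {bot_nick} kid42 ~kid {customer_ip} * :Kid Fortytwo']
    nick = nick_for_host(whois_reply, customer_ip)
    line, expected = build_challenge(nick)
    t0 = 1_000_000.0
    # A person answers within two minutes.
    human = [(t0 + 120, f':kid42!~kid@{customer_ip} PRIVMSG {bot_nick} :{expected}')]
    # A bot stays silent; the only traffic seen is chatter in its controller's channel.
    silent = [(t0 + 30, f':kid42!~kid@{customer_ip} PRIVMSG #c0ntrol :.scan 10.0.0.0/8')]
    return {
        'nick': nick,
        'human': evaluate(human, bot_nick, nick, expected, t0),
        'silent': evaluate(silent, bot_nick, nick, expected, t0),
        'late': evaluate([(t0 + 900, human[0][1])], bot_nick, nick, expected, t0),
        'ticket': make_ticket(customer_ip, nick, server, 'block'),
    }

if __name__ == '__main__':
    print(demo())
```

Two caveats the code makes explicit: the IP-to-nick step depends on the server reporting real hosts, and the shared-IP problem the mail mentions (several users behind one address, or a server's per-IP connection limit) means a silent verdict should block IRC for the customer's modem, not be treated as proof about any one machine behind it.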
    
