Re: [fw-wiz] stopping bots from phoning home

mason_at_schmitt.ca
Date: 09/08/05

  • Next message: Mason Schmitt: "Re: [fw-wiz] The home user problem returns"
    To: "Kevin" <kkadow@gmail.com>
    Date: Wed, 7 Sep 2005 20:42:07 -0700 (PDT)
    
    

    > We take this a step further -- let all traffic that hits the blocks talk
    > to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
    > quarantine the source host.

    Do you use bopm or something like that on your sandbox ircd?

    > If enough sites start doing this, the Zombie Masters will find a
    > new C&C channel for their 'bots, perhaps SSL web sites on TCP/443...
    >

    They already have plenty. The most disturbing of which are p2p overlay
    networks that are set up just for controlling these bots, i.e. not
    gnutella, fastrack, etc.

    > I'm not sure that an explicit proxy solution will fly in a public ISP,
    > customers just are not going to be comfortable with having to jump
    > through hoops when they're used to just being able to click on the
    > "live chat" button on their brokerage or Invader Zim webboard and go
    > right into a conversation. Most of the time the user doesn't even know
    > they are using IRC!

    I'm somewhat sceptical that some "live chat" buttons actually invoke IRC.
    Or Invader Zim webboard for that matter ;) Are you sure? Can you give me
    a real example?

    > I don't know that the situation can be made to suck any less for a
    > public ISP. I've been in that boat, am glad to be back on dry land.

    Sometimes it's horribly frustrating. Other times, I seriously enjoy the
    challenge. Being a lone sysadmin at a small ISP means that I get to play
    with all the toys :)

    --
    Mason
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
