Re: [fw-wiz] stopping bots from phoning home
From: Kevin (kkadow_at_gmail.com)
To: "email@example.com" <firstname.lastname@example.org> Date: Wed, 7 Sep 2005 23:43:56 -0500
On 9/7/05, email@example.com <firstname.lastname@example.org> wrote:
> > We take this a step further -- let all traffic that hits the blocks talk
> > to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
> > quarantine the source host.
> Do you use bopm or something like that on your sandbox ircd?
We just run a very basic IRCd, modified to generate a log event for
each PRIVMSG, JOIN, NICK and other similar command issued by
any client. We can also look at the original destination IP they
addressed, and check this against a list of known C&C channels.
My customer base is very sensitive about even giving the
impression of "port scanning", so we have to learn as much as we
can from the sessions they initiate towards our infrastructure.
> > I'm not sure that an explicit proxy solution will fly in a public ISP,
> > customers just are not going to be comfortable with having to jump
> > through hoops when they're used to just being able to click on the
> > "live chat" button on their brokerage or Invader Zim webboard and go
> > right into a conversation. Most of the time the user doesn't even know
> > they are using IRC!
> I'm somewhat sceptical that some "live chat" buttons actually invoke IRC.
> Or Invader Zim webboard for that matter ;) Are you sure? Can you give me
> a real example?
The first "real" user who complained had clicked through from JDate,
and suddenly found himself chatting with 37 instances of SDBot...
As for Invader Zim, see http://www.badbadrubberpiggy.com/chat.php/
firewall-wizards mailing list