Re: [fw-wiz] stopping bots from phoning home

From: Kevin
Date: 09/08/05

    Date: Wed, 7 Sep 2005 23:43:56 -0500

    On 9/7/05, <> wrote:
    > > We take this a step further -- let all traffic that hits the blocks talk
    > > to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
    > > quarantine the source host.
    > Do you use bopm or something like that on your sandbox ircd?

    We just run a very basic IRCd, modified to generate a log event for
    each PRIVMSG, JOIN, NICK and other similar command issued by
    any client. We can also look at the original destination IP they
    addressed, and check this against a list of known C&C channels.

    My customer base is very sensitive about even giving the
    impression of "port scanning", so we have to learn as much as we
    can from the sessions they initiate towards our infrastructure.

    > > I'm not sure that an explicit proxy solution will fly in a public ISP,
    > > customers just are not going to be comfortable with having to jump
    > > through hoops when they're used to just being able to click on the
    > > "live chat" button on their brokerage or Invader Zim webboard and go
    > > right into a conversation. Most of the time the user doesn't even know
    > > they are using IRC!
    > I'm somewhat sceptical that some "live chat" buttons actually invoke IRC.
    > Or Invader Zim webboard for that matter ;) Are you sure? Can you give me
    > a real example?

    The first "real" user who complained had clicked through from JDate,
    and suddenly found himself chatting with 37 instances of SDBot...

    As for Invader Zim, see

    Kevin Kadow
    firewall-wizards mailing list
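The sandbox IRCd described above logs each NICK/JOIN/PRIVMSG a redirected client sends and compares the original destination with a known C&C list. The following Python sketch is an added illustration of that logging and quarantine logic, not Kevin's code; the C&C IP and channel lists, the session and the client lines are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical intelligence lists (constructed placeholders, not real indicators).
KNOWN_CC_IPS: Set[str] = {"203.0.113.7"}
KNOWN_CC_CHANNELS: Set[str] = {"#ctl-placeholder"}
# Client commands the sandbox turns into log events.
LOGGED = {"NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE", "MODE"}


def parse_irc(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split one raw IRC client line into (COMMAND, params); None if empty."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):              # optional prefix, rare from clients
        _, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")   # trailing param may contain spaces
    parts = head.split()
    if not parts:
        return None
    return parts[0].upper(), parts[1:] + ([trailing] if sep else [])


@dataclass
class Session:
    src_ip: str
    orig_dst_ip: str                      # destination before redirection to the sandbox
    events: List[str] = field(default_factory=list)
    joined: Set[str] = field(default_factory=set)


def handle_line(session: Session, raw: str) -> None:
    """Record a log event for interesting commands and track joined channels."""
    parsed = parse_irc(raw)
    if parsed is None:
        return
    cmd, params = parsed
    if cmd == "JOIN" and params:
        session.joined.update(params[0].split(","))
    if cmd in LOGGED:
        session.events.append(f"{session.src_ip}->{session.orig_dst_ip} {cmd} {' '.join(params)}")


def quarantine_decision(session: Session) -> Tuple[bool, str]:
    """Quarantine if the original destination or a joined channel is on the C&C list."""
    if session.orig_dst_ip in KNOWN_CC_IPS:
        return True, "original destination is a known C&C host"
    hit = session.joined & KNOWN_CC_CHANNELS
    if hit:
        return True, "joined known C&C channel " + ",".join(sorted(hit))
    return False, "no C&C match"
```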
