blocking irc + botnets

Piszcz, Justin jpiszcz at servervault.com
Tue Aug 2 18:37:16 CEST 2005


Well to start out, you'd want to block outbound TCP ports 6660-7000,
there are however, some IRC servers that accept connections on weird
ports to bypass firewalls.

-----Original Message-----
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of hbeaumont
hbeaumont
Sent: Tuesday, August 02, 2005 11:41 AM
To: netfilter at lists.netfilter.org
Subject: blocking irc + botnets

Can anyone help me with the proper method to block outgoing requests to 
botnets + irc?

Or point me in the direction of searchable list archives (I could only
find 
the non-searchable archives) or other FAQ that answers this?

Problem:

We have servers that could get infected via poorly wrote user scripts. I

want to prevent these servers from being used as part of botnets or
general 
connections to 
IRC (most scripts I run across seem to try to connect to IRC). I want to

take the best preventative measures I can in case one of the machines
would 
become infected
or otherwise compromised.

Also, interested in any other popular method of stopping general
outgoing 
DOS attacks (rate limiting UDP perhaps? I'm not real up on the
techniques 
used by the DOS'ers).

I'm interested in the recommended rules to add to prevent this type of
thing 
should it occur. Thanks.



More information about the netfilter mailing list