blocking irc + botnets
lopsch at lopsch.com
Tue Aug 2 18:55:39 CEST 2005
hbeaumont hbeaumont wrote:
> Can anyone help me with the proper method to block outgoing requests to
> botnets + IRC?
> Or point me in the direction of searchable list archives (I could only find
> the non-searchable archives) or other FAQ that answers this?
> We have servers that could get infected via poorly written user scripts. I
> want to prevent these servers from being used as part of botnets or from
> making general connections to IRC (most scripts I run across seem to try to
> connect to IRC). I want to take the best preventative measures I can in case
> one of the machines would become infected or otherwise compromised.
> Also, I'm interested in any other popular method of stopping general outgoing
> DOS attacks (rate limiting UDP perhaps? I'm not really up on the techniques
> used by the DOS'ers).
> I'm interested in the recommended rules to add to prevent this type of thing
> should it occur. Thanks.
You should block the appropriate IRC port range. Additionally, you could
mark IRC packets with l7 matching and then drop them afterwards. I think
this will filter most of the IRC traffic, perhaps all of it.
More information about the netfilter
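The two measures the reply suggests (an outbound block on the IRC port range, and an l7-filter match that catches IRC on non-standard ports), plus the UDP rate limit the question asks about, written out as an iptables-restore fragment. This is an added example, not from the thread; it assumes the classic IRC port range 6660-6669 plus 6697 for IRC over TLS, the l7-filter `irc` protocol pattern (which needs the l7-filter kernel patch and its userspace match), the chain name `OUTBOUND_IRC`, and placeholder rate-limit numbers. The functions only emit rules so they can be reviewed; `apply_rules` loads them with `iptables-restore -n`.

```shell
#!/bin/sh
# Added example (not part of the original thread): generate netfilter rules
# that stop a server from reaching IRC, whether via the standard ports or
# via a protocol match on any port, and rate-limit outbound UDP.
# Assumed values: IRC port range, chain name, log prefixes, limit numbers.

IRC_PORTS="6660:6669,6697"   # assumption: classic IRC range + TLS port
CHAIN="OUTBOUND_IRC"         # assumption: dedicated chain for readability

# Emit the IRC block as an iptables-restore fragment for the filter table.
# 1. New outbound TCP connections to the IRC port range are logged (rate
#    limited so a worm cannot fill the log) and dropped.
# 2. Any outbound TCP flow classified as IRC by l7-filter is logged and
#    dropped, which covers bots that use a non-standard port. The layer7
#    match is placed directly in OUTPUT because it needs to see the first
#    data packets of the flow, not only the SYN.
irc_block_rules() {
    cat <<EOF
*filter
:${CHAIN} - [0:0]
-A OUTPUT -p tcp -m conntrack --ctstate NEW -j ${CHAIN}
-A ${CHAIN} -p tcp -m multiport --dports ${IRC_PORTS} -m limit --limit 5/min -j LOG --log-prefix "IRC-PORT-BLOCK: "
-A ${CHAIN} -p tcp -m multiport --dports ${IRC_PORTS} -j DROP
-A OUTPUT -p tcp -m layer7 --l7proto irc -m limit --limit 5/min -j LOG --log-prefix "IRC-L7-BLOCK: "
-A OUTPUT -p tcp -m layer7 --l7proto irc -j DROP
COMMIT
EOF
}

# Emit a coarse outbound UDP rate limit: packets within the budget are
# accepted, the excess is dropped. The numbers are placeholders and must be
# sized to the host's legitimate UDP traffic (DNS, NTP, ...), otherwise
# normal service breaks before a flood does.
udp_ratelimit_rules() {
    rate="${1:-200/s}"     # assumption: sustained packets per second
    burst="${2:-400}"      # assumption: burst allowance
    cat <<EOF
*filter
-A OUTPUT -p udp -m limit --limit ${rate} --limit-burst ${burst} -j ACCEPT
-A OUTPUT -p udp -j DROP
COMMIT
EOF
}

# Number of DROP rules in the IRC fragment; handy as a sanity check before
# loading it on a production host.
count_drop_rules() {
    irc_block_rules | grep -c -- '-j DROP'
}

# Load both fragments without flushing the existing ruleset (-n). Requires
# root and a kernel with the layer7 match; not invoked here.
apply_rules() {
    { irc_block_rules; udp_ratelimit_rules "$@"; } | iptables-restore -n
}

# Print the generated rules for review when the script is run directly.
if [ "${0##*/}" = "irc_block.sh" ]; then
    irc_block_rules
    udp_ratelimit_rules
fi
```

Review the emitted rules before calling `apply_rules`; the layer7 lines will be rejected by `iptables-restore` on a kernel without the l7-filter patch, in which case only the port-based rules apply.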