blocking irc + botnets

Daniel Lopes lopsch at lopsch.com
Tue Aug 2 18:55:39 CEST 2005


hbeaumont hbeaumont schrieb:
> Can anyone help me with the proper method to block outgoing requests to 
> botnets + irc?
> 
> Or point me in the direction of searchable list archives (I could only find 
> the non-searchable archives) or other FAQ that answers this?
> 
> Problem:
> 
> We have servers that could get infected via poorly wrote user scripts. I 
> want to prevent these servers from being used as part of botnets or general 
> connections to 
> IRC (most scripts I run across seem to try to connect to IRC). I want to 
> take the best preventative measures I can in case one of the machines would 
> become infected
> or otherwise compromised.
> 
> Also, interested in any other popular method of stopping general outgoing 
> DOS attacks (rate limiting UDP perhaps? I'm not real up on the techniques 
> used by the DOS'ers).
> 
> I'm interested in the recommended rules to add to prevent this type of thing 
> should it occur. Thanks.
> 
> 
You should block the appropriate IRC portrange. Additionally you could 
mark IRC packets with l7 matching and then drop them afterwards. I think 
this will filter pretty much of the IRC traffic, perhaps all.



More information about the netfilter mailing list