blocking irc + botnets
dufresne at sysinfo.com
Tue Aug 2 20:36:41 CEST 2005
On Tue, 2 Aug 2005, Daniel Lopes wrote:
> hbeaumont hbeaumont schrieb:
>> Can anyone help me with the proper method to block outgoing requests to
>> botnets + irc?
>> Or point me in the direction of searchable list archives (I could only
>> find the non-searchable archives) or other FAQ that answers this?
>> We have servers that could get infected via poorly written user scripts. I
>> want to prevent these servers from being used as part of botnets or
>> general connections to IRC (most scripts I run across seem to try to
>> connect to IRC). I want to take the best preventative measures I can in
>> case one of the machines would become infected
>> or otherwise compromised.
>> Also, interested in any other popular method of stopping general outgoing
>> DOS attacks (rate limiting UDP perhaps? I'm not real up on the techniques
>> used by the DOS'ers).
>> I'm interested in the recommended rules to add to prevent this type of
>> thing should it occur. Thanks.
> You should block the appropriate IRC port range. Additionally you could mark
> IRC packets with l7 matching and then drop them afterwards. I think this will
> filter most of the IRC traffic, perhaps all of it.
Which will catch the joe-average and below schmoozers, but will fail on
newer threats coming up the pipes and those aimed off the traditional IRC
servers/nets. This is a case for a well tuned IDS and monitoring your
layered security strategy. Emphasis on *well tuned*: IDS systems are not a
drop and play thing, and most tend to be poorly tuned, maintained and
monitored. But taking the advice that others have provided will at least
place you in a position to stop most common trojans.
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
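The rules the thread talks about (block the IRC port range outbound, log the attempts so monitoring sees them, rate limit new outbound UDP) as one added egress example for a server that should never initiate IRC. This is not code from the thread or from the netfilter project; the port list, the log prefix, the chain name EGRESS_IRC and the rate values are assumptions to adjust to local policy.

```shell
#!/bin/sh
# Added example: egress filtering for a server that must not join IRC/botnets.
# Assumptions (not from the thread): IRC_PORTS, the EGRESS_IRC chain name,
# the log prefix and the UDP rate values are placeholders for local policy.
IRC_PORTS="${IRC_PORTS:-6660:6669,7000}"   # classic IRC range plus 7000
UDP_RATE="${UDP_RATE:-50/sec}"            # new outbound UDP flows allowed
UDP_BURST="${UDP_BURST:-100}"
LOG_PREFIX="${LOG_PREFIX:-egress-irc: }"  # grep this in syslog / feed to the IDS

# irc_egress_rules MODE
#   MODE=print  -> print the iptables commands (dry run, default)
#   MODE=apply  -> execute them (needs root and an OUTPUT chain with no
#                  earlier rule that accepts everything)
irc_egress_rules() {
    mode="${1:-print}"
    printf '%s\n' \
        "iptables -N EGRESS_IRC" \
        "iptables -A EGRESS_IRC -m limit --limit 5/min -j LOG --log-prefix '$LOG_PREFIX'" \
        "iptables -A EGRESS_IRC -j REJECT --reject-with tcp-reset" \
        "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A OUTPUT -p tcp -m multiport --dports $IRC_PORTS -m state --state NEW -j EGRESS_IRC" \
        "iptables -A OUTPUT -p udp -m state --state NEW -m limit --limit $UDP_RATE --limit-burst $UDP_BURST -j ACCEPT" \
        "iptables -A OUTPUT -p udp -m state --state NEW -j DROP" |
    while IFS= read -r cmd; do
        if [ "$mode" = apply ]; then
            eval "$cmd"       # run the rule as written above
        else
            echo "$cmd"       # dry run: show what would be applied
        fi
    done
}
# If the l7-filter patch (match "layer7") is built in, one extra rule catches IRC
# on non-standard ports by protocol signature, which the plain port match misses:
#   iptables -A OUTPUT -p tcp -m layer7 --l7proto irc -m state --state NEW -j EGRESS_IRC

# Default invocation prints the rule set; "./egress.sh apply" installs it.
irc_egress_rules "${1:-print}"
```

The REJECT with tcp-reset (rather than DROP) makes a compromised script fail fast instead of hanging in connect(), and the LOG line in front of it is the monitoring hook: a server that suddenly starts producing "egress-irc:" entries is the signal the IDS advice above is about. The UDP rule uses -m limit, which is a single global bucket for the whole host, so it caps what a flooding script can emit but also throttles legitimate new UDP flows such as DNS lookups; size UDP_RATE for the server's normal traffic, or allow the resolvers explicitly before the limit rule. The rules are IPv4 only; repeat them with ip6tables where the server has IPv6.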