blocking irc + botnets

R. DuFresne dufresne at
Tue Aug 2 20:36:41 CEST 2005


On Tue, 2 Aug 2005, Daniel Lopes wrote:

> hbeaumont hbeaumont schrieb:
>> Can anyone help me with the proper method to block outgoing requests to 
>> botnets + irc?
>> Or point me in the direction of searchable list archives (I could only 
>> find the non-searchable archives) or other FAQ that answers this?
>> Problem:
>> We have servers that could get infected via poorly written user scripts. I 
>> want to prevent these servers from being used as part of botnets or 
>> general connections to IRC (most scripts I run across seem to try to 
>> connect to IRC). I want to take the best preventative measures I can in 
>> case one of the machines would become infected
>> or otherwise compromised.
>> Also, interested in any other popular method of stopping general outgoing 
>> DOS attacks (rate limiting UDP perhaps? I'm not really up on the techniques 
>> used by the DOS'ers).
>> I'm interested in the recommended rules to add to prevent this type of 
>> thing should it occur. Thanks.
> You should block the appropriate IRC port range. Additionally you could mark 
> IRC packets with l7 matching and then drop them afterwards. I think this will 
> filter most of the IRC traffic, perhaps all.

Which will catch the joe-average and below schmoozers, but will fail on 
newer threats coming up the pipes and those aimed off the traditional IRC 
servers/nets.  This is a case for a well tuned IDS and monitoring your 
layered security strategy.  Emphasis on *well tuned*: IDS systems are not a 
drop-and-play thing, and most tend to be poorly tuned, maintained and 
monitored.  But taking the advice that others have provided will at least 
place you in a position to stop most common trojans.


Ron DuFresne
-- 
         admin & senior security consultant:
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>

