blocking irc + botnets

Maxime Ducharme mducharme at cybergeneration.com
Wed Aug 3 18:18:55 CEST 2005


Hello

i suggest block every outbound ports on your
servers

use ip_conntrack to allow servers to answer ESTABLISHED
connections on your open ports (like 80 for a http server)

botnets or trojan downloaders can simply run on any port

a vulnerable script could be used to run a "wget ..."
command that would use outbound tcp 80, which isnt in
irc's port ranges, thats why you should simply block them all

hth

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau


----- Original Message ----- 
From: "hbeaumont hbeaumont" <ahlist at gmail.com>
To: <netfilter at lists.netfilter.org>
Sent: Tuesday, August 02, 2005 11:41 AM
Subject: blocking irc + botnets


Can anyone help me with the proper method to block outgoing requests to
botnets + irc?

Or point me in the direction of searchable list archives (I could only find
the non-searchable archives) or other FAQ that answers this?

Problem:

We have servers that could get infected via poorly wrote user scripts. I
want to prevent these servers from being used as part of botnets or general
connections to
IRC (most scripts I run across seem to try to connect to IRC). I want to
take the best preventative measures I can in case one of the machines would
become infected
or otherwise compromised.

Also, interested in any other popular method of stopping general outgoing
DOS attacks (rate limiting UDP perhaps? I'm not real up on the techniques
used by the DOS'ers).

I'm interested in the recommended rules to add to prevent this type of thing
should it occur. Thanks.




More information about the netfilter mailing list