* blocking irc + botnets
From: hbeaumont hbeaumont @ 2005-08-02 15:41 UTC
To: netfilter
Can anyone help me with the proper method to block outgoing requests to
botnets + IRC?
Or point me in the direction of searchable list archives (I could only find
the non-searchable archives) or other FAQ that answers this?
Problem:
We have servers that could get infected via poorly written user scripts. I
want to prevent these servers from being used as part of botnets or general
connections to IRC (most scripts I run across seem to try to connect to IRC).
I want to take the best preventative measures I can in case one of the
machines would become infected or otherwise compromised.
Also, interested in any other popular method of stopping general outgoing
DOS attacks (rate limiting UDP perhaps? I'm not really up on the techniques
used by the DOS'ers).
I'm interested in the recommended rules to add to prevent this type of thing
should it occur. Thanks.
* RE: blocking irc + botnets
From: Piszcz, Justin @ 2005-08-02 16:37 UTC
To: hbeaumont hbeaumont, netfilter
Well, to start out, you'd want to block outbound TCP ports 6660-7000;
there are, however, some IRC servers that accept connections on weird
ports to bypass firewalls.
* Re: blocking irc + botnets
From: Daniel Lopes @ 2005-08-02 16:55 UTC
To: netfilter
hbeaumont hbeaumont wrote:
> Can anyone help me with the proper method to block outgoing requests to
> botnets + irc?
>
> Or point me in the direction of searchable list archives (I could only find
> the non-searchable archives) or other FAQ that answers this?
>
> Problem:
>
> We have servers that could get infected via poorly written user scripts. I
> want to prevent these servers from being used as part of botnets or general
> connections to
> IRC (most scripts I run across seem to try to connect to IRC). I want to
> take the best preventative measures I can in case one of the machines would
> become infected
> or otherwise compromised.
>
> Also, interested in any other popular method of stopping general outgoing
> DOS attacks (rate limiting UDP perhaps? I'm not real up on the techniques
> used by the DOS'ers).
>
> I'm interested in the recommended rules to add to prevent this type of thing
> should it occur. Thanks.
>
>
You should block the appropriate IRC port range. Additionally you could
mark IRC packets with l7 matching and then drop them afterwards. I think
this will filter most of the IRC traffic, perhaps all.
* Re: blocking irc + botnets
From: R. DuFresne @ 2005-08-02 18:36 UTC
To: Daniel Lopes; +Cc: netfilter
On Tue, 2 Aug 2005, Daniel Lopes wrote:
> You should block the appropriate IRC portrange. Additionally you could mark
> IRC packets with l7 matching and then drop them afterwards. I think this will
> filter pretty much of the IRC traffic, perhaps all.
>
Which will catch the joe-average and below schmoozers, but will fail on
newer threats coming up the pipes and those aimed off the traditional IRC
servers/nets. This is a case for a well tuned IDS and monitoring your
layered security strategy. Emphasis on *well tuned*: IDS systems are not a
drop and play thing, and most tend to be poorly tuned, maintained and
monitored. But taking the advice that others have provided will at least
place you in a position to stop most common trojans.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
* Re: blocking irc + botnets
From: Maxime Ducharme @ 2005-08-03 16:18 UTC
To: hbeaumont hbeaumont, netfilter
Hello
I suggest blocking every outbound port on your servers.
Use ip_conntrack to allow servers to answer ESTABLISHED
connections on your open ports (like 80 for an http server).
Botnets or trojan downloaders can simply run on any port.
A vulnerable script could be used to run a "wget ..."
command that would use outbound tcp 80, which isn't in
irc's port ranges; that's why you should simply block them all.
hth
Maxime Ducharme
Programmer / Network security specialist
* Re: blocking irc + botnets
From: Jan Engelhardt @ 2005-08-04 7:43 UTC
To: hbeaumont hbeaumont; +Cc: netfilter
>We have servers that could get infected via poorly written user scripts. I
Fix the servers. Don't let arbitrary scripts in.
Jan Engelhardt
--
* Re: blocking irc + botnets
From: hbeaumont hbeaumont @ 2005-08-04 17:04 UTC
To: netfilter
On 8/4/05, Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
> >We have servers that could get infected via poorly written user scripts. I
>
> Fix the servers. Don't let arbitrary scripts in.
Please take this in a friendly manner :)
When I wrote my initial message, I knew somebody would give me this type of
reply (i.e. secure your servers, smack the bad users).
However, the fact is that in REAL LIFE you will have users that use bad
scripts or even "good" scripts that have bugs (phpbb, etc., etc.).
I want to find a way to make sure that we have an extra layer of protection
to make sure our servers weren't DOS'ing other boxes - even if it was
only for a short time until an admin logged in to check the source of the
outgoing traffic spike.
Bottom line:
I simply want to get a good ruleset to share so that anyone who might ever
have a server compromised (even non-root, php-apache based stuff running as
nobody) could help stop the outgoing bad traffic.
There is a lot of discussion on stopping things from coming into a server.
If those of us who run servers (I'm pointing the finger at myself!) would
take the extra effort to stop what can possibly go out, it would solve a lot
of the problems.
I don't have the knowledge to set this up in the best method. That's why I
asked here.
Thanks to all!
* Re: blocking irc + botnets
From: curby . @ 2005-08-04 21:59 UTC
To: hbeaumont hbeaumont; +Cc: netfilter
On 8/4/05, hbeaumont hbeaumont <ahlist@gmail.com> wrote:
> I want to find a way to make sure that we have an extra layer of protection
> to make sure our servers weren't DOS'ing other boxes - even if it was
> only for a short time until an admin logged in to check the source of the
> outgoing traffic spike.
I'm a big fan of layers. =)
Even though there's only so much that netfilter can do, as it generally
only looks at the lower half of the network stack, you can restrict a
lot. For example, servers don't usually need to originate much traffic
at all. Trust and allow a few IPs for patch servers, time servers,
and DNS servers as opposed to allowing general outgoing traffic out to
ports 21, 80, 123, 53, etc.
Log (with flood limits) dropped outbound traffic. /dev/rob0 makes a
good point that logging is often useless. If you have log analysis
tools that are monitored, they can possibly detect everything from
misconfigured software to malicious and mischievous users.
Something else you can do is proxy whatever small subset of external
services your servers can reach. This can help prevent someone from
tunneling random things over port 80, for example (popular since it's
seldom filtered).
You might also set netfilter to allow certain programs or users to go
out on certain ports. I.e. root can go out on port 123 to synchronize
the clock, but a user cannot. Of course, the more you restrict users,
the more unhappy they get!
* Re: blocking irc + botnets
From: Jan Engelhardt @ 2005-08-05 6:26 UTC
To: hbeaumont hbeaumont; +Cc: netfilter
>> >We have servers that could get infected via poorly written user scripts. I
>>
>However the fact is that in REAL LIFE, you will have users that use bad
>scripts or even "good" script that have bugs (phpbb, etc, etc.).
Ah now I get it.
>I simply want to get a good ruleset to share so that anyone who might ever
>have a server compromised (even non-root, php-apache based stuff running as
>nobody) could help
>stop the outgoing bad traffic.
Hm, I'd probably try with
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Jan Engelhardt
--
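Putting the thread's advice together, as an added example that is not from any poster: Jan's default-DROP OUTPUT policy with the ESTABLISHED,RELATED exception, plus the trusted-host, root-only and flood-limited logging ideas from curby's reply. The server IPs and log rate are constructed placeholders; the script only prints the iptables commands unless run as root with --apply.

```shell
#!/bin/sh
# Egress ruleset for a web server (added example, not from the thread).
# The 192.0.2.x addresses are constructed placeholders; substitute your own.
IPT=${IPT:-iptables}
DNS_SERVERS="192.0.2.53"      # placeholder: your resolver(s)
NTP_SERVERS="192.0.2.123"     # placeholder: your time server(s)
PATCH_SERVERS="192.0.2.80"    # placeholder: your package mirror(s)
LOG_RATE="3/min"              # flood limit for the LOG rules

# Print the ruleset, one iptables command per line, without applying it.
egress_rules() {
    echo "$IPT -F OUTPUT"
    echo "$IPT -P OUTPUT DROP"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    # Replies on connections the server did not initiate (e.g. inbound :80),
    # which is all a plain web server needs to send.
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The DROP policy already covers the classic IRC range; a dedicated rule
    # gives it its own log prefix so a script phoning home stands out.
    echo "$IPT -A OUTPUT -p tcp --dport 6660:7000 -m limit --limit $LOG_RATE -j LOG --log-prefix 'EGRESS-IRC '"
    echo "$IPT -A OUTPUT -p tcp --dport 6660:7000 -j DROP"
    # Only root (uid 0) may open NEW connections, and only to trusted hosts;
    # a web app running as nobody cannot wget or connect out from here.
    for h in $DNS_SERVERS; do
        echo "$IPT -A OUTPUT -d $h -p udp --dport 53 -m owner --uid-owner 0 -m state --state NEW -j ACCEPT"
    done
    for h in $NTP_SERVERS; do
        echo "$IPT -A OUTPUT -d $h -p udp --dport 123 -m owner --uid-owner 0 -m state --state NEW -j ACCEPT"
    done
    for h in $PATCH_SERVERS; do
        echo "$IPT -A OUTPUT -d $h -p tcp --dport 80 -m owner --uid-owner 0 -m state --state NEW -j ACCEPT"
    done
    # Any other NEW connection is logged (flood-limited) and falls to the DROP policy.
    echo "$IPT -A OUTPUT -m state --state NEW -m limit --limit $LOG_RATE --limit-burst 10 -j LOG --log-prefix 'EGRESS-DROP '"
}

if [ "${1:-}" = "--apply" ]; then
    egress_rules | sh      # apply as root after reviewing the printed rules
else
    egress_rules
fi
```

Watch the EGRESS-DROP log prefix after deployment: legitimate software that needs to originate connections (a local resolver running as its own user, a mail relay) will show up there and needs its own owner-scoped ACCEPT rule.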