Seems like we're seeing more and more botnet infections going out to IRC
servers. Granted several of these infections go to servers on different
ports than the default, but a significant number of them are hitting
servers on tcp/6667.

Now that most firewalls don't proxy, it seems way too many places are
allowing TCP straight out to any port, so long as it originates inside
(certainly the "NAT is a firewall" crowd.) How many people routinely
block TCP/6667, or non-allowed applications? How many of you who don't
block it do regular reports on connections initiated inside to external
servers that aren't on port 80, 443, etc.?

I was tempted to save all the MyDoom samples I got and map them back
to netblocks to see how many were home users, and how many folks allowed
SMTP straight out. But I didn't have the patience to sort through all the
messages.

Firewalls are certainly capable of blocking a lot of this stuff - and I
don't believe that the problem is just home users - am I wrong, or do we
have too many places with too lax a security policy anymore?
($deity knows we've got too many content filters and AV bouncers - I'm
about to start collecting regexps for those to add to my block lists.)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
proberts_at_patriot.net
probertson_at_trusecure.com
Director of Risk Assessment, TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 02 2004
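The regular egress report the post asks about (connections initiated inside to external servers on ports other than 80, 443, etc.), as an added example that is not part of the original message or the list archive: a Python script that parses iptables-style kernel LOG lines and reports new outbound TCP connections on non-allowlisted destination ports, naming tcp/6667 (IRC) and tcp/25 (SMTP straight out) explicitly. The log lines are constructed; the RFC 1918 internal ranges, the interface names and the allowlist of ports 80 and 443 are assumptions to adapt to your own policy.

```python
"""Egress report over iptables-style LOG lines (added example, not from the post).

Assumptions: internal hosts live in RFC 1918 space, a LOG rule on the
outbound path logs new TCP connections, and only ports 80/443 are expected
to go straight out. Log lines below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_PORTS = {80, 443}                      # assumed egress allowlist
WATCH_PORTS = {                                # ports the post calls out by name
    6667: "IRC default port (tcp/6667); possible bot C2",
    25: "SMTP straight out from a client; possible mass-mailer",
}

KV_RE = re.compile(r"(\w+)=(\S*)")             # SRC=.. DST=.. PROTO=.. DPT=..
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")  # bare TCP flag words in LOG output

# Constructed sample: two IRC attempts, one HTTPS, one inbound SYN-ACK,
# one direct SMTP, one UDP DNS query and one internal-to-internal SMB.
SAMPLE_LOG = [
    "Feb  2 10:00:01 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb  2 10:00:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.21 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb  2 10:00:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40003 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb  2 10:00:05 fw kernel: INGRESS IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=6667 DPT=40003 WINDOW=5792 RES=0x00 ACK SYN URGP=0",
    "Feb  2 10:00:09 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb  2 10:00:10 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.53 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=6 DF PROTO=UDP SPT=40005 DPT=53 LEN=50",
    "Feb  2 10:00:11 fw kernel: EGRESS IN=eth1 OUT=eth1 SRC=192.168.1.20 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40006 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def is_internal(ip):
    """True when the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return (src, dst, dport) for a connection attempt initiated by SRC, else None.

    A pure SYN (no ACK) is the opening packet of a TCP connection; a SYN-ACK
    is the reply, so it is skipped rather than counted as an initiation.
    """
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    flags = set(FLAG_RE.findall(line))
    if "SYN" not in flags or "ACK" in flags:
        return None
    try:
        return fields["SRC"], fields["DST"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None


def egress_report(lines):
    """Connections initiated inside, to external hosts, on non-allowlisted ports."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if not is_internal(src) or is_internal(dst):
            continue  # inbound or internal-to-internal traffic is out of scope here
        if dport in ALLOWED_PORTS:
            continue
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "note": WATCH_PORTS.get(dport, "non-allowlisted port")})
    return findings


def top_destinations(findings, n=5):
    """Most-contacted (dst, dport) pairs; repeat hits on one host stand out."""
    return Counter((f["dst"], f["dport"]) for f in findings).most_common(n)


if __name__ == "__main__":
    report = egress_report(SAMPLE_LOG)
    for f in report:
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  {f['note']}")
    print("top destinations:", top_destinations(report))
```

Run daily against the firewall's LOG output (or a NetFlow export converted to the same fields) and the repeat hits on one external host and port are the ones worth chasing first; a hit count in the tens on tcp/6667 from a single internal address is a very different picture from one stray connection.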