and therefore a firewall wouldn’t keep up” reminds me of a recent bumper
sticker stating that “you should never drive faster than your guardian angel
can fly.” It doesn’t matter how fancy your firewall is, whether it is a host
firewall, a commercial appliance, or just router-based access control lists (ACLs):
if you simply monitor its logs, you will see “interesting” traffic.
If you have been paying attention, you have probably noticed that the Internet
is attacking you 24/7. Given that, it also makes sense to watch your firewall or
router ACL logs to see whether you are attacking the Internet: denied outbound
connections are where compromised internal hosts show up. For example, look at
the following Cisco router log:
/var/log/cisco.0:Nov 26 02:00:01 somerouter.foo.com 390484: 5w1d: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.1(46061) -> 10.32.5.108(25), 1 packet
/var/log/cisco.0:Nov 26 02:00:05 somerouter.foo.com 390487: 5w1d: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.1(46067) -> 10.181.88.247(25), 1 packet
/var/log/cisco.0:Nov 26 02:00:06 somerouter.foo.com 390489: 5w1d: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.1(46070) -> 10.1.1.81(25), 1 packet
/var/log/cisco.0:Nov 26 02:00:07 somerouter.foo.com 390490: 5w1d: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.1(46074) -> 10.163.102.31(25), 1 packet
Be grateful: only a few entries for this particular incident are shown; we
deleted thousands more and have laundered the IP addresses. 192.168.1.1 is
an infected internal “spambot” host trying to send spam outside the network,
presumably to a list of external mail servers. It can’t connect, so all we see
are TCP SYN packets aimed at port 25 on external hosts; the Cisco router spotted
the traffic and stopped it from reaching the Internet, because outbound port 25
was blocked for ordinary DHCP-using hosts inside the network. It is considered a
best practice to require all outbound SMTP traffic to go through official e-mail
gateways. Blocking all other port 25 traffic at the border, and logging the
denies, also gives you a warning whenever a spambot takes up residence.
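The detection the paragraph describes, turned into code: parse IOS %SEC-6-IPACCESSLOGP messages and flag any internal source that is denied to several distinct destinations on port 25, which is the fan-out pattern of a spambot rather than of a misconfigured mail client. This is an added example, not code from the book or from Cisco; the sample log lines are constructed (the first four mirror the records shown above, the rest are made up to show non-matching traffic), and the threshold of three distinct destinations is an assumption you would tune to your own environment.

```python
import re
from collections import defaultdict

# IOS access-list log message, as produced by "log-input"/"log" on an ACL entry:
#   %SEC-6-IPACCESSLOGP: list <acl> <action> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
IPACCESSLOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log. The first four records mirror the excerpt; the
# remaining two are invented to exercise the filters (a single SSH deny from
# another host, and a multi-packet summary line).
SAMPLE_LOG = [
    "/var/log/cisco.0:Nov 26 02:00:01 somerouter.foo.com 390484: 5w1d: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.1(46061) -> 10.32.5.108(25), 1 packet",
    "/var/log/cisco.0:Nov 26 02:00:05 somerouter.foo.com 390487: 5w1d: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.1(46067) -> 10.181.88.247(25), 1 packet",
    "/var/log/cisco.0:Nov 26 02:00:06 somerouter.foo.com 390489: 5w1d: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.1(46070) -> 10.1.1.81(25), 1 packet",
    "/var/log/cisco.0:Nov 26 02:00:07 somerouter.foo.com 390490: 5w1d: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.1(46074) -> 10.163.102.31(25), 1 packet",
    "/var/log/cisco.0:Nov 26 02:00:09 somerouter.foo.com 390491: 5w1d: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.77(51020) -> 10.9.9.9(22), 1 packet",
    "/var/log/cisco.0:Nov 26 02:05:07 somerouter.foo.com 390610: 5w1d: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.1(46090) -> 10.163.102.31(25), 12 packets",
]


def parse_acl_log(line):
    """Parse one syslog line; return a dict of fields, or None if it is not an ACL log record."""
    m = IPACCESSLOGP.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def find_outbound_talkers(lines, dport=25, min_destinations=3):
    """Map each source denied TCP to `dport` onto its set of distinct destinations,
    keeping only sources that hit at least `min_destinations` hosts.

    One or two denies can be a misconfigured client; a single host fanning out to
    many unrelated mail servers is the spambot signature the text describes.
    """
    dests = defaultdict(set)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied" or rec["proto"] != "tcp":
            continue
        if rec["dport"] != dport:
            continue
        dests[rec["src"]].add(rec["dst"])
    return {src: d for src, d in dests.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    for src, targets in find_outbound_talkers(SAMPLE_LOG).items():
        print(f"possible spambot {src}: denied to {len(targets)} distinct hosts on tcp/25")
```

Run against a real /var/log/cisco.* file the loop is the same; the point is that the ACL that blocks outbound 25 only helps if its denies are logged and something reads them. Hosts that are legitimately allowed to send mail (the official gateways) never appear here, because their traffic is permitted by an earlier ACL entry and so is never denied.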
To reinforce this point, consider the following absolute barebones firewall
policy in terms of botnet activity. Of course, it represents the past, but the past
has a tendency to repeat itself. It is also not entirely botnet related, but it
exemplifies malware still lurking on the Internet. For example, SQL Slammer, on
UDP port 1434, is still out there waiting to get in: