Using the router/modem to stop zombies


Using the router/modem to stop zombies

Postby bnelson » Wed Apr 16, 2008 1:11 pm

A lot of spam is sent by zombie PCs that have been hijacked by a virus or trojan. The owners have no idea their machines are infected. As many of you are aware, you can install firewalls and virus scanners to reduce your risk of this. However, many people don't do this. They're not tech savvy enough to keep their PCs safe.

I was thinking there needs to be a very simple solution that doesn't require PC configuration. Something that Grandma would have no problem using. I was wondering if there's a way the router could let you know when mail was being sent.

If the router were to beep every time it made an outbound connection to the mail port 25, the owner would be able to hear when unauthorized mail is being sent. If I heard a beep after I sent mail, I know that's from me and it's safe. But if the thing is beeping constantly 24 hours a day, I know I have an infected machine. Even Grandma is going to get tired of the beeping and call someone to take care of it.

This isn't really something for spamgourmet, but I was wondering what you guys thought of this idea.
bnelson
 
Posts: 9
Joined: Wed Feb 18, 2004 8:52 pm

Re: Using the router/modem to stop zombies

Postby gourmet » Thu Apr 17, 2008 6:08 am

A better solution is that the ISP automatically blocks spam. And that's just what they have done in Finland.
gourmet
 
Posts: 124
Joined: Thu Mar 27, 2008 4:46 pm

Postby kevins10 » Sun Apr 20, 2008 12:39 am

There are already some routers vulnerable to attacks, and if this became common and spammers could find a vulnerability to gain admin access to the routers, they'd just add disabling the warnings to their malware. So this won't work, plus since there are already thousands of routers out there that don't do it, it's not a viable solution. You'd need everyone in the world to replace their routers.
kevins10
 
Posts: 11
Joined: Sat Apr 12, 2008 4:15 am

Postby gourmet » Sun Apr 20, 2008 3:33 am

kevins10 wrote:There's already some routers vulnerable to attacks, and if this became common and spammers could find a vulnerability to gain admin access to the routers, they'd just add disabling the warnings to their malware.

So? That's why there are firmware updates regularly and security issues are getting fixed for sure. Also, the constant growth of the internet forces hardware to be replaced regularly.

Here is one reference:
http://stateofsecurity.com/?p=339

It's also important to turn unused control interfaces off and allow access from only one IP. Which may actually be an IP that isn't occupied on that network at all. It can be an IP which is used only by the control terminal.

Ok I know, as long as there is some way to get in, it's not impossible. Especially if the control interface is in the same physical LAN without VLAN support. But it's still hard, and for sure any random automated attack bot isn't getting through that. It'll require an experienced and motivated attacker.
gourmet
 
Posts: 124
Joined: Thu Mar 27, 2008 4:46 pm

Re: Using the router/modem to stop zombies

Postby Paranoid2000 » Thu May 22, 2008 2:37 am

bnelson wrote:If the router were to beep every time it made an outbound connection to the mail port 25, the owner would be able to hear when unauthorized mail is being sent.
It's an interesting idea which could provide a useful warning of a compromised PC. The downside is it would involve some extra expense for router manufacturers in terms of adding a speaker and related circuitry - not much but every penny/cent counts in that business.
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

Postby SysKoll » Sun Jun 08, 2008 11:19 pm

The solution is simple: Just like some Finnish and French ISPs, ISPs should set their routers so that their subscribers cannot connect to port 25 of any server except the ISP's mail server. That will go a long way to reducing spam.
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

Postby Paranoid2000 » Mon Jun 09, 2008 8:14 am

SysKoll wrote:ISPs should set their routers so that their subscribers cannot connect to port 25 of any server except the ISP's mail server. That will go a long way to reducing spam.
Only if the ISP also imposes limits on emails sent per user - otherwise spamware could just use their server instead.

My ISP blocks port 25 by default but still ended up on a spam blocklist due to one subscriber bouncing (backscattering) their incoming spam.
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

Postby gourmet » Mon Jun 09, 2008 1:52 pm

Paranoid2000 wrote:Only if the ISP also imposes limits on emails sent per user - otherwise spamware could just use their server instead.

Rate is limited and all email goes through a spam check. If it's clear spam or virus/malware stuff then SMTP traffic will be completely halted.

In some cases they can restrict all network traffic, if synflooding or malware / dos attacks are detected. The network connection stays down until the customer contacts the ISP and it's confirmed that the system is free from serious crap.

It's illegal to harm other users or disturb network traffic.
gourmet
 
Posts: 124
Joined: Thu Mar 27, 2008 4:46 pm
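A small model of the ISP-side controls SysKoll and gourmet describe, with Paranoid2000's point built in: once direct port 25 egress is blocked, the ISP's own relay needs a per-subscriber rate limit and a halt state, or spamware simply relays through it. This is an added example, not code from spamgourmet or from any ISP; the policy class, its thresholds, the subscriber names and the message events are all constructed, and the spam verdict is assumed to come from a separate content scanner that is not modelled here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SmarthostPolicy:
    """Per-subscriber submission policy for an ISP mail relay (assumed design).

    Every subscriber message passes through here after the ISP has blocked
    direct port-25 egress.  Three outcomes:
      accepted  - under the rate limit and not flagged
      deferred  - over the rate limit inside the sliding window
      halted    - subscriber has been cut off until the ISP clears them
    """

    def __init__(self, max_per_window: int, window: timedelta):
        self.max_per_window = max_per_window
        self.window = window
        self.recent = defaultdict(deque)   # subscriber -> timestamps of accepted messages
        self.halted = {}                   # subscriber -> reason string

    def submit(self, subscriber: str, when: datetime, flagged_as_spam: bool = False) -> str:
        if subscriber in self.halted:
            return "halted"
        # The verdict is assumed to come from a separate content scanner.
        if flagged_as_spam:
            self.halted[subscriber] = "spam or malware detected"
            return "halted"
        accepted = self.recent[subscriber]
        # Drop timestamps that have aged out of the sliding window.
        while accepted and when - accepted[0] > self.window:
            accepted.popleft()
        if len(accepted) >= self.max_per_window:
            return "deferred"
        accepted.append(when)
        return "accepted"

    def restore(self, subscriber: str) -> None:
        """Called once the customer has contacted the ISP and the machine is confirmed clean."""
        self.halted.pop(subscriber, None)
        self.recent[subscriber].clear()


def simulate() -> dict:
    """Run constructed traffic through the policy and tally the outcomes per subscriber."""
    policy = SmarthostPolicy(max_per_window=20, window=timedelta(minutes=1))
    t0 = datetime(2008, 6, 9, 13, 52)
    tally = defaultdict(lambda: defaultdict(int))

    # dsl-1001 (constructed): a zombie pushing 100 messages in one minute,
    # none of which the scanner catches.  The rate limit alone stops 80 of them.
    for i in range(100):
        outcome = policy.submit("dsl-1001", t0 + timedelta(seconds=i * 0.6))
        tally["dsl-1001"][outcome] += 1

    # dsl-2002 (constructed): one normal message, then one the scanner flags,
    # then two more attempts that are refused because the account is halted.
    for flagged in (False, True, False, False):
        outcome = policy.submit("dsl-2002", t0, flagged_as_spam=flagged)
        tally["dsl-2002"][outcome] += 1

    # After the customer calls in and is cleaned up, sending is allowed again.
    policy.restore("dsl-2002")
    later = policy.submit("dsl-2002", t0 + timedelta(hours=2))
    tally["dsl-2002-after-restore"][later] += 1

    return {name: dict(counts) for name, counts in tally.items()}


if __name__ == "__main__":
    for subscriber, counts in simulate().items():
        print(subscriber, counts)
```

The rate limit is a sliding window rather than a fixed per-minute counter so a burst straddling a minute boundary cannot get double the allowance; the halt is sticky on purpose, since the thread's point is that the connection stays restricted until a human confirms the machine is clean.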

Postby bnelson » Tue Jun 10, 2008 4:58 pm

I don't mean to imply that a beeping router would be the one great solution that would end all spam. But I think it could help identify infected systems.

My setup at home is 5 networked computers. Only one computer has an email reader and sends email. The rest either use webmail or don't send email at all. I wouldn't want the ISP or router to unilaterally block or permit port 25 traffic. I need port 25 to be enabled for the one computer, but I don't want the other 4 computers to be spam-sending zombies.

There have been times I've seen my router's transmission lights blinking and wondered what's going on. I've even gone so far as running a sniffer to see what the packets are. So far it's just been normal stuff like a program checking for updates. But I don't want to be a network admin all the time at home. If the router beeped when a corresponding email was sent, I'd know that's okay. But if it starts whistling like a tea kettle, I'd know there was an infected machine.
bnelson
 
Posts: 9
Joined: Wed Feb 18, 2004 8:52 pm
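The "beeping router" proposed at the top of the thread, and bnelson's home setup with one permitted mail sender among five machines, expressed as detection logic over a router connection log. This is an added example, not code from the original post or from any router firmware: the log line format, the 192.168.1.x addresses, the allowlist and the "tea kettle" threshold are all constructed assumptions. A host on the allowlist gets "allowed", a host that is not on it and opens a handful of port 25 connections gets a single "beep", and a host that opens more than the threshold within the window gets "tea kettle".

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one line per new outbound connection the router saw.
# Assumed format: "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2008-06-10T16:50:01 192.168.1.10:50211 -> 203.0.113.25:25 tcp
2008-06-10T16:50:02 192.168.1.12:40001 -> 198.51.100.7:80 tcp
2008-06-10T16:50:05 192.168.1.13:33001 -> 203.0.113.40:25 tcp
2008-06-10T16:50:06 192.168.1.13:33002 -> 203.0.113.41:25 tcp
2008-06-10T16:50:08 192.168.1.13:33003 -> 203.0.113.42:25 tcp
2008-06-10T16:50:09 192.168.1.11:41000 -> 198.51.100.9:443 tcp
2008-06-10T16:50:11 192.168.1.13:33004 -> 203.0.113.43:25 tcp
2008-06-10T16:50:14 192.168.1.13:33005 -> 203.0.113.44:25 tcp
2008-06-10T16:50:20 192.168.1.13:33006 -> 203.0.113.45:25 tcp
2008-06-10T16:51:30 192.168.1.11:41001 -> 203.0.113.50:25 tcp
2008-06-10T16:51:31 192.168.1.14:55000 -> 198.51.100.20:80 tcp
this line is garbage and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$"
)

# The one machine in the house that runs a mail client (constructed address).
ALLOWED_SENDERS = {"192.168.1.10"}


def parse_log(text: str) -> list:
    """Parse the assumed log format into records, silently skipping malformed lines."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, src, _sport, dst, dport, proto = match.groups()
        records.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto,
        })
    return records


def smtp_times_by_host(records: list, port: int = 25) -> dict:
    """Sorted timestamps of outbound TCP connections to `port`, keyed by source host."""
    by_host = defaultdict(list)
    for rec in records:
        if rec["proto"] == "tcp" and rec["dport"] == port:
            by_host[rec["src"]].append(rec["time"])
    for times in by_host.values():
        times.sort()
    return dict(by_host)


def max_in_window(times: list, window_seconds: int) -> int:
    """Largest number of events that fall inside any window of `window_seconds`."""
    best = 0
    start = 0
    for end, current in enumerate(times):
        while (current - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify_hosts(records: list, allowed_senders: set,
                   window_seconds: int = 60, threshold: int = 3) -> dict:
    """Map each host that opened port-25 connections to 'allowed', 'beep' or 'tea kettle'."""
    verdicts = {}
    for host, times in smtp_times_by_host(records).items():
        if host in allowed_senders:
            verdicts[host] = "allowed"
        elif max_in_window(times, window_seconds) > threshold:
            verdicts[host] = "tea kettle"   # sustained outbound SMTP: likely a zombie
        else:
            verdicts[host] = "beep"         # a few connections: worth a look, not an alarm
    return verdicts


if __name__ == "__main__":
    for host, verdict in classify_hosts(parse_log(SAMPLE_LOG), ALLOWED_SENDERS).items():
        print(f"{host}: {verdict}")
```

The allowlist does what bnelson asks for that neither a blanket ISP block nor a blanket permit can: port 25 stays open for the one machine that needs it, and the other four are judged on rate. Hosts that only talk to ports 80 and 443 never appear in the verdicts at all.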

Postby gourmet » Thu Jun 12, 2008 6:03 am

bnelson wrote:I don't mean to imply that a beeping router would be the one great solution that would end all spam. But I think it could help identify infected systems.

How about reading system logs? I often find out that even if logging is on, nobody's reading those. And that's very very common. I have logging on only for cases that something serious happens and we do need those logs. But by default, nobody's ever checking what's being logged. But that's life.

I have found out that security is a great joke. Nobody really cares, even though they should. And if I can't win them I'm going to join them.
gourmet
 
Posts: 124
Joined: Thu Mar 27, 2008 4:46 pm

