University Cleans Up Bots on Campus

The University of Missouri-Columbia's IRC blocking system quarantines spamming client machines

The University of Missouri-Columbia was starting to get a reputation among the anti-spam community a year ago. Its zombified client machines were spewing spam across the Internet without their owners' knowledge, landing the university on several email blacklists.

So the university's security and IT groups, which support some 28,000 students and 10,000 faculty and staff, decided to try blocking Internet Relay Chat (IRC) traffic -- the method most botnets use to control bot-infected machines.

"We wanted to reduce complaints from outside about spam on our campus going out" and to remove the university from spam blacklists, says Allen Brokken, Principal Systems Security Analyst for MU.

That meant adding the then-new Quarantine Protection option to the university's TippingPoint IPS last year. Quarantine works hand in hand with the university's device registration system, which ensures that the clients students bring to the campus network are properly registered -- and therefore quarantinable. "We determined the most efficient way was to block IRC using the IPS, and to use the Quarantine action on it," Brokken says.

When the IPS Quarantine detects a client machine trying to initiate an IRC session, the user is automatically quarantined and redirected to an MU device registration Web page that informs the user his or her machine is infected. The site then gives instructions and links for cleaning up the machine before the client is allowed back on the network. Brokken says the IRC block, which the university built on top of the Quarantine feature, isn't a typical application of TippingPoint's Quarantine.

A machine is quarantined for one hour, and then admitted back on the network if it's clean.

The only catch with the IRC block is that users sometimes have legitimate reasons, such as gaming or academic work, to run an IRC session with other users. Brokken admits there's really no way for the system to know for sure if it's a bot communiqué. "We look at how many times a user is getting quarantined for IRC. If you do something that violated policy, we will kick you off for one hour to see if you are still doing it," he says. "If you were infected and clean it up, an hour later you're back on the network."
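The quarantine workflow described above (IRC initiation detected, one-hour quarantine with redirect to the cleanup page, and a per-client count of repeat quarantines for manual review), as an added simulation that is not MU's or TippingPoint's code. It assumes clients are identified by the MAC address the device registration system knows them by, that an IRC session is recognised by its destination port or by a NICK/USER handshake, and that unregistered clients are sent to the registration page; the traffic below is constructed.

```python
from dataclasses import dataclass, field

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}  # assumed list of common IRC ports
QUARANTINE_SECONDS = 3600                         # the article's one-hour quarantine

@dataclass
class Flow:
    ts: float        # seconds since epoch
    src_mac: str     # identity the device registration system knows the client by
    dst_port: int
    payload: bytes = b""

def is_irc_initiation(flow: Flow) -> bool:
    """IRC session start: a well-known IRC port, or an IRC handshake on any port."""
    if flow.dst_port in IRC_PORTS:
        return True
    head = flow.payload[:64].upper()
    return head.startswith(b"NICK ") or head.startswith(b"USER ")

@dataclass
class QuarantineSystem:
    registered: set                                  # MACs known to device registration
    released_at: dict = field(default_factory=dict)  # mac -> time the quarantine ends
    hits: dict = field(default_factory=dict)         # mac -> number of quarantines so far

    def handle(self, flow: Flow) -> str:
        mac, now = flow.src_mac, flow.ts
        if mac not in self.registered:
            return "register"    # assumption: unknown clients are sent to register first
        if self.released_at.get(mac, 0) > now:
            return "redirect"    # still inside the hour: show the cleanup instructions page
        if is_irc_initiation(flow):
            self.released_at[mac] = now + QUARANTINE_SECONDS
            self.hits[mac] = self.hits.get(mac, 0) + 1
            return "quarantine"
        return "allow"           # clean traffic, or the hour is up and the host is back

    def repeat_offenders(self, threshold: int = 2) -> list:  # the list reviewed by hand
        return sorted(m for m, n in self.hits.items() if n >= threshold)

# Constructed sample traffic: a registered host quarantined twice (by port, then by
# handshake on a non-standard port) and an unregistered host.
SAMPLE_FLOWS = [
    Flow(0, "aa:aa", 443), Flow(10, "aa:aa", 6667), Flow(100, "aa:aa", 443),
    Flow(3700, "aa:aa", 443), Flow(4000, "aa:aa", 8080, b"NICK zombie42\r\n"),
    Flow(4100, "bb:bb", 6667),
]

def run(flows=SAMPLE_FLOWS, registered=frozenset({"aa:aa"})):
    system = QuarantineSystem(set(registered))
    return [system.handle(f) for f in flows], system.repeat_offenders()
```

Running `run()` walks the sample through the policy: the host is allowed, quarantined, redirected while the hour runs, allowed once it expires, and quarantined again on the handshake, which puts it on the repeat-offender list.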

At first the university did inadvertently snare some legit IRC users. But since then, the false positives have dropped to few or none. "We figure that when people using IRC as a normal business practice learn about the restriction on it, they do something else instead. So now we don't have a lot of false positives," he says.

The IRC block also decreased spam complaints against MU. "We went from polluting people with spam to capturing [the offenders]," Brokken says. "That was our biggest win."

Still, it's not a perfect system for catching bots. Botnet operators are increasingly moving away from IRC and using less-conspicuous channels to communicate, such as HTTP and point-to-point links. But Brokken says there are other rule set options in Quarantine that the university can eventually use to block other botnet vectors. (See Black Hat: Botnets Go One-on-One and Botnets Don Invisibility Cloaks.)

The university also runs firewalls in front of each residence hall, which helps minimize botnet infection, Brokken says. "If you're a machine on that network, you can communicate out, but no one can talk to you." That helps prevent a botnet controller from polling a potential zombie, although a user could still fall victim via an infected email message. "We see more bot-related traffic on the administrative side of the network," which is more open.

The downside with TippingPoint's Quarantine feature is that the rules that aren't enabled by default require considerable manual configuration, Brokken says. "They have a large rule set that's not deployed by default," he says. And it's time-consuming to add these rules and ensure they don't generate lots of false positives, as the IRC block initially did. "It took us a month to get the IRC block completely deployed."

The university is currently evaluating several different network access control (NAC) products to help secure and manage its client machines, especially with the potential for BlackBerry and other PDAs joining the network. A NAC solution may or may not replace the existing registration and quarantine system, Brokken says.

Meanwhile, Brokken expects the bot threat to continue, despite the university's measures to combat it. Until about a year ago, the university's IPS was mostly catching machines that were infected from other machines, such as residual worm infestations. "Then the demographics started to change, with less hits from Sasser/Blaster, and more external spam complaints," he says. "I have a feeling most of what we are dealing with now are bot machines, or someone downloading or doing something silly. My gut tells me that's where things are headed, with more sophisticated" attacks.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
