University Cleans Up Bots on Campus

The University of Missouri-Columbia's IRC blocking system quarantines spamming client machines

The University of Missouri-Columbia was starting to get a reputation among the anti-spam community a year ago. Its zombified client machines were unknowingly spewing spam around the Internet, landing the university on several email blacklists.

So the university's security and IT groups, who support some 28,000 students and 10,000 faculty and staff, decided to try blocking Internet Relay Chat (IRC) traffic -- the method most botnets use to control bot-infected machines.

"We wanted to reduce complaints from outside about spam on our campus going out" and to remove the university from spam blacklists, says Allen Brokken, Principal Systems Security Analyst for MU.

That meant adding the then-new Quarantine Protection option to the university's TippingPoint IPS last year. Quarantine works hand in hand with the university's device registration system, which ensures that the clients students bring to the campus network are properly registered -- and therefore quarantinable. "We determined the most efficient way was to block IRC using the IPS, and to use the Quarantine action on it," Brokken says.

When the IPS Quarantine detects a client machine trying to initiate an IRC session, the user is automatically quarantined and redirected to an MU device registration Web page that informs the user his or her machine is infected. The site then gives instructions and links for cleaning up the machine before the client is allowed back on the network. Brokken says the IRC block, which the university built itself using the Quarantine rule set, isn't a typical application of TippingPoint's Quarantine.

A machine is quarantined for one hour, and then admitted back on the network if it's clean.

The only catch with the IRC block is that sometimes users have legitimate reasons to be running an IRC session with other users for gaming or academic reasons. Brokken admits there's really no way for the system to know for sure if it's a bot communiqué. "We look at how many times a user is getting quarantined for IRC. If you do something that violated policy, we will kick you off for one hour to see if you are still doing it," he says. "If you were infected and clean it up, an hour later you're back on the network."
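The detect, quarantine, and readmit cycle described above, with the one-hour window and the per-host count of repeat quarantines Brokken mentions, as an added example that is not MU's configuration or TippingPoint's code. It assumes a hypothetical feed of "timestamp host first-payload-bytes" records and matches on the IRC registration commands (NICK/USER) rather than on port 6667, since bots need not use the standard port:

```python
import re
from datetime import datetime, timedelta

# An IRC client opens a session by sending NICK and USER; match on those
# commands rather than on port 6667 so non-standard ports are still caught.
IRC_INIT = re.compile(r"^(NICK|USER) \S+", re.MULTILINE)

QUARANTINE = timedelta(hours=1)   # the one-hour quarantine window from the article

def is_irc_init(payload: str) -> bool:
    """True if the first client bytes look like an IRC session being opened."""
    return IRC_INIT.search(payload) is not None

class QuarantineTracker:
    """Hypothetical stand-in for the IPS Quarantine action plus repeat counting."""
    def __init__(self):
        self.until = {}   # host -> datetime when its quarantine expires
        self.hits = {}    # host -> number of times quarantined (repeat-offender view)

    def process(self, ts: datetime, host: str, payload: str) -> str:
        exp = self.until.get(host)
        if exp and ts < exp:
            return "redirect"      # still inside the hour: keep sending to the cleanup page
        if is_irc_init(payload):   # IRC again after the hour counts as a repeat offence
            self.until[host] = ts + QUARANTINE
            self.hits[host] = self.hits.get(host, 0) + 1
            return "quarantine"
        return "allow"             # hour is over and no IRC seen: machine is readmitted

# Constructed sample records (not real traffic): "timestamp host payload"
SAMPLE = [
    "2021-06-22T09:00:00 10.1.2.3 NICK zx77\r\nUSER zx77 0 * :x\r\n",
    "2021-06-22T09:01:00 10.1.2.4 NICK student\r\nUSER s 0 * :s\r\n",
    "2021-06-22T09:10:00 10.1.2.3 GET / HTTP/1.1",
    "2021-06-22T10:05:00 10.1.2.3 GET /mail HTTP/1.1",
    "2021-06-22T10:30:00 10.1.2.4 NICK student\r\nUSER s 0 * :s\r\n",
]

def run(lines):
    """Replay records through the tracker; returns (per-record actions, hits per host)."""
    tracker = QuarantineTracker()
    actions = []
    for line in lines:
        ts, host, payload = line.split(" ", 2)
        actions.append((host, tracker.process(datetime.fromisoformat(ts), host, payload)))
    return actions, tracker.hits
```

In the sample, 10.1.2.3 is quarantined once, redirected while inside the hour, and readmitted afterwards, while 10.1.2.4 reopens IRC after its hour and is quarantined a second time, which is the repeat count a policy review would look at.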

At first the university did inadvertently snare some legit IRC users. But since then, the false positives have dropped to few or none. "We figure that when people using IRC as a normal business practice learn about the restriction on it, they do something else instead. So now we don't have a lot of false positives," he says.

The IRC block also decreased spam complaints against MU. "We went from polluting people with spam to capturing [the offenders]," Brokken says. "That was our biggest win."

Still, it's not a perfect system for catching bots. Botnet operators are increasingly moving away from IRC and using less-conspicuous channels to communicate, such as HTTP and point-to-point links. But Brokken says there are other rule set options in Quarantine that the university can eventually use to block other botnet vectors. (See Black Hat: Botnets Go One-on-One and Botnets Don Invisibility Cloaks.)

The university also runs firewalls in front of each residence hall, which helps minimize botnet infection, Brokken says. "If you're a machine on that network, you can communicate out, but no one can talk to you." That helps prevent a botnet controller from polling a potential zombie, although a user could still fall victim via an infected email message. "We see more bot-related traffic on the administrative side of the network," which is more open.

The downside with TippingPoint's Quarantine feature is that the rules outside the default set require considerably more manual configuration than those enabled out of the box, Brokken says. "They have a large rule set that's not deployed by default," he says. And it's time-consuming to add these rules and ensure they don't generate lots of false positives, as the IRC block initially did. "It took us a month to get the IRC block completely deployed."

The university is currently evaluating several different network access control (NAC) products to help secure and manage its client machines, especially with the potential for BlackBerry and other PDAs joining the network. A NAC solution may or may not replace the existing registration and quarantine system, Brokken says.

Meanwhile, Brokken expects the bot threat to continue, despite the university's measures to combat it. Until about a year ago, the university's IPS was mostly catching machines that were infected from other machines, such as residual worm infestations. "Then the demographics started to change, with less hits from Sasser/Blaster, and more external spam complaints," he says. "I have a feeling most of what we are dealing with now are bot machines, or someone downloading or doing something silly. My gut tells me that's where things are headed, with more sophisticated" attacks.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
