Slashdot Mirror


Botnet Worm Targets DSL Modems and Routers

CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.

77 of 272 comments

  1. Tomato by Merritt.kr · · Score: 3, Interesting

    Glad I recently switched my router to Tomato. Works better than DD-WRT, too.

    --
    It is no measure of health to be well adjusted to a profoundly sick society. - Krishnamurti
    1. Re:Tomato by snowraver1 · · Score: 2, Informative

      I'm pretty sure that Tomato is in the same boat. According to the Tomato FAQ, Tomato is Linux based, and according to TFA Embedded Linux devices seem to be the target.

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    2. Re:Tomato by zombietangelo · · Score: 5, Informative
      TFA states:

      any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)

      This does not exclude Tomato, especially if your router is set up as mentioned or you have weak passwords.

    3. Re:Tomato by Repton · · Score: 5, Informative

      If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable.

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
    4. Re:Tomato by Krizdo4 · · Score: 4, Informative

      Glad I recently switched my router to Tomato. Works better than DD-WRT, too.

      Why does this article make you glad you switched?
      The same thing that makes OpenWRT/DD-WRT vulnerable seems to be part of Tomato.

      FTFA
      "any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)."

      From Tomato Features list:
      "CLI (using BusyBox) with access via TELNET or SSH (using Dropbear)"

    5. Re:Tomato by John+Hasler · · Score: 3, Insightful

      > If you allow ssh access from the wide internet...

      Why would you do that?

      > ...and you have a weak password for root...

      Why would you do that?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    6. Re:Tomato by Anonymous Coward · · Score: 5, Insightful

      If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.

      Really, just use SSH with private/public keys and you'll be okay.

    7. Re:Tomato by Yossarian45793 · · Score: 4, Insightful

      If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable.

      If you allow ssh access from the wide internet, and you have a weak password for root, you always were vulnerable. Now the vulnerability is just being exploited in a more automated way.

    8. Re:Tomato by Anonymous Coward · · Score: 2, Insightful

      > If you allow ssh access from the wide internet...

      Why would you do that?

      Normally those routers do not have users other than root...

    9. Re:Tomato by xiong.chiamiov · · Score: 3, Informative

      You don't have to enable remote ssh access to manage your router, unless you really need to administrate it remotely.

    10. Re:Tomato by tobiasly · · Score: 3, Informative

      If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.

      Really, just use SSH with private/public keys and you'll be okay.

      Another alternative is to close port 22 and use a non-standard, high-numbered port instead. Not as secure but most automated attacks don't scan all 65536 ports looking for an open one. If I disable passwords I'm always afraid that the one time I really need to get into my LAN will be the one time I don't have my private keys with me.

    11. Re:Tomato by 644bd346996 · · Score: 3, Informative

      By default, Tomato doesn't allow remote (from WAN port) administration. I don't know about the other WRT firmwares, but Tomato at least is secure from this exploit by default.

    12. Re:Tomato by X0563511 · · Score: 3, Informative

      dd-wrt doesn't allow admin from WAN either, unless you tell it to.

      And you can tell it to do that intelligently, using SSH on a nonstandard port, enabling tunneling, and using public key auth.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    13. Re:Tomato by PReDiToR · · Score: 4, Informative

      > If you allow ssh access from the wide internet...

      Why would you do that?

      `ssh -i ~/.ssh/myrouter.key root@my.router.ip '/usr/sbin/wol -i 192.168.0.255 00:11:22:33:44:55'`

      But there is no reason on earth to use SSH with password authentication. Ever.

      4096-bit keys with a 30+ character passphrase are my standard at the moment.

      --
      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    14. Re:Tomato by IvyKing · · Score: 2, Informative

      Note that a strong root password and use of a non-standard port will help keep the bots away. Even better if you disable password authentication for SSH and use a key instead.

      Even better yet would be setting up a user account with a non-common name and su'ing or sudo'ing to do the administrative stuff. As an example, both OpenBSD and Solaris default to blocking root access by ssh. Another nifty ssh trick is to set up sshd to drop most connection attempts after two attempts in a minute.
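      The SSH hardening the replies above keep coming back to (key-only auth, no root password login, a non-standard port, a listener bound to the LAN side, and IvyKing's drop-after-repeated-attempts trick) as a small audit script. This is an added example, not code from any commenter or from the Tomato/DD-WRT projects: the sshd_config directive names and the iptables `recent` module options are real, the two sample configs are constructed, and the script assumes a POSIX sh with awk, grep and wc, as BusyBox provides.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenSSH sshd_config for the
# settings recommended in the comments above and emit the iptables rules for the
# "drop after repeated attempts in a minute" trick. Directive names are real
# OpenSSH ones; the two configs below are constructed samples.

# Constructed sample: a typical exposed default.
WEAK_CONFIG='Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample: hardened the way the thread suggests.
HARDENED_CONFIG='Port 2222
ListenAddress 192.168.1.1
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3'

# Effective value of one directive: first occurrence wins, as in sshd, and names
# are case-insensitive. Comment lines never match because their first field is "#...".
ssh_directive() {   # usage: ssh_directive <config-text> <Directive>
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# Print one finding per weak setting, treating an absent directive as the
# permissive default. Prints nothing for a hardened config.
audit_sshd_config() {   # usage: audit_sshd_config <config-text>
    cfg=$1
    pa=$(ssh_directive "$cfg" PasswordAuthentication)
    [ "${pa:-yes}" = "yes" ] && echo "PasswordAuthentication yes: brute-forceable (use keys only)"
    prl=$(ssh_directive "$cfg" PermitRootLogin)
    [ "${prl:-yes}" = "yes" ] && echo "PermitRootLogin yes: root accepts a password (use without-password or no)"
    port=$(ssh_directive "$cfg" Port)
    [ "${port:-22}" = "22" ] && echo "Port 22: the port every scanner tries first"
    la=$(ssh_directive "$cfg" ListenAddress)
    la=${la:-0.0.0.0}
    case "$la" in
        0.0.0.0|::) echo "ListenAddress $la: sshd reachable from the WAN side" ;;
    esac
    return 0
}

# Number of findings; 0 means the config passes.
audit_count() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# iptables rules (recent match module) that drop NEW connections to the SSH port
# from a source that has opened 3 or more in the last 60 seconds. Printed rather
# than applied, so they can be reviewed and then piped to sh on the router.
ssh_ratelimit_rules() {   # usage: ssh_ratelimit_rules <port>
    echo "iptables -A INPUT -p tcp --dport $1 -m state --state NEW -m recent --set --name SSH"
    echo "iptables -A INPUT -p tcp --dport $1 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name SSH -j DROP"
}

echo "weak config findings:";     audit_sshd_config "$WEAK_CONFIG"
echo "hardened config findings:"; audit_sshd_config "$HARDENED_CONFIG"
echo "rate-limit rules for port 2222:"; ssh_ratelimit_rules 2222
```

      On Tomato and DD-WRT the SSH daemon is Dropbear, which has no sshd_config; the equivalent switches are `-s` (disable password logins), `-w` (disallow root logins) and `-p 192.168.1.1:2222` (bind to the LAN address on a chosen port). The audit applies unchanged to the OpenSSH box a remote admin would jump through instead of exposing the router itself.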

    15. Re:Tomato by Kadin2048 · · Score: 4, Interesting

      That would be nice, but it is not easy to do. The Linux distros that run on embedded routers are mostly set up to have only a single, root, user. DD-WRT is definitely this way, and I think Tomato is as well. It might be possible to rebuild it with multiple users but that is definitely not how it's designed right now.

      Personally what I'd recommend is not having any of the router's management interfaces exposed to the WAN side of things, for any reason, ever. If you think you might need to administer the router remotely, set up a hardened system inside the LAN somewhere, forward a nonstandard port to sshd on it, and then log into that machine and do SOCKS port-forwarding to connect to the router. This is how I run my home network and it takes literally only a second or two longer to connect to the router this way, versus if I had it directly accessible.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    16. Re:Tomato by Runaway1956 · · Score: 3, Insightful

      I have a very strong password. "Administrator" See? Twelve letters. I'm pretty sure that Microsoft assured me years ago that a twelve letter password made for a real strong hash......

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    17. Re:Tomato by Runaway1956 · · Score: 2, Funny

      "I'm always afraid that the one time I really need to get into my LAN will be the one time I don't have my private keys with me." You could have the keys digitally tattooed to your anatomy somewhere. Then, you could sit on a scanner to access your keys. All of the 32nd century James Bond types do it! :-)

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    18. Re:Tomato by Seq · · Score: 2, Insightful

      Wouldn't it be substantially easier to just set a really strong SSH password and use key-based auth if you need to configure your router remotely?

      --
      -- Seq
    19. Re:Tomato by Medievalist · · Score: 2, Interesting

      Assuming ssh is usable. My ISP gave me a router that despite letting me set various port forwarding, refuses to honor them, so remote access to any of the machines just does not seem to work the way I would like. I do have ssh on my network machines, but they are keys, password, whitelist protected on uncommon port while only supporting version 2 connections.

      Most likely you aren't programming it right, because it has a retarded programming interface. For example, you might have to open firewall holes for forwarded ports, even though it's excruciatingly obvious that you want to let in anything for which you've set up forwarding rules.

      ISP routers are the cheapest crap imaginable. If you have Verizon, they'll likely give you a Westell specially built to be extra-crappy (or worse yet an Actiontec). You can usually make them do what you want with hundreds of hours of trial and error, but you may as well throw away the manual and not bother calling tech support. Write down the configuration that works, when you find it, because the box will reach its MTBF about the same time you find the insanely baroque combination of options that will make it do what you need.

      Of course, if you have Comcast they probably won't even give you a router - they'll just plug the Internet right into your soon-to-be-worm-hosting-machine. And if you have any problems, the first thing their tech support will tell you is to turn off your firewall.

  2. Tomato by Anonymous Coward · · Score: 3, Funny

    Don't forget, Tomatoes get worms too!

  3. Run to my openWRT router and look for.. what? by Anonymous Coward · · Score: 2, Interesting

    I actually RTFA, logged into my router, and I'm still not sure what to look for to see if we've been compromised.

    What exactly are we looking for?

    first post!
    -edfardos

    1. Re:Run to my openWRT router and look for.. what? by Repton · · Score: 3, Informative

      Considering that TFA says one of the things the bot does is lock you out, I suggest that if you can log in, you are fine :-)

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
    2. Re:Run to my openWRT router and look for.. what? by snowraver1 · · Score: 2, Informative

      If you are logged in using standard SSH port settings, then you should be okay. According to TFA, the worm adds the following rules:

      # iptables -A INPUT -p tcp --dport 23 -j DROP
      # iptables -A INPUT -p tcp --dport 22 -j DROP
      # iptables -A INPUT -p tcp --dport 80 -j DROP

      If your telnet/ssh connections are working, and you can get to the web page, then you should be okay.

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    3. Re:Run to my openWRT router and look for.. what? by KillzoneNET · · Score: 5, Informative

      Apparently I'm one of the "100,000" that got infected by this botnet.

      This morning my router would not connect to any websites, yet my modem when directly connected to my PC still did. I reset the settings to default, disabled the vulnerabilities that got the idiots in and put a stronger 35-character username and password.

      How did I get infected in the first place? I left on remote access. And possibly my username and password weren't that complex. Live and learn I guess.

    4. Re:Run to my openWRT router and look for.. what? by itsthebin · · Score: 2, Insightful

      Good for you for being honest about it mate - I am sure there are a few other /.ers who were also compromised.

      Are you able to tell us the user and password and port that was compromised so we can make a judgment on how brute-forced it was?

      If it is a password you use elsewhere (./ acc :D), I can understand if you won't want it published.

      --
      ...I obey the laws of physics....
    5. Re:Run to my openWRT router and look for.. what? by KillzoneNET · · Score: 2, Informative

      Not sure what the ports it was using exactly, but telnet was definitely on. The username was still 'root' and the password was a simple word. TFA mentions the botnet has brute forcing capabilities so I imagine with only one thing to bust through, it wouldn't at all be a hard task to get into.

      Funny thing is, I thought this was just a minor bug until the first thing I saw was this /. article when my router was restored.

  4. What to do about it? by GrahamCox · · Score: 5, Insightful

    A. How do we know whether our kit is vulnerable?
    B. How to tell whether we are infected?
    C. What to do about it if we are?

    I'd guess most people, even geeks, just think of their router as a black box and don't know much about them as long as they keep on working.

    1. Re:What to do about it? by adolf · · Score: 5, Informative

      A. Is your password "admin," "root," "password," or some other such simplistic shit? Can you log into it remotely? If so, you're vulnerable.
      B. Does SSH still connect? Can you get to your router's web page? If so, it's not infected.
      C. It's a router, not something of any great intrinsic value. Nuke the firmware and start over. (Reset, boot_wait, JTAG - lots of ways to nuke a new firmware into these things without having network access to them. Listed previously are some good terms to Google for.)

      I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

      On the other hand: The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.
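      The check in the two replies above (snowraver1's list of the DROP rules the worm adds, and adolf's "does SSH still connect?") as a script you can run on the router against `iptables-save` output. This is an added example, not from the thread or the DroneBL write-up: the listing it parses is a constructed iptables-save sample that includes the three DROP rules quoted above, and the script assumes a POSIX sh with grep -E, wc and tr, as BusyBox provides.

```shell
#!/bin/sh
# Added example (not from the thread): report INPUT rules that DROP TCP traffic to
# the router's own admin ports (22 ssh, 23 telnet, 80 web), which is how the worm
# locks the owner out. On a live router, source this file and run:
#   iptables-save | check_admin_lockout

# Constructed iptables-save listing: a LAN-only web rule plus the three DROP rules
# quoted in the comment above.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -i br0 -o vlan1 -j ACCEPT
COMMIT'

# Ports whose loss of reachability means you are locked out of management.
ADMIN_PORTS='22|23|80'

# Read iptables-save output on stdin; print each INPUT rule that drops an admin port.
# A legitimate LAN-only setup restricts by interface (-i br0 ... ACCEPT) and has no
# need for a bare DROP on these ports, so any hit deserves a look.
check_admin_lockout() {
    grep -E "^-A INPUT .*-p tcp .*--dport ($ADMIN_PORTS) .*-j DROP"
}

# Number of such rules; 0 means the admin ports are not being blocked.
count_admin_lockout() { check_admin_lockout | wc -l | tr -d ' '; }

# Run against the constructed sample when executed directly.
echo "suspicious admin-port DROP rules in the sample:"
printf '%s\n' "$SAMPLE_RULES" | check_admin_lockout
```

      If the script finds rules like these and you did not add them yourself, the replies above give the recovery path: reflash the firmware rather than try to clean it, then bring the device back with remote administration off and a password that is not a dictionary word.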

    2. Re:What to do about it? by John+Hasler · · Score: 5, Funny

      > ...the default configuration doesn't allow remote access from the Internet at all.

      True. The crackers have to use the bot that controls his pc and the default password that he didn't change.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:What to do about it? by seanadams.com · · Score: 5, Insightful

      The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.

      But it does allow access from the LAN side, so all that takes is one owned client connecting to that AP. It could even spread via laptops physically roaming to different hotspots (maybe not AT&T etc, but think of an independent coffee shop owner who should not have to be a networking guru).

      Routers seem like a nice prize indeed. Always connected and on a public IP, and there's millions of them! I'm surprised it's taken this long.

      It's hard enough for most people to just hook one of these up, much less wipe a rootkit from it.

    4. Re:What to do about it? by chill · · Score: 5, Interesting

      I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

      Really?

      1. The article claims between 80,000 - 100,000 infected routers.
      2. Neither DD-WRT nor OpenWRT allow connections from the outside world by default.
      3. The worm brute-forces passwords.

      From this we can conclude that there are at least 80-100K geeks who opened their connections to the outside world and used weak passwords. This does not sound like people with a "pretty good clue" to me.

      --
      Learning HOW to think is more important than learning WHAT to think.
    5. Re:What to do about it? by nenolod · · Score: 2, Informative

      Actually, the worm also exploits some vulnerabilities in the HTTP servers in some of these models.

    6. Re:What to do about it? by Repton · · Score: 2, Interesting

      I recall reading a while ago about a javascript exploit that would attempt to log in to your router using the default admin login/password. It had a list of a few hundred different defaults to try. If it got in, it would mess with your DNS.

      I'm not sure what came of that..

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
    7. Re:What to do about it? by totally+bogus+dude · · Score: 2, Informative

      I use pwgen for pretty much all my passwords. It has some nice options to restrict/expand the allowed set of characters, and should be a standard installable package on most distros.

      Its main advantage is that it creates passwords with a mix of vowels and consonants so you get an almost word-like password. If creating a password I'll need to remember, I usually set it to create 10 or 20 and skim through for something that seems memorable to me. If creating passwords for services that I just need to enter somewhere, I'll create a 20+ character password including punctuation (-y) and make it completely random (-s), then just copy and paste.

    8. Re:What to do about it? by Randall311 · · Score: 2, Informative

      If your username and password are "admin", then you're deservedly fucked.

    9. Re:What to do about it? by Otto · · Score: 2, Informative

      On the other hand: The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.

      Many Linksys routers, to pick an example, run on top of a Linux even with their default firmware. And many (most?) of these firmwares have had known vulnerabilities that give you enough to get a shell out of it. Google "Linksys ping hack" if you want to see a truly devastating back door.

      On top of that, many of these had remote access bugs. I recall one where, if you knew the right URL to hit, you could make the router execute your commands even though remote access had been disabled. All disabling it really did was not make the web pages show up on remote connections. The POST requests from the forms on them still, stupidly, went through.

      Most of these problems have been patched, but how many people have never updated their router firmware? I'll bet you it's a lot. And every one of those could be hit with a not-even-that-hard-to-write worm.

      In this case, the guy doesn't seem all that malicious, maybe. Especially since he's only storing the exploit script in the tmp directory. He could have just as easily stuck it in the flash memory and made it quite well hidden indeed.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  5. Easy fix by Anonymous Coward · · Score: 5, Funny

    Not a big deal, you can just:

    ssh to your router
    ifconfig eth0 down

    All fixed, not vulnerable anymore.

  6. Re:Hackers. by palegray.net · · Score: 2, Funny

    That's like saying CiCi's Pizza is the best dining experience of all time. It's not really pizza, but it is edible...

  7. Scary Targets... by IonOtter · · Score: 3, Insightful

    Okay, now this is scary.

    Folks having OpenWRT/DD-WRT are usually a bit more savvy than the average user, so to see something specifically targeting such users is surprising.

    And the fact it's gone this long without being noticed is even MORE frightening.

    --
    [End Of Line]
    1. Re:Scary Targets... by pushing-robot · · Score: 2

      If you let anyone on the internet ssh into your linux boxes, and your root password is "admin" or somesuch, why is it surprising that someone will eventually exploit you?

      This virus does not target "savvy users". Like most viruses, it targets idiots.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:Scary Targets... by Techman83 · · Score: 5, Insightful
      TFA:

      any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).

      Anyone Savvy enough to want to run OpenWRT/DD-WRT should hopefully be savvy enough to have a decent password. I'm guessing by DMZ it means open slather access to the device. Open Slather + Weak Password = Your Own Stupidity

      --
      # cat /dev/mem | strings | grep -i cat
      Damn, my RAM is full of cats. MEOW!!
    3. Re:Scary Targets... by Microlith · · Score: 2, Informative

      DMZ = All ports not forwarded to other machines are routed to the IP specified as the "DMZ" IP.

      So what we have is not simply routers getting attacked, but actual machines that are completely unprotected.

    4. Re:Scary Targets... by The+Hooloovoo · · Score: 2, Interesting

      You'd be surprised. It's easy enough for someone with just a bit of knowledge to read an article that raves about custom firmware, download said firmware, and flash the router. Plus, DD-WRT is configured rather poorly by default (doesn't everyone want telnet?) and is vulnerable to a rather elementary XSS exploit.

      The XSS exploit can be prevented by logging out of the router when you're done, but here's the catch -- DD-WRT provides no logout button/link/etc. I recall someone suggesting it on the mailing list, and it earned them a good-ol' fanboy flaming. The solution, of course, is to close your browser -- but again, there are plenty of users out there who don't know that.

  8. Preventative workaround by XanC · · Score: 2, Informative

    Configure the device for IPv6, over a tunnel or whatever. The worm blocks your control ports using iptables, but not apparently ip6tables.

    1. Re:Preventative workaround by ristretto_dreams · · Score: 3, Informative

      errr, yeah, if you want to kill an ant with a nuke.

      Or just change your password from the default and set ssh/web/telnet administration to local segment only.

      Did you read the article?

  9. Admin interface open on the WAN side? by Mondo1287 · · Score: 5, Interesting

    Who has their router set to allow access to the admin interface from the wan side? This is certainly not done by default. Is there some sort of browser hijack involved with this to gain access to the inside of the network?

    1. Re:Admin interface open on the WAN side? by itzfritz · · Score: 2, Informative

      It's necessarily being exploited from the WAN; I've seen PoC code that, guessing the gateway's internal IP (typically 192.168.1.1, class C), uses JavaScript or HTML trickery to attempt a GET request that modifies that router's config. E.g., on some webpage: `<img src='192.168.1.1/allow-external-connections.cgi'>`. You get the idea. Don't remember where I saw it, maybe ha.ckers/sla.ckers.org.

    2. Re:Admin interface open on the WAN side? by Mr_Whoopass · · Score: 2, Interesting

      Who has their router set to allow access to the admin interface from the wan side?

      Me. I use Tomato so that I can log in remotely from work and then use WoL to boot my computer, server and NAS remotely in order to access any files I might need but it still allows me to shut my machines down when not needed in order to keep my electricity bill low.

      I do however use an 18 digit password that uses mixed-case, numbers and special characters to make the likelihood of a brute force attack being successful to almost nil. I also regularly change my passwords which I know (having been in the IT field for 10 years) that most people do not.

      It all comes down to using tried and true security practices in my opinion. If you use simple common sense you can avoid most of these issues outright.

      1) Use long passwords with mixed case, numbers and special characters.
      2) Change those passwords regularly.
      3) Do not use the same password for different site logins.
      4) Keep your router firmware up to date (though that would not have helped in this particular case apparently).
      5) I would also add that you stay away from installing applications not obtained directly from the software vendor that wrote them (read warez). You have no idea what that copy of Windows XP Super-Ultimate Gold might be installing in addition.
      6) Stay away from websites that are heavily laden with nefarious advertising such as porn, etc.

      Common sense really.

    3. Re:Admin interface open on the WAN side? by Tony+Hoyle · · Score: 2, Interesting

      You don't need external router access for that. Set up a port that, when given a specific string like 'wakeup', automatically sends a WOL to the computer and does nothing else. Worst a hacker can do then is wake your computer up.
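      A concrete version of the single-purpose wake port described above, added here as an example rather than taken from the thread: a listener that reads one line per connection, sends a Wake-on-LAN packet to one fixed MAC only if that line is exactly the expected token, and otherwise logs and ignores it. The token, MAC and broadcast address are constructed placeholders; `wol` is the wakeonlan tool PReDiToR invokes earlier in the thread and is assumed to be installed, and `nc -l -p` is the BusyBox netcat syntax assumed to be on the router.

```shell
#!/bin/sh
# Added example (not from the thread): a wake-only listener. It reads one line per
# connection and the only thing it can ever do is send a WoL packet to one fixed
# MAC; the received text is compared, never executed.
WAKE_TOKEN='wakeup'                 # placeholder; use a long random string in practice
TARGET_MAC='00:11:22:33:44:55'      # placeholder MAC of the machine to wake
BROADCAST='192.168.0.255'           # placeholder LAN broadcast address
WOL_CMD=${WOL_CMD:-/usr/sbin/wol}   # assumed wol tool; overridable for testing

# True only for an exact, case-sensitive match of the whole line.
is_wake_request() {   # usage: is_wake_request <line>
    [ "$1" = "$WAKE_TOKEN" ]
}

# Handle one received line. Returns 0 when a wake packet was sent, 1 otherwise.
# Unexpected input is logged with non-alphanumerics masked, so a hostile string
# cannot smuggle control characters into the log.
handle_line() {   # usage: handle_line <line>
    if is_wake_request "$1"; then
        "$WOL_CMD" -i "$BROADCAST" "$TARGET_MAC"
        return 0
    fi
    masked=$(printf '%s' "$1" | tr -c 'A-Za-z0-9 ' '?')
    logger -t wakeport "ignored request: $masked" 2>/dev/null || true
    return 1
}

# Accept one connection at a time on the given port, take the first line only
# (stripping a telnet-style CR), and hand it to handle_line. Forward a non-standard
# WAN port to this one; nothing else on the router needs to be reachable for remote wake-up.
serve() {   # usage: serve <port>
    while :; do
        nc -l -p "$1" 2>/dev/null | head -n 1 | {
            IFS= read -r line || line=""
            line=$(printf '%s' "$line" | tr -d '\r')
            handle_line "$line" || true
        }
    done
}
```

      The point of the design is the narrow interface: the worst outcome of a guessed or sniffed token is one wake-up of a machine that was already meant to be reachable, and there is no password, shell or config page behind the port to brute-force.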

  10. Re:How Can I Determine If My D-Link Router is Linu by The_PHP_Jedi · · Score: 5, Informative

    The subject text box isn't the "write-the-beginning-of-the-message-until-space-runs-out-and-then-use-the-big-textarea-under-it" field. The big textarea under it is there for a clear reason.

    Just sayin'.

  11. Needs more detail by lordtoran · · Score: 5, Interesting

    Ok, TFA states

    Get a shell on the vulnerable device (methods vary).

    How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.

    The article doesn't go into the essential details, so I call FUD until proven otherwise.

    --
    Want to hear the voice of GOD? cat /boot/vmlinuz > /dev/dsp
    1. Re:Needs more detail by Krizdo4 · · Score: 2, Informative

      Ok, TFA states

      Get a shell on the vulnerable device (methods vary).

      How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.

      The article doesn't go into the essential details, so I call FUD until proven otherwise.

      From the article:

      any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).

      Telnet is used at least on OpenWRT after you first flash it but before you set a root password.

      No consumer router I've used blocked repeated failed password attempts by default.

      A bug in the web interface for the default Linksys allowed people to load the OpenWrt by sending shell commands to turn on boot wait. Just do the same but insert malicious shell code instead with the default password.

    2. Re:Needs more detail by pushing-robot · · Score: 5, Insightful

      1. Be granted root access to the vulnerable device.

      2. Do something nasty.

      describes 99% of *nix (Linux, BSD, OS X) "exploits" I've seen.

      Some of it is intentional FUD, but it's still a good example of why users should be forced to learn exactly what programs are allowed to do with user and root/admin privileges.

      Most folks still think of programs the way they think of physical gadgets. Users don't understand privileges, and assume that programs are by nature isolated from each other, the operating system, and the user's personal files.

      It doesn't occur to them that a malfunctioning toaster could suddenly delete their car.

      --
      How can I believe you when you tell me what I don't want to hear?
    3. Re:Needs more detail by againjj · · Score: 2, Interesting

      It doesn't occur to them that a malfunctioning toaster could suddenly delete their car.

      That is an incredibly insightful comment. That makes so clear what it is that people do not get about computers. This implies that sandboxing needs to be taken to the next level. A VM for every app, perhaps?

  12. Old news to me by GaryOlson · · Score: 3, Insightful

    I commented on this exact subject about 18 months ago. Amused to see the security industry finally catching up.

    --
    Every mans' island needs an ocean; choose your ocean carefully.
    1. Re:Old news to me by GaryOlson · · Score: 2, Informative

      Yes, I had complex and increasingly long passwords set -- the last password was 22 characters long with mixed case and special characters. And, configuring the router from the WAN was disabled.

      --
      Every mans' island needs an ocean; choose your ocean carefully.
  13. Re:Hackers. by houstonbofh · · Score: 2, Insightful

    That's like saying CiCi's Pizza is the best dining experience of all time. It's not really pizza, but it is edible...

    Sex is like pizza... Even when it is bad, it's still pizza.

  14. And you really needed to... by m6ack · · Score: 4, Interesting

    ... administer your home router over the Internet? Who does that? If you don't have an open port, even on these boxen, how could you be attacked?

    But, it seems to me that this is more likely an attack on stock Linksys boxen that re-flashes with a special DD-WRT designed to "phone home." Yes, DD-WRT/OpenWRT are also vulnerable if they have weak passwords, but the bulk is more likely the former.

    (Disclaimer: My home router runs HyperWRT & is not listed in DroneBL.)

  15. OpenWRT/DD-WRT devices all appear to be vulnerable by xmff · · Score: 5, Insightful

    How so? At least on OpenWrt, SSH and Webif aren't even exposed to the wan side without manually changing the iptables rules first.

    I guess it's the same on DD-Wrt.

    The devices that were targeted appear to have some serious flaws, here's a cite from an analysis of the malware:

    "Several revisions of the NB5 modem shipped with a flaw which meant that the web configuration interface was visible from the WAN side, accepting connections and allowing users to administer the modem using the default username and password of 'admin' from outside the LAN. Furthermore, some of these modems suffered from another flaw, meaning that by default, authentication was not enabled for the web interface - meaning no username or password was required."

    It really boils down to the usual find-weak-logins style of attacks, only the target platform has changed.

  16. Re:private/public keys by tobiasly · · Score: 2, Insightful

    The commercial routers don't have this option. Um like D-link, Linksys, etc. Unfortunately they are the majority of home/small enterprise routers. But this would be the trick to use.

    Except anyone who's knowledgeable enough to set up a private/public key based ssh server on their router would have ditched that crippled factory default firmware in the first place and installed something more advanced like Tomato, which does have this feature.

  17. Wait Till They Get Verizon Routers Rooted by darkmeridian · · Score: 3, Informative

    The modem/router that Verizon provided for their DSL service had the firmware remotely upgraded. There is no way to avoid these updates. I hope it is secure. If someone roots that process, it will be the mother of all DDOS attacks.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
    1. Re:Wait Till They Get Verizon Routers Rooted by Lumpy · · Score: 2, Interesting

      Really? You can't avoid that update?

      Why was I able to turn it off along with disabling the crappy "router" function in the westell modems?

      You CAN avoid it; you have to know what you are doing.

      --
      Do not look at laser with remaining good eye.
  18. Re:Hackers. by c_forq · · Score: 2, Interesting

    I'm going out on a limb and saying it probably did. I know the mangos and bananas in South East Asia taste way different than the mangos and bananas in America. I would expect the common corns are different too.

    --
    Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
  19. Re:Hackers. by Anonymous Coward · · Score: 3, Funny

    You see, corn was very important in Japanese culture as it was originally from Japan, although an American Indian raid stole all plants and took them to America.
    However, after they met Americans which are greasy and yellowy white just like popcorn, they stopped eating it altogether.
    They put it over pizza so that the Yakuza can torture its victims. Japanese people are so scared of becoming fat like Americans that they would rather commit Hairy Curry also known as Sailor Fuku than eating corn pizza.

  20. Re:Hackers. by palegray.net · · Score: 2, Funny

    they would rather commit Hairy Curry also known as Sailor Fuku than eating corn pizza.

    I don't even know where to begin on this one...

  21. Re:Hackers. by turing_m · · Score: 5, Funny

    Sex is like pizza... Even when it is bad, it's still pizza.

    The difference is... when you get desperate enough to eat disgustingly bad pizza, your friends won't bring it up for the next ten years at every possible occasion.

    --
    If I have seen further it is by stealing the Intellectual Property of giants.
  22. I predicted this a few years ago by wertarbyte · · Score: 2, Interesting

    While playing around with the fonera routers I already predicted issues like this: http://stefans.datenbruch.de/lafonera/whywedidit.shtml Consumer routers without decent firmware support are an even greater risk than unpatched windows systems; while access to the latter will probably be noticed, the profile of a hijacked router stays low to its owner.

    --
    Life is just nature's way of keeping meat fresh.
  23. Re:Is my ass hanging in the wind? by Dreadneck · · Score: 2, Funny

    Apologies. I spent the last few years building up an immunity to iocane powder.

    --
    Power does not corrupt - power attracts the corrupt.
  24. Re:OpenWRT/DD-WRT devices all appear to be vulnera by Otto · · Score: 2, Insightful

    There's lots of ways to exploit cheapo home routers, whether they're running custom firmware or stock stuff.

    - Linksys firmwares have had shell execution vulnerabilities (that's how it was originally discovered that they were running Linux in the first place) as well as remote access vulnerabilities (where turning it off didn't actually work), among others.
    - Many of the custom firmwares (DD-WRT in particular) are vulnerable to rather trivial XSS attacks. Yes, visit the wrong webpage with malicious javascript and your router can get owned.
    - Not to mention the large number of routers with default passwords out there...

    A mildly clever script could gain a large foothold quite fast, without even having to resort to password guessing.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  25. Re:Hackers. by machine321 · · Score: 4, Funny

    Some sex crust is so bad it's inedible too.

  26. Re:Hackers. by Hatta · · Score: 2, Funny

    You're not supposed to eat the handle.

    --
    Give me Classic Slashdot or give me death!
  27. So, block IRC at all firewalls by Antique+Geekmeister · · Score: 2, Insightful

    This is not just flamebait, but a serious policy: IRC has been a popular protocol for years, but with the advent of more secure and less abused protocols, there is no modern excuse for permitting IRC through any network or system firewalls. That helps cut the painful-to-monitor control channel.

    In fact, most corporate and institutional firewalls should only allow a few registered and useful protocols through their breaches, such as HTTP, HTTPS, SMTP, and SSH, and even those can often be funneled to a small set of securable servers. Yes, it interferes with the random-service-of-the-moment that some folks demand as their right. If they want such rights, they can pay the cost of running a host isolated by more secure firewalls and software management, outside the more trusted internal environment: folks should not expect both easy sharing of resources, and external access.

    1. Re:So, block IRC at all firewalls by Tony+Hoyle · · Score: 2, Insightful

      IRC is not inherently insecure (or secure.. it's just a chat protocol), and is a popular means of talking with other admins for example. I use it for development purposes every day.

      There's absolutely nothing to stop $virus_of_the_week using port 80 instead of port 6667. You're solving nothing by blocking a port like that.

  28. Re:Hackers. by laejoh · · Score: 3, Interesting

    That's what she said :(

  29. Stop making sense. by Medievalist · · Score: 2, Insightful

    Wouldn't it be substantially easier to just set a really strong SSH password and use key-based auth if you need to configure your router remotely?

    You're interrupting the flow of this conversation.

    You may need to down a few pints before posting in this topic. Or at least this particular thread.

  30. Re:Hackers. by Patch86 · · Score: 2, Funny

    When you eat a really bad pizza, you can only really bring it up the once...