
Blocking spyware and malware generated traffic on the network

Discussion in 'Tomato Firmware' started by onehomelist, Mar 22, 2010.

  1. onehomelist

    onehomelist Addicted to LI Member

    In my network there are many infected PCs, which generate a lot of traffic on all the ports. A few PCs were infected with the Security Tool malware, and they choked up all the upload bandwidth. I am using the OpenDNS malware blocking tools, but the infected PCs use IP addresses to send data, and OpenDNS can only block traffic if a domain name is used. Is there a script which will work like the adblock tool but with the capability of blocking blacklisted spyware and malware IPs on my Tomato-flashed Asus RT-N16?
     
  2. humba

    humba Network Guru Member

    Why not simply lock out the MAC address of those boxes until the owners prove to you that they've taken the appropriate measures? I know local ISPs around these parts take that measure (after first sending a warning letter via mail) - and while I'm vehemently opposed to three strikes and such, this looks like a reasonable measure.

    You can easily block IP targets using iptables: add a few iptables commands to block different addresses/ports to the WAN Up script and you can achieve your goal. But essentially you're combating symptoms, not the root cause of the problem.
     
  3. onehomelist

    onehomelist Addicted to LI Member

    If I install the clamav optware package, will it be able to block the connections that spyware and malware use? Or is there any application that can analyse logs from the router to report on spyware and malware activity? Many hijacked clients use port 25 to send spam out of my network. As no one in my network uses port 25 to send mail, can anyone give me a script to block that port on my router?
     
  4. rhester72

    rhester72 Network Guru Member

    clamav is a traditional virus scanner only. It is not real-time and it does not block connections.

    The below will log any attempts to connect to outbound port 25 and block the attempts.

    Scripts/Firewall:

    iptables -A wanout -p tcp --dport 25 -j LOG
    iptables -A wanout -p tcp --dport 25 -j DROP

    Rodney
     
  5. Toastman

    Toastman Super Moderator Staff Member Member

    The most common problem in my networks is port 25 mail spamming. I deal with it by limiting the number of concurrent SMTP sessions to 5 or 10, since I can't stop people using mail.

    The majority of people who have infected machines seem to be using NOD32 antivirus software.
     
  6. Porter

    Porter LI Guru Member

    I'd actually go with humba's advice. Install something like a MAC whitelist. Once there is no internet for people without decent antivirus and antispam software they will be cooperative.

    Trying to implement this on your router has too many side effects or doesn't work at all, because traffic analysis might need a lot of resources.
     
  7. onehomelist

    onehomelist Addicted to LI Member

    The Untangle site says that clamav is effective in detecting spyware: http://www.untangle.com/spyware-blocker

    My network is a small business network, so all the clients must get internet access (so MAC blocking won't be a solution). If any spyware or virus activity is reported it'll be dealt with by our IT department. But until the PCs are cleaned, to free the bandwidth hijacked by spyware, I wanted to have a quick solution or some system which'll inform me about such network infections.
     
  8. onehomelist

    onehomelist Addicted to LI Member

    The easiest workaround would be to have a firewall script (like the adblock script) which'll load blacklisted entries from an online database or text file, and the firewall would block such IPs.

    The major issue I face is that my users use flash drives a lot, so many of those drives are infected with worms.

    I use OpenDNS and it always reports botnet and spyware activity on my network.
     
  9. onehomelist

    onehomelist Addicted to LI Member

    How to know which client uses the highest bandwidth

    Thanks rhester72 for the script. It worked, nothing goes out of port 25 now.

    If I want to add more ports to the script can I add them by using comma, or should I create a new script for each port?

    Is there any way to know which client on the LAN uses highest bandwidth, or the client which shows up extremely high activity?
     
  10. rhester72

    rhester72 Network Guru Member

    Example of multiple ports:

    iptables -A wanout -p tcp -m mport --dports 25,465 -j LOG
    iptables -A wanout -p tcp -m mport --dports 25,465 -j DROP

    Rodney
     
  11. onehomelist

    onehomelist Addicted to LI Member

    Thanks rhester72.

    Here is a script that I got on some website which described it as a complete BitTorrent blocking script. It didn't work for me. I don't know much about iptables. I wanted to know whether the script can do what it says.

    Code:
    # Path to the iptables binary; the posted script assumed $IPTABLES was already set
    IPTABLES=iptables
    # String match using the Boyer-Moore algorithm
    $IPTABLES -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
    $IPTABLES -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
    $IPTABLES -A FORWARD -m string --algo bm --string "peer_id=" -j DROP
    $IPTABLES -A FORWARD -m string --algo bm --string ".torrent" -j DROP
    $IPTABLES -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
    $IPTABLES -A FORWARD -m string --algo bm --string "torrent" -j DROP
    $IPTABLES -A FORWARD -m string --algo bm --string "announce" -j DROP
    $IPTABLES -A FORWARD -m string --algo bm --string "info_hash" -j DROP
    $IPTABLES -A FORWARD -m string --algo bm --string "/default.ida?" -j DROP  # Code Red virus
    $IPTABLES -A FORWARD -m string --algo bm --string ".exe?/c+dir" -j DROP  # Nimda virus
    $IPTABLES -A FORWARD -m string --algo bm --string ".exe?/c_tftp" -j DROP  # Nimda virus
    # BitTorrent keywords, Knuth-Morris-Pratt algorithm, searching the whole packet (--to 65535)
    $IPTABLES -A FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j DROP
    $IPTABLES -A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
    $IPTABLES -A FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
    $IPTABLES -A FORWARD -m string --string "bittorrent-announce" --algo kmp --to 65535 -j DROP
    $IPTABLES -A FORWARD -m string --string "announce.php?passkey=" --algo kmp --to 65535 -j DROP
    # DHT keywords
    $IPTABLES -A FORWARD -m string --string "info_hash" --algo kmp --to 65535 -j DROP
    $IPTABLES -A FORWARD -m string --string "get_peers" --algo kmp --to 65535 -j DROP
    $IPTABLES -A FORWARD -m string --string "announce" --algo kmp --to 65535 -j DROP
    $IPTABLES -A FORWARD -m string --string "announce_peers" --algo kmp --to 65535 -j DROP
     
  12. mstombs

    mstombs Network Guru Member

    Can't comment on the details, but use the wanout chain as before, not FORWARD, to make sure the rules are checked at the correct point.
     
  13. rhester72

    rhester72 Network Guru Member

    onehomelist,

    Almost certainly not. Encrypted streams (and they virtually all are these days) can't be parsed by the router.

    Rodney
     
  14. onehomelist

    onehomelist Addicted to LI Member

    My router always shows more than 65% unclassified traffic. Almost all of it shows destination port 445. I use a 255.255.0.0 subnet. Most of the time the destination IP will have the prefix 192, but none of those destination IP addresses belong to clients on my local network. For example, I have clients which are assigned IPs up to 192.168.5.X, but the destination IPs shown in the log will be 192.168.134.X etc.

    Code:
    Apr 10 11:40:07 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.59.67 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42093 DF PROTO=TCP SPT=22952 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:07 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.130.134 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42094 DF PROTO=TCP SPT=22958 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:07 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.130.135 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42095 DF PROTO=TCP SPT=22959 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:07 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.59.68 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42096 DF PROTO=TCP SPT=22953 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:07 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.130.136 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42097 DF PROTO=TCP SPT=22960 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:07 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.1.53 DST=220.158.44.184 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=44120 DF PROTO=TCP SPT=5056 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.97.241.93 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28806 DF PROTO=TCP SPT=4609 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.217.180.154 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28807 DF PROTO=TCP SPT=4610 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.130.137 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42098 DF PROTO=TCP SPT=22961 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.60.90.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28808 DF PROTO=TCP SPT=4612 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.81.121.215 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28809 DF PROTO=TCP SPT=4611 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.180.30.112 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28810 DF PROTO=TCP SPT=4613 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.24.67.135 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28817 DF PROTO=TCP SPT=4617 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.124.104.158 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28818 DF PROTO=TCP SPT=4618 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.8.203.0 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28824 DF PROTO=TCP SPT=4621 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown daemon.info dnsmasq-dhcp[569]: DHCPINFORM(br0) 192.168.4.132 00:1f:3c:68:df:44 
    Apr 10 11:40:08 unknown daemon.info dnsmasq-dhcp[569]: DHCPACK(br0) 192.168.4.132 00:1f:3c:68:df:44 toshiba-PC
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.108.240.23 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28828 DF PROTO=TCP SPT=4624 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.172.254.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28832 DF PROTO=TCP SPT=4631 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.36.194.64 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28833 DF PROTO=TCP SPT=4632 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.156.134.125 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28838 DF PROTO=TCP SPT=4633 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.16.35.27 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28839 DF PROTO=TCP SPT=4634 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.130.138 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42101 DF PROTO=TCP SPT=22963 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.130.131 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42104 DF PROTO=TCP SPT=22955 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    Apr 10 11:40:09 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.130.132 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42105 DF PROTO=TCP SPT=22956 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
    
     
  15. mstombs

    mstombs Network Guru Member

    TCP port 445 is officially used for Microsoft Active Directory / SMB file sharing. The IP address ranges

    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255

    are local IP address ranges which shouldn't be used across the Internet. There was a recent thread that pointed out they are not blocked by default - possibly because some ISPs may use them for some types of connection?

    Is it possible some users have corporate laptops that are set to communicate with corporate servers when connected by VPN or alternative, and when not tunnelled the PCs are continuously trying to connect?
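    A small parser for the Tomato iptables LOG lines shown above (an added example, not code from the thread) that answers the earlier question of which LAN client generates the most logged outbound connection attempts and applies the RFC 1918 check from this post: it tallies attempts, distinct destinations and protocol/port per source, counts destinations in private address space, and flags hosts whose every attempt goes to a new destination on the same port, the pattern of a worm scanning. The WAN interface name vlan2 is taken from the log; the sample lines are copied from the log above except the 192.168.134.7 destination, which is constructed to match the poster's description.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Sample in the format of the thread's kernel LOG lines; the 192.168.134.7 destination is constructed
SAMPLE_LOG = """\
Apr 10 11:40:07 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.59.67 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42093 DF PROTO=TCP SPT=22952 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 10 11:40:07 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.130.134 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42094 DF PROTO=TCP SPT=22958 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 10 11:40:07 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.191 DST=220.227.130.135 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42095 DF PROTO=TCP SPT=22959 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.97.241.93 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28806 DF PROTO=TCP SPT=4609 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 10 11:40:08 unknown user.warn kernel: IN=br0 OUT=vlan2 SRC=192.168.5.197 DST=192.168.134.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28807 DF PROTO=TCP SPT=4610 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 10 11:40:08 unknown daemon.info dnsmasq-dhcp[569]: DHCPACK(br0) 192.168.4.132 00:1f:3c:68:df:44 toshiba-PC
""".splitlines()
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_kernel_log(line):
    """Return the key=value fields of an iptables LOG line, or None for other syslog lines."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("kernel:", 1)[1]))

def summarize(lines, wan_if="vlan2"):
    """Per LAN source: attempts, distinct destinations, protocol/port mix, and RFC 1918 destinations."""
    stats = defaultdict(lambda: {"attempts": 0, "dsts": set(), "ports": Counter(), "private_dst": 0})
    for line in lines:
        f = parse_kernel_log(line)
        if f is None or f.get("OUT") != wan_if:   # only LAN -> WAN traffic
            continue
        s = stats[f["SRC"]]
        s["attempts"] += 1
        s["dsts"].add(f["DST"])
        s["ports"][f["PROTO"] + "/" + f.get("DPT", "?")] += 1
        # 192.x.x.x is only private within 192.168.0.0/16; 192.97.241.93 is a public address
        s["private_dst"] += int(ip_address(f["DST"]).is_private)
    return dict(stats)

def top_talkers(stats, n=3):
    """Sources ranked by logged connection attempts: the hosts to inspect first."""
    return sorted(stats, key=lambda src: stats[src]["attempts"], reverse=True)[:n]

def scanner_like(stats, min_attempts=3):
    """Hosts hitting a new destination on one protocol/port with every attempt behave like a scanning worm."""
    return [src for src, s in stats.items()
            if s["attempts"] >= min_attempts and len(s["dsts"]) == s["attempts"] and len(s["ports"]) == 1]

if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    for src in top_talkers(st):
        s = st[src]
        print(src, s["attempts"], "attempts to", len(s["dsts"]), "hosts", dict(s["ports"]), "private:", s["private_dst"])
    print("scanner-like hosts:", scanner_like(st))
```

    On the router itself the same counting can be fed from the syslog buffer (logread) piped to a host that runs this script.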
     
  16. Toastman

    Toastman Super Moderator Staff Member Member

    I get quite a lot of this on my networks. Eventually the users come to me because they can't get an IP address from the router, and I usually find that their university or office has set them up with a fixed IP, something like mstombs suggests. Some very weird things happen on occasion. We have a lot of visible proxies here just before the international internet gateways, blocking many websites; they seem to use 10.0.0.0.
     
  17. onehomelist

    onehomelist Addicted to LI Member

    The log I had posted above was taken after I had blocked port 445 with the script provided by rhester72.

    Code:
    iptables -A wanout -p tcp -m mport --dports 25,445 -j DROP
    But traffic still goes out on port 445, so it means that the protocol used is UDP.

    The script for blocking BitTorrent that I had posted above doesn't work, even after I used the wanout chain instead of FORWARD. I use the OpenDNS service to block P2P sites and trackers, so the BitTorrent client shows a 404 error while connecting to trackers. But DHT doesn't get blocked. If there is any way to block DHT, then BitTorrent can be completely blocked. Any suggestions for blocking DHT?
     
  18. onehomelist

    onehomelist Addicted to LI Member

    For this script to work on Tomato I need to load the 'string match module'. I downloaded the beta 11 (MIPS2) source code and looked into the kernel configuration (menuconfig), and I found that the string match module has been enabled, but I couldn't find it in the firmware directory /lib/modules/2.6.22/... on the router, while I was able to find all the other modules that were also enabled in the source code. In kernel 2.4 it was named 'ipt_string.ko' and in kernel 2.6 it's named 'xt_string.ko'.
     
