On Thu, 12 Apr 2001 12:48:24 +0200, you wrote:
> According to simovits.com most trojans use TCP and some little UDP. Needless to say that UDP in most cases can be blocked totally. But how would you try to stop trojan communication if they used your most used hi-ports, let's say 25000-30000 for example? If you block these ports e.g. with ipchains, your clients are not able to communicate anymore to the outside world. If you block TCP SYN from the Internet to the internal net according to Markus Gaugusch, your chances depend on how the specific TCP trojan syncs: from client to server, or server to client respectively. What would you do?
I think it's impossible to protect against all types of trojans. Client-to-server trojans are difficult (if not impossible) to block if you still want to use your computer for web browsing and/or other client applications. If I were a trojan maker I'd make my trojan use the client (victim) to server (attacker) method using port 80 as destination port (the chances this port is allowed are high). This would work in 99.9% of cases including firewalled environments. I cannot figure out a way to block this type of attack *without* breaking normal client functionality.

The only way to block (quite) all of these attacks would be to filter *all* client activity and let outgoing packets go by if and only if they match a previously established connection. Here is where stateful inspection becomes useful. But it's still impossible to achieve general trojaning protection without breaking client functionality, as I said.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
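The two policies the thread contrasts, a blanket ipchains-style block on the 25000-30000 port range versus stateful inspection that only admits inbound packets matching a connection the inside opened, can be simulated on a small packet trace. The following is an added example, not code from the thread or from either poster; the addresses, ports and packet labels are constructed, and the connection-tracking table is a deliberately minimal stand-in for what a real stateful firewall keeps. It shows why the port block breaks ordinary browsing (the browser's ephemeral source port lands in the range), why stateful inspection drops an unsolicited inbound SYN to a high port, and why it cannot tell a browser's outbound SYN to port 80 from any other local process's, which is exactly the gap the reply describes.

```python
"""Added example (not from the thread): stateless port block vs. stateful
inspection, applied to a constructed packet trace. All addresses and ports
are made up for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    label: str        # what this packet represents in the trace
    direction: str    # "out" = internal host -> Internet, "in" = Internet -> internal host
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


HI_PORTS = range(25000, 30001)   # the "most used hi-ports" from the question


# Constructed trace: internal host 10.0.0.5 sits behind the firewall.
TRACE: List[Packet] = [
    # a normal web request whose ephemeral source port happens to fall in HI_PORTS
    Packet("browser SYN to web server",    "out", "10.0.0.5", 27000, "198.51.100.10", 80, "S"),
    Packet("web server SYN/ACK reply",     "in",  "198.51.100.10", 80, "10.0.0.5", 27000, "SA"),
    Packet("browser ACK",                  "out", "10.0.0.5", 27000, "198.51.100.10", 80, "A"),
    # unsolicited inbound connection attempt to a high port (server-to-client pattern)
    Packet("unsolicited inbound SYN",      "in",  "203.0.113.7", 4444, "10.0.0.5", 27001, "S"),
    # another local process opening an outbound connection to port 80 (client-to-server pattern)
    Packet("other process SYN to port 80", "out", "10.0.0.5", 27002, "203.0.113.7", 80, "S"),
]


def stateless_port_block(pkt: Packet) -> bool:
    """ipchains-style rule: drop anything touching HI_PORTS at either end, in any direction."""
    return pkt.sport not in HI_PORTS and pkt.dport not in HI_PORTS


class StatefulInspection:
    """Allow all outbound traffic; allow inbound only if it matches a connection
    the inside previously initiated (a minimal connection-tracking table)."""

    def __init__(self) -> None:
        # entries: (internal_ip, internal_port, external_ip, external_port)
        self.table = set()

    def __call__(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if "S" in pkt.flags and "A" not in pkt.flags:   # a new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: only the reverse of a tracked outbound connection gets through
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run(policy: Callable[[Packet], bool], trace: List[Packet] = TRACE) -> Dict[str, bool]:
    """Apply a policy to the trace in order; return {packet label: allowed?}."""
    return {p.label: policy(p) for p in trace}


def compare() -> Dict[str, Dict[str, bool]]:
    """Verdicts of both policies on the same trace (a fresh tracking table each time)."""
    return {"stateless": run(stateless_port_block), "stateful": run(StatefulInspection())}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name)
        for label, ok in verdicts.items():
            print(f"  {'ALLOW' if ok else 'DROP':5} {label}")
```

Running it shows the stateless block dropping every packet in the trace, including the browser's own SYN and the server's reply, while the stateful policy admits the browser's exchange, drops the unsolicited inbound SYN, and admits the other process's outbound SYN to port 80 just as it admits the browser's. Whether that last connection is wanted is not something a packet-level policy can decide, which is why egress monitoring and host-side controls have to complement the firewall.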