Zombie Report By ISP 260
twitter writes "Information Week has a summary of a report by Prolexic detailing Zombie activity by ISP, country and population statistics. AOL, the largest provider, had the most zombies but lower rates than others. Fourth largest Earthlink was not in the top 20. The information is gathered from hundreds of customer sites." From the article: "Weinstein went on to say that Prolexic's numbers were actually good news for AOL. 'It's a demonstration that the tools we provide are keeping members safe. Our very aggressive actions -- we provide anti-virus, anti-spyware, and firewall services to our users -- make them measurably safer than those on other ISPs.'"
Good! (Score:4, Interesting)
I'm really sick of everyone in the world looking down on me as soon as they find that my IP is on a Comcast block.
Let's all block AOL ip block... (Score:0, Interesting)
The fundamental zombie problem (Score:3, Interesting)
I wish ISPs (victims and hosting) would hold the lusers responsible for this - I think criminal negligence would be an appropriate charge. I for one look after my gentoo linux boxen and keep them patched.
Re:Late night TV (Score:3, Interesting)
Re:Good! (Score:1, Interesting)
Plus, I'm on a NAT behind a router, so it might be hard for them to scan my computers.
File sharing (Score:1, Interesting)
It's the responsibility of the ISPs to monitor... (Score:2, Interesting)
Our school even gives out "free" (as in hidden in our tuition costs) copies of Norton (really Symantec, but I don't want to give up the old name) AV that takes care of many spyware threats and the vast majority of virus threats. The IT department also highly recommends that students use Spybot S&D or AdAware to remove and prevent spyware from getting a hold of their computers.
Most students just didn't care enough to worry about using the anti-virus and spyware tools that were provided to them. I've even been told by numerous people that running the tools makes their computers slow and they don't want to have it be slow when they are playing Snood.
The only way my school was able to successfully fight virus/bot activity on the network and prevent the entire campus from being taken over is to block users with "suspicious" activity (too many emails in a short period of time or too much outbound bandwidth in a short period of time were two tests that I knew of) from using the network until they can demonstrate that their computers are fully repaired.
The IT department used that technique to successfully stop Blaster and many of the other worms that hit our campus before too many computers were affected. Though it's "rule with an iron fist" at its best, it worked and made the network much safer for the rest of the population.
Without my school running things like this, it would have just been a matter of time before most of the computers on campus were taken over.
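The two "suspicious activity" tests the post above describes (too many emails in a short period, too much outbound bandwidth in a short period) can be implemented as sliding-window checks over per-host event records. The block below is an added example written for this page, not code from the commenter's school or from any product; the record format, the hosts, the thresholds and the sample events are all constructed for the example.

```python
"""Rate-based quarantine candidates from constructed per-host event records.

Added example, not code from the thread. Each event is
(timestamp_seconds, host_ip, kind, size_bytes), where kind is "smtp" for
an outbound mail submission or "flow" for an outbound flow summary.
A host is flagged once its message count or its outbound byte count within
a sliding window exceeds the limit; both limits are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

MAIL_LIMIT = 20           # outbound messages per window before flagging (assumed)
BYTES_LIMIT = 50_000_000  # outbound bytes per window before flagging (assumed)
WINDOW = 60               # window length in seconds (assumed)

# Constructed sample events: one mail-bombing host, one bandwidth hog,
# and two hosts with ordinary behaviour that must not be flagged.
SAMPLE_EVENTS = (
    [(t, "10.1.2.3", "smtp", 1_500) for t in range(0, 50, 2)]            # 25 messages in 50 s
    + [(t, "10.1.2.4", "flow", 20_000_000) for t in (100, 120, 140)]      # 60 MB in 40 s
    + [(t, "10.1.2.5", "smtp", 3_000) for t in range(0, 600, 120)]        # 5 messages in 10 min
    + [(t, "10.1.2.6", "smtp", 3_000) for t in range(0, 1260, 60)]        # 21 messages, one per minute
)


@dataclass
class Flag:
    host: str
    reason: str
    at: int  # timestamp of the event that tripped the limit


def find_quarantine_candidates(events, mail_limit=MAIL_LIMIT,
                               byte_limit=BYTES_LIMIT, window=WINDOW):
    """Return one Flag per host whose rate exceeds a limit, in the order they tripped."""
    mail_times = defaultdict(deque)   # host -> timestamps of recent messages
    byte_hist = defaultdict(deque)    # host -> (timestamp, bytes) of recent events
    byte_sum = defaultdict(int)       # host -> bytes currently inside the window
    flagged = {}
    for t, host, kind, size in sorted(events):
        if host in flagged:
            continue  # already a quarantine candidate; later events change nothing
        if kind == "smtp":
            q = mail_times[host]
            q.append(t)
            while q and q[0] <= t - window:   # drop messages older than the window
                q.popleft()
            if len(q) > mail_limit:
                flagged[host] = Flag(host, f"{len(q)} outbound messages in {window}s", t)
                continue
        # Every event, mail or flow, counts towards outbound bandwidth.
        h = byte_hist[host]
        h.append((t, size))
        byte_sum[host] += size
        while h and h[0][0] <= t - window:
            _, old = h.popleft()
            byte_sum[host] -= old
        if byte_sum[host] > byte_limit:
            flagged[host] = Flag(host, f"{byte_sum[host]} outbound bytes in {window}s", t)
    return list(flagged.values())


if __name__ == "__main__":
    for flag in find_quarantine_candidates(SAMPLE_EVENTS):
        print(f"quarantine {flag.host} at t={flag.at}: {flag.reason}")
```

The byte window is evaluated for every event, so a host that also mails normally still accumulates bandwidth; the message window only looks at `smtp` events. Thresholds like these are deliberately crude, which is why the post describes the network block as a trigger for a repair conversation rather than a verdict on its own.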
Automatic DDoS mitigation at backbone level (Score:3, Interesting)
Eventually some of the reports will reach backbone providers. At the top, IPs are reported to peers, which then route the reports back down to the local ISPs, who confirm the report and block the IP address locally. The problem then shifts to the end user, who must take responsibility for his or her machine and keep it secure.
Obviously, compliance is an issue, but this can be solved by having a higher-level provider begin blocking lower level subnets if the lower-level ISP does not comply with the mitigation request.
This scheme is in every ISP's interest, since backbone providers can reduce traffic and thus costs (carrot incentive) while smaller ISPs must comply or be blacklisted (stick incentive).
Now all we need is for a smart person to write up an RFC.
Re:Automatic DDoS mitigation at backbone level (Score:3, Interesting)
ISPs can already detect incoming DoS attacks and offramp them with existing tools, and a few ISPs are now offering automated blocking to their enterprise customers. They can also easily generate a list of zombies in their network. The real problem is that notifying infected machine owners and dealing with the customer service aspect costs too much money and is generally not worth the return.
Re:A solution (Score:1, Interesting)
Seig Heil!
Re:Turn turn turn ... (Score:1, Interesting)
Another thing that may account for AOL's low zombie percentage is that most brainwashed AOL subscribers don't even know how to use POP clients, since they can't use them with their AOL accounts. I have a feeling that it is extremely hard to get infected by a worm that is sent to your AOL address. Most that are contained in attachments do not make it through AOL's filters, thus the only likely infections were due to idiot users clicking links in the email. And since most are probably not using POP clients, even if they did get infected with a worm, chances are it won't be able to find any address to send itself to, since there is no active address book and no POP accounts set up to use in the first place. The only exceptions to this would be worms that use their own SMTP engine, but they would still be at a loss for addresses to mail themselves to.
Re:Who is publishing the best DUL/Broadband RBL? (Score:2, Interesting)
That being said, one of the things we do is attempt a tit-for-tat connection to an email server... if someone tries to send us mail, we ask if they accept mail, and if so, there's a good chance that they've got a legit server. That cuts down on a ton of bad connections.
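The "tit-for-tat" check in the comment above is a sender-address callout: the receiving MTA opens its own SMTP session to the claimed sender's mail server, goes as far as RCPT TO for the sender's address, and then resets without ever sending a message. The block below is an added example written for this page, not the commenter's code or any product's; the transport is abstracted behind a `readline`/`write` interface so the exchange runs offline against a scripted fake peer, and the hostnames, addresses and server replies are constructed.

```python
"""SMTP sender-address callout (added example, not from the thread).

The client speaks just enough SMTP to learn whether the sender's MTA would
accept mail for the claimed address: banner, HELO, MAIL FROM:<>, RCPT TO,
then RSET and QUIT. It never sends DATA. Transports are objects with
readline() and write(); ScriptedPeer is an offline stand-in for a remote
server. A real deployment would wrap a socket (after an MX lookup) in the
same interface. All hostnames and replies here are constructed.
"""
from dataclasses import dataclass, field

CRLF = "\r\n"


class ScriptedPeer:
    """Fake remote MTA: answers each command verb from a dict of canned replies."""

    def __init__(self, banner, replies):
        self.inbound = [banner]     # lines the client has not read yet
        self.replies = replies      # verb -> reply text (may be multi-line); None = hang up
        self.sent = []

    def readline(self):
        if not self.inbound:
            raise ConnectionError("peer closed connection")
        return self.inbound.pop(0)

    def write(self, line):
        self.sent.append(line.rstrip(CRLF))
        verb = line.split(" ", 1)[0].upper()
        reply = self.replies.get(verb, "502 5.5.2 command not implemented")
        if reply is not None:
            self.inbound.extend(reply.split("\n"))


def read_reply(peer):
    """Read one SMTP reply, including 250-xxx continuation lines; return (code, lines)."""
    lines = []
    while True:
        line = peer.readline()
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        lines.append(line)
        if len(line) == 3 or line[3] == " ":   # "250 " ends the reply, "250-" continues it
            return int(line[:3]), lines


@dataclass
class CalloutResult:
    verdict: str      # "accepts", "rejects" or "defer" (inconclusive, treat as unknown)
    detail: str
    transcript: list = field(default_factory=list)


def sender_callout(peer, sender_address, our_hostname="mx.example.invalid"):
    transcript = []

    def exchange(cmd):
        peer.write(cmd + CRLF)
        code, lines = read_reply(peer)
        transcript.append((cmd, lines))
        return code, lines[-1]

    try:
        code, banner = read_reply(peer)
        transcript.append(("<banner>", banner))
        if code != 220:
            return CalloutResult("defer", f"no SMTP service banner: {banner[-1]}", transcript)
        code, last = exchange(f"HELO {our_hostname}")
        if code != 250:
            return CalloutResult("defer", f"HELO refused: {last}", transcript)
        code, last = exchange("MAIL FROM:<>")
        if code != 250:
            # RFC 5321 requires accepting the null sender; a refusal says nothing about the address.
            return CalloutResult("defer", f"null sender refused: {last}", transcript)
        code, last = exchange(f"RCPT TO:<{sender_address}>")
        if code in (250, 251):
            result = CalloutResult("accepts", last, transcript)
        elif 500 <= code <= 599:
            result = CalloutResult("rejects", last, transcript)
        else:                       # 4xx: greylisting or temporary trouble, not a verdict
            result = CalloutResult("defer", last, transcript)
    except (ConnectionError, ValueError) as exc:
        return CalloutResult("defer", f"protocol error: {exc}", transcript)
    for cmd in ("RSET", "QUIT"):    # leave politely; errors on the way out are irrelevant
        try:
            exchange(cmd)
        except (ConnectionError, ValueError):
            break
    return result


def make_peer(rcpt_reply="250 2.1.5 OK", mail_reply="250 2.1.0 OK",
              banner="220 mail.example.invalid ESMTP"):
    """Constructed peer with a multi-line HELO reply, for testing the client offline."""
    return ScriptedPeer(banner, {
        "HELO": "250-mail.example.invalid\n250 SIZE 10240000",
        "MAIL": mail_reply, "RCPT": rcpt_reply,
        "RSET": "250 2.0.0 OK", "QUIT": "221 2.0.0 Bye",
    })


if __name__ == "__main__":
    for reply in ("250 2.1.5 OK", "550 5.1.1 user unknown", "451 4.7.1 try again later"):
        r = sender_callout(make_peer(rcpt_reply=reply), "alice@example.invalid")
        print(reply, "->", r.verdict, r.detail)
```

Only "rejects" is evidence the sender is forged; "defer" covers greylisting, closed connections and servers that refuse the null sender, and must not be scored as a failure. In practice the result is cached per address and the callouts are rate-limited, because every verification is itself a connection to somebody else's mail server.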
And if you add up the other domains Earthlink owns (Score:3, Interesting)
http://webmail.atl.earthlink.net/wam/supported_do
-- Terry