50 ISPs Harbor Half of All Infected Machines
Orome1 writes "As the classic method of combating botnets by taking down command and control centers has proven pretty much ineffective in the long run, there has been lots of talk lately about new stratagems that could bring about the desired result. A group of researchers from the Delft University of Technology and Michigan State University have recently released an analysis of the role that ISPs could play in botnet mitigation — an analysis that led to interesting conclusions. The often believed assumption that the presence of a high speed broadband connection is linked to the widespread presence of botnet infection in a country has been proven false."
Re:Use similar viruses/code to cleanse them. (Score:1, Informative)
Umm...somebody tried this a number of years ago. It was called the W32.Welchia worm. It tried to download and install a well-known security patch from Microsoft,
It didn't make anyone particularly happy, particularly security admins.
Re:aggressive removal tactics (Score:3, Informative)
You mean like the Malicious Software Removal Tool [microsoft.com] which is already offered through Windows Update as a critical update? Or Microsoft Security Essentials [microsoft.com] which either is or will shortly be available through Windows Update as a recommended update?
Re:Duh. (Score:3, Informative)
Use port 587 with SMTP AUTH. Gets around outgoing 25 blocks. It's not "open" in that you have to authenticate with the SMTP server so you're accountable for traffic using your credentials. If you colo you can set it up on your colo box, or I'm sure webhosts would love to sell you that service as well. Most SMTP servers these days support it, and you can block relaying and incoming 25 traffic.
http://en.wikipedia.org/wiki/SMTP_Authentication [wikipedia.org]
Re:Botnet sans broadband? Seen it already... (Score:3, Informative)
Naturally, my ssh denies all root attempts. Even if they got the password right they wouldn't know it, because the rejection would be the same. Other botnets have tried whitepages-style attacks using long lists of common user names and not matched any allowed users on my system as well.
I usually recommend disallowing password-based authentication, and permitting only key-based logins.
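As an added example (not part of the comment above or of any project), here is a small POSIX shell audit of an sshd_config for the three settings the poster relies on: root logins denied, password authentication off, key-based login on. It mirrors one sshd parsing rule that often trips people up: sshd keeps the first value it reads for a keyword, so a hardened line appended below a permissive one has no effect. The sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for the settings
# recommended above. sshd uses the FIRST value seen for a keyword (keywords are
# case-insensitive; comments/blank lines ignored); the global section ends at
# the first "Match" block, which this audit does not descend into.

# sshd_effective FILE KEYWORD DEFAULT -> prints the value sshd would use
sshd_effective() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }                    # global section over
        tolower($1) == tolower(k) { print tolower($2); exit }  # first match wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# sshd_audit FILE -> one line per finding; returns 0 if hardened, 1 otherwise.
# Unset keywords are treated as their permissive value (conservative assumption).
sshd_audit() {
    file=$1; rc=0
    root=$(sshd_effective "$file" PermitRootLogin yes)
    pass=$(sshd_effective "$file" PasswordAuthentication yes)
    pub=$(sshd_effective "$file" PubkeyAuthentication yes)
    case $root in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin=$root (root may log in with a password)"; rc=1 ;;
    esac
    [ "$pass" = no ]  || { echo "WEAK: PasswordAuthentication=$pass (guessing possible)"; rc=1; }
    [ "$pub" = yes ]  || { echo "WEAK: PubkeyAuthentication=$pub (key login disabled)"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: root denied, passwords off, keys on"
    return $rc
}

# Constructed sample configs (hypothetical paths via mktemp).
SSHD_WEAK=$(mktemp); SSHD_HARD=$(mktemp)
cat > "$SSHD_WEAK" <<'EOF'
# permissive: the later "no" is ignored because sshd keeps the first value
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
EOF
cat > "$SSHD_HARD" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
```

Run `sshd_audit /etc/ssh/sshd_config` (or the two sample files) to see the findings; a non-zero exit flags a config that still accepts password or root logins.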