Zombie Report By ISP
twitter writes "Information Week has a summary of a report by Prolexic detailing Zombie activity by ISP, country and population statistics. AOL, the largest provider, had the most zombies but lower rates than others. Fourth largest Earthlink was not in the top 20. The information is gathered from hundreds of customer sites." From the article: "Weinstein went on to say that Prolexic's numbers were actually good news for AOL. 'It's a demonstration that the tools we provide are keeping members safe. Our very aggressive actions -- we provide anti-virus, anti-spyware, and firewall services to our users -- make them measurably safer than those on other ISPs.'"
Turn turn turn ... (Score:5, Insightful)
They are basing that on 21.7 million total subscribers. I wonder what their rate would be if they only counted broadband subscribers?
Re:Turn turn turn ... (Score:4, Insightful)
Re:Turn turn turn ... (Score:2, Insightful)
Re: (Score:3, Insightful)
Re:Turn turn turn ... (Score:4, Insightful)
zombie survival guide (Score:2, Funny)
Re:Turn turn turn ... (Score:2)
I have to say I'm surprised some of the infection numbers were as low as they were. Considering how quickly a windows box gets owned through a typical broadband connection, and how sloppy most people are with security, I would have thought the numbers would have been higher. As an example, I have a friend who's intelligent, works
Re:Turn turn turn ... (Score:2)
So what exactly is a "% per million"? Is that one per hundred million (10e8)? The original post quotes "percent per million" as well...
Re:Turn turn turn ... (Score:3, Funny)
Re:Turn turn turn ... (Score:2, Informative)
Re:Turn turn turn ... (Score:3, Insightful)
Re:Turn turn turn ... (Score:3, Insightful)
A person who's running AOL on another ISP's network and using the AOL client as a simple TCP app wouldn't (and shouldn't) be considered an AOL zombie for this study, otherwise the zombie would be counted twice.
Re:Turn turn turn ... (Score:2)
Re:Turn turn turn ... (Score:2, Insightful)
Re:Turn turn turn ... (Score:2)
That's a really good point, and I'd have to agree. What I'd really find interesting though is how many of those zombies ARE dial-up (not just for AOL, but for all of the ISPs). Sure, individually they'd be ineffective, but en masse they're probably worth looking at.
I'm sure that exploit scripts don't bot
Re:Turn turn turn ... (Score:2)
Re:Turn turn turn ... (Score:2, Insightful)
No one is surprised (Score:2, Funny)
Good! (Score:4, Interesting)
I'm really sick of everyone in the world looking down on me as soon as they find that my IP is on a Comcast block.
Re:Good! (Score:4, Insightful)
So, let's summarize. If you live in the Philadelphia area, then you're stuck with the monopoly broadband company, and the commensurate extortionate prices, wretched customer service, frequent service interruptions...and now this.
I really loathe Comcast. And you just know there's no way they're going to clean up their act. Why would they? Where's the incentive or threat?
Re:Good! (Score:2)
Re:Good! (Score:5, Insightful)
They're the 'cheap' local providers, not the 'evil' big boys like AOL, so they're what your grandmother will subscribe to when your idiot nephew convinces her she needs an 'Always On' connection to listen to NPR or check her email every five minutes.
Yeah, this *looks* like it's just the industry's problem, but it's not. It's mine and yours. Every time you or I answer 'Well, I need a computer and a cable modem to check my email, right?' with just a 'yeah sure', we're adding to it.
Go buy Grandma that $39.99 firewall from Best Buy, configure it for her, and tell her that she doesn't need to worry about it. It's like the extra deadbolt on her front door. It helps keep the bad guys out.
Re:Good! (Score:2)
One uses our DSL connection (they live very close) and the other is still on dial-up.
Firewalling is not the answer. (Score:3, Insightful)
See, the point of being connected to the internet is to get email and access external resources. If you visit a web site that exploits your buggy browser, your firewall won't help you. If you click on an email that exploits your buggy mail client, your firewall won't help you.
The primary means of infection for the most prevalent malwares is email. Firewalls don't prevent you from receiving em
Firewall is the answer (Score:2)
If everyone had a hardware firewall hooked up to their computer, the zombies wouldn't be a problem. They'd still exist for a while, but they couldn't do anything. I say a hardware firewall because an infection COULD disable a software firewall if not password prote
No, you don't understand how the zombies work (Score:2)
See, it comes in on an email, gramma clicks it, nothing obvious (to granny) happens. At some point (probably immediately after the next reboot) the zombie code connects to an IRC channel and waits for the secret word. It can wait forever, it doesn't care. When Groucho says the secret word, "Allez-allez-oxenfrei!" or whatever, all the zombies on the channel respond by swit
Re:Good! (Score:2, Insightful)
Re:Good! (Score:2)
To "make sure"? No. However, it's an easy enough thing to:
* Provide software that manages updates
* Provide user-configurable filtering
* Follow up on complaints with the customer
These are not hard steps to take, and they would yield a dramatic reduction in problems.
Let the jokes begin... (Score:5, Funny)
AOL, the largest provider, had the most zombies
Sometimes jokes just write themselves...
Re:Let the jokes begin...really? (Score:2)
Me, too!
Er
Late night TV (Score:5, Funny)
BUT WAIT! There's more!
If you act now, we'll throw in ANOTHER anti-virus service at no extra charge! All this for only 89.95!
Okay, I'm not supposed to do this, but I'll personally add another EXTRA anti-spyware monitoring system AND take off 50 bucks from the retail price!
All this and more for only 3 easy payments of 39.95!
Re:Late night TV (Score:2)
For only $499, you'll get a second processor (or second core) to run all your security software!
Twice the computing power, at only 25% more cost!
Re:Late night TV (Score:3, Interesting)
Re:Late night TV (Score:2)
As AOL is the largest ISP, they're more likely to have common names. Heck, I'd be willing to say that most addresses would work if you just stuck an aol.com on the end of it.
It would be an interesting experiment to farm a bunch of legitimate email addresses, strip off the domain and replace them with @aol.com. Then, mail something to the list and s
Re:Late night TV (Score:2)
Still the worst offender (Score:2, Funny)
Re:Still the worst offender (Score:4, Insightful)
Re:Still the worst offender (Score:5, Insightful)
If eBay, playboy.com and espn.com blocked AOL users until AOL got rid of their zombies AOL would make absolute certain that the problem would be solved within 48 hours.
Re:Still the worst offender (Score:2)
AOL isn't responsible legally for what their users do.
Re:Still the worst offender (Score:2)
Re:Still the worst offender (Score:2)
Depends on how much the zombies are hurting. I get a lot of phishers sending email as if I have an eBay account. (I have not used eBay in years) If eBay decides these are coming from zombie machines hosted by AOL, they might decide that the loss of AOL subscribers is worth it, and AOL subscribers who like eBay will be mad enough to force AOL to act.
Though in general I agree with you: won't happen. However if the phishing problem gets much worse it might.
Re:Still the worst offender (Score:2)
Yeah, AOL is not the best target. However enough AOL users use eBay that eBay could (if they stuck it out) force a change in any large ISP, and bankrupt small ones.
It would cost eBay a lot of money in the short run, and I'm not sure that could be recovered in the gains from fewer phishing attacks long term. You can be sure that eBay shutting out AOL would make national news, so long as they picked a slow news week. I just don't know if eBay has the right marketing guys to not lose in the realm of pu
Re:Still the worst offender (Score:2)
Not all people blocking IP ranges are companies, and of those, I can easily imagine that not all of them find it's worth providing business to AOL users. There are exceptions of course, but on average, AOL users are just plain annoying to deal with.
Re:Still the worst offender (Score:2)
Re:Still the worst offender (Score:2)
Unfortunately, if we do that I won't be able to read any of your future comments because I am using Comcast with my non-zombie machine.
A better solution might be if the ISP determines the machine is a zombie, route them to a packet filtering system and filter out all connection requests except for a web page that contained instruct
Zombie Activity (Score:5, Funny)
2. EATING BRAINS
The fundamental zombie problem (Score:3, Interesting)
I wish ISPs (victims and hosting) would hold the lusers responsible for this - I think criminal negligence would be an appropriate charge. I for one look after my gentoo linux boxen and keep them patched.
Re:The fundamental zombie problem (Score:3, Insightful)
If you're upset about end-users ruining your ability to download new packages for your "boxen," then offer to help instead of bitching them out on Slashdot.
You gotta be kidding (Score:5, Insightful)
Except that it wasn't just an appliance, was it? It was a bug ridden piece of manure that was delivered with known defects, to people who by and large don't have the wherewithal to work around those defects.
This is Microsoft's fault, plainly. Not the poor bastards who were taken in.
Re:The fundamental zombie problem (Score:2)
Re:The fundamental zombie problem (Score:4, Insightful)
Not meaning to sound flippant, but you're giving them too much credit.
For most people, that their computer might be part of a world-wide network of zombie slaves to an international cybermob is just not within their ability to fathom.
So no, they don't care, but it's on the level of caring that their Chinese-made desk lamp was made by people who can't read about democracy on MSN. That's not quite it, but the point is it's simply not part of their world.
People call me to fix their "broken" computers. When I remove the viruses and other crap and explain the problem, they *always* express outrage that someone would do that to innocent little them.
Until then they don't care because they don't understand. Anyone who does understand feels violated and tries to do something about it.
A solution (Score:5, Insightful)
No amount of firewalls, switching to Mac or Linux, or anything else will stop people from having their computers taken over at the end of the day. Stupid users will always find a way to get infected despite the best protection available.
Operating a computer should be like operating heavy machinery. You need to pass a test that says you're qualified to do it. Don't want to take the time to learn how to properly use a computer and avoid being just another zombie PC sending me emails about lowering my car payments or free nude pics of celebrities? Then don't use a computer at all.
If you think this is a little irrational, just remember that the financial damages caused by computer viruses are probably in the billions of dollars every year. Imagine how much trouble could be prevented.
Re:A solution (Score:2)
True, but one can think about it another way. If viruses/spyware weren't a problem, there would be fewer jobs in IT. Those estimated 'billions of dollars' don't just go into an incinerator. The productivity losses do (money that never existed, btw), but money spent to correct problems goes into the econ
Re:A solution (Score:2)
Re:A solution (Score:4, Insightful)
Operating a computer should be like operating heavy machinery. You need to pass a test that says you're qualified to do it.
You need to pass a test because lives are at risk, not bandwidth. Realistically there should be some basic instruction, hopefully provided in schools, but at the same time most computers should be much, much, much, much, much harder to remotely take over and turn into a zombie. Windows is the worst of the bunch, but pretty much all OSs could be a lot easier to use securely. I imagine they would be too, except for the fact that since MS gained their monopoly, innovation has slowed to a crawl. I want default sandboxes for new applications, services off by default, and easy built in standards compliant encryption and authentication schemes.
I agree that there will always be really stupid users that will get their machines taken over and agree to the most ridiculous risks to see the little bunny cartoon, but at least make the user click a button that says "Let this program do anything it wants to my computer" right next to the "run it in a sandbox and give it no access to the internet or my files" button.
Re:A solution (Score:2)
How much in sales and profit do you suppose the mass market Windows PC generates in a year?
Think Microsoft, Dell, Google, Yahoo, Amazon, Time-Warner, Verizon. The PC game industry, "in decline," still rakes in $1.6 billion annually. PC games battle the consoles by going online [sfgate.com] Our small village Rite-Aid stocks Kodak digital cameras, smart media c
Zombies VS Usable Zombies (Score:2)
So yes, a firewall would fix the problem of a zombie computer being used to dos a site.
The other thing about AOL (Score:4, Informative)
So a lot of the AOL crowd having good numbers may very well be local ISP's that are taking good care of their own customers, and just happen to contract out to AOL on the side
-everphilski-
Whose IP space? (Score:2)
After all, it's also possible that the reason that AOL has such good numbers is from their users being counted against someone else.
[or, more likely, that their users don't spend as much time connected, and so by looking at the number of attacks, you actually have to compare the sum of time that the subscribers were connected, rather than the number of subscribers.]
Umm... (Score:2)
But if we do show up at all, it's BOFH time!
Re:Umm... (Score:5, Informative)
The Prolexic Zombie Report [prolexic.com]
#7 pacbell.net 4.09% (Score:2)
I wonder where the number would be if all of SBC's networks (they own pacbell, and have for several years) were to be counted as one?
AOL is the largest? (Score:2)
AOL is the largest ISP on the planet? Who is AOL's ISP? Assuming AOL isn't their only customer wouldn't that make them the largest?
AOL's ISP is ATDN (Score:5, Informative)
"ISP" usually refers to something more customer-facing than the tier 1 providers.
Stupid AOL (Score:4, Insightful)
But according to the post, Earthlink (the fourth largest provider) wasn't even in the top 20, implying that their zombie percentage is far lower than AOL's.
Re:Stupid AOL (Score:2)
It's not stupid at all, in fact it is pretty good as it is completely unreasonable to compare numbers directly when one ISP has several times more customers than another.
This is why a lot of comparisons are measured in percentages. It is so that the big players don't have a skew towards them (either for good or for bad) simply because of their larger customer base.
To use an analogy, that would be like saying that you're f
Earthlink has broadband services (Score:3, Informative)
Remember, traditional AOL service is dialup too? No difference between Earthlink and AOL in this respect. Both are dialup providers that have begun a push into broadband service, and in Earthlink's case, even mobile phone service. (Earthlink is an MVNO that resells Verizon and Sprint service.)
This is how it starts... (Score:2, Informative)
Although there are some AOL users I wouldn't mind being gobbled up, I hardly need to sit on my roof with a minigun and grenade launcher.
For the love of G-d, we must do something now!
Report. (Score:3, Informative)
http://www.prolexic.com/zr/ [prolexic.com]
--saint
AOL is on crack. Here's why. (Score:4, Insightful)
Picture that you're a script-kiddie botnet owner looking for more zombie systems. You have a program that someone provided to you that scans netblocks for systems vulnerable to hundreds of various buffer overflow attacks. You get to pick what netblocks the scanner runs on.
Which would you pick:
1. AOL dialup netblocks, where the user's average 48 K/bps connection takes an average of 1 minute to scan and provides you with a wimpy 48 K/bps of DDoS power
2. Comcast Cable Modem netblocks, where the user's average 384 K/bps upstream bandwidth takes an average of 6 seconds to scan and provides you with a beefy 4,000 K/bps downstream DDoS power.
The numbers quoted above should be accurate enough to get the point. AOL hosts take far longer to compromise and provide far less "bang for the buck". No wonder they're compromised a smaller percentage of time.
Re:AOL is on crack. Here's why. (Score:3, Insightful)
Remember: most zombies involved in a DDoS attack are simply opening a connection, sending a malformed request then closing the connection. They aren't playing FPS games or downloading porn, so high bandwidth isn't really required. What is required is a vast diversity in IP address so th
Re:AOL is on crack. Here's why. (Score:2)
Good point, and one that I didn't miss. My point was, if you can scan any IP block range you want to, wouldn't you start (and likely finish) with Comcast Cable's instead of AOL's? All of them are obviously of value, but the Comcast ones give far more value and are far faster to scan.
In case of ./ing, mirror of article: (Score:2)
Dialup versus broadband (Score:2)
Re:Dialup versus broadband (Score:2)
If Comcast, Verizon and others started filtering all SMTP traffic from their DUL customers (except traffic to their authorized relays), the infection rate of PCs would drop exponentially.
Despite what the report may indicate, AOL has one of the best anti-spam processes of any major ISP. Even Earthlink, which constantly advertises about how much they care about stopping spam, still lets their custo
AOL Software... (Score:3, Funny)
It's the responsibility of the ISPs to monitor... (Score:2, Interesting)
Our school even gives out "free" (as in hidden in our tuition costs) copies of Norton (really
Re:It's the responsibility of the ISPs to monitor. (Score:2)
What if this was a corporate laptop? The CEOs laptop? Configured to only VPN into the corporate network, and the scanner breaks something?
Do you want to fight those lawsuits?
I would just disconnect those users, and let them go to my competitors, except that there are too many idiots and any good ISP would soon go out of business that way. Plus, charging for reconnection has exactly that effect. Maybe ISPs should charge for outbound bandwidth by the byt
Earthlink *is* 17th... (Score:3, Informative)
And if you add up the other domains Earthlink owns (Score:3, Interesting)
http://webmail.atl.earthlink.net/wam/supported_do
-- Terry
Groovy (Score:2, Funny)
Automatic DDoS mitigation at backbone level (Score:3, Interesting)
Eventually some of the reports will reach backbone providers. At the top, IPs are reported to peers, which then route the reports back down to the local ISPs, who confirm the report and block the IP address locally. The problem then shifts to the end user, who must take responsibility for his or her machine and keep it secure.
Obviously, compliance is an issue, but this can be solved by having a higher-level provider begin blocking lower level subnets if the lower-level ISP does not comply with the mitigation request.
This scheme is in every ISP's interest, since backbone providers can reduce traffic and thus costs (carrot incentive) while smaller ISPs must comply or be blacklisted (stick incentive).
Now all we need is for a smart person to write up an RFC.
Re:Automatic DDoS mitigation at backbone level (Score:3, Interesting)
ISPs can already detect incoming DoS attacks and offramp them with existing tools, and a few ISPs are now offering automated blocking to their enterprise customers. They can also easily generate a list of zombies in their network. The real problem is that notifying infected machine owners and dealing with the customer service aspect costs too much money and is generally not worth the return.
Re:Automatic DDoS mitigation at backbone level (Score:2)
One way to mitigate the impact of increased CS calls is to route we
Re:Automatic DDoS mitigation at backbone level (Score:2)
You can't mandate compliance by writing an RFC. I don't think the money an ISP could make redirecting to an antivirus manufacturer would recoup their losses from customers who move elsewhere because of the inconvenience or from paying all the people they need to answer the phones and tell customers why they are being redirected or to explain to them why the automated system thinks they have a worm. Give it time, eventually the automated tools will mature to the point that the cost is not as bad and, hopefu
Re:Automatic DDoS mitigation at backbone level (Score:2)
Re:Automatic DDoS mitigation at backbone level (Score:2)
infomercial for Prolexic (Score:2)
Who is publishing the best DUL/Broadband RBL? (Score:2)
I know MAPS has a good DUL list, but I refuse to pay a fee to try their RBL without first seeing if it will affect my clients' legitimate e-mail, so does anyone have any good sources for free DUL RBLs?
IMO, all legitimate mail relays should refuse SMTP traffic from cable, dsl and other inappropriate IP space.
Re:Who is publishing the best DUL/Broadband RBL? (Score:2, Interesting)
That being said, one of the things we do is attempt a tit-for-tat connection to an email server... if someone tries to send us mail, we ask if they accept mail, and if so, there's a good chance that they've got a legit server. That cuts down on a ton of bad con
Earthlink is listed (just not as Earthlink) (Score:2)
Mindspring and Earthlink have merged so they also should be considered the same. Which would give Earthlink 4.25% (combine Sprint and Mindspring) for the US at spot 7 or 18-19 for the World. Heck, www.mindspring.com just redirects you to earthlink.com now.
Re:Earthlink is listed (just not as Earthlink) (Score:2)
At least AOL is responsive! (Score:2)
I cannot say the same for many others (AT&T) (Shaw.ca) who seem to be completely unable to generate useful abuse reports, or respond to thos
Brains! (Score:2, Funny)
Brains!
When do we want them?
Brains!
Re:Brains! (Score:2)
Homer: "He was a zombie?"
Re:Where's the beef^h^h^h^hlist? (Score:4, Funny)
Re:Where's the beef^h^h^h^hlist? (Score:2, Funny)
why, are you using AOL?
*ducks*
Re:Let's all block AOL ip block... (Score:2)
Since in practice no user should do this and go through AOL's SMTP servers anyway, you're only going to block crap by firewalling off packets from AOL dial-up/ADSL blocks coming to port 25.
Re:Article is incorrect (Score:4, Informative)
So (making #s up) if AOL is 10% of all attacks, and 100 million machines, they have .1 percent per million. But if Joe's ISP has 5% of all attacks, and only 5 million machines, they have 1.0 percent per million.
AOL has twice as many attacks total, but compared to their user base Joe's rate is ten times as high.
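The "percent per million" normalisation the post above describes, combined with the point made earlier in the thread that domains owned by one ISP (Earthlink and Mindspring) should be summed before ranking. This is an added example, not code from the thread or from Prolexic; all figures are constructed, reusing the post's made-up AOL and Joe's ISP numbers.

```python
# Added example (not from the thread): compare ISPs by attack share per million
# subscribers rather than by raw share, after merging domains under one owner.
# All data below is constructed for illustration.

from typing import Dict, List, Tuple

# Constructed per-domain data: domain -> (owner, % of all observed attacks, subscribers)
CONSTRUCTED_DOMAINS: Dict[str, Tuple[str, float, int]] = {
    "aol.com":        ("AOL",       10.0, 100_000_000),
    "joesisp.net":    ("Joe's ISP",  5.0,   5_000_000),
    "earthlink.net":  ("Earthlink",  2.0,   3_000_000),
    "mindspring.com": ("Earthlink",  1.0,   1_000_000),  # same owner as earthlink.net
}


def percent_per_million(attack_share_pct: float, subscribers: int) -> float:
    """Attack share (percent of all attacks) per million subscribers.

    10% of attacks over 100 million machines -> 0.1 percent per million;
    5% of attacks over 5 million machines   -> 1.0 percent per million.
    """
    if subscribers <= 0:
        raise ValueError("subscriber count must be positive")
    return attack_share_pct / (subscribers / 1_000_000)


def aggregate_by_owner(domains: Dict[str, Tuple[str, float, int]]) -> Dict[str, Tuple[float, int]]:
    """Sum attack share and subscribers across all domains of the same owner."""
    totals: Dict[str, Tuple[float, int]] = {}
    for owner, share, subs in domains.values():
        prev_share, prev_subs = totals.get(owner, (0.0, 0))
        totals[owner] = (prev_share + share, prev_subs + subs)
    return totals


def rank_by_raw_share(isps: Dict[str, Tuple[float, int]]) -> List[str]:
    """Ranking a headline like 'AOL had the most zombies' is based on."""
    return sorted(isps, key=lambda name: isps[name][0], reverse=True)


def rank_by_rate(isps: Dict[str, Tuple[float, int]]) -> List[str]:
    """Ranking after normalising by subscriber base (percent per million)."""
    return sorted(isps, key=lambda name: percent_per_million(*isps[name]), reverse=True)


def rate_ratio(isps: Dict[str, Tuple[float, int]], a: str, b: str) -> float:
    """How many times higher ISP a's normalised rate is than ISP b's."""
    return percent_per_million(*isps[a]) / percent_per_million(*isps[b])


if __name__ == "__main__":
    by_owner = aggregate_by_owner(CONSTRUCTED_DOMAINS)
    print("by raw share:", rank_by_raw_share(by_owner))
    print("by rate     :", rank_by_rate(by_owner))
    for name in rank_by_rate(by_owner):
        share, subs = by_owner[name]
        print(f"{name:10s} share={share:5.1f}%  subs={subs:>11,d}  "
              f"rate={percent_per_million(share, subs):.2f} %/M")
```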
AOL Zombies (Score:2, Funny)