Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Security The Internet

Zombie Report By ISP 260

twitter writes "Information Week has a summary of a report by Prolexic detailing Zombie activity by ISP, country and population statistics. AOL, the largest provider, had the most zombies but lower rates than others. Fourth largest Earthlink was not in the top 20. The information is gathered from hundreds of customer sites." From the article: "Weinstein went on to say that Prolexic's numbers were actually good news for AOL. 'It's a demonstration that the tools we provide are keeping members safe. Our very aggressive actions -- we provide anti-virus, anti-spyware, and firewall services to our users -- make them measurably safer than those on other ISPs.'"
This discussion has been archived. No new comments can be posted.

Zombie Report By ISP

Comments Filter:
  • Turn turn turn ... (Score:5, Insightful)

    by It doesn't come easy ( 695416 ) * on Thursday June 16, 2005 @10:58AM (#12832309) Journal
    AOL spins the report as good news because they claim a low rate of 0.54% zombie machines per million subscribers...yeah but...

    They are basing that on 21.7 million total subscribers. I wonder what their rate would be if they only counted broadband subscribers?
    • by tigerd ( 890439 ) on Thursday June 16, 2005 @11:01AM (#12832337) Homepage
      I dont really think an ISP is responsible for zombiemachines. Its the endusers who has the final responsibility. That means your an my grandma...
      • Theoretically, yes. But pragmatically, some relatively simple measures taken by an ISP can greatly reduce end user vulnerability, while sufficiently educating all end users about how not to become infect is simply impossible in the face of most poeple's total lack of concern for the problem.
      • Look, I understand an ISP cannot 100% tell if machines are zombied and block users based on tracking user activity. I don't think they should be held responsible. HOWEVER, they should absolutely be held responsible for not acting when they are tipped off by security companies and knowedgable users about specific machines that are doing things.

        I think combining a complaint with a 10 minute packet tracking of the computer's activity should provide enough evidence to verify a machine is most likely zombie
    • by Anonymous Coward
      aol should read this... []
    • That was the first thing that leapt to my mind. What a crap comparison. Now they'll be trumpeting it all over, talking up their own safety based on an apples to oranges comparison.

      I have to say I'm surpsied some of the infection numbers were as low as they were. Considering how quickly a windows box gets owned through a typical broadband connection, and how sloppy most people are with security, I would have thought the numbers would have been higher. As an example, I have a friend who's intelligent, works
    • low rate of 0.54% zombie machines per million

      So what exactly is a "% per million"? Is that one per hundred million (10e8)? The original post quotes "percent per million" as well...

      • Each million AOL subscribers contribute 0.54% of the total DoS load. Thus, the 21.7 million AOL subscribers contribute 21.7 million * 0.54%/million = 11.7% of total load.

  • That the AOL users are zombies.
  • Good! (Score:4, Interesting)

    by ajs ( 35943 ) <> on Thursday June 16, 2005 @11:01AM (#12832336) Homepage Journal
    Now, perhaps we can start putting some pressure on the bad ISPs to clean up their networks on the basis of their successful peers.

    I'm really sick of everyone in the world looking down on me as soon as they find that my IP is on a Comcast block.
    • Re:Good! (Score:4, Insightful)

      by kiwimate ( 458274 ) on Thursday June 16, 2005 @11:09AM (#12832402) Journal
      No kidding. is ranked #5 in the Top Infected Networks table, and #2 in the Infected US Networks table.

      So, let's summarize. If you live in the Philadelphia area, then you're stuck with the monopoly broadband company, and the commensurate extortionate prices, wretched customer service, frequent service interruptions...and now this.

      I really loathe Comcast. And you just know there's no way they're going to clean up their act. Why would they? Where's the incentive or threat?
      • Monopolies suck for the non-monopoly owner, no doubt about it. You should check out Verizon DSL []. If you live close to a civilized part of Philadelphia, you may be able to get it at your house. Their basic DSL in Philly now offers the equivalent speed of the entry level internet cable at about 2/3s the price with no contract required. Plus, they have a sale untl the end of June, 2005 on the first three month's subscription and no signup charges (and no, I don't work at Verizon). If we all keep switching
    • Re:Good! (Score:5, Insightful)

      by Bonker ( 243350 ) on Thursday June 16, 2005 @11:16AM (#12832459)
      I'd be willing to bet that the majority of the 1st world zombies originate on 'White Label' broadband. The aforementioned Comcast, Cox, SWB DSL... things like that. AOL has the most of any ISP, but I bet the conglomerate of the top 5 cable and dsl bandwidth providers easily dwarfs them.

      They're the 'cheap' local providers, not the 'evil' big boys like AOL, so they're what your grandmother will subscribe to when your idiot nephew convinces her she needs an 'Always On' connection to listen to NPR or check her email every five minutes.

      Yeah, this *looks* like it's just the industry's problem, but it's not. It's mine and yours. Every time you or I answer 'Well, I need a computer and a cable modem to check my email, right?' with just a 'yeah sure', we're adding to it.

      Go buy Grandma that $39.99 firewall from Best Buy, configure it for her, and tell her that she doesn't need to worry about it. It's like the extra deadbolt on her front door. It helps keeps the bad-guys out.
      • by mi ( 197448 )
        Our grandparents have it even better -- their PCs run FreeBSD (with KDE front-end).

        One uses our DSL connection (they live very close) and the other is still on dial-up.

    • Re:Good! (Score:2, Insightful)

      by GigsVT ( 208848 )
      It doesn't matter which ISP you use, some idiots somewhere will have some personal grudge against it.
  • by pete19 ( 874979 ) <pete19@g[ ] ['mai' in gap]> on Thursday June 16, 2005 @11:02AM (#12832345) Homepage Journal

    AOL, the largest provider, had the most zombies

    Sometimes jokes just write themselves...

  • by Dancin_Santa ( 265275 ) <> on Thursday June 16, 2005 @11:02AM (#12832355) Journal
    we provide anti-virus, anti-spyware, and firewall services to our users

    BUT WAIT! There's more!

    If you act now, we'll throw in ANOTHER anti-virus service at no extra charge! All this for only 89.95!

    Okay, I'm not supposed to do this, but I'll personally add another EXTRA anti-spyware monitoring system AND take off 50 bucks from the retail price!

    All this and more for only 3 easy payments of 39.95!
    • Don't forget the second processor to run all the stuff...

      For only $499, you'll get a second processor (or second core) to run all your security software!

      Twice the computing power, at only 25% more cost!
  • So AOL has lower rate than some others. Doesn't really matter - since they have the most zombies in absolute numbers, blocking AOL from your IP range will give the most bang for the block anyway.

    • by Anonymous Coward on Thursday June 16, 2005 @11:07AM (#12832392)
      But you will block 21 million legitimate users too. If that is acceptable, I don't really want to have anything to do with your company.
      • by Anonymous Coward on Thursday June 16, 2005 @11:11AM (#12832424)
        But you will block 21 million legitimate users too.

        If eBay, and blocked AOL users until AOL got rid of their zombies AOL would make absolute certain that the problem would be solved within 48 hours.

        • Instantly sued by AOL and would probably win too.
          AOL isn't responsible legally for what their users do.
          • Unless AOL and eBay have a peering agreement, neither has legal recourse if the other blocks their traffic. eBay is under no obligation to accept traffic from anyone unless there's a contract signed. Same for AOL.
      • I help run an IRC channel that blocks AOL. Partly it's due to zombies and flooding, but much more commonly it's due to sheer stupidity. Every year or two we try unblocking it, and we get deluged by people demanding we do their homework, and we block it again.

        Not all people blocking IP ranges are companies, and of those, I can easily imagine that not all of them find it's worth providing business to AOL users. There are exceptions of course, but on average, AOL users are just plain annoying to deal with.
    • Bang per netblock, yes, but not bang per legitimate user. The cost of blocking isn't in the number of blocks of IPs you have to block, it's in the number of non-zombies that can't get through. You should concentrate on blocking ISPs with relatively few users, a large percentage of which of are zombies, since this gets you the most benefit per lost customer.
    • Why stop there? We could block the top four in the US (AOL, Comcast, Southwestern Bell, and Verizon) and knock off probably 2/3rds of all the zombie computers in the world...

      Unfortunately, if we do that I won't be able to read any of your future comments because I am using Comcast with my non-zombie machine.

      A better solution might be if the ISP determines the machine is a zombie, route them to a packet filtering system and filter out all connection requests except for a web page that contained instruct
  • by fuct_onion ( 870134 ) on Thursday June 16, 2005 @11:07AM (#12832384) Journal
    1. Participation in Distributed Denial-of-Service attacks
  • by Anonymous Coward on Thursday June 16, 2005 @11:08AM (#12832397)
    End users just *don't care*. This is why there are botnets. Because, although their owned boxen are f-ing with the rest of the internet, it doesn't affect them - a selfish luser attitude, why should they bother virus/trojan scanning their boxen?
    I wish ISPs (victims and hosting) would hold the lusers responsible for this - I think criminal negligence would be an appropriate charge. I for one look after my gentoo linux boxen and keep them patched.
    • The hostile behavior of self-proclaimed net.gods, looking down upon AOL "lusers" from their Linux "boxen," doesn't help matters any.

      If you're upset about end-users ruining your ability to download new packages for your "boxen," then offer to help instead of bitching them out on Slashdot.
    • by Dammital ( 220641 ) on Thursday June 16, 2005 @11:37AM (#12832611)
      "End users just *don't care* [...] a selfish luser attitude"
      I don't think that's fair. The end users, for the most part, have been handed a box that was advertised as an appliance: "Plug it in and you're good to go! Surf the net, download music, play games with your chums, get photos from the grandkids!"

      Except that it wasn't just an appliance, was it? It was a bug ridden piece of manure that was delivered with known defects, to people who by and large don't have the wherewithal to work around those defects.

      This is Microsoft's fault, plainly. Not the poor bastards who were taken in.

    • Doesn't affect them? Have you ever USED one of those virus/trojan ridden boxen? Slower than molasses, more unstable than a short halflife isotope... I'm sure the "lusers" would happily clean up their boxen if they had a clue how or even realized their machines were virus and trojan ridden.
    • by RealProgrammer ( 723725 ) on Thursday June 16, 2005 @11:50AM (#12832707) Homepage Journal
      >End users just *don't care*.

      Not meaning to sound flippant, but you're giving them too much credit.

      For most people, that their computer might be part of a world-wide network of zombie slaves to an international cybermob is just not within their ability to fathom.

      So no, they don't care, but it's on the level of caring that their Chinese-made desk lamp was made by people who can't read about democracy on MSN. That's not quite it, but the point is it's simply not part of their world.

      People call me to fix their "broken" computers. When I remove the viruses and other crap and explain the problem, they *always* express outrage that someone would do that to innocent little them.

      Until then they don't care because they don't understand. Anyone who does understand feels violated and tries to do something about it.

  • A solution (Score:5, Insightful)

    by alvinrod ( 889928 ) on Thursday June 16, 2005 @11:08AM (#12832398)
    No matter how many software or hardware tools an ISP has in place to stop their customers computers from being turned into zombies, the only real way to combat the problem is to educate the end user more.

    No amount of firewalls, switching to Mac or Linux, or anything else will stop people from having their computers taken over at the end of the day. Stupid users will always find a way to get infected dispite the best protection available.

    Operating a computer should be like operating heavy machinary. You need to pass a test that says you're qualified to do it. Don't want to take the time to learn how to properly use a computer and avoid being just another zombie PC sending me emails about lowering my car payments or free nude pics of celebrities? Then don't use a computer at all.

    If you think this is a little irrational, just remember that the financial damages caused by computer viruses are probably in the billions of dollars every year. Imagine how much trouble could be prevented.

    • If you think this is a little irrational, just remember that the financial damages caused by computer viruses are probably in the billions of dollars every year. Imagine how much trouble could be prevented.

      True, but one can think about it another way. If viruses/spyware weren't a problem, there would be fewer jobs in IT. Those estimated 'billions of dollars' don't just go into an incinerator. The productivity losses do (money that never existed, btw), but money spent to correct problems goes into the econ
    • Re:A solution (Score:4, Insightful)

      by 99BottlesOfBeerInMyF ( 813746 ) on Thursday June 16, 2005 @11:22AM (#12832499)

      Operating a computer should be like operating heavy machinary. You need to pass a test that says you're qualified to do it.

      You need to pass a test because lives are at risk, not bandwidth. Realistically their should be some basic instruction, hopefully provided in schools, but at that same time most computers should be much, much, much, much, much harder to remotely take over and turn into a zombie. Windows is the worst of the bunch, but pretty much all OSs could be a lot easier to use securely. I imagine they would be too, except for the fact that since MS gained their monopoly, innovation has slowed to a crawl. I want default sandboxes for new applications, services off by default, and easy built in standards compliant encryption and authentication schemes.

      I agree that there will always be really stupid users that will get their machines taken over and agree to the most ridiculous risks to see the little bunny cartoon, but at least make the user click a button that says "Let this program do anything it wants to my computer" right next to the "run it in a sandbox and give it no access to the internet or my files" button.

    • If you think this is a little irrational, just remember that the financial damages caused by computer viruses are probably in the billions of dollars every year

      How much in sales and profit do you suppose the mass market Windows PC generates in a year?

      Think Microsoft, Dell, Google, Yahoo, Amazon, Time-Warner, Verizon. The PC game industry, "in decline," still rakes in $1.6 billion annually.PC games battle the consoles by going online [] Our small village Rite-Aid stocks Kodak digital cameras, smart media c

    • A firewall wouldn't stop a computer from being turned into a zombie, but it WOULD stop it from being used as a zombie. A zombie computer has to listen on a port for instructions on what to do. If that zombie is behind a firewall blocking that port, it'd just sit there and do nothing.

      So yes, a firewall would fix the problem of a zombie computer being used to dos a site.
  • by everphilski ( 877346 ) on Thursday June 16, 2005 @11:09AM (#12832403) Journal
    The other thing about AOL's dialup service is that they buy modems from local ISP's in areas where they don't operate central hubs. I used to work for one such ISP that contracted to AOL. We were very proactive about protecting customers, etc.

    So a lot of the AOL crowd having good numbers may very well be local ISP's that are taking good care of their own customers, and just happen to contract out to AOL on the side

    • Were the users given numbers in AOLs, or your IP space?

      After all, it's also possible that the reason that AOL has such good numbers is from their users being counted against someone else.

      [or, more likely, that their users don't spend as much time connected, and so by looking at the number of attacks, you actually have to compare the sum of time that the subscribers were connected, rather than the number of subscribers.]
  • ...Where can I see the report? I work for an ISP, it would be interesting to see where we fit. We're kinda medium-sized and mostly local, so I can't imagine we'd be on there at all.

    But if we do show up at all, it's BOFH time!
  • "We're the largest ISP on the planet," Andrew Weinstein, a spokesman for AOL, said Wednesday.

    AOL is the largest ISP on the planet? Who is AOL's ISP? Assuming AOL isn't their only customer wouldn't that make them the largest?

    • AOL's ISP is ATDN (Score:5, Informative)

      by jfengel ( 409917 ) on Thursday June 16, 2005 @12:20PM (#12832941) Homepage Journal
      Actually, AOL's "ISP" is AOL Transit Data Network (ATDN), a related company. They're a "tier 1" provider, and they communicate directly with other tier 1 providers: AT&T, MCI, Level(3), Verio, GBLX, C&W, Verizon, etc. They're the guys who own the big continent- and ocean-spanning fiber optic networks.

      "ISP" usually refers to something more customer-facing than the tier 1 providers.
  • Stupid AOL (Score:4, Insightful)

    by Andy Dodd ( 701 ) <atd7.cornell@edu> on Thursday June 16, 2005 @11:18AM (#12832482) Homepage
    They had the most zombies but a lower rate than others. They spin this as good.

    But according to the post, Earthlink (the fourth largest provider) wasn't even in the top 20, implying that their zombie percentage is far lower than AOL's.
    • They had the most zombies but a lower rate than others. They spin this as good.

      It's not stupid at all, infact it is pretty good as it is completely unreasonable to compare numbers directly when one ISP has several times more customers than another.

      This is why a lot of comparisons are measured in percentages. It is so that the big players don't have a skew towards them (either for good or for bad) simply because of their larger customer base.

      To use an analogy, that would be like saying that you're f

  • ...and this is how it ends up. []

    Although, there are some AOL users I wouldn't mind being gobbled up, I hardly need to sit on my roof with a minigun and grenade launcher.

    For the love of G-d, we must do something now!
  • Report. (Score:3, Informative)

    by saintlupus ( 227599 ) on Thursday June 16, 2005 @11:27AM (#12832540) Homepage
    The actual report is at: []

  • by bigtallmofo ( 695287 ) on Thursday June 16, 2005 @11:36AM (#12832596)
    "That's three or four times as many attacks per million subscribers," Weinstein argued. "The numbers show that AOL members are significantly less likely to have been compromised by a zombie. This is actually good news for our users."

    Picture that you're a script-kiddie botnet owner looking for more zombie systems. You have a program that someone provided to you that scans netblocks for systems vulnerable to hundreds of various buffer overflow attacks. You get to pick what netblocks the scanner runs on.

    Which would you pick:

    1. AOL dialup netblocks, where the user's average 48 K/bps connection takes an average of 1 minute to scan and provides you with a wimpy 48 K/bps of DDoS power
    2. Comcast Cable Modem netblocks, where the user's average 384 K/bps upstream bandwidth takes an average of 6 seconds to scan and provides you with a beefy 4,000 K/bps downstream DDoS power.

    The numbers quoted above should be accurate enough to get the point. AOL hosts take far longer to compromise and provide far less "bang for the buck". No wonder they're compromised a smaller percentage of time.
    • What you're missing is the whole "economies of scale" concept. If someone is "acquiring" a botnet of 10,000 computers that is quite a lot of bandwidth even if all of them are providing a "wimpy 48 K/bps of DDoS power."

      Remember: most zombies involved in a DDoS attack are simply opening a connection, sending a malformed request then closing the connection. They aren't playing FPS games or downloading porn, so high bandwidth isn't really required. What is required is a vast diversity in IP address so th

      • What you're missing is the whole "economies of scale" concept. If someone is "acquiring" a botnet of 10,000 computers that is quite a lot of bandwidth even if all of them are providing a "wimpy 48 K/bps of DDoS power."

        Good point, and one that I didn't miss. My point was, if you can scan any IP block range you want to, wouldn't you start (and likely finish) with Comcast Cable's instead of AOL's? All of them are obviously of value, but the Comcast ones give far more value and are far faster to scan.
  • AOL had a lower rate of zombies, by far, than Comcast or Verizon. So there's a correlation between speed (and duration) of connection and rate of zombies. Whoa, there's a surprise.
    • This is due to AOL filtering port 25 traffic on their network, which is the primary way these worms propagate.

      If Comcast, Verizon and others started filtering all SMTP traffic from their DUL customers (except traffic to their authorized relays), the infection rate of PCs would drop exponentially.

      Despite what the report may indicate, AOL has one of the best anti-spam processes of any major ISP. Even Earthlink, which constantly advertises about how much they care about stopping spam, still lets their custo
  • by Evil W1zard ( 832703 ) on Thursday June 16, 2005 @11:48AM (#12832692) Journal
    Too bad AOL's spyware and firewall don't block the spyware that is AOL inherently... Here is how my AOL experience has gone.. 1. Install AOL software 2. Realize AOL software stinks and sends out all kinds of info back to AOL that I dont want them to have. 3. De-install AOL software. 4. De-install AOL software again after it reloads. 5. De-install AOL software again after it reloads. 6. Use a thermite grenade on my box because AOL angers me.
  • The "Average Joe" user isn't able to monitor their own PC for spyware, virus, or bot activity. I worked for my school's student computer repair group and I'd have to say 90% of the issues we had were related to viruses that were passed through AIM and email and spyware choking the systems to a halt. The other 10% were legitimate hardware or software issues (such as Windows imploding on itself or a NIC going bad).

    Our school even gives out "free" (as in hidden in our tuition costs) copies of Norton (really
    • Do you really want to allow an ISP to search your PC?

      What if this was a corporate laptop? The CEOs laptop? Configured to only VPN into the corporate network, and the scanner breaks something?

      Do you want to fight those lawsuits?

      I would just disconnect those users, and let them go to my competitors, except that there are too many idiots and any good ISP would soon go out of business that way. Plus, charging for reconnection has exactly that effect. Maybe ISPs should charge for outbound bandwidth by the byt
  • by brockbr ( 640130 ) on Thursday June 16, 2005 @12:04PM (#12832824)
    The blurb says Earthlink is not in the top 20. Mindspring, listed as 17th most infected, is Earthlink.
  • Groovy (Score:2, Funny)

    by berbo ( 671598 )
    I don't understand the report, but that graphic is way cool. Can I get a black light poster of that?
  • by Dachannien ( 617929 ) on Thursday June 16, 2005 @12:14PM (#12832902)
    What is really needed is a system that performs automatic blacklisting based on a report-confirm-block scheme. That is, a customer or a bottom-level ISP becomes the target of a DDoS attack. It reports the IPs of each attacker to its service provider, which reports to its service provider, and so on, up. If an IP address corresponds to an ISP that receives a report, then the ISP examines the traffic originating from that IP address locally (as locally as possible, to distribute the load so no one routing device gets overloaded), determines whether the traffic constitutes participation in a DDoS attack, and if it does, blocks the IP locally.

    Eventually some of the reports will reach backbone providers. At the top, IPs are reported to peers, which then route the reports back down to the local ISPs, who confirm the report and block the IP address locally. The problem then shifts to the end user, who must take responsibility for his or her machine and keep it secure.

    Obviously, compliance is an issue, but this can be solved by having a higher-level provider begin blocking lower level subnets if the lower-level ISP does not comply with the mitigation request.

    This scheme is in every ISP's interest, since backbone providers can reduce traffic and thus costs (carrot incentive) while smaller ISPs must comply or be blacklisted (stick incentive).

    Now all we need is for a smart person to write up an RFC. :)
    • ISPs can already detect incoming DoS attacks and offramp them with existing tools and a few ISPs are now offering automated blocking to their enterprise customers. They can also easily generate a list of zombies in their network. The real problem is notifying infected machine owners and dealing with the customer service aspect costs too much money and is generally not worth the return.

      • This is about improving detection and mandating compliance. If current attack detection were sufficient, DDoS wouldn't be a problem, so obviously something more is needed. You indicate that the CS issue is one reason why small ISPs don't want to deal with blocking end users unless they have to. Having a system where their upstream provider blocks part or all of the small ISP's network space if they don't comply helps to solve this issue.

        One way to mitigate the impact of increased CS calls is to route we
        • You can't mandate compliance by writing an RFC. I don't think the money an ISP could make redirecting to a antivirus manufacturer would recoup their losses from customers who move elsewhere because of the inconvenience or from paying all the people they need to answer the phones and tell customers why they are being redirected or to explain to them why the automated system thinks they have a worm. Give it time, eventually the automated tools will mature to the point that the cost is not as bad and, hopefu

  • I think this "story" is the second or third infomercial for Prolexic. Do the Slashdot editors have some kind of personal stake in the company?
  • The main way these worms spread is via e-mail and I've found one of the best long-term ways to stop it is to refuse any port 25 traffic from broadband IP space (that shouldn't be running a mail relay).

    I know MAPs has a good DUL list, but I refuse to pay a fee to try their RBL without first seeing if it will affect my clients' legitimate e-mail, so does anyone have any good sources for free DUL RBLs?

    IMO, all legitimate mail relays should refuse SMTP traffic from cable, dsl and other inappropriate IP space.
    • Yeah, because no one runs their own mail servers. Wait, I do, and I know many people that have mail and web servers on cable and DSL connections. That's what the Internet is about, you know, being able to connect to other people any way you want.
      That being said, some of the things we do is attempt a tit-for-tat connection to an email server... if someone tries to send us mail, we ask if they accept mail, and if so, there's a good chance that they've got a legit server. That cuts down on a ton of bad con
  • is Earthlink. It is the Sprint DSL service which gives you Earthlink as your ISP. All dialup sprint customers were given to earthlink back in 1999.

    Mindspring and Earthlink have merged so they also should be considered the same. Which would give Earthlink 4.25% (combine sprint and mindspring) for the US at spot 7 or 18-19 for the World. Heck, just redirects you to now.
  • I'm speaking as a network operator here. While it is easy to slam AOL for the lowest common denominator that is their customer-base, I have to say that actually dealing with AOL as a peer network operator is a pleasure. They are easy to get in touch with, they respond to abuse issues swiftly, they work with the other people in the operations community very well.

    I can not say the same for many others (AT&T) ( who seem to be completely unable to generate useful abuse reports, or respond to thos

"It's my cookie file and if I come up with something that's lame and I like it, it goes in." -- karl (Karl Lehenbauer)