50 ISPs Harbor Half of All Infected Machines 140
Orome1 writes "As the classic method of combating botnets by taking down command and control centers has proven pretty much ineffective in the long run, there has been lots of talk lately about new stratagems that could bring about the desired result. A group of researchers from the Delft University of Technology and Michigan State University have recently released an analysis of the role that ISPs could play in botnet mitigation — an analysis that led to interesting conclusions. The often believed assumption that the presence of a high speed broadband connection is linked to the widespread presence of botnet infection in a country has been proven false."
Duh. (Score:4, Insightful)
Well, since Verizon and Comcast harbor 10% of all user customer PC's all by themselves, this is not so impressive.
Re: (Score:3, Insightful)
Well, since Verizon and Comcast harbor 10% of all user customer PC's all by themselves, this is not so impressive.
I was thinking the same thing. What percentage of all PCs doe these 50 ISPs "harbour"? If it is arround 50% there's no story.
Re:Duh. (Score:5, Insightful)
I'm guessing far fewer than 50%... while I could be wrong, the point they're trying to make is that a handful of small ISP's which don't seem to pay attention to security are a major source of the problem.
While I know it'll have a bunch of the net neutrality folks up in arms, it's relatively trivial for an ISP to redirect all outgoing traffic on port 25 through their internal mail servers, and to run server-side anti-virus on all outgoing mail. They can go one further, and rather than blacklisting potential viruses, they can work off a whitelist of allowed senders (sender e-mail address, in the case of my ISP), and require secure authentication to relay. My own ISP does exactly that, and while somewhat draconian it doesn't really affect the average user, and, when coupled with a blacklist of known viruses, it does take a significant chunk out of the potential to cause harm to others if you get infected yourself.
Re:Duh. (Score:4, Interesting)
Unfortunately I've worked for several ISPs that had the bad habit of enforcing the following:
Let's just say there were plenty of issues with users who couldn't figure out how to set things up on their own, not to mention users who found out the hard way that large attachments caused their emails to bounce (somewhere in the 10-15 MiB range IIRC).
Personally I'd love if there was at least an option for completely unfiltered access (perhaps even proper reverse lookup to deal with the idiots who think reverse lookup is a good way to deal with spam (hint: it's not, way too many legit companies have multiple hostnames on their mail servers or use a third party's mail relay for this to work well, it just gimps email)). Now. I'm not saying this should be for everyone, filter by default but give users an option to turn the filter off completely but display an overly clear "don't do this unless you're absolutely certain you know what you're doing" message that includes a warning about how the ISP will shut them down in a nanosecond if they get any legit spam reports. That way those who really want/need unfiltered access can have it while the rest of the users can enjoy the walled garden.
Re: (Score:3, Insightful)
While I largely agree, I am of the opinion that large mails are a bad idea. That said, email is no longer a communication protocol, but an idea/data sharing platform.
Client side mail programs and the antivirus that go along with them tend to fail when dealing with large mails, so the technology has not caught up with the new usage patterns that are emerging.
This is especially true for areas where people do not have "true" broadband and the timeout issue crops up. What I have seen happening is that the mail
Re: (Score:3, Insightful)
I have often used e-mail to send photographs to people. No, I don't want to set up an "online photo-album" or other such thing, I just want a mail-equivalent for the Internet. Given this requirement, e-mail is the best system available.
Care to explain the difference?
Re: (Score:2)
I have often used e-mail to send photographs to people. No, I don't want to set up an "online photo-album" or other such thing, I just want a mail-equivalent for the Internet. Given this requirement, e-mail is the best system available.
Care to explain the difference?
Re the difference:
Email has previously been a means of communication only. Similar to writing letters and the like. Gradually email has been used to send content along with the letters.
Lately I see more and more people using email almost as a collaboration tool, architects or engineers (many among my clients are) use it to send plans or technical drawings to each other.
These technical drawings can cause mails to be ridiculously huge.
Then graphics designers also tend to send huge images and design studies to
Re: (Score:2)
Why would you want to send mail from a residential IP? The vast majority of big mail servers will simply block your messages. What's the point of email if you don't have reliable delivery?
If you want to access your own mail server running elsewhere, it should be trivial for it to allow inbound connections requiring smtp auth on a port other than 25.
Re:Duh. (Score:4, Interesting)
Why would you want to send mail from a residential IP?
Because it should be possible.
The vast majority of big mail servers will simply block your messages.
I've found it's more like a minority, and I've even encountered a few that block large swaths of IPs that they have tagged as "residential/dynamic" but will let incoming emails through if there's a proper matching SPF record.
What's the point of email if you don't have reliable delivery?
It's only unreliable because some admins are lazy. And boy, it sure is fun when an IP that's been a static business IP for years suddenly gets blacklisted as "dynamic residential"...
If you want to access your own mail server running elsewhere, it should be trivial for it to allow inbound connections requiring smtp auth on a port other than 25.
It's still just a workaround that doesn't need to be done if the ISP handles its network properly instead of just randomly blocking ports for shits and giggles. And most only block outgoing port 25 so it's pretty easy to set up your MTA to send via their relay and run the MTA locally anyway, but this still retains the problem of the ISP filtering and messing with outgoing email (as well as the potential loss of outside access if their SMTP relay decides to go down, and I've seen enough ancient Solaris machines handling customer email to have a strong distrust of ISP SMTP relays, it shouldn't be "normal" for it to go down at least 1-2 times per week if you have tens of thousands of customers).
Re: (Score:2)
Sending mail should be possible - use your ISPs smart host. I don't see any advantage for you in being able to directly connect to other mail servers from a residential IP, and can see lots of disadvantages where ISPs permit it en masse.
Have you ever run a mailserver for a business? It's not lazy to have tight spam controls - it's business sense. Spam costs money. For a couple of hundred accounts I see days with over 150,000 spam messages coming in. Users couldn't do their job if that were to be landing in
Re: (Score:2)
Sending mail should be possible - use your ISPs smart host.
Yes, I already run my own MTA at home, it just bugs me that I'm being sold an internet connection that is limited by my ISP.
I don't see any advantage for you in being able to directly connect to other mail servers from a residential IP, and can see lots of disadvantages where ISPs permit it en mass
From my point of view there are definitely advantages.
Have you ever run a mailserver for a business? It's not lazy to have tight spam controls - it's business sense. Spam costs money. For a couple of hundred accounts I see days with over 150,000 spam messages coming in. Users couldn't do their job if that were to be landing in their inbox. Filtering residential IPs will knock off 90% of that spam.
Yes I have. And of course spam filtering makes sense. But our spam filtering doesn't just rely on "ooh! this IP is in our 'residential' list! let's drop/bounce it!" but we have had issues with others blacklisting our primary external mail server's IP as a "residential" IP thereby making it impossible for us to send emails to them (a
Re: (Score:3, Informative)
Use port 587 with SMTP AUTH. Gets around outgoing 25 blocks. It's not "open" in that you have to authenticate with the SMTP server so you're accountable for traffic using your credentials. If you colo yo
Guess I'm lazy then. (Score:2)
I guess that makes me lazy. Oh well.
It is possible. It's just unlikely that your email will be accepted. If you're sending from a "home/dynamic" range, then YOU have to take the extra steps to distinguish YOUR email from the (literally) BILLIONS of spam messages coming from that same range. Or you can blame the admins who have to deal with those BILLIONS of spam messages.
Re: (Score:2)
> Why would you want to send mail from a residential IP?
CenturyLink's mail service is managed by incompetent boobs (they contract it out to some outfit called "Bigfoot"). Fortunately, Newsguy provides me with excellent service. However, this requires me to connect to Newsguy's mail servers via SMTP.
Re: (Score:2)
It's trivial to allow authenticated smtp connections on a port other than 25.
Newsguy allows you to connect to them on 110, 8100, 995 (SSL) / 25, 8025, 465(SSL)
I fail to see why your ISP blocking 25 should impact you.
Re:Duh. (Score:4, Insightful)
Spoken like a gmail/yahoo/hotmail web user. Sorry, I actually use a real email client, and send/receive emails to and from multiple email accounts all from my one email client.
See there is this thing called an email standard, and that standard specifies port 25 is used for that purpose. Maybe a better standard needs to be made, but until then I want my ISP to leave port 25 alone. If they catch me sending spam from it, feel free to send me an letter and email and block the port temporarily.
Re: (Score:2)
I use Thunderbird with a gmail account over SSL, and it works just fine.
The SMTP standard defines that for use of servers. E-mail clients usually use POP or IMAP protocols, which use ports 110 and 143 respectively. So no, y
Re: (Score:2)
The SMTP standard defines that for use of servers.
Yes. It's quite clear to me that both Albanach and KingMotley are talking about ISPs blocking outgoing connections from customer's computer, arbitrary port to customer's (or recipient's) mail server elsewhere, port 25.
What you say about my home ISP requiring me to file a request to host a mail server on port 25 is spot on. But what you perhaps don't realise is that some ISPs operate on the basis that if you want to send e-mail from your home computer, you use webmail or you use the e-mail account which the
Re: (Score:2)
You really shouldn't try to correct someone when you don't even begin to understand what you are talking about.
Port 110 is for POP3, which is for RECEIVING email from a server.
Port 25 is for SMTP, which is for SENDING email (from a client OR another server).
I suggest starting to read here: http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol [wikipedia.org]
Re: (Score:2)
As a side note, I tried thunderbird. It sucked. It dies on the install if you try to import multiple email accounts as it tosses up multiple modal dialog boxes that you can't respond to any of them. Once you get passed that, it doesn't even have a threaded view of emails, doesn't sync with iTunes easily, and has a very limited amount of fields for contacts. Even my mobile phone has more fields than that which makes syncing a pita.
I wished it worked well, and I've tried looking for an open source email c
Re: (Score:2)
Re: (Score:2)
Sorry, I guess I'm still amazed at how little people actually know that read slashdot these days.
No, I am not running an email server, I'm using an email client that uses SMTP/POP3 for sending and receiving email.
Not knowing what/how POP3/SMTP work, what are you? In preschool? Or are you one of those people that think the blue e is the internet?
Re: (Score:2)
RFC-822 reserves port 25 for sending mail.
Re: (Score:2)
Gmail is one of the accounts I pull into my email client (smtp.gmail.com / pop.gmail.com), so gmail filters out spam for me before my client even sees them and does it's own filtering.
I also have an email account (my main one) that I've had for the past 25 years.
I also have my ISP account which I get periodic notices of stuff on.
I also have a few accounts (for gaming, etc) in which I want to keep completely separate from my others.
I also have one (or more) email accounts at my places of work (which change e
Re: (Score:2)
large attachments caused their emails to bounce (somewhere in the 10-15 MiB range IIRC)
If you're sending 10MB attachments via email, you're doing it wrong. Most email servers have an upper limit around 10 MB... converting that email attachment to email format makes it about 30% larger... so anything over 7.5 MB can be problematic.
Email was never designed for large attachments. Send a link. Use FTP. Find another method out of the 10,000 different ways you could do this.
Re: (Score:2)
Great, you have a plethora of solutions (as do I), now please explain to someone who spends his/her days using Internet Explorer, Outlook, Excel and a handful of other "office drone tools" how to upload files to an FTP server. Oh btw, if it isn't done in exactly the same way as creating an attachment in Outlook they will never learn. These are the kind of people who call and mail software developers to complain when the "Print" and "Save" buttons have swapped places because they "can't find the print button
Re: (Score:2)
Re: (Score:2)
Well, I would think they have a choice between:
1) use an appropriate tool, maybe learning something
2) Not working.
Most users I know, even the very office dronish ones, prefer tools that function vs not.
Re: (Score:2)
Yes, it's called a business class account with a static IP. Or a dedicated line like a T1/etc. With those, you can do whatever you wa
Re: (Score:2)
No. Quite the opposite. A small number of very large ISPs are a major source of the problem.
Re: (Score:2)
Better solution: block the commonly exploited ports (25, 80, etc.) for users by default, and offer them an option on the website to enable them.
This blocks the flow of malware, but still preserves neutrality.
My ISP (iiNet) does this and it works extremely well, IMO.
Re: (Score:2)
This is the same website that handles billing. If it's that easy to hack, the ISP has bigger problems.
Re: (Score:3, Interesting)
Do either of them filter outbound smtp?
It still amazes me that residential broadband connections don't filter this as standard. I guess while it's technically easy, it's all about cost, and it's cheaper to leave a customer running an infected machine than have them call your helldesk.
Re: (Score:2)
Filter, or block? I run my own mail server, you insensitive clod!
Re: (Score:2)
$ vi /etc/postfix/main.cf
relayhost = smtp.example.com
Re: (Score:2)
Handling Verizon DSL home service's TOS for the past decade, I thought their ban on "servers of any kind" was enforced for these obvious things.
In practice, I can "host" games like Unreal Tournament and not get shut down, but the ISPs ARE dropping inbound port 80 traffic to encourage a costly "business plan" upgrade. Still, it's unsettling that they won't put their foot down and disconnect bots like colleges dorm policies do nowadays.
Regardless, I'm spammed thru e-mail headers from of US broadband bots an
Re: (Score:2)
hey Americano, are you thinking 10% nationwide or globally?
Because bots, (hope this is not a shocker for you) are global problem.
And 10% of global PCs with broadband in Verizon? I don't think so.
Re: (Score:2)
Comcast + Verizon accounts for approximately 5.5% of the WORLDS connected users.
Comcast + AT&T accounts for approximately 7.2% of the WORLDS connected users.
The top 10 ISPs account for 39% of the WORLD connected users, so this story is backwards. One would expect the top 50 ISPs to have much more than 50% of the spammers.
TOP 10 ISP's in the world (accurate to +- 2 million):
China Telecom (55 million)
China Unicom (41 million)
NTT (18 million)
Comcast (18 million)
AT&T (15 million)
Deutsche Telecom (12 mi
Re:World's users (Score:2)
Awesome post.
I just wanted to drill out a moderately insightful First Post.
(Look! Very little trolling this thread! "Correlation wants to be related to Causation!")
Glad to know my lightning guess wasn't ludicrous.
Re: (Score:2)
Last time I checked, 5.5% was way lower than 10%.
Glad that you're still feeling well. Yes, in FP category this was definitely a +5.
Re: (Score:2)
No, those numbers do not count dialup users. Just broadband.
In this context, dialup users are pretty insignificant as they aren't always on and don't have the bandwidth necessary to mass infect other machines undetected.
Re:Americano (Score:2)
Sure, I'll grant you caught me on -1 Nationalism, but I did guess low with zero data and hoped.
The big surprise is I had no idea China had that many users.
Use similar viruses/code to cleanse them. (Score:2)
Re: (Score:1, Informative)
Umm...somebody tried this a number of years ago. It was called the W32.Welchia worm. It tried to download and install a well-known security patch from Microsoft,
It didn't make anyone particularly happy, particularly security admins.
Re: (Score:2)
Re: (Score:1)
I got caught by Welchia following a reinstall of Windows 2000. I forgot to install a firewall before getting the updates from MS. It took about 30 minutes before Welchia installed itself.
Re: (Score:2)
Obvious solution (Score:4, Funny)
Re: (Score:1, Redundant)
"Meme over, man! Meme over!"
Re: (Score:2)
"I say we take off and nuke the entire site from orbit. It's the only way to be sure."
The problem is trying to find a technical solution to a personal problem. Users will not exert the effort to make their machines secure unless and until they perceive a destructive threat to their personal PC.
We need destructive malware in abundance, so improperly secured machines are taken out of action and the remaining ones build an immune response. Since most computers are used for entertainment, no great loss if a bun
Re: (Score:2)
We're a small ISP and we pretty much do just that. We do not filter extensively, we are very quick to respond to abuse@ emails and disable whichever customer is infected instantly. It really didn't take long before most of our user base made the connection: Infected pc = disabled Internet.
Overall, I think the cost of educating our users was the cheapest alternative. I really don't get why other ISPs don't see it that way.
Re: (Score:2)
Re: (Score:2)
I only remember one such cases. We actually explain that unlike big megacorp, we can afford to warn our customers and treat them like human beings. They are typically quite grateful. Especially since they tend to notice their computer working a whole lot better once they have it cleaned up.
Makes sense (Score:2)
I mean 50 is half of all the ISPs anymore anyways. Ta dit boom.
Re: (Score:2, Insightful)
The study (linked to from the fine article) was of 200 ISPs, so 25% of ISPs are responsible for 50% of infected machines. Not surprising at all.
Re: (Score:2)
25% of ISPs, but not necessarily 25% of users.
Dialup Users? (Score:1)
"the presence of a high speed broadband connection is linked to the widespread presence of botnet infection..... has been proven false."
What's this mean? That we can blame dialup users? The article hints that's the case when it says most infected computers are from poor households.
Re: (Score:3, Insightful)
Not linked with high speed broadband != Linked with dial-up.
And low education is not necessarily linked with dial-up. Here in Portugal we have 12mbps for 20/month, which is affordable by most people, and yet we have terrible education levels compared to the rest of the EU (81% of the working population only have lower basic education levels).
Re: (Score:2)
"No Speak Americano" ;-)
But serious: You're right that I jumped to a bad conclusion where poor==dialup. (hits self). Here's what the article actually concludes: "Higher education levels in a country are also conducive to a lower level of infection." And vice-versa presumably.
agressive removal tactics (Score:2)
Combat these botnets through some type of mandatory scan and removal tool from their ISP or Microsoft, and also through some tool installed with Windows Update that runs immediately. Not sure exactly how this would be accomplished, but it would be a start.
Re: (Score:3, Informative)
You mean like the Malicious Software Removal Tool [microsoft.com] which is already offered through Windows Update as a critical update? Or Microsoft Security Essentials [microsoft.com] which either is or will shortly be available through Windows Update as a recommended update?
Re: (Score:2)
Re: (Score:1)
Err, no. First of all it is an optional update through Microsoft Update not Windows Update. So the user has to have chosen to switch to the Microsoft Updates which will update other MS software installed on the PC eg Office. Secondly it is only offered to users who are not already running A/V software.
Re: (Score:1)
Or Norton Security Suite, which is available for free for Comcast subscribers?
OK, so it's not mandatory, but at least it's free, and you gave me the opening to mention it for any Comcast users who might not be running current AntiVirus to save money (or might be wasting money buying a Norton subscription when a FREE one is readily available to them).
No more excuses, my fellow Comcasters, it's FREE (*).
http://security.comcast.net/norton/resi/?cid=NET_33_258 [comcast.net]
(*) "FREE" means "included with your overpriced, ove
Re: (Score:2)
Say what you will about Norton, but it's a shitload better than nothing
A false sense of security is worse than no security at all :)
Re: (Score:2)
I wouldn't use Norton if you PAID me to do it.
Re: (Score:2)
And you think our average Joe even knows what the Windows Update Center is, goes there, checks the optional updates, selects the software and installs it?
Really? I'd like to see that.
IMO, unless that thing comes as a critical update, that installs without question, it could as well not be there at all. Make nearly no difference.
Re: (Score:2)
http://it.slashdot.org/story/10/10/08/006240/Microsoft-Eyes-PC-Isolation-Ward-To-Thwart-Botnets [slashdot.org]
Re: (Score:2)
"Combat these botnets through some type of mandatory scan and removal tool from their ISP or Microsoft, and also through some tool installed with Windows Update that runs immediately."
I run Mac OS X, you insensitive clod!
Is there a list? (Score:1)
Re:Is there a list? (should be) (Score:1)
Is that too much to ask for? I`d love to block as many as I can.
I don't think it is. And I'm not sure why there isn't a routing option that allows ISPs to apply a metric against a variable like "network naughtiness". Flapping routes can get blackholed -- why not naughtiness? How 'bout it science?
Wrong way of looking at the problem (Score:4, Interesting)
The real shocking truth here is that one single OS harbors the vast majority of botnets and viruses. That OS should be the real target, not ISPs or poor users or something. Sheesh...
Re: (Score:2, Insightful)
Re: (Score:3, Interesting)
Fix the OS, and botnets will pop up on a different OS
That is indeed the common wisdom. However, somehow I'm not convinced that's entirely true: Linux and MacOS machines have been around for a long time, and even if the represent a small (albeit growing) segment of the market, they're there and you'd think many pieces of malware would have cropped up on these platforms already. Yet it just hasn't happened: there are some, but nowhere near what you'd expect if the latter OSes were as insecure as Windows.
The o
Re: (Score:2)
Re: (Score:2, Insightful)
Re:in 25 years Microsoft still hasn't figured out. (Score:1)
indeed...i've had theunpleasant experience while traveling to need to set up a c2c wifi cnxtn on a pc that uses an at&t gsm dongle 4 its internet access:-P after enabling that network device to share its cnxtn, i setup a c2c.
then on my mac i connect...but then the pc tries 2 disconnect the gsm:-\ and after i'm finished w/ the cnxtn, the pc forgets it's a c2c, and adds it to its wireless list, making it unavailable 4 c2c, even tho i've told it 2 remember it...
no wonder micro$serfs r so sorry;-}
Re: (Score:2)
Re: (Score:2)
You responded with a 2004 article from some unheard-of company, which was subsequently trashed because people knew it didn't make sense? Are you kidding me? I do this for a living.
From the article you quoted:
There are trade-offs to removing administrator rights. For instance, standard users typically can't install software and use applications that require elevated privileges
Now how does that translate to the home environment? That's right, many home Windows users (and many corporate users) are admins. In the corporate world, the UPS software as well as many other Windows software requires admin rights to run. Some software packages restrict the v
Re: (Score:2)
I don't think this is Troll (but I posted earlier so no modpoints). I think it's a very valid point.
The human brain OS? (Score:1)
If you want a single unifying factor behind botnets, look for things like greed and the like on the part of the botmasters.
Unfortunately those are a lot harder to combat than technical measures against infected computers.
Re: (Score:2)
Actually, one single planet harbors all of the botnets, viruses, and Justin Bieber fans. That planet should be the real target, no operating systems or poor ISPs or something. Sheesh...
Sandbox (Score:2, Interesting)
Re: (Score:2)
Re: (Score:2)
Wont work for the 1000s of people using home routers with NAT to allow connection of multiple devices with a single world-facing IP address.
Botnet sans broadband? Seen it already... (Score:4, Interesting)
* Naturally, my ssh denies all root attempts. Even if they got the password right they wouldn't know it, because the rejection would be the same. Other botnets have tried whitepages-style attacks using long lists of common user names and not matched any allowed users on my system as well.
** Yes I know I could just change my ssh port and much of this would go away. But I find it amusing and I have bandwidth to burn.
Re: (Score:2)
Do you also have your daily/weekly log reports set to separate the chaff from the wheat so you can distinguish between worrisome attempts and the background noise?
The biggest reason to move the port - it cuts down on the message log spam, which often drowns out more important information. If I see attempts on my custom port #, I know I need to take a closer look.
(Second bi
Re: (Score:2)
I have a home server exposed to the wild internet by only port 22. It's an old machine, and it only allowed a single authorized user to log in, only with key authentication, not password. Nonetheless, the attacks would sometimes come in at such a rate that
Re: (Score:2)
face it, denying an authentication doesn't cost much bandwidth, but it can take a few cycles to fail to authenticate a key.
That is true. However, at the rates that I am usually attacked the CPU usage is trivial. Denying one attack every minute (that is the high end) doesn't do much to my meager P4, and denying one every 20 minutes (as in at this moment) barely counts as noise.
If the attack frequency suddenly picked up dramatically - which I don't expect to happen on my server - then I would be concerned. But right now I'd say slashdot uses more of my home bandwidth (and CPU time) than the distributed attack does.
Re: (Score:3, Informative)
Naturally, my ssh denies all root attempts. Even if they got the password right they wouldn't know it, because the rejection would be the same. Other botnets have tried whitepages-style attacks using long lists of common user names and not matched any allowed users on my system as well.
I usually recommend disallowing password-based authentication, and permitting only key-based logins.
Re: (Score:2)
That said, 1 per minute suggests it's either a very small botnet or someone renting a little capacity on one of the bigger ones. If you were the target of a well developed one you'd see a lot more traffic than that. :)
I don't kid myself into thinking that my webserver is an important target. There is nothing of great value on there. I fully suspect that someone was trolling through a very long list looking for open SSH ports and picked up on my server; I am now on a long list of IPs that they try periodically when they have a chance. Likely they are just doing this trying to find more systems to add to their botnet...
If I had another IP address it would be fun to put a windows box up running cygwin openssh - then t
very flawed logic (Score:4, Interesting)
One big problem with this logic is that it is based on IP addresses analyzed from captured spam. The problem with that is some major ISPs (including AT&T) are blocking access to out-of-network e-mail servers, and doing other things to make it difficult for even their legitimate customers to send legitimate e-mail. So this method of knowing where the botnets are would completely miss major botnets if they are unable to get spam out efficiently.
You may say "Why does that matter as long as the spam is stopped?", but it matters a lot. The machines are still infected and could be used for other things, from denial of service attacks to hosting and spreading kiddy porn to just watching for private data to go by (like banking information and credit card numbers) and report them directly back to the control system. Making major judgments about botnets based only on IP addresses seen in spam is short sighted and foolish. And it also assumes that all botnets are honest enough to not forge IP addresses. Any smart botnet could easily forge the IP address the spam is coming from, to make it that much harder to find. If a clever bot just changed the fourth or even third and fourth part of the IP address and replaced it with a random number, the botnet would look much larger than it really is and make it much harder to track back to the infected machine, but would not be easy to detect by comparing the supposed source IP and the SMTP server from outside the network.
Re: (Score:2)
Look up in the sky! (Score:2)
Simple (but not easy) solution (Score:3, Interesting)
There is a simple solution to the problem. Unfortunately, being simple does not mean it is easy.
1) ISPs by default implement some basic filtering:
1a) do not allow access to port 25, save to their own servers
1b) do not allow inbound nor outbound access to certain "LAN only" type services (e.g. NFS, SMB/CIFS, etc.)
2) NOTA BENE: ISPs SHALL allow users to elect to bypass these filters, but:
2a) This shall require action on the part of the account owner.
2b) Upon doing so, the account owner SHALL be responsible for their actions
2b.i) The ISP SHALL provide a contact mechanism (e.g. WHOIS record for that IP) that notifies both the ISP and the account holder of abuses.
2b.ii) The ISP SHALL act on complaints if the user does not.
2c) The action to disable blocking SHALL be done in a way that prevents a bot from doing it (e.g. require a phone call to the ISP, or a Turing test, etc.)
3) ISPs SHALL look for "infected" behaviors, like port scans, BEFORE the traffic leaves their network (remember people, the term "firewall" comes from building codes, where a building is supposed to have MANY levels of firewall. ISPs should be no different).
3a) such behaviors SHALL be investigated, and potential infectees quarantined and the owners contacted.
4) ISPs SHALL be required to address complaints
4a) The SHALL be required to have an automated means to report such abuses. No, Web pages don't count.
4b) ISPs that fail to address complaints SHALL be listed in such a way that other entities can block them (e.g. DNS-RBLs).
For too long ISPs have been able to externalize the costs of infected machines. Obviously, any cost a business can externalize will be externalized, and thus the business won't handle it. The solution is to force the costs of infected machines to be internalized to the ISPs. They will, of course, bitch mightily about this - again, no business will allow a previously externalized cost to be internalized without a fight.
Who are they? (Score:5, Insightful)
Who are the 50? Publish the names and IP ranges and let the admins loose on them.
Re: (Score:2)
127.0.0.1, 192.168.x.x, etc. :P
One solution... (Score:2)
Forget about holding the ISPs responsible. There are some defective users and defective products allowing this to happen. If someone is found to be harboring a bot node on their home computer, hold them liable for statutory damages, much like the RIAA sues people for. If those people can demonstrate that they made a reasonable effort and followed accepted guidelines in maintaining their computers, then take the fight to the manufacturer, since the product is clearly defective. We need a New DMCA that holds
In other news... (Score:2)
Re: (Score:2)
NO, it's 50 ISPs. This is significant because it had been claimed by some that most bots were distributed among the thousands of small (and suppoesedly poorly run) ISPs. The fact that most bots connect via a small number of large ISPs means that changes in policy at those ISPs can have a large impact.