NETI@home Data Analyzed

An anonymous reader writes "The NETI@home Internet traffic statistics project (featured in Wired and Slashdot previously) has a quick analysis on the malicious traffic they observed. It's a rough world out there." Perhaps not surprising, but still disheartening, the researchers find among other things that a large portion of typical end-user traffic consists of malicious connection attempts.

18 of 155 comments

  1. Considering.. by Renraku · · Score: 4, Insightful

    Considering these malicious programs aren't following any kind of 'standard' to reduce bandwidth utilization when checking over entire subnets of IPs that have been checked by 100000x other copies of the virus, it doesn't surprise me one bit.

    It would be like setting up a massive feedback loop on a mail server. When user X gets message X, he passes message X to user Y, who upon receiving message X sends it back to user X.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  2. Not necessarily a Bad Thing... by KC7GR · · Score: 3, Insightful

    ISPs could use this data to great benefit, if they'd put out some effort.

    Assuming that the statistics show which IP address ranges are the worst offenders for malicious traffic, the ISP(s) responsible could simply shut down the outbound connection(s) of the "problem" users until they de-virus their systems and KEEP THEM THAT WAY.

    Perhaps that will help to finally clue people in that having Internet connectivity is a privilege, not a right, just like driving. If you're going to enjoy an Internet connection you need to show some responsibility for making sure your own system isn't going to be a problem to others.

    I -still- think there should have been Internet user licenses, just like we have driver's licenses...

    Keep the peace(es).

    --

    Bruce Lane, KC7GR,

    Blue Feather Technologies

    1. Re:Not necessarily a Bad Thing... by eheldreth · · Score: 2, Insightful

      The problem is a large portion of those IPs are home users with dynamic addresses, which means if I am the next to get the IP my outgoing ports will be blocked because the last person ran Windows, er, I mean because they could not keep their PCs clean. And I am assuming the last part about internet usage licenses is troll baiting so I don't think I'll respond to that one.

      --
      The perversity of the Universe tends towards a maximum. - O'Toole's Corollary
    2. Re:Not necessarily a Bad Thing... by Anonymous Coward · · Score: 4, Insightful

      I'm pretty sure internet connectivity is neither a privilege nor a right. It's just a service, plain and simple. You pay ISP, they provide internet connectivity. You don't pay, you don't get internet. No rights or privileges involved.

    3. Re:Not necessarily a Bad Thing... by Brushfireb · · Score: 2, Insightful

      Would you really want to piss off 40% of your client base in one swoop? Average Joe doesn't care about this kind of crap, and he doesn't want his ISP forcing him to care either. He will cancel his account and move to someone else, or he will drive up support calls by calling to complain about the change.

      Any ISP who puts something like what you described in place is likely to lose customers in a hurry. Hotels/airports/coffee shops have transient, non-recurring customers, or the customers are there for something other than internet, so it's not as big of a deal there.

  3. Root of the problem by SamMichaels · · Score: 5, Insightful

    Ignoring all complaints about Windows, the root of the problem goes back to having access to the network in the first place. If ISPs would spend a few bucks on implementing passive traffic analyzers to search for the viral/trojan patterns and null route offenders, we'd clean things up pretty quick. Why do we have all these piracy probes going on to sue people and no infected probes going on to cut people's access?

    Now, stepping back to the Windows complaints...wouldn't the ISP turning off your access motivate you to get a BASIC education in computing and maintain your PC?

    To make an analogy, in most states you need to have your car inspected (and some require emissions inspection, too). PUBLIC roadways means you share it with other people...an unsafe car affects more than just you. When you're connected to the net, your PC affects everyone else. I'm not suggesting the ISPs make an inspection system or a law passes to force ISPs to monitor traffic, but the same logic applies....someone should be doing checkups and flagging the offenders.

    1. Re:Root of the problem by Politburo · · Score: 2, Insightful

      To make an analogy,

      You should have just stopped there. Analogies are fucking stupid. Car analogies even moreso. Just stop it.

      The reason why your analogy doesn't hold? Computers with viruses can't kill people. Cars with bad brakes can.

      someone should be doing checkups and flagging the offenders.

      If you want to pay for it, go right ahead. I don't experience any significant negative effects from zombie machines, so I am not willing to pay for such a system.

    2. Re:Root of the problem by nagora · · Score: 2, Insightful

      Computers with viruses can't kill people.

      Oops! Someone hasn't noticed the number of trains and ships running Windows. No danger of a virus killing anyone there, then.

      I don't experience any significant negative effects from zombie machines, so I am not willing to pay for such a system.

      Someone also hasn't noticed the amount of effort that goes into protecting his system from zombie machines. Perhaps he thinks firewalls were a gift from unknown stellar travellers and spam filters require no effort to create and update.

      Perhaps someone is a troll.

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    3. Re:Root of the problem by Anonymous Coward · · Score: 1, Insightful

      Yeah, but what ISP was it? Was it a good ISP, like Speakeasy, a small local outfit, or one of the biggies who thrive on the "don't know any better" crowd?

      I know Speakeasy polices their network for open SMTP relays, because I see it in my server logs. I don't know if they actively look for zombied machines, but I can tell you that they've pretty quickly shut off the connections of customer machines on their network that I've brought to their attention when I've seen obvious worm-related connection attempts in my firewall logs.

      I also know that the bigger ones, like Comcast and Verizon, don't really give a shit about that kind of stuff. I've even had another large ISP flat out deny that the machine I was complaining about was on their network, despite the fact that I look up who owns netblocks in ARIN's database so I know where to direct my complaints.

      And the grandparent poster is exactly right about why they don't give a shit-- because if they cut off some idiot's access because his machine got owned, that idiot is more likely to find another ISP that won't cut off his access rather than learn how to properly admin his machine. The big ISPs would rather let all their customers lose bandwidth to a zombied machine than risk losing the money they make from the guy who owns that zombied machine.

    4. Re:Root of the problem by glesga_kiss · · Score: 4, Insightful

      If ISPs would spent a few bucks on implementing passive traffic analyzers to search for the viral/trojan patterns and null route offenders, we'd clean things up pretty quick.

      Bollocks.

      They aren't running a network in their parents' basement, you know. Their networks are massive, with nodes LITERALLY spanning thousands of miles. The volume of traffic they deal with is HUGE. They use cutting-edge routers just to keep up with the demand.

      How on earth do you do traffic analysis on that level? You might be able to catch some of the more obvious spammers, but how do you differentiate (on the IP level) between: a) a residential user b) a commercial user who maildrops willing customers c) a zombie d) a community group or e) blah. Blocking someone based on traffic is not possible, unless you want to lose your valid customers.

      What they should do is be more responsive to complaints. If a customer of theirs is a zombie spambot or acting as a stepping stone for some script kiddie, they should have their connection suspended until it is remedied. But they can only do this based on a complaint.

      Besides, what's the profit in spending any resource on the problem in the first place? Until that is affected, they won't care about it.

  4. Standards for viruses? by MarkByers · · Score: 4, Insightful

    You can't impose a standard upon viruses. What will you do if a virus doesn't follow the standard? Find the author and punish them unless they fix it and release a new version that fully supports the standard?

    The only way viruses will ever get standards is if the authors agree that they will get a considerable benefit by working together. I can't see that happening.

    --
    I'll probably be modded down for this...
  5. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  6. Re:RBL of infected/malicious sites? by delirium+of+disorder · · Score: 4, Insightful

    Why can't you restrict access to ssh from the firewall? One solution could be port knocking. You only let your firewall open up ssh after a series of connections on pre-defined ports are made. So say you choose "233 457 69 876 2094 576" to be your "password". You would make a client that would connect to those ports in that order and only after that initiate an ssh connection on port 22.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
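The knock sequence described in the comment above, as an added example (not from the original post) of the firewall-side state machine: each source must hit the ports in order within a time window, a wrong port or a timeout resets its progress, and port 22 is only accepted while the grant is still live. The window and open duration are assumed values.

```python
from collections import defaultdict

# Knock sequence taken from the comment; the timings below are assumptions.
KNOCK_SEQUENCE = (233, 457, 69, 876, 2094, 576)
SSH_PORT = 22
KNOCK_WINDOW = 10.0    # seconds allowed to complete the whole sequence
OPEN_DURATION = 30.0   # seconds port 22 stays open after a correct knock


class KnockDaemon:
    """Per-source progress through the knock sequence plus a short-lived SSH grant."""

    def __init__(self, sequence=KNOCK_SEQUENCE):
        self.sequence = sequence
        self.progress = defaultdict(lambda: [0, 0.0])  # src -> [next index, first-knock time]
        self.opened = {}                               # src -> grant expiry time

    def observe(self, src, dport, now):
        """Feed one inbound attempt (source IP, destination port, timestamp).

        Returns 'allow' only for a port-22 attempt from a source whose knock
        grant has not expired; every other attempt, including knocks, is 'drop'.
        """
        if dport == SSH_PORT:
            return 'allow' if self.opened.get(src, 0.0) > now else 'drop'

        idx, started = self.progress[src]
        if idx > 0 and now - started > KNOCK_WINDOW:
            idx = 0  # sequence took too long: start over

        if dport == self.sequence[idx]:
            if idx == 0:
                started = now
            idx += 1
            if idx == len(self.sequence):
                self.opened[src] = now + OPEN_DURATION  # full sequence seen
                idx = 0
        elif dport == self.sequence[0]:
            idx, started = 1, now  # wrong port, but it restarts a fresh sequence
        else:
            idx = 0  # wrong port: reset progress, nothing is opened

        self.progress[src] = [idx, started]
        return 'drop'
```

Knocking only hides the SSH port from casual scans; it does not replace key-based authentication on the daemon itself.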
  7. Next Step? by merlin_jim · · Score: 3, Insightful

    Modify the Neti@Home client to do dynamic blacklisting?

    The biggest problem in Intrusion Detection Systems (buzzword for firewalls with more intelligence than a typical rule-based firewall) is that metrics gathering is occurring at a specific site, making it difficult to discern malicious intent from dropped packets or bad coding.

    Any time the central server sees a certain threshold of malicious attempts from a single IP, it adds it to a short term blacklist... Make the term length just slightly longer than the reporting period so if it persists it'll remain on the list but if it stops, the IP is cleared in short order.

    --
    I am disrespectful to dirt! Can you see that I am serious?!
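The short-term blacklist sketched above, as an added example that is not part of the original post or of the NETI@home project: a central aggregator counts how many distinct reporting sites flagged a source within one reporting period, lists the source for slightly longer than that period, and lets the entry lapse unless fresh reports keep arriving. The report line format, period, threshold and sample data are all constructed for this example.

```python
from collections import defaultdict

REPORT_PERIOD = 60.0              # seconds between client reports (assumed)
LIST_TERM = REPORT_PERIOD * 1.5   # slightly longer than the period, as the comment suggests
THRESHOLD = 3                     # distinct reporters needed before listing (assumed)

# Constructed report lines in a made-up key=value format; documentation-range IPs.
SAMPLE_REPORTS = [
    "t=1 reporter=site-a src=198.51.100.9 dport=135",
    "t=2 reporter=site-b src=198.51.100.9 dport=445",
    "t=3 reporter=site-a src=203.0.113.7 dport=22",
    "t=4 reporter=site-c src=198.51.100.9 dport=135",
    "t=5 reporter=site-a src=203.0.113.7 dport=22",
    "t=6 reporter=site-a src=203.0.113.7 dport=22",
]


def parse_report_line(line):
    """Return (time, reporter, source IP) from one constructed report line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return float(fields["t"]), fields["reporter"], fields["src"]


class CentralServer:
    """Aggregates per-site reports into a self-expiring blacklist."""

    def __init__(self):
        self.reports = defaultdict(list)  # src -> [(time, reporter), ...]
        self.blacklist = {}               # src -> expiry time

    def report(self, src, reporter, now):
        events = [(t, r) for t, r in self.reports[src] if now - t <= REPORT_PERIOD]
        events.append((now, reporter))
        self.reports[src] = events
        # Several independent reporters are required so that one site's dropped
        # packets or buggy client cannot list an address on its own.
        if len({r for _, r in events}) >= THRESHOLD:
            self.blacklist[src] = now + LIST_TERM

    def is_blocked(self, src, now):
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if expiry <= now:
            del self.blacklist[src]  # term elapsed with no renewal: cleared
            return False
        return True

    def active(self, now):
        return sorted(s for s in list(self.blacklist) if self.is_blocked(s, now))


def run(lines):
    srv = CentralServer()
    for line in lines:
        t, reporter, src = parse_report_line(line)
        srv.report(src, reporter, t)
    return srv
```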
  8. DSL/modem/router by FidelCatsro · · Score: 4, Insightful

    It's insane the amount of bandwidth this is sucking up (I remember a time when viruses and worms were relatively well programmed, still as bad but less collateral damage).
    I would like to see more ISPs, instead of supplying basic DSL modems with those overpriced sign-up deals, supply a proper firewall/router/DSL modem.
    This would save us all a lot of pain in the long run.

    --
    The only things certain in war are Propaganda and Death. You can never be sure which is which though
  9. Don't use SSH password authentication by SIGBUS · · Score: 4, Insightful

    You really should be using RSA or DSA keys instead of passwords. Hardly a day goes by that my systems don't get at least one script-kiddie SSH password guessing scan. Since I'm requiring keys for authentication, they're wasting their effort; if someone manages to crack a public key, we have far worse problems than password guessing.

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!

    1. Re:Don't use SSH password authentication by suitepotato · · Score: 1, Insightful

      You really should be using RSA or DSA keys instead of passwords

      Exactly right. It's almost trivial even under Windows to do it. Two factor should have been a standard years and years ago but as long as people can have four to eight digit passes which are easy to break, we keep seeing problems that shouldn't be there.

      Anyone notice that PGP has passphrases of quite possibly insanely large size? It's hard to remember some farked and leeted phrase chosen to confound brute force and guessing when you have ten different ones. It is not hard to remember verbatim a passage from your favorite book. What's the mathematical difficulty in breaking a password with over one hundred digits? I can type a forty digit pass right 99.9% of the time if it is a passage of meaning to me.

      Combine strong passwords and two-factor and you eliminate the bulk of these amateur breakers from contention. Now if only end-users couldn't do their work for them by running their trojans from e-mail attachments and bouncing pop-up windows. "Win a compromised box! Click now! Crackers are standing by!"

      --
      If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  10. PDF, ack by SamSim · · Score: 2, Insightful

    A PDF warning would be nice next time around, folks.