Zombie Report By ISP
twitter writes "Information Week has a summary of a report by Prolexic detailing Zombie activity by ISP, country and population statistics. AOL, the largest provider, had the most zombies but lower rates than others. Fourth largest Earthlink was not in the top 20. The information is gathered from hundreds of customer sites." From the article: "Weinstein went on to say that Prolexic's numbers were actually good news for AOL. 'It's a demonstration that the tools we provide are keeping members safe. Our very aggressive actions -- we provide anti-virus, anti-spyware, and firewall services to our users -- make them measurably safer than those on other ISPs.'"
AOL spins the report as good news because they claim a low rate of 0.54% zombie machines per million subscribers...yeah but...
They are basing that on 21.7 million total subscribers. I wonder what their rate would be if they only counted broadband subscribers?
The NSA: The only part of the US government that actually listens.
That the AOL users are zombies.
RTFA again for the best results.
You give AOL an inch and they take a mile. Sure, they have the better number, but this is only due to their holding of so much of the ISP market.
Unmatched Style |
Now, perhaps we can start putting some pressure on the bad ISPs to clean up their networks on the basis of their successful peers.
I'm really sick of everyone in the world looking down on me as soon as they find that my IP is on a Comcast block.
What do we want?
Brains!
When do we want them?
Brains!
AOL, the largest provider, had the most zombies
Sometimes jokes just write themselves...
There is nothing more practical than a good abstract theory.
we provide anti-virus, anti-spyware, and firewall services to our users
BUT WAIT! There's more!
If you act now, we'll throw in ANOTHER anti-virus service at no extra charge! All this for only 89.95!
Okay, I'm not supposed to do this, but I'll personally add another EXTRA anti-spyware monitoring system AND take off 50 bucks from the retail price!
All this and more for only 3 easy payments of 39.95!
Everyone knows the nexus for zombies is Haiti. Block the whole country and you should be safe.
So AOL has lower rate than some others. Doesn't really matter - since they have the most zombies in absolute numbers, blocking AOL from your IP range will give the most bang for the block anyway.
Trust the Computer. The Computer is your friend.
So, where is the chart showing the top 20?
Honestly, for my purposes I could block anything coming from AOL without affecting any of my servers. Do you really want AOLers taking up your bandwidth to begin with?
--JAB
1. Participation in Distributed Denial-of-Service attacks
2. EATING BRAINS
End users just *don't care*. This is why there are botnets. Because, although their owned boxen are f-ing with the rest of the internet, it doesn't affect them - a selfish luser attitude, why should they bother virus/trojan scanning their boxen?
I wish ISPs (victims and hosting) would hold the lusers responsible for this - I think criminal negligence would be an appropriate charge. I for one look after my Gentoo Linux boxen and keep them patched.
No amount of firewalls, switching to Mac or Linux, or anything else will stop people from having their computers taken over at the end of the day. Stupid users will always find a way to get infected despite the best protection available.
Operating a computer should be like operating heavy machinery. You need to pass a test that says you're qualified to do it. Don't want to take the time to learn how to properly use a computer and avoid being just another zombie PC sending me emails about lowering my car payments or free nude pics of celebrities? Then don't use a computer at all.
If you think this is a little irrational, just remember that the financial damages caused by computer viruses are probably in the billions of dollars every year. Imagine how much trouble could be prevented.
The other thing about AOL's dialup service is that they buy modems from local ISPs in areas where they don't operate central hubs. I used to work for one such ISP that contracted to AOL. We were very proactive about protecting customers, etc.
So a lot of the AOL crowd having good numbers may very well be local ISPs that are taking good care of their own customers, and just happen to contract out to AOL on the side.
-everphilski-
...Where can I see the report? I work for an ISP, it would be interesting to see where we fit. We're kinda medium-sized and mostly local, so I can't imagine we'd be on there at all.
But if we do show up at all, it's BOFH time!
FLR
aol should read this...
AOL is the largest ISP on the planet? Who is AOL's ISP? Assuming AOL isn't their only customer wouldn't that make them the largest?
-- Thou hast strayed far from the path of the Avatar.
They had the most zombies but a lower rate than others. They spin this as good.
But according to the post, Earthlink (the fourth largest provider) wasn't even in the top 20, implying that their zombie percentage is far lower than AOL's.
retrorocket.o not found, launch anyway?
...and this is how it ends up.
Although, there are some AOL users I wouldn't mind being gobbled up, I hardly need to sit on my roof with a minigun and grenade launcher.
For the love of G-d, we must do something now!
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Per capita ratio is so misleading. Per connected computer would give a way better picture.
People doing a study: "AOL, Your service is terrible!"
AOL: "Why thank you! See, that's why we have the best service!"
The actual report is at:
http://www.prolexic.com/zr/
--saint
And the AOL client is based on what browser?
Were the users given numbers in AOLs, or your IP space?
After all, it's also possible that the reason that AOL has such good numbers is from their users being counted against someone else.
[or, more likely, that their users don't spend as much time connected, and so by looking at the number of attacks, you actually have to compare the sum of time that the subscribers were connected, rather than the number of subscribers.]
Build it, and they will come^Hplain.
It must be such an inconvenience to put "content" on their advertising website; I would hate to see the ratio of adverts to content.
----
America Online hosts more denial-of-service (DoS) spewing zombie PCs than any other ISP in the world, a report released Tuesday claimed. AOL thinks that's just fine.
Prolexic, a Florida-based company that offers a DoS mitigation service, tracked attempted attacks over the last six months to rank ISPs. AOL topped the global and U.S. domestic lists, with machines that use it as their link to the Internet accounting for 5.3 percent of DoS attacks worldwide, and 11.7 percent of those conducted in the U.S.
Worldwide, the German family of Deutsche Telekom ISPs -- t-ipconnect.de and t-dialin.net, among others -- came in second. In the U.S., Comcast, Bell South, Verizon, and Ameritech fleshed out the top five.
"We're the largest ISP on the planet," Andrew Weinstein, a spokesman for AOL, said Wednesday. "You'd expect us to have the most zombies."
Weinstein went on to say that Prolexic's numbers were actually good news for AOL. "It's a demonstration that the tools we provide are keeping members safe. Our very aggressive actions -- we provide anti-virus, anti-spyware, and firewall services to our users -- make them measurably safer than those on other ISPs."
Weinstein based that take on a comparison of Prolexic's numbers with the U.S. installed base of each ISP. Assuming JupiterResearch's estimate of AOL membership rolls is on target at 21.7 million, America Online accounts for
"That's three or four times as many attacks per million subscribers," Weinstein argued. "The numbers show that AOL members are significantly less likely to have been compromised by a zombie. This is actually good news for our users."
Some major U.S. ISPs were notable by their absence. EarthLink, for instance, the fourth largest provider according to JupiterResearch, was not on the list of the top 20, although Mindspring, which EarthLink acquired in 1999, came in at number 17, accounting for 1.3 percent of the DoS attacks tracked by Prolexic in the U.S.
CipherTrust http://www.ciphertrust.com/resources/statistics/zombie.php has a live ZombieMeter by country.
One ring to bind them - should probably have more fiber and less rings in their diet.
"That's three or four times as many attacks per million subscribers," Weinstein argued. "The numbers show that AOL members are significantly less likely to have been compromised by a zombie. This is actually good news for our users."
Picture that you're a script-kiddie botnet owner looking for more zombie systems. You have a program that someone provided to you that scans netblocks for systems vulnerable to hundreds of various buffer overflow attacks. You get to pick what netblocks the scanner runs on.
Which would you pick:
1. AOL dialup netblocks, where the user's average 48 K/bps connection takes an average of 1 minute to scan and provides you with a wimpy 48 K/bps of DDoS power
2. Comcast Cable Modem netblocks, where the user's average 384 K/bps upstream bandwidth takes an average of 6 seconds to scan and provides you with a beefy 4,000 K/bps downstream DDoS power.
The numbers quoted above should be accurate enough to get the point. AOL hosts take far longer to compromise and provide far less "bang for the buck". No wonder they're compromised a smaller percentage of time.
I'm a big tall mofo.
Except that it wasn't just an appliance, was it? It was a bug ridden piece of manure that was delivered with known defects, to people who by and large don't have the wherewithal to work around those defects.
This is Microsoft's fault, plainly. Not the poor bastards who were taken in.
If anyone remembers, say a month ago, Slashdot and this website already posted this:
http://it.slashdot.org/article.pl?sid=05/05/28/2311223&tid=172&tid=95&tid=1&tid=218
~~~~~old news~~~~~~
I thought they were just a branded reseller of other people's equipment, like Virgin Mobile: they own nothing and are just middlemen to the real asset owners, unless AOL have been laying their own cables in the road.
Perhaps if we can get the zombies to start sharing music and movies we can get the MPAA/RIAA to shut them all down, one lawsuit at a time. :)
What you're proposing is kind of like insisting that all pedestrians must have black belts in karate and carry big guns. Otherwise, they might get mugged and use valuable police and hospital resources.
It's like saying that everyone has to be a CPA, otherwise they could be the victim of fraud and use valuable police and bank resources.
We have to punish the criminals, not the victims.
You know, I've talked to AOL on the phone a lot, and I have to agree with this article...it does seem that a high percentage of people working for AOL are zombies.
Don't take life so seriously. No one makes it out alive.
As far as I know, there is no easy way for the average user to find out if their computer is a zombie. It would be great if ISPs sent email notifications and then offered tools to remove malicious software. I think people would be very willing to take action, but the vast majority of people have no idea what the appropriate action is.
I was surprised to see that Vietnam has more zombies than Australia and nearly as many as Canada!
"Send more cops!"
AOL had a lower rate of zombies, by far, than Comcast or Verizon. So there's a correlation between speed (and duration) of connection and rate of zombies. Whoa, there's a surprise.
Have you read my blog lately?
Too bad AOL's spyware and firewall don't block the spyware that is AOL inherently... Here is how my AOL experience has gone:
1. Install AOL software.
2. Realize AOL software stinks and sends out all kinds of info back to AOL that I don't want them to have.
3. De-install AOL software.
4. De-install AOL software again after it reloads.
5. De-install AOL software again after it reloads.
6. Use a thermite grenade on my box because AOL angers me.
News Reporters Make Tasty Polar Bear Treats!
Remember: most zombies involved in a DDoS attack are simply opening a connection, sending a malformed request then closing the connection. They aren't playing FPS games or downloading porn, so high bandwidth isn't really required. What is required is a vast diversity in IP address so that the firewall and server are overwhelmed trying to process every incoming request.
Before you start licensing computer use, I thought I ought to remind you that there are plenty of computers out there which never touch the internet. Do you plan on licensing their users too?
Computer != Networked Computer
Please don't make that assumption.
I know it's easy to forget this nowadays, but I've run into too many developers who make that assumption and write their software as if every computer were networked. It makes it loads of fun to try to use software with "online help" when I'm in a location without a network connection. You want to make using the internet require a license, then make that your proposition, but leave us people who use computers to compute and not just to look at pretty pictures on the web, out of it.
zombie eat brain, but zombie cannot swallow this injustice . .
The "Average Joe" user isn't able to monitor their own PC for spyware, virus, or bot activity. I worked for my school's student computer repair group and I'd have to say 90% of the issues we had were related to viruses that were passed through AIM and email and spyware choking the systems to a halt. The other 10% were legitimate hardware or software issues (such as Windows imploding on itself or a NIC going bad).
Our school even gives out "free" (as in hidden in our tuition costs) copies of Norton (really Symantec, but I don't want to give up the old name) AV that takes care of many spyware threats and the vast majority of virus threats. The IT department also highly recommends that students use Spybot S&D or AdAware to remove and prevent spyware from getting a hold of their computers.
Most students just didn't care enough to worry about using the anti-virus and spyware tools that were provided to them. I've even been told by numerous people that running the tools makes their computers slow and they don't want to have it be slow when they are playing Snood.
The only way my school was able to successfully fight virus/bot activity on the network and prevent the entire campus from being taken over is to block users with "suspicious" activity (too many emails in a short period of time or too much outbound bandwidth in a short period of time were two tests that I knew of) from using the network until they can demonstrate that their computers are fully repaired.
The IT department used that technique to successfully stop Blaster and many of the other worms that hit our campus before too many computers were affected. Though it's "rule with an iron fist" at its best, it worked and made the network much safer for the rest of the population.
Without my school running things like this, it would have just been a matter of time before most of the computers on campus were taken over.
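The quarantine rule described in the post above (too many outbound emails, or too much outbound bandwidth, in a short period) can be expressed as a sliding-window check over per-host accounting records. The following is an added example, not code from the school or the poster; the record format, the thresholds and the sample lines are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed per-minute accounting records (not real campus data):
# <timestamp> <host> <outbound SMTP connections> <outbound bytes>
SAMPLE_LOG = """\
2005-06-22T10:00:00 10.20.1.5 2 150000
2005-06-22T10:01:00 10.20.1.5 1 120000
2005-06-22T10:00:00 10.20.1.9 40 300000
2005-06-22T10:01:00 10.20.1.9 55 280000
2005-06-22T10:02:00 10.20.1.9 60 310000
2005-06-22T10:00:00 10.20.2.3 0 30000000
2005-06-22T10:01:00 10.20.2.3 0 45000000
2005-06-22T10:02:00 10.20.1.5 3 140000
"""

# Hypothetical thresholds; tune them to the network's normal traffic.
WINDOW = timedelta(minutes=5)
MAX_SMTP_PER_WINDOW = 100
MAX_OUT_BYTES_PER_WINDOW = 50_000_000


def parse_line(line):
    """Split one accounting record into (timestamp, host, smtp_conns, out_bytes)."""
    ts, host, smtp, nbytes = line.split()
    return datetime.fromisoformat(ts), host, int(smtp), int(nbytes)


def find_quarantine_candidates(log_text, window=WINDOW,
                               max_smtp=MAX_SMTP_PER_WINDOW,
                               max_bytes=MAX_OUT_BYTES_PER_WINDOW):
    """Return {host: (first_trip_time, [reasons])} for hosts whose totals
    exceed a threshold inside any sliding window of the given length."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r[0])
    recent = defaultdict(deque)   # host -> records still inside the window
    flagged = {}
    for ts, host, smtp, nbytes in records:
        q = recent[host]
        q.append((ts, smtp, nbytes))
        while ts - q[0][0] > window:          # drop records that aged out
            q.popleft()
        smtp_total = sum(r[1] for r in q)
        bytes_total = sum(r[2] for r in q)
        reasons = []
        if smtp_total > max_smtp:
            reasons.append(f"outbound SMTP connections: {smtp_total} > {max_smtp}")
        if bytes_total > max_bytes:
            reasons.append(f"outbound bytes: {bytes_total} > {max_bytes}")
        if reasons and host not in flagged:   # record the first trip only
            flagged[host] = (ts, reasons)
    return flagged


if __name__ == "__main__":
    for host, (ts, reasons) in find_quarantine_candidates(SAMPLE_LOG).items():
        print(f"{ts.isoformat()} quarantine {host}: {'; '.join(reasons)}")
```

On the sample, 10.20.1.9 trips the mail threshold in its third minute and 10.20.2.3 trips the byte threshold in its second, while 10.20.1.5 stays well under both. The window keeps the check cheap (a deque per host) and stops a single busy minute from quarantining a legitimate host.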
The blurb says Earthlink is not in the top 20. Mindspring, listed as 17th most infected, is Earthlink.
I don't understand the report, but that graphic is way cool. Can I get a black light poster of that?
What is really needed is a system that performs automatic blacklisting based on a report-confirm-block scheme. That is, a customer or a bottom-level ISP becomes the target of a DDoS attack. It reports the IPs of each attacker to its service provider, which reports to its service provider, and so on, up. If an IP address corresponds to an ISP that receives a report, then the ISP examines the traffic originating from that IP address locally (as locally as possible, to distribute the load so no one routing device gets overloaded), determines whether the traffic constitutes participation in a DDoS attack, and if it does, blocks the IP locally.
:)
Eventually some of the reports will reach backbone providers. At the top, IPs are reported to peers, which then route the reports back down to the local ISPs, who confirm the report and block the IP address locally. The problem then shifts to the end user, who must take responsibility for his or her machine and keep it secure.
Obviously, compliance is an issue, but this can be solved by having a higher-level provider begin blocking lower level subnets if the lower-level ISP does not comply with the mitigation request.
This scheme is in every ISP's interest, since backbone providers can reduce traffic and thus costs (carrot incentive) while smaller ISPs must comply or be blacklisted (stick incentive).
Now all we need is for a smart person to write up an RFC.
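The report-confirm-block scheme sketched above can be modelled as a small simulation: a report climbs from the victim's provider until some prefix matches (crossing peering at the top if needed), descends to the most specific owner, is confirmed by a local inspection, and is blocked there; a non-complying ISP gets its subnet cut off by its upstream. This is an added example, not the poster's design in code or any RFC; the topology, the prefixes (private and documentation ranges) and the `fake_inspect` stand-in for traffic examination are constructed.

```python
import ipaddress


class Provider:
    """One network in the hierarchy: a backbone, a regional ISP or a local ISP.
    Constructed model; the prefixes are private/documentation ranges."""

    def __init__(self, name, prefixes, parent=None, compliant=True):
        self.name = name
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.parent = parent
        self.children = []
        self.compliant = compliant          # does it act on mitigation requests?
        self.blocked_ips = set()            # hosts blocked at this provider's edge
        self.blocked_subnets = set()        # child subnets cut off for non-compliance
        if parent is not None:
            parent.children.append(self)

    def owns(self, ip):
        return any(ip in p for p in self.prefixes)

    def most_specific_owner(self, ip):
        """Walk down to the lowest provider whose prefix covers ip."""
        for child in self.children:
            if child.owns(ip):
                return child.most_specific_owner(ip)
        return self


def report_attacker(reporter, ip, inspect, peers):
    """Propagate a DDoS participant report from the victim's provider.
    inspect(provider, ip) stands in for local traffic examination."""
    ip = ipaddress.ip_address(ip)
    node = reporter
    while node is not None and not node.owns(ip):
        node = node.parent                  # escalate until a prefix matches
    if node is None:
        # Reached the top without a match: hand the report across peering.
        node = next((p for p in peers if p.owns(ip)), None)
        if node is None:
            return ("unroutable", None)
    owner = node.most_specific_owner(ip)
    if not owner.compliant:
        if owner.parent is None:
            return ("unenforceable", owner.name)
        # Stick: the upstream blocks the subnet the non-complying ISP announced.
        subnet = next(p for p in owner.prefixes if ip in p)
        owner.parent.blocked_subnets.add(subnet)
        return ("escalated", owner.parent.name)
    if inspect(owner, ip):
        owner.blocked_ips.add(ip)           # confirmed locally, blocked locally
        return ("blocked", owner.name)
    return ("not-confirmed", owner.name)


# Constructed topology: two backbones that peer, three customer-facing ISPs.
BACKBONE_A = Provider("backbone-A", ["10.0.0.0/8"])
BACKBONE_B = Provider("backbone-B", ["172.16.0.0/12"])
ISP1 = Provider("isp1", ["10.1.0.0/16"], parent=BACKBONE_A)
ISP2 = Provider("isp2", ["10.2.0.0/16"], parent=BACKBONE_A, compliant=False)
ISP3 = Provider("isp3", ["172.16.5.0/24"], parent=BACKBONE_B)
PEERS = [BACKBONE_A, BACKBONE_B]


def fake_inspect(provider, ip):
    """Constructed stand-in for looking at the host's traffic: only one
    of the reported addresses is actually flooding."""
    return str(ip) == "10.1.4.20"


def run_demo():
    """ISP3's customer is under attack and reports three source addresses."""
    return {src: report_attacker(ISP3, src, fake_inspect, PEERS)
            for src in ("10.1.4.20", "10.2.7.8", "172.16.5.9")}


if __name__ == "__main__":
    for src, outcome in run_demo().items():
        print(src, outcome)
```

The confirmation step matters: a victim's report is only a claim, so the owning ISP inspects before blocking, which is what keeps the scheme from becoming a way to get arbitrary addresses cut off by filing false reports.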
Where is the actual study? Submission just points to an article about it.
Actually, AOL's "ISP" is AOL Transit Data Network (ATDN), a related company. They're a "tier 1" provider, and they communicate directly with other tier 1 providers: AT&T, MCI, Level(3), Verio, GBLX, C&W, Verizon, etc. They're the guys who own the big continent- and ocean-spanning fiber optic networks.
"ISP" usually refers to something more customer-facing than the tier 1 providers.
...Why don't they tell infected owners to run a scan? That will drop their numbers quickly and ensure a good reputation.
--
42
I don't preview or spellcheck.
Sniper rifle on the roof! Damn that T-Virus.
Just like AOL, Earthlink has been making a huge push into broadband services.
Remember, traditional AOL service is dialup too? No difference between Earthlink and AOL in this respect. Both are dialup providers that have begun a push into broadband service, and in Earthlink's case, even mobile phone service. (Earthlink is an MVNO that resells Verizon and Sprint service.)
retrorocket.o not found, launch anyway?
I think this "story" is the second or third infomercial for Prolexic. Do the Slashdot editors have some kind of personal stake in the company?
The main way these worms spread is via e-mail and I've found one of the best long-term ways to stop it is to refuse any port 25 traffic from broadband IP space (that shouldn't be running a mail relay).
I know MAPS has a good DUL list, but I refuse to pay a fee to try their RBL without first seeing if it will affect my clients' legitimate e-mail, so does anyone have any good sources for free DUL RBLs?
IMO, all legitimate mail relays should refuse SMTP traffic from cable, dsl and other inappropriate IP space. This would substantially halt the infection and creation of zombie PCs. I'm asking if anyone out there can share their experience with RBLs of this type and which ones they use?
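The policy the poster describes, refusing port 25 connections from dial-up/broadband address space, comes down to two checks on the connecting address: a locally maintained list of ranges, and a DNS-based list queried by reversing the octets under the list's zone. The following is an added example and not any RBL operator's code; the ranges are documentation space, the zone name is a placeholder, and `fake_resolve` stands in for the DNS A query so the example runs offline.

```python
import ipaddress

# Constructed stand-in for a locally maintained dial-up/dynamic list
# (documentation ranges, not any real provider's space).
LOCAL_DUL = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Placeholder zone name; a real DNSBL zone would go here.
DNSBL_ZONE = "dul.example.invalid"


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the name a DNSBL lookup queries: octets reversed, then the zone.
    192.0.2.10 against zone Z becomes 10.2.0.192.Z"""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def in_local_dul(ip):
    """True if ip falls inside one of the locally listed ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in LOCAL_DUL)


def fake_resolve(name):
    """Constructed replacement for a DNS A query, so the example runs offline.
    A listed name answers with a 127.0.0.x code; an unlisted one gets NXDOMAIN (None)."""
    listed = {dnsbl_query_name("203.0.113.77")}
    return "127.0.0.2" if name in listed else None


def smtp_policy(client_ip, port=25, resolve=fake_resolve):
    """Decide whether to accept an SMTP connection from client_ip.
    Only unauthenticated relay traffic on port 25 is subject to the lists;
    authenticated submission (port 587) from the same addresses stays open,
    so listed customers can still send through their own provider."""
    if port != 25:
        return ("accept", None)
    if in_local_dul(client_ip):
        return ("reject", "550 dynamic/dial-up address space may not relay directly")
    answer = resolve(dnsbl_query_name(client_ip))
    if answer is not None:
        return ("reject", f"550 listed in {DNSBL_ZONE} ({answer})")
    return ("accept", None)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.77", "203.0.113.5"):
        print(ip, smtp_policy(ip))
```

Checking the local list first avoids a DNS round trip for ranges the operator already knows, and the submission-port exception is what lets a site apply the policy without cutting off its own roaming users; the posters' concern about false positives against clients' legitimate mail is exactly why a list should be tried in a logging-only mode before it is allowed to reject.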
sprint-hsd.net is Earthlink. It is the Sprint DSL service which gives you Earthlink as your ISP. All dialup Sprint customers were given to Earthlink back in 1999.
Mindspring and Earthlink have merged so they also should be considered the same. Which would give Earthlink 4.25% (combine sprint and mindspring) for the US at spot 7 or 18-19 for the World. Heck, www.mindspring.com just redirects you to earthlink.com now.
Just a Tuna in the Sea of Life
OK, so we have a bunch of ignorant users who either don't know or don't care about this problem. I've always wondered if there was a good use for an Internet chain letter, and I think I've finally found one. Just send the following message to your favorite ignorant user. Maybe if this spreads, people will be so afraid that they'll actually clean their systems. Or at least we'll get to watch them squirm.
Subj: WARNING!!! Get rid of viruses or go to jail!!!
Please read this message! It is extremely important! It might even keep you out of jail!!!
You've probably heard about all the computer viruses that have been spreading like wildfire in the past few years. What you probably haven't heard is what they've been doing to the computers they infect. They've been turning these computers into "zombie computers" that can be controlled over the Internet to send spam, to attack other computers and Web sites, and to spread "phishing scams" to trick people into turning over credit card and bank account information to criminals. These infected computers are grouped into "botnets" and rented out to do the dirty work of whoever is willing to pay, often spammers, extortionists, and other criminal gangs located here and overseas in places like Russia, China, and Eastern Europe. AND YOUR COMPUTER COULD BE A ZOMBIE WITHOUT YOU EVEN KNOWING IT! RIGHT NOW, EVEN AS YOU READ THIS, YOUR COMPUTER COULD BE CHURNING OUT SPAM OR PERFORMING MANY OTHER CRIMINAL ACTIVITIES!!!
This isn't just a minor problem. In fact, it's gotten so bad that THE FEDERAL GOVERNMENT WILL SOON START PROSECUTING PEOPLE WITH INFECTED COMPUTERS!
In a recent Senate committee hearing, Dept. of Homeland Security secretary Tom Ridge said, "The attacks these infected computers can launch has become a matter of national security. We've tried and tried to educate people to run antivirus software to keep their computers free of these viruses, but it appears they aren't listening. I hate the idea of having to start prosecuting ordinary Americans for this, but we don't have many options left."
Ridge went on to say that DHS wants to give people time to get these viruses off their computers, so they plan to wait until Tuesday, September 6, 2005 before they start filing charges.
So, you have until TUESDAY, SEPTEMBER 6, 2005 (the day after Labor Day) to clean your computer of viruses. Otherwise, YOU COULD BE PROSECUTED!!!
BUT DON'T PANIC! Cleaning your computer is easy, and you don't even have to shell out any money to do it. Several antivirus companies have stepped up to the plate to help people meet this important deadline by offering free antivirus software.
AVG Free Edition
http://free.grisoft.com/
avast!
http://www.avast.com/eng/down_home.html
AntiVir Personal Edition Classic
http://www.free-av.com/
Even Microsoft has put up a site with links to free antivirus software from several companies.
http://www.microsoft.com/athome/security/protect/windows2000/antivirus.mspx
If you don't have time to download and install antivirus software right now, several antivirus companies have even put up sites to do a quick scan and clean any viruses they find. THEY DON'T REPLACE ANTIVIRUS SOFTWARE, but they will let you quickly clean your computer until you can get software installed.
Trend Micro
http://housecall.trendmicro.com/
Symantec
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
McAfee
http://us.mcafe
The case could be made just as easily that only licensed engineers should be able to write/produce software. After all, the whole world isn't infected. So why should the burden be on all the people who never had or caused a problem?
It would be "easier" to restrict the development of software. It would require fewer people to be compliant. And it would be fairly easy to implement a technological lock to allow only "registered" compilers run by "registered" developers to run on a proprietary OS.
If a programmer uses his powers for ill, then he loses his license and any software generated by him is blacklisted.
After all, it's not the users who are committing injurious acts on purpose. It's the people compiling the programs.
A different standard could be set for people who just did a bad job that left a vulnerability in their code. Those people could be hung out to public shame.
It's a slippery slope. I suspect that sooner or later we will find out what's at the bottom.
"You've Been Infected! Please run this application to clean your computer."
The loader for a computer would only load a program registered in a protected database.
That database can only be updated via a secure entry point. And the entry point is only through an InstallShield-type interface that can be accessed through a registered program.
So no more "floating binaries"; only a binary that is part of a registered/installed software package can run on the processor.
I was wondering if there was any software out there that could watch the network of zombied machines?
What you're missing is the whole "economies of scale" concept. If someone is "acquiring" a botnet of 10,000 computers that is quite a lot of bandwidth even if all of them are providing a "wimpy 48 K/bps of DDoS power."
Good point, and one that I didn't miss. My point was, if you can scan any IP block range you want to, wouldn't you start (and likely finish) with Comcast Cable's instead of AOL's? All of them are obviously of value, but the Comcast ones give far more value and are far faster to scan.
I'm a big tall mofo.
Y'know what, though? While your argument may prove that AOL's actions aren't responsible for the situation, it DOES mean you're safer on AOL.
Linux may be more secure than Windows, but one of the big reasons you're safer on Linux isn't just better innate security--it's the same "bang for the buck" argument that a virus writer has a lot more to gain by finding a way to infect Windows than Linux.
By the way, not meaning to sound like I buy Microsoft's "Windows is just as secure as Linux" arguments in any way. Just pointing out that, whether it's "earned" or not by being better, when the shooting starts it's better to have a smaller target on your back.
Only a registered program can set execute permissions on a file.
Since when did Voodoo hit the net?
I'm speaking as a network operator here. While it is easy to slam AOL for the lowest common denominator that is their customer-base, I have to say that actually dealing with AOL as a peer network operator is a pleasure. They are easy to get in touch with, they respond to abuse issues swiftly, they work with the other people in the operations community very well.
I cannot say the same for many others (AT&T) (Shaw.ca) who seem to be completely unable to generate useful abuse reports, or respond to those sent to them.
ISPs have to have some responsibility for the traffic we send and accept, but you also need to be available to peers to work out issues as they arise.
Then cleanse your eyes of the madness.
On the linked page there is something interesting. I'm using Firefox 1.0.4 and when I scroll there is a Java applet that lags just ever so slightly in the middle of the screen. It's transparent but it still centers on the screen when you scroll down (hence you can see the lag).
Anyone else seeing this??
Sure, it's part of the answer, but if you don't keep your software patched up to date no firewall will help you.
See, the point of being connected to the internet is to get email and access external resources. If you visit a web site that exploits your buggy browser, your firewall won't help you. If you click on an email that exploits your buggy mail client, your firewall won't help you.
The primary means of infection for the most prevalent malwares is email. Firewalls don't prevent you from receiving email.
That being said, you still should have a firewall. But keeping your OS and apps patched is even more important.
Even patching+firewalling won't save you if you are stupid enough to run binaries from untrusted sources. A virus checker can help out with that, but it won't save you from brand-new virii.
And if you add up the other domains Earthlink owns, it's even higher in the list...
http://webmail.atl.earthlink.net/wam/supported_domains/index.jsp
-- Terry
Yes! Made the top ten, baby!!!!!!
I wonder where the number would be if all of SBC's networks (they own pacbell, and have for several years) were to be counted as one?
Do you really want to allow an ISP to search your PC?
What if this was a corporate laptop? The CEOs laptop? Configured to only VPN into the corporate network, and the scanner breaks something?
Do you want to fight those lawsuits?
I would just disconnect those users, and let them go to my competitors, except that there are too many idiots and any good ISP would soon go out of business that way. Plus, charging for reconnection has exactly that effect. Maybe ISPs should charge for outbound bandwidth by the byte, forcing users to clean up or pay.
I can throw myself at the ground, and miss.
Sure, grandma CAN open an email and get her computer infected all to hell, but it'll end up being a deaf zombie. If your firewall is blocking all incoming ports, the zombie can never receive instructions on what to do, so it'll just sit there.
If everyone had a hardware firewall hooked up to their computer, the zombies wouldn't be a problem. They'd still exist for a while, but they couldn't do anything. I say a hardware firewall because an infection COULD disable a software firewall if not password protected.
"That's so plausible, I can't believe it!" - Leela
That's what you really think?
... whoops ...
Me, too!
Er
The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
The performance penalty on the zombie does not hit until it actually used in an attack. Even then, users severely infected with adware and spyware and tracking malware (that would be the majority of Comcast users on Windows, for example) see very little performance hit when they are part of a properly paced DDOS. Another approach, instead of pacing, is to only have the zombie participate in DDOSes during idle hours - broadband providers used to urge their customers to leave their computers on at all times, and many clueless techies still do make this recommendation (which Mom & Pop will blindly follow).
People building botnets may allow their zombies to lie quiescent for years before actually using them or selling them to someone who will.
So, a zombie lives until the user
- b) is traced by DDOS targets who make the ISP shut him down
or c) the owner notices the infection and takes steps to remedy it (very rare)
There is theoretically a fourth way for a zombie to be terminated... the target of the attack responds by mulching the attackers. But that never happens. No responsible person would ever strike back, even though they'd never get caught or punished. All computer jocks are really Quakers at heart, you know. They just turn the other cheek.
A firewall wouldn't stop a computer from being turned into a zombie, but it WOULD stop it from being used as a zombie. A zombie computer has to listen on a port for instructions on what to do. If that zombie is behind a firewall blocking that port, it'd just sit there and do nothing.
So yes, a firewall would fix the problem of a zombie computer being used to dos a site.
"That's so plausible, I can't believe it!" - Leela
Incorrect. The zombies make the outgoing connection without gramma's knowledge; the firewall does not block it because it's outgoing.
See, it comes in on an email, gramma clicks it, nothing obvious (to granny) happens. At some point (probably immediately after the next reboot) the zombie code connects to an IRC channel and waits for the secret word. It can wait forever, it doesn't care. When Groucho says the secret word, "Allez-allez-oxenfrei!" or whatever, all the zombies on the channel respond by switching to another channel where they say "YES MASTER I AWAIT YOUR BIDDING". Groucho tells them who to hit, how fast, and when.
There are many variations. But, firewalls do not prevent infected machines from receiving their control channel, because the zombie initiates the connection.
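The point made in the reply above is that the infected host opens the control connection itself, so an inbound-only firewall never sees anything to block; what a defender can look at instead is the outbound side of the connection log. The following is an added example, not code from the thread: it reads a constructed firewall log, ignores the inbound DROP entries entirely, and flags hosts that dial out to classic IRC control-channel ports or that reconnect to the same destination on a regular schedule. The log format, port set and tuning values are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed firewall connection log (not captured traffic):
# <timestamp> <direction> <src> <sport> <dst> <dport> <action>
SAMPLE_LOG = """\
2005-06-22T03:00:00 OUT 10.0.0.12 1045 198.51.100.23 6667 ALLOW
2005-06-22T03:01:10 OUT 10.0.0.7 1200 203.0.113.10 80 ALLOW
2005-06-22T03:02:00 IN 192.0.2.99 5555 10.0.0.12 135 DROP
2005-06-22T03:05:00 OUT 10.0.0.12 1046 198.51.100.23 6667 ALLOW
2005-06-22T03:09:43 OUT 10.0.0.7 1201 203.0.113.44 443 ALLOW
2005-06-22T03:10:00 OUT 10.0.0.12 1047 198.51.100.23 6667 ALLOW
2005-06-22T03:15:00 OUT 10.0.0.12 1048 198.51.100.23 6667 ALLOW
2005-06-22T03:30:02 OUT 10.0.0.7 1202 203.0.113.10 80 ALLOW
"""

IRC_PORTS = {6667, 6697}      # classic bot control-channel ports
MIN_BEACON_CONNECTIONS = 3    # hypothetical tuning values
MAX_BEACON_JITTER = 0.2       # mean |interval - mean| / mean


def parse_line(line):
    """Split one log record into its typed fields."""
    ts, direction, src, sport, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), direction, src, int(sport), dst, int(dport), action


def analyze(log_text):
    """Return {src_host: [findings]} built only from allowed OUTBOUND connections.
    Inbound DROP lines are ignored on purpose: a firewall that only filters
    inbound traffic records nothing useful about a host that dials out."""
    outbound = defaultdict(list)      # (src, dst, dport) -> [timestamps]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, src, _, dst, dport, action = parse_line(line)
        if direction == "OUT" and action == "ALLOW":
            outbound[(src, dst, dport)].append(ts)

    findings = defaultdict(list)
    for (src, dst, dport), times in outbound.items():
        target = f"{dst}:{dport}"
        if dport in IRC_PORTS:
            findings[src].append(("irc-port", target))
        if len(times) >= MIN_BEACON_CONNECTIONS:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            # Low jitter between reconnects is the signature of a scheduled check-in.
            jitter = mean(abs(g - avg) for g in gaps) / avg if avg else 1.0
            if jitter <= MAX_BEACON_JITTER:
                findings[src].append(("beacon", target, avg))
    return dict(findings)


if __name__ == "__main__":
    for host, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(host, *item)
```

On the sample, 10.0.0.12 is reported twice (an IRC port, and a clean 300-second reconnect rhythm to the same destination) while 10.0.0.7's ordinary web browsing produces nothing; the blocked inbound probe against 10.0.0.12 plays no part in either result, which is the reply's argument in log form.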
"AOL, the largest provider, had the most zombies but lower rates than others. "
I believe it's called "saturation." Probably not something you'll hear from the PHBs and marketing folks at AOL, but that's exactly what this looks like.
You need to learn what "per capita" means.
Fox 5 WWTG in Washington DC at 10PM covered this. They told people how to tell if your machine was being used as a zombie and how to stop it.
There's a difference between a college or university providing internet access to their students and a public ISP.
The school owns most of its own equipment, and is ultimately the one purchasing the bandwidth which it then provides as part of its student services. Because of this, it is at liberty to protect its networks and investment. For example: A compromised machine is basically robbing legitimate users of system capacity; the same way that someone who repeatedly flushes a toilet while you're in the shower is 'stealing' water pressure from the rest of the users of the water system.
With a public ISP, or any utility, there is the basic assumption that as long as a customer continues to pay for the use of the service, they are free to do whatever they like with it. If I want to water my lawn with three sprinkler zones right as the neighborhood is showering and getting ready for work, it makes me an asshole, but I am still within my rights as a consumer to do so. Additionally, it would be highly unlikely the water company would terminate my service for this behavior, as they do of course *like* when people use a lot of the product they're selling.
The metaphor is not entirely accurate, of course, as the majority of internet users are now paying flat-rate fees for unlimited access. The comparison in business practice still holds, however, that it would be highly unlikely an ISP would willingly send business to a competitor. In short, as long as you're paying your bill, an ISP wouldn't care if your machine was relaying a million spam messages a day.
The *only* way that the ISPs will ever take on the problem of spyware and botnets is if it starts impacting their bottom line.
Now, as a slight tangent, I would like to add: Norton *does* make a Winbox run slower. The on-access scanning increases filesystem access times exponentially.
I do feel that we can all be confident that, if for no other reason, Microsoft have pretty well doomed themselves by never addressing these fundamental security issues. Eventually the consumer public *will* realize the difference, though it will take on the same order of time it took for people to realize that yes, lawn darts are dangerous as well.
The misuse of home computers may cause annoyance, but a home computer can't run someone over and kill them!
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
I'm posting this so that you (the moderator) have some context to consider twitter and not mod him up whenever he posts his filler preformatted rants about installing Knoppix or Mepis or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.
If you're a /. subscriber, I invite you to look through some of his posting history. I guarantee that you'll be hard pressed to find someone that is more "out there" than twitter. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.
To get an idea of what I'm talking about, check this post out. This is an article about email disclaimers. The parent of the post is complaining about the ads in the linked page and so on, and twitter actually goes off on a rant to blame it on Microsoft and recommend Lynx, because "is teh free".
Here's another. In this post twitter not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "GNU". Yes, if you're confused, you're not alone. The reply (modded +4) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.
Here's that drive-by advocacy and FUD in motion: twitter goes on about some topic and then drops the usual "oh and M$ is teh evil" because "WMP phones home" or some such. Called on his FUD, he then claims that WMP stores every song and movie you've ever played in a file, somewhere. Pressed further, he just sort of slithers out of sight, his FUD-spreading complete. This is not about some Microsoft technology that nobody likes anyway; it's about lying for the sake of lying. Way too many of his posts are exactly like this one.
More? Just read through this post and the subsequent replies. I guess this stands on its own. Or these two. Or this one. Or this one.
Still not convinced? This is what twitter considers "humour" while going about his daily "M$" routine.
host-148-244-150-58.block.alestra.net.mx should be taken off the net and fixed.
IMO, all legitimate mail relays should refuse SMTP traffic from cable, dsl and other inappropriate IP space.
An even better solution is for mailservers to simply reject incoming IPs that ARE NOT on file with DNS as bonafide mailservers.
The problem is that the crackers and spammers will now attack bonafide SMTP mailservers, compromise them if possible (or just set one up 'properly' for a spam/malware mailbombing). And then we are back to square one....
End user client filtering and mailservers that punish spammers and neutralize malware seem to be the best way to go. The choice is yours....
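The two policies proposed above (refuse SMTP from cable/DSL address space; refuse clients whose IP is not on file in DNS as a mail server) boil down to checks on the connecting IP's reverse DNS. Here they are as an added example, not code from the thread or from any MTA: a classifier that rejects a client with no PTR record, rejects one whose PTR name does not resolve back to the same IP (forward-confirmed reverse DNS), and rejects names that look dynamically assigned, either by carrying the IP's own octets (the `host-148-244-150-58` pattern quoted above) or by containing words like `dsl`, `cable` or `pool`. The DNS tables are constructed so the example runs offline; the `example.*` names and the TEST-NET addresses are assumptions.

```python
"""Added example: PTR-based SMTP client screening (FCrDNS + dynamic-space heuristics).
Not from the thread or any real MTA; DNS data below is constructed for offline use."""
import ipaddress
import re

# Constructed stand-ins for PTR and A lookups (a real check would query DNS).
PTR = {
    "148.244.150.58": "host-148-244-150-58.block.alestra.net.mx",  # name quoted in the thread
    "192.0.2.10": "mail.example.com",                               # well-behaved mail server
    "192.0.2.20": "mx1.example.net",                                # PTR does not resolve back
    "192.0.2.30": "pool-192-0-2-30.dsl.example.org",                # consumer DSL pool
    "198.51.100.5": None,                                           # no reverse record
}
A = {
    "mail.example.com": ["192.0.2.10"],
    "mx1.example.net": ["192.0.2.99"],
    "host-148-244-150-58.block.alestra.net.mx": ["148.244.150.58"],
    "pool-192-0-2-30.dsl.example.org": ["192.0.2.30"],
}

# Labels that ISPs commonly put on consumer / dynamically assigned ranges.
GENERIC_WORDS = re.compile(
    r"(^|[.-])(dsl|cable|dhcp|dyn|dynamic|pool|ppp|dial|dialup)([.-]|$)", re.I)


def looks_dynamic(ip, name):
    """True if the PTR name encodes the IP's octets or carries a consumer-space label."""
    octets = ip.split(".")
    embedded = {"-".join(octets), ".".join(octets),
                "-".join(reversed(octets)), ".".join(reversed(octets))}
    if any(e in name for e in embedded):
        return True
    return bool(GENERIC_WORDS.search(name))


def assess_smtp_client(ip, ptr_lookup=PTR.get, a_lookup=lambda n: A.get(n, [])):
    """Return ("accept" | "reject", reason) for a connecting SMTP client address."""
    ipaddress.ip_address(ip)                 # raises ValueError on garbage input
    name = ptr_lookup(ip)
    if not name:
        return "reject", "no PTR record"
    if ip not in a_lookup(name):
        return "reject", f"PTR {name} does not resolve back to {ip} (FCrDNS failed)"
    if looks_dynamic(ip, name):
        return "reject", f"PTR {name} looks like dynamically assigned consumer space"
    return "accept", f"FCrDNS ok for {name}"


if __name__ == "__main__":
    for client in PTR:
        print(client, *assess_smtp_client(client))
```

The caveat the follow-up post hints at applies here too: these checks cut off zombies on consumer lines, but not a compromised or purpose-built server with clean reverse DNS, and they will also reject a small legitimate server whose ISP never gave it a proper PTR. In practice the "dynamic space" test is usually delegated to a maintained list (a DNS blocklist of dynamic ranges) rather than to name heuristics like `looks_dynamic`, which are easy to fool and prone to false positives.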
AOL, the largest provider, had the most zombies but lower rates than others....
..."Weinstein went on to say that Prolexic's numbers were actually good news for AOL. 'It's a demonstration that the tools we provide are keeping members safe.
...actually it's a demonstration that they have more dial ups than broadband customers. As for the 'tools for keeping customers safe' it's the same pattern as 'protection from terrorism' - limit where one can go and what one can do to keep one 'safe'. 'Safe and dumb'.
Twitter, you're a petulant cock-gobbling sycophant to Linux Torvaldyos! Quit taking DP from ESR and RMS's feculent cocks and why don't you try to stop sucking quite so much? Get out of your parents' basement and see the real world - maybe then you'll see how pathetic you sound, with your neverending stream of bullshit about how Microsoft is stalking you. Wasn't it you who said that Microsoft believes your insane ranting is actually a threat to them, so they PAY PEOPLE to reply to you on Slashdot? No sir, I don't get any money. I do it for the love. Someone has to go up against your paranoid whining. So get back in your cage and shut the fuck up already.