Slashdot Mirror


Zombie Report By ISP

twitter writes "Information Week has a summary of a report by Prolexic detailing Zombie activity by ISP, country and population statistics. AOL, the largest provider, had the most zombies but lower rates than others. Fourth largest Earthlink was not in the top 20. The information is gathered from hundreds of customer sites." From the article: "Weinstein went on to say that Prolexic's numbers were actually good news for AOL. 'It's a demonstration that the tools we provide are keeping members safe. Our very aggressive actions -- we provide anti-virus, anti-spyware, and firewall services to our users -- make them measurably safer than those on other ISPs.'"


  1. Turn turn turn ... by It+doesn't+come+easy · · Score: 5, Insightful

    AOL spins the report as good news because they claim a low rate of 0.54% zombie machines per million subscribers...yeah but...

    They are basing that on 21.7 million total subscribers. I wonder what their rate would be if they only counted broadband subscribers?

    --
    The NSA: The only part of the US government that actually listens.
    1. Re:Turn turn turn ... by tigerd · · Score: 4, Insightful

      I don't really think an ISP is responsible for zombie machines. It's the end users who have the final responsibility. That means you and my grandma...

    2. Re:Turn turn turn ... by dmolavi · · Score: 2, Informative
    3. Re:Turn turn turn ... by It+doesn't+come+easy · · Score: 2, Insightful

      It's a good question. The truth is AOL isn't a real ISP. They are a proprietary system with access to the internet. Might be splitting hairs here but whatever. In any case, AOL has been trying to create an AOL broadband service. Not sure how successful that has been, but AOL does have partnership arrangements with other broadband providers where you connect to the broadband provider and then straight to AOL's system. I wonder how these kind of connections were counted? Probably not as an AOL IP address, cause the IP address would have been assigned to the broadband provider. Looks like another way to fudge the numbers to me...

      --
      The NSA: The only part of the US government that actually listens.
    4. Re:Turn turn turn ... by -brazil- · · Score: 2, Insightful

      Theoretically, yes. But pragmatically, some relatively simple measures taken by an ISP can greatly reduce end user vulnerability, while sufficiently educating all end users about how not to become infected is simply impossible in the face of most people's total lack of concern for the problem.

      --

      The illegal we do immediately. The unconstitutional takes a little longer.
      --Henry Kissinger

    5. Re:Turn turn turn ... by Disoculated · · Score: 2, Insightful

      Normally, a true "AOL" brand broadband customer will be tunneled through AOL, otherwise its parental controls (part of its selling point) wouldn't work. So they'd show up as being in AOL's network space.

      A person who's running AOL on another ISP's network and using the AOL client as a simple TCP app wouldn't (and shouldn't) be considered an AOL zombie for this study, otherwise the zombie would be counted twice.

    6. Re:Turn turn turn ... by ArsenneLupin · · Score: 2, Insightful

      A person who's running AOL on another ISP's network and using the AOL client as a simple TCP app wouldn't (and shouldn't) be considered an AOL zombie for this study, otherwise the zombie would be counted twice.

      ... but he will still be counted as a subscriber, leading to good per-subscriber infection rates. For fairness' sake AOL should really not count these users as subscribers either, nor the dialup users.

    7. Re:Turn turn turn ... by dekemoose · · Score: 2, Insightful

      Dial-up users are not the typical fare for Zombies, more due to their unpredictable behavior, sometimes they're on the net, sometimes not. However, the ability of a dial-up user to conduct a DoS should not be discounted. I can usually get at least 28.8 on a dial-up, let's call it 14.4 for arguments sake. At the rate you can saturate a T1 with a little over 100 zombies, you can drown out a 10M ethernet feed with a little over 700 zombies, and 3200 zombies will crush a T3. While all the attention is on the destructive power behind broadband users, the majority of users are still on dial-up and they are dangerous too.

    8. Re:Turn turn turn ... by Dachannien · · Score: 2, Funny

      Each million AOL subscribers contribute 0.54% of the total DoS load. Thus, the 21.7 million AOL subscribers contribute 21.7 million * 0.54%/million = 11.7% of total load.

    9. Re:Turn turn turn ... by theCoder · · Score: 3, Insightful

      Yes, I think they do. There are a number of benefits, both in direct savings (less bandwidth used, less of their own customers attacked, better Internet image) and in good relations (assuming it's handled correctly). Most people don't know that much about their computers. And if their ISP called up and helped them clean a virus/worm/trojan/other malware off their PC and made it run better, that customer is probably going to have a more positive view of the ISP. Of course, if the ISP blocks them and doesn't help them get back online, they'll probably have a negative view of the incident.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
  2. No one is surprised by Approaching.sanity · · Score: 2, Funny

    That the AOL users are zombies.

    --
    RTFA again for the best results.
  3. Good! by ajs · · Score: 3, Interesting

    Now, perhaps we can start putting some pressure on the bad ISPs to clean up their networks on the basis of their successful peers.

    I'm really sick of everyone in the world looking down on me as soon as they find that my IP is on a Comcast block.

    1. Re:Good! by kiwimate · · Score: 3, Insightful

      No kidding. Comcast.net is ranked #5 in the Top Infected Networks table, and #2 in the Infected US Networks table.

      So, let's summarize. If you live in the Philadelphia area, then you're stuck with the monopoly broadband company, and the commensurate extortionate prices, wretched customer service, frequent service interruptions...and now this.

      I really loathe Comcast. And you just know there's no way they're going to clean up their act. Why would they? Where's the incentive or threat?

    2. Re:Good! by Bonker · · Score: 4, Insightful

      I'd be willing to bet that the majority of the 1st world zombies originate on 'White Label' broadband. The aforementioned Comcast, Cox, SWB DSL... things like that. AOL has the most of any ISP, but I bet the conglomerate of the top 5 cable and dsl bandwidth providers easily dwarfs them.

      They're the 'cheap' local providers, not the 'evil' big boys like AOL, so they're what your grandmother will subscribe to when your idiot nephew convinces her she needs an 'Always On' connection to listen to NPR or check her email every five minutes.

      Yeah, this *looks* like it's just the industry's problem, but it's not. It's mine and yours. Every time you or I answer 'Well, I need a computer and a cable modem to check my email, right?' with just a 'yeah sure', we're adding to it.

      Go buy Grandma that $39.99 firewall from Best Buy, configure it for her, and tell her that she doesn't need to worry about it. It's like the extra deadbolt on her front door. It helps keeps the bad-guys out.

      --
      The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    3. Re:Good! by GigsVT · · Score: 2, Insightful

      It doesn't matter which ISP you use, some idiots somewhere will have some personal grudge against it.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  4. Brains! by Anonymous Coward · · Score: 2, Funny

    What do we want?

    Brains!

    When do we want them?

    Brains!

  5. Let the jokes begin... by pete19 · · Score: 5, Funny

    AOL, the largest provider, had the most zombies

    Sometimes jokes just write themselves...

    --
    There is nothing more practical than a good abstract theory.
  6. Late night TV by Dancin_Santa · · Score: 5, Funny

    we provide anti-virus, anti-spyware, and firewall services to our users

    BUT WAIT! There's more!

    If you act now, we'll throw in ANOTHER anti-virus service at no extra charge! All this for only 89.95!

    Okay, I'm not supposed to do this, but I'll personally add another EXTRA anti-spyware monitoring system AND take off 50 bucks from the retail price!

    All this and more for only 3 easy payments of 39.95!

    1. Re:Late night TV by TheClam · · Score: 3, Interesting

      That's just not true. When I moved, I used a free AOL CD just for dial-up, but I never used the email address. When I closed the acct a few months later, I only had 5 emails in the inbox.

  7. Still the worst offender by JanneM · · Score: 2, Funny

    So AOL has lower rate than some others. Doesn't really matter - since they have the most zombies in absolute numbers, blocking AOL from your IP range will give the most bang for the block anyway.

    --
    Trust the Computer. The Computer is your friend.
    1. Re:Still the worst offender by Anonymous Coward · · Score: 4, Insightful

      But you will block 21 million legitimate users too. If that is acceptable, I don't really want to have anything to do with your company.

    2. Re:Still the worst offender by Anonymous Coward · · Score: 5, Insightful

      But you will block 21 million legitimate users too.

      If eBay, playboy.com and espn.com blocked AOL users until AOL got rid of their zombies AOL would make absolute certain that the problem would be solved within 48 hours.

  8. Zombie Activity by fuct_onion · · Score: 5, Funny

    1. Participation in Distributed Denial-of-Service attacks
    2. EATING BRAINS

  9. The fundamental zombie problem by Anonymous Coward · · Score: 3, Interesting

    End users just *don't care*. This is why there are botnets. Because, although their owned boxen are f-ing with the rest of the internet, it doesn't affect them - a selfish luser attitude, why should they bother virus/trojan scanning their boxen?
    I wish ISPs (victims and hosting) would hold the lusers responsible for this - I think criminal negligence would be an appropriate charge. I for one look after my gentoo linux boxen and keep them patched.

    1. Re:The fundamental zombie problem by generic-man · · Score: 2, Insightful

      The hostile behavior of self-proclaimed net.gods, looking down upon AOL "lusers" from their Linux "boxen," doesn't help matters any.

      If you're upset about end-users ruining your ability to download new packages for your "boxen," then offer to help instead of bitching them out on Slashdot.

      --
      For more information, click here.
    2. Re:The fundamental zombie problem by RealProgrammer · · Score: 3, Insightful

      >End users just *don't care*.

      Not meaning to sound flippant, but you're giving them too much credit.

      For most people, that their computer might be part of a world-wide network of zombie slaves to an international cybermob is just not within their ability to fathom.

      So no, they don't care, but it's on the level of caring that their Chinese-made desk lamp was made by people who can't read about democracy on MSN. That's not quite it, but the point is it's simply not part of their world.

      People call me to fix their "broken" computers. When I remove the viruses and other crap and explain the problem, they *always* express outrage that someone would do that to innocent little them.

      Until then they don't care because they don't understand. Anyone who does understand feels violated and tries to do something about it.

      --
      sigs, as if you care.
  10. A solution by alvinrod · · Score: 5, Insightful

    No matter how many software or hardware tools an ISP has in place to stop their customers' computers from being turned into zombies, the only real way to combat the problem is to educate the end user more.

    No amount of firewalls, switching to Mac or Linux, or anything else will stop people from having their computers taken over at the end of the day. Stupid users will always find a way to get infected despite the best protection available.

    Operating a computer should be like operating heavy machinery. You need to pass a test that says you're qualified to do it. Don't want to take the time to learn how to properly use a computer and avoid being just another zombie PC sending me emails about lowering my car payments or free nude pics of celebrities? Then don't use a computer at all.

    If you think this is a little irrational, just remember that the financial damages caused by computer viruses are probably in the billions of dollars every year. Imagine how much trouble could be prevented.

    1. Re:A solution by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      Operating a computer should be like operating heavy machinery. You need to pass a test that says you're qualified to do it.

      You need to pass a test because lives are at risk, not bandwidth. Realistically there should be some basic instruction, hopefully provided in schools, but at the same time most computers should be much, much, much, much, much harder to remotely take over and turn into a zombie. Windows is the worst of the bunch, but pretty much all OSs could be a lot easier to use securely. I imagine they would be too, except for the fact that since MS gained their monopoly, innovation has slowed to a crawl. I want default sandboxes for new applications, services off by default, and easy built in standards compliant encryption and authentication schemes.

      I agree that there will always be really stupid users that will get their machines taken over and agree to the most ridiculous risks to see the little bunny cartoon, but at least make the user click a button that says "Let this program do anything it wants to my computer" right next to the "run it in a sandbox and give it no access to the internet or my files" button.

  11. The other thing about AOL by everphilski · · Score: 4, Informative

    The other thing about AOL's dialup service is that they buy modems from local ISPs in areas where they don't operate central hubs. I used to work for one such ISP that contracted to AOL. We were very proactive about protecting customers, etc.

    So a lot of the AOL crowd having good numbers may very well be local ISPs that are taking good care of their own customers, and just happen to contract out to AOL on the side.

    -everphilski-

  12. Re:Where's the beef^h^h^h^hlist? by Anonymous Coward · · Score: 4, Funny

    You know those underlined bits in the summary at the top of this page? They're called hyperlinks, and you can click on them... try clicking on the second one.

  13. zombie survival guide by Anonymous Coward · · Score: 2, Funny
  14. Stupid AOL by Andy+Dodd · · Score: 3, Insightful

    They had the most zombies but a lower rate than others. They spin this as good.

    But according to the post, Earthlink (the fourth largest provider) wasn't even in the top 20, implying that their zombie percentage is far lower than AOL's.

    --
    retrorocket.o not found, launch anyway?
  15. Re:Umm... by khendron · · Score: 4, Informative
    --
    Life is like a web application. Sometime you need cookies just to get by.
  16. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  17. This is how it starts... by suitepotato · · Score: 2, Informative

    ...and this is how it ends up.

    Although there are some AOL users I wouldn't mind being gobbled up, I hardly need to sit on my roof with a minigun and grenade launcher.

    For the love of G-d, we must do something now!

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  18. Report. by saintlupus · · Score: 3, Informative

    The actual report is at:

    http://www.prolexic.com/zr/

    --saint

  19. Re:Article is incorrect by porcupine8 · · Score: 3, Informative

    I think it's (percent of all attacks originating from that provider) divided by (number of machines on that provider, in millions).

    So (making #s up) if AOL is 10% of all attacks, and 100 million machines, they have .1 percent per million. But if Joe's ISP has 5% of all attacks, and only 5 million machines, they have 1.0 percent per million.

    AOL has twice as many attacks total, but compared to their user base Joe's rate is ten times as high.

    --
    Warning: Apple/Nintendo fangirl. Likes her electronics cute & cuddly. May be rabid.
  20. AOL is on crack. Here's why. by bigtallmofo · · Score: 3, Insightful

    "That's three or four times as many attacks per million subscribers," Weinstein argued. "The numbers show that AOL members are significantly less likely to have been compromised by a zombie. This is actually good news for our users."

    Picture that you're a script-kiddie botnet owner looking for more zombie systems. You have a program that someone provided to you that scans netblocks for systems vulnerable to hundreds of various buffer overflow attacks. You get to pick what netblocks the scanner runs on.

    Which would you pick:

    1. AOL dialup netblocks, where the user's average 48 K/bps connection takes an average of 1 minute to scan and provides you with a wimpy 48 K/bps of DDoS power
    2. Comcast Cable Modem netblocks, where the user's average 384 K/bps upstream bandwidth takes an average of 6 seconds to scan and provides you with a beefy 4,000 K/bps downstream DDoS power.

    The numbers quoted above should be accurate enough to get the point. AOL hosts take far longer to compromise and provide far less "bang for the buck". No wonder they're compromised a smaller percentage of time.

    --
    I'm a big tall mofo.
  21. You gotta be kidding by Dammital · · Score: 5, Insightful

    "End users just *don't care* [...] a selfish luser attitude"

    I don't think that's fair. The end users, for the most part, have been handed a box that was advertised as an appliance: "Plug it in and you're good to go! Surf the net, download music, play games with your chums, get photos from the grandkids!"

    Except that it wasn't just an appliance, was it? It was a bug ridden piece of manure that was delivered with known defects, to people who by and large don't have the wherewithal to work around those defects.

    This is Microsoft's fault, plainly. Not the poor bastards who were taken in.

  22. AOL Zombies by jim_v2000 · · Score: 2, Funny

    You know, I've talked to AOL on the phone a lot, and I have to agree with this article...it does seem that a high percentage of people working for AOL are zombies.

    --
    Don't take life so seriously. No one makes it out alive.
  23. AOL Software... by Evil+W1zard · · Score: 2, Funny

    Too bad AOL's spyware and firewall don't block the spyware that is AOL inherently... Here is how my AOL experience has gone.. 1. Install AOL software 2. Realize AOL software stinks and sends out all kinds of info back to AOL that I don't want them to have. 3. De-install AOL software. 4. De-install AOL software again after it reloads. 5. De-install AOL software again after it reloads. 6. Use a thermite grenade on my box because AOL angers me.

    --
    News Reporters Make Tasty Polar Bear Treats!
  24. Re:AOL is on crack. Here's why. by Foolomon · · Score: 3, Insightful

    What you're missing is the whole "economies of scale" concept. If someone is "acquiring" a botnet of 10,000 computers that is quite a lot of bandwidth even if all of them are providing a "wimpy 48 K/bps of DDoS power."

    Remember: most zombies involved in a DDoS attack are simply opening a connection, sending a malformed request then closing the connection. They aren't playing FPS games or downloading porn, so high bandwidth isn't really required. What is required is a vast diversity in IP address so that the firewall and server are overwhelmed trying to process every incoming request.

  25. It's the responsibility of the ISPs to monitor... by GeoffKerr · · Score: 2, Interesting

    The "Average Joe" user isn't able to monitor their own PC for spyware, virus, or bot activity. I worked for my school's student computer repair group and I'd have to say 90% of the issues we had were related to viruses that were passed through AIM and email and spyware choking the systems to a halt. The other 10% were legitimate hardware or software issues (such as Windows imploding on itself or a NIC going bad).

    Our school even gives out "free" (as in hidden in our tuition costs) copies of Norton (really Symantec, but I don't want to give up the old name) AV that takes care of many spyware threats and the vast majority of virus threats. The IT department also highly recommends that students use Spybot S&D or AdAware to remove and prevent spyware from getting a hold of their computers.

    Most students just didn't care enough to worry about using the anti-virus and spyware tools that were provided to them. I've even been told by numerous people that running the tools makes their computers slow and they don't want to have it be slow when they are playing Snood.

    The only way my school was able to successfully fight virus/bot activity on the network and prevent the entire campus from being taken over is to block users with "suspicious" activity (too many emails in a short period of time or too much outbound bandwidth in a short period of time were two tests that I knew of) from using the network until they can demonstrate that their computers are fully repaired.

    The IT department used that technique to successfully stop Blaster and many of the other worms that hit our campus before too many computers were affected. Though it's "rule with an iron fist" at its best, it worked and made the network much safer for the rest of the population.

    Without my school running things like this, it would have just been a matter of time before most of the computers on campus were taken over.
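
The quarantine rule described in the post above (too many outgoing mail connections, or too much outbound traffic, inside a short window) can be written as a sliding-window check over flow records. The following is an added example and not code from the post or from any school's IT department; the thresholds, window size, host addresses and flow records are all constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed policy (constructed, not the school's real numbers): more than
# 20 outgoing SMTP connections or more than 5 MB sent within any 60-second
# window takes the host off the network until it is cleaned up.
WINDOW_SECONDS = 60
MAX_SMTP_CONNECTIONS = 20
MAX_OUT_BYTES = 5_000_000


@dataclass
class Flow:
    ts: float        # seconds; constructed sample timestamps
    src: str         # campus host address
    dst_port: int    # 25 marks an outgoing mail connection
    out_bytes: int   # bytes the host sent in this flow


class HostMonitor:
    """Sliding-window counters per source host, in the spirit of the
    'too many emails' / 'too much outbound bandwidth' tests above."""

    def __init__(self):
        self.smtp = defaultdict(deque)    # src -> timestamps of SMTP connects
        self.sent = defaultdict(deque)    # src -> (timestamp, bytes) pairs
        self.quarantined = set()

    def observe(self, flow):
        """Feed one flow; return an alert string the first time a host trips a rule."""
        if flow.src in self.quarantined:
            return None                   # already off the network
        now = flow.ts
        cutoff = now - WINDOW_SECONDS
        smtp = self.smtp[flow.src]
        sent = self.sent[flow.src]
        if flow.dst_port == 25:
            smtp.append(now)
        sent.append((now, flow.out_bytes))
        # Drop everything older than the window before evaluating.
        while smtp and smtp[0] < cutoff:
            smtp.popleft()
        while sent and sent[0][0] < cutoff:
            sent.popleft()
        if len(smtp) > MAX_SMTP_CONNECTIONS:
            self.quarantined.add(flow.src)
            return f"{flow.src}: {len(smtp)} SMTP connections in {WINDOW_SECONDS}s"
        total = sum(b for _, b in sent)
        if total > MAX_OUT_BYTES:
            self.quarantined.add(flow.src)
            return f"{flow.src}: {total} bytes out in {WINDOW_SECONDS}s"
        return None


def run(flows):
    """Replay flows in time order; return (alerts, quarantined hosts)."""
    mon = HostMonitor()
    alerts = []
    for flow in sorted(flows, key=lambda f: f.ts):
        alert = mon.observe(flow)
        if alert:
            alerts.append(alert)
    return alerts, mon.quarantined


# Constructed sample traffic: .10 browses normally, .23 pumps out mail
# (a spam bot), .77 floods an IRC port upstream (a DDoS participant).
SAMPLE_FLOWS = (
    [Flow(1000 + 10 * i, "10.0.0.10", 80, 20_000) for i in range(12)]
    + [Flow(1000 + 0.5 * i, "10.0.0.23", 25, 800) for i in range(30)]
    + [Flow(1000 + 2 * i, "10.0.0.77", 6667, 600_000) for i in range(15)]
)

if __name__ == "__main__":
    found, offline = run(SAMPLE_FLOWS)
    for line in found:
        print("quarantine:", line)
    print("hosts off the network:", sorted(offline))
```

A host is reported once and then ignored, which matches the "block until repaired" handling in the post: re-admission is a manual decision after the machine has been cleaned, not something the counter decides.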

  26. Earthlink *is* 17th... by brockbr · · Score: 3, Informative

    The blurb says Earthlink is not in the top 20. Mindspring, listed as 17th most infected, is Earthlink.

  27. Groovy by berbo · · Score: 2, Funny

    I don't understand the report, but that graphic is way cool. Can I get a black light poster of that?

  28. Automatic DDoS mitigation at backbone level by Dachannien · · Score: 2, Interesting

    What is really needed is a system that performs automatic blacklisting based on a report-confirm-block scheme. That is, a customer or a bottom-level ISP becomes the target of a DDoS attack. It reports the IPs of each attacker to its service provider, which reports to its service provider, and so on, up. If an IP address corresponds to an ISP that receives a report, then the ISP examines the traffic originating from that IP address locally (as locally as possible, to distribute the load so no one routing device gets overloaded), determines whether the traffic constitutes participation in a DDoS attack, and if it does, blocks the IP locally.

    Eventually some of the reports will reach backbone providers. At the top, IPs are reported to peers, which then route the reports back down to the local ISPs, who confirm the report and block the IP address locally. The problem then shifts to the end user, who must take responsibility for his or her machine and keep it secure.

    Obviously, compliance is an issue, but this can be solved by having a higher-level provider begin blocking lower level subnets if the lower-level ISP does not comply with the mitigation request.

    This scheme is in every ISP's interest, since backbone providers can reduce traffic and thus costs (carrot incentive) while smaller ISPs must comply or be blacklisted (stick incentive).

    Now all we need is for a smart person to write up an RFC. :)
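
The report-confirm-block scheme sketched above can be modelled as a small simulation: a report travels up from the victim's ISP, across peers at the top, and back down to the ISP whose address space holds the reported IP; that ISP confirms from its own edge traffic before blocking, and a higher-level provider blocks the covering subnet when a lower one ignores the request. This is an added example, not part of the post or of any RFC; the ISP names, prefixes, per-host flow rates and the confirmation threshold are all constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed: a reported source sending at least this many flows/sec toward the
# victim, as seen at its own ISP's edge, counts as DDoS participation.
CONFIRM_THRESHOLD = 100


@dataclass
class ISP:
    name: str
    prefixes: list                       # networks this ISP assigns downstream
    parent: "ISP | None" = None          # upstream provider (None for a backbone)
    peers: list = field(default_factory=list)
    children: list = field(default_factory=list)
    observed: dict = field(default_factory=dict)   # edge telemetry: ip -> flows/sec to victim
    compliant: bool = True               # does this ISP act on mitigation requests?
    blocked: set = field(default_factory=set)      # strings: blocked hosts or subnets
    log: list = field(default_factory=list)

    def owns(self, ip):
        return any(ip in net for net in self.prefixes)

    def confirm_locally(self, ip):
        """Examine traffic from ip at this ISP's edge; block only if it looks like an attack."""
        rate = self.observed.get(ip, 0)
        if rate >= CONFIRM_THRESHOLD:
            self.blocked.add(str(ip))
            self.log.append(f"{self.name}: confirmed {ip} ({rate} flows/s), blocked locally")
            return True
        self.log.append(f"{self.name}: report for {ip} not confirmed ({rate} flows/s), no action")
        return False


def route_report(isp, ip):
    """Carry one attacker report through the hierarchy; return the ISP that dealt with it."""
    if isp.owns(ip):
        for child in isp.children:
            if child.owns(ip):
                if not child.compliant:
                    net = next(n for n in child.prefixes if ip in n)
                    isp.blocked.add(str(net))       # the 'stick': block the lower-level subnet
                    isp.log.append(f"{isp.name}: {child.name} ignored the request, blocked {net}")
                    return isp
                return route_report(child, ip)      # route the report back down
        isp.confirm_locally(ip)                     # no child owns it: this is the edge
        return isp
    if isp.parent is not None:
        isp.log.append(f"{isp.name}: {ip} is not ours, escalating to {isp.parent.name}")
        return route_report(isp.parent, ip)         # send the report up
    for peer in isp.peers:                          # at the top: hand across to the owning peer
        if peer.owns(ip):
            isp.log.append(f"{isp.name}: handing {ip} to peer {peer.name}")
            return route_report(peer, ip)
    isp.log.append(f"{isp.name}: no provider found for {ip}")
    return None


def mitigate(attacker_ips, victim_isp):
    """The victim reports attacker addresses to its own ISP; map each to the acting ISP's name."""
    outcome = {}
    for ip_str in attacker_ips:
        acted = route_report(victim_isp, ipaddress.ip_address(ip_str))
        outcome[ip_str] = acted.name if acted else None
    return outcome


def build_topology():
    """Constructed two-backbone topology with one non-compliant local ISP."""
    net = ipaddress.ip_network
    bb_a = ISP("BackboneA", [net("10.0.0.0/8")])
    bb_b = ISP("BackboneB", [net("192.168.0.0/16")])
    bb_a.peers.append(bb_b)
    bb_b.peers.append(bb_a)
    regional = ISP("RegionalA", [net("10.1.0.0/16")], parent=bb_a)
    local_a = ISP("LocalA", [net("10.1.5.0/24")], parent=regional,
                  observed={ipaddress.ip_address("10.1.5.9"): 450,   # clearly flooding
                            ipaddress.ip_address("10.1.5.10"): 2})   # ordinary user
    local_b = ISP("LocalB", [net("192.168.7.0/24")], parent=bb_b, compliant=False)
    bb_a.children.append(regional)
    regional.children.append(local_a)
    bb_b.children.append(local_b)
    return {isp.name: isp for isp in (bb_a, bb_b, regional, local_a, local_b)}


if __name__ == "__main__":
    topo = build_topology()
    # Constructed: a customer of LocalA is under attack and reports four sources.
    print(mitigate(["10.1.5.9", "10.1.5.10", "192.168.7.4", "172.16.0.1"], topo["LocalA"]))
    for isp in topo.values():
        for line in isp.log:
            print(line)
```

The confirmation step is the part that keeps a spoofed or mistaken report from turning into a block: only the ISP that can see the reported host's own traffic decides, and a report that nothing corroborates is logged and dropped rather than acted on.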

    1. Re:Automatic DDoS mitigation at backbone level by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      ISPs can already detect incoming DoS attacks and offramp them with existing tools and a few ISPs are now offering automated blocking to their enterprise customers. They can also easily generate a list of zombies in their network. The real problem is notifying infected machine owners and dealing with the customer service aspect costs too much money and is generally not worth the return.

  29. AOL's ISP is ATDN by jfengel · · Score: 4, Informative

    Actually, AOL's "ISP" is AOL Transit Data Network (ATDN), a related company. They're a "tier 1" provider, and they communicate directly with other tier 1 providers: AT&T, MCI, Level(3), Verio, GBLX, C&W, Verizon, etc. They're the guys who own the big continent- and ocean-spanning fiber optic networks.

    "ISP" usually refers to something more customer-facing than the tier 1 providers.

  30. Earthlink has broadband services by Andy+Dodd · · Score: 2, Informative

    Just like AOL, Earthlink has been making a huge push into broadband services.

    Remember, traditional AOL service is dialup too? No difference between Earthlink and AOL in this respect. Both are dialup providers that have begun a push into broadband service, and in Earthlink's case, even mobile phone service. (Earthlink is an MVNO that resells Verizon and Sprint service.)

    --
    retrorocket.o not found, launch anyway?
  31. Re:Where's the beef^h^h^h^hlist? by Fishstick · · Score: 2, Funny

    For me, the links don't show as underlined

    why, are you using AOL?

    *ducks*

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  32. Re:Who is publishing the best DUL/Broadband RBL? by PitaBred · · Score: 2, Interesting

    Yeah, because no one runs their own mail servers. Wait, I do, and I know many people that have mail and web servers on cable and DSL connections. That's what the Internet is about, you know, being able to connect to other people any way you want.

    That being said, one of the things we do is attempt a tit-for-tat connection to an email server... if someone tries to send us mail, we ask if they accept mail, and if so, there's a good chance that they've got a legit server. That cuts down on a ton of bad connections.

  33. Firewalling is not the answer. by Medievalist · · Score: 2, Insightful

    Sure, it's part of the answer, but if you don't keep your software patched up to date no firewall will help you.

    See, the point of being connected to the internet is to get email and access external resources. If you visit a web site that exploits your buggy browser, your firewall won't help you. If you click on an email that exploits your buggy mail client, your firewall won't help you.

    The primary means of infection for the most prevalent malwares is email. Firewalls don't prevent you from receiving email.

    That being said, you still should have a firewall. But keeping your OS and apps patched is even more important.

    Even patching+firewalling won't save you if you are stupid enough to run binaries from untrusted sources. A virus checker can help out with that, but it won't save you from brand-new virii.

  34. And if you add up the other domains Earthlink owns by tlambert · · Score: 2, Interesting

    And if you add up the other domains Earthlink owns, it's even higher in the list...

    http://webmail.atl.earthlink.net/wam/supported_domains/index.jsp

    -- Terry