50 ISPs Harbor Half of All Infected Machines
Orome1 writes "As the classic method of combating botnets by taking down command and control centers has proven pretty much ineffective in the long run, there has been lots of talk lately about new stratagems that could bring about the desired result. A group of researchers from the Delft University of Technology and Michigan State University have recently released an analysis of the role that ISPs could play in botnet mitigation — an analysis that led to interesting conclusions. The often believed assumption that the presence of a high speed broadband connection is linked to the widespread presence of botnet infection in a country has been proven false."
Well, since Verizon and Comcast harbor 10% of all user customer PCs all by themselves, this is not so impressive.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
They should go infecting machines, cleaning them, and distributing them to other machines. There is no other way, if we look at the nature. Diseases in body are cleaned similarly by defense cells that carry the cleansing information and multiply.
Read radical news here
"I say we take off and nuke the entire site from orbit. It's the only way to be sure."
I mean 50 is half of all the ISPs anymore anyways. Ta dit boom.
"the presence of a high speed broadband connection is linked to the widespread presence of botnet infection..... has been proven false."
What's this mean? That we can blame dialup users? The article hints that's the case when it says most infected computers are from poor households.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
I first read 50% of ISPs Harbor Half of All Infected Machines. But either way it's probably pretty close to the same thing.
That means that persuading just these 50 ISPs to begin implementing new, more efficient approaches for preventing and eradicating the infection could make a big dent in the botnet market.
Combat these botnets through some type of mandatory scan and removal tool from their ISP or Microsoft, and also through some tool installed with Windows Update that runs immediately. Not sure exactly how this would be accomplished, but it would be a start.
He who knows best knows how little he knows. - Thomas Jefferson
Is that too much to ask for? I'd love to block as many as I can.
Is that too much to ask for? I'd love to block as many as I can.
I don't think it is. And I'm not sure why there isn't a routing option that allows ISPs to apply a metric against a variable like "network naughtiness". Flapping routes can get blackholed -- why not naughtiness? How 'bout it science?
50 ISPs Harbor Half of All Infected Machines
Do 100 ISPs harbor all infected machines then?
The real shocking truth here is that one single OS harbors the vast majority of botnets and viruses. That OS should be the real target, not ISPs or poor users or something. Sheesh...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
A friend of mine who was tasked with looking after a university network years ago had a setup that worked well. When the user first connected, they were put in a sandbox, and thus not allowed outside access. They would be greeted with a web page stating that their computer was being scanned for ports well known for viruses and/or spyware. Once the scan was completed, which took about 60 seconds IIRC, they were allowed access to the Internet. Perhaps there is a way that ISPs could do the same sort of thing?
My site at home has been under a distributed hack attempt (a long list of IPs all trying to ssh in as root*) for days now. On the first day the attempts were quite frequent; approaching 1 per minute. Now on day 4 the attempts are trickling in as infrequently as one every 20 minutes. A system on a reasonably fast connection could on its own surpass the 1/minute barrier when running a dictionary password attempt through ssh if it wanted to; hence this looks like it could well be systems on slow connections. Add in that some IPs disappear for a while and then come back - as if the PC is logging off and then on again - and it certainly does look like a low-speed botnet.
* Naturally, my ssh denies all root attempts. Even if they got the password right they wouldn't know it, because the rejection would be the same. Other botnets have tried whitepages-style attacks using long lists of common user names and not matched any allowed users on my system as well.
** Yes I know I could just change my ssh port and much of this would go away. But I find it amusing and I have bandwidth to burn.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
One big problem with this logic is that it is based on IP addresses analyzed from captured spam. The problem with that is some major ISPs (including AT&T) are blocking access to out-of-network e-mail servers, and doing other things to make it difficult for even their legitimate customers to send legitimate e-mail. So this method of knowing where the botnets are would completely miss major botnets if they are unable to get spam out efficiently.
You may say "Why does that matter as long as the spam is stopped?", but it matters a lot. The machines are still infected and could be used for other things, from denial of service attacks to hosting and spreading kiddy porn to just watching for private data to go by (like banking information and credit card numbers) and report them directly back to the control system. Making major judgments about botnets based only on IP addresses seen in spam is short sighted and foolish. And it also assumes that all botnets are honest enough to not forge IP addresses. Any smart botnet could easily forge the IP address the spam is coming from, to make it that much harder to find. If a clever bot just changed the fourth or even third and fourth part of the IP address and replaced it with a random number, the botnet would look much larger than it really is and make it much harder to track back to the infected machine, but would not be easy to detect by comparing the supposed source IP and the SMTP server from outside the network.
I'm an American. I love this country and the freedoms that we used to have.
Without knowing if the 50 providers have more or less than 50% of all users, this could mean anything.
If these 50 providers provide 95% of the people, then bigger providers are GOOD against spammers. If these 50 providers provide 5%, then it is bad.
So it is absolutely meaningless information.
Don't fight for your country, if your country does not fight for you.
Zipf's law strikes again!
Customers don't go to the ISP that associates with spammers/botnets/etc because they don't want their own machines infected or suspected, or put on stupid SPEWS lists.
There is a simple solution to the problem. Unfortunately, being simple does not mean it is easy.
1) ISPs by default implement some basic filtering:
1a) do not allow access to port 25, save to their own servers
1b) do not allow inbound nor outbound access to certain "LAN only" type services (e.g. NFS, SMB/CIFS, etc.)
2) NOTA BENE: ISPs SHALL allow users to elect to bypass these filters, but:
2a) This shall require action on the part of the account owner.
2b) Upon doing so, the account owner SHALL be responsible for their actions
2b.i) The ISP SHALL provide a contact mechanism (e.g. WHOIS record for that IP) that notifies both the ISP and the account holder of abuses.
2b.ii) The ISP SHALL act on complaints if the user does not.
2c) The action to disable blocking SHALL be done in a way that prevents a bot from doing it (e.g. require a phone call to the ISP, or a Turing test, etc.)
3) ISPs SHALL look for "infected" behaviors, like port scans, BEFORE the traffic leaves their network (remember people, the term "firewall" comes from building codes, where a building is supposed to have MANY levels of firewall. ISPs should be no different).
3a) such behaviors SHALL be investigated, and potential infectees quarantined and the owners contacted.
4) ISPs SHALL be required to address complaints
4a) They SHALL be required to have an automated means to report such abuses. No, Web pages don't count.
4b) ISPs that fail to address complaints SHALL be listed in such a way that other entities can block them (e.g. DNS-RBLs).
For too long ISPs have been able to externalize the costs of infected machines. Obviously, any cost a business can externalize will be externalized, and thus the business won't handle it. The solution is to force the costs of infected machines to be internalized to the ISPs. They will, of course, bitch mightily about this - again, no business will allow a previously externalized cost to be internalized without a fight.
www.eFax.com are spammers
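The filtering and detection steps proposed above (port 25 only to the ISP's own relays, LAN-only services blocked both ways, an opt-out for account holders, and a look for scan-like behaviour before traffic leaves the network) can be sketched as code. The following is an added example, not code from the thread or from any ISP; the relay address, the port list, the flow records and the scan threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed values for the example; a real deployment fills these from the
# ISP's own inventory and tunes the thresholds to its traffic.
ISP_MAIL_RELAYS = {"198.51.100.25"}               # the ISP's own SMTP servers (rule 1a)
LAN_ONLY_PORTS = {111, 137, 138, 139, 445, 2049}  # portmap, NetBIOS, SMB/CIFS, NFS (rule 1b)


def default_filter_verdict(flow, opted_out=False):
    """Rules 1a/1b with the rule-2 opt-out. Returns (allowed, reason).
    flow is a dict with src, dst, dport and direction ("in" or "out")."""
    if opted_out:
        return True, "account holder opted out of default filtering"
    if flow["direction"] == "out" and flow["dport"] == 25 and flow["dst"] not in ISP_MAIL_RELAYS:
        return False, "port 25 only to the ISP's own mail servers"
    if flow["dport"] in LAN_ONLY_PORTS:
        return False, "LAN-only service blocked in both directions"
    return True, "default allow"


def find_port_scanners(flows, window_s=60, min_targets=10):
    """Rule 3: flag sources that touch many distinct (dst, port) targets inside a
    short window, which is what a scan looks like on the way out of the network.
    Applies regardless of opt-out. Returns {src: distinct_targets_in_best_window}."""
    by_src = defaultdict(list)
    for f in flows:
        if f["direction"] == "out":
            by_src[f["src"]].append((f["t"], (f["dst"], f["dport"])))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window_s}
            best = max(best, len(targets))
        if best >= min_targets:
            scanners[src] = best
    return scanners


def apply_policy(flows, opted_out_sources=frozenset()):
    """Run both checks over a batch of flows. Returns the blocked flows with the
    rule that blocked them, and the sources to quarantine under rule 3a."""
    blocked = []
    for f in flows:
        ok, why = default_filter_verdict(f, f["src"] in opted_out_sources)
        if not ok:
            blocked.append((f["src"], f["dst"], f["dport"], why))
    return {"blocked": blocked, "quarantine": sorted(find_port_scanners(flows))}


def build_sample_flows():
    """Constructed flow records (t is seconds): one customer probing SMB across a
    /24, one sending mail through the ISP relay, one sending direct to an outside MX."""
    flows = []
    for i in range(1, 21):  # 20 hosts probed on port 445 within 20 seconds
        flows.append({"t": i, "src": "203.0.113.10", "dst": f"192.0.2.{i}", "dport": 445, "direction": "out"})
    flows.append({"t": 30, "src": "203.0.113.11", "dst": "198.51.100.25", "dport": 25, "direction": "out"})
    flows.append({"t": 31, "src": "203.0.113.12", "dst": "198.51.100.99", "dport": 25, "direction": "out"})
    flows.append({"t": 32, "src": "203.0.113.12", "dst": "198.51.100.80", "dport": 443, "direction": "out"})
    return flows


if __name__ == "__main__":
    result = apply_policy(build_sample_flows())
    print("quarantine:", result["quarantine"])
    for entry in result["blocked"]:
        print("blocked:", entry)
```

The opt-out only lifts the default port filter; the scan check still runs for opted-out accounts, which is the point of rule 3 sitting behind rule 2. The sliding window is quadratic in the number of flows per source, fine for a batch example, not for a line-rate collector.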
Who are the 50? Publish the names and IP ranges and let the admins loose on them.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I guess that makes me lazy. Oh well.
It is possible. It's just unlikely that your email will be accepted. If you're sending from a "home/dynamic" range, then YOU have to take the extra steps to distinguish YOUR email from the (literally) BILLIONS of spam messages coming from that same range. Or you can blame the admins who have to deal with those BILLIONS of spam messages.
Again, billions of spam messages from those "home/dynamic" ranges. But blame the ISP.
Yep, that's one sentence. The simple solution is for YOU to find a mail relay service that will accept your conditions as a customer. I use Google. I don't have to connect to their servers on port 25 so I'm not blocked by the ISP's rules.
Again, it's easy to complain about "lazy" admins but the reality is that YOU have to distinguish YOUR email from the ocean of spam that those "lazy" admins deal with every day.
Or you can just rant on /. about it.
This whitepaper provides very little value without naming those ISPs that harbor the botnets. Why not name names?
indeed...i've had the unpleasant experience while traveling to need to set up a c2c wifi cnxtn on a pc that uses an at&t gsm dongle 4 its internet access:-P after enabling that network device to share its cnxtn, i setup a c2c.
then on my mac i connect...but then the pc tries 2 disconnect the gsm:-\ and after i'm finished w/ the cnxtn, the pc forgets it's a c2c, and adds it to its wireless list, making it unavailable 4 c2c, even tho i've told it 2 remember it...
no wonder micro$serfs r so sorry;-}
If you want a single unifying factor behind botnets, look for things like greed and the like on the part of the botmasters.
Unfortunately those are a lot harder to combat than technical measures against infected computers.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Cause it makes everyone money! This shit is so easy to stop, hell even my college does machine blocking, if you connect to our wifi on campus your machine will be directed to a browser window that runs a scan to make sure you have all current updates, virus protection, and that your machine is not infected. If you have an issue with one of those 3 then your machine is blocked and cannot login till the problem has been rectified.
ISPs don't do this, not because it would be too difficult for them to deploy or users to use; it's just not cost effective for them, hence they make more money from infected users than clean ones.
Your privacy and safety online is not a concern, only the bottom line.
Visit my Forums?
Quote from the actual article this is all referencing: Box 3. Bulk of all infected machines are located in the networks of well-known ISPs As far as we can tell, all ISPs harbor infected machines – ‘bots’ – in their networks. What is surprising, however, is that the bulk of the total global population of infected machines are located in the networks of well-established providers, the brand names that are familiar to the consumers in those countries. Of the tens of thousands of ISPs that provide Internet access, the 200 ISPs that collectively hold nearly 90 percent of the total market share in the wider OECD area account for more than 60 percent of all infected machines worldwide. Other service providers, such as hosting providers, university networks, corporate networks and application service providers contain a smaller share of all bots.
jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
Some ISPs monitor for common attacks like this and drop connections when they're detected - so it's not uncommon for botnets to deliberately limit their rates. It serves two advantages - first, it reduces the chance of slowing the infected machine's connection down, which makes the malware less likely to be detected by the machine's owner. Secondly, it allows these machines to slip under the radar of some of the ISPs that try to filter for them (but don't do a great job).
That said, 1 per minute suggests it's either a very small botnet or someone renting a little capacity on one of the bigger ones. If you were the target of a well developed one you'd see a lot more traffic than that. :)
** Yes I know I could just change my ssh port and much of this would go away. But I find it amusing and I have bandwidth to burn.
Do you also have your daily/weekly log reports set to separate the chaff from the wheat so you can distinguish between worrisome attempts and the background noise?
The biggest reason to move the port - it cuts down on the message log spam, which often drowns out more important information. If I see attempts on my custom port #, I know I need to take a closer look.
(Second biggest reason to move the port - just in case some clueless admin, myself included, manages to change SSH to allow login via passwords by accident.)
Wolde you bothe eate your cake, and have your cake?
Surprised nobody has suggested denyhosts yet. I used to get my port 22 knocked on at an average of once per second, for months. For convenience I didn't feel like changing my ssh port, and it didn't worry me much because it is my personal machine with root login turned off, and with good passwords on all other login accounts. But as someone else mentioned, it filled my logs and made it hard to notice the more important things... After installing denyhosts, the ssh dictionary attacks were blocked almost immediately and almost entirely.
The same is true for almost everyone. For a list of IPs too long for denyhosts to cover practically, try checking out ssh-faker.
I have a home server exposed to the wild internet by only port 22. It's an old machine, and it only allowed a single authorized user to log in, only with key authentication, not password. Nonetheless, the attacks would sometimes come in at such a rate that the CPU was pegged too high for the system to be usable for any of its primary functions (firstly being an Apache proxy through an ssh tunnel from work). I looked into a number of options to mitigate this CPU use, but none of them were as useful as using /etc/hosts.deny (the whole internet) and /etc/hosts.allow (my employer plus 192.168.1.*). I still get a few dozen logged messages every day to feel good when attacks are denied, but my CPU no longer gets pegged from authentication failures -- face it, denying an authentication doesn't cost much bandwidth, but it can take a few cycles to fail to authenticate a key.
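The reasoning in the thread about the slow, distributed ssh attempts (per-source counts, the overall rate staying under one attempt a minute, many IPs each contributing a little) and the denyhosts-style response (block a source once it crosses a failure threshold) can be run over sshd log lines directly. The following is an added example, not code from the thread or from denyhosts; the log excerpt, the addresses, the year and the thresholds are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sshd log excerpt in the usual syslog auth.log layout; the lines
# and addresses are made up for this example and are not from the thread.
SAMPLE_AUTH_LOG = """\
Nov 18 08:50:01 home sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 18 08:51:10 home sshd[4105]: Invalid user admin from 198.51.100.7 port 40022
Nov 18 08:51:11 home sshd[4105]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Nov 18 08:52:30 home sshd[4110]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov 18 08:53:05 home sshd[4112]: Failed password for root from 192.0.2.44 port 33001 ssh2
Nov 18 08:54:40 home sshd[4120]: Failed password for root from 203.0.113.5 port 51260 ssh2
Nov 18 08:55:02 home sshd[4125]: Accepted publickey for alice from 192.168.1.20 port 55555 ssh2
Nov 18 08:58:20 home sshd[4128]: Failed password for root from 192.0.2.44 port 33010 ssh2
Nov 18 09:10:00 home sshd[4130]: Failed password for root from 198.51.100.9 port 40100 ssh2
"""

# One failed authentication per "Failed password" line. "Invalid user" lines are
# the preamble to such a line, so they are deliberately not counted a second time.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_failures(log_text, year=2010):
    """Return (timestamp, username, source_ip) per failed login. Syslog lines
    carry no year, so the caller supplies one (2010 is assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def failures_per_source(events):
    """Failed attempts per source address."""
    return Counter(ip for _, _, ip in events)


def attempt_rate_per_minute(events):
    """Overall failed attempts per minute over the span the events cover."""
    if len(events) < 2:
        return 0.0
    stamps = sorted(ts for ts, _, _ in events)
    span = (stamps[-1] - stamps[0]).total_seconds()
    return len(events) * 60.0 / span if span > 0 else float("inf")


def hosts_deny_entries(events, threshold=3):
    """denyhosts-style output: one hosts.deny line per source at or over the
    failure threshold."""
    counts = failures_per_source(events)
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


def summarize(events, rate_threshold=1.0, min_sources=3):
    """Classify the activity the way the poster reasons about it: several sources,
    none dominating, at well under one attempt a minute, reads as a slow
    distributed attempt rather than a single fast brute-forcer."""
    counts = failures_per_source(events)
    rate = attempt_rate_per_minute(events)
    top_share = max(counts.values()) / len(events) if events else 0.0
    if len(counts) >= min_sources and top_share < 0.5 and rate < rate_threshold:
        pattern = "distributed-low-rate"
    elif top_share >= 0.5:
        pattern = "single-source"
    else:
        pattern = "mixed"
    return {
        "failures": len(events),
        "sources": len(counts),
        "rate_per_minute": round(rate, 3),
        "targeted_users": dict(Counter(u for _, u, _ in events)),
        "pattern": pattern,
    }


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_AUTH_LOG)
    print(summarize(ev))
    print("\n".join(hosts_deny_entries(ev)))
```

With the threshold at three failures only one of the four sources ends up in hosts.deny, which is the weakness the thread discusses: a slow distributed list of IPs stays under any per-source threshold, so the per-source block cuts log noise but the whole-log rate and source count are what tell you it is still going on.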
Or even the deprecated ssmtp with SMTP AUTH enabled.
AT&T lets these through with no problems.
Outlook supports it.
Thunderbird supports it.
Evolution supports it.
Gmail supports it for users that opt for a non-web MUA.
Yahoo supports it for users that opt for a non-web MUA.
And if I can get a bunch of lawyers that can't understand why filenames of the form foo.pdf.exe are bad to configure Outlook to do submission, you should be able to configure it yourself.
There is no reason for you to be sending SMTP in the clear and without authentication from your home machine unless you coughed up the $$$ for a static IP and a nice WHOIS record showing your contact information for that static IP. There is no reason for you to be receiving SMTP in the clear and without authentication to your home machine either.
Yes, there is plenty of other evil a compromised machine can do, but this is one small piece that makes sense as there are reasonable alternatives to sending SMTP in the clear and without authentication.
That said, 1 per minute suggests it's either a very small botnet or someone renting a little capacity on one of the bigger ones. If you were the target of a well developed one you'd see a lot more traffic than that. :)
I don't kid myself into thinking that my webserver is an important target. There is nothing of great value on there. I fully suspect that someone was trolling through a very long list looking for open SSH ports and picked up on my server; I am now on a long list of IPs that they try periodically when they have a chance. Likely they are just doing this trying to find more systems to add to their botnet...
If I had another IP address it would be fun to put a windows box up running cygwin openssh - then their attempts would be even more meaningless as they would be trying to log in to a root account that doesn't exist anyways (of course on that they would just enter through a different security hole...)
face it, denying an authentication doesn't cost much bandwidth, but it can take a few cycles to fail to authenticate a key.
That is true. However, at the rates that I am usually attacked the CPU usage is trivial. Denying one attack every minute (that is the high end) doesn't do much to my meager P4, and denying one every 20 minutes (as in at this moment) barely counts as noise.
If the attack frequency suddenly picked up dramatically - which I don't expect to happen on my server - then I would be concerned. But right now I'd say slashdot uses more of my home bandwidth (and CPU time) than the distributed attack does.
Forget about holding the ISPs responsible. There are some defective users and defective products allowing this to happen. If someone is found to be harboring a bot node on their home computer, hold them liable for statutory damages, much like the RIAA sues people for. If those people can demonstrate that they made a reasonable effort and followed accepted guidelines in maintaining their computers, then take the fight to the manufacturer, since the product is clearly defective. We need a New DMCA that holds digital content vendors accountable for flaws in their products at the same time it protects their intellectual property rights.
I'm rarely one to defend M$, either, but I don't see much excuse for people to be getting infested with malware that harms more than themselves. I was almost irritated at the "Your computer is at risk" balloon popping up in an XP VM, but then I thought about what a good thing that actually is. There's no excuse for someone who ignores that and gets infected. Heck, a remote kill-switch might be nice too-- not for the things M$ usually seems to want to implement such "features" over, but something that would knock a Windows PC into a reduced/controlled state if it was not current on patches, didn't have functioning and current AV software, or some form of infestation was detected. At the very least, frequent manual screening could be forced on unprotected computers in order to keep them fully functional. If you don't drop your trousers for the TSA (okay, that might be a few months into the future) in order to convince them that you're not a terrorist, you simply don't get to fly. Why shouldn't computers be held to some standard of safety, or they're not allowed on the internet?
Naturally, my ssh denies all root attempts. Even if they got the password right they wouldn't know it, because the rejection would be the same. Other botnets have tried whitepages-style attacks using long lists of common user names and not matched any allowed users on my system as well.
I usually recommend disallowing password-based authentication, and permitting only key-based logins.
Pirate Party UK
Kindly quit pulling random ports from your middle back pocket and get into the late 90s.
Use submission (port 587, SMTP + AUTH + TLS). Newsguy even supports it.
http://www.ietf.org/rfc/rfc2476.txt
http://tools.ietf.org/html/rfc4409
(I'd not favor smtps (465) as there is no requirement for smtp auth).
"Linux and MacOS machines have been around for a long time, and even if they represent a small (albeit growing) segment of the market, they're there and you'd think many pieces of malware would have cropped up on these platforms already." - by Rosco P. Coltrane (209368) on Thursday November 18, @08:50AM (#34267186)
They have though? Heh, and MacOS X was out there on T.V. essentially saying "I'm a Mac and you're a PC and you get malwares: I don't!" which is, of course, COMPLETE bullshit, because malwares & worms do exist for the Mac (and they are out there for Linux too)...
I mean, look at ANDROID (a Linux variant that's REALLY "Taking off" & doing well + will do even better per Steve Wozniak even -> http://tech.slashdot.org/story/10/11/18/1433244/Woz-Says-Android-Will-Dominate )!
Recently, it had a HUGE security hole in it, recently -> http://mobile.slashdot.org/story/10/11/14/0115255/Android-Holes-Allow-Secret-Installation-of-Apps
So please: Don't try to tell us that "MacOS X and Linux are 'secure'" because they are only *secure*, due to being less used... pure "security by obscurity" and once their market share went up (MacOS X especially)? So did attacks on them, and of the same nature as those on Windows (malware based).
Also? I mean, hey: I run Linux here (KUbuntu 10.10.x) and it gets security updates/patches every week... lots of them - it's NOT like its design is 110% perfect either "outta-the-box/oem-stock".
---
"Yet it just hasn't happened: there are some, but nowhere near what you'd expect if the latter OSes were as insecure as Windows." - by Rosco P. Coltrane (209368) on Thursday November 18, @08:50AM (#34267186)
WTF? You contradict yourself first of all, & secondly? Yes, it has happened, see above!
(I can produce MANY more to go with the examples above, easily... would you like the list of them? Just ask, and for BOTH MacOS X and Linux (I actually bookmark all these for reference as I find them for years now, call it a personal & professional interest, and for ALL OS', including Windows)).
What I wrote up above, which is VERY recent no less, IS merely proof it can be done to Linux & its variants just like MacOS X (which you already know exist) & yes, its BSD variants too!
(and could even more... So, just let that market share an OS enjoys, rise? The online criminals know it too, & target it, just like with Macs recently/lately/especially, and a Linux variant in Android... simple!)
Pity is? They're all decent Operating Systems nowadays, but they just need to be "Shored up" & about the ONLY GOOD THING about these malware makers is, they "point out" what needs "shoring up" (trying to make lemonade from lemons here on this subject is all, I don't like it anymore than you guys do (& I've cleaned out 1000's of systems in my time of malware infestations successfully for decades now)).
APK
P.S.=> Yes, the reason it doesn't happen MORE on Linux or MacOS X is VERY simple (IF you can think like a criminal, see my subject-line above): "Security-by-Obscurity", period. Less people use them, so they are less of a profitable target.
You've got to learn to "channel your inner criminal" really - think about pickpockets, for instance! They do NOT operate on "crowds of 1" generally, they operate in train & subway stations, crowded city streets, malls, & in general anyplace large numbers of people (victims) gather... online, what is the analog to those places as far as Operating Systems go? Windows... 90% of the market OR BETTER is why - more of a target possible, from a single attack codebase in a malware (of whatever form)... apk
Awesome post.
I just wanted to drill out a moderately insightful First Post.
(Look! Very little trolling this thread! "Correlation wants to be related to Causation!")
Glad to know my lightning guess wasn't ludicrous.
"50 ISPs Harbor Half of All Machines"
-- dnl
Last time I checked, 5.5% was way lower than 10%.
Glad that you're still feeling well. Yes, in FP category this was definitely a +5.
Sure, I'll grant you caught me on -1 Nationalism, but I did guess low with zero data and hoped.
The big surprise is I had no idea China had that many users.
The big surprise is I had no idea China had that many users.
It depends. Their standards of saying they are connected to the internet may differ from mine. I do not think this list requires true, unfiltered internet.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.