[Dshield] Interesting Zombie Data Graphs

Jeff Kell jeff-kell at utc.edu
Sun Nov 6 17:26:36 GMT 2005

Pete Cap wrote:
> --- Deb Hale <haled at pionet.net> wrote:
>>Humm!  Comcast - imagine that.  They have to be the
>>most loosely run company ever.  

> What gets me is that although Comcast must have
> millions of users, and although I'm sure they're
> moving many, many terabytes of data each day, it is
> not really a difficult problem to identify zombies.

The real problem with any major providers is that there isn't [yet] a proven, scalable support model to handle the results.

Sure, zombies can be identified easily enough, but then what?  Block them?  Then what - they are expected to call (yes, call; you shut their network access)?  How do you tell them to fix it?  The typical John Doe user won't have a clue.

Even here at the university, with our supposedly computer-literate user base, with Cisco Clean Access controlling network access checks which include current Norton definitions, we still end up with enough cases of 'fix it yourself, reload from CD, or bring it in' to keep the helpdesk queues fairly lengthy.  The recent plague of AIMbots (spread through AOL IM messages to 'click here') nailed about 3% of our supposedly scam-aware dorm population despite all of the protections above plus restrictive firewalling, neither of which are implemented by the major providers.  How many subscribers does Comcast have?  In the millions?  That's 30K infections per million users.  

It is difficult enough keeping the house clean even when you have extensive controls and restrictions over who/what/where access is permitted.  I have a hard time imagining the difficulties faced by a major ISP, where 'unfiltered, naked internet' access is expected and often demanded.  There has been some progress with spam control by blocking/restricting SMTP, but controls over more recent threats (bots) are tougher to maintain.
