[Dshield] Interesting Zombie Data Graphs

mjcarter@ihug.co.nz mjcarter at ihug.co.nz
Sun Nov 6 22:35:06 GMT 2005


I started a company with this problem in mind; ISPs do have
the ability to identify Zombies and other infections. But
most would not have the resource to handle the cleanup
themselves. Most of the time you won't be able to talk a
user through cleanup without spending hours on the phone and
there is always the danger of ending up with a dead system
due to misinterpreted instructions, language barriers,
wrong diagnosis, etc.

It is also resource intensive to have the customer "bring it
in". Do ISPs have the room or the staff to handle this? I
doubt that also, especially during a major event, so I
believe that their (the ISPs') best option is to shut off access
to their service. This way they can force the customer to
take action and call the helpdesk; they can then pass the
customer on to a service that specializes in these things.
Yes, there would be a fee, but users must take some
responsibility in keeping their systems clean and up to
date.

Regards
Mike

www.infosec.co.nz


> Pete Cap wrote:
> > --- Deb Hale <haled at pionet.net> wrote:
> >>Humm!  Comcast - imagine that.  They have to be the
> >>most loosely run company ever.
>
> > What gets me is that although Comcast must have
> > millions of users, and although I'm sure they're
> > moving many, many terabytes of data each day, it is
> > not really a difficult problem to identify zombies.
>
> The real problem with any major providers is that there
> isn't [yet] a proven, scalable support model to handle the
> results.
>
> Sure, zombies can be identified easily enough, but then
> what?  Block them?  Then what - they are expected to call
> (yes, call; you shut their network access)?  How do you
> tell them to fix it?  The typical John Doe user won't have
> a clue.
>
> Even here at the university, with our supposedly
> computer-literate user base, with Cisco Clean Access
> controlling network access checks which include current
> Norton definitions, we still end up with enough cases of
> 'fix it yourself, reload from CD, or bring it in' to keep
> the helpdesk queues fairly lengthy.  The recent plague of
> AIMbots (spread through AOL IM messages to 'click here')
> nailed about 3% of our supposedly scam-aware dorm
> population despite all of the protections above plus
> restrictive firewalling, neither of which are implemented
> by the major providers.  How many subscribers does Comcast
> have?  In the millions?  That's 30K infections per million
> users.
>
> It is difficult enough keeping the house clean even when
> you have extensive controls and restrictions over
> who/what/where access is permitted.  I have a hard time
> imagining the difficulties faced by a major ISP, where
> 'unfiltered, naked internet' access is expected and often
> demanded.  There has been some progress with spam control
> by blocking/restricting SMTP, but controls over more
> recent threats (bots) are tougher to maintain.
>
> Jeff