[Dshield] Interesting Zombie Data Graphs

Pete Cap peteoutside at yahoo.com
Mon Nov 7 01:58:17 GMT 2005

--- Jeff Kell <jeff-kell at utc.edu> wrote:
> The real problem with any major providers is that
> there isn't [yet] a proven, scalable support model
> to handle the results.
> Sure, zombies can be identified easily enough, but
> then what?  Block them?  Then what - they are
> expected to call (yes, call; you shut their network
> access)?  How do you tell them to fix it?  The
> typical John Doe user won't have a clue.
> Even here at the university, with our supposedly
> computer-literate user base, with Cisco Clean Access
> controlling network access checks which include
> current Norton definitions, we still end up with
> enough cases of 'fix it yourself, reload from CD, or
> bring it in' to keep the helpdesk queues fairly
> lengthy.  The recent plague of AIMbots (spread
> through AOL IM messages to 'click here') nailed
> about 3% of our supposedly scam-aware dorm
> population despite all of the protections above plus
> restrictive firewalling, neither of which are
> implemented by the major providers.  How many
> subscribers does Comcast have?  In the millions? 
> That's 30K infections per million users.  
> It is difficult enough keeping the house clean even
> when you have extensive controls and restrictions
> over who/what/where access is permitted.  I have a
> hard time imagining the difficulties faced by a
> major ISP, where 'unfiltered, naked internet' access
> is expected and often demanded.  There has been some
> progress with spam control by blocking/restricting
> SMTP, but controls over more recent threats (bots)
> are tougher to maintain.
> Jeff

Nah.  That's what everyone SAYS but nobody, so far as
I can tell, is innovating in this area.  Stop thinking
of protecting the home users--you're right, it's a big
job, probably impossible, so don't bother.  But if you
can track who is on what botnet...well, now you're
getting somewhere.  You can see if a well-placed
"deny" statement in the right router can interfere
with someone's botnet, or degrade his operations.  Or
you can assist law enforcement to nail the botherd. 
Everyone says "Meh, it can't be done!" but "they" have
always said that, and "they" have always been proven
wrong.  So I think it's worth a shot.
