
50 ISPs Harbor Half of All Infected Machines

samzenpus posted more than 3 years ago | from the dark-half dept.


Orome1 writes "As the classic method of combating botnets by taking down command and control centers has proven pretty much ineffective in the long run, there has been lots of talk lately about new stratagems that could bring about the desired result. A group of researchers from the Delft University of Technology and Michigan State University have recently released an analysis of the role that ISPs could play in botnet mitigation — an analysis that led to interesting conclusions. The often believed assumption that the presence of a high speed broadband connection is linked to the widespread presence of botnet infection in a country has been proven false."


140 comments

Duh. (3, Insightful)

TaoPhoenix (980487) | more than 3 years ago | (#34266846)

Well, since Verizon and Comcast harbor 10% of all user customer PC's all by themselves, this is not so impressive.

Re:Duh. (2, Insightful)

Chrisq (894406) | more than 3 years ago | (#34266892)

Well, since Verizon and Comcast harbor 10% of all user customer PC's all by themselves, this is not so impressive.

I was thinking the same thing. What percentage of all PCs do these 50 ISPs "harbour"? If it is around 50% there's no story.

Re:Duh. (4, Insightful)

realityimpaired (1668397) | more than 3 years ago | (#34266938)

I'm guessing far fewer than 50%... while I could be wrong, the point they're trying to make is that a handful of small ISP's which don't seem to pay attention to security are a major source of the problem.

While I know it'll have a bunch of the net neutrality folks up in arms, it's relatively trivial for an ISP to redirect all outgoing traffic on port 25 through their internal mail servers, and to run server-side anti-virus on all outgoing mail. They can go one further, and rather than blacklisting potential viruses, they can work off a whitelist of allowed senders (sender e-mail address, in the case of my ISP), and require secure authentication to relay. My own ISP does exactly that, and while somewhat draconian it doesn't really affect the average user, and, when coupled with a blacklist of known viruses, it does take a significant chunk out of the potential to cause harm to others if you get infected yourself.

Re:Duh. (3, Interesting)

mikael_j (106439) | more than 3 years ago | (#34267008)

Unfortunately I've worked for several ISPs that had the bad habit of enforcing the following:

  • Blocked outgoing connections on port 25 for all hosts except their own SMTP relay.
  • Required valid logins on the SMTP relay in order to send emails.
  • Draconian size limits on emails passing through the SMTP relay.
  • Low upper limit on number of emails per day through the relay.
  • Antivirus software that ripped all sorts of benign data from emails for no reason.

Let's just say there were plenty of issues with users who couldn't figure out how to set things up on their own, not to mention users who found out the hard way that large attachments caused their emails to bounce (somewhere in the 10-15 MiB range IIRC).

Personally I'd love if there was at least an option for completely unfiltered access (perhaps even proper reverse lookup to deal with the idiots who think reverse lookup is a good way to deal with spam (hint: it's not, way too many legit companies have multiple hostnames on their mail servers or use a third party's mail relay for this to work well, it just gimps email)). Now. I'm not saying this should be for everyone, filter by default but give users an option to turn the filter off completely but display an overly clear "don't do this unless you're absolutely certain you know what you're doing" message that includes a warning about how the ISP will shut them down in a nanosecond if they get any legit spam reports. That way those who really want/need unfiltered access can have it while the rest of the users can enjoy the walled garden.

Re:Duh. (2, Insightful)

AndGodSed (968378) | more than 3 years ago | (#34267114)

While I largely agree, I am of the opinion that large mails are a bad idea. That said, email is no longer a communication protocol, but an idea/data sharing platform.

Client side mail programs and the antivirus that go along with them tend to fail when dealing with large mails, so the technology has not caught up with the new usage patterns that are emerging.

This is especially true for areas where people do not have "true" broadband and the timeout issue crops up. What I have seen happening is that the mail client (Outlook especially) connects to the server and the timeout countdown begins. While the mail is being downloaded the antivirus intercepts the mail and starts scanning it. Outlook is not aware that this is going on, and if the mail is large enough and the line just that little too slow, the timeout limit is reached and the mail download fails.

So while I understand why people want to send large mails (I'd much prefer other file sharing applications and services) the way email and the client side programs work breaks the model.

Re:Duh. (1)

Albanach (527650) | more than 3 years ago | (#34267254)

Why would you want to send mail from a residential IP? The vast majority of big mail servers will simply block your messages. What's the point of email if you don't have reliable delivery?

If you want to access your own mail server running elsewhere, it should be trivial for it to allow inbound connections requiring smtp auth on a port other than 25.

Re:Duh. (3, Interesting)

mikael_j (106439) | more than 3 years ago | (#34267320)

Why would you want to send mail from a residential IP?

Because it should be possible.

The vast majority of big mail servers will simply block your messages.

I've found it's more like a minority, and I've even encountered a few that block large swaths of IPs that they have tagged as "residential/dynamic" but will let incoming emails through if there's a proper matching SPF record.

What's the point of email if you don't have reliable delivery?

It's only unreliable because some admins are lazy. And boy, it sure is fun when an IP that's been a static business IP for years suddenly gets blacklisted as "dynamic residential"...

If you want to access your own mail server running elsewhere, it should be trivial for it to allow inbound connections requiring smtp auth on a port other than 25.

It's still just a workaround that doesn't need to be done if the ISP handles its network properly instead of just randomly blocking ports for shits and giggles. And most only block outgoing port 25 so it's pretty easy to set up your MTA to send via their relay and run the MTA locally anyway, but this still retains the problem of the ISP filtering and messing with outgoing email (as well as the potential loss of outside access if their SMTP relay decides to go down, and I've seen enough ancient Solaris machines handling customer email to have a strong distrust of ISP SMTP relays, it shouldn't be "normal" for it to go down at least 1-2 times per week if you have tens of thousands of customers).

Re:Duh. (1)

Albanach (527650) | more than 3 years ago | (#34267428)

Sending mail should be possible - use your ISPs smart host. I don't see any advantage for you in being able to directly connect to other mail servers from a residential IP, and can see lots of disadvantages where ISPs permit it en masse.

Have you ever run a mailserver for a business? It's not lazy to have tight spam controls - it's business sense. Spam costs money. For a couple of hundred accounts I see days with over 150,000 spam messages coming in. Users couldn't do their job if that were to be landing in their inbox. Filtering residential IPs will knock off 90% of that spam.

There's nothing random about blocking port 25, and no one is doing it for shits and giggles. I'm all for ISPs allowing the port to be opened for a customer where they request it, but seriously, as long as they provide a reliable SMTP server that you can use as a relay, the cost to the end user is almost nil.

Re:Duh. (1)

mikael_j (106439) | more than 3 years ago | (#34267526)

Sending mail should be possible - use your ISPs smart host.

Yes, I already run my own MTA at home, it just bugs me that I'm being sold an internet connection that is limited by my ISP.

I don't see any advantage for you in being able to directly connect to other mail servers from a residential IP, and can see lots of disadvantages where ISPs permit it en masse

From my point of view there are definitely advantages.

Have you ever run a mailserver for a business? It's not lazy to have tight spam controls - it's business sense. Spam costs money. For a couple of hundred accounts I see days with over 150,000 spam messages coming in. Users couldn't do their job if that were to be landing in their inbox. Filtering residential IPs will knock off 90% of that spam.

Yes I have. And of course spam filtering makes sense. But our spam filtering doesn't just rely on "ooh! this IP is in our 'residential' list! let's drop/bounce it!" but we have had issues with others blacklisting our primary external mail server's IP as a "residential" IP thereby making it impossible for us to send emails to them (and of course when we, one of their clients call them about it they immediately assume we're the ones who have somehow blacklisted ourselves by changing the blacklist they keep on their server).

There's nothing random about blocking port 25, and no one is doing it for shits and giggles. I'm all for ISPs allowing the port to be opened for a customer where they request it, but seriously, as long as they provide a reliable SMTP server that you can use as a relay, the cost to the end user is almost nil.

In my experience there are plenty of lazy ISPs out there who take the "how much shit can we block without overwhelming tech support" approach to port blocking. One that used to be the fastest available where I live (thankfully not anymore) blocked incoming traffic on a number of ports (including incoming on 25) and was extremely tight-lipped about which ports it was blocking, instead preferring to simply state that the blocked ports shouldn't affect "normal internet use".

Another problem with the outgoing SMTP relays is of course that through work I've seen a number of extremely underpowered such beasts serving lots of customers and the solution to the machine being underpowered hasn't been to spend a little money on something to replace the 15 year old SPARC. No, it's to supplement the spam filter (for outgoing mail) with a filter that strips all attachments that match certain criteria (like filename ends with pdf|js|exe|gz|bz2|and so on) to ease the load. Of course this creates issues for the users but the users can't do anything about it since they're locked in to the ISP's SMTP relay (and then there are the spam filters that edit the message thus breaking formatting or character encoding, that's another fun one).

You're assuming the server is reliable, in my (professional) experience it rarely is.

Re:Duh. (0)

Anonymous Coward | more than 3 years ago | (#34269450)

You have options, many ISPs will allow unrestricted traffic if you have a static IP. I know a company I was dealing with 'upgraded' their DSL package on Verizon and removed the static IP to save money. They suddenly couldn't send mail properly from their remote office using some old software that wouldn't use anything other than port 25.

A call to Verizon later, static IP added, modem power cycled, everything working again.

If that doesn't work you could do a colocation or cheap rented (virtual) server somewhere to run your mail.

Re:Duh. (2, Informative)

tlhIngan (30335) | more than 3 years ago | (#34269382)

There's nothing random about blocking port 25, and no one is doing it for shits and giggles. I'm all for ISPs allowing the port to be opened for a customer where they request it, but seriously, as long as they provide a reliable SMTP server that you can use as a relay, the cost to the end user is almost nil.

Use port 587 with SMTP AUTH. Gets around outgoing 25 blocks. It's not "open" in that you have to authenticate with the SMTP server so you're accountable for traffic using your credentials. If you colo you can set it up on your colo box, or I'm sure webhosts would love to sell you that service as well. Most SMTP servers these days support it, and you can block relaying and incoming 25 traffic.

http://en.wikipedia.org/wiki/SMTP_Authentication [wikipedia.org]

Re:Duh. (0)

Anonymous Coward | more than 3 years ago | (#34267514)

Calling admins lazy without first understanding their workload and work environment is - well - lazy thinking. Sure, with plenty of time and no other business pressures more admins would probably do more work. However they are always being tasked to do "more with less" and watching their colleagues get laid off while they have more and more things to manage.

Guess I'm lazy then. (1)

khasim (1285) | more than 3 years ago | (#34267652)

It's only unreliable because some admins are lazy.

I guess that makes me lazy. Oh well.

Because it should be possible.

It is possible. It's just unlikely that your email will be accepted. If you're sending from a "home/dynamic" range, then YOU have to take the extra steps to distinguish YOUR email from the (literally) BILLIONS of spam messages coming from that same range. Or you can blame the admins who have to deal with those BILLIONS of spam messages.

It's still just a workaround that doesn't need to be done if the ISP handles its network properly instead of just randomly blocking ports for shits and giggles.

Again, billions of spam messages from those "home/dynamic" ranges. But blame the ISP.

And most only block outgoing port 25 so it's pretty easy to set up your MTA to send via their relay and run the MTA locally anyway, but this still retains the problem of the ISP filtering and messing with outgoing email (as well as the potential loss of outside access if their SMTP relay decides to go down, and I've seen enough ancient Solaris machines handling customer email to have a strong distrust of ISP SMTP relays, it shouldn't be "normal" for it to go down at least 1-2 times per week if you have tens of thousands of customers).

Yep, that's one sentence. The simple solution is for YOU to find a mail relay service that will accept your conditions as a customer. I use Google. I don't have to connect to their servers on port 25 so I'm not blocked by the ISP's rules.

Again, it's easy to complain about "lazy" admins but the reality is that YOU have to distinguish YOUR email from the ocean of spam that those "lazy" admins deal with every day.

Or you can just rant on /. about it.

Re:Duh. (1)

John Hasler (414242) | more than 3 years ago | (#34267430)

> Why would you want to send mail from a residential IP?

CenturyLink's mail service is managed by incompetent boobs (they contract it out to some outfit called "Bigfoot"). Fortunately, Newsguy provides me with excellent service. However, this requires me to connect to Newsguy's mail servers via SMTP.

Re:Duh. (1)

Albanach (527650) | more than 3 years ago | (#34267518)

It's trivial to allow authenticated smtp connections on a port other than 25.

Newsguy allows you to connect to them on 110, 8100, 995 (SSL) / 25, 8025, 465(SSL)

I fail to see why your ISP blocking 25 should impact you.

Re:Duh. (1)

StuartHankins (1020819) | more than 3 years ago | (#34267400)

large attachments caused their emails to bounce (somewhere in the 10-15 MiB range IIRC)

If you're sending 10MB attachments via email, you're doing it wrong. Most email servers have an upper limit around 10 MB... converting that email attachment to email format makes it about 30% larger... so anything over 7.5 MB can be problematic.

Email was never designed for large attachments. Send a link. Use FTP. Find another method out of the 10,000 different ways you could do this.

Re:Duh. (1)

mikael_j (106439) | more than 3 years ago | (#34267436)

Great, you have a plethora of solutions (as do I), now please explain to someone who spends his/her days using Internet Explorer, Outlook, Excel and a handful of other "office drone tools" how to upload files to an FTP server. Oh btw, if it isn't done in exactly the same way as creating an attachment in Outlook they will never learn. These are the kind of people who call and mail software developers to complain when the "Print" and "Save" buttons have swapped places because they "can't find the print button" anymore...

Re:Duh. (1)

StuartHankins (1020819) | more than 3 years ago | (#34267952)

At work we have setup externally hosted FTP and granted rights to over a dozen users explicitly for this purpose. Our auditors use it to collaborate with our Finance and Accounting departments. They use the built-in Windows tools to accomplish this. So yes it can be done, by nontechnical personnel, in a corporate environment, with minimal effort.

Re:Duh. (0)

Anonymous Coward | more than 3 years ago | (#34268512)

If you're sending 10MB attachments via email, you're doing it wrong. Most email servers have an upper limit around 10 MB... converting that email attachment to email format makes it about 30% larger... so anything over 7.5 MB can be problematic.

FYI, the limits vary wildly and are entirely up to the admin (as noted). I've seen anything from limits as small as 1MB, but 25MB and 50MB limits are becoming more and more common. GMail allows 25MB. Our internal mail server allows 50 or 60MB. The 15-30 range seems to be more and more common.

But, as always with SMTP, you're limited to the lowest limit along all the hops. Which is usually your outbound SMTP server and the inbound SMTP server on the other end, but there might be content filtering servers or load balancing servers between you and the destination mailbox.

Re:Duh. (1)

WuphonsReach (684551) | more than 3 years ago | (#34268726)

Personally I'd love if there was at least an option for completely unfiltered access (perhaps even proper reverse lookup to deal with the idiots who think reverse lookup is a good way to deal with spam (hint: it's not, way too many legit companies have multiple hostnames on their mail servers or use a third party's mail relay for this to work well, it just gimps email)).

Yes, it's called a business class account with a static IP. Or a dedicated line like a T1/etc. With those, you can do whatever you want and I've never had an ISP filter ports or care about how much bandwidth I'm using.

The ship of "I should be able to do whatever I want on a residential IP address" has sailed. And been sunk. Then covered over with sediment and very small rocks that don't float. It's a dead concept and unless you start up your own ISP, you have to live with it. Your friends and neighbors have destroyed that with their desire to click on shiny things that show up in their inbox. As a result, a lot of admins have pretty much decided that 99.99% of what comes from residential/dynamic IPs is garbage (because it is).

Move on, get a virtual private server or a co-lo or a dedicated server in a data center with a clean IP range. Or take a risk with a business class account with static IP. Or just farm your SMTP/IMAP work out to a 3rd party ($10/mo easily gets you a few dozen GB worth of mail storage on an IMAP server).

Re:Duh. (1)

John Hasler (414242) | more than 3 years ago | (#34267484)

...the point they're trying to make is that a handful of small ISP's which don't seem to pay attention to security are a major source of the problem.

No. Quite the opposite. A small number of very large ISPs are a major source of the problem.

Re:Duh. (1)

delvsional (745684) | more than 3 years ago | (#34268136)

Leave my fucking e-mail alone.

Re:Duh. (2, Interesting)

Albanach (527650) | more than 3 years ago | (#34266952)

Do either of them filter outbound smtp?

It still amazes me that residential broadband connections don't filter this as standard. I guess while it's technically easy, it's all about cost, and it's cheaper to leave a customer running an infected machine than have them call your helldesk.

Re:Duh. (1)

icebraining (1313345) | more than 3 years ago | (#34267260)

Filter, or block? I run my own mail server, you insensitive clod!

Re:Duh. (1)

Albanach (527650) | more than 3 years ago | (#34267470)

Filter, or block? I run my own mail server, you insensitive clod!

$ vi /etc/postfix/main.cf

relayhost = smtp.example.com
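A fuller version of the two approaches discussed in this thread (Albanach's relayhost, and tlhIngan's port 587 with SMTP AUTH), written as an added Postfix example rather than configuration from any poster. The hostnames relay.isp.example and mail.colo.example, the account user@isp.example and the password placeholder are assumed.

```conf
# --- Home MTA, /etc/postfix/main.cf ---
# Hand every outbound message to the ISP's relay on the submission port,
# authenticated and over TLS, so an outgoing port 25 block is irrelevant.
relayhost = [relay.isp.example]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

# --- Home MTA, /etc/postfix/sasl_passwd (run: postmap /etc/postfix/sasl_passwd) ---
# Credentials for the relay above; the password is an assumed placeholder.
[relay.isp.example]:587 user@isp.example:CHANGE_ME_PLACEHOLDER

# --- Server at the colo/webhost (mail.colo.example), /etc/postfix/master.cf ---
# Open 587/tcp for authenticated clients only: TLS is mandatory, and any
# client that has not authenticated is rejected before it can relay.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# --- Same server, /etc/postfix/main.cf ---
# The plain 25/tcp listener still accepts inbound mail for the server's own
# domains but relays only for local networks or authenticated senders.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
```

A residential client then never needs port 25 open outbound, and the colo server's abuse exposure is limited to accounts whose credentials are in use, which is the accountability tlhIngan describes.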

Re:Duh. (1)

Kvasio (127200) | more than 3 years ago | (#34267376)

hey Americano, are you thinking 10% nationwide or globally?
Because bots (hope this is not a shocker for you) are a global problem.

And 10% of global PCs with broadband in Verizon? I don't think so.

Re:Duh. (0)

Anonymous Coward | more than 3 years ago | (#34268904)

Well, since Verizon and Comcast harbor 10% of all user customer PC's all by themselves, this is not so impressive.

Didn't know they operated outside the USA.
Or, if they don't, I had no clue that (1) these two together have the entire market of US customer pc's and (2) the US actually has 10% of all customer pc's on the internet.

Or perhaps the results aren't as obvious as you think they are...

Use similar viruses/code to cleanse them. (1)

unity100 (970058) | more than 3 years ago | (#34266860)

They should go infecting machines, cleaning them, and distributing them to other machines. There is no other way, if we look at nature. Diseases in the body are cleaned similarly by defense cells that carry the cleansing information and multiply.

Re:Use similar viruses/code to cleanse them. (0)

Anonymous Coward | more than 3 years ago | (#34266912)

Robert Tappan Morris thought basically the same idea would be a good one and look what it got him. LOOK WHAT IT GOT ALL OF US. For all we know what you propose to do would destroy the entire world.

Re:Use similar viruses/code to cleanse them. (1)

delinear (991444) | more than 3 years ago | (#34267090)

What it got him? According to the Wikipedia article, he did hundreds of thousands of dollars of damage yet was fined only $10,000 and escaped jail time and instead was given community service. Since then it looks like he's had a pretty full and rewarding career in the industry. I agree what he unleashed was bad for the world (although if not him, someone else would have done it soon), but from a personal perspective it doesn't seem to have done him too much harm - he was even awarded tenure at MIT, the very university he released the worm from to disguise the fact that it actually came from a grad student at Cornell!

Re:Use similar viruses/code to cleanse them. (0)

Anonymous Coward | more than 3 years ago | (#34267226)

Oh, come on. The key thing missing here is permission of the user. Thus, the only thing that would have to change in order to make the effort legitimate is to put up a big dialog box saying "Do you want to get rid of the virus on your computer? Cancel or Allow?"

That should clean up about half of the machines.

Re:Use similar viruses/code to cleanse them. (1, Informative)

Anonymous Coward | more than 3 years ago | (#34266950)

Umm...somebody tried this a number of years ago. It was called the W32.Welchia worm. It tried to download and install a well-known security patch from Microsoft,

It didn't make anyone particularly happy, particularly security admins.

Re:Use similar viruses/code to cleanse them. (1)

gman003 (1693318) | more than 3 years ago | (#34267078)

It angered people mostly because it spread so effectively that it clogged the Internet. If you coded one properly, such that it spread slowly and didn't try to reinfect machines, I think it would be viewed in a much more positive light.

Re:Use similar viruses/code to cleanse them. (1)

bvimo (780026) | more than 3 years ago | (#34267406)

I got caught by Welchia following a reinstall of Windows 2000. I forgot to install a firewall before getting the updates from MS. It took about 30 minutes before Welchia installed itself.

Obvious solution (3, Funny)

qbast (1265706) | more than 3 years ago | (#34266880)

"I say we take off and nuke the entire site from orbit. It's the only way to be sure."

Re:Obvious solution (0)

Anonymous Coward | more than 3 years ago | (#34267012)

Game over man, Game Over!

Re:Obvious solution (1, Redundant)

natehoy (1608657) | more than 3 years ago | (#34267084)

"Meme over, man! Meme over!"

Re:Obvious solution (1)

couchslug (175151) | more than 3 years ago | (#34267156)

"I say we take off and nuke the entire site from orbit. It's the only way to be sure."

The problem is trying to find a technical solution to a personal problem. Users will not exert the effort to make their machines secure unless and until they perceive a destructive threat to their personal PC.

We need destructive malware in abundance, so improperly secured machines are taken out of action and the remaining ones build an immune response. Since most computers are used for entertainment, no great loss if a bunch of them get blown away.

Re:Obvious solution (1)

Shark (78448) | more than 3 years ago | (#34267252)

We're a small ISP and we pretty much do just that. We do not filter extensively, we are very quick to respond to abuse@ emails and disable whichever customer is infected instantly. It really didn't take long before most of our user base made the connection: Infected pc = disabled Internet.

Overall, I think the cost of educating our users was the cheapest alternative. I really don't get why other ISPs don't see it that way.

Re:Obvious solution (1)

qbast (1265706) | more than 3 years ago | (#34267390)

I wonder how much of your user base blames you instead. After all, other ISPs used by their friends never notify them about infections, so obviously your security sucks if you allow this many viruses through.

Re:Obvious solution (0)

Anonymous Coward | more than 3 years ago | (#34267818)

Large ISPs would have a problem with this. Their support is too disconnected from their network operations. A connection would be taken down due to infection, the user would call "support" and the support would have no idea why it was down or what to do about it. They'd check "the bulletin board" and report "no, there are no outages in your area." The user would spend a couple of hours on the phone with various call center reps before they finally got to someone who could tell them that the connection was disabled due to an infected machine. Hell, just two days ago I got a new MiFi on Verizon (corporate account, they were replacing an older AirCard for free and they did hundreds of ours the same week). I call the number listed to activate and get told that I don't know my own address (which I am reading to them right off of the "customer receipt" - it is the damn address they sent the device to.) Since I apparently don't know my address, they want the corporate Tax ID. Like I would know that! I am in IT not tax accounting. I hung up after 20 minutes because I was getting frustrated and snarky. I talked to our internal guy who deals with this account and found he was having a terrible time with this - apparently Verizon was rolling calls over from their business support to their retail support without any notice. 9 out of 10 of our corporate activation calls was going to someone who absolutely could not help us at all - didn't even have access to the correct database. Yes - this is how large ISPs operate. The next day, I call again and they stopped rolling the calls over. Got the actual corporate folks and it took 3 minutes to activate.

You don't want a large ISP dorking with your connection because it will be a cold day in hell when you will be able to get it fixed in a reasonable time.

Makes sense (1)

suso (153703) | more than 3 years ago | (#34266894)

I mean 50 is half of all the ISPs anymore anyways. Ta dit boom.

Re:Makes sense (0)

Anonymous Coward | more than 3 years ago | (#34266986)

"The networks of just 50 ISPs account for around half of all infected machines worldwide," say the researchers. "This is remarkable, in light of the tens of thousands of entities that can be attributed to the class of ISPs.

Re:Makes sense (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34267040)

The study (linked to from the fine article) was of 200 ISPs, so 25% of ISPs are responsible for 50% of infected machines. Not surprising at all.

Re:Makes sense (1)

icebraining (1313345) | more than 3 years ago | (#34267306)

25% of ISPs, but not necessarily 25% of users.

Dialup Users? (0)

commodore64_love (1445365) | more than 3 years ago | (#34266908)

"the presence of a high speed broadband connection is linked to the widespread presence of botnet infection..... has been proven false."

What's this mean? That we can blame dialup users? The article hints that's the case when it says most infected computers are from poor households.

Re:Dialup Users? (2, Insightful)

icebraining (1313345) | more than 3 years ago | (#34267198)

Not linked with high speed broadband != Linked with dial-up.

And low education is not necessarily linked with dial-up. Here in Portugal we have 12mbps for 20/month, which is affordable by most people, and yet we have terrible education levels compared to the rest of the EU (81% of the working population only have lower basic education levels).

Re:Dialup Users? (1)

commodore64_love (1445365) | more than 3 years ago | (#34267638)

"No Speak Americano" ;-)

But serious: You're right that I jumped to a bad conclusion where poor==dialup. (hits self). Here's what the article actually concludes: "Higher education levels in a country are also conducive to a lower level of infection." And vice-versa presumably.

50 or 50%? (0, Redundant)

paintballer1087 (910920) | more than 3 years ago | (#34266918)

I first read 50% of ISPs Harbor Half of All Infected Machines. But either way it's probably pretty close to the same thing.

Re:50 or 50%? (1)

John Hasler (414242) | more than 3 years ago | (#34267240)

NO, it's 50 ISPs. This is significant because it had been claimed by some that most bots were distributed among the thousands of small (and supposedly poorly run) ISPs. The fact that most bots connect via a small number of large ISPs means that changes in policy at those ISPs can have a large impact.

aggressive removal tactics (1)

digitaldc (879047) | more than 3 years ago | (#34266944)

That means that persuading just these 50 ISPs to begin implementing new, more efficient approaches for preventing and eradicating the infection could make a big dent into the botnet market.
Combat these botnets through some type of mandatory scan and removal tool from their ISP or Microsoft, and also through some tool installed with Windows Update that runs immediately. Not sure exactly how this would be accomplished, but it would be a start.

Re:aggressive removal tactics (2, Informative)

Spad (470073) | more than 3 years ago | (#34267022)

You mean like the Malicious Software Removal Tool [microsoft.com] which is already offered through Windows Update as a critical update? Or Microsoft Security Essentials [microsoft.com] which either is or will shortly be available through Windows Update as a recommended update?

Re:aggressive removal tactics (1)

digitaldc (879047) | more than 3 years ago | (#34267058)

Yes, indeed. MS Security Essentials now seems like it will become a mandatory part of the Windows OS.

Re:aggressive removal tactics (1)

darksabre (250838) | more than 3 years ago | (#34267394)

Err, no. First of all it is an optional update through Microsoft Update, not Windows Update. So the user has to have chosen to switch to Microsoft Update, which will update other MS software installed on the PC, e.g. Office. Secondly it is only offered to users who are not already running A/V software.

Re:aggressive removal tactics (0)

Anonymous Coward | more than 3 years ago | (#34267434)

By the way, Security Essentials is pretty good as far as AV software goes.

Re:aggressive removal tactics (1)

natehoy (1608657) | more than 3 years ago | (#34267158)

Or Norton Security Suite, which is available for free for Comcast subscribers?

OK, so it's not mandatory, but at least it's free, and you gave me the opening to mention it for any Comcast users who might not be running current AntiVirus to save money (or might be wasting money buying a Norton subscription when a FREE one is readily available to them).

No more excuses, my fellow Comcasters, it's FREE (*).

http://security.comcast.net/norton/resi/?cid=NET_33_258 [comcast.net]

(*) "FREE" means "included with your overpriced, overthrottled Comcast connection". But you're dropping the big bucks on your craptastic connection anyway, you might as well take full advantage of the stuff they want to throw at you as part of it. Say what you will about Norton, but it's a shitload better than nothing, which is what most people are currently using. So if you know someone on Comcast who is running unprotected, send them this link and tell them to install it. Now.

Most ISPs offer some form of free or discounted AntiVirus.

Re:aggressive removal tactics (1)

Spad (470073) | more than 3 years ago | (#34267944)

Say what you will about Norton, but it's a shitload better than nothing

A false sense of security is worse than no security at all :)

Re:aggressive removal tactics (1)

Seth Kriticos (1227934) | more than 3 years ago | (#34267190)

And you think our average Joe even knows what the Windows Update Center is, goes there, checks the optional updates, selects the software and installs it?

Really? I'd like to see that.

IMO, unless that thing comes as a critical update that installs without question, it could as well not be there at all. It makes nearly no difference.

Re:aggressive removal tactics (1)

Chris Tucker (302549) | more than 3 years ago | (#34267662)

"Combat these botnets through some type of mandatory scan and removal tool from their ISP or Microsoft, and also through some tool installed with Windows Update that runs immediately."

I run Mac OS X, you insensitive clod!

Is there a list? (1)

fatbuckel (1714764) | more than 3 years ago | (#34266970)

Is that too much to ask for? I'd love to block as many as I can.

Re:Is there a list? (should be) (1)

stylewar (1942908) | more than 3 years ago | (#34267004)

Is that too much to ask for? I'd love to block as many as I can.

I don't think it is. And I'm not sure why there isn't a routing option that allows ISPs to apply a metric against a variable like "network naughtiness". Flapping routes can get blackholed -- why not naughtiness? How 'bout it science?

Not 100% (0)

Anonymous Coward | more than 3 years ago | (#34267006)

50 ISPs Harbor Half of All Infected Machines

Do 100 ISPs harbor all infected machines then?

Wrong way of looking at the problem (3, Interesting)

Rosco P. Coltrane (209368) | more than 3 years ago | (#34267046)

The real shocking truth here is that one single OS harbors the vast majority of botnets and viruses. That OS should be the real target, not ISPs or poor users or something. Sheesh...

Re:Wrong way of looking at the problem (2, Insightful)

stylewar (1942908) | more than 3 years ago | (#34267072)

guns don't kill people--- people kill people. Fix the OS, and botnets will pop up on a different OS. Botnets exist because of ignorance, not operating systems.

Re:Wrong way of looking at the problem (2, Interesting)

Rosco P. Coltrane (209368) | more than 3 years ago | (#34267186)

Fix the OS, and botnets will pop up on a different OS

That is indeed the common wisdom. However, somehow I'm not convinced that's entirely true: Linux and MacOS machines have been around for a long time, and even if they represent a small (albeit growing) segment of the market, they're there and you'd think many pieces of malware would have cropped up on these platforms already. Yet it just hasn't happened: there are some, but nowhere near what you'd expect if the latter OSes were as insecure as Windows.

The other wisdom is that Windows is insecure because Windows users don't know jack squat and can't take care of their own security. That too I think isn't true: there are a lot of Windows users who can and do take precautions, and set up accounts with limited rights and whatnot. It goes a long way to curb malware infestations, yet those Windows boxes still get infected. At any rate, if indeed Windows is insecure because it has to stay simple, it means that in 25 years Microsoft still hasn't figured out a way to cater to noobs without compromising security, which is pathetic.

There's a reason why running an antivirus and a firewall is an absolute necessity only on Windows...

Re:Wrong way of looking at the problem (1)

antifoidulus (807088) | more than 3 years ago | (#34267356)

It isn't just catering to "noobs" that causes Windows to be insecure, it's very much the culture of Microsoft itself. Microsoft managers are still stuck in the late 90s mentality that their biggest competitor is themselves. The managers constantly try to backstab each other and refuse to work together on almost anything, and thus security, much like every other component of the OS, is an incoherent, bloated mess. Take the firewall settings in Windows XP for example. There are no less than 3....THREE! different places in the OS to change firewall settings, and the way they interact and overrule each other is not at all intuitive. It's not just Windows that has this problem, every single group at Microsoft seems to suffer from this. For example the simultaneous development of 3 different, incompatible, mobile device OSs, or 2 different, incompatible, DRM standards, or the fact that the Windows interface is incredibly inconsistent etc.

Windows will not get more secure until the stockholders demand a total housecleaning of Microsoft's senior execs and actually replace them with people who can, oh I don't know, MANAGE! The fact that the stockholders haven't called for Ballmer's head yet is just baffling.

Re:Wrong way of looking at the problem (0)

Anonymous Coward | more than 3 years ago | (#34268282)

Is it the culture of Microsoft or the culture of its users though? Once you install some basic anti-virus software and teach the user not to run random .exe files, virus infection rates drop.

Heck, just look at the /. reader base. How many readers do you think use Windows and don't suffer from viruses?

Re:Wrong way of looking at the problem (2, Insightful)

moeluv (1785142) | more than 3 years ago | (#34267558)

I won't dispute that Windows has its share of holes; that is true. The thing is they end up being found more often because 90% of PCs run it. If Linux or macOS had that market share they would be put under the same magnifying glass by exploit writers. It's the same reason that more legit software is written for Windows than macOS or Linux. The writers want as wide a distribution as possible.

Re:in 25 years Microsoft still hasn't figured out. (1)

airdrummer (547536) | more than 3 years ago | (#34267716)

indeed...i've had the unpleasant experience while traveling to need to set up a c2c wifi cnxtn on a pc that uses an at&t gsm dongle 4 its internet access:-P after enabling that network device to share its cnxtn, i setup a c2c.

then on my mac i connect...but then the pc tries 2 disconnect the gsm:-\ and after i'm finished w/ the cnxtn, the pc forgets it's a c2c, and adds it to its wireless list, making it unavailable 4 c2c, even tho i've told it 2 remember it...

no wonder micro$serfs r so sorry;-}

Re:Wrong way of looking at the problem (1)

StuartHankins (1020819) | more than 3 years ago | (#34267592)

Nope, that's the Microsoft apologist way of thinking.
  • UNIX and Mac have been around longer than Windows and do not require antivirus, anti-malware or malicious software removal tools.
  • Linux is newer but still does not require antivirus, anti-malware or malicious software removal tools.
  • There exist ZERO versions of Windows which should not have antivirus and anti-malware software installed and running at all times.
  • Even if a computer running Windows is removed from the network, it should still be protected. Simply inserting a USB key can cause its contents to autorun. Simply inserting an "enhanced" music CD can cause software to be installed without prompting (see Sony rootkit debacle)

While Windows users may be less educated as a whole, the flaws in Windows design result in a higher failure rate due to viruses and worms. It's simply not possible to secure a Windows system without removing it from the network.

We're not talking only trojans here, which can affect almost any OS. We're talking about security in general. Windows is beyond laughable in this department, and the common thinking is that of course you got hacked, you're running Windows. It's fairly common knowledge that you can't secure Windows -- too many flaws and too many patches, there's more broken than not.

Hey, but at least Windows is cheap, right? I mean, I'm not including the time spent for updates and patches, or the downtime when I get infected and have to restore / reinstall. Oh, wait, the time I spend making sure all my anti-malware tools are kept up-to-date, yeah, and the time I spend...

You aren't getting a steak dinner with Windows, you're getting the cheapest-to-produce McMeal possible.

Re:Wrong way of looking at the problem (0)

Anonymous Coward | more than 3 years ago | (#34267924)

I would point out that was correct... up until maybe 2007

Vista was a security overhaul and 7 improved on that. A recent study found that 90% of all Windows patches were completely unnecessary if you did not run as administrator. How many Linux users here run as root normally?
http://news.cnet.com/8301-27080_3-20001359-245.html?part=rss&subj=news&tag=2547-1_3-0-20

The Administrator account on Windows is now a user account with prompted escalation to admin rights (the UAC prompt, similar to sudo; if you click through on that or disabled it, you get what you deserve). This blocks CDs and USB from auto-installing on your system.

Linux servers account for 80% of all hacked servers, which is not surprising: more Linux systems are in use as servers than desktops.
http://www.zdnet.com/blog/itfacts/linux-servers-hacked-more-frequently-than-windows/5369

Just goes to show you that they will target the largest installed base; it doesn't matter how long a system has been around. Remember Code Red? Microsoft patched that vulnerability two months before the virus went amok, but with the size of the user base there were still enough unpatched systems that it could get a foothold. There are plenty of unpatched Linux and Macs, but the number of them with a vulnerability to be exploited means it's a lot of work to hit the same number of systems.

Re:Wrong way of looking at the problem (1)

StuartHankins (1020819) | more than 3 years ago | (#34268492)

I will feed you, troll.

You responded with a 2004 article from some unheard-of company, which was subsequently trashed because people knew it didn't make sense? Are you kidding me? I do this for a living.

From the article you quoted:

There are trade-offs to removing administrator rights. For instance, standard users typically can't install software and use applications that require elevated privileges

Now how does that translate to the home environment? That's right, many home Windows users (and many corporate users) are admins. In the corporate world, the UPS software as well as much other Windows software requires admin rights to run. Some software packages restrict the version of IE that is installed. Installing printers in Windows requires admin rights.

Let's contrast that to OSX: There are standard installers. You must enter the admin password. I'm not aware of any way to run OSX as "root" although you can enable the root account (it's disabled by default). OSX has significantly fewer prompts for authentication which means more people actually read them.

The issue is Windows: its pitiful security model is broken, and recent attempts by Microsoft to patch it haven't worked. Windows accounts for the vast majority of worm and virus-related incidents throughout the world, a problem which does not exist on other platforms. This is not news, so stop pretending it's fixed. It's not, and a simple Google search would tell you that.

Re:Wrong way of looking at the problem (1)

Shark (78448) | more than 3 years ago | (#34267724)

I don't think this is Troll (but I posted earlier so no modpoints). I think it's a very valid point.

The human brain OS? (1)

davidwr (791652) | more than 3 years ago | (#34267964)

If you want a single unifying factor behind botnets, look for things like greed and the like on the part of the botmasters.

Unfortunately those are a lot harder to combat than technical measures against infected computers.

Re:Wrong way of looking at the problem (1)

MobyDisk (75490) | more than 3 years ago | (#34267972)

Actually, one single planet harbors all of the botnets, viruses, and Justin Bieber fans. That planet should be the real target, not operating systems or poor ISPs or something. Sheesh...

Sandbox (2, Interesting)

Mr. Munshun (1926910) | more than 3 years ago | (#34267122)

A friend of mine who was tasked with looking after a university network years ago had a setup that worked well. When the user first connected, they were put in a sandbox, and thus not allowed outside access. They would be greeted with a web page stating that their computer was being scanned for ports well known for viruses and/or spyware. Once the scan was completed, which took about 60 seconds IIRC, they were allowed access to the Internet. Perhaps there is a way that ISPs could do the same sort of thing?

Re:Sandbox (1)

camperdave (969942) | more than 3 years ago | (#34268626)

I've been online continuously for months; since our last blackout. What good is a one minute scan last spring going to do?

Botnet sans broadband? Seen it already... (3, Interesting)

damn_registrars (1103043) | more than 3 years ago | (#34267168)

My site at home has been under a distributed hack attempt (a long list of IPs all trying to ssh in as root*) for days now. On the first day the attempts were quite frequent; approaching 1 per minute. Now on day 4 the attempts are trickling in as infrequently as one every 20 minutes. A system on a reasonably fast connection could on its own surpass the 1/minute barrier when running a dictionary password attempt through ssh if it wanted to; hence this looks like it could well be systems on slow connections. Add in that some IPs disappear for a while and then come back - as if the PC is logging off and then on again - and it certainly does look like a low-speed botnet.

* Naturally, my ssh denies all root attempts. Even if they got the password right they wouldn't know it, because the rejection would be the same. Other botnets have tried whitepages-style attacks using long lists of common user names and not matched any allowed users on my system as well.

** Yes I know I could just change my ssh port and much of this would go away. But I find it amusing and I have bandwidth to burn.

Re:Botnet sans broadband? Seen it already... (0)

Anonymous Coward | more than 3 years ago | (#34268360)

Some ISPs monitor for common attacks like this and drop connections when they're detected - so it's not uncommon for botnets to deliberately limit their rates. It serves two advantages - first, it reduces the chance of slowing the infected machine's connection down, which makes the malware less likely to be detected by the machine's owner. Secondly, it allows these machines to slip under the radar of some of the ISPs that try to filter for them (but don't do a great job).

That said, 1 per minute suggests it's either a very small botnet or someone renting a little capacity on one of the bigger ones. If you were the target of a well developed one you'd see a lot more traffic than that. :)

Re:Botnet sans broadband? Seen it already... (1)

damn_registrars (1103043) | more than 3 years ago | (#34269444)

That said, 1 per minute suggests it's either a very small botnet or someone renting a little capacity on one of the bigger ones. If you were the target of a well developed one you'd see a lot more traffic than that. :)

I don't kid myself into thinking that my webserver is an important target. There is nothing of great value on there. I fully suspect that someone was trolling through a very long list looking for open SSH ports and picked up on my server; I am now on a long list of IPs that they try periodically when they have a chance. Likely they are just doing this trying to find more systems to add to their botnet...

If I had another IP address it would be fun to put a Windows box up running cygwin openssh - then their attempts would be even more meaningless as they would be trying to log in to a root account that doesn't exist anyways (of course on that they would just enter through a different security hole...)

Re:Botnet sans broadband? Seen it already... (1)

WuphonsReach (684551) | more than 3 years ago | (#34268604)

** Yes I know I could just change my ssh port and much of this would go away. But I find it amusing and I have bandwidth to burn.

Do you also have your daily/weekly log reports set to separate the chaff from the wheat so you can distinguish between worrisome attempts and the background noise?

The biggest reason to move the port - it cuts down on the message log spam, which often drowns out more important information. If I see attempts on my custom port #, I know I need to take a closer look.

(Second biggest reason to move the port - just in case some clueless admin, myself included, manages to change SSH to allow login via passwords by accident.)

Re:Botnet sans broadband? Seen it already... (1)

naturaverl (628952) | more than 3 years ago | (#34268954)

Surprised nobody has suggested denyhosts [sourceforge.net] yet. I used to get my port 22 knocked on at an average of once per second, for months. For convenience I didn't feel like changing my ssh port, and it didn't worry me much because it is my personal machine with root login turned off, and with good passwords on all other login accounts. But as someone else mentioned, it filled my logs and made it hard to notice the more important things... After installing denyhosts, the ssh dictionary attacks were blocked almost immediately and almost entirely.
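The thread above keeps coming back to the same two questions: how do you separate the background noise of root and invalid-user guessing from attempts that actually deserve attention, and when do you stop accepting connections from a source the way denyhosts does? The following is an added example, not code from any poster or from denyhosts, that does both over a handful of constructed OpenSSH auth.log lines (the hostnames, addresses from the RFC 5737 documentation ranges, and the user list are all made up). An IP is rated "worrisome" only when it guesses at a username that really exists on the box; guesses at root (login refused anyway) or at non-existent users are chaff, and any source with three or more failures is added to a deny list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from a real system), in OpenSSH's auth.log format.
SAMPLE_LOG = """\
Nov 18 10:00:01 homebox sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 18 10:00:40 homebox sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov 18 10:01:15 homebox sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Nov 18 10:02:02 homebox sshd[2107]: Failed password for root from 203.0.113.5 port 51251 ssh2
Nov 18 10:02:30 homebox sshd[2109]: Failed password for invalid user oracle from 198.51.100.7 port 40030 ssh2
Nov 18 10:03:11 homebox sshd[2111]: Failed password for alice from 192.0.2.20 port 60001 ssh2
Nov 18 10:03:12 homebox sshd[2113]: Failed password for alice from 192.0.2.20 port 60002 ssh2
Nov 18 10:03:13 homebox sshd[2115]: Failed password for alice from 192.0.2.20 port 60003 ssh2
Nov 18 10:04:00 homebox sshd[2117]: Accepted publickey for alice from 192.168.1.10 port 50100 ssh2
"""

# Matches only failed password attempts; "invalid user" is present when the
# account does not exist on the host at all.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\sFailed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Return one record per failed-login line; other lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        records.append({
            # syslog timestamps carry no year; only differences matter here
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "user": m.group("user"),
            "invalid": m.group("invalid") is not None,
            "ip": m.group("ip"),
        })
    return records


def summarize(log_text, real_users, block_threshold=3):
    """Group failures by source IP, estimate the attempt rate, and classify.

    real_users: usernames that can actually log in on this host (assumed list).
    An IP is 'worrisome' if any guess targets one of those; guesses at root
    or non-existent users are 'noise'. block=True mimics a denyhosts-style
    threshold rule.
    """
    per_ip = defaultdict(list)
    for rec in parse_failures(log_text):
        per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        first = min(r["ts"] for r in recs)
        last = max(r["ts"] for r in recs)
        # floor the window at one minute so a burst does not divide by ~zero
        span_min = max((last - first).total_seconds() / 60.0, 1.0)
        worrisome = any(not r["invalid"] and r["user"] in real_users for r in recs)
        report[ip] = {
            "attempts": len(recs),
            "per_minute": round(len(recs) / span_min, 2),
            "users": sorted({r["user"] for r in recs}),
            "category": "worrisome" if worrisome else "noise",
            "block": len(recs) >= block_threshold,
        }
    return report


def blocklist(report):
    """Sorted list of IPs that crossed the threshold (what would go into hosts.deny)."""
    return sorted(ip for ip, info in report.items() if info["block"])


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG, real_users={"alice"})
    for ip, info in sorted(rep.items()):
        print(ip, info)
    print("deny:", blocklist(rep))
```

Run against a real auth.log, the only things to change are the input and the `real_users` set; the "worrisome" flag is what a daily log report should surface, while the "noise" rows are the chaff that a moved port or a deny list makes disappear.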

Re:Botnet sans broadband? Seen it already... (1)

slashdime (818069) | more than 3 years ago | (#34268960)

The same is true for almost everyone. For a list of IPs too long for denyhosts to cover practically, try checking out ssh-faker.

Re:Botnet sans broadband? Seen it already... (1)

chrysrobyn (106763) | more than 3 years ago | (#34269198)

My site at home has been under a distributed hack attempt (a long list of IPs all trying to ssh in as root*) for days now. ... Yes I know I could just change my ssh port and much of this would go away. But I find it amusing and I have bandwidth to burn.

I have a home server exposed to the wild internet by only port 22. It's an old machine, and it only allowed a single authorized user to log in, only with key authentication, not password. Nonetheless, the attacks would sometimes come in at such a rate that the CPU was pegged too high for the system to be usable for any of its primary functions (firstly being an Apache proxy through an ssh tunnel from work). I looked into a number of options to mitigate this CPU use, but none of them were as useful as using /etc/hosts.deny (the whole internet) and /etc/hosts.allow (my employer plus 192.168.1.*). I still get a few dozen logged messages every day to feel good when attacks are denied, but my CPU no longer gets pegged from authentication failures -- face it, denying an authentication doesn't cost much bandwidth, but it can take a few cycles to fail to authenticate a key.

Re:Botnet sans broadband? Seen it already... (1)

damn_registrars (1103043) | more than 3 years ago | (#34269566)

face it, denying an authentication doesn't cost much bandwidth, but it can take a few cycles to fail to authenticate a key.

That is true. However, at the rates that I am usually attacked the CPU usage is trivial. Denying one attack every minute (that is the high end) doesn't do much to my meager P4, and denying one every 20 minutes (as in at this moment) barely counts as noise.

If the attack frequency suddenly picked up dramatically - which I don't expect to happen on my server - then I would be concerned. But right now I'd say slashdot uses more of my home bandwidth (and CPU time) than the distributed attack does.

very flawed logic (3, Interesting)

frovingslosh (582462) | more than 3 years ago | (#34267170)

One big problem with this logic is that it is based on IP addresses analyzed from captured spam. The problem with that is some major ISPs (including AT&T) are blocking access to out-of-network e-mail servers, and doing other things to make it difficult for even their legitimate customers to send legitimate e-mail. So this method of knowing where the botnets are would completely miss major botnets if they are unable to get spam out efficiently.

You may say "Why does that matter as long as the spam is stopped?", but it matters a lot. The machines are still infected and could be used for other things, from denial of service attacks to hosting and spreading kiddy porn to just watching for private data to go by (like banking information and credit card numbers) and report them directly back to the control system. Making major judgments about botnets based only on IP addresses seen in spam is short sighted and foolish. And it also assumes that all botnets are honest enough to not forge IP addresses. Any smart botnet could easily forge the IP address the spam is coming from, to make it that much harder to find. If a clever bot just changed the fourth or even third and fourth part of the IP address and replaced it with a random number, the botnet would look much larger than it really is and make it much harder to track back to the infected machine, but would not be easy to detect by comparing the supposed source IP and the SMTP server from outside the network.

Re:very flawed logic (0)

Anonymous Coward | more than 3 years ago | (#34267476)

ISPs could put an end to spoofing VERY quickly. 2-3 router rules of what source IPs can talk on this segment. See an out-of-bound one, drop it on the floor. That narrows the spoofing pool quite considerably. Also they can check MAC vs IP and drop there too.

Spoofing only happens because ISPs let it happen and do not have their routers configured properly. They are not configured properly either due to cost or lack of knowledge.

Re:very flawed logic (0)

Anonymous Coward | more than 3 years ago | (#34269160)

One big problem with this logic is that it is based on IP addresses analyzed from captured spam. The problem with that is some major ISPs (including AT&T) are blocking access to out-of-network e-mail servers, and doing other things to make it difficult for even their legitimate customers to send legitimate e-mail. So this method of knowing where the botnets are would completely miss major botnets if they are unable to get spam out efficiently.

You may say "Why does that matter as long as the spam is stopped?", but it matters a lot. The machines are still infected and could be used for other things, from denial of service attacks to hosting and spreading kiddy porn to just watching for private data to go by (like banking information and credit card numbers) and report them directly back to the control system. Making major judgments about botnets based only on IP addresses seen in spam is short sighted and foolish. And it also assumes that all botnets are honest enough to not forge IP addresses. Any smart botnet could easily forge the IP address the spam is coming from, to make it that much harder to find. If a clever bot just changed the fourth or even third and fourth part of the IP address and replaced it with a random number, the botnet would look much larger than it really is and make it much harder to track back to the infected machine, but would not be easy to detect by comparing the supposed source IP and the SMTP server from outside the network.

So go tell your off-network mail host to allow mail access on a different port. Say, like gmail does.

Or pony up a few extra bucks for a business account with a static IP. Honestly, the faster response time for technicians and support from a higher-tiered tech group is worth it on its own, imho. It's nice being able to call up and say "Hey, I think you've got a routing loop, here's some traceroutes" and get a reply of "sweet, I'll send this over to engineering" instead of "I'm sorry, but I don't see that you ever purchased a routing loop. I can transfer you to sales to get you set up with one?"

Use submission (SMTP + TLS + Auth on port 587) (0)

Anonymous Coward | more than 3 years ago | (#34269374)

Or even the deprecated ssmtp with SMTP AUTH enabled.

AT&T lets these through with no problems.

Outlook supports it.
Thunderbird supports it.
Evolution supports it.
Gmail supports it for users that opt for a non-web MUA.
Yahoo supports it for users that opt for a non-web MUA.
And if I can get a bunch of lawyers that can't understand why filenames of the form foo.pdf.exe are bad to configure Outlook to do submission, you should be able to configure it yourself.

There is no reason for you to be sending SMTP in the clear and without authentication from your home machine unless you coughed up the $$$ for a static IP and a nice WHOIS record showing your contact information for that static IP. There is no reason for you to be receiving SMTP in the clear and without authentication to your home machine either.

Yes, there is plenty of other evil a compromised machine can do, but this is one small piece that makes sense as there are reasonable alternatives to sending SMTP in the clear and without authentication.

Useless statistic (1)

houghi (78078) | more than 3 years ago | (#34267202)

Without knowing if the 50 providers have more or less than 50% of all users, this could mean anything.

If these 50 providers provide 95% of the people, then bigger providers are GOOD against spammers. If these 50 providers provide 5%, then it is bad.

So it is absolutely meaningless information.

Look up in the sky! (1)

Haedrian (1676506) | more than 3 years ago | (#34267264)

Zipf's law strikes again!

Obvious (0)

Anonymous Coward | more than 3 years ago | (#34267346)

Customers don't go to the ISP that associates with spammers/botnets/etc because they don't want their own machines infected or suspected, or put on stupid SPEWS lists.

Simple (but not easy) solution (2, Interesting)

wowbagger (69688) | more than 3 years ago | (#34267468)

There is a simple solution to the problem. Unfortunately, being simple does not mean it is easy.

1) ISPs by default implement some basic filtering:
1a) do not allow access to port 25, save to their own servers
1b) do not allow inbound nor outbound access to certain "LAN only" type services (e.g. NFS, SMB/CIFS, etc.)
2) NOTA BENE: ISPs SHALL allow users to elect to bypass these filters, but:
2a) This shall require action on the part of the account owner.
2b) Upon doing so, the account owner SHALL be responsible for their actions
2b.i) The ISP SHALL provide a contact mechanism (e.g. WHOIS record for that IP) that notifies both the ISP and the account holder of abuses.
2b.ii) The ISP SHALL act on complaints if the user does not.
2c) The action to disable blocking SHALL be done in a way that prevents a bot from doing it (e.g. require a phone call to the ISP, or a Turing test, etc.)
3) ISPs SHALL look for "infected" behaviors, like port scans, BEFORE the traffic leaves their network (remember people, the term "firewall" comes from building codes, where a building is supposed to have MANY levels of firewall. ISPs should be no different).
3a) such behaviors SHALL be investigated, and potential infectees quarantined and the owners contacted.
4) ISPs SHALL be required to address complaints
4a) They SHALL be required to have an automated means to report such abuses. No, Web pages don't count.
4b) ISPs that fail to address complaints SHALL be listed in such a way that other entities can block them (e.g. DNS-RBLs).

For too long ISPs have been able to externalize the costs of infected machines. Obviously, any cost a business can externalize will be externalized, and thus the business won't handle it. The solution is to force the costs of infected machines to be internalized to the ISPs. They will, of course, bitch mightily about this - again, no business will allow a previously externalized cost to be internalized without a fight.
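Two of the proposals in this thread (the anti-spoofing router rules in the "very flawed logic" reply, and items 1a, 1b and 2 of the list above) can be written down as a single edge-filter policy and checked against sample traffic. The following is an added example, not code from any poster or from any ISP's actual configuration: it models one access segment per customer prefix, drops outbound packets whose source does not belong to the segment (the BCP 38 style ingress check), blocks direct port 25 except to the ISP's own relay, blocks LAN-only service ports in both directions, and honours a per-account opt-out that lifts the port filters but never the spoofing check. The segment names, the address ranges (RFC 5737 documentation space) and the opt-out register are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: which customer prefix sits behind each access segment.
SEGMENTS = {
    "dsl-pool-1": ipaddress.ip_network("203.0.113.0/25"),
    "dsl-pool-2": ipaddress.ip_network("203.0.113.128/25"),
}
# The ISP's own outbound mail relay (item 1a: port 25 allowed only to these).
ISP_MAIL_SERVERS = {ipaddress.ip_address("198.51.100.25")}
# Item 1b: services that have no business crossing the ISP boundary.
LAN_ONLY_PORTS = {111, 137, 138, 139, 445, 2049}


@dataclass(frozen=True)
class Packet:
    segment: str     # access segment the packet was seen on
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination TCP/UDP port
    direction: str   # "out" = customer -> internet, "in" = internet -> customer


def check_packet(pkt, opted_out=frozenset()):
    """Apply the edge policy to one packet.

    opted_out: customer addresses whose account holder explicitly asked
    to lift the default port filters (item 2). It is a hypothetical register
    for the example. Returns (verdict, reason) with verdict 'allow' or 'drop'.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    segment = SEGMENTS[pkt.segment]

    if pkt.direction == "out":
        # Ingress filtering: a customer on this segment may only emit packets
        # from that segment's prefix. This check is never subject to opt-out.
        if src not in segment:
            return "drop", "spoofed source outside segment prefix"
        customer = src
    else:
        # Inbound: the customer is the destination; upstream is responsible
        # for anti-spoofing on its side.
        customer = dst

    bypass = str(customer) in opted_out

    if pkt.dport in LAN_ONLY_PORTS and not bypass:
        return "drop", "LAN-only service port blocked by default"

    if (pkt.direction == "out" and pkt.dport == 25
            and dst not in ISP_MAIL_SERVERS and not bypass):
        return "drop", "direct port 25 blocked by default; use the ISP relay or submission (587)"

    return "allow", "ok"


def apply_policy(packets, opted_out=frozenset()):
    """Run a batch through the policy and tally drop reasons (for reporting)."""
    tally = {}
    for pkt in packets:
        verdict, reason = check_packet(pkt, opted_out)
        key = reason if verdict == "drop" else "allowed"
        tally[key] = tally.get(key, 0) + 1
    return tally


if __name__ == "__main__":
    sample = [
        Packet("dsl-pool-1", "203.0.113.10", "198.51.100.25", 25, "out"),   # to ISP relay
        Packet("dsl-pool-1", "203.0.113.10", "192.0.2.50", 25, "out"),      # direct to MX
        Packet("dsl-pool-1", "203.0.113.10", "192.0.2.50", 587, "out"),     # submission
        Packet("dsl-pool-1", "203.0.113.10", "192.0.2.50", 445, "out"),     # SMB outbound
        Packet("dsl-pool-1", "203.0.113.200", "192.0.2.50", 80, "out"),     # source from pool-2
        Packet("dsl-pool-1", "192.0.2.50", "203.0.113.10", 2049, "in"),     # NFS inbound
    ]
    for pkt in sample:
        print(pkt.src, "->", pkt.dst, pkt.dport, check_packet(pkt))
    print(apply_policy(sample, opted_out={"203.0.113.10"}))
```

The point of keeping the spoofing check outside the opt-out path is item 2c of the list: a bot that manages to flip the account's filter setting still cannot forge addresses from another segment, so the spam-source analysis the original poster worried about stays trustworthy for that ISP.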

Re:Simple (but not easy) solution (0)

Anonymous Coward | more than 3 years ago | (#34268424)

They will, of course, bitch mightily about this - again, no business will allow a previously externalized cost to be internalized without a fight.

Quite true.

And that simply means that they will try to minimize the cost by:

1) demanding that the user compensate the costs they make of any malicious access to "their" network from the users machine(s).

2) demand that the user runs an approved OS laden with virus- and other scanners.

And yes, with the few ISPs available and an even lower number which actually can provide a connection to a specific house, that will be agreed upon by the lot of them (either by forbidden agreements between them, or by one doing it and the others "just following").

Your "easy solution" could well mean that you will be turned into a dog on a leash, and pay a nice extra sum for the privilege too.

Re:Simple (but not easy) solution (1)

Sot32 (1230720) | more than 3 years ago | (#34269302)

Filtering port 25 isn't a bad idea, but it treats a symptom, not a problem. There seems to be a business opportunity here, and I wish I could figure out how to make it work. The ISPs should certainly have enough information in their logs to identify the infected machines. There is a benefit to the public to get those machines repaired. There are many qualified but unemployed IT professionals available. How can we put these puzzle pieces together and "create jobs" without creating another government agency? I mean sure, you can force the ISPs to deal with it, and then we'll all end up paying for it in our broadband bill. Maybe it would be better if the ISPs were forced to cut off their service and refer them to the local repair shop. Let the people with a problem pay to fix the problem rather than taxpayers or the other subscribers of that ISP.

Who are they? (5, Insightful)

HangingChad (677530) | more than 3 years ago | (#34267620)

"The networks of just 50 ISPs account for around half of all infected machines worldwide," say the researchers.

Who are the 50? Publish the names and IP ranges and let the admins loose on them.

Why not name names? (0)

Anonymous Coward | more than 3 years ago | (#34267710)

This whitepaper provides very little value without naming those ISPs that harbor the botnets. Why not name names?

We have this problem for one reason (1)

chucklebutte (921447) | more than 3 years ago | (#34268124)

'Cause it makes everyone money! This shit is so easy to stop; hell, even my college does machine blocking. If you connect to our wifi on campus, your machine will be directed to a browser window that runs a scan to make sure you have all current updates, virus protection, and that your machine is not infected. If you have an issue with one of those 3, then your machine is blocked and cannot log in till the problem has been rectified.

ISPs don't do this not because it would be too difficult for them to deploy or for users to use; it's just not cost effective for them, hence they make more money from infected users than clean ones.

Your privacy and safety online is not a concern, only the bottom line.

Obvious is surprising to some researchers (1)

gsgriffin (1195771) | more than 3 years ago | (#34268354)

Quote from the actual article this is all referencing: "Box 3. Bulk of all infected machines are located in the networks of well-known ISPs. As far as we can tell, all ISPs harbor infected machines – ‘bots’ – in their networks. What is surprising, however, is that the bulk of the total global population of infected machines are located in the networks of well-established providers, the brand names that are familiar to the consumers in those countries. Of the tens of thousands of ISPs that provide Internet access, the 200 ISPs that collectively hold nearly 90 percent of the total market share in the wider OECD area account for more than 60 percent of all infected machines worldwide. Other service providers, such as hosting providers, university networks, corporate networks and application service providers contain a smaller share of all bots."