Educause Security Discussion mailing list archives

Re: Cyberattacks Down?


From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Wed, 8 Dec 2004 13:41:54 -0800

Hi Cam,

#Perhaps ISPs responsible for Cable/DSL users
#should be held accountable. Our data indicates
#that these groups are the fastest growing problem
#wrt botnets..
#
#This leads to the following questions:
#  o why aren't ISPs more reliable in addressing their
#    offending hosts?

In thinking about this issue, I'm struck by Panda Software's indication
that roughly half of all PCs in the United States are virally infested.
(see http://www.pandasoftware.com/virus_info/ ).

If you're on a system with Flash installed, and you click on the map on
the far right hand side, and then change from looking at the last day to
a year graph, you'll also see that we've gone from maybe 15 or 20% to
the current levels in six months, with no sign of things levelling off
or going back down.

So what, you ask? I believe that what you're seeing is that strategies
that work if you have one-in-ten customers or even one-in-five customers
who may be infected fall apart completely when you get to one-in-two
customers who are infested. For example, while you might be willing to
disconnect 10% of your customers, and potentially make them so mad that
they move to your competitor, you would not be willing to do that for 50%
of your customers.

#  o why aren't ISPs that don't remove offending hosts
#    once identified fined in some way?

A bigger question is, "How do we do en-masse cleanup of literally millions
of hosts operated by people who lack the software tools, expertise, time,
motivation, etc. to do it themselves?"

#  o why are ISPs who don't use reverse-path
#    forwarding checks allowed to operate?

The question I would add is, "Given that the battle to clean customer PCs
is still an open/hard problem, why aren't ISPs looking upstream, at the
hosts hitting those customer PCs?"

If the quest is for scalable solutions, blocking traffic from upstream
hosts that are talking to zombied customer boxes has *huge* potential
payoff.

#ps. should note that in reporting all of these
#compromised hosts, we noticed that the .COMs/NETs
#stayed online far longer than the EDU hosts and
#that in most cases the respective ISPs never
#addressed the problems.

They won't/can't. Short list:

-- in some cases things are so badly infested, cleaning the host ends up
   killing it (yes, it should be nuked and paved anyhow, but that's not
   the issue); imagine how the ISP lawyers feel about that.

-- assume it takes four hours to thoroughly scan and disinfest a system
   with a single straightforward infestation; assume you're paying someone
   minimum wage to do the disinfection, plus benefits, and a vehicle of
   some sort, etc. How much would you need to charge to make that house
   call service break even? Will people pay that?

-- having de-infested someone once, will the party learn to avoid the
   behaviors that got them infested in the first place? will they avoid
   bad neighborhoods and risky behaviors? Will they keep their AV up to
   date? Will they patch their operating system and applications? If not,
   the process repeats...

-- leaving a broadband host infested ensures that the user, even if they
   WANTED to go back to dialup, couldn't do so -- the sheer load of all
   the zombie traffic would swamp a dialup connection; infestation is thus
   GOOD for broadband network customer retention, as long as the
   infestations aren't SO bad that users get discouraged and throw in the
   towel completely.

-- etc., etc., etc.

What a world, eh?

Regards,

Joe
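The "look upstream" idea in the message above (block the remote hosts that are talking to customer boxes already known to be zombied) can be turned into a concrete triage step over flow data. The following is an added example, not code from the original post or from any ISP tooling: it correlates constructed NetFlow-style records against a constructed list of known-infected customer addresses and ranks each remote host by how many distinct zombies it touches. The customer prefix, the zombie list, the flow records and the thresholds are all assumptions chosen for illustration.

```python
"""Rank remote ("upstream") hosts by how many known-zombied customers they
talk to. Added example; all addresses and flows below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the ISP's customer pool and the customer hosts that abuse
# reports have already identified as infected.
CUSTOMER_NET = ip_network("10.20.0.0/16")
KNOWN_ZOMBIES = {"10.20.1.5", "10.20.1.9", "10.20.3.44", "10.20.7.2"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("198.51.100.7", "10.20.1.5", 6667, 1200),   # IRC-style controller -> zombie
    ("198.51.100.7", "10.20.1.9", 6667, 900),
    ("198.51.100.7", "10.20.3.44", 6667, 1500),
    ("198.51.100.7", "10.20.7.2", 6667, 800),
    ("10.20.1.5", "198.51.100.7", 6667, 300),    # zombie -> controller (reply)
    ("203.0.113.10", "10.20.1.5", 80, 5000),     # popular web site, hits a zombie...
    ("203.0.113.10", "10.20.2.1", 80, 5000),     # ...and clean customers too
    ("203.0.113.10", "10.20.2.2", 80, 5000),
    ("192.0.2.33", "10.20.1.9", 445, 4000),      # scanner touching one zombie
    ("10.20.3.44", "10.20.7.2", 445, 4000),      # customer-to-customer: ignored
]


def rank_upstream_hosts(flows, customer_net, known_zombies):
    """Return {remote_ip: (distinct zombies contacted, distinct customers contacted)}.

    A flow counts when exactly one endpoint is a customer address; the other
    endpoint is the remote host, whichever side opened the connection, since
    command-and-control traffic is often initiated by the zombie.
    """
    customers_per_remote = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        src_inside = ip_address(src) in customer_net
        dst_inside = ip_address(dst) in customer_net
        if src_inside == dst_inside:       # both inside or both outside: skip
            continue
        customer, remote = (src, dst) if src_inside else (dst, src)
        customers_per_remote[remote].add(customer)
    return {
        remote: (len(custs & known_zombies), len(custs))
        for remote, custs in customers_per_remote.items()
    }


def block_candidates(flows, customer_net, known_zombies,
                     min_zombies=3, min_fraction=0.75):
    """Remote hosts worth blocking at the border: they reach at least
    `min_zombies` infected customers, and infected customers make up at
    least `min_fraction` of everyone they talk to. The fraction test keeps
    legitimate busy services (which inevitably also serve some zombies)
    off the list; the thresholds are assumptions for this example."""
    stats = rank_upstream_hosts(flows, customer_net, known_zombies)
    hits = [remote for remote, (zombies, total) in stats.items()
            if zombies >= min_zombies and zombies / total >= min_fraction]
    return sorted(hits, key=lambda r: (-stats[r][0], r))


if __name__ == "__main__":
    for remote, (zombies, total) in rank_upstream_hosts(
            FLOWS, CUSTOMER_NET, KNOWN_ZOMBIES).items():
        print(f"{remote:>15}  zombies={zombies}  customers={total}")
    print("block candidates:", block_candidates(FLOWS, CUSTOMER_NET, KNOWN_ZOMBIES))
```

With the constructed data, only 198.51.100.7 is flagged: it touches four known zombies and nothing else, whereas the web server at 203.0.113.10 reaches one zombie out of three customers and the scanner at 192.0.2.33 reaches too few hosts to act on. In practice the zombie list is only as good as the abuse reports feeding it, so a candidate should be checked against an allowlist of known services before any border filter is installed.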

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.