Educause Security Discussion mailing list archives
Re: Cyberattacks Down?
From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Wed, 8 Dec 2004 13:41:54 -0800
Hi Cam,

#Perhaps ISPs responsible for Cable/DSL users
#should be held accountable. Our data indicates
#that these groups are the fastest growing problem
#wrt botnets..
#
#This leads to the following questions:
# o why aren't ISPs more reliable in addressing their
# offending hosts?

In thinking about this issue, I'm struck by Panda Software's indication that roughly half of all PCs in the United States are virally infested. (see http://www.pandasoftware.com/virus_info/ ). If you're on a system with Flash installed, and you click on the map on the far right hand side, and then change from looking at the last day to a year graph, you'll also see that we've gone from maybe 15 or 20% to the current levels in six months, with no sign of things levelling off or going back down.

So what, you ask? I believe that what you're seeing is that strategies that work if you have one-in-ten customers or even one-in-five customers who may be infected fall apart completely when you get to one-in-two customers who are infested. For example, while you might be willing to disconnect 10% of your customers, and potentially make them so mad that they move to your competitor, you would not be willing to do that for 50% of your customers.

# o why aren't ISPs that don't remove offending hosts
# once identified fined in some way?

A bigger question is, "How do we do en-masse cleanup of literally millions of hosts operated by people who lack the software tools, expertise, time, motivation, etc. to do it themselves?"

# o why are ISPs who don't use reverse-path
# forwarding checks allowed to operate?

The question I would add is, "Given that the battle to clean customer PCs is still an open/hard problem, why aren't ISPs looking upstream, at the hosts hitting those customer PCs?" If the quest is for scalable solutions, blocking traffic from upstream hosts that are talking to zombied customer boxes has *huge* potential payoff.

#ps. should note that in reporting all of these
#compromised hosts, we noticed that the .COMs/NETs
#stayed online far longer than the EDU hosts and
#that in most cases the respective ISPs never
#addressed the problems.

They won't/can't. Short list:

-- in some cases things are so badly infested, cleaning the host ends up killing it (yes, it should be nuked and paved anyhow, but that's not the issue); imagine how the ISP lawyers feel about that.

-- assume it takes four hours to thoroughly scan and disinfest a system with a single straightforward infestation; assume you're paying someone minimum wage to do the disinfection, plus benefits, and a vehicle of some sort, etc. How much would you need to charge to make that house call service break even? Will people pay that?

-- having de-infested someone once, will the party learn to avoid the behaviors that got them infested in the first place? Will they avoid bad neighborhoods and risky behaviors? Will they keep their AV up to date? Will they patch their operating system and applications? If not, the process repeats...

-- leaving a broadband host infested ensures that the user, even if they WANTED to go back to dialup, couldn't do so -- the sheer load of all the zombie traffic would swamp a dialup connection; infestation is thus GOOD for broadband network customer retention, as long as the infestations aren't SO bad that users get discouraged and throw in the towel completely.

-- etc., etc., etc.

What a world, eh?

Regards,

Joe

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
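One way to turn the "look upstream" suggestion in the message above into a concrete triage step, as an added example that is not part of Joe's post or of any ISP's tooling: given flow records for a customer address block and a list of customer hosts already flagged as zombied (from abuse reports, for instance), rank the non-customer hosts by how many flagged customers they exchange traffic with, and keep only those whose customer conversations are almost entirely with flagged machines, so that a popular web server visited by both clean and infested customers is not blocked by mistake. The customer block, the flagged list, the flow records and the thresholds are all constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```python
"""Added example: rank upstream hosts by fan-in from known-zombied customers.

Not code from the original message. All inputs below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed: the ISP's broadband customer pool (assumption).
CUSTOMER_BLOCK = ipaddress.ip_network("203.0.113.0/24")

# Constructed: customer hosts that abuse reports already flagged as zombied.
FLAGGED_CUSTOMERS = {
    "203.0.113.10", "203.0.113.23", "203.0.113.57", "203.0.113.88",
}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
# 198.51.100.7 plays the controller every flagged host talks to;
# 192.0.2.44 plays an ordinary web server visited by flagged and clean hosts.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.7", 6667, 512),
    ("203.0.113.23", "198.51.100.7", 6667, 480),
    ("203.0.113.57", "198.51.100.7", 6667, 530),
    ("203.0.113.88", "198.51.100.7", 6667, 498),
    ("203.0.113.10", "192.0.2.44", 80, 20480),
    ("203.0.113.12", "192.0.2.44", 80, 18000),    # unflagged customer browsing
    ("203.0.113.23", "192.0.2.80", 443, 9000),
    ("198.51.100.7", "203.0.113.57", 1025, 300),  # controller pushing to a zombie
]


def is_customer(ip):
    """True if the address lies inside the customer pool."""
    return ipaddress.ip_address(ip) in CUSTOMER_BLOCK


def _split(src, dst):
    """Return (outside_host, customer_host) for a flow crossing the pool edge,
    or None for flows that stay inside or entirely outside the pool."""
    src_c, dst_c = is_customer(src), is_customer(dst)
    if src_c and not dst_c:
        return dst, src
    if dst_c and not src_c:
        return src, dst
    return None


def upstream_fanin(flows, flagged):
    """Map each outside host to the set of flagged customers it talked to,
    counting either direction of the conversation."""
    fanin = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        pair = _split(src, dst)
        if pair and pair[1] in flagged:
            fanin[pair[0]].add(pair[1])
    return fanin


def customer_peers(flows):
    """Map each outside host to every customer (flagged or not) it talked to,
    used to estimate the collateral damage of blocking that host."""
    peers = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        pair = _split(src, dst)
        if pair:
            peers[pair[0]].add(pair[1])
    return peers


def block_candidates(flows, flagged, min_zombies=3, min_ratio=0.8):
    """Return [(host, zombie_count, flagged_ratio)] for outside hosts that
    talk to at least min_zombies flagged customers and whose customer peers
    are at least min_ratio flagged.  Sorted by zombie count, then address.
    Thresholds are illustrative assumptions, not field-tested values."""
    zombies = upstream_fanin(flows, flagged)
    peers = customer_peers(flows)
    out = []
    for host, zs in zombies.items():
        ratio = len(zs) / len(peers[host])
        if len(zs) >= min_zombies and ratio >= min_ratio:
            out.append((host, len(zs), round(ratio, 2)))
    out.sort(key=lambda t: (-t[1], t[0]))
    return out


if __name__ == "__main__":
    for host, count, ratio in block_candidates(SAMPLE_FLOWS, FLAGGED_CUSTOMERS):
        print(f"{host}: talks to {count} flagged customers, flagged ratio {ratio}")
```

On the constructed input only 198.51.100.7 survives both filters; 192.0.2.44 is contacted by one flagged host but half of its customer peers are clean, so it is dropped even if the fan-in threshold is lowered. The ratio check is the piece that keeps an upstream block from becoming the same customer-alienating measure the message argues ISPs will not take.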
Current thread:
- Cyberattacks Down? Jere Retzer (Dec 07)
- <Possible follow-ups>
- Re: Cyberattacks Down? Jordan Wiens (Dec 08)
- Re: Cyberattacks Down? Barbara Griffith (Dec 08)
- Re: Cyberattacks Down? Cam Beasley, ISO (Dec 08)
- Re: Cyberattacks Down? Joe St Sauver (Dec 08)
- Re: Cyberattacks Down? John Kristoff (Dec 08)
- Re: Cyberattacks Down? Wayne Wilson (Dec 13)
- Re: Cyberattacks Down? Joe St Sauver (Dec 13)