Do ISPs Ignore Security Researchers Who Point Out Zombied Machines?
from the not-such-a-good-thing dept
Over the last few years, we’ve all heard stories about how organized crime groups have taken to using botnets of “zombied” computers to run all sorts of scams and spam campaigns. ISPs have been somewhat slow to react. While they try to use fairly blunt instruments, like cutting off certain ports, many don’t seem to have a very good process in place for tracking down and stopping customers whose machines have become unwitting members in a botnet. In fact, security researchers are growing frustrated that when they come across evidence of a hijacked computer, ISPs don’t respond at all when told that a customer is causing trouble. There certainly are a few ISPs that are careful to help get rid of botnets, doing things like quarantining or cutting off certain users from their internet access until their machines are cleaned up, but most of the bigger ISPs don’t appear to do very much at all. Of course, there is the other side of this story — which is that when ISPs may be too proactive, it can often snag people whose machines aren’t actually doing anything wrong. But, it certainly seems like completely ignoring reports with evidence of a botnet may be going to the opposite extreme.
Comments on “Do ISPs Ignore Security Researchers Who Point Out Zombied Machines?”
Of course they dont stop it
Can you imagine the bad P.R. of some novice computer user on TV saying “I don’t have any viruses, my computer works, and they took down the internet I paid for.”
In major metro areas they can probably choose between DSL and cable, if one of those choices cuts you off for having viruses (a LOT of people have viruses) which one is going to loose customers?
Re: Of course they dont stop it
Most TOS/AUP give the ISP the right to protect their network and cut the offending users internet off.
I give our customers 5 working days to get their systems cleaned up, then if I do not see any improvement, I cut them off until they can prove to me their are clean.
Maybe send them an email notification or phone call. I would think most people would try to fix it. Better than not telling them at all.
dumbass system admins
They just don’t care and the problem goes beyond identifying bots in their systems. When bots send spam they forge the sender. They have done that forever and yet mail that can’t be delivered gets “returned” to someone who never sent it because dumbass system admins just don’t care. That multiplies the spam traffic on the net. You would think that these dumbass system admins could set up their mail daemons to verify that the IP of the sender actually matches the IP that sent the mail. They would only have to do this for mail being returned but, once they have identified a bot this way they could block that IP and stop all the spam coming into their system from that bot but, nooooo. Sysadmins are too busy being dumb.
I have an automated script that sends emails with complains to respective abuse@…… whenever it detects that somebody’s trying to bruteforce my system. So far about 1-2% of the notified admins responded, and they have been real people, as opposed to corporations. China is notoriously bad at that: their abuse@… addresses often bounce saying “mailbox too full” 😉
In short in the U.S., yes.. They are in the business to make money and not in the business to fix peoples computers..
three reasons it'll never happen
1) people refuse to take responsibility for their computers
2) people refuse to take responsibility for their actions
3) people refuse to take steps to mitigate the impact of 1&2
if people refuse to take responsibility for their actions, refuse to take responsibility for their computers, they will most assuredly refuse to take responsibility for their computer’s actions.
Hell yes they ignore it
Check out prjects like Dshield or My Net Watchman, completely automated systems that watch for attacks and notify their ISP or owner of the attacking ISP. I have been a member of both and the sheer lack of response is repulsive. If my firewall detects 26,000 attempted varying ID’s and passwords from an IP address then the blasted ISP should do something about it, but they DONT.