Zombies threaten ISPs
Zombie computers are the single biggest threat to ISPs, according to an annual security survey conducted by Arbor Networks, as compromised PCs are being used to spew out spam, launch distributed denial-of-service (D-DOS) attacks and perpetrate identity theft and phishing schemes.
About 60% of the ISPs surveyed identified zombies as either their primary or secondary threat, said Mike Hollyman, manager of consulting engineering for Arbor Networks. Zombies--or “botnet” computers, as they are also known--are PCs linked to the Internet that have been taken over, without their owners’ knowledge, and can be used to send email, store information or run programs. While there is nothing new about botnets, Hollyman said, they are being used more extensively and in different ways.
“They are definitely doing more things – like launching D-DOS attacks, sending spams, serving as open proxies, and being drop sites for storing ID information, and for phishing sites,” he said. By using a widely distributed set of PCs, criminals can use one set of zombies to send out spam with a phishing message and, when an unsuspecting customer provides log-in and identity information, store that on a different zombie computer which can be anywhere in the world, Hollyman said. The traffic flows are more widely distributed and not as easy to detect.
“That makes it harder for law enforcement to track down,” he said. “The way they are created these days, it is easy to select individual hosts they want to use in nefarious ways. They may pick a botnet for a phishing attack that is in a site where there is no legal enforcement or the resources are limited.”
According to survey respondents, networks of zombies have become smaller and more adaptive, with “more firepower and more effective attack vectors,” Arbor reports, as well as better organized command and control servers that use peer-to-peer communications.
D-DOS attacks are the most common use of botnets and can take down Web sites and e-commerce operations, Hollyman said. Survey respondents say these attacks are getting more professional and therefore more disruptive.
“The largest attack has gone up to 24 Gb/s, which is 2.5 times the average link speeds,” he said. “One of those attacks could cause severe collateral damage, and we have seen that in the last 12 months. As service providers start to monitor deeper into their networks, they are seeing these attacks might be impacting their infrastructure.”
That means an attack against a specific customer site – and most attacks are that specific – has collateral impact on other customers served by the same network aggregation device.
Service providers are acquiring in-house expertise to address security issues as concerns have grown, Hollyman said, but they could use more help from law enforcement.
“They are proving they have the in-house skills, and they are no longer just packet pushers, they are in the position to gather information from security that will lead to global changes to attack vectors,” he said. “What they need now is better law enforcement options. Today, the response is fragmented. Many attacks involve multiple providers and multiple law enforcement entities and that can be difficult to manage.”
© 2012 Penton Media Inc.