Friday | 10 July, 2009
CSO
Lax ISPs add to Internet security problem
Open source tools and content systems remain vulnerable.
Rodney Gedda (Techworld) 21/05/2008 09:33:32

In another phishing case, a customer was compromised through a PHP injection and Perl bots were installed.

"I looked around and found five more phishers and the customer removed the site and said they fixed the plug, but the phishers returned," McIntyre said. "It turned out every day the customer was re-uploading the phishing sites and restoring them from a backup."

There is certainly no shortage of bots: McIntyre runs a number of Unix-based "botpots" to attract and count them.

So far this year botpot One has seen some 29,000 bots, botpot Two about 200,000 and botpot Three just under a million systems from all over the world.

"The point is we are proactive and if you are not contributing in some way you are making it worse for the Internet," he said. "There is plenty of malware out there and the script kiddies are out there, but the big guys are doing it for the money. It's worrying how much information is out there and how cheap it is. The underground economy is rife with this stuff."

Web-based e-mail systems are now being targeted, and the known attack is sent around the world with a one to two percent success rate, but even that's enough.

What else can ISPs do to keep customer accounts secure? Well, according to McIntyre the overall procedure is quite simple.

"We find the problem and we are looking for the trouble," he said. "We have a notification ritual telling people they have a problem and we give them free anti-virus tools and try to make the bar as low as possible."

They also use a ticketing system for abuse matters, and if your ISP doesn't have one, "run away".

"We also created a walled garden environment where the customer can get information online without being put at risk," McIntyre said. "We use policy-based routing for HTTP content and have firewall rules in the router that limit customer traffic."

McIntyre's team is now developing some custom filters as a preventative measure.

"We want to prevent the bot from becoming a spam relay. It is not being used for abuse handling and not based on DPI, it's purely port based," he said. "I've got 120Gbps of traffic so show me the hardware that can do DPI on that at less than the cost of Australia!"
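The two controls McIntyre describes, a port-based egress filter that stops an infected customer machine from relaying spam directly, and a walled garden that redirects a quarantined customer's HTTP traffic to a notification page, can be expressed as a small address-and-port policy. The following is an added illustration written for this page, not KPN's code or configuration: the customer range, the ISP mail relay and the walled-garden server are constructed RFC 5737 documentation addresses, and the iptables rendering uses DNAT in place of the policy-based routing the article mentions. No packet payload is inspected, which is the point of the quote.

```python
"""Port-based egress policy for an ISP customer pool (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses are constructed documentation ranges, not a real ISP's.
CUSTOMER_NET = ip_network("203.0.113.0/24")   # hypothetical customer pool
ISP_MAIL_RELAY = "198.51.100.25"              # hypothetical ISP SMTP relay
WALLED_GARDEN = "198.51.100.80"               # hypothetical notification web server
SMTP_PORT, HTTP_PORT = 25, 80


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt, described only by addresses and ports."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def decide(flow: Flow, quarantined: frozenset = frozenset()) -> str:
    """Return the action for a flow: ACCEPT, DROP, or REDIRECT <walled-garden host>."""
    if ip_address(flow.src) not in CUSTOMER_NET:
        return "ACCEPT"  # the policy only governs customer egress

    # Rule 1: no direct-to-MX SMTP from customers; mail must go via the ISP relay.
    # This is what stops a bot from becoming a spam relay, without any DPI.
    if flow.proto == "tcp" and flow.dport == SMTP_PORT:
        return "ACCEPT" if flow.dst == ISP_MAIL_RELAY else "DROP"

    # Rule 2: a quarantined customer only reaches the walled garden. HTTP is
    # redirected to the notification page; everything else is dropped.
    if flow.src in quarantined:
        if flow.proto == "tcp" and flow.dport == HTTP_PORT:
            return f"REDIRECT {WALLED_GARDEN}"
        return "ACCEPT" if flow.dst == WALLED_GARDEN else "DROP"

    return "ACCEPT"


def iptables_rules(quarantined=()) -> list:
    """Render the same policy as iptables commands for a router in the forwarding path."""
    rules = [
        f"iptables -A FORWARD -s {CUSTOMER_NET} -p tcp --dport {SMTP_PORT} "
        f"-d {ISP_MAIL_RELAY} -j ACCEPT",
        f"iptables -A FORWARD -s {CUSTOMER_NET} -p tcp --dport {SMTP_PORT} -j DROP",
    ]
    for host in quarantined:
        # DNAT stands in for policy-based routing of HTTP to the walled garden.
        rules.append(
            f"iptables -t nat -A PREROUTING -s {host} -p tcp --dport {HTTP_PORT} "
            f"-j DNAT --to-destination {WALLED_GARDEN}:{HTTP_PORT}"
        )
        rules.append(f"iptables -A FORWARD -s {host} ! -d {WALLED_GARDEN} -j DROP")
    return rules


if __name__ == "__main__":
    quarantine = frozenset({"203.0.113.7"})  # constructed: one customer under notification
    for f in (
        Flow("203.0.113.10", "192.0.2.1", 25),     # direct SMTP: dropped
        Flow("203.0.113.10", ISP_MAIL_RELAY, 25),  # via relay: fine
        Flow("203.0.113.7", "192.0.2.1", 80),      # quarantined web: redirected
        Flow("203.0.113.7", "192.0.2.1", 443),     # quarantined other: dropped
    ):
        print(f, "->", decide(f, quarantine))
    print("\n".join(iptables_rules(quarantine)))
```

Rule order matters on the real router: the relay ACCEPT must precede the port-25 DROP, and the quarantine rules must sit after both so a quarantined host cannot reach an outside mail server either. Because the match is on ports and addresses alone, the same policy scales to the traffic volume the quote mentions, where payload inspection would not.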
