Corralling the zombies
- 06 June, 2006 14:12
Zombies are the No. 1 problem facing network and security professionals today. No, this is not a bad horror movie. Basically, compromised consumer PCs provide the malicious engine behind every major attack we see today. Whether the attack vector is e-mail, instant messaging, DNS poisoning or denial of service, you can bet a zombie network is being used to launch the attack.
Aren't zombies anonymous? The analogy that I use to help folks understand zombies is the file-sharing networks used to pirate - I mean, share - music. Think about your old script kiddies that would do the dirty work themselves. With a good amount of detective work, you could figure out who they were and put an end to it. The hacker of yesterday was much like Napster, centralized and visible. Focus on shutting down the individual hackers, and the problem was controllable.
Then Kazaa happened. It made file sharing anonymous. There was no "villain" to go after, despite the music industry's best efforts to prosecute someone. The owners of these compromised PCs have no idea their machines have even been compromised. Maybe the machine runs a bit slower, but most folks just keep going their merry way as their machines are systematically used to break the law. Now any and every device on the Internet is a potential attacker. That's pretty scary, so what can we do about it?
The good news is that we are not as powerless as the music industry to stop the problem. We know what needs to be done, but it's expensive and unpopular. You need to take the zombies off the network until the devices can be cleaned up. That's right, Aunt Bessie needs to be put into the penalty box, because it's her machine (unbeknownst to her, of course) that is behind the attacks.
The ISPs have to take a stand. They have to stop playing the ostrich game and pull their heads out of the sand. They have to publicly denounce zombies, and they have to be willing to take folks who don't comply off their network. My US$30 a month cash cow be damned - these folks have no right to continue accessing the networks using devices carrying the bubonic plague. Legally, ISPs have the power to do this through their usage policies. But to date, they have not wanted to.
Why? Doesn't having 100,000 zombies streaming away on an ISP's network wreak havoc on network engineering? Doesn't it put all the other folks on the network at risk? Yes and yes, but it's easier to solve the problem by throwing some more bandwidth, boxes and smart network architects at it. So the network providers have chosen not to deal with the problem, because it's too hard.
I recently came across a company called Simplicita (www.simplicita.com) that attempts to fix the problem. These folks have a set of software servers that basically identify zombies based on behavior and then use DNS to redirect the offenders to a remediation server to be fixed. It sounds pretty simple, no? Kind of like the endpoint control aspect of network access control, but for carriers.
That's why I like Simplicita's approach. It is, well, simple. Putting a box in front of each DNS server isn't hard. And not having to do anything on the client end (they figure out who is bad based on what the devices are doing, not by scanning the machine) is a cleaner implementation. It also gives carriers additional revenue streams to maybe fix these machines as a value-add offering (or at least get some kickback, I mean referral fees, for pointing the customer toward someone who can help).
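The two-step mechanism the column describes (flag a host from what it does on the wire, then have the carrier's resolver steer it to a remediation server) as an added example; this is not Simplicita's code or from the original article. The flow records, thresholds and addresses are constructed, and the "many distinct mail servers in a short window" heuristic is one plausible behavioral signal assumed for illustration, not necessarily the one Simplicita used.

```python
from collections import defaultdict

# Constructed flow records: (client_ip, dst_ip, dst_port, unix_time).
FLOWS = [
    # 10.0.0.7: host fanning mail out to six different servers in 20 s
    *[("10.0.0.7", f"192.0.2.{n}", 25, 1000 + 3 * n) for n in range(1, 7)],
    # 10.0.0.8: ordinary user, repeated sends through one relay plus HTTPS
    *[("10.0.0.8", "203.0.113.25", 25, 1000 + 10 * n) for n in range(6)],
    ("10.0.0.8", "203.0.113.80", 443, 1030),
    # 10.0.0.9: five distinct peers, but spread over ten minutes
    *[("10.0.0.9", f"192.0.2.{n}", 25, 1000 + 150 * n) for n in range(1, 6)],
]

SMTP_PORT = 25
DISTINCT_PEER_THRESHOLD = 5   # distinct SMTP peers inside WINDOW -> flagged
WINDOW = 60                   # seconds
REMEDIATION_IP = "198.51.100.53"   # constructed walled-garden address
NORMAL_ANSWERS = {"www.example.com": "93.184.216.34"}   # stand-in for real DNS

def flag_zombies(flows, threshold=DISTINCT_PEER_THRESHOLD, window=WINDOW):
    """Return client IPs that reached >= threshold distinct SMTP peers
    within any sliding window of `window` seconds (a fan-out that an
    ordinary mail client, which talks to one relay, does not show)."""
    per_client = defaultdict(list)
    for src, dst, port, ts in flows:
        if port == SMTP_PORT:
            per_client[src].append((ts, dst))
    flagged = set()
    for src, events in per_client.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1   # slide the window start forward
            if len({dst for _, dst in events[lo:hi + 1]}) >= threshold:
                flagged.add(src)
                break
    return flagged

def resolve(client_ip, qname, flagged, answers=NORMAL_ANSWERS):
    """Resolver policy: a flagged client gets the remediation server's
    address for every name; everyone else gets the real answer (or None)."""
    if client_ip in flagged:
        return REMEDIATION_IP
    return answers.get(qname)

if __name__ == "__main__":
    bad = flag_zombies(FLOWS)
    print("flagged:", sorted(bad), "->", resolve("10.0.0.7", "www.example.com", bad))
```

The window check is what keeps the slow, low-volume host (10.0.0.9) out of the penalty box; it is the kind of false-positive case an ISP would have to tune before taking irate calls.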
So what's the catch? First, these guys are early. So it's not clear that it works at ISP scale, especially the behavioral identification of zombies. The concept holds water, but until I see it in practice I'm skeptical. Second, the ISPs have to be willing to take irate calls from customers who cannot access the network. Depending on their answer, the customer may go to another provider, and ISPs need to be OK with that.
Finally, what Simplicita is doing is not really novel. That's part of what I like about it. But without a significant technical barrier to entry, there will be lots of companies that spin existing technology to solve this problem. So the market will inevitably become crowded and confusing. Pretty much like every other security and networking market.
But this is a problem that must be solved. ISPs are the only folks in a position to do anything about it, and they need to step up. At least now we are starting to see solutions to the problem.
Rothman is president and principal analyst of Security Incite, an analyst firm focusing on information security. Read his blog at http://feeds.feedburner.com/securityinciterants or send e-mail to firstname.lastname@example.org.