General discussion


AOL: world's largest botnet?

By deepsand ·
Study: AOL Leads in Zombie Infections

Internet giant's customers account for the highest percentage of infected PCs, researcher says.

John E. Dunn,
Thursday, June 16, 2005

AOL is the global network most infected with "zombie" PCs, according to a new study.

Prolexic has spent the last six months compiling information on the problem of zombies using real-world denial-of-service attack attempts generated by the hijacked machines. AOL accounted for 5.3 percent of all infections, with Deutsche Telekom in second place with 4.67 percent, and Wannadoo third with 3.27 percent.

The most infected countries as a percentage of the total detected were the U.S. (18 percent), China (11.2 percent), Germany (9.6 percent), the U.K. (5.1 percent), and France (5.1 percent). However, calculating zombie numbers on a per capita basis, the most infected countries turned out to be Hong Kong, Germany, Malaysia, Hungary, and the U.K., in that order.

High Profile ISPs
"It shouldn't be a surprise to find that some of the most high profile Internet Service Providers are most susceptible to providing a safe haven for large numbers of zombie PCs," says Prolexic CTO Barrett Lyon. "It is these networks which are continually being exploited to support large scale DDoS attacks."

"Just because a home user subscribes to a reputable brand doesn't mean they're safe from the online criminal fraternity," he says.

AOL has since defended itself by pointing out that it is by some way the largest ISP, and that the number of zombies on its network is actually low in relation to the total number of its subscribers.

Prolexic was at pains to emphasize that its zombie data was culled from attempted real-world attacks, and not traffic to research honeypots, used by some to calculate zombie incidence. The company's business is in selling "clean pipe" Internet connections so the assumption is that the data comes from attempts through its own network.

The company said it had seen a shift in the way zombies were being used for DDoS attacks in recent months. Attackers now favored "full connection based flood" whereby real IP addresses were apparent to the defenders. Such a brute force type of approach could still work because the sheer number of addresses could overload blacklisting systems.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Detroyed DALNet

by BFilmFan In reply to AOL: world's largest botn ...

I recall when AOL pretty much destroyed DALNets chat channel with bots.

Frankly, I believe that the answer is to shut people's ISP accounts and keep them off until such time they can use anti-virus to clean their systems.

But, I am somewhat of a meanie poo poo head about such things.

Collapse -

And turn off the $$$ spigot?

by deepsand In reply to Detroyed DALNet

I concur, but I'm not going to hold my breath waiting for the ISPs to get with the program.

I've a client who uses Adelphia cable as his ISP. He's being inundated with spoofed e-mails, purporting to come from administrator@, mail@, register@, service@, support@, &, all with bogus subjects re. a "security problem" with his account, blank or garbled bodies, and humongeous attachments.

All originate from Adelphia accounts.

When I reported this to Adelphia, I was told that if they purported to have come from Adelphia then they did! (Earth calling Adelphia ...)

After persisting in insisting that they look at the headers (how do we do that?), they finally acknowledged that it was a "known issue," which of course begs the question of why are they then continuing to deliver such?

3 weeks later, and they're still showing up in his in-box!

This, by the way, months after they made a big to-do about the new & wonderful filtering system that they supposedly installed.

Collapse -

Not much better in comcast country

by jmgarvin In reply to And turn off the $$$ spig ...

Comstast has (at least as far as I can tell) 0 filtering and plenty of zombies floating around..

Anybody want to join me in getting $400 million out of Nigeria or saving a dying boy by sending him $500?

Collapse -

Cable inherently risky.

by deepsand In reply to Not much better in comcas ...

Each local loop functions as a LAN; and, all loops within a local system share the same IP block.

This makes for very efficient port scanning.

Althought it's much smaller, Adelphia's system are as corrupted as those of ComCrap.

Collapse -

What a surprise

by vic In reply to AOL: world's largest botn ...

What a shock!!!! NOT

Collapse -

It's the stupid users.

by deepsand In reply to What a surprise

In particular, it's the stupid users who connect via cable, more so than DSL, whose machines are sitting there 24/7 port scanning their entire IP block.

As AOL does'nt control either the fiber or the copper, it's up to the ISPs, such as ComCast, to intervene.

Collapse -

AOL's response: "We're just fine."

by deepsand In reply to AOL: world's largest botn ...

June 15, 2005

AOL: We're Not Zombie Haven

By Gregg Keizer Courtesy of TechWeb News
America Online hosts more denial-of-service (DoS) spewing zombie PCs than any other ISP in the world, a report released Tuesday claimed. AOL thinks that's just fine.
Prolexic, a Florida-based company that offers a DoS mitigation service, tracked attempted attacks over the last six months to rank ISPs. AOL topped the global and U.S. domestic lists, with machines that use it as their link to the Internet accounting for 5.3 percent of DoS attacks worldwide, and 11.7 percent of those conducted in the U.S.

Worldwide, the German family of Deutsche Telekom ISPs -- and, among others -- came in second. In the U.S., Comcast, Bell South, Verizon, and Ameritech fleshed out the top five.

"We're the largest ISP on the planet," Andrew Weinstein, a spokesman for AOL, said Wednesday. "You'd expect us to have the most zombies."

Weinstein went on to say that Prolexic's numbers were actually good news for AOL. "It's a demonstration that the tools we provide are keeping members safe. Our very aggressive actions -- we provide anti-virus, anti-spyware, and firewall services to our users -- make them measurably safer than those on other ISPs."

Weinstein based that take on a comparison of Prolexic's numbers with the U.S. installed base of each ISP. Assuming JupiterResearch's estimate of AOL membership rolls is on target at 21.7 million, America Online accounts for .54 percent of the total U.S. DoS attacks for each million subscribers. Comcast, on the other hand, has just 7.4 million users, but accounted for 10.7 percent of the DoS attacks, for a rate of 1.44 percent per million. Verizon, meanwhile, posted a per million rate of 1.9 percent.

"That's three or four times as many attacks per million subscribers," Weinstein argued. "The numbers show that AOL members are significantly less likely to have been compromised by a zombie. This is actually good news for our users."

Some major U.S. ISPs were notable by their absence. EarthLink, for instance, the fourth largest provider according to JupiterResearch, was not on the list of the top 20, although Mindspring, which EarthLink acquired in 1999, came in at number 17, accounting for 1.3 percent of the DoS attacks tracked by Prolexic in the U.S.

Related Discussions

Related Forums