nanog mailing list archives

Re: botted hosts


From: Sean Donelan <sean () donelan com>
Date: Mon, 4 Apr 2005 04:59:42 -0400 (EDT)


On Mon, 4 Apr 2005, Suresh Ramasubramanian wrote:
> That said, Joe St.Sauver put it fairly well in his presentation at
> maawg san diego, when he said it is cough sirup for lung cancer, and
> what you need along with the cough sirup of port 25 filtering, is some
> stronger measures to locate and take down botted hosts, which of
> course can be used for nastier things (DDoS botnets for example) as
> well, things that do just fine without port 25.

Yep. I've been saying that for several years, and then immediately get shouted
down.  A secure computer doesn't spam, spy, ddos, attack, zombie, bot or
any of the other awful things.  A compromised computer can do all that
and more.

Locating bots is relatively easy.  If you think that is the hard part, you
don't understand the problem.

Unfortunately, researchers haven't come up with a better way to fix
compromised machines without destroying the innocent victims' work.
Several grad students have told me they consider coming up with better
ways to recover a compromised computer too hard of a problem for their
thesis.  Many people prefer to keep using a compromised computer rather
than attempt to fix it.  And as anyone with a relative and a computer
knows, if you ever help someone with a compromised computer, everything
that ever goes wrong with the computer in the future becomes your fault.

So how do you encourage people to fix their computers, without the press
writing lots of stories about "evil" ISPs cutting off service to grandmothers
on social security looking at pictures of their grandchildren?

There are at least 20 million and probably more compromised computers on
the Internet.  Who has a plan to fix them?

