Akamai has taken steps to defend its network against a similar attack, and its staff will share information with the Internet security community using appropriate channels, Leighton said. In the meantime, cleaning up networks of compromised computers in botnets remains “an uphill battle,” he said.
Bot networks aggregate computers that have been compromised with trojans, allowing them to be remotely controlled by hackers. Their use in DDoS attacks dates to 1999 in Europe, followed by one on the University of Washington later that year and a series of high-profile attacks on Yahoo, eBay and other major web sites in February 2000. In the past year, the proliferation of e-mail-borne viruses and auto-downloading trojans has dramatically increased the number and size of botnets, which now have economic value as spam engines and tools in DDoS blackmail schemes. Numerous estimates suggest MyDoom compromised in excess of 500,000 machines worldwide, installing backdoors and trojans that “phoned home” in all of them.
Some networks are taking ad hoc steps to crack down on machines they think may be compromised. Last week Comcast said it was halting email originating from port 25 on suspect customer machines. Comcast and other cable modem networks are problematic because their customers are typically home users with fast connections, modest security skills and static IP addresses. The combination presents an attractive target for hackers and malware, and the enhanced processing power of today’s desktops makes home computers useful in botnets.
But many network operators find policing their networks for zombie machines an economic drain. In many cases the issue for sysadmins is finding the time and staff resources to address the problem. A business consideration is that subscribers are often unaware their machine has been compromised, and are happily paying monthly fees for broadband Internet access. While lax enforcement exacts a cost on someone else’s network, strong network policing has its costs on one’s own network.