Politically motivated computer attacks like the one last year that crippled network traffic in Estonia for weeks are likely to increase, and there's not much victims can do to stop them, a security researcher says. Indeed, just last week government websites in the former Soviet republic of Georgia were ransacked by a denial-of- …
How to take the "inter" out of "internet"
Gateways at national boundaries (e.g. Estonia, Georgia) that block DDoS attacks so the national network is largely self-contained. Gradually it becomes impossible to reach sites outside your own country. QED
Perhaps if governments and ISPs actually tried to sort out zombie machines then they wouldn't get hit so easily?
I'd happily turn over my firewall log to an organisation that had the clout to correlate it with others and pin down machines that were scanning for vulnerabilities and get them off the net (regardless of country/ISP) until fixed. It wouldn't be that hard, once a user account has been identified, to confirm that it really was probing or spamming, and then contact the user to get the machine cleaned (or cut off).
Of course, not all spam is traceable - I see a humongous amount of messenger spam from an IP block allocated to Rogers in Canada, but as it's UDP, it's probably spoofed from somewhere else (I'm sure ISPs could block this if they really wanted to, as well, just by being picky about source addresses on packets originating from their network).
So how long before someone launches one against whatever passes for our government?
Some effort is definitely needed on this
As the two posters above have said, there are ways of dealing with this stuff. Problem is at the moment most of them are software based and therefore incur a significant overhead at the gateways. And this overhead will be at exactly the place you don't want it - your major international pipes. They also require some human input to prevent errors, making them expensive.
My gut feeling is that this is something that needs to be addressed by the high end router manufacturers building the technology to filter and/or reroute these kinds of attacks into their architectures/protocols. Not easy but probably not impossible.
And as Dave said there needs to be much more effort by ISPs to cut off zombie machines. It's not that difficult for an ISP to identify dodgy traffic and where it's coming from and cut off those customers.
It wouldn't be that difficult for the internet governing bodies to scan all internet traffic for zombie machines and start blacklisting ISPs whose networks are riddled with zombie machines.
I think you missed the fact that the Internet is already "inter". There's no reason that an attack initiated by, say, Croatians, has to come from Croatia. All they need to do is send out a tiny stream of commands (indistinguishable from legit traffic) while zombies all over the planet launch the actual attack.
Should you have loads of Chinese, American, British, German, French and Australian computers all DOSsing one target, just who do you cut off?
@Stuart Van Onselen
And, of course, they might come from an internal source as well. So even if your Great Firewall of not-necessarily-China blocks anything that looks like a DDOS attack, your government system / backbone routers might still get owned by local, patriotic computer owners who haven't kept their anti-virus up-to-date.
@Dave & @Mark - ISPs identifying zombies
Strangely enough, a short while ago my wife's PC became covered in spyware/malware, and her ISP blocked her IP address from sending e-mail from the computer, as it had identified large amounts of spam coming from it.
A rebuild sorted it and the ISP removed the block - but it made me think that ISPs could definitely help here, as it's 'their' bandwidth the botnets are using.
Just my 2 bits
Blocking traffic at the borders won't help either. The source of the attack (ie the spamware or whatever) could come from outside, could easily be disguised as normal HTTP traffic - dodgy flash movie, image, PDF, MS-Word macro, whatever - and then sit dormant on badly-patched machines within the country to be attacked, maybe for weeks or months. Then at zero-hour, the attack comes from inside.
If any development work needs to be done to block this type of attack, maybe it should be on outgoing traffic in domestic DSL router/firewalls.
yet another reason
to abandon windows.
ISPs identifying zombies
Will be made easier when the smaller routers interfacing customer sites block packets with invalid source addresses (RFC2267) and ISPs receiving DOS attacks share the source addresses with ISPs from which these originate, in a manner enabling originating ISPs automatically to monitor alleged sources (to confirm reports) and limit the source connections. This requires all ISPs to implement RFC2267 before this can become fully effective. ISPs who don't should be charged more for access and eventually denied access to transit and backbone networks.
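The RFC2267 source-address check mentioned in the comment above, and in the earlier remark about ISPs "being picky about source addresses", sketched as an added example that is not part of any commenter's post. The port names and prefix assignments are constructed for illustration, using documentation address ranges; the per-port drop count is the signal an ISP could use to spot a customer line emitting forged-source traffic.

```python
import ipaddress
from collections import Counter

# Constructed sample: prefixes an ISP has assigned to each customer-facing
# port (documentation ranges; port names are hypothetical).
ASSIGNED = {
    "cust-port-1": [ipaddress.ip_network("192.0.2.0/28")],
    "cust-port-2": [ipaddress.ip_network("198.51.100.64/26"),
                    ipaddress.ip_network("2001:db8:42::/48")],
}

def permit(port, src):
    """RFC 2267 rule: forward only if the source address lies inside a
    prefix assigned to the port the packet arrived on."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    return any(addr.version == net.version and addr in net
               for net in ASSIGNED.get(port, []))

def filter_packets(packets):
    """Return (forwarded packets, per-port count of dropped packets)."""
    forwarded, dropped = [], Counter()
    for port, src, dst in packets:
        if permit(port, src):
            forwarded.append((port, src, dst))
        else:
            dropped[port] += 1
    return forwarded, dropped

# Constructed sample traffic: (ingress port, source, destination)
SAMPLE = [
    ("cust-port-1", "192.0.2.5", "203.0.113.10"),      # legitimate
    ("cust-port-1", "203.0.113.77", "203.0.113.10"),   # forged source
    ("cust-port-1", "192.0.2.16", "203.0.113.10"),     # just outside the /28
    ("cust-port-2", "198.51.100.70", "203.0.113.10"),  # legitimate
    ("cust-port-2", "2001:db8:42::1", "2001:db8:ffff::1"),  # legitimate IPv6
    ("cust-port-2", "10.0.0.1", "203.0.113.10"),       # private source leaking out
    ("unknown-port", "192.0.2.5", "203.0.113.10"),     # no assignment: drop
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print(len(ok), "forwarded;", dict(bad), "dropped")
```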
re: yet another reason
The OS has little or nothing to do with it. If you replaced all the PCs with Macs or Linux boxes, botnets would re-appear within weeks, I guarantee it. And just as many servers affected by these attacks are running Linux as anything else.
The issue is whether or not ISPs are able to identify bots on their network and cut them off until they are cleaned. My guess is that the fear of losing paying customers means more to them than worry if half the computers on their network are forming a botnet.
People don't respond too well to being told "clean your machine or we'll cut you off". Particularly those who were hoodwinked into believing PCs are just another appliance by smooth talking bar stewards working at electronics stores. They don't have the knowledge to understand how to wipe and rebuild their computers. Saying "well they shouldn't be allowed to access the internet" is just the comment of a prick. The noobs are the ones that pay our salaries, and it's our job to fix their problem. If anyone could do it, we wouldn't be worth much and I'd rather keep my pay at a decent level, thanks.
Kicking everyone off the internet isn't the answer, they're the money behind our toys. The answer is finding a way to automatically clean their computers for them.
it does help, hate to break up the internet orgy fest, but a lot of folks do just block off entire subnets, and straight away see the attacks lessen.
It is simple maths really, but beyond the direct proportions, you will find attacks that originate outside your country are disproportionally higher. The reason is there is less chance of being physically caught if a border or two is being crossed, beyond the amusing let's call x or y country the cracker hotzone, that just appeals to the tribal nature of us.
Hosting in another country is not a bad idea, that way you have a couple of jurisdictions with which to pursue the attacker from.
There is more that can be done, and it would be good to see banks, and ecommerce systems take the lead here. For the main, those are the systems that need protecting, and banks should already be offering access only from IPs internal to the country (in some ways they should be going further and limiting it to a static IP or groups of IPs from the ISP), obviously at the customer's behest.
And still there is more to do, but I would prefer computer security pros get paid than fraud run rampant, and that is the equation we should be looking at when deciding to put in security or not.
Zombie machines will be with us for a long time, even if Linux takes the desktop, the Windows users want to bring in all their bad insecure practices, it is amusing and terrifying all at once.