Horror of the Zombies


Whether you think of your video network as being a data network or not, it is.

You already operate the highest-speed networks for accessing Web sites and downloading Internet videos. Your subscribers rely on you for their e-mail. Now, you're using Internet Protocol technology to carry telephone calls, which is about as personal as it gets.

This has been lucrative, but can also be dangerous. The reason: Zombies. No, not the kind made famous in such B-grade fare as Chopper Chicks in Zombietown (1989).

These zombies are infamous for computer-network attacks, in which thousands of unsuspecting (and unwitting) PCs are used to flood Web sites with spurious requests. In the worst case, sites are overwhelmed and go down. In August, the number of new zombies established every day rose not-so-gradually from 214,000 to 265,000, according to CipherTrust, an Internet security firm in Alpharetta, Ga.

Typically, a PC becomes a zombie when attackers exploit a flaw in Windows server or client security. The ways to rid yourself of the zombie horror — and the damage it can do to your network, your reputation and your subscribers' PCs — are not easy:

Block traffic. A common approach is blocking traffic emanating from your servers, using filters and rules. But these address the symptom, not the disease. You keep your servers off blacklists, which allows e-mail and Web requests to keep going through. But subscribers remain unaware their machines have been hijacked. And information on those machines could be stolen, subjecting customers to identity theft.

Revoke e-mail privileges. You can cut off e-mail until the offending PC is disinfected. Send a message to the subscriber informing them that their outbound e-mail privileges have been revoked, explaining why. Offer to restore service when the problem is fixed. But many subscribers will ignore the message, thinking it is spam. And most are not savvy enough to remove the software themselves.

Call them. Have your service desk call the worst violators and walk each customer through the cleanup, step by step. Effective, but expensive.

Use the network. Fortunately, providers have a very powerful ally at their disposal to automate zombie remediation: their networks. Identifying zombies using existing policy-management tools is easy. Isolating and disinfecting them is harder.

There are two approaches for using the network to isolate zombies and provide subscribers with tools to disinfect their machines themselves. The first involves using packet-level switching devices to quarantine hijacked PCs. Packet-level switching, however, is cumbersome since it requires manual deprovisioning and reprovisioning of equipment.

A second alternative: Use the Domain Name Service (DNS) to quarantine subscribers as needed. Since DNS operates at the application layer, network access can be reinstated instantly, yielding a friendlier end-user experience. In addition, DNS switching can be used to address delinquent accounts, illegal hosting of copyrighted content or other service-intervention purposes.
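The two network-side steps described above (identify zombies from the traffic your policy tools already see, then quarantine them at the DNS layer and reinstate them instantly) as an added example; this is not code from the article or from any vendor. It flags subscriber hosts that fan out to many distinct mail servers on TCP/25 and puts them behind a resolver policy layer that answers every lookup with a walled-garden portal address until they are released. Every address, name and flow record is constructed for the example, and the portal address and remediation domain are assumptions.

```python
"""Network-side zombie remediation: flag hosts whose outbound behaviour looks
like a spam bot, then quarantine them at the DNS resolver so every lookup lands
on a remediation portal until they are released.

All addresses, names and flow records below are constructed for the example.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical walled-garden portal and the name subscribers use to reach it.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
WALLED_GARDEN_IP = "192.0.2.10"
REMEDIATION_DOMAIN = "cleanup.example.net."

# Constructed stand-in for what the recursive resolver would get from upstream.
UPSTREAM_ANSWERS = {
    "www.example.com.": "198.51.100.20",
    "mail.example.com.": "198.51.100.25",
    REMEDIATION_DOMAIN: WALLED_GARDEN_IP,
}


def build_sample_flows():
    """Constructed flow records: (src_ip, dst_ip, dst_port).

    10.0.0.7 fans out to 60 distinct mail servers on TCP/25, the classic
    footprint of a spam bot; 10.0.0.8 talks only to its provider's relay.
    """
    flows = [("10.0.0.7", f"203.0.113.{n}", 25) for n in range(1, 61)]
    flows += [("10.0.0.8", "198.51.100.25", 25)] * 3
    flows += [("10.0.0.8", "198.51.100.20", 80)] * 5
    return flows


def flag_mass_mailers(flows, distinct_dst_threshold=20, port=25):
    """Return the set of source IPs that contacted more than
    `distinct_dst_threshold` distinct hosts on `port` (outbound SMTP by default).

    Counting distinct destinations rather than raw connections keeps a
    legitimate user who sends many mails through one relay below the bar.
    """
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) > distinct_dst_threshold}


def _canonical(qname):
    """Lower-case and fully qualify a query name so lookups are consistent."""
    qname = qname.lower()
    return qname if qname.endswith(".") else qname + "."


@dataclass
class QuarantineResolver:
    """Resolver policy layer: quarantined clients get the portal address for
    every name except the portal's own, so the browser reaches the cleanup page
    and nothing else; release takes effect on the very next query."""
    quarantined: set = field(default_factory=set)

    def quarantine(self, subscriber_ip):
        self.quarantined.add(ipaddress.ip_address(subscriber_ip))

    def release(self, subscriber_ip):
        self.quarantined.discard(ipaddress.ip_address(subscriber_ip))

    def resolve(self, client_ip, qname):
        """Return the A record to hand back, or None for NXDOMAIN."""
        client = ipaddress.ip_address(client_ip)
        name = _canonical(qname)
        if client in self.quarantined and name != REMEDIATION_DOMAIN:
            return WALLED_GARDEN_IP
        return UPSTREAM_ANSWERS.get(name)


def run_demo():
    """Flag, quarantine, then release; returns the answers seen at each stage."""
    resolver = QuarantineResolver()
    for bot in flag_mass_mailers(build_sample_flows()):
        resolver.quarantine(bot)
    during = resolver.resolve("10.0.0.7", "www.example.com")
    resolver.release("10.0.0.7")
    after = resolver.resolve("10.0.0.7", "www.example.com")
    return during, after


if __name__ == "__main__":
    print(run_demo())  # ('192.0.2.10', '198.51.100.20')
```

The point of the resolver layer is the one the text makes: quarantine and release are a set membership change on the resolver, with no equipment to reprovision, and the subscriber's next page load already lands on the cleanup portal (or, after release, on the real site). In a deployment the same decision would sit in front of the real recursive resolver rather than a static answer table, and short TTLs on the quarantine answers keep stale cached records from outliving the release.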

If history is any guide, subscribers will soon demand a network-based protection against zombies, a.k.a. bots. The sooner you give it to them, the better off you'll be, as well.