Telstra trial detects 5.4 per cent botnet infection rate

Top telco says it had a successful test with DNS poisoning.

Telstra has successfully trialed using DNS poisoning to prevent botnets on the BigPond network, Telstra principal domain expert, Barrie Hall, said at an Internet Industry Association event to review iCode. The company detected an alarming number of infections, he said.

Telstra was pleased by a trial of Nominum’s Network Protection System (NPS) and is working with Nominum on “next steps,” said Hall.

Telstra used Nominum data to acquire domain names used by botnets to communicate with their “mother ships,” Hall said. “The entire premise of this is to blacklist, or poison if you like, the domain names associated with the command-and-control service.”

“Since DNS is so widely used by criminals, it’s a logical place to stop them,” Hall said.

In the trial, Telsta looked at 1 million IP addresses on BigPond and found that 5.4 per cent showed signs of being infected by a botnet, Hall said. That percentage is better than networks in other countries, he said. In the U.S., Comcast has “admitted up to [a] 15 percent infection ratio,” he said.

In all of Australia, 10 per cent of all fixed connections are infected by botnets, and 5 per cent on wireless, estimated Nominum sales director for Asia-Pacific, Carl Braden.

“A lot of my colleagues would say that mucking with DNS is evil,” Hall said. However, “we’re at war,” he said. “This is a way of helping.”

In a weekly “repeated sightings” report, the Australian Communications and Media Authority usually reports 5,000 to 6,000 infected IP addresses seen 10 or more times in a 14-day period, said ACMA manager of e-security, Bruce Matthews. That shows “continuing persistent infections that aren’t being actioned.”

In the last few months, DNSchanger has represented the greatest volume of infections seen by ACMA, Matthews said. ACMA is issuing a media advisory to help reduce the number of infections, he said. ACMA has seen a “significant” reduction in the number of Flashback infections, he said.

Conficker represents 25 per cent of ACMA’s reports, despite “being around for a very long period of time,” Matthews said. “There are lots of tools out there to fix Conficker. Why it is persisting is a cause for concern.”

Follow Adam Bender on Twitter: @WatchAdam

Follow Computerworld Australia on Twitter: @ComputerworldAU

Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.

References show all

Comments

Yin

1

The reason why conficker remains such a threat, is because people didn't take proper precautions (common sense) in the first place.

And it remains an issue, because people don't care about their servers, they only care that they can browse the internet, get their email and their stuff works.

Comments are now closed.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers

Australia needs effective government cyber policy leadership: report

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Sign up now to get free exclusive access to reports, research and invitation only events.

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia