Prolexic, a company providing Distributed Denial of Service (DDoS) solutions and security consulting products, recently issued a zombie analysis report that identifies AOL, Comcast, Bellsouth and Verizon as the United States' top four offenders for harbouring infected PCs.
The findings are based on statistics taken from real DDoS attacks during the last six months. Globally, AOL was found to have the most infected network on the Internet.
"It isn't surprising to find that the most high profile Internet Service Providers (ISPs) are most susceptible to providing refuge for large numbers of zombie PCs. It is these networks that are continually exploited to support large-scale DDoS attacks. Just because a home user subscribes to a reputable brand doesn't mean they're safe from the online criminal fraternity," said Barrett Lyon, Prolexic's chief technology officer.
The report also highlighted a significant change in the way DDoS attacks are coordinated. It was found that attacks are now focusing less on Layer-3 TCP and honing in on the weakness of DDoS mitigation devices.
"We have seen a 100 percent failure rate in several DDoS mitigation devices. Hardware does a poor job in identifying attacks that emulate legitimate traffic. Therefore, enterprises that rely on these devices are particularly vulnerable to this attack vector. Essentially, extortionists are becoming more intelligent and circumnavigating the security put in place to stop them," added Lyon.
Based on the data, the "attack of choice" in the first half of 2005 was an advanced, full-connection-based flood. This particular attack exposes the real IP address of the attacking zombie; however, the sheer number of IP addresses needing to be blacklisted to successfully defend the attack places an overwhelming load on mitigation hardware.
The zombie analysis report also identifies Europe as the most zombie-infested network overall and that Hong Kong as the most infested network per capita.
In conjunction with the report, an Opte image mapping the routes involved to the Prolexic IPN with DDoS attacks is provided to demonstrate how a single attack can flow over nearly the entire Internet.