Up to 12 percent of all scanning attacks targeting broadband serviceproviders networks are launched internally, from their own subscribers,newly published research has claimed.
According to the study conducted by security firm Sandvine, the majority of these internal attackers are zombie PCs – whose owners are completely unaware that their computers are infected and scanning IP addresses, sending requests to useable port numbers, and transferring worm or Trojan code when a vulnerable host is found.
The report, which is based on data gleaned from over 100 globally-dispersed ISP deployments collectively supporting 20 million subscribers, goes on to claim that most ISPs mistakenly believe that all attacks come from external attackers, and that broadband security only consists of policing the borders between external and internal networks.
“If the enemy is already loose within the gates, it doesn’t matter how high the walls are,” said Dave Caputo, president and CEO of Sandvine, pointing out that strong network-edge defences can only form part of the solution to protecting networks and subscribers.
“Broadband service providers must not only prevent malicious agents from entering their network from the outside, but also cleanse the unsuspecting attackers on the inside.”
Caputo argues that, with the increase in more evasive, destructiveattacks, broadband providers can no longer rely on signature-baseddetection to mitigate attacks. He advocates using a combined approach that also includes behavioral detection and in-depth network traffic monitoring as the only way of stopping zero-day attacks and cleansing the network both from incoming and outgoing attacks.
This view was echoed by Lindsay Schroth, broadband access technologies, Yankee Group: “Malicious traffic is everyone’s problem, whether it’s dealing with off-net attackers or your own subscribers. Broadband service providers need traditional tools as well as real-time visibility into network traffic to stop zero-day attacks.”