Telstra trial detects 5.4 per cent botnet infection rate

Top telco says it had a successful test with DNS poisoning.

Telstra has successfully trialed using DNS poisoning to prevent botnets on the BigPond network, Telstra principal domain expert, Barrie Hall, said at an Internet Industry Association event to review iCode. The company detected an alarming number of infections, he said.

Telstra was pleased by a trial of Nominum’s Network Protection System (NPS) and is working with Nominum on “next steps,” said Hall.

Telstra used Nominum data to acquire domain names used by botnets to communicate with their “mother ships,” Hall said. “The entire premise of this is to blacklist, or poison if you like, the domain names associated with the command-and-control service.”

“Since DNS is so widely used by criminals, it’s a logical place to stop them,” Hall said.

In the trial, Telsta looked at 1 million IP addresses on BigPond and found that 5.4 per cent showed signs of being infected by a botnet, Hall said. That percentage is better than networks in other countries, he said. In the U.S., Comcast has “admitted up to [a] 15 percent infection ratio,” he said.

In all of Australia, 10 per cent of all fixed connections are infected by botnets, and 5 per cent on wireless, estimated Nominum sales director for Asia-Pacific, Carl Braden.

“A lot of my colleagues would say that mucking with DNS is evil,” Hall said. However, “we’re at war,” he said. “This is a way of helping.”

In a weekly “repeated sightings” report, the Australian Communications and Media Authority usually reports 5,000 to 6,000 infected IP addresses seen 10 or more times in a 14-day period, said ACMA manager of e-security, Bruce Matthews. That shows “continuing persistent infections that aren’t being actioned.”

In the last few months, DNSchanger has represented the greatest volume of infections seen by ACMA, Matthews said. ACMA is issuing a media advisory to help reduce the number of infections, he said. ACMA has seen a “significant” reduction in the number of Flashback infections, he said.

Conficker represents 25 per cent of ACMA’s reports, despite “being around for a very long period of time,” Matthews said. “There are lots of tools out there to fix Conficker. Why it is persisting is a cause for concern.”

Follow Adam Bender on Twitter: @WatchAdam

Follow Computerworld Australia on Twitter: @ComputerworldAU

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments
[]