IT Security
Web Reputation Filtering to Counter Bot Attacks
March 19, 2008
While Google is crawling the Internet, ranking Web sites for their popularity and content, other filters are out there too, ranking sites for their safety and security.
Web reputation filters track the behavior of Web hosts over time, to determine whether they're spewing malware, hosting phishing scams, or performing other evil tasks. The system has about 50 factors that it analyzes automatically. As it watches the traffic being sent, it develops a reputation score for each IP, based on how often that IP performs suspicious activities. The score is like a financial credit score that helps identify future risks on the web.
According to Shalabh Lohan at IronPort Systems, there are about 75 million compromised machines on the Internet capable of spewing spam and malware to other computers. Hackers can control which machines are activated, at what times, and for how long. At any given time, only 5-10% of them are active. They might be performing dirty deeds for just an hour a day, or even a full afternoon.
IronPort, since it's owned by Cisco, has access to the world's largest traffic monitoring network, according to Shalabh. It uses Web reputation filters across this network to capture information about malware and bots. The information it gathers is fed back into its security devices. As a result, IPs that have been known to send dangerous traffic across the Web are blocked from sending that traffic into the network.
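A minimal sketch of the per-IP scoring and blocking described above, added here as an illustration; it is not IronPort's algorithm. The three factors, their weights, the 72-hour half-life and the block threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Assumed factor weights; the article says about 50 factors exist but names none.
WEIGHTS = {"spam_sent": 1.0, "malware_served": 4.0, "phishing_hosted": 3.0}
HALF_LIFE_H = 72.0     # assumed: evidence loses half its weight every 72 hours
BLOCK_THRESHOLD = 5.0  # assumed: block at or above this score


def reputation_scores(events, now_h):
    """Return {ip: score}; each observation counts weight * 0.5**(age / half-life)."""
    scores = defaultdict(float)
    for ts_h, ip, factor in events:
        age = now_h - ts_h
        if age < 0 or factor not in WEIGHTS:
            continue  # skip future-dated or unknown observations
        scores[ip] += WEIGHTS[factor] * 0.5 ** (age / HALF_LIFE_H)
    return dict(scores)


def should_block(ip, scores):
    """An IP with no history scores 0.0 and is allowed."""
    return scores.get(ip, 0.0) >= BLOCK_THRESHOLD


# Constructed sample: (hour observed, source IP, factor).
# Addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    # A bot that is active for roughly one hour a day, three days running.
    (10, "192.0.2.10", "spam_sent"), (10, "192.0.2.10", "malware_served"),
    (34, "192.0.2.10", "spam_sent"), (34, "192.0.2.10", "malware_served"),
    (58, "192.0.2.10", "spam_sent"), (58, "192.0.2.10", "malware_served"),
    # A host with one old, low-weight incident.
    (0, "198.51.100.7", "spam_sent"),
]

if __name__ == "__main__":
    # Hour 70: the bot has been dormant for 12 hours but is still blocked.
    dormant = reputation_scores(EVENTS, now_h=70)
    # Hour 346: twelve quiet days later the same IP has recovered.
    quiet = reputation_scores(EVENTS, now_h=346)
    for label, scores in (("hour 70", dormant), ("hour 346", quiet)):
        for ip in sorted(scores):
            print(label, ip, round(scores[ip], 2), should_block(ip, scores))
```

Because the score carries history, a bot that is only switched on for an hour a day stays blocked while idle, and an address that stops misbehaving gradually regains its standing.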
However, Shalabh says that reputation filtering can't actually stop the bot phenomenon because it doesn't have control over the zombie machines.
So, it looks like we're on track to see bots continue their dirty deeds for the time being.
But today IronPort did announce some enhancements for its reputation filter products.








