
Could there be zombies lurking on your network?


A few years ago I covered the network zombie issue on my Computerworld blog. In it I looked at a couple of customer issues where a zombie client had caused network problems. Is this all a distant memory?

If anything the problem has become worse in 2014. The list below is just a sample of the threats and vulnerabilities that made the news so far in 2014.

No matter what size of network you manage, you can fall victim to any of the above. While the majority of issues that I hear about are still user and application ones, you should still have tools and procedures in place to deal with the really bad stuff. I may be generalising too much here, but the majority of network issues typically break down as follows:

  • Equipment failures
  • User and/or application problems
  • Malware or other targeted attacks

Back to the subject of zombies: they are still a big problem. Recently I heard from a customer where an IP phone went faulty during a very busy time on their network. The phone started flooding the network with broadcast traffic and had the potential to grind things to a halt. Once they received an alert, they turned to their network activity monitoring solution and weeded out the phone quickly. Metadata captured from network packets was used to identify the phone's MAC and IP addresses, and this information was then used to trace where the device was plugged in.
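The check described above, as an added example that is not part of the original post and is not LANGuardian's code: it counts broadcast frames per source MAC in one-second windows over constructed packet metadata and reports the MAC and IP address of any source above a threshold. The record layout, the threshold of 100 frames per window and the sample addresses are assumptions.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

def find_broadcast_flooders(records, window=1.0, threshold=100):
    """Flag sources whose broadcast frame count in any fixed window exceeds
    the threshold. Each record is (timestamp, src_mac, src_ip, dst_mac),
    an assumed layout for exported packet metadata."""
    counts = defaultdict(lambda: defaultdict(int))  # mac -> window index -> frames
    ips = defaultdict(set)                          # mac -> source IPs seen
    for ts, src_mac, src_ip, dst_mac in records:
        if dst_mac.lower() != BROADCAST:
            continue  # only layer-2 broadcast frames matter here
        mac = src_mac.lower()
        counts[mac][int(ts // window)] += 1
        if src_ip:
            ips[mac].add(src_ip)
    flagged = {}
    for mac, buckets in counts.items():
        peak = max(buckets.values())  # busiest window for this source
        if peak > threshold:
            flagged[mac] = {"ips": ips[mac], "peak": peak}
    return flagged

def sample_records():
    """Constructed sample: one normal workstation and one faulty phone."""
    recs = []
    # Workstation: a few broadcasts mixed with ordinary unicast traffic.
    for i in range(5):
        recs.append((i * 0.2, "00:11:22:33:44:55", "192.0.2.10", BROADCAST))
        recs.append((i * 0.2, "00:11:22:33:44:55", "192.0.2.10", "00:aa:bb:cc:dd:ee"))
    # Faulty phone: 500 broadcast frames inside a single second.
    for i in range(500):
        recs.append((10 + i * 0.002, "02:00:00:00:00:01", "192.0.2.77", BROADCAST))
    return recs

if __name__ == "__main__":
    for mac, info in find_broadcast_flooders(sample_records()).items():
        print(mac, sorted(info["ips"]), info["peak"], "broadcast frames in peak window")
```

The flagged MAC address is what you would then look up in the switch MAC address tables to find the port the device is plugged into.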

In another recent case where LANGuardian was used, a faulty network switch resulted in a network getting flooded with data from a number of hosts. What was once a managed switch doing its job suddenly became a zombie, under the control of no one and destined to cause havoc. If you manage a network, you can use this to justify the investment in network monitoring tools. You need to be able to get alerts and see what is happening on your network. This will save money through less downtime and quicker troubleshooting.

Over the last 18 months a trend has emerged where zombie hosts are now trying to take control of your data. Cryptorbit and its variants actively seek out file shares and encrypt all files found. In some cases you may be able to decrypt your data, but in others you may need to pay a ransom.

As I mentioned previously, these zombies can arrive on any network. Now that we are entering the era of the Internet of Things, we are increasing the possibility of zombies appearing on networks. No matter what size of network you manage, you need to be able to see what is happening. When it comes to home networks, Wireshark can be a really useful tool. Just install it on a client and use it to monitor local traffic, or connect the client to a SPAN or mirror port if the traffic rates are low. On larger networks you should look at commercial tools like LANGuardian.

Tell us about the zombies you found on your own network, comments welcome!

Darragh