How ISPs Could Combat Botnets
Focusing on the top 50 infected networks could eliminate half of all compromised machines.
Convincing Internet service providers to pinpoint infected computers on their networks could eliminate the lion’s share of zombie computers responsible for churning out spam and initiating other online threats, according to a new analysis.
The researchers analyzed more than 63 billion unsolicited e-mail messages sent over a four-year period and found more than 138 million unique internet addresses linked to sending out the spam. Typically such machines have been hijacked by hackers and are corralled into a vast network of remote-controlled system known as a “botnet.”
By correlating the Internet protocol addresses of these spam-sending machines with the networks maintained by Internet service providers, the researchers found that about two-thirds of them were located in the networks managed by the 200 largest ISPs from 40 countries. The top-50 networks responsible accounted for more than half of all compromised IP addresses. If these ISPs were to shut down, or block, the malicious machines on their networks, it could cut worldwide spam by half.
“Those 50 ISPs are not the [dubious] ones we hear about,” says Michel van Eeten, professor of public administration at the Delft University of Technology in the Netherlands and one of the authors of a paper on the research, which will be presented next month at the Workshop on the Economics of Information Security at Harvard University. “They are the ones we deal with every day, and so are more approachable and are in the reach of government.”
The research suggests that regulations designed to force ISPs to take action to curtail compromised systems would dramatically impact cybercriminals’ botnets.
Turkey’s national Internet service provider, Turk Telecom, recently blocked its users from sending mail through any but its own servers. As a result, nearly four million IP addresses showing signs of infection could no longer send spam, says David Rand, another member of the research team and chief technology officer of antivirus firm Trend Micro. Regulations that would prod other Internet service providers to take similar action could help clean up major networks, Rand says. “The goal here is to create some legislation that forces the ISPs to at least notify their customers,” he says.
National policy appears to have an impact on botnet populations. Countries that have joined the London Action Plan–an effort to coordinate anti-spam and anti-cybercrime efforts internationally–or who are signatories of the Council of Europe’s Convention on Cybercrime have fewer botnet infection, the researchers say.
While there is a relationship between the size of an ISP and the number of infected machines connected to the Internet through the provider’s network, some providers have 100 times more infections than others of the same size. And while some ISPs are addressing the problem, most are failing to meet the magnitude of the issue, Delft University’s van Eeten says. One large ISP recently removed 1,000 infected systems a month from its network, but it likely had 40,000 to 200,000 compromised computers connected to its network.”There is no way for a consumer to assess any of the claims that a particular ISP cares about its security,” van Eeten says.
The researchers hope to change that by developing metrics that show how actively an ISP is detecting and mitigating compromised systems, and they’re working with the Dutch government to develop such metrics.
Requiring ISPs to secure their customers’ computers would have mixed economic impacts, according to experts. Blocking consumers from connecting to the network if their computer is compromised would lead to an avalanche of costly support calls, according to Jose Nazario, senior researcher at network security firm Arbor Networks.
Still, Internet service providers are taking the threat more seriously. Providers in Australia, for example, have signed an agreement to notify consumers if their PC is compromised by malicious software and to possibly downshift their bandwidth. In the Netherlands, 14 ISPs have agreed to exchange information about security issues, to notify users if their system appears to be compromised, and to block traffic from infected systems, essentially quarantining users.
While the research suggests that focusing on the dozens of network providers with the largest botnet populations connected to their networks, Trend Micro’s Rand stresses that the entire problem has to be addressed more holistically.”Everyone needs to deal with the problem simultaneously,” Rand says. “We could fix the top 50 ISPs this year, and next year, we’ll find we are dealing with the top 500.”