March 16, 2008
Are ISPs Accountable for Bots on Their Systems?
The European Network and Information Security Agency (ENISA) commissioned a study on the economic impact of network and information security. ENISA is an agency of the European Union, and its focus is clearly on what's happening in the EU. But, as we all know, security is a worldwide issue, so their findings aren't necessarily applicable only to the EU.
One of the recommendations was most striking:
Recommendation 4: We recommend that the European Union introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines, coupled with a right for users to have disconnected machines reconnected by assuming full liability.
The authors of this report readily admit that this "is the most controversial of our recommendations." They provide an apt analogy wherein the highway system requires police to get drunk drivers off the road before the miscreants harm others and themselves. All licensed drivers know they're not supposed to drink and drive, but some do so anyway; likewise, your aunt may have heard your warnings about opening unsolicited email attachments, but couldn't resist unzipping the "shocking Britney photos," turning her PC into a zombie that sends spam and launches DoS attacks under the command of a botnet herder. Should her ISP act as cops to prevent her PC from inflicting more harm around the Internet?
I long believed that the ISP stands in the ideal spot between the user and the cloud to perform this type of service; and yet I've treated this dream as being merely fanciful. Some ISPs have taken small steps to limit potential damage by blocking PCs from sending spam directly to outside mail servers ("blocking outbound Port 25"). But a bot can still do harm in other ways that such blocking won't affect.
Some ISPs got suspicious if one of their subscribers sent huge blasts of email frequently. The botnet herders figured this out and now commonly instruct their bots to send out smaller chunks less frequently—but with more bots to keep the overall volume up.
Short of invasively scanning their customers' PCs for malware, could ISPs know which customers were infected? Mechanisms are already in place to capture the IP addresses of spam sent to spamtrap addresses and other types of attacks aimed at honeypots. Heck, after a 10- to 25-thousand dictionary attack day at my own email server, I could supply hundreds, if not thousands, of IP addresses of botnet machines.
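As an added example (not code from the original post), here is the kind of tally a mail administrator can run over the server's reject log to turn a dictionary-attack day into a list of reportable source IPs: one source probing many distinct non-existent mailboxes is the signature, while a single mis-typed address retried a few times is not. The log lines are constructed in a Postfix-style smtpd reject format, and the threshold on distinct unknown recipients is an assumed value.

```python
import re
from collections import defaultdict

# Regex for a Postfix-style "User unknown" reject (assumed format for this example).
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 .*?<(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

def _line(ip, rcpt):
    # Constructed reject line in the shape a Postfix smtpd would log it.
    return (f"Mar 16 01:02:11 mail postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient table; "
            f"from=<x@bot.invalid> to=<{rcpt}> proto=ESMTP helo=<pc>")

# Constructed sample: two sources walking a name list, one retried typo, one unrelated line.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", f"{n}@example.com") for n in ("alan", "amy", "andy", "anna", "arthur", "ava")]
    + [_line("203.0.113.5", f"{n}@example.com") for n in ("bob", "bill", "ben", "beth", "brad")]
    + [_line("198.51.100.7", "sales@example.com")] * 2
    + ["Mar 16 01:03:00 mail postfix/smtpd[4101]: connect from unknown[198.51.100.7]"]
)

def parse_rejects(log_text):
    """Map each source IP to the set of distinct unknown recipients it tried."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return probes

def dictionary_attackers(log_text, min_distinct=5):
    """Return [(ip, distinct_unknown_recipients)] for sources at or above the threshold,
    most active first. Counting distinct names, not attempts, keeps a retried typo
    from ever reaching the threshold."""
    probes = parse_rejects(log_text)
    hits = [(ip, len(r)) for ip, r in probes.items() if len(r) >= min_distinct]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for ip, n in dictionary_attackers(SAMPLE_LOG):
        print(f"{ip}\t{n} distinct unknown recipients")
```

The resulting IP list is what the post describes handing to the ISP that owns the address block; mapping an IP to its owner still requires a WHOIS lookup, which this example does not do.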
Currently I don't bother reporting these infections to the ISPs owning the IP address blocks because I have little faith in the report leading to a blocked account or, better still, a cleaned-up PC. I simply can't imagine a big broadband ISP setting itself up for the customer service nightmare of turning off hundreds of customers per day. The telephone support lines would get hot enough to set most of southern Asia ablaze. Nor are big ISPs going to send technicians to every infected customer's home to rid the household's PCs of infestation (especially since most customers would balk at paying for such a service, despite their complicity in causing the problem in the first place).
Meanwhile, I sense that ISPs would rather sit back and let security researchers find and destroy the command-and-control mechanisms behind the botnets. Botnet herders prove themselves to be nimble and smart, finding new ways to make themselves hard to find.
Botnets represent the most serious potential threat to the Internet. They're like thousands of sleeper cells who know no national boundaries and who slavishly respond to their commander around the clock. If we don't start neutralizing the botnet cells voluntarily (whether it be ISP, massive public user education, or both), I worry that legislators will bull their way through our china shop and make things worse.
ISPs could do everyone a favor and step up sooner rather than later.
I have had success when the IP block is owned by, say, a government agency. A couple of years ago, I was getting some nasty spam that I was able to determine originated from a Southern California agency. A day or so after my report, I received word back that the IT folks there had located the rogue computer—a laptop that an employee had occasionally used at home. The infection took place at home, but the zombie also did its spamming while the computer was at work, plugged into the agency local area network.

Posted on March 16, 2008 at 01:37 PM