The Government and ISPs At Odds Over Fighting Botnets

jackalope


Both the U.S. government and the country’s internet service providers (ISP) agree that botnets are among the greatest threats facing Web users.

But they can’t yet agree on what to do about it, because the ISPs aren’t exactly the biggest fans of a government document calling for them to establish voluntary, industry-wide standards for detecting and fighting threats.

That was the major, unfortunate conclusion that came out of a contentious panel discussion on Tuesday featuring the White House cyber security coordinator, cyber experts at the Department of Homeland Security and the Department of Commerce and an ISP industry trade representative.

The U.S. government defines botnets as collections of compromised computers that are remotely controlled by a malevolent party. The networks are often used to launch crippling attacks against third parties online.

A recent study by Microsoft found the U.S. leads the world in terms of the number of computers infected with botnet malware, 2.2 million, compared to second-place Brazil’s 500,000. Globally, McAfee reported in late 2010 that it was seeing an average of 6 million new botnet infections every month.

(snip ... )

Also, the document provides three degrees of botnet fighting standards that would involve varying levels of government participation: From none, in the “private sector run and supported model,” to some government services for helping to notify users in a “public/private partnership,” to one where the government provides the central resource for helping consumers fix botnets.

Clearly, the federal agencies are right now pursuing the second model, but the ISPs argue that they are already doing a good enough job at helping customers, and that it is the government’s lack of clarity on legality and liability issues - such as whether ISPs can be prosecuted for accessing customers’ private information - that is holding them back from doing a better job. Also at stake is who would pay for such botnet fighting services.

The government’s document points to successful public/private partnerships in Australia, Japan and Germany, each with its own unique features, that have all seen some gains in helping users detect and clean up botnets on their computers. Yet American ISPs say the situation here is much different and so those models aren’t necessarily applicable.

As Michael O’Reirdan, chairman of the Messaging Anti-Abuse Working Group, a global industry trade organization, said during the discussion: “There’s an emerging worldwide consensus something needs to be done.” But he also added: “You can’t just focus on ISPs…end users have to be sensible…[cyber security] tools vendors need to come up with better tools.”

more: The Government and ISPs At Odds Over Fighting Botnets | TPM Idea Lab

The emerging worldwide consensus seems like a big duh! assessment. Better tools would be great. And a public/private partnership with ISPs would be great too. It seems like ISPs are in a position to know if there are botnets running or not. Why not use that information and do something about it?


Other links, from following the intra-article “Microsoft detected 2.2 million infected computers” link in the story:

http://threatpost.com/en_us/blogs/us-reigns-most-bot-infected-country-101310
http://www.microsoft.com/security/sir/default.aspx
http://www.microsoft.com/security/sir/guide/default.aspx#!section_4
http://www.microsoft.com/security/scanner/en-us/default.aspx

Well, more often than not an ISP can handle this kind of thing and isolate the source(s) of the traffic and put an end to it. They need the people who would be utilized to defend against this kind of attack ANYWAY.

The only thing that is close to it is when the government acts with its emergency powers for inclement weather and storms. Imagine a blizzard: it snows really hard, the roads are covered. It’s pretty obvious that most people should stay home and that the government should get the plows out (respond).

Now, imagine if this was the government response on July 4th when it’s 90 and sunny out. You’d say, “Hey, it’s NOT snowing,” and of course that response would be absurd.

My understanding here is that the resistance stems from the fact that these varying degrees of involvement (which of course make sense) won’t be easily identified by the government, and that they might have a tendency to over-respond and start knocking them offline even though it’s only ‘sunny with a chance of showers’ instead of a full-blown blizzard.

"It seems like ISPs are in a position to know if there are botnets running or not. Why not use that information and do something about it?"

It’s my understanding that they will see if someone on their network is being hit, but it’s harder for them to see the one guy at one node who is infected and part of the assaulting array, and they don’t want the government coming in and knocking down that whole node for one guy (because when that happens everyone in that node is going to be calling customer service).

Chief
Here's the thing... you have hundreds of millions of computers on millions of networks communicating with tens of millions of servers at any given moment. How do you sort out what's legitimate?
"Here's the thing... you have hundreds of millions of computers on millions of networks communicating with tens of millions of servers at any given moment. How do you sort out what's legitimate?"
Well, the first time that you know to start looking is when there's enough traffic that your server can't respond. Sometimes it's actually quite legitimate.

I have a website that had a spike in traffic on a shared server. The spike came in (legitimate traffic; it's a seasonal thing) and the traffic was too much for that SHARED server to handle, so my hosting company knocked it offline because that was slowing down the other sites on that server as well. I had to temporarily move to a dedicated server (just me) for $10 per day ($300 per month vs. $30 per month!) which WAS able to handle it.

So, when they start seeing their servers being unable to respond because of the volume of traffic, that's a flag. Another is that the spike can be pretty severe, akin to reading an earthquake chart...

At that point sorting out what's legitimate isn't the concern, it's stopping the attack while minimizing the effect on the good apples.

Another thing to consider is that the processing power is such now that millions of servers and millions of requests are easier to analyze. Not THAT easy of course, there are some complex things happening (kind of like calling summing a column of 1000 numbers in EXCEL virtually instantaneously "easy"), but on a side note, it's sometimes how the SEC catches insider trading (Rule 10(b)(5)): their computers are looking for "patterns in the noise" and there are times when they will catch you!
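The "spike on the earthquake chart" flag described in the reply above, written out as a small detector (an added example for this thread, not code from any poster or ISP). It parses Common Log Format access-log lines, counts requests per minute, flags any minute that exceeds a multiple of the recent quiet baseline, and reports how concentrated the sources of the spike are. The log lines, the 5x threshold and the 50% top-source cutoff are constructed assumptions for the example, not figures from the thread.

```python
"""Added example: request-volume spike detection over access logs.

The sample log, the baseline length, the spike factor and the top-source
cutoff are all assumptions made for this illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, minute, second):
    """Build one constructed CLF line for the sample log (assumed date/time)."""
    return ('%s - - [10/Oct/2011:10:%02d:%02d +0000] "GET / HTTP/1.1" 200 512'
            % (ip, minute, second))


def build_sample_log():
    """Constructed access log. Minutes :00-:04 are a quiet baseline of a few
    regular clients; :05 is a burst spread over 60 distinct addresses (the
    shape of a botnet-driven flood); :06 is a burst from a single address."""
    lines = []
    regulars = ["198.51.100.%d" % i for i in range(1, 6)]
    for minute in range(5):
        for ip in regulars:
            lines.append(_line(ip, minute, 0))
    for n in range(60):                       # :05 distributed burst
        lines.append(_line("203.0.113.%d" % (n + 1), 5, n))
    for n in range(60):                       # :06 single-source burst
        lines.append(_line("192.0.2.7", 6, n))
    return lines


def parse(lines):
    """Yield (minute_bucket, source_ip) for each parseable line, skipping
    anything that does not match CLF rather than crashing on junk input."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), TS_FMT)
        yield ts.replace(second=0, microsecond=0), m.group(1)


def find_spikes(lines, baseline_minutes=5, factor=5.0, top_share=0.5):
    """Flag minutes whose request count exceeds `factor` times the mean of the
    preceding `baseline_minutes` normal minutes. Flagged minutes are kept out
    of the baseline so a sustained flood does not become the new normal.

    Each flag records distinct-source count and the busiest source's share:
    one address doing most of the work is easy to isolate, while many sources
    each sending a little is what a distributed flood (or, equally, a genuine
    seasonal rush) looks like; volume alone cannot tell those two apart."""
    per_min = defaultdict(Counter)
    for bucket, ip in parse(lines):
        per_min[bucket][ip] += 1

    flagged, history = [], []          # history: counts of normal minutes
    for bucket in sorted(per_min):
        sources = per_min[bucket]
        total = sum(sources.values())
        if len(history) >= baseline_minutes:
            mean = sum(history[-baseline_minutes:]) / baseline_minutes
            if total > factor * mean:
                top_ip, top_n = sources.most_common(1)[0]
                flagged.append({
                    "minute": bucket.strftime("%Y-%m-%d %H:%M"),
                    "requests": total,
                    "baseline_mean": mean,
                    "distinct_sources": len(sources),
                    "top_source": top_ip,
                    "top_source_share": top_n / total,
                    "distributed": top_n / total < top_share,
                })
                continue
        history.append(total)
    return flagged


if __name__ == "__main__":
    for flag in find_spikes(build_sample_log()):
        kind = "distributed" if flag["distributed"] else "single-source"
        print("%s: %d requests vs baseline %.1f, %d sources, top %s (%.0f%%) -> %s"
              % (flag["minute"], flag["requests"], flag["baseline_mean"],
                 flag["distinct_sources"], flag["top_source"],
                 100 * flag["top_source_share"], kind))
```

On the constructed log this flags 10:05 as a distributed spike (60 sources, busiest at under 2%) and 10:06 as single-source (one address at 100%). The point the reply makes survives in the output: the 10:05 shape is what a legitimate seasonal rush looks like too, so the detector only tells an operator where to look and how concentrated the load is, not whether it is an attack.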