Who should bear the burden of de-fanging botnets?

Summary: In a guest editorial, a senior research scientist at Cloudmark proposes a new way to deal with the menace from botnets.

* Ryan Naraine is on vacation. 

Guest Editorial by Dr. Adam J. O'Donnell

Botnets and emission trading

If you are even peripherally familiar with modern computer security issues, you have heard about the current struggle to identify and repair botnet drones. These botnet networks are the primary source of spam as well as DDoS (distributed denial-of-service) attacks. There is common agreement that yes, botnets are a problem and yes, they need to go away. Who should actually bear the burden of de-fanging these networks?

Disarming the actors behind these attacks involves dismantling the botnets themselves, which is itself an increasingly challenging problem. Older-style bots used IRC servers as a central command-and-control mechanism, making them vulnerable to decapitation attacks by security personnel. Newer systems use P2P-style C&C protocols adapted from guerrilla file-sharing systems that are notoriously difficult to control and can cause massive collateral damage if improperly remediated. Other than macro-scale traffic and content mitigation techniques like outbound spam filtering, which several organizations have proven to be extremely effective, the solution is to take down botnets node by node.

Who should eliminate botnets? End users don't feel responsible or even recognize that there is a problem. They are completely unaware of the security problem until a service provider or a security company comes along and informs them that they are infected with a virus.

Service providers (telephone and cable companies) who have infected customers aren't really responsible for their end users' behavior, but end up paying the cost of infection through outbound bandwidth charges and outbound MTA capacity.

Operating system vendors aren't responsible, because once they sell the product to the customer, they are no longer liable for if, when, or how the customer becomes compromised. Ultimately, the people who bear the largest cost are the ones who are least capable of remediating the source of the spam, namely the service providers of the attack recipients, or the people who are on the opposite end of the spam and various other forms of abuse. These actors have to pay for bandwidth for inbound attacks, storage for spam, and support calls from their customers.

We are ultimately left with a classic Tragedy of the Commons-type issue. The communal grazing areas, or shared resources that were critical for the working class' ability to make a living, have been replaced by copper and fiber. Everyone bears some responsibility for polluting the common area with abuse, but pushing the cost back onto the abuser is incredibly difficult. Currently, bandwidth providers solve the "tragedy" by employing content embargoes against one another. For example, if one service provider gets out of line, the others will block all mail originating from the offender. Recently I have been pondering another possible solution, one based upon the same financial mechanisms that are being proposed to address the greenhouse gas emission issue.

While it would likely be difficult to impossible to implement, a Cap-and-Trade-style trading system seems extremely appropriate. An instance of one of the many economic schemes devised to reduce carbon emissions, a cap-and-trade system for malicious content established between providers would create economic incentives to correctly monitor and reduce the volume of unwanted content that flows between their networks.

The system would involve a mutually determined cap on the volume of malicious content the parties would deem acceptable to send to one another. Providers who are able to more effectively control outbound malicious traffic, through expenditures on personnel and products, can recoup those costs through the sale of credits associated with the difference between their level of outbound malicious content and the agreed-upon cap. Providers who don't police their traffic are forced to buy credits from those who do, which in turn puts a price on their lack of responsibility. Eventually, the provider may choose to expose this cost of security to the end user, with rebates or special offers extended to users who keep their systems clean and never cause a problem. The end users in turn are incented to keep their machines clean.

Getting buy-in from all necessary parties, building a monitoring infrastructure, setting prices, assembling a market, and maintaining a clearinghouse for credit trades would be pretty damned hard, however. I don't think this is a practical idea, though it does make for a fun thought experiment.

Nevertheless, I do whole-heartedly believe that market-driven cooperation techniques will be the only means to solve the security problem we know of as botnets.

* Dr Adam J. O'Donnell is a senior research scientist at Cloudmark, an anti-spam/anti-virus company.

  • A little logical sleight-of-hand there

    Just because end users don't "feel" responsible doesn't mean they aren't responsible. They allowed their machines to get infected, so they should bear the cost of disinfection. This is not a tragedy of the commons, it's plain and simple negligence by end users.
    • Re: A little logical sleight-of-hand there

      As an IT professional I would whole-heartedly agree with the fact that end users are responsible for the safety of their computer and preventing it from being infected (because they are the ones who did it anyway, knowingly or not). However, how do you mitigate the threat of the (IMHO) most dangerous users out there, ones that do not know what they are doing and will click on any OK/YES button to clear the screen?

      I think that in the end, END USERS, need to clean up their act and get a clue; BUT the ISP should preserve its network and protect other customers by sending the individuals who become infected with said virus or other bad item and proxying them to a special web message that says "Your computer has been infected, please call <insert customer service number here> for assistance." That way, network integrity is preserved, users are protected from the abuse, and the End user is made aware.
    • End User's Responsibility?

      The end users can't be held responsible because most of them don't even know they are infected (as reported). And it's the perpetrator of this infection that is ultimately responsible. How many end users do you think are capable of knowing this and have the knowledge to resolve this on their computers?

      It's only wrong if you did something intentionally by your own creation or machination. So end users can't be responsible. But they could help resolve this problem by employing protection on their computers. But more than that is just asking too much from average users. Anyway, they are already bearing the cost by paying antivirus and spyware companies for protection on things like this. Don't you think?
      • In short, no.

        No, I don't think users are paying in the way of protection. I personally use AVG Free, along with sound computing methods, the Windows Vista Firewall (for what it's worth), MS Defender, and run my updates like you are supposed to. I have not laid out one cent to an anti-virus company or anti-spyware company. Oh, I forgot to mention, I use webmail (from my ISP, Verizon Online) rather than downloading it to my desktop. So where is the cost for the end user?

        Granted, I am not your average user, BUT with a little end user training and some ISP intervention (Oh, and most major ISPs like Cox Communications and Comcast give away anti-virus/spyware tools to their customers free) we can go a long way. I say end users are responsible because they ultimately (or someone they let use their PC) did something to cause it, whether it be going to an infected website, downloading a "free" codec, programs, etc... all user interaction.
      • Agreed, and then some

        I spent part of Thanksgiving Day reformatting my father's hard drive because he had it so gunked up with his friend's e-mail "contributions" that it wouldn't run. He blindly opens anything that anyone sends him and then forwards it on to a hundred of his best friends who, in turn... His reasoning is that he has AVG Free and Spybot, so he's "safe" and nothing I tell him is going to change that. And, as Twylite111 pointed out, he is unable to resolve the problems when they occur.

        We need better protection as common sense and warnings don't seem to be working. And if I was starting up an anti-virus/malware company right now, I'd be tracking these guys down and offering them jobs since they seem to be a multitude of steps ahead of the Big Boys.
  • RE: Who should bear the burden of de-fanging botnets?

    ISPs are the ones letting the traffic through their network (knowingly or not). End users are the ones with the infected PCs (self inflicted through lack of knowledge or not, they still have the access to them). The security firms know how to get rid of it (hopefully). Security guys come up with the fix, ISPs distribute to their customers (via secure email/cd/other), end users apply the fix. Done! :)
    • I Totally Agree!

      You're absolutely right! That's reality of things. Somebody does a crime. Investigation ensues. Authorities inform everybody about the new type of crime. And somebody creates a fix for it for everybody to be safe.
    • But it already happens... and doesn't work

      All major OSes offer updates that are delivered via secure means (Apple, MS, Linux, etc.) and some users fail to apply them, others refuse to apply them. If you proxy these users' internet connection and REFUSE to let their traffic leave the firewall so they cannot use the internet (with the exception of, say, Windows Update or wherever Mac updates are downloaded from), they would fix it right quick! Perhaps a new revenue service for ISPs...?
  • ISP account suspension

    I say, let the ISPs monitor the traffic. When they see that someone is infected, they should suspend their account until the end user has been cleaned. How the end user must show they are clean is an interesting topic to ponder, all by itself.

    And, while we're at it, the ISP should not have to clean the mess up. Either the user learns how to do it themselves, or they pay someone to come do it for them. Until there are consequences, the user won't bother to educate themselves.

    Part of the education should be to let the user know there are safer alternatives.

    • I share a connection with a windows box.

      So if my roomie gets his box nuked I gotta suffer because of his waiting-for-an-MS-update-to-fix-it mentality. You have to mobilize some volunteers to show them alternatives and safe practices. That and (this sounds dirty but is a necessary evil) develop and deploy modified attacks that disable the infected machine's internet connection (after a set number of hours after the infection declares itself to the user) through the same exploits. Let's face it, the current attacks are to redirect the machine to the criminals' intent. This being the case, the owners/users are accessories to the crime (knowingly or otherwise). The un-updated machines need to be taken out of the picture; it isn't unethical to let users infect their already infected machine.
      Hrothgar - PCLinuxOS User
  • Civility? At C/ZDNet?

    I'd just like to comment on the lack of personal attacks or idiotic religious zeal in the posts so far.

    • LOL, Give it time!! NT

  • Well I take issue with this statement

    "Operating system vendors aren't responsible, because once they sell the product to the customer, they are no longer liable for if, when, or how the customer becomes compromised."

    They should be held accountable for some of the issues, not all. They produce a product; there should be some liability on their part.
  • Some thoughts

    End users: Yes, the online habits and ignorance of many end users are the reason for a lot of infection. However, this is not always true. Perfectly legitimate websites (even brand new hardware) can be infected, and pass it along to the end user.

    Operating systems: they sure could have fewer vulnerabilities. No, I'm not saying OS vendors should include anti-malware with the OS. I'm saying that they could write better code. Understanding, of course, that nothing will ever be perfect. I would also include hardware vendors here, e.g., processors and their associated instruction sets.

    Suggestion: To up-and-coming hackers: get your glory by exposing malware or its source, or hunting and destroying botnets with your own creations. Duct tape to a tree any of your buddies who release their malware into the wild.

    Governments should spend more resources hunting down the botnet creators. They are probably organized crime or terrorists of one sort or another. At least it makes a good story or excuse.
  • We all should step up

    In order for us to stop these botnets we all need to step up. We need to work on making the average computer user aware of what malware and other scams are and how to spot them. We need to make the average user aware of methods of malware prevention and good security practices, such as not running as an administrator. And Microsoft should continue to improve UAC and continue to default user accounts to non-administrative. If we all work together on this it will be possible to eventually stop the continued growth of these evil botnets.

    - John Musbach
  • Windows dominance is part of the problem

    Windows machines are ridiculously easy to infect and make part of these botnets. If you want to *prevent* the further growth of botnets, you have to get people to use more secure systems so they won't be so easily infected.

    For those who aren't impossibly tied down to Windows apps, they can try Linux or BSD. Sure, it will take some training and some changes, but the rewards can be worth it. Many have made the switch and they aren't looking back.

    Unfortunately, what's really holding back these more secure OSes is the FUD emanating from Redmond.
    • Before Vista

      Yes, Windows machines were ridiculously easy to infect..... but then again, so are Linux machines and Apple machines, when it comes down to it.

      None of the OSes before Vista that Microsoft made were done with security in mind from the get-go, because most people didn't share things between computers until the mass availability of the internet.

      The real issue here is that we are not SEVERELY punishing those people who run the botnets, and penalizing the people who go on the internet without security software of some sort.... in fact, when we find a person who is doing that, we should IMMEDIATELY confiscate their computer, because they are a danger to the rest of us in their stupidity, and I am an extreme liberal, so I don't usually say that!

      We also have to start offering MANDATORY security software with computers, and mandate that a security suite from McAfee, Norton or some other known security company that is well-respected has to be installed on a computer BEFORE it is sold.
      • Even After Vista

        Penalize an end user for zero-day exploits? No matter how we educate the average end user, they will NEVER be equipped to deal with code exploits. OS producers can't keep pace with the hackers, so how can you suggest that we penalize the end user?

        Go after the hackers and put some teeth into the penalties. Stop producing email clients that default to preview. Stop allowing blanket email addresses to be distributed to entire alphanumeric lists. No, don't place all the blame on end users.
  • While no ISP would....

    No ISP can seriously consider banning the operating systems subverted by botnets, but I'd switch in a moment to one that did.
    • You don't ban the operating systems

      You ban the people who are stupid enough to run those operating systems without the proper protection in place that they should have.