Who should bear the burden of de-fanging botnets?

In a guest editorial, a senior research scientist at Cloudmark proposes a new way to deal with the menace from botnets.
Written by Ryan Naraine, Contributor

* Ryan Naraine is on vacation. 

Guest Editorial by Dr. Adam J. O'Donnell

Botnets and emission trading
If you are even peripherally familiar with modern computer security issues, you have heard about the current struggle to identify and repair botnet drones. These botnet networks are the primary source of spam as well as DDoS (distributed denial-of-service) attacks. There is common agreement that yes, botnets are a problem and yes, they need to go away. Who, though, should actually bear the burden of de-fanging these networks?

Disarming the actors behind these attacks involves dismantling the botnets themselves, which is itself an increasingly challenging problem. Older-style bots used IRC servers as a central command-and-control mechanism, making them vulnerable to decapitation attacks by security personnel. Newer systems use P2P-style C&C protocols adapted from guerrilla file-sharing systems; these are notoriously difficult to control and can cause massive collateral damage if improperly remediated. Other than macro-scale traffic and content mitigation techniques like outbound spam filtering, which several organizations have proven to be extremely effective, the only remaining solution is to take down botnets node by node.

Who should eliminate botnets? End users don't feel responsible or even recognize that there is a problem. They are completely unaware of the security problem until a service provider or a security company comes along and informs them that they are infected with a virus.

Service providers (telephone and cable companies) with infected customers aren't really responsible for their end users' behavior, but they end up paying the cost of infection through outbound bandwidth charges and outbound MTA capacity.

Operating system vendors aren't responsible either, because once they sell the product to the customer, they are no longer liable for whether, when, or how the customer becomes compromised. Ultimately, the people who bear the largest cost are the ones least capable of remediating the source of the spam, namely the service providers of the attack recipients, or the people on the opposite end of the spam and various other forms of abuse. These actors have to pay for bandwidth for inbound attacks, storage for spam, and support calls from their customers.

We are ultimately left with a classic Tragedy of the Commons-type issue. The communal grazing areas, the shared resources that were critical to the working class's ability to make a living, have been replaced by copper and fiber. Everyone bears some responsibility for polluting the common area with abuse, but pushing the cost back onto the abuser is incredibly difficult. Currently, bandwidth providers solve the "tragedy" by employing content embargoes against one another. For example, if one service provider gets out of line, the others will block all mail originating from the offender. Recently I have been pondering another possible solution, one based upon the same financial mechanisms that are being proposed to address greenhouse gas emissions.

While it would likely be difficult, if not impossible, to implement, a cap-and-trade-style trading system seems extremely appropriate. An instance of one of the many economic schemes devised to reduce carbon emissions, a cap-and-trade system for malicious content established between providers would create economic incentives to correctly monitor and reduce the volume of unwanted content that flows between their networks.

The system would involve a mutually determined cap on the volume of malicious content the parties deem acceptable to send to one another. Providers who are able to control outbound malicious traffic more effectively, through expenditures on personnel and products, can recoup those costs through the sale of credits associated with the difference between their level of outbound malicious content and the agreed-upon cap. Providers who don't police their traffic are forced to buy credits from those who do, which in turn puts a price on their lack of responsibility. Eventually, a provider may choose to expose this cost of security to the end user, with rebates or special offers extended to users who keep their systems clean and never cause a problem. The end users in turn are incentivized to keep their machines clean.

Getting buy-in from all necessary parties, building a monitoring infrastructure, setting prices, assembling a market, and maintaining a clearinghouse for credit trades would be pretty damned hard, however. I don't think this is a practical idea, though it does make for a fun thought experiment.

Nevertheless, I do wholeheartedly believe that market-driven cooperation techniques will be the only means to solve the security problem we know as botnets.

* Dr. Adam J. O'Donnell is a senior research scientist at Cloudmark, an anti-spam/anti-virus company.