Can ISPs Help Beat Botnets?
To fight hackers, companies are informing customers of threats, creating public-private partnerships, and devising security standards.
Botnets, or groups of compromised computers that can be remotely commanded by hackers, continue to be a problem. They can be used to send large amounts of spam or to launch denial-of-service attacks. McAfee estimates that there are more than four million new botnet infections per month.
Attempts to combat the problem have included the creation of a set of 24 best practices for botnet protection issued in late 2010 by a Federal Communications Commission (FCC) working group. A draft, Recommendation for the Remediation of Bots in ISP Networks, was also issued a few years ago by the Internet Engineering Task Force. The release of those guides has not significantly hindered botnet activity, however.
Ground-level efforts to bring down botnets often focus on taking down command and control servers. In many cases, authorities work with experts from security companies and other organizations to identify botnets; law enforcement then works to seize servers and arrest perpetrators. Such efforts can be effective, but they are after the fact, and in any case, such servers can eventually be replaced, says Alana Maurushat, a professor at the University of New South Wales in Sydney and director of the university’s Cyberspace Law and Policy Center.
In contrast, finding ways to help users clean up their own computers is a more preventive approach, a “major component of the puzzle,” she says.
To that end, there is now a move to enlist the help of Internet service providers (ISPs). They could monitor network traffic, for instance, and through their current relationship with customers, are in a strong position to contact them about possible infections.
The U.S. Department of Homeland Security (DHS) and the U.S. Commerce Department recently issued a joint request for information in which they sought comment on a “voluntary code of conduct” for ISPs with regard to botnets. Submitted comments have been published online by the National Institute of Standards and Technology.
The document also asked for feedback on the possible creation of a new entity that could help with botnet detection and remediation. The entity, which could be established by the government, by the private sector, or through a public-private partnership, could collect and distribute threat data from a variety of security companies, the document states.
If the government proceeds with a rule, some warn it should not go for a one-size-fits-all approach. Many smaller and regional ISPs lack the resources to effectively monitor their networks or notify customers, says Brent Rowe, a senior economist in the Technology Economics and Policy Group at RTI International.
Larger ISPs are more capable of doing so. Some are already more proactive. Comcast, for instance, began notifying customers about botnet infections in October 2010 as part of its Constant Guard service, which is provided free to the company’s high-speed Internet subscribers. Customers are notified via e-mail or Web banner and given information about a Web site that offers guidance on cleaning their computer, according to the company.
Some larger ISPs also provide customers with some form of anti-virus assistance, which the ISPs frequently purchase from security companies and repackage for consumers.
But it’s not clear how much ISPs, especially smaller ones, can help consumers without busting their budgets, says Rowe. For example, consumers will need additional assistance, such as via telephone, in cleaning their computers, but it doesn’t appear that many ISPs can currently afford to provide that level of service.
Michael O’Reirdan, chairman of the Messaging Anti-Abuse Working Group, which represents numerous ISPs and other organizations, says one problem with any kind of government requirement is that it may be limited by the fast-changing nature of the bot threat. Today’s bot problem isn’t going to be tomorrow’s, he says.
Other countries are ahead of the United States in creating public-private partnerships and security standards to help ISPs fight botnets. In late 2010, for instance, the Australian government joined with the Australian Internet Industry Association and other groups to establish voluntary ISP security standards that would help curtail botnets. For example, the standards provide that ISPs who see indications of infections in customers’ accounts would notify those customers about the possible infections and then direct them to a site with instructions on how to clean their computers. More than 30 Australian ISPs participate in the program. Similar efforts have been launched in Germany and Japan.