Who's responsible for stopping those botnets, you or your ISP?
ISPs have been criticized for not stepping up as the first line of defense against the growing armies of zombies -- botnets -- that today run wild around their networks.
When an ISP's enterprise customer, for instance, is hit by a botnet, the ISP basically drops traffic to the victimized servers until they get fixed, but the ISP doesn't clean up the offending zombies themselves, says Danny McPherson, chief research officer for Arbor Networks. "They are treating the symptom instead of the problem."
Botnets are used in over half of distributed denial of service (DDOS) attacks, according to a recent survey of 55 ISPs by Arbor, which sells equipment to 70 percent of ISPs worldwide. ISPs running tools to measure and detect botnets say the largest botnet army they've seen hit 20,000 hosts in one attack, according to the survey. They ranked DDOS attacks as their number one threat and operational security issue.
The only chance of combating botnets is if ISPs get more aggressive, security experts say. "Getting the public to manage their own PCs is never going to get it done, and the target of botnet attention seldom has the visibility necessary to counter-attack the problem at its source," says Eric Ogren, security analyst for Enterprise Strategy Group. "ISPs are the only ones who can determine malicious 'low and slow' distributed activity, and they are the only place that can trace activity back to individual nodes in the botnet."
"This is one of those situations where this is not [due to] a lack of technology, but a real lack of commitment on the part of ISPs to do what they need to do," says Michael Rothman, president and principal analyst of Security Incite. "They are playing the ostrich game right now, hiding their heads in the sand and hoping one of the desktop AV guys, spyware guys, or anyone [else will] fix the problem at the endpoint level so they don't have to get their hands dirty."
Botnet-fighting tools indeed are emerging for ISPs. Arbor Networks recently released a new version 3.5 of its Peakflow SP switch, which alerts ISPs to botnet attacks. And Trend Micro today rolled out its first service for ISPs, InterCloud Security Service, which both identifies botnet activity and provides tools for ISPs to quarantine and clean infected machines. Simplicita is currently running trials of its botnet remediation system, which it announced in April.
Why haven't ISPs taken the lead so far? It's about return on investment, experts say.
It's just not cost-effective for ISPs on the commercial broadband services side, Arbor's McPherson says. Even fielding one service call from a hacked user can equal a loss of profitability for that customer, he says.
ISPs can't just quarantine zombie subscribers they find, either: "If I have Vonage and use E911, they can't shut me off," he says. "It's difficult with the infrastructure they have to do anything economically reasonable to mitigate the bot threat."
Arbor is doing its part by also offering a free service for ISPs called the Fingerprint Sharing Alliance, where they can share source-attack information, he says.
Still, it's not just up to the ISPs to clean up the zombies. End users have to be diligent about staying clean, and enterprises must put all possible endpoint security measures in place. "It's a little of everyone's responsibility," says Shane Coursen, senior technical consultant for Kaspersky Lab. "When a user suspects something is on their system, it's up to them to take care of it on their computer."
David Rand, CTO for Trend Micro, says ISPs need better tools, and that's why his company is offering its new service in Q4, which uses Trend's behavioral analysis technology to look at DNS-type activity for patterns of bot-like behavior.
The service will also be something ISPs can use as a marketing tool. "We have the ability to offer channels sales to the ISPs. Why shouldn't an ISP get a cut of that sale?" says Paul Moriarty, director of product marketing for Trend Micro.
But even once the ISPs do get on board in the botnet battle, the war will be far from over. Botnets are prolific, and until the real offenders get routinely prosecuted, there's no hope for much relief, security researchers say.
"We are fighting against humans, not technology," says Trend Micro's Rand.
Kelly Jackson Higgins, Senior Editor, Dark Reading