Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Connect Directly

ISPs Needed in Botnet Battle

More botnet-fighting tools and services are emerging for ISPs, but critics say ISPs have stayed on the fence too long

Who's responsible for stopping those botnets, you or your ISP?

ISPs have been criticized for not stepping up as the first line of defense against the growing armies of zombies -- botnets -- that today run wild around their networks.

When an ISP's enterprise customer, for instance, is hit by a botnet, the ISP basically drops traffic to the victimized servers until they get fixed, but the ISP doesn't clean up the offending zombies themselves, says Danny McPherson, chief research officer for Arbor Networks. "They are treating the symptom instead of the problem."

Botnets are used in over half of distributed denial of service (DDOS) attacks, according to a recent survey of 55 ISPs by Arbor, which sells equipment to 70 percent of ISPs worldwide. ISPs running tools to measure and detect botnets say the largest botnet army they've seen hit 20,000 hosts in one attack, according to the survey. They ranked DDOS attacks as their number one threat and operational security issue.

The only chance of combating botnets is if ISPs get more aggressive, security experts say. "Getting the public to manage their own PCs is never going to get it done, and the target of botnet attention seldom has the visibility necessary to counter-attack the problem at its source," says Eric Ogren, security analyst for Enterprise Strategy Group. "ISPs are the only ones who can determine malicious 'low and slow' distributed activity, and they are the only place that can trace activity back to individual nodes in the botnet."

"This is one of those situations where this is not [due to] a lack of technology, but a real lack of commitment on the part of ISPs to do what they need to do," says Michael Rothman, president and principal analyst of Security Incite. "They are playing the ostrich game right now, hiding their heads in the sand and hoping one of the desktop AV guys, spyware guys, or anyone [else will] fix the problem at the endpoint level so they don't have to get their hands dirty."

Botnet-fighting tools indeed are emerging for ISPs. Arbor Networks recently released a new version 3.5 of its Peakflow SP switch, which alerts ISPs to botnet attacks. And Trend Micro today rolled out its first service for ISPs, InterCloud Security Service, which both identifies botnet activity and provides tools for ISPs to quarantine and clean infected machines. Simplicita is currently running trials of its botnet remediation system, which it announced in April.

Why haven't ISPs taken the lead so far? It's about return on investment, experts say.

It's just not cost-effective for ISPs on the commercial broadband services side, Arbor's McPherson says. Even fielding one service call from a hacked user can equal a loss of profitability for that customer, he says.

ISPs can't just quarantine zombie subscribers they find, either: "If I have Vonage and use E911, they can't shut me off," he says. "It's difficult with the infrastructure they have to do anything economically reasonable to mitigate the bot threat."

Arbor is doing its part by also offering a free service for ISPs called the Fingerprint Sharing Alliance, where they can share source-attack information, he says.

Still, it's not just up to the ISPs to clean up the zombies. End users have to be diligent about staying clean, and enterprises must put all possible endpoint security measures in place. "It's a little of everyone's responsibility," says Shane Coursen, senior technical consultant for Kaspersky Lab. "When a user suspects something is on their system, it's up to them to take care of it on their computer."

David Rand, CTO for Trend Micro, says ISPs need better tools, and that's why his company is offering its new service in Q4, which uses Trend's behavioral analysis technology to look at DNS-type activity for patterns of bot-like behavior.

The service will also be something ISPs can use as a marketing tool. "We have the ability to offer channels sales to the ISPs. Why shouldn't an ISP get a cut of that sale?" says Paul Moriarty, director of product marketing for Trend Micro.

But even once the ISPs do get on board in the botnet battle, the war will be far from over. Botnets are prolific, and until the real offenders get routinely prosecuted, there's no hope for much relief, security researchers say.

"We are fighting against humans, not technology," says Trend Micro's Rand.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Arbor Networks Inc.
  • Trend Micro Inc.
  • Security Incite
  • Kaspersky Lab Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 8/3/2020
    Pen Testers Who Got Arrested Doing Their Jobs Tell All
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
    New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
    Nicole Ferraro, Contributing Writer,  8/3/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Changing Face of Threat Intelligence
    The Changing Face of Threat Intelligence
    This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-08-08
    In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
    PUBLISHED: 2020-08-08
    In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
    PUBLISHED: 2020-08-08
    JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
    PUBLISHED: 2020-08-08
    In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
    PUBLISHED: 2020-08-08
    In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.