
ISPs Needed in Botnet Battle

More botnet-fighting tools and services are emerging for ISPs, but critics say ISPs have stayed on the fence too long

Who's responsible for stopping those botnets, you or your ISP?

ISPs have been criticized for not stepping up as the first line of defense against the growing armies of zombies -- botnets -- that today run wild around their networks.

When an ISP's enterprise customer, for instance, is hit by a botnet, the ISP basically drops traffic to the victimized servers until they get fixed, but the ISP doesn't clean up the offending zombies themselves, says Danny McPherson, chief research officer for Arbor Networks. "They are treating the symptom instead of the problem."

Botnets are used in over half of distributed denial-of-service (DDoS) attacks, according to a recent survey of 55 ISPs by Arbor, which sells equipment to 70 percent of ISPs worldwide. ISPs running tools to measure and detect botnets say the largest botnet army they've seen hit 20,000 hosts in one attack, according to the survey. They ranked DDoS attacks as their number one threat and operational security issue.

The only chance of combating botnets is if ISPs get more aggressive, security experts say. "Getting the public to manage their own PCs is never going to get it done, and the target of botnet attention seldom has the visibility necessary to counter-attack the problem at its source," says Eric Ogren, security analyst for Enterprise Strategy Group. "ISPs are the only ones who can determine malicious 'low and slow' distributed activity, and they are the only place that can trace activity back to individual nodes in the botnet."

"This is one of those situations where this is not [due to] a lack of technology, but a real lack of commitment on the part of ISPs to do what they need to do," says Michael Rothman, president and principal analyst of Security Incite. "They are playing the ostrich game right now, hiding their heads in the sand and hoping one of the desktop AV guys, spyware guys, or anyone [else will] fix the problem at the endpoint level so they don't have to get their hands dirty."

Botnet-fighting tools are indeed emerging for ISPs. Arbor Networks recently released version 3.5 of its Peakflow SP switch, which alerts ISPs to botnet attacks. And Trend Micro today rolled out its first service for ISPs, InterCloud Security Service, which both identifies botnet activity and provides tools for ISPs to quarantine and clean infected machines. Simplicita is currently running trials of its botnet remediation system, which it announced in April.

Why haven't ISPs taken the lead so far? It's about return on investment, experts say.

It's just not cost-effective for ISPs on the commercial broadband services side, Arbor's McPherson says. Even fielding one service call from a hacked user can equal a loss of profitability for that customer, he says.

ISPs can't just quarantine zombie subscribers they find, either: "If I have Vonage and use E911, they can't shut me off," he says. "It's difficult with the infrastructure they have to do anything economically reasonable to mitigate the bot threat."

Arbor is doing its part by also offering a free service for ISPs called the Fingerprint Sharing Alliance, where they can share source-attack information, he says.

Still, it's not just up to the ISPs to clean up the zombies. End users have to be diligent about staying clean, and enterprises must put all possible endpoint security measures in place. "It's a little of everyone's responsibility," says Shane Coursen, senior technical consultant for Kaspersky Lab. "When a user suspects something is on their system, it's up to them to take care of it on their computer."

David Rand, CTO for Trend Micro, says ISPs need better tools, and that's why his company is offering its new service in Q4, which uses Trend's behavioral analysis technology to look at DNS-type activity for patterns of bot-like behavior.

The service will also be something ISPs can use as a marketing tool. "We have the ability to offer channel sales to the ISPs. Why shouldn't an ISP get a cut of that sale?" says Paul Moriarty, director of product marketing for Trend Micro.

But even once the ISPs do get on board in the botnet battle, the war will be far from over. Botnets are prolific, and until the real offenders get routinely prosecuted, there's no hope for much relief, security researchers say.

"We are fighting against humans, not technology," says Trend Micro's Rand.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Arbor Networks Inc.
  • Trend Micro Inc.
  • Security Incite
  • Kaspersky Lab