ISPs, researchers, and law enforcement officials are finding themselves in a quandary in the botnet war -- whether to infiltrate and monitor a botnet's command and control, or to shut it down altogether. Both approaches can help trip up a botnet, for sure, but they also run the risk of derailing an investigation.

Most ISPs today just toss lots of bandwidth, managed services, and other tools at botnet traffic on their networks. Their first choice traditionally has been to remain mostly hands-off, due to their lack of resources for investigating botnets, as well as the sticky legal ground such work entails.

But some are starting to get a little more proactive, by diverting a botnet's C&C traffic where they can study more closely what the hosts are connecting to, and other behaviors of the botnet. Or they discard packets to disrupt the botnet's communications pipe.

That can put ISPs into legal hot water. "It involves mucking with a customer or peer's Internet address space," says Danny McPherson, Arbor Networks' chief research officer, who works closely with ISPs and researchers on sharing ways to work together in the botnet war. "It could also mean simply identifying and connecting to a known C&C on your own, or someone else's, network. Obviously, liability in this area could be considerable."

The legal implications for ISPs may be part of what's holding some of them back from getting more aggressive. "What if you see an attack command issued on the C&C to lots of bots and would simply need to tell the bots to stop by entering a few characters?" he says. "There's an ethical dilemma there: Where are each of the bots? Where does the C&C reside? Where are you? You're probably illegally instructing other peoples' computers, whether your intentions are good or not."

McPherson says the chances of prosecution would be low, but not impossible, because it is still illegal.

And sometimes in botnet investigations, ISPs, researchers, and law enforcement end up inadvertently working at cross purposes. If an ISP in Spain, for example, were to blackhole or divert the C&C traffic of a botnet that U.S. law enforcement was monitoring, it could affect the view the investigators would have, McPherson notes.

"The easiest thing for ISPs is to take command and control offline from their network, so that any host through their network can't connect to that C&C channel," he says. "But researchers and law enforcement want them to stay online so they can monitor their activities and infiltrate it."

U.K.-based COLT Telecom, a voice and data service provider for medium-sized businesses, does not monitor or disrupt botnets. Nicholas Fischbach, senior manager for network engineering and security at COLT, says there are several reasons for this, namely that the ISP operates across 14 countries, so the legal issues are complicated; the technical challenges of Web and peer-to-peer based botnets; and that botnet C&C typically doesn't directly affect COLT's network.

The service provider sees only a "couple" of C&Cs each week in its downstream traffic, he says. Monitoring and disrupting botnets is not really a business requirement for the service provider, he notes, and it's difficult to justify one to three full-time employees dedicated to this.

"Infiltrating is very risky and getting legal support for such matters, very difficult," Fischbach says.

COLT does, however, work with its customers if they discover that they are hosting a botnet C&C. But it does not handle bot infections per se: "Resource-wise, it's a nightmare, probably worse than running a simple abuse desk," he says. "Except in some very specific cases, we don't proactively notify customers anymore for bot/malware/virus infection."

And there are more tools emerging for ISPs: Simplicita and Sana Security today said they have teamed up to offer ISPs a bot remediation system, made up of their respective product offerings. The Simplicita ZBX with Sana Security's Primary Response SafeConnect is available now and would let ISPs offer a botnet security service for their subscribers.

Meanwhile, Fischbach says ISPs could be doing more in the botnet fight. "My personal view is that something needs to be done, but it's a very complex and difficult task, as you only need some ISPs to not be proactive and you lose all benefit."

"Fighting C&C, botnets, malware, and phishing is a community effort," he says.

Arbor's McPherson says law enforcement seems to be making an effort to work with industry, and network operators in particular. "And service providers are coordinating more on response techniques, but there's a long road ahead."

McPherson says he thinks the best way to approach botnet eradication is with the "do no more harm" philosophy.

"If the botnet is actively being used for lifting ID data, launching attacks, compromising sensitive or critical systems, or any of an ever-expanding array of malicious activities, it needs to be taken out, assuming taking it out fixes the problem," he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading