ISPs, under siege from increasingly powerful and sophisticated botnet-based attacks, are fighting back -- with an anti-botnet business model.
Some service providers are looking at ways to productize their botnet research and investigations into anti-botnet managed security services -- a strategy designed to help them fund the buildout of more secure infrastructures that can better mitigate the attacks.
So far, anti-botnet services have mainly centered around distributed denial of service (DDOS) managed services that filter out and "scrub" traffic, such as AT&T's Internet Protect and Verizon Business's DoS Defense Mitigation. According to Arbor Networks's recent survey of ISPs, the number of service providers who offer managed security services jumped from six to 40 during the period of July 2006 through June of this year. And most were DDOS services, according to Arbor. (See Report: Attacks on ISP Nets Intensifying.)
ISPs traditionally took the old-school approach of throwing bandwidth at the botnets, but more powerful DDOS attacks are reaching Gigabit speeds and often outstripping the ISP backbone's capacity.
"These managed security services allow [ISPs] to offer new services to customers and generate revenue, and also fund the infrastructure to mitigate attacks," says Danny McPherson, chief research officer for Arbor Networks.
But just how far will ISPs go in offering botnet protection for their customers? The next step is cleanup of infected machines, a job most ISPs say they just don't have the resources to do. (See Battling Bots, Doing No Harm.)
"[For the most part], they don't have a way to automate and deal with customer cleanup," McPherson says. "And most people forget that malicious hosts are subscribers, and 99 percent of the time victims don't even know they are compromised."
"Most [service providers] would love to have the ability to wrap a business model around cleaning up hosts," he says.
But there's a big difference between filtering out bad traffic from a DDOS attack and actually cleaning up the infected bots behind it.
Cecil Adams, senior product manager with Verizon Business, says managed services indeed help providers such as Verizon fund their botnet investigations and mitigation efforts. "This [service] has provided us greater intelligence about events in our backbone," Adams says. "So we are able to extend and use technologies from the service to be a more responsible Internet provider."
As for disinfecting the bot machines on the attacking end, Verizon eventually plans to drill down as far as identifying for its customers any of their business partners or remote offices that are bot-infected, he says.
He says Verizon has tried, but so far hasn't been able to come up with a business model for its internal botnet forensics work, which includes monitoring botnets. "Knowing about a botnet community and having full visibility of [it] makes you more responsible, but we haven't been able to find the financial benefits of having that information," Adams says. "We're still trying to market an application" for the botnet side, he says.
AT&T, meanwhile, routinely looks for ways to productize any security tools, algorithms, or other solutions it comes up with internally. Michael Singer, executive director of security technology for AT&T, says that strategy helps AT&T build a more secure network infrastructure. "That can only help, because it's bringing in new revenue to the company," he says.
But Singer says he doesn't see ISPs doing actual bot cleanup. "That's the hardest part for a service provider to get into," he says. "Nothing I've seen has suggested that service providers are getting into that part of the business at this point."
That would entail running control software on the client machines and scanning boxes -- and that's not happening for the average broadband user, he says. "Some providers have controls in place, though, that may [prevent] a DSL customer [from] acting like a mail server on the 'Net," for example, he says.
Most service providers just refer their bot-infected subscribers to Dell, or the Geek Squad, for instance, to do the machine cleanup, Arbor's McPherson says.
COLT Telecom, meanwhile, tries to track the source of a DDOS attack only if the traffic isn't using spoofed addresses. "But being limited in time and resources, investigating the sources isn't our top priority," says Nicolas Fischbach, senior manager for network engineering/security for European ISP COLT Telecom, which has offered a DDOS service since 2002.
And tracking botnets gets tougher every day, as botnet operators get more sophisticated in covering their tracks with fast-flux networks, encryption, and peer-to-peer communications. (See Carrier Capex Climbs, Attackers Hide in Fast Flux, and Black Hat: Botnets Go One-on-One.)
"The bad guys are always trying to find ways to accomplish their goals," says Mary Youngblood, senior product manager for EarthLink's Inbound Spam effort. "We'll never say we stopped all the Internet bad guys out there."