A solution to the botnet problem

  • Eric Goldman

2 May 2009   ::   Security   ::   #security awareness #botnets #ISP #privacy #inform


In response to Aviram's article, I would beg to differ that there is no way to stop botnets. For the most part, botnets are composed of hijacked user PCs, which are usually the most open to attack. Aviram is absolutely correct when he says that awareness is very important. Usually awareness implies that the user should have an updated virus scanner, not fall for scams, etc.: be aware of the risk level they operate under and how that risk level is affected by their decisions. I propose a slightly more annoying approach for the end user and the service provider:

There is a double-edged sword in fighting botnets. On one hand, you want to deny these users access and filter out their traffic because they pose a threat to your security. On the other hand, they may also be legitimate users or potential future users; as a result you cannot simply block traffic from these hosts. So it seems the tradeoff here is to allow these users access because they might contribute to profits, or to deny them so we remain up and running to make a profit from the other users. Furthermore, it becomes a blame game on the users for not knowing they are part of the botnet. Of course, presuming that a moderately literate computer user can keep up with the cunning of a highly paid bot herder or virus writer is not in any way fair.

The best solution would be to allow these users to still come to your site, but at the same time tell them they are part of a botnet! You could have a nice little message on top of the page saying, "Dear user, according to our records your IP address is associated with a number of botnet attacks." ISPs could do this as well:

Hello, we have noticed a large amount of traffic from your IP/dial-up assigned IPs/etc. that has been linked to Internet attacks. You may have unknowingly been infected with a virus. You should check your anti-virus software. If you don't have any anti-virus software, we provide some for free, or here are some sites where you can get virus and malware scanners. Also, to prove we really are your ISP and this is not a hoax email tricking you into downloading more spyware, please feel free to call us. We have set up an entire service department to handle this; why? Because it's bad for business if botnets operate on our network.

This of course would require major ISPs and websites to share information in order to identify botnets and to implement effective measures to notify users. However, this is a worthwhile expenditure of time and money. As Aviram noted, a DDoS can take out a logical network, even if it is physically separated over long distances. Furthermore, we are entering the age of information sharing. Companies regularly share information (e.g. in the payment card industry) to limit fraud and theft; the spirit of competition only enables the identity thief to move on to the next company once you stop his methods. The only issue here becomes privacy rights, especially in the EU. Do companies have the right to share this information, even when it would be in the public's and individuals' own interest? Only if they explicitly consent. God bless America.

So here is a quick summary of my plan:

  1. Identify the traffic that is causing the DDoS
  2. Identify the sources (IPs) of the DDoS
  3. Record these IPs and add them to the shared database
  4. Look for future occurrences of attacks and associated sources; this can help identify who is a member of the specific botnet, and who is actually on multiple botnets.
  5. As you identify the botnet members you take action:
    1. For IPs classified as an infected botnet member, apply higher security filtering on them, drop more of their abnormal traffic at firewalls and apply other stronger rules (still provide access, but limit the quality of service in order to protect yourself; most users will assume it is their connection anyway)
    2. And/or drop the traffic from nodes which have no traffic records in the past, but only have traffic associated with the botnet (they are not current customers and their node may be a zombie in some dark room that no human actually ever uses)
    3. And/or modify the site content to notify them that they are in the botnet. Provide links only to big-name security vendors so people won't think your site got hacked, and you must also provide a contact number so people will take it seriously and not think it is just another pop-up trick (as we have trained them to think any time they see an offer for security software on some site).
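Steps 1 to 5 above are, in effect, a shared IP reputation database with a per-request policy on top of it. The script below is an added example (not code from the original post) that walks through steps 3 to 5 on constructed data: incident reports from two cooperating sites go into one database, incidents are grouped into botnets by how much their source sets overlap (a Jaccard threshold of 0.5, an assumed tuning value), IPs that appear in incidents attributed to more than one botnet are flagged, and each IP is mapped to one of the actions from step 5 (throttle and notify a known customer, drop a node with no normal traffic history, monitor a single-incident case). All addresses are RFC 5737 documentation ranges, the incident ids, customer list and contact number are placeholders, and the `min_incidents` threshold is likewise an assumption.

```python
"""Toy implementation of the five-step plan: incident records go into a shared
IP reputation database, incidents are grouped into botnets by source overlap,
and each IP gets a per-request action. Added example, not code from the
original post. Every record below is constructed; addresses are from the
RFC 5737 documentation ranges."""
from collections import defaultdict
from itertools import combinations

# Steps 1-2, as reported by two cooperating sites (constructed): the source
# IPs each site saw during a DDoS incident.
INCIDENTS = {
    "inc-001@shop.example": {"203.0.113.5", "203.0.113.9", "198.51.100.7"},
    "inc-002@bank.example": {"203.0.113.5", "203.0.113.9", "198.51.100.7", "192.0.2.44"},
    "inc-003@shop.example": {"192.0.2.44", "192.0.2.77", "198.51.100.30", "203.0.113.20"},
}

# Constructed: IPs that had a normal traffic history with us before any
# incident, i.e. real customers whose machines may simply be infected.
KNOWN_CUSTOMERS = {"203.0.113.5", "203.0.113.9", "192.0.2.44", "203.0.113.20"}


def jaccard(a, b):
    """Overlap of two source sets: 1.0 means identical, 0.0 means disjoint."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_botnets(incidents, threshold=0.5):
    """Step 4: incidents whose source sets overlap at least `threshold` are
    assumed to come from the same botnet. Union-find over incident ids;
    returns {incident_id: botnet_label}. The threshold is an assumed value."""
    parent = {k: k for k in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(incidents, 2):
        if jaccard(incidents[a], incidents[b]) >= threshold:
            parent[find(a)] = find(b)
    roots, labels = {}, {}
    for k in incidents:
        labels[k] = roots.setdefault(find(k), f"botnet-{len(roots) + 1}")
    return labels


def build_reputation(incidents, botnet_labels):
    """Step 3: the shared database keyed by IP: which incidents it took part
    in and which botnets those incidents were attributed to."""
    db = defaultdict(lambda: {"incidents": set(), "botnets": set()})
    for inc_id, sources in incidents.items():
        for ip in sources:
            db[ip]["incidents"].add(inc_id)
            db[ip]["botnets"].add(botnet_labels[inc_id])
    return dict(db)


def multi_botnet_members(db):
    """Step 4: IPs seen in incidents attributed to more than one botnet."""
    return {ip for ip, rec in db.items() if len(rec["botnets"]) > 1}


def decide(ip, db, known_customers, min_incidents=2):
    """Step 5: per-request action for a source IP (thresholds are assumed)."""
    rec = db.get(ip)
    if rec is None:
        return "allow"             # no attack record at all
    if ip not in known_customers:
        return "drop"              # 5.2: only ever seen in attack traffic
    if len(rec["incidents"]) >= min_incidents:
        return "throttle+notify"   # 5.1 + 5.3: infected customer, keep serving but degrade and warn
    return "monitor"               # a single incident may be a false positive


def notice_for(ip, db, contact="+1-555-0100 (placeholder)"):
    """Step 5.3: banner text for a throttled customer. The number is a placeholder."""
    n = len(db[ip]["incidents"])
    return (f"Dear user, according to our records your IP address {ip} is "
            f"associated with {n} attacks. Your computer may be infected. "
            f"To confirm this notice is genuine, call us at {contact}.")


def run_plan(incidents=INCIDENTS, known_customers=KNOWN_CUSTOMERS):
    """Run steps 3-5 over every IP in the database plus one never-seen IP."""
    labels = cluster_botnets(incidents)
    db = build_reputation(incidents, labels)
    ips = sorted(db) + ["192.0.2.1"]   # 192.0.2.1: constructed, no records at all
    return {ip: decide(ip, db, known_customers) for ip in ips}


if __name__ == "__main__":
    labels = cluster_botnets(INCIDENTS)
    db = build_reputation(INCIDENTS, labels)
    print("botnets:", labels)
    print("on multiple botnets:", multi_botnet_members(db))
    for ip, action in run_plan().items():
        print(f"{ip:16} {action}")
        if action == "throttle+notify":
            print("   ", notice_for(ip, db))
```

With the constructed data, the two incidents that share three sources are attributed to one botnet and the third to another; 192.0.2.44 turns up in both and is the one "multiple botnets" member, the known customers with two incidents get the throttle-and-notify treatment, the nodes with no prior customer history are dropped, and the single-incident customer is only monitored. Dropping on a single incident is deliberately avoided, since a spoofed or proxied source would otherwise let an attacker get a legitimate customer blocked.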

Another thought comes to mind here. There is a lot of talk about increasing federal government level cyber security organizations. Certainly they could devote an entire team to consumer-based attacks; then the website simply directs you to NoMoreBotNets.gov, where there are helpful articles and a number to call for live help and advice. Uncle Sam isn't going to sell you some snake oil solution! This would provide something that users could trust (until it's obviously hacked) and would create a few more jobs that hopefully wouldn't get outsourced.