The Internet Engineering Task Force has released a draft of its document “Recommendations for the Remediation of Bots in ISP Networks” (Text here.)
This is one of those important routine things with the potential to fix a big problem that nobody is really writing about. ISPs are in the position to do something about botnets, but the process is a lot more complicated than you might think.
The IETF’s draft lists detection methods for finding bot-infected machines, including:
— analysis of specific network and/or application traffic flows (such as traffic to an email server),
— analysis of aggregate network and/or application traffic data,
— data feeds received from other ISPs and organizations (such as lists of the ISP’s IP addresses which have been reported to have sent spam),
— feedback from the ISP’s customers or other Internet users.
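To make the first three of those methods concrete, here is an added example (mine, not text or code from the IETF draft or from any ISP) that correlates them over constructed data: per-subscriber outbound SMTP flows (a specific traffic flow), the count of distinct mail hosts each subscriber contacts while bypassing the ISP’s own relay (aggregate data), and a list of the ISP’s addresses that an external feed has reported as spam sources. Every address, flow record, the relay address and the threshold are constructed for illustration; a real deployment would take flows from NetFlow/IPFIX export and the feed from a partner ISP or blocklist operator.

```python
"""
Added example (not from the IETF draft or the article): a toy correlation of
three detection inputs the draft lists, run over constructed data.

  1. specific flows   -> outbound SMTP (TCP/25) connections per subscriber IP
  2. aggregate data   -> distinct non-relay mail hosts per subscriber
  3. external feeds   -> this ISP's addresses reported elsewhere as spam sources

Thresholds, addresses and flow records are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol).
# A real deployment would take these from NetFlow/IPFIX export.
FLOWS = [
    ("203.0.113.10", "198.51.100.5", 25, "tcp"),   # via ISP relay (benign)
    ("203.0.113.10", "198.51.100.6", 25, "tcp"),   # direct-to-MX ...
    ("203.0.113.10", "198.51.100.7", 25, "tcp"),
    ("203.0.113.10", "198.51.100.8", 25, "tcp"),
    ("203.0.113.10", "198.51.100.9", 25, "tcp"),
    ("203.0.113.10", "198.51.100.10", 25, "tcp"),
    ("203.0.113.11", "198.51.100.5", 25, "tcp"),   # one message via ISP relay
    ("203.0.113.11", "192.0.2.80", 443, "tcp"),
    ("203.0.113.12", "192.0.2.80", 443, "tcp"),
    ("203.0.113.12", "192.0.2.81", 443, "tcp"),
]

# Constructed external feed: addresses in this ISP's space that other
# operators have reported as having sent spam (the draft's "data feeds").
SPAM_FEED = {"203.0.113.12"}

# Constructed address of the ISP's own outbound mail relay. Subscriber SMTP
# that bypasses it and goes straight to many remote MX hosts is the
# pattern spam bots produce; ordinary mail clients use the relay.
ISP_MAIL_RELAY = "198.51.100.5"

DIRECT_SMTP_DEST_THRESHOLD = 5   # constructed: distinct non-relay MX hosts


@dataclass
class Suspect:
    """One subscriber address and the evidence that flagged it."""
    ip: str
    reasons: list = field(default_factory=list)


def direct_smtp_destinations(flows):
    """Aggregate the SMTP flows: distinct non-relay port-25 destinations
    per source address (methods 1 and 2)."""
    dests = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "tcp" and port == 25 and dst != ISP_MAIL_RELAY:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def find_suspects(flows, spam_feed, threshold=DIRECT_SMTP_DEST_THRESHOLD):
    """Combine the traffic-based signal with the external feed (method 3).
    Each suspect carries every reason it was flagged so that the
    notification step can tell the customer what was observed."""
    suspects = {}
    for src, n in direct_smtp_destinations(flows).items():
        if n >= threshold:
            suspects.setdefault(src, Suspect(src)).reasons.append(
                f"direct SMTP to {n} distinct MX hosts, bypassing ISP relay")
    for ip in spam_feed:
        suspects.setdefault(ip, Suspect(ip)).reasons.append(
            "reported as spam source by external feed")
    return suspects


if __name__ == "__main__":
    for s in find_suspects(FLOWS, SPAM_FEED).values():
        print(s.ip, "->", "; ".join(s.reasons))
```

With the constructed data, 203.0.113.10 is flagged on traffic alone (five direct-to-MX connections), 203.0.113.12 only because of the external feed, and 203.0.113.11, which sent one message through the ISP relay, is not flagged. Keeping the reasons attached to each suspect matters for the next step the article turns to: a notification that states what was observed is harder to dismiss as spam than a bare “your machine is infected.”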
They note that scanning their IP space for unpatched and vulnerable hosts could help reduce the risks of bot infections, but port scanning could leave network services hung. Also, firewalls and host-based intrusion detection could interpret the scans as precursors to attacks.
Notifying owners of infected machines is another huge can of worms. E-mail notices could end up in the spam bucket, be ignored, or be spoofed by botnet operators for further social engineering. Ground mail and phone calls are expensive and very time consuming given the millions of bot-infected machines in the country.
It SEEMS like ISPs could just shut off infected machines and let the owners figure it out in their own sweet time. Considering that some people might have telephone service only through a voice-over-IP network, shutting off their ability to make 911 calls could be fatal. It also could be a business-fatal legal liability for the ISP.
The draft says a possible solution to the shutdown and notification quandary is the “walled garden.”
“Placing a user in a walled garden is another approach that ISPs may take to notify users. A walled garden refers to an environment that controls the information and services that a subscriber is allowed to utilize and what network access permissions are granted. This is an effective technique because it could be able to block all communication between the bot and the command-and-control channel, which may impair the ability of a bot to disrupt or block attempts to notify the user.
“While in many cases the user is almost guaranteed to view the notification message and take any appropriate remediation actions, this approach can pose other challenges. For example, it is not always the case that a user is actively using a computer that uses a web browser or which has a web browser actively running on it.
“In one example, a user could be playing a game online, via the use of a dedicated, Internet-connected game console. In another example, the user may not be using a computer with a web browser when they are placed in the walled garden and may instead be in the course of a telephone conversation, or may be expecting to receive a call, using a Voice Over IP (VoIP) device of some type. As a result, the ISP may feel the need to maintain a potentially lengthy white list of domains which are not subject to the typical restrictions of a walled garden, which could well prove to be an onerous task, from an operational perspective.”
The Australian Internet Industry Association is working on similar guidelines (Text here.)