Botnets: Pin the Blame Properly

By Charlie Schluting | Aug 8, 2007
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3693396/Botnets-Pin-the-Blame-Properly.htm

Opinion: We'd all love to get less spam. To receive less spam we must clean up infected computers, but who is going to do it? Apparently, many people believe the ISP is responsible.

Taking it to extremes, the FBI recently published, then retracted, a recommendation to call your ISP, because "they can help you determine if your computer has been infected, and what steps to take to restore it." An outcry on NANOG, the well-known network operators' mailing list, prompted the eventual removal of this recommendation. The remaining FBI article is simply part of a botnet awareness campaign.

We have been shown two things with this tidbit from the FBI. First, they don't have a solution for how to best combat the problem. Second, the FBI, like many other organizations, is quick to recommend that a user's ISP is responsible for helping end-users clean their systems.

ISPs should not be responsible, in any way, for supporting their customers' operating systems. Sure, they have a stake in helping a customer set up a computer such that it functions properly for Internet access, but that is the extent of their responsibility. Many ISPs will help users with all kinds of problems after they've helped them get Internet access working, but the ISP generally draws the line shortly after that point. The ISP certainly cannot economically justify spending hours on the phone helping its users clean up viruses.

An ISP sells a vehicle to the Internet. What a customer does while using these services is at the discretion of the customer. A few exceptions to the rule exist, such as a customer disrupting service for others. At times, an ISP will have to intervene, but for the most part an ISP should simply be a channel. Many of the frustrations people feel when using Internet services are a direct result of ISPs trying to protect themselves, and even their users. Blocked ports are the best example of a standard practice that results in high frustration levels for users.

Root Causes

The real cause of botnet infestations, where the responsibility should lie, is Microsoft. Some people actually argue that this is not true, but Microsoft does not. At great expense to its bottom line, Microsoft offers free technical support to all Windows users who have virus issues. Really! Give them a call at 1-866-PC-SAFETY. Some companies will charge up to $300 for cleaning up viruses, and when Dell sells $400 computers that are quite usable for most people, $300 in maintenance is difficult to justify.

The blame isn't 100 percent attributable to Microsoft, but it's close. Nobody is denying that poorly secured Web sites, usually PHP applications, play a role. But Microsoft's poor security model, coupled with its overwhelming market dominance, created the foundations on which botnet spam is built.

Zombie computers are responsible for most spam, and nobody wants to be responsible for the problem. Microsoft will assist users in cleaning up, but most users don't even know they're infected. Their ISP knows they're infected, but couldn't help even if it wanted to.

Why ISPs Can't Help

Let's say that an ISP's monitoring software detected botnet activity on a home user's computer. The ISP has two options: turn off the Internet access for that user in an effort to help clean the 'net, or notify the user and tell them to clean up. The former isn't good for business, and the latter is useless. A user will either ignore the notice, or require help. Therefore, the ISP opts for "none of the above." Simply talking to a user on the phone for 30 minutes means that most ISPs won't make any money off that person for the next two to six months (estimated, but with real figures in mind).

In an ideal world, an ISP would be able to redistribute Microsoft patches. Imagine if the ISP could quarantine an infected user, and present them with a Web page that explains what's wrong. "Dear $USER, you're infected. Please click here, here, and here, then install the software you've just downloaded. When complete, click 'here' and your Internet access will be restored." That would be wonderful, but there's a slight problem.

Microsoft will not allow ISPs to distribute Windows patches the way that universities can. If an ISP wants to allow access to only certain trusted Web sites from their quarantine, such as their own, and perhaps Windows Update, they're still stuck. Microsoft uses content providers to serve up Windows patches, and it's impossible to tell where a user will be downloading a patch from. Therefore, ISPs who wish to help their users are really stuck, all because Microsoft doesn't want to provide patches for pirated versions of Windows.

Where ISPs Fail

ISPs aren't entirely without fault, however. They provide Internet service, which by most measures is "as safe as possible" while still allowing productivity, but they do forget one important aspect. What if a customer needs to reinstall Windows? The window between finishing the installation and getting all Microsoft patches applied is plenty of time to get infected. Users without NAT are wide open. Many ISPs are shipping NAT-enabled modem/router equipment, but dialup customers, of which there are still quite a few, have no protection. ISPs should seriously consider providing a safe harbor for users, toggleable via a Web site.

There isn't a silver bullet to the botnet problem yet. In fact, most ISPs are forced to ignore the issue. It's hard to say who should take the plunge and spend the most time and money on the problem, and the obvious choice isn't doing enough. ISPs certainly want the net to be a cheerful and happy place, so maybe they would help more if fixing botted computers wasn't such a manual process.

The existing products in the market that address these types of security issues are targeted at small businesses—they would crumble under an ISP's load. Perhaps someone should create a mechanism for quarantining Internet hosts at the ISP level, in an effective manner.
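To make the quarantine mechanism sketched above concrete, here is an added simulation of the pieces an ISP-level walled garden would need; it is illustration written for this page, not code from the article, from any ISP, or from any vendor. It covers the three steps the article walks through: the monitoring side ("Why ISPs Can't Help") flags a subscriber whose traffic fans out to an unusual number of distinct SMTP servers, the quarantine side redirects that subscriber's Web traffic to a portal page while still letting them reach remediation hosts, and access is restored only after the subscriber clicks through and the detector no longer fires on their fresh traffic. The patch-distribution caveat is handled the way the article implies it must be: remediation destinations are allowlisted by name and resolved at decision time, because a CDN-fronted update site cannot be pinned to a fixed address list. The flow records, the DNS table, the hostnames (`portal.isp.example`, `update.vendor.example`), the addresses and the thresholds are all constructed placeholders.

```python
"""Added example: ISP-level walled-garden quarantine, with a spam-zombie detector in front of it.
Everything here (flow records, DNS table, hostnames, thresholds) is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List, Set, Tuple


class Action(Enum):
    ALLOW = "allow"
    REDIRECT_PORTAL = "redirect-to-portal"
    DROP = "drop"


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since some epoch
    src: str     # subscriber IP
    dst: str     # destination IP
    dport: int   # destination port


def detect_spam_zombies(flows: Iterable[Flow], window: int = 60, max_distinct_smtp: int = 20) -> Set[str]:
    """Flag subscribers that contact more than `max_distinct_smtp` distinct SMTP servers inside `window` seconds.
    Heuristic: a mail client talks to one or two relays; a spam bot fans out to hundreds of MX hosts."""
    per_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for f in flows:
        if f.dport == 25:
            per_src[f.src].append((f.ts, f.dst))
    flagged: Set[str] = set()
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):            # sliding window over time-ordered SMTP connections
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({dst for _, dst in events[lo:hi + 1]}) > max_distinct_smtp:
                flagged.add(src)
                break
    return flagged


class QuarantineEngine:
    """Per-flow policy for quarantined subscribers: remediation hosts allowed, Web redirected, rest dropped."""

    def __init__(self, portal_ip: str, allowlist: Set[str], resolve: Callable[[str], Set[str]]):
        self.portal_ip = portal_ip
        self.allowlist = allowlist          # DNS names, never fixed IPs: the patch CDN's addresses change
        self.resolve = resolve              # name -> current set of IPs, consulted at decision time
        self.quarantined: Set[str] = set()
        self.claimed_clean: Set[str] = set()

    def quarantine(self, subscriber: str) -> None:
        self.quarantined.add(subscriber)
        self.claimed_clean.discard(subscriber)

    def _allowed_dsts(self) -> Set[str]:
        ips = {self.portal_ip}
        for name in self.allowlist:         # re-resolved every call on purpose, so CDN rotation is picked up
            ips |= self.resolve(name)
        return ips

    def decide(self, flow: Flow) -> Action:
        if flow.src not in self.quarantined:
            return Action.ALLOW
        if flow.dst in self._allowed_dsts():
            return Action.ALLOW             # portal and patch sources stay reachable
        if flow.dport == 80:
            return Action.REDIRECT_PORTAL   # any other Web request lands on the "you're infected" page
        return Action.DROP                  # including further outbound SMTP

    def subscriber_reports_clean(self, subscriber: str) -> None:
        self.claimed_clean.add(subscriber)  # the portal's "click here and access will be restored" button

    def try_restore(self, subscriber: str, recent_flows: Iterable[Flow]) -> bool:
        """Restore only if the subscriber clicked through AND the detector is quiet on their fresh traffic."""
        if subscriber not in self.claimed_clean or subscriber in detect_spam_zombies(recent_flows):
            return False
        self.quarantined.discard(subscriber)
        self.claimed_clean.discard(subscriber)
        return True


# Constructed stand-in for live DNS; the second entry models a CDN-fronted patch site with several addresses.
CONSTRUCTED_DNS: Dict[str, Set[str]] = {
    "portal.isp.example": {"198.51.100.10"},
    "update.vendor.example": {"192.0.2.50", "192.0.2.51"},
}


def resolve(name: str) -> Set[str]:
    return set(CONSTRUCTED_DNS.get(name, set()))


def build_sample_flows() -> List[Flow]:
    """Constructed records: 10.0.0.5 hits 25 distinct SMTP servers in 25 s (bot-like);
    10.0.0.9 sends two messages through the ISP relay (normal)."""
    flows = [Flow(ts=i, src="10.0.0.5", dst=f"203.0.113.{i + 1}", dport=25) for i in range(25)]
    flows += [Flow(ts=5, src="10.0.0.9", dst="198.51.100.25", dport=25),
              Flow(ts=40, src="10.0.0.9", dst="198.51.100.25", dport=25)]
    return flows


def run_demo() -> dict:
    flows = build_sample_flows()
    flagged = detect_spam_zombies(flows)
    engine = QuarantineEngine("198.51.100.10", {"update.vendor.example"}, resolve)
    for subscriber in flagged:
        engine.quarantine(subscriber)
    decisions = {
        "bot_to_patch_site": engine.decide(Flow(100, "10.0.0.5", "192.0.2.51", 443)),
        "bot_web_browsing": engine.decide(Flow(100, "10.0.0.5", "203.0.113.77", 80)),
        "bot_more_smtp": engine.decide(Flow(100, "10.0.0.5", "203.0.113.99", 25)),
        "clean_user_browsing": engine.decide(Flow(100, "10.0.0.9", "203.0.113.77", 80)),
    }
    engine.subscriber_reports_clean("10.0.0.5")
    premature = engine.try_restore("10.0.0.5", flows)                      # bot traffic still present: refused
    restored = engine.try_restore("10.0.0.5", [Flow(200, "10.0.0.5", "198.51.100.25", 25)])
    after = engine.decide(Flow(300, "10.0.0.5", "203.0.113.77", 80))
    return {"flagged": flagged, "decisions": decisions, "premature_restore": premature,
            "restored": restored, "after_restore": after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The detector threshold is deliberately a heuristic, and the restore check re-runs it rather than trusting the subscriber's click alone; in a real deployment the DNS lookups would be live and the decision would sit in the access router or DHCP/RADIUS layer rather than in a Python loop, but the allow/redirect/drop split and the re-resolved allowlist are the parts that carry over.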