Botnets and what to do with them
01/06/08 09:56 Filed in: Internet
Botnets are everywhere nowadays and they are a big threat to the internet, and hence to just about everything else as well. So far not a lot has been done about this. Is this just because of apathy, or is it that nothing can be done?
Since this entry is going to mean nothing to you unless you know what a botnet actually is, here's a quick explanation. Basically it is a network of computers (mostly Windows PCs) that have been infected, one way or another, with a virus or trojan horse. Through this infection a controller can launch attacks on other systems and yet still remain hidden, since the attack comes from the infected machines, not from the attacker's own.
The machines on a botnet, called zombies, can be used to flood services with bogus requests or to send spam. Besides keeping the attacker hidden, a botnet offers another advantage: botnets can be huge (the largest reported so far was 1.5 million machines), so the attack is likewise huge and, more importantly, it comes from many different IP addresses, which makes blocking it at the target's firewall difficult.
A more detailed explanation can be found, as ever, on Wikipedia.
So what can be done about them? As I see it there are three solutions. The first is to fix the vulnerabilities in Windows which allow the infection in the first place. This would be the best solution; it is also the solution which won't happen!
Firstly, Windows is just too large and complex now (a subject I will be returning to soon) to ever be secure. In fact it could be argued that the same is true of all modern operating systems. Also, even if Microsoft were to patch every known problem fully now, those patches would not get applied to the machines out there. There are, after all, still people using Windows 95 and pre-Service Pack 1 versions of XP.
So the best solution is not going to work; what's the next answer?
Well, since it's the ISPs that bear the brunt of the costs of botnets, they could do something about them. The cost comes from the fact that the ISP has to pay charges for the data traffic which crosses other networks, and of course if a lot of the traffic on its own network is from botnets, it needs to upgrade that network so there is bandwidth for the 'normal' traffic.
The first thing they could do would be to block, at the edge of the ISP's network, the incoming connections which controllers use to control the zombie machines. This sounds good but has some problems. It would still mean that a controller on the same ISP's network could control all of the zombies on that network or section of network. It also only helps against bots that wait for the controller to connect in to them; a bot that makes its own outgoing connection to the controller never sees an incoming filter at all, so this has to be paired with filtering of outgoing traffic. It's a start, but still not the full cure. Also note that this would lower the ISP's data-traffic cost to other ISPs, but would do nothing about the usage of bandwidth on its own network.
Another thing the ISPs can do at the edge of their own network is to block some of the outgoing connections a botnet might make. Again this would only stop some of the effects of a botnet, but they might be some of the biggest effects! To explain: the flood type of attack (known technically as a distributed denial of service attack, or DDoS) uses a flood of legitimate-looking traffic to overwhelm the target server. Since this traffic differs from normal traffic only in its volume, there is no easy way to tell whether any particular connection is legitimate or part of the attack. In other words you couldn't block outgoing web traffic, since that is what most people call the internet! The same is true for almost any type of traffic a botnet could generate.
There is however one type that you could block which would have a potentially big effect: outgoing mail (SMTP, TCP port 25) from the client machines, blocked at the edge of the ISP's network.
What!? I hear you cry. But that would stop email. No it wouldn't actually; look at it again. I said block outgoing mail from the client machines, not from the ISP's mail server. This is how most corporate networks handle mail: it's not your machine that sends that mail you just wrote to Microsoft. Your machine sends the mail to the corporate mail server (probably an Exchange server), which then sends it on. In fact if a client machine tried to send directly to Microsoft's mail servers it would almost certainly get stopped by the corporate firewall.
If ISPs did this, I think it would have a big effect on the global flood of spam. The ISP's mail servers could do basic checks on the outgoing mail so that it could only be sent from one of the ISP's domains, and in fact if they only allowed it to be sent from a known address on the ISP's system this would give a much better level of protection.
This is still not without its problems: it would prevent people like me (whom I would call power users of the internet) from sending mail via my own domain (hyperlands.net), which has nothing to do with my ISP (blueyonder). I never send mail from the address I got with my connection.
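The sender checks described above, together with the power-user exception, are the kind of thing a mail server delegates to an access-policy service. The block below is an added example written for this page, not code from the original post or from any ISP: it implements Postfix's check_policy_service protocol (name=value lines ending in a blank line; reply action=verdict and a blank line) and enforces that the envelope sender is a known mailbox on one of the ISP's domains, that an authenticated user can only send as their own mailbox, and that a sender on an outside domain is accepted only when the session is authenticated as a power-user account that has registered that domain. The ISP domains, mailboxes, the power-user account and the sample request are constructed for the example; the Postfix setting quoted in the comment is real, the port number is an assumption.

```python
"""Postfix access-policy server for an ISP's outbound mail relay.

Postfix hands each SMTP transaction to a policy server as "name=value" lines
ending with a blank line; the server answers "action=<verdict>" plus a blank
line. A verdict of DUNNO means "no opinion, apply the next restriction";
REJECT refuses the message.
"""
import socketserver

# Constructed data standing in for the ISP's subscriber database (assumption).
ISP_DOMAINS = {"isp.example", "mail.isp.example"}
# Envelope sender addresses the ISP actually provisioned, and the login that owns each.
MAILBOX_OWNER = {"alice@isp.example": "alice", "bob@mail.isp.example": "bob"}
# Power-user accounts and the external domains each has registered with the ISP.
POWER_USER_DOMAINS = {"carol": {"hyperlands.example"}}


def parse_policy_request(raw: str) -> dict:
    """Turn one Postfix policy request (name=value lines, blank line) into a dict."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break  # the blank line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def decide(attrs: dict) -> str:
    """Policy verdict for one outgoing message on the ISP relay."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "").strip().lower()
    login = attrs.get("sasl_username", "")
    if not sender:
        # Bounces use the null sender; subscribers' clients have no business sending them.
        return "REJECT Null envelope sender not accepted on the outbound relay"
    domain = sender_domain(sender)
    if domain in ISP_DOMAINS:
        owner = MAILBOX_OWNER.get(sender)
        if owner is None:
            return "REJECT Sender is not a known mailbox on this ISP"
        if login and login != owner:
            return "REJECT Sender address does not belong to the authenticated user"
        return "DUNNO"
    # Anything outside the ISP's own domains is only allowed for an
    # authenticated power-user account that registered that domain.
    if login and domain in POWER_USER_DOMAINS.get(login, set()):
        return "DUNNO"
    return "REJECT Sender domain not permitted from this connection"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serves Postfix's check_policy_service protocol over TCP."""

    def handle(self):
        pending = []
        while True:
            line = self.rfile.readline()
            if not line:
                return  # Postfix closed the connection
            text = line.decode("utf-8", "replace").rstrip("\r\n")
            if text:
                pending.append(text)
                continue
            attrs = parse_policy_request("\n".join(pending) + "\n\n")
            pending = []
            self.wfile.write(f"action={decide(attrs)}\n\n".encode("utf-8"))
            self.wfile.flush()


# Constructed request of the kind Postfix sends at the RCPT stage.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.7\n"
    "sender=alice@isp.example\n"
    "recipient=someone@remote.example\n"
    "sasl_username=alice\n"
    "\n"
)

if __name__ == "__main__":
    print(decide(parse_policy_request(SAMPLE_REQUEST)))  # DUNNO
    # Postfix main.cf: smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

An unauthenticated client on the ISP's own address space that uses a provisioned mailbox is let through, which matches the scheme above; a stricter relay would require SASL authentication for everything, at which point the owner check alone stops one subscriber spoofing another.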
So this is where my third and most practical idea comes in. For the average internet user, the sort of person who doesn't care about any of this and just wants to get to the web and get email, the ISPs could offer a basic package with a pre-configured router. The router would block most incoming connections, which would stop a controller connecting in to the machine if it got infected; a bot that makes its own outgoing connection to its controller would need the outgoing rules below to catch it. Also the router would block things like outgoing mail connections to anything but the ISP's mail servers. In order for this to work the router would have to be locked down so that the user couldn't change any settings. Not that the sort of people this package would be sold to would care much about that.
For the power users, like myself, the ISP would offer a different package, which of course it would charge more for. This package would offer unrestricted in and out traffic (no ISP-supplied router), but would also require some sort of signed agreement that the user would keep their system clean of viruses etc. I don't think this would be a problem, since it is the power users who are much more likely to exercise caution online, which means they are unlikely to get infected. Also if they do get infected, they are much more likely to notice and do something about it.
As an incentive to us power users for the extra cost of this sort of connection, the ISP could also offer the sorts of things we want, like fixed IP addresses and a DNS entry so we can get back to our machines when out and about, or maybe direct access to second-line support so we don't have to go through the first-line call center and its script-following monkeys (sorry to anyone who works in one of these, but I do hate that sort of call center!)
Okay, this post has gone on a bit longer than I'd planned and I've still not covered all the points I wanted to, so I'm going to leave it here for the moment and come back to this subject later.