ISPs may not be doing enough about botnets

Botnets—legions of zombified computers that can be controlled at the whim of a hacker to send out spam or launch DoS attacks—are increasingly becoming a concern for users and system administrators alike. In response, security companies have developed new technological solutions to try and stop the spread of botnets. Arbor Networks offers a service called PeakFlow that continually monitors networks to look for threats such as DoS attacks. Cloudmark merged with an anti-botnet company called Simplicita last October in order to provide real-time monitoring software for ISPs. Such software is typically sold as a service, with a monthly charge based on the number of user accounts the ISP currently provides.

Unfortunately, there are a couple of stumbling blocks that could prevent this kind of software from doing its duty. First, there are a new breed of botnets (such as SpamThru) operating now that work on a peer-to-peer model with no central command server and react to any attempt to disrupt their activities by simply moving said activities to another machine on the botnet. Mark Sunner, chief security analyst with MessageLabs, told Ars that "coming up with this botnet-seeking technology, like SecureCloud, is good, but the bad guys will keep moving and changing their botnet tactics making it increasingly harder to detect."

While proactively scanning the Internet for botnets may seem like a good idea, in reality they are much too dynamic a phenomenon, appearing and disappearing whenever someone tries to locate them.

The other and somewhat more worrying factor is that many smaller ISPs do not appear to be very interested in investing in antibotnet technology. A recent report from the Internet Security Operations Task Force (ISOTF) showed that many ISPs not only fail to address a significant proportion of botnet complaints, but a large group of them never resolve any complaints at all! Sunner believes that this absolutely needs to change. "In the past, customers haven't quantified what role their ISP played in Internet security," he said. "But now they understand that their ISPs can do something about security threats—and customers will expect their ISPs to do something about it."

Still, this assumes that customers will be educated enough to know if their ISP is doing something about botnet threats and proactive enough to demand that they do. In recent years, some of the larger ISPs have prominently advertised their security features, but it seems that the smaller providers will have to get on board as well if they want to keep up.