We’re seeing a lot of visible press around the ITU and a new effort around a BOTNET Mitigation Toolkit (see Hunters kill off zombies). It is fantastic that we have another education avenue for Service Provider (SP) Executives, Government Policy Makers, and Regulators. But there is a reality that SP Engineering, Operations, and Abuse teams need to keep in mind. Namely, we already have tools to identify violated computers. What is being proposed is not new, and any SP can join the multiple efforts that already exist to disrupt criminal activities.
First, let’s walk through what is really going on in Australia. We have the Australian Communications and Media Authority (ACMA) as the home for two community activities:
- SpamMATTERS – a tool and system which ACMA runs to allow their constituents (residents of Australia) to download a tool and easily report SPAM to a central source. ACMA then distributes that information to SPs in Australia. The SP then sends an E-mail to their subscriber letting them know that their computer might have been violated by malware and is sending SPAM, and points these violated customers to a site to help them try to fix their malware problems.
- Australian Internet Security Initiative (AISI) – a group which allows information on malicious activities – specifically BOTNETs – to be collected and then distributed to the ISPs and SPs.
So, what is really going on here? We have:
- A collaboration of SPs working together.
- Information being collected, compiled, correlated, sorted, and distributed out to the owning Autonomous System (AS) number (i.e. the SP).
- The SP then receives that information, matches the IP address/timestamp pairs to their subscribers, and sends that subscriber a notice that something might be wrong with their system. This means the SP has to have a tool to take an IP address and timestamp and match it to their subscriber database. It also means that the SP has to have time synchronization in their network.
- The violated subscriber is pointed to an SP page which attempts to help them remove the malware from their systems (see Westnet’s page done for the AISI work – http://www.westnet.com.au/internet/about/aisi/).
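The matching step above (take an IP address and a timestamp from a feed, find the subscriber who held that address at that moment) is where most SP abuse desks start. The following is an added example, not code from the original post or from ACMA/AISI; the lease table and feed lines are constructed sample data, and the "timestamp|ip|category" feed layout is an assumption. It shows why the timestamps have to be normalised to UTC before the lookup: the same address changes hands between subscribers during the day, so a report in Sydney local time matched naively would point at the wrong customer or nobody at all.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lease records, in the shape an SP's RADIUS/DHCP accounting
# might provide: (subscriber id, IP, lease start, lease end). Hypothetical data.
LEASES = [
    ("sub-1001", "203.0.113.10", "2007-11-20T01:00:00+00:00", "2007-11-20T09:00:00+00:00"),
    ("sub-1002", "203.0.113.10", "2007-11-20T09:00:00+00:00", "2007-11-20T18:00:00+00:00"),
    ("sub-1003", "203.0.113.77", "2007-11-19T22:00:00+00:00", "2007-11-21T00:00:00+00:00"),
]

# Constructed feed lines, assumed layout "timestamp|ip|category". Each timestamp
# carries its own offset; the second one is Sydney local time (AEDT, UTC+11),
# which is why every value is normalised to UTC before being compared to leases.
FEED = """\
2007-11-20T03:30:00+00:00|203.0.113.10|botnet-cc-contact
2007-11-20T22:15:00+11:00|203.0.113.10|spam-source
2007-11-20T02:00:00+00:00|203.0.113.77|botnet-cc-contact
2007-11-20T02:00:00+00:00|198.51.100.5|spam-source
"""

def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and normalise it to UTC. A timestamp without
    an offset is rejected: it cannot be matched to a lease interval safely."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset: {ts}")
    return dt.astimezone(timezone.utc)

def lookup_subscriber(ip: str, when: datetime, leases=LEASES) -> Optional[str]:
    """Return the subscriber holding `ip` at `when`; lease interval is [start, end)."""
    for sub, lease_ip, start, end in leases:
        if lease_ip == ip and to_utc(start) <= when < to_utc(end):
            return sub
    return None

def match_feed(feed: str = FEED, leases=LEASES):
    """Correlate every feed line with a subscriber. Returns (matched, unmatched):
    matched maps subscriber id -> [(utc timestamp, ip, category)], unmatched keeps
    the reports that no lease covers so they can be reviewed rather than dropped."""
    matched, unmatched = {}, []
    for line in feed.splitlines():
        ts, ip, category = line.split("|")
        when = to_utc(ts)
        sub = lookup_subscriber(ip, when, leases)
        if sub is None:
            unmatched.append((when.isoformat(), ip, category))
        else:
            matched.setdefault(sub, []).append((when.isoformat(), ip, category))
    return matched, unmatched
```

The second feed line lands on sub-1002 only because 22:15 AEDT is 11:15 UTC; read as UTC it would fall outside every lease on that address and go to the unmatched list, which is the practical reason the post insists on time synchronization.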
This is all good and highly recommended as a Best Common Practice (BCP) for any SP. But is it new, and is it a breakthrough? We currently have other groups doing the same sort of collection, correlation, and distribution of violated systems to SPs. Dshield, MyNetWatchman, Team Cymru, Shadowserver, CastleCops, Spamhaus, and many others do this now. It is easy for any SP’s Abuse or Security Department to get 10 or more useful feeds of information which provide details of systems which could have been violated by criminal malware. So information about which customers’ computers are violated is readily available to the SP. Many SPs also have web pages which help customers attempt to resolve their malware problem.
So if the information is available, the E-mail notice tools are deployed, and the clean-up web pages are built, why don’t more SPs E-mail their customers when they get information about malware? THAT is the question people should be asking. What dynamics exist which stop an SP from E-mailing their customers that their computers could be violated?
These are the questions that the ITU, APEC Tel, and other groups trying to be the center of Cybersecurity are missing.