ISPs key to beating the botnets

30 Jun 2008

Security experts believe internet service providers (ISPs) could do more in the fight against spam, by identifying the infected PCs on their networks.

Deleting reams of spam from email inboxes is, for many people, as much a part of the daily routine as a morning coffee or chatting by the office water cooler. Despite the industry’s best efforts, the problem hasn’t gone away; if anything, it’s worse. Last month, spam accounted for more than three quarters of all email traffic worldwide, according to MessageLabs.

Most spam campaigns are sent from botnets. These are large groups of compromised PCs, often located in different countries, which are used to send email in bulk without the user’s knowledge. It’s difficult to stop spam at source, simply because there is no single point of origin. For example, last month MessageLabs traced 81,000 messages back to over 700 different IP addresses in the Storm botnet.

Figures from Trend Micro illustrate the massive growth in botnets. In 2005, there were around 2.1 million compromised computers used in any given month to send spam. By 2007, the average was 10 million. Spam is a global problem but there is a local angle; Trend Micro claims there are close to 200,000 infected computers in Ireland. Of this number, anywhere between 13,000 and 20,000 PCs are used each month to send spam.

So what can be done? Dave Rand, chief technology officer with Trend Micro, believes ISPs hold the key to beating the bots and slowing spam’s march. “The ISPs need to get involved in security. The ISPs know the bot networks are there and they know which users are infected and they’re choosing to turn a blind eye and not inform users,” he says.

Ken O’Driscoll, chief technology officer of IE Internet, says the problem with botnets is poorly secured home PCs. “Even in a badly run corporate network, if a machine gets compromised, it’s off the network in six hours. A home desktop machine plugged into a €40 USB modem could be ticking away for months.”

O’Driscoll believes it is unfair to expect an average home user with little technical knowledge to be a security expert and lock down their machine against attacks. He suggests ISPs could block access to certain computer ports which are typically used by spammers to send out their emails. “The average home user doesn’t need full access to TCP/IP services,” he says. “A lot of these things could be nipped in the bud if ISPs blocked certain types of communication between the home user and the internet.”

Paul Durrant, general manager of the Internet Service Providers Association of Ireland (ISPAI), says spam is as much of a nuisance for ISPs because of the load it places on their networks. He admits botnets haven’t been on the ISPAI agenda recently.

However, he warns that proactive tracking of customer email traffic would have privacy implications. “There are data protection issues that we have got to be very cognisant of. You are effectively monitoring people’s types of usage and this is something we have not been doing.”

Rand believes there is another reason why ISPs don’t contact customers. “The problem is, any time they have contact with a customer, it costs money and their profits vanish after one call.”

Frank Slyne, manager for operations and business support systems with Eircom Net, Ireland’s largest ISP, says the issue isn’t so simple. There are valid technical and legal reasons why ISPs must tread carefully around the issue of monitoring users, he says.

“When you get down to the level of peer-to-peer traffic, the overhead of analysing and controlling that traffic would be quite high. I don’t see the issue as being [one of] profit margin or overhead, I see it as data protection. If an ISP is aware of traffic that an end user is sending, it opens the door to other things that could be put at the ISP’s doorstep.”

Eircom Net follows established best practice, adds Slyne. “If it’s identified to us by other ISPs or legal authorities that a customer of ours has a phishing site or is generating spam, we track it and log it and we proceed according to those guidelines,” he says.

Responding to O’Driscoll’s suggestion about port blocking, Slyne says this has happened before, notably when Trojan Horse programs were launched against the Microsoft operating system some years ago.

“We closed off ports that were being abused to stop the traffic being sent over them,” he explains. However, he doesn’t believe this is a viable long-term option. “When you restrict traffic, it moves on to another port. [Spammers] move from open, unencrypted channels to encrypted channels so an ISP couldn’t drill down to those,” he says. “It’s a continuous moving target.”
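The two ideas in the debate above, that an ISP can tell from traffic which customers are infected and that direct outbound mail from home PCs is the channel spammers abuse, can be made concrete with a small traffic-analysis check. The following is an added example, not code from the article or from any of the companies it quotes: it reads constructed flow records (one line per outbound TCP connection, in an assumed "src dst dport proto" format) and flags subscriber addresses that open many direct SMTP (TCP/25) connections to many different remote mail servers, which is how a spam-sending bot looks at the network edge. The ISP relay address and the thresholds are assumptions chosen for the illustration.

```python
"""Flag subscriber hosts that look like spam bots from flow records.

Added example (not from the article). A compromised home PC sending spam
typically opens many outbound TCP/25 connections to many distinct mail
servers, whereas a normal home user submits mail only through the ISP's own
relay. Exempting the relay keeps the check from penalising ordinary mail use.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable

SMTP_PORT = 25
# Assumed address for the ISP's own outbound mail relay (TEST-NET-2 range,
# documentation only). Customers sending through it are behaving normally.
ISP_MAIL_RELAY = "198.51.100.25"


@dataclass(frozen=True)
class Flow:
    src: str      # subscriber address
    dst: str      # remote address
    dport: int    # destination TCP/UDP port
    proto: str    # "tcp" or "udp"


def parse_flow_line(line: str) -> Flow:
    """Parse one whitespace-separated record: src dst dport proto (assumed format)."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def find_spam_senders(flows: Iterable[Flow], *, min_flows: int = 20,
                      min_distinct_dsts: int = 10,
                      relay: str = ISP_MAIL_RELAY) -> Dict[str, int]:
    """Return {subscriber: distinct SMTP destinations} for hosts that open
    many direct TCP/25 connections to many different remote mail servers.
    Connections to the ISP's own relay are ignored, so a mail client that is
    configured to use the relay is never flagged. Thresholds are assumed."""
    distinct = defaultdict(set)
    total = defaultdict(int)
    for f in flows:
        if f.proto != "tcp" or f.dport != SMTP_PORT or f.dst == relay:
            continue
        total[f.src] += 1
        distinct[f.src].add(f.dst)
    return {src: len(distinct[src]) for src in total
            if total[src] >= min_flows and len(distinct[src]) >= min_distinct_dsts}


# Constructed sample flow log (not real traffic):
#  - 10.0.0.7 behaves like a spam bot: 30 direct SMTP connections to 30 hosts
#  - 10.0.0.8 sends 25 messages, all through the ISP relay (normal mail client)
#  - 10.0.0.9 is ordinary web browsing on port 443
SAMPLE_LOG = (
    [f"10.0.0.7 203.0.113.{i} 25 tcp" for i in range(1, 31)]
    + [f"10.0.0.8 {ISP_MAIL_RELAY} 25 tcp" for _ in range(25)]
    + [f"10.0.0.9 192.0.2.{i} 443 tcp" for i in range(1, 6)]
)


def analyse(lines: Iterable[str]) -> Dict[str, int]:
    """Parse raw flow lines and return the flagged subscribers."""
    return find_spam_senders(parse_flow_line(line) for line in lines)


if __name__ == "__main__":
    for host, n in analyse(SAMPLE_LOG).items():
        print(f"{host}: {n} distinct remote SMTP servers contacted directly")
```

Run as-is, the script reports only 10.0.0.7; the customer relaying through the ISP's own mail server and the web-browsing customer are left alone, which is the point of the relay exemption. The check also shows the limit Slyne describes: it only sees plain, direct-to-server SMTP on port 25, so a bot that moves to another port or to an encrypted submission channel would need a different signal.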

Rand says ISPs won’t have to go it alone in helping end-users to get secure. “We in the security industry have to bring effective tools to bear on the problem so the ISP can just go to this website and click ‘yes’ and the problem will be fixed.”

He and O’Driscoll believe a security surcharge may be the inevitable result. “We’ve got to increase the rates overall for ISP access so security is part of the fee users pay,” says Rand. O’Driscoll adds: “Ultimately, the home user is going to spend more money within a year of buying their computer. They can either get someone external in to fix it, pay the ISP upfront or wait for something to happen.”

Intense competition in the broadband market is forcing prices down and, whether ISPs admit it or not, this must affect their profit margins. Maybe the bigger question is, with the cost of internet access falling, will the average home user see the value in paying extra for security to fight an invisible enemy?

By Gordon Smith

Gordon Smith was a contributor to Silicon Republic