What Should ISPs Do about Bot-Infected Users?
There's no doubt that botnets are a major threat to the safety and stability of the internet -- not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? Let's take The Long View...
Botnets are a major source of spam, denial-of-service attacks, and other net nasties. For several years, I and others have advocated a more aggressive approach to fighting botnets.
While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Once an ISP has detected that a user is infected, they can ensure that the problem gets fixed -- remediated, as we jargonistas love to say.
The idea is that ISPs could detect signs -- say, by intercepting outbound spam, or botnet command-and-control traffic -- and cut the infected customer off from the internet. The user would be placed in a walled garden, where a web browser would only be able to see certain pages, which give instructions on how to fix the problem.
Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy.
However, the main counter-argument is that consumer ISPs operate on razor-thin margins, so the idea of doing extra work is unwelcome, to put it mildly. For some time, I've argued that governments should give incentives to ISPs, persuading them to detect bot infections and help customers clean house.
Over the years, we've seen a number of industry efforts to persuade ISPs to do this, but with limited effect. Here are just a few that spring to mind:
- In 2006, the Australian Internet Industry Association issued a guide to its members about how to detect and remediate bots
- In 2007, the Messaging Anti-Abuse Working Group (MAAWG) issued a set of "Best Practices for the Use of a Walled Garden" to its members
- In 2009, the IETF started work on "Recommendations for the Remediation of Bots in ISP Networks" (currently at draft 09)
Perhaps there's light at the end of the tunnel. Last week, Comcast announced it will warn customers found to be infected, but not go as far as a walled garden. And just today, Microsoft's Scott Charney -- Corporate Vice President of Trustworthy Computing, no less -- spoke at the International Security Solutions Europe Conference in Berlin, Germany, advocating bot detection and remediation.
Is this an idea whose time has come? Or will most ISPs continue to jam their fingers in their ears and sing, "La-la-la-la, I can't hear you!" at the tops of their voices?
What do you think? Leave a comment below...
You can also read Richi's full profile and disclosure of his industry affiliations.