A border approach to bot mitigation
While gathering up my notes for discussing firewall technology for this semester’s course, I started thinking about newer security issues that could be handled by the border or interposition approach of traffic cleansing.
It seems like botnet cleanup would be a good candidate for such a centralized technology. Computers that are open to infection are unlikely to be controlled by technically savvy people, so a client-oriented control is unlikely to be completely successful. However, a control installed by a technically savvy service provider could scan traffic looking for characteristic bot control traffic.
Since the service provider would presumably not want to annoy its customers, this would be a track-and-alert control rather than one that immediately cuts the customer’s net connection. On suspicion of a remotely controlled computer, the service provider could offer to scan the system in question to remove well-known infections. I can see several reasons why this has not yet been done.
- Given my experience with my home service provider, the depth of technical expertise isn’t there.
- Unless the home service providers are getting negative feedback for hosting bots, there is no upside to going through this bother. It would just be pissing off your customers without getting anything in return.
- The service providers’ customers are very price conscious and would not pay for centralized security features. This might explain why home service providers (at least around here) do not offer scanning, firewalling, or spam prevention services.
- Scanning for bot control traffic may not be feasible. The volume of control traffic would be much smaller than the bot-generated traffic. While historically control traffic has been sent over IRC on a fixed port, attackers are getting clever and sending commands over different ports. The specifics of the commands could easily be changed, making it difficult to separate commands from real human-to-human communication. I don’t know enough about today’s bot technology to know how easily it could be detected.
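As an added illustration of the track-and-alert scanning discussed above (this is not code from the original post), the following Python sketch runs two heuristics over constructed flow records: the historical fixed-port IRC signature, and a port-agnostic check for the low-volume, regularly spaced connections that distinguish control traffic from the bulk of bot-generated traffic. The addresses, ports, thresholds and flow records are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (seconds, customer_ip, dst_ip, dst_port, bytes).
# 10.0.0.5: small connections to one host every ~60 s on port 6667 (classic IRC control).
# 10.0.0.7: small, regular connections on port 443 (control traffic moved off the fixed port).
# 10.0.0.9: ordinary browsing, bursty and varied in size.
FLOWS = [
    *[(t, "10.0.0.5", "203.0.113.10", 6667, 120) for t in range(0, 600, 60)],
    *[(t, "10.0.0.7", "198.51.100.20", 443, 90) for t in range(5, 605, 60)],
    (12, "10.0.0.9", "198.51.100.20", 443, 48000), (15, "10.0.0.9", "203.0.113.30", 80, 9000),
    (17, "10.0.0.9", "203.0.113.31", 443, 120000), (400, "10.0.0.9", "198.51.100.20", 443, 52000),
]

IRC_PORTS = {6667}  # the historical fixed control port (assumed signature)


def beacon_alerts(flows, min_flows=5, max_bytes=512, max_jitter=0.2):
    """Return {customer_ip: [reason, ...]} for a track-and-alert workflow; never blocks.

    Heuristic 1: any flow to a known IRC control port.
    Heuristic 2 (port-agnostic): many small flows from one customer to the same
    destination at near-constant intervals, i.e. beacon-like control traffic."""
    by_pair = defaultdict(list)
    for t, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((t, nbytes))
    alerts = defaultdict(list)
    for (src, dst, port), recs in by_pair.items():
        recs.sort()
        times = [t for t, _ in recs]
        if port in IRC_PORTS:
            alerts[src].append(f"IRC control port {port} to {dst} ({len(recs)} flows)")
        if len(recs) < min_flows or max(b for _, b in recs) > max_bytes:
            continue  # control traffic is low-volume: rare or large flows are not beacons
        gaps = [b - a for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if jitter <= max_jitter:
            alerts[src].append(
                f"beacon-like: {len(recs)} small flows to {dst}:{port} every ~{mean(gaps):.0f}s")
    return dict(alerts)


if __name__ == "__main__":
    # Output is an alert queue for the provider to follow up on, not a block list.
    for customer, reasons in beacon_alerts(FLOWS).items():
        print(f"TRACK/ALERT {customer}: " + "; ".join(reasons))
```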
I’m most curious about the second issue. Given what I’ve been reading about the prevalence of bot networks, I would think this would be generating a significant amount of traffic from some service providers. Aren’t they getting negative feedback from upstream service providers and peer providers? Aren’t they getting blacklisted, etc.? Or is no one tying it back? In the case of address-spoofed bot-generated traffic, doing the tie-back would be difficult. But I would assume that much bot-generated traffic uses its real address.