Monday, September 10, 2007

Why can't we manage botnets?

The Storm botnet has been in the news lately ...
Storm botnet - Wikipedia, the free encyclopedia

... The Storm botnet, or Storm worm botnet, is a massive Storm worm driven botnet that is estimated to number in the 1,000,000 to 50,000,000 range of infected computer systems. It is estimated to be more powerful than some of the world's top supercomputers. The botnet, or zombie network, is comprised entirely of computers running Microsoft Windows as their operating system, the only operating system which can be breached by the Storm worm. An estimated 5,000 to 6,000 computers alone are being used just to help propagate and spread the worm; 1.2 billion virus messages have been sent by the botnet including a record 57 million on 22 August 2007 alone.
Wikipedia reports claims that 25% of Windows PCs are part of a botnet. I assume the real number is maybe 5-10%, but of course that's way too many.

I haven't been able to figure out if it's possible to determine which ISP is transmitting botnet packets. I understand it may be hard to track them to the source machine, but if it is possible to track them to the ISP then the obvious next step is to begin decreasing the level of service of packets from responsible ISPs. That would translate to unhappy ISP customers, which would force ISPs to address the problem.

How could ISPs address the problem? I can think of a few obvious things an incented ISP could do:
  1. Discount costs for computers that aren't involved in botnets: machines running Windows 3.1, Windows 95/98, Mac OS Classic and Mac OS X. This would encourage migration to non-participating machines.
  2. Work with antiviral vendors to deliver an XP/Vista solution that alerts an ISP to infection, so they can respond to it.
  3. Develop technologies to track botnet traffic to individual machines and send staff to service them or terminate traffic.
If we incent ISPs to deal with this problem they will. If we don't, they won't. End users also have insufficient incentive to avoid bots (otherwise they'd buy Macs or stop using the net), but they may also lack the capability to manage the problem. So we need to incent the ISPs first, then they'll incent the users and provide solutions.
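The "track it to the ISP" step above is the part that is technically tractable even when the individual machine is not: a source address can be attributed to the network operator that announces its prefix. Here is an added example (not from the post) that takes flows already flagged by some detector, maps each source address to an ISP by longest-prefix match, and ranks ISPs by the number of distinct flagged hosts. The prefix-to-ISP table and the flows are constructed; in practice the table would come from BGP/ASN or WHOIS allocation data.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-ISP table using documentation address space
# (hypothetical allocations, not real ones).
PREFIX_TO_ISP = {
    "198.51.100.0/24": "ExampleNet",
    "198.51.100.128/25": "ExampleNet Cable",  # more specific, wins over the /24
    "203.0.113.0/24": "SampleTel",
    "192.0.2.0/24": "TestCom",
}

def build_table(mapping):
    """Parse prefixes once and order them longest-prefix first."""
    nets = [(ipaddress.ip_network(p), isp) for p, isp in mapping.items()]
    nets.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return nets

def lookup_isp(table, ip):
    """Longest-prefix match of a source address; 'unknown' if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, isp in table:
        if addr in net:
            return isp
    return "unknown"

def attribute_flagged_hosts(table, flow_records):
    """Count distinct flagged source hosts per ISP.
    flow_records: iterable of (src_ip, flagged_by_detector)."""
    hosts = defaultdict(set)
    for src, flagged in flow_records:
        if flagged:
            hosts[lookup_isp(table, src)].add(src)
    return {isp: len(s) for isp, s in hosts.items()}

def rank_isps(counts):
    """Return (isp, hosts, share_of_all_flagged_hosts), most hosts first."""
    total = sum(counts.values())
    return sorted(((isp, n, n / total) for isp, n in counts.items()),
                  key=lambda t: t[1], reverse=True)

TABLE = build_table(PREFIX_TO_ISP)

# Constructed sample flows: (source IP, flagged as bot traffic by a detector)
SAMPLE_FLOWS = [
    ("198.51.100.10", True), ("198.51.100.10", True),   # same host seen twice
    ("198.51.100.200", True),                           # inside the /25
    ("203.0.113.5", True), ("203.0.113.6", True), ("203.0.113.7", False),
    ("192.0.2.9", False),
    ("100.64.0.1", True),                               # no covering prefix
]

if __name__ == "__main__":
    for isp, n, share in rank_isps(attribute_flagged_hosts(TABLE, SAMPLE_FLOWS)):
        print(f"{isp:18s} {n:3d} flagged hosts  ({share:.0%})")
```

Counting distinct hosts rather than packets keeps one chatty bot from inflating an ISP's score; the share column is the kind of figure a per-ISP service policy would be keyed on.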

Update: clarified last sentence.
