Detecting Botnets in Service Provider Networks: The Impact of CSRIC's U.S. Anti-Bot Code of Conduct

By TMCnet Special Guest
Gunter Ollmann
  |  September 06, 2012

This article originally appeared in the Sept. 2012 issue of INTERNET TELEPHONY

In March of this year, the Communications Security, Reliability and Interoperability Council Working Group 7 accepted the first of three reports containing recommendations to the FCC (News - Alert) titled "U.S. Anti-Bot Code of Conduct for ISPs." The report – simply referred to as the "ABCs for ISPs" – describes the methodologies and motivations for ISPs in addressing bot activity in broadband networks.

The CSRIC tasked WG7, Botnet Remediation, with proposing a set of voluntary practices that could serve as the framework for an opt-in model in which ISPs and other broadband providers could help mitigate bots and botnets within residential networks. The working group itself consisted of key technology experts and representatives from major U.S. ISPs, telecommunication companies, financial institutes and security vendors, and was chaired by Michael O'Reirdan (who also serves as chairman of the Messaging, Malware, Mobile Anti-abuse Working Group). I was fortunate enough to be selected as a member of WG7 and was able to provide my experience in devising ways to combat botnets and the criminals that control them.

You'll note that there's a distinction between bots and botnets. Bots are effectively the victim devices that have had malicious software installed on them to perpetuate crime, and which periodically connect back to a criminal's command infrastructure, seeking new instructions or the opportunities to hand over stolen information. A botnet is the aggregation of many bots affiliated with a specific criminal Internet infrastructure. It is typically managed remotely by criminals as a collective unit. In this day and age, there are literally thousands of criminal groups who own, operate and build their own botnets. Each criminal may control multiple botnets, each of which may include many millions of bot infected devices from around the world.

The goals of WG7 are lofty – to create a voluntary code of conduct through which ISPs can take a leading role in combating the largest and most insidious threat facing all of us who access the Internet in some form or fashion, and to develop a set of guidelines that ISPs can follow and expand upon, and remediate bots and botnets.

To achieve these lofty goals, the Botnet Remediation working group, after several months of review, consultation and discussion, developed a code of conduct that encourages ISPs to participate in activities in support of end user education to help prevent bot infections, detection of bots operating within their subscriber networks, notification practices for potential bot infections, best practices in remediating bot infections, and collaboration and data sharing from those participating in the code. However, the code was not envisaged to be an all-inclusive approach to online security, or to act as a technical implementation document.

At its heart, the voluntary code of conduct encourages ISPs to engage in at least one activity in each of the following five areas:

education – to help increase end user education and awareness of botnet issues and how to prevent bot infections;

detection – to identify botnet activity in the ISP's network, obtain information on botnet activity in the ISP's network, or enable end users to self-determine potential bot infections on their end-user devices;

notification – to notify customers of suspected bot infection or enable customers to determine if they may be infected by a bot;

remediation – to provide information to end users about how they can remediate bot infections, or to assist end users in remediating bot infections; and

collaboration ­ to share with other ISPs feedback and experience learned from the participating ISP's code activities.

While the code itself goes into some discussion on each of these activity areas, the recommendations are not detailed in a technical manner (intentionally). Take for example the recommendations for detection. In that section of the code, three broad methods are listed:

receiving notifications from external entities, particularly those designed to aid with the overall understanding and real-time dissemination of bot related data; deploying capabilities within their networks that aid in identifying potential bot infections; and directing customers to tools, a web portal or other resources that enable customers to self-identify a potential bot infection.

ISPs will need to conduct their own research in each of these methods and decide which best fit their business. That said, I believe that many large ISPs have already pursued tools or processes related to these three methods, and have likely had some limited experience in their success.

I believe that a critical part of combating the global botnet wave of crime lies in ISP-level detection and notification.

From a detection perspective, receiving notifications from external entities of bot infections within your subscriber network isn't really a scalable solution. The reliance upon other entities to pass infection information back to the ISP in an efficient and encompassing fashion is fraught with problems, not to mention the cost. Botnet monitoring through sinkhole and other active monitoring technologies does not come for free, and over recent years, an entirely new industry has sprung up to monetize this kind of information-gathering platform. It is likely that charges for these kinds of service will continue to increase.

Directing customers to tools and web portals for self-help diagnostics is likely a minimal cost route for many ISPs. However, it is unlikely to make much of an impact in the overall botnet problem. Time and again we have seen that the sophistication of the criminals tasked with infecting devices and building botnets far exceeds that of the victims. In many cases, the victims are tricked into thinking that they're actually helping to mitigate the threat by installing specialist detection and remediation tools, when in reality they end up installing the malicious agents they were so desperately looking to avoid.

The most impactful detection route lies with the ISPs being capable of detecting botnets within their own network – ideally using passive detection technologies that do not require invasive data inspection techniques. While deep packet inspection technologies perform extremely well in the corporate world for detection bot infected devices within their private networks, it is often not palatable for many ISPs (without first gaining permission of their customers). Instead, domain name system-based detection approaches have come to the fore. Passive monitoring at the DNS level strikes the balance between customer privacy and detection fidelity. As customers attempt to resolve and connect to the criminals’ command and control infrastructure, it becomes possible to identify victim devices based upon the reputation of the domain names being resolved and, from that, provide a level of attribution to known criminal operators.

These passive detection approaches also allow ISPs to measure the size of particular botnets operating within their network, the rate they are growing or shrinking, tune alert and remediation advice to the victims and, last but not least, measure which alerting and remediation strategies are working best for their customers.

While the "ABCs for ISPs" report supports ISPs and other broadband providers in designing their anti-botnet strategies, it is just the first deliverable of what WG7 was tasked with. Later this year, the working group will publish a report covering "Barriers to Code Participation" and "Bot Remediation Performance Metrics".

That last report, Bot Remediation Performance Metrics, due in December, will be very important as it will define the ways in which both the code-participating ISPs specifically, and the Internet community generally, can measure success in combating bot-driven crime. Without an agreed upon and adequate frame of reference and the measurement practices to monitor it, how will ISPs know whether their anti-botnet strategies are succeeding? And, just as importantly, as a consumer who can select services from multiple Internet service providers, which ISP is going to offer me the best protection against those online criminals who are continuously targeting me?


Gunter Ollmann is vice president of research at Damballa Inc. (

Edited by Stefania Viscusi