Sunday, January 30, 2011

DISAN: a proposed framework for botnet mitigation

With the limited experience I gained from botnet detection and notification last year, I am going to propose a botnet mitigation framework here, in the hope of addressing the botnet threat we currently face. While it still sounds like a very serious problem today, in reality botnets have shrunk quite a bit, as is evident from the global spam drop observed in the second half of 2010. So the framework I am proposing is meant to reinforce what has already been done right.

The primary objective of this framework will be to find out the locations of botnets (that is, their IP addresses), and subsequently notify the unknowing victims. The framework will comprise three parts: detection, information sharing, and notification. Let's just call it "DISAN." The "A" from the word "and" is kept for ease of pronunciation.

The keyword for the detection part is "diversity," which mainly applies to how and where (in the cyber world) to detect botnets. Most detection methods work by monitoring the various abnormal network behaviors that botnets exhibit, like sending spam, DDoS, etc. Different monitoring mechanisms are going to uncover different botnets, so it is necessary to diversify the detection approaches. As botnets are not evenly distributed across the Internet, it is also better to scatter the detection systems around the globe as widely as possible. Various VPS offerings can help us achieve that.

The keyword for the information sharing part is "trust." Detection is not needed if you can get information about botnets from somebody else. But if you don't trust them, the information will be of doubtful use to you. Likewise, if the information providers don't trust you, they might be reluctant to share with you the IP addresses of botnets, which are potentially vulnerable computers. So it would be better if information providers and recipients belong to an existing structure (such as working groups or task forces) and already have mutual trust among them.

The keyword for the last part, notification, is "awareness." The only reason botnets are such a formidable threat today is that the victims do not know their computers have been compromised. As time goes by, botnet herders inevitably accumulate many zombie computers waiting for their commands. Without the victims cleaning the computers and fixing the vulnerabilities, efforts like taking C&C servers offline are futile, as I pointed out in my previous post. So to successfully solve the botnet problem, whenever botnets are detected, the victims should be notified as soon as possible (daily notification would be good). Doing this would also raise their awareness of cyber security.

To comply with the spirit of environmentally friendly computing, I will try to utilize as many existing structures and organizations as possible in the proposed framework.

Who is well equipped for the detection of botnets? The first that came to mind is security companies like Symantec and Commtouch, which regularly release reports on the trend of spam and botnets, and seem able to detect lots of zombie computers daily. If they are willing to share their findings, that would be great. Another possibility is the three anti-botnet efforts I know of at the national level: the Australian Internet Security Initiative, Japan's Cyber Clean Center, and Germany's Anti-Botnet-Advisory Centre. Their primary focus is of course to reduce the number of bots within their own countries, but I believe they also discover many foreign bots in the process.

Plenty of existing structures can be used to facilitate information sharing. FIRST (Forum of Incident Response and Security Teams) is a good one for global information sharing. Regional forums like APEC are also suitable for information sharing (through the APEC TEL working group) within the Asia-Pacific region. Meridian, a CIIP-focused forum, is yet another possibility.

Notification, which is essential to the success of any botnet mitigation effort, often has to be performed by the ISPs. So of course ISPs will also be involved in information sharing, at least as recipients. The only thing I want to add about botnet notification is: never forget that the owners of those malware-infected computers are victims. It might be better to make them aware of the incident in a soft, caring way.
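To make the three parts concrete, here is a small added model of the DISAN flow (my illustration, not code from any of the organizations named above): sightings arrive from several sensor types (diversity), are merged into one record per IP with a confidence that rises when independent sensors agree (the shared data set), and are then grouped by the ISP responsible for the address into daily batches (notification). All sensor records, sensor names, and the netblock-to-ISP mapping are constructed for the example; a real deployment would derive the responsible network from RIR/WHOIS data.

```python
"""Minimal model of the DISAN pipeline: detect (diverse sensors), share
(merge sightings), notify (daily per-ISP batches). Added illustration;
every record and netblock below is constructed, not real data."""
from collections import defaultdict
import ipaddress

# Constructed sensor feeds. Each record: (sensor, observed_date, ip, behaviour).
# Two different sensor types deliberately see different hosts (diversity).
SIGHTINGS = [
    ("spamtrap-eu", "2011-01-29", "198.51.100.23", "spam"),
    ("spamtrap-eu", "2011-01-29", "198.51.100.77", "spam"),
    ("ddos-sensor-ap", "2011-01-29", "198.51.100.23", "syn-flood"),
    ("ddos-sensor-ap", "2011-01-29", "203.0.113.9", "syn-flood"),
    ("spamtrap-us", "2011-01-30", "203.0.113.9", "spam"),
    ("spamtrap-us", "2011-01-30", "192.0.2.250", "spam"),  # no responsible ISP known
]

# Constructed mapping of netblocks to the ISP able to reach the victim.
ISP_NETBLOCKS = {
    ipaddress.ip_network("198.51.100.0/24"): "isp-a",
    ipaddress.ip_network("203.0.113.0/24"): "isp-b",
}


def responsible_isp(ip_str):
    """Return the ISP responsible for an IP, or None if unknown."""
    ip = ipaddress.ip_address(ip_str)
    for net, isp in ISP_NETBLOCKS.items():
        if ip in net:
            return isp
    return None


def merge_sightings(sightings):
    """Sharing step: collapse raw sightings into one record per IP, keeping
    which independent sensors saw it and which behaviours were observed.
    A host reported by more than one sensor earns higher confidence."""
    merged = {}
    for sensor, day, ip, behaviour in sightings:
        rec = merged.setdefault(
            ip, {"sensors": set(), "behaviours": set(), "last_seen": day})
        rec["sensors"].add(sensor)
        rec["behaviours"].add(behaviour)
        rec["last_seen"] = max(rec["last_seen"], day)  # ISO dates sort as strings
    for rec in merged.values():
        rec["confidence"] = "high" if len(rec["sensors"]) > 1 else "medium"
    return merged


def daily_notifications(merged, day):
    """Notification step: for one day, group hosts last seen that day by the
    responsible ISP. Hosts with no known ISP are returned separately so that
    they are not silently dropped from the daily run."""
    batches = defaultdict(list)
    unattributed = []
    for ip, rec in sorted(merged.items()):
        if rec["last_seen"] != day:
            continue
        entry = {"ip": ip,
                 "behaviours": sorted(rec["behaviours"]),
                 "confidence": rec["confidence"]}
        isp = responsible_isp(ip)
        if isp is None:
            unattributed.append(entry)
        else:
            batches[isp].append(entry)
    return dict(batches), unattributed


if __name__ == "__main__":
    merged = merge_sightings(SIGHTINGS)
    batches, unattributed = daily_notifications(merged, "2011-01-30")
    for isp, entries in batches.items():
        print(isp, entries)
    print("no responsible ISP found:", unattributed)
```

The "unattributed" list is the part a practitioner should watch: every address that cannot be mapped to a party who can actually contact the victim is a notification that never happens, which is exactly the gap the framework is meant to close.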

Botnets and spam have shown a falling trend since the second half of 2010. I believe that in 2011 this trend will continue, so long as some effort is focused on detecting the botnets and notifying the victims.
