Friday, August 18, 2006

Is it worth shutting down botnet controllers?

Gadi Evron has now suggested, following Paul Vixie, that it's a waste of time to fight botnets by shutting down botnet controllers. Here's what I wrote to some colleagues when I read Vixie's statement that stomping out botnets is not only a waste of time, but counter-productive because it causes botherders to change their behavior and find new malicious techniques:

1. If you don't stomp them they are *still* going to develop new ways of doing things as a result of internal competition. It may happen more slowly, but it will still happen. There's no getting around an arms race. Even taking his analogy seriously, he wouldn't recommend that we stop using antibiotics.

2. Waiting on law enforcement to start effectively prosecuting will take a long time, and I don't think I'll be happy with what it will take for them to do it (I'm already unhappy with the new CALEA draft bill that's circulating). Criminal prosecution will likely never target more than a minority of offenders--mostly the high-profile cases.

3. Taking action raises their costs, which applies more broadly the same economic effect as prosecution does in a narrower and stronger manner. Again, if we take the antibiotic analogy seriously, a diversity of approaches is better than relying on a single approach.

4. Our experience seems to indicate a drop in botnet controller activity when we hit them consistently. If the bulk of miscreants follow the path of least resistance, putting up a fight will tend to push them to environs where people aren't putting up a fight.

Shutting down botnet controllers does have positive effects--and it's much quicker and more reliable than law enforcement prosecution. I think a diversity of defensive actions is important, and we need to continue developing more of them--as I said above, it is a continuing arms race.

Richard Bejtlich has also commented on this subject at his TaoSecurity blog, and there's some good discussion in the comments. David Bianco has offered a suggestion at the InfoSecPotpourri blog. Bianco's suggestion is to modify the botnet C&C traffic, which in order to be most effective would have to occur at either large consumer ISPs (where 99+% of the bots are located) or at a small number of high-volume, low-cost webhosting companies (where 75+% of the botnet controllers are located).

There are a number of approaches that are being developed, which I won't describe in any detail here, but I agree that new approaches need to go more strongly after the bots themselves rather than just the botnet controllers. Those approaches need to use Netflow, and they need to use DNS. We also need to provide incentives for consumers with old, unpatched, vulnerable systems to protect themselves and to be protected by their ISPs--that's where the biggest bang for the buck will occur.
