Martin McKeay

Security Matters

Should your ISP protect you from yourself?

Cox Communications has been attempting to help their customers by routing traffic destined for botnet-controlled IRC servers to their own IRC servers. Many, if not most, of today's bots use IRC channels to let botnet owners control infected computers, a fact Cox is trying to turn to their customers' advantage: using DNS tricks, they send requests destined for these control channels to servers Cox runs itself. The Cox-controlled IRC server then tries a number of commands to get the bot to uninstall itself. Even if this doesn't work, the fact that the bot running on a home system is connecting to Cox's IRC server rather than the bot herder's means the bot never receives commands from the real IRC channel, effectively rendering it useless to the bot herder.

This is a slippery slope for Cox, but I'm not sure I completely disagree with it. While this sort of redirection can break a botnet, these botnets often use channels on legitimate IRC servers for their control channels. So when someone tries to connect to a legitimate channel on one of those servers, they're effectively cut off by the fake DNS information. This probably doesn't affect the majority of Cox's customers, but professionals who rely on these IRC channels for communicating with their peers can be severely affected.
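To make the mechanics concrete, here is an added example (not Cox's code, and not part of the original post) modelling both halves of the scheme: the resolver-side policy that rewrites answers for blocklisted hostnames to a sinkhole address, and the sinkhole-side triage an operator would run on its connection log. It also shows the collateral damage described above: the policy can only match a hostname, never an IRC channel, so every client of a listed server is redirected. All hostnames, addresses and log lines are constructed for the example; the beaconing heuristic is an assumption, not a description of what Cox did.

```python
"""DNS sinkhole policy plus sinkhole-side triage (constructed example).

Two halves of the scheme described above:
  1. resolver side: answers for hostnames on a C&C blocklist are rewritten
     to point at a sinkhole address;
  2. sinkhole side: the operator looks at who connected, and how regularly,
     to tell a beaconing bot from a person who just wanted to chat.
Names, addresses and log lines below are all made up for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SINKHOLE_IP = "192.0.2.10"          # documentation range, constructed
BLOCKLIST = {"irc.example.net", "cnc.example.org"}   # hypothetical C&C hosts


def resolve(qname, blocklist=BLOCKLIST, upstream=None):
    """Return (answer, action) as a policy-rewriting resolver would.

    The policy matches a hostname and every label beneath it, and nothing
    finer: DNS never sees the IRC channel, so every client of a listed host
    is redirected, bot or not.  That is the collateral damage the post
    describes.
    """
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return SINKHOLE_IP, "sinkholed"
    return (upstream or {}).get(name, "NXDOMAIN"), "forwarded"


@dataclass
class Join:
    client: str
    ts: datetime
    nick: str
    channel: str


# Constructed sinkhole log: "<iso-time> <client-ip> NICK <nick> JOIN <channel>"
SINKHOLE_LOG = """
2005-09-01T10:00:00 198.51.100.7  NICK xbot-4f21 JOIN #b0t
2005-09-01T10:03:17 198.51.100.23 NICK alice     JOIN #linux-help
2005-09-01T10:05:02 198.51.100.7  NICK xbot-4f21 JOIN #b0t
2005-09-01T10:10:01 198.51.100.7  NICK xbot-4f21 JOIN #b0t
2005-09-01T10:15:00 198.51.100.7  NICK xbot-4f21 JOIN #b0t
2005-09-01T13:42:09 198.51.100.23 NICK alice     JOIN #linux-help
"""


def parse_log(text):
    """Parse the constructed log format into Join records."""
    joins = []
    for line in text.strip().splitlines():
        ts, client, _, nick, _, channel = line.split()
        joins.append(Join(client, datetime.fromisoformat(ts), nick, channel))
    return joins


def classify(joins, min_hits=3, max_jitter=timedelta(seconds=30)):
    """Label each client by how it reached the sinkhole.

    'beaconing':  at least min_hits joins at a near-constant interval, the
                  signature of a bot polling its control channel;
    'repeat':     at least min_hits joins, but irregularly spaced;
    'occasional': too few joins to say anything.
    Only 'beaconing' clients would merit an abuse notice to the subscriber.
    """
    stamps = defaultdict(list)
    for j in joins:
        stamps[j.client].append(j.ts)
    verdict = {}
    for client, ts in stamps.items():
        ts.sort()
        if len(ts) < min_hits:
            verdict[client] = "occasional"
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        regular = max(gaps) - min(gaps) <= max_jitter
        verdict[client] = "beaconing" if regular else "repeat"
    return verdict


if __name__ == "__main__":
    for q in ("irc.example.net", "chat.irc.example.net", "www.example.com"):
        print(q, "->", resolve(q, upstream={"www.example.com": "203.0.113.5"}))
    for client, label in classify(parse_log(SINKHOLE_LOG)).items():
        print(client, label)
```

Note that `alice` is redirected exactly as the bot is, even though her two joins look nothing like a bot; the only thing the resolver side can discriminate on is the hostname. The triage step is where an operator could avoid punishing her, by acting only on clients that beacon, rather than on everyone who resolved the name.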

My real concern is: where does this end? How much responsibility does an ISP need to take for the traffic from a home system? Traditionally, most ISPs are not much more than a conduit to the Internet. By taking the steps necessary to block and clean up botnets on home computers, the ISP is taking a much greater role in the security of those systems. Will ISPs continue down this path, pushing additional security measures, or will they be content with this level of control?

As long as ISPs are just acting on traffic traversing their networks, I think they're clearly acting within their rights. But sending traffic back to your computer that attempts to remove the bot starts into a gray area. The next logical step would be to push anti-virus software to the computer. While this might be effective, it blurs the line of responsibility for the ISP.

What People Are Saying

Where do they get the C&C info?

I've noticed a number of ISPs following this line of enforcement. I have nothing against it so long as the C&C infrastructure information they have is accurate.

Where are they getting these blacklisted C&C servers? Are these servers "all bad" or hijacked channels on legitimate servers? What about non-IRC C&C? Wondering if the ISPs are detecting C&C traffic themselves or just getting the research from elsewhere?

Jack

I cannot agree with what Cox

I cannot agree with what Cox is reported to be doing. It is known that the large ISPs wish to control the Internet, as highlighted by the Net Neutrality debate. This appears to be a step in that direction, though hidden under the guise of altruistic efforts to protect the users from themselves.

I do believe, however, that they have a couple of paths to follow. As mentioned in an earlier post, they could follow the example of AOL and offer free protection to the users, or even offer it on a subscription basis, with a small fee added to the bill each month as Verizon does, though I think Verizon is overpricing the service, since I can get the same or similar suites of products for less per year.

Should they take that route, they could go, I think, a step further and require that their customers maintain up-to-date A/V and firewall products to be able to connect to their network. While this would probably step on some toes, I do not believe that this would be construed as being illegal, just a clause in a contract requiring it for use of the service.

Currently, if they detect a user who has an infected machine as determined from the type of traffic and, often enough, the destination, they can disconnect the user until the problem is resolved. I am sure that their current contract allows this. Then the burden is placed where it belongs, on the user, to clean up the offending machine or machines. If the user needs to seek out professional help for this, so be it.

Blocking ports, as mentioned in an earlier post, is not a viable option. There are legitimate uses for any port, and this could kill off those legitimate uses, as well as the user base. Those who write malware would then gravitate to ports that cannot be blocked, such as port 80, so they can communicate with their malware. Then where would we be?

Given that ISPs have a tendency to oversubscribe their lines, and given that they only have so much bandwidth to use, it is in their own self-interest to find a way to limit traffic that may be considered as not legitimate. The way Cox is handling it is, I think, overstepping the bounds given other options that are available to them; however, from their perspective, it is probably the most cost effective.

There is one major key point

There is one major key point this article does not make clear: this was not an effective redirection of *only* infected traffic heading *only* to bot command and control centers. This was any Cox customer (infected or not, on Windows, Linux or Mac), that happened to want to use IRC and connect to a certain network/server. The server has a policy against botnets and does not tolerate abuse. If you wanted to, say, chat with your friends on irc.ablenet.org, and you were on Cox, you would find yourself forcefully redirected to Cox's fake server.

Additionally, their "removal tool" was nothing more than a bot in the auto-join channel there issuing bot-level commands to the infection Cox assumed you had. This denied legitimate, non-infected users from using IRC. Cox should be ashamed of themselves.

The one who runs the IRC network pleads for help on the FD list:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

While the botnets are

While the botnets are hampering the bandwidth of this user and others, I don't think it is the responsibility of the ISP to come into my computer and fix my problems. If they have a program that monitors this type of activity, isn't it better and safer to match the IP to the user and send off a snail/e-mail noting the problem? Then I as a good netizen have the responsibility to clean up my system. I would find it VERY intrusive and borderline illegal for the ISP to invade my computer even to remove malware.

That being said, I can understand an ISP shutting off certain ports for an individual if the abuse of the bandwidth continues after the warning.

I am going to make an

I am going to make an educated guess that the Cox botnet removal tool is not going to go looking at machines that periodically attempt to access IRC, but the ones that are out there hitting the same channel time and time again (known ones that they are looking at). Borderline illegal, probably.

"Joe user" will probably never know that they are doing this. Couple that with their other alternative - shutting down access from his machine (they have done this to people I know) and Joe gets upset. Joe does not know how to clean up his own machine.

While you and I find this very intrusive, they have to weigh the individual objectives versus the objectives of the masses. The masses will have no clue that they have a bot and even less of a clue on how to fix it.

Unfortunately, with the way the botnet community is, there is no black and white way to combat this (and don't tell me education is) besides pulling the plug and never connecting to the Internet. Every way to combat this has some sort of gray area. Port blocking, IP address blocking, blocking individual homes, redirecting IRC traffic (DNS poisoning in effect), etc. ... gray, gray, gray.

Instead of complaining about it, maybe you should DO something about it. I know that I do not have a good answer for the problem yet.

The fact that the ignorant

The fact that the ignorant home user is not able to manage their own systems should not cost the ISP additional money for the useless bandwidth consumed.

AOL figured out part of that when they offered free virus protection and spyware protection and packaged it as an altruistic move for their users, when in fact, it was probably a decision used to lower their bandwidth costs.

Definitely a slippery slope, but one day the ignorant home user's endless consumption of bandwidth for botnets may lead to ISPs using metered service to bill bandwidth usage, so that the pain of the spyware hits where it should, at the user.

Will we see user agreements with the ISPs that allow the ISP to automatically attempt to clean your computer or disconnect you if they see virus/spyware traffic from your computer? Only time will tell.