Thursday, September 17, 2009

IETF Draft: Remediation of Bots in ISP Networks

The IETF has released a new draft giving ISPs recommendations for the detection, notification and remediation of bots on their networks. It is time for ISPs to take action and accept responsibility for cleaning the pipes. Only enforcement at the national level will make this happen; otherwise it is left to each ISP to decide, and many will not bother!

Detection techniques:
- netflow, and anomaly detection
- Data sharing with third parties, such as blocklisting services and data clearing houses
- DNS-based techniques
- Sinkholing or honeynets
- Scanning users' hosts for vulnerabilities (questionable!)
- User complaints
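To make three of the listed techniques concrete (netflow records matched against a block list, contact with a sinkhole, and a DNS-based anomaly), here is a small detector added for this post; it is not code from the draft or from any ISP. The block-list and sinkhole addresses, the sample flow and resolver records, and the NXDOMAIN threshold are all constructed assumptions, chosen only to exercise the logic.

```python
"""Added example: toy bot detector over constructed netflow and DNS log lines.

Implements three of the draft's detection ideas: flows to a blocklisted C2
address, flows to an ISP-operated sinkhole, and a per-client NXDOMAIN count
as a crude signal for domain-generation-algorithm (DGA) bots.
"""
from collections import Counter, defaultdict

# Constructed feeds (RFC 5737 documentation addresses, not real intelligence).
BLOCKLIST_C2 = {"203.0.113.5"}     # assumption: C2 address from a blocklist feed
SINKHOLE_IPS = {"198.51.100.7"}    # assumption: sinkhole for a seized C2 domain

# Constructed NetFlow-style records: src_ip dst_ip dst_port bytes
NETFLOW_LINES = """\
10.0.0.1 93.184.216.34 443 5400
10.0.0.2 203.0.113.5 6667 312
10.0.0.2 203.0.113.5 6667 288
10.0.0.3 198.51.100.7 80 120
10.0.0.1 93.184.216.34 443 9100
""".splitlines()

# Constructed resolver log: client_ip qname rcode
DNS_LINES = """\
10.0.0.1 example.com NOERROR
10.0.0.4 kqzpa.info NXDOMAIN
10.0.0.4 wmlrt.info NXDOMAIN
10.0.0.4 zxcvq.info NXDOMAIN
10.0.0.4 pqowe.info NXDOMAIN
10.0.0.4 update.example.net NOERROR
10.0.0.1 missing.example.com NXDOMAIN
""".splitlines()

# Assumption: tune per network; one typo should not flag a customer,
# while a DGA bot produces dozens of failed lookups per cycle.
NXDOMAIN_THRESHOLD = 3


def parse_netflow(lines):
    """Parse 'src dst port bytes' records, skipping blank or malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        try:
            flows.append((src, dst, int(port), int(nbytes)))
        except ValueError:
            continue
    return flows


def parse_dns(lines):
    """Parse 'client qname rcode' records, skipping malformed lines."""
    return [tuple(p) for p in (line.split() for line in lines) if len(p) == 3]


def flag_flows(flows):
    """Block-list and sinkhole matching: {src_ip: set of reasons}."""
    reasons = defaultdict(set)
    for src, dst, port, _ in flows:
        if dst in BLOCKLIST_C2:
            reasons[src].add(f"contacted blocklisted C2 {dst}:{port}")
        if dst in SINKHOLE_IPS:
            reasons[src].add(f"contacted sinkhole {dst}")
    return reasons


def flag_dns(records, threshold=NXDOMAIN_THRESHOLD):
    """Clients whose NXDOMAIN count reaches the threshold: {client: count}."""
    nx = Counter(client for client, _, rcode in records if rcode == "NXDOMAIN")
    return {client: n for client, n in nx.items() if n >= threshold}


def detect(flow_lines=NETFLOW_LINES, dns_lines=DNS_LINES):
    """Merge the detectors into one report: {customer_ip: sorted reasons}."""
    report = defaultdict(set)
    for ip, rs in flag_flows(parse_netflow(flow_lines)).items():
        report[ip] |= rs
    for ip, n in flag_dns(parse_dns(dns_lines)).items():
        report[ip].add(f"{n} NXDOMAIN responses (possible DGA)")
    return {ip: sorted(rs) for ip, rs in sorted(report.items())}


if __name__ == "__main__":
    for ip, reasons in detect().items():
        print(ip, "->", "; ".join(reasons))
```

On the sample data the sinkhole and block-list hits are high-confidence (10.0.0.3 and 10.0.0.2), while the NXDOMAIN count on 10.0.0.4 is only a lead to correlate with other evidence. In a real ISP deployment the source address still has to be tied to a subscriber through DHCP or NAT logs at the time of the flow, which is where most of the operational pain lies.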

Notification methods:
- email
- postal mail (bad suggestion)
- phone call (another bad suggestion)
- Quarantine the user
- Instant message notification (one more bad idea)
- Web browser notification, with no quarantine

Remediation techniques:
- Provide tools and education so the user can perform the remediation himself (the draft gives good examples)

Dutch ISPs have signed a joint agreement to eradicate botnets; check the details.

Comcast in the USA is implementing a pop-up notification system to warn users whose machines are infected.

