1&1, Gamballa, botnets, and quantitative internet security research  28.10.10

As mentioned the other day, security provider Gamballa released a study stating that some 11% of global botnet command-and-control (C&C) servers were hosted by 1&1 Internet AG. Heise, presumably Germany’s most influential IT news portal, ran the story, mostly citing the findings of the study. 1&1 was not amused by the journalistic performance. The flaws (de) in Gamballa’s study were quickly uncovered by Thorsten Kraft of 1&1‘s Anti-Abuse team, which is closely linked to the consumer-focussed German Anti-Botnet advisory centre. Heise released another article explaining the flaws in the Gamballa report, and Gamballa has rightly taken its analysis down. The underlying lapse, according to the reports linked above, was that Gamballa had allegedly counted both ordinary, non-infected infrastructure servers and sinkhole and honeypot machines as C&C servers. A sinkhole answers for a botnet’s domain precisely because researchers or an abuse team took it over, so attributing it to the hosting provider as live C&C inflates that provider’s count.


Microsoft’s Zink on whether ISPs should cut off infected users  26.10.10

Terry Zink, Program Manager for Microsoft Forefront Online Security, wants ISPs to play a role similar to the one email security service providers have in mitigating the spam problem.

In my view, ISPs taking action on botted machines is very similar to the problem that we as an outbound mail relay had when we were taking action on customers that were/are sending outbound spam…

For an ISP, if they know which domains a botnet calls home to, then in theory they could tell which IP address is connecting to which botnet URLs. Whenever someone sends a request, either http, ftp, or some other DNS protocol, that attempts to resolve the botnet C&C’s domain, then it is a logical assumption that the machine behind the IP address is part of a botnet. …

Obviously, it would be nice to use a finer layer of granularity but that option is not available without deep packet inspection where you can possibly map finer levels of identification.

In short: anti-botnet measures should be taken by ISPs without DPI. Zink does not want to see ISPs filling their data centres with perimeter DPI boxes, a) for privacy reasons and b) for the cost, which would force ISPs to find new revenue models and become, e.g., non-net-neutral.
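Reduced to its core, the DPI-free approach Zink describes is a lookup of the query names seen at the ISP’s resolver against a list of C&C domains. The block below is an added example, not code from Zink, Microsoft or any ISP; the log format, the C&C list and the sinkhole list are constructed assumptions. It also carries the lesson from the 1&1 story above: a client resolving a sinkholed domain is still infected, but the host answering for that name must not be counted as live C&C.

```python
"""Flag ISP subscribers whose resolver queries hit known botnet C&C domains.

Added example, not Terry Zink's or any ISP's code. The log format, the
C&C domain list and the sinkhole list below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed C&C domain list, assumed to come from some shared feed.
CNC_DOMAINS = {"update-svc.example", "cdn-pool.example"}

# Constructed subset of that list that researchers have already sinkholed.
# A client resolving a sinkholed name is still infected, but the host that
# answers for it is a sinkhole, not live C&C; counting it as C&C is the
# mistake that inflated the hosting-provider figures discussed above.
SINKHOLED = {"cdn-pool.example"}

# Constructed resolver log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2010-10-26T10:00:01Z 203.0.113.10 www.example.org A
2010-10-26T10:00:02Z 203.0.113.10 update-svc.example A
2010-10-26T10:00:03Z 203.0.113.11 mail.example.net MX
2010-10-26T10:00:04Z 203.0.113.12 cdn-pool.example A
2010-10-26T10:00:05Z 203.0.113.12 a.update-svc.example A
2010-10-26T10:00:06Z 203.0.113.13 notupdate-svc.example A
"""


def matching_cnc_domain(qname, cnc_domains):
    """Return the listed C&C domain that qname equals or is a subdomain of.

    Matching is done on label boundaries, so 'notupdate-svc.example' does
    NOT match 'update-svc.example' while 'a.update-svc.example' does.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in cnc_domains:
            return candidate
    return None


def parse_line(line):
    """Split one constructed log line; raises ValueError on a bad client IP."""
    ts, client, qname, qtype = line.split()
    return ts, ipaddress.ip_address(client), qname, qtype


def flag_clients(log_text, cnc_domains=CNC_DOMAINS, sinkholed=SINKHOLED):
    """Map each client IP to {cnc_domain: 'live' | 'sinkholed'}.

    Only the query name is inspected, so no payload inspection (DPI) is
    needed; the trade-off is that a single resolution is taken as evidence
    of infection, which is exactly the granularity Zink calls coarse.
    """
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, _ = parse_line(line)
        domain = matching_cnc_domain(qname, cnc_domains)
        if domain is not None:
            hits[str(client)][domain] = "sinkholed" if domain in sinkholed else "live"
    return dict(hits)


if __name__ == "__main__":
    for client, domains in sorted(flag_clients(SAMPLE_LOG).items()):
        print(client, domains)
```

On the constructed log, 203.0.113.10 and 203.0.113.12 are flagged, 203.0.113.11 is not, and 203.0.113.13 is not either, because "notupdate-svc.example" only matches the C&C domain as a substring, not on a label boundary. The live/sinkholed tag is what keeps a client notification list separate from a count of C&C hosts per provider.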

Microsoft isn’t the “internet security industry”, even though their Malicious Software Removal Tool and Security Essentials A/V are among the most widely deployed security tools out there. Microsoft is in the security business above all to get rid of infected Windows machines and to protect the Windows brand. Hence my hunch is that they are rather pragmatic in their choices and would opt for any approach that helps to clean up the bot mess.

I wonder how such a botnet URL database would be operated: who would feed it, who would harvest it, and how it would be governed. Centrally? Commons-based? Commercially? Based on a club model? Botnet URLs are too trivial to serve as the core of commercial security products in the way virus signatures are a core asset for AV software providers. But commercialising security problems isn’t Microsoft’s problem.