Few computer network users and operators appreciate the magnitude of the threat posed by botnets to networks around the world. Botnets are groups of computers, spread around the Internet, that have been infected with “rogue” software that causes them to log in to a central location from where one machine can control all the others. Under the direction of the “command and control server,” the computers can be used to send spam or to launch a distributed denial of service (DDoS) attack.
“Millions of computers on the Internet are compromised in some fashion and, if directed by a malicious botnet, have the combined ability to take down key Internet infrastructure,” says Darren Grabowski, manager of NTT America’s Global IP Network Security and Abuse Team in Dallas. “The compromised machines can also be used for other harmful activities that could cause a severe financial impact,” such as phishing. Grabowski delivered his warning in a white paper, “The Global Pandemic—The Silent Threat,” presented in December at the IEEE Globecom 2008 conference in New Orleans.
What makes botnets a great threat is that when they’re not involved in mischief, they are difficult to detect. They consume very little bandwidth—less than 0.1 percent of the available capacity on a 100-megabyte-per-second Fast Ethernet connection—and so do not cause network issues. That’s why Grabowski refers to them as a silent threat.
WHAT’S TO BE DONE?
Grabowski points out that solutions to the botnet pandemic are simple if—and the if here is big—users and operators of both large and small networks work together. That’s not easy, given their limited budgets and heavy workloads.
“We are not going to rid the Internet of compromised machines. That does not mean the problem should be ignored, or that we can’t mitigate it,” Grabowski says. What can be done, he says, is to decrease botnets’ capability by reducing the number of infected machines. That requires operators of networks of all sizes to monitor their network traffic and remove infected machines.
Tools exist to monitor traffic at relatively low cost. Grabowski recommends setting up a darknet, defined as “a portion of routed, allocated IP space in which no active services or servers reside,” according to Team Cymru’s Darknet Project. (Team Cymru, located in Burr Ridge, Ill., describes itself as a security research firm dedicated to making the Internet more secure.) In other words, a darknet is a piece of address space in which there should be no traffic of any kind. Some packets might be sent into a darknet by mistake—because of a system misconfiguration, for example. But most would be sent by malware, typically scanning for new hosts to infect. Network operators can detect new malware by monitoring and analyzing the statistics of the traffic that does enter the space. Traffic that appears to originate from inside the darknet is an even worse sign, because no legitimate host lives there, and it should set off an alarm.
Darknets make it easier for companies to detect infected computers on their networks, because only a small number of their own computers typically would be sending packets into the designated space. At NTT America, for example, Grabowski found the total number of individual company addresses accessing the darknet varied in one month from a low of one to a high of 18. Such numbers make it easier to identify infected users and notify them.
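The darknet analysis described above, as an added example that is not code from the article or from NTT America or Team Cymru: it reads constructed flow records, counts which internal addresses sent packets into an unused prefix, separates external scanners from internal hosts that need to be notified, and raises an alarm on any flow that claims to originate from the darknet itself. The darknet prefix, internal range and flow lines are all assumptions made up for the example.

```python
import ipaddress
from collections import Counter

# Assumed for this example: a routed but never-assigned /24 serves as the
# darknet, and 10.0.0.0/8 is the organization's own address space.
DARKNET = ipaddress.ip_network("198.51.100.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records, one per line: "src dst proto dport".
SAMPLE_FLOWS = """\
10.1.4.22 198.51.100.7 tcp 445
10.1.4.22 198.51.100.9 tcp 445
10.2.9.5 198.51.100.200 udp 1434
203.0.113.8 198.51.100.33 tcp 22
198.51.100.7 10.1.4.22 tcp 80
10.3.3.3 10.3.3.4 tcp 443
"""


def parse_flows(text):
    """Turn the whitespace-separated records into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)))
    return flows


def analyze(flows):
    """Classify darknet traffic.

    Returns (internal_hits, external_hits, outbound): per-source counts of
    internal and external addresses sending into the darknet, and the list
    of flows whose source lies inside the darknet, which nothing legitimate
    should ever produce.
    """
    internal_hits, external_hits, outbound = Counter(), Counter(), []
    for src, dst, proto, dport in flows:
        if src in DARKNET:
            outbound.append((str(src), str(dst), proto, dport))
        elif dst in DARKNET:
            target = internal_hits if src in INTERNAL else external_hits
            target[str(src)] += 1
    return internal_hits, external_hits, outbound


def hosts_to_notify(internal_hits):
    """Internal addresses that touched the darknet: candidates for an infection notice."""
    return sorted(internal_hits, key=ipaddress.ip_address)
```

In the sample, two internal hosts probing SMB and SQL Server ports would be queued for notification, the external scanner is logged for statistics only, and the single flow sourced from 198.51.100.7 triggers the alarm.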
MONITORING GEAR
Network providers in the United States that have purchased monitoring equipment in order to comply with the Communications Assistance for Law Enforcement Act (CALEA) are in an advantageous position. Such equipment can perform deep-packet inspection, stealth-packet filtering, and many other functions. A network operator could leverage the pattern-matching capabilities of those machines in the hunt for compromised hosts on the network. Even if CALEA compliance is not a concern, network operators might find it beneficial to acquire the gear and thus ease the task of monitoring their networks for harmful activity.
Grabowski emphasizes that the hunt for compromised machines is not limited to network providers. Any organization hooked up to the Internet can watch its traffic and report its findings. Instead of ignoring warnings from an intrusion-detection system, as is often done, operators could arrange for reports to be sent automatically to the owners of the compromised machines. With enough automation, the people responsible for network operations might become willing to spend more time reporting intrusions—just what’s needed if the good guys are to win the botnet wars.