Everyone knows that the Internet is plagued by millions of computers that are infected with malicious software. Many of these are connected through botnets – networks of compromised machines that are under the control of attackers, thereby providing a platform for a whole array of criminal purposes. Beyond profit-driven crime, botnets are also associated with politically motivated attacks.
Botnets are widely seen as one of the most pressing security threats. Policies to fight botnets have predominantly focused on trying to get the owners of the infected machines – typically home or business users – to better protect themselves. While useful, it is clear that these policies alone will not substantially reduce the threat of botnets. Nor will the more recent successes of law enforcement against the criminals behind the botnets.
The focus is now shifting from end users to the Internet Service Providers (ISPs). Since they provide Internet access to the infected machines, they form a natural control point to mitigate the impact of botnets. In several countries, ISPs are now collaborating with governments and the security community to identify and quarantine infected machines in their network.
While this approach seems promising, it is based on three untested assumptions. First, it assumes that ISPs are a critical control point for infected machines. This may seem obvious, but it has never been empirically established what portion of infected machines on the Internet is actually located within the networks of ISPs – as opposed to, say, hosting providers, application service providers, webmail providers, university networks and corporate networks.
The second assumption is that the ISPs who would carry the burden of increased mitigation efforts are also the ones who control the bulk of the problem. We are most familiar with the legitimate ISPs – well-known brands that together possess the bulk of the market share. These organizations are identifiable, reachable and stable enough to be brought into some form of collaboration or under a regulatory regime. Treating ISPs as control points implicitly assumes that the problem exists for the most part within the networks of these providers, not in the margins of the market, which is teeming with large numbers of small ISPs, among which are the so-called ‘rogue ISPs’ that facilitate or at least condone criminal activity. These small ISPs are often short-lived and difficult to survey, let alone reach through collaborative efforts or public regulation. They also typically evade, intentionally or not, the collaborative processes through which collective action is brought about.
The third assumption is that ISPs have discretion over their mitigation efforts. In other words, the incentives under which they operate allow them to increase their efforts. It is not clear to what extent ISPs are constrained by their market and institutional environment in freely determining their own policies in this regard.
Luckily, these assumptions can be empirically tested. The Organization for Economic Co-operation and Development (OECD) has just published a study written by my colleagues Johannes Bauer, Hadi Asghari, Shirin Tabatabaie and myself. It tests these assumptions empirically and also tries to explain why some ISPs perform substantially better than others. (It builds on and extends an earlier paper presented at the recent Workshop on the Economics of Information Security.)
These are some of the highlights:
• The bulk of all infected machines worldwide are located in networks of well-known, legitimate ISPs in the wider OECD – by which we mean the 34 members, plus one “accession candidate” and five “enhanced-engagement” countries. Just 50 ISPs account for around half of all infected machines.
• Botnets in the wider OECD are more or less stable, while other countries are contributing a growing number of infected machines to the overall botnet population.
• Even good ISPs are likely tackling only a fraction of the bots
• The number of customers is the strongest factor influencing the number of infected machines in an ISP network
• ISPs of similar size and operating under similar institutional conditions can have a tenfold difference in the number of infected machines
• Attacks change rapidly, but the performance of ISPs is quite stable over time
• The most-infected ISPs are distributed across the wider OECD and include ISPs of all sizes
• Large ISPs have, on average, fewer infected machines per customer than small ISPs
• Governmental efforts seem to help reduce infection rates at ISPs
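The findings above rest on counting infected machines per network from spam-source data and then normalising by network size. As an added illustration of that measurement approach (example code written for this summary, not the OECD study's own analysis), the script below takes constructed spam-source observations that have already been mapped to an autonomous system number, de-duplicates IPs seen on several days, and computes the quantities the bullets refer to: the share of infected machines sitting in ISP networks versus hosting or university networks, the concentration of infections in the top N networks, and infections per customer. All ASNs (from the documentation range), network names, IP addresses (documentation prefixes) and customer counts are constructed.

```python
"""Counting infected machines per network from spam-source observations.

Added example for this blog summary; it is not the OECD study's code. The
observations and network metadata below are constructed (documentation ASNs
and IP ranges), so the numbers only illustrate the method.
"""
from collections import Counter, defaultdict

# Constructed network metadata: ASN -> (name, network type, customer count).
# Customer counts are only meaningful for access ISPs; None elsewhere.
NETWORKS = {
    64496: ("Example Broadband A", "isp", 2_000_000),
    64497: ("Example Broadband B", "isp", 200_000),
    64498: ("Example Hosting Co", "hosting", None),
    64499: ("Example University", "university", None),
}

# Constructed observations: (day, source IP seen sending spam, ASN the IP
# was routed from that day). One IP may show up on several days.
OBSERVATIONS = [
    ("2010-01-01", "192.0.2.10", 64496),
    ("2010-01-01", "192.0.2.11", 64496),
    ("2010-01-01", "192.0.2.12", 64496),
    ("2010-01-02", "192.0.2.10", 64496),   # repeat of an IP seen on day 1
    ("2010-01-02", "192.0.2.13", 64496),
    ("2010-01-02", "192.0.2.14", 64496),
    ("2010-01-03", "192.0.2.15", 64496),
    ("2010-01-01", "198.51.100.20", 64497),
    ("2010-01-02", "198.51.100.21", 64497),
    ("2010-01-03", "198.51.100.22", 64497),
    ("2010-01-01", "203.0.113.30", 64498),
    ("2010-01-02", "203.0.113.31", 64498),
    ("2010-01-03", "203.0.113.40", 64499),
]


def infected_by_asn(observations):
    """Distinct spam-sending IPs per ASN (each IP counted once per ASN)."""
    seen = defaultdict(set)
    for _day, ip, asn in observations:
        seen[asn].add(ip)
    return {asn: len(ips) for asn, ips in seen.items()}


def share_by_network_type(counts, networks):
    """Fraction of all infected machines per network type (isp, hosting, ...)."""
    total = sum(counts.values())
    by_type = Counter()
    for asn, n in counts.items():
        by_type[networks[asn][1]] += n
    return {kind: n / total for kind, n in by_type.items()}


def top_n_share(counts, n):
    """Fraction of all infected machines located in the n largest networks."""
    ranked = sorted(counts.values(), reverse=True)
    return sum(ranked[:n]) / sum(ranked)


def infections_per_100k_customers(counts, networks):
    """Infected machines per 100,000 customers, ISPs only (size-normalised)."""
    rates = {}
    for asn, (_name, kind, customers) in networks.items():
        if kind == "isp" and customers:
            rates[asn] = counts.get(asn, 0) * 100_000 / customers
    return rates


if __name__ == "__main__":
    counts = infected_by_asn(OBSERVATIONS)
    print("infected machines per ASN:", counts)
    print("share by network type:", share_by_network_type(counts, NETWORKS))
    print("share in top 2 networks:", top_n_share(counts, 2))
    print("per 100k customers:", infections_per_100k_customers(counts, NETWORKS))
```

On the constructed data the two ISPs hold 75% of the infected machines and the smaller ISP shows a five times higher rate per customer, which is the kind of size-normalised comparison behind the "tenfold difference" and "fewer infected machines per customer" bullets. Distinct spam-sending IPs are only a proxy for infected machines: dynamic address churn can make one machine appear as several IPs over time, and NAT can hide several machines behind one, so the counts are best read as relative rankings rather than absolute numbers.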
More details are provided in the full report (PDF, 961KB):
Michel van Eeten, Johannes M. Bauer, Hadi Asghari and Shirin Tabatabaie (2010), The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data (STI Working Paper 2010/5), Paris: OECD.