One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers.

Can ISPs help with Botnets?

Wednesday, June 6, 2012 - 10:29

An interesting talk at the GovCERT.nl Symposium by Michel van Eeten of Delft University. For some time, and in many countries, there have been suggestions that ISPs should be encouraged, perhaps by legislation, to do more to protect other internet users from their customers. Discussion has tended to focus on the possibility of using network flow data to determine which customers' PCs are members of botnets and then to place those customers into some sort of quarantine, with more restricted network access, until they have cleaned their machines (see, for example, the anti-botnet agreement between Dutch ISPs in 2009).

However, given the very large number of ISPs in the world (in discussion of the Digital Economy Act it was suggested that there may be over 400 in the UK alone), it has never been clear whether this approach was likely to be effective. How many ISPs would need to act to significantly reduce the problem? Prof. van Eeten has analysed data from spam traps, Conficker sinkholes and the Dshield distributed monitoring system, covering more than 400 million infected IP addresses, and concludes that these are indeed concentrated in a relatively small number of ISPs: the "top" 50 ISPs contain more than half of these addresses. These ISPs are spread widely across those countries with good Internet connectivity, so actions by single countries seem unlikely to significantly improve the global situation. However, there is wide variation in infection rates (percentage of customers infected) between ISPs in the same country, up to two orders of magnitude in some cases, so it appears that significant improvements could be obtained just by wider implementation of existing good practice.

Any quarantine system has a significant economic difficulty because customers placed in quarantine are likely to need individual help in cleaning their systems. If ISPs have to bear the cost of this support then there will be a strong economic pressure not to inform customers that they have a problem. South Korea has apparently addressed this problem by creating a government-funded support centre that ISPs can direct infected customers to.

The research paper has been published by the OECD's Information Security and Privacy working party so it will be interesting to see how it influences legal, technical and practical developments.

[UPDATE: the report has been picked up by the BBC]

[UPDATE: a further study looking in more detail at ISPs in the Netherlands has also been published]