IETF on Botnet Detection

A bot is a program, maliciously installed on a computer, that allows that computer and thousands of others to be controlled by attackers. Bots are one of the major problems on the Internet, involved in many spam campaigns and distributed denial of service attacks, as well as allowing attackers to read private information from the computer’s disk and keyboard. Some bots even allow cameras and microphones to be monitored by the attacker. Detecting and removing bots is therefore in the interests of both individuals and internet providers. RFC6561 describes the technical issues around detecting and notifying Internet users whose computers may have been infected by a bot, and also highlights the need to take account of legal, economic and reputational issues when doing so.

One of the main problems with bots is that they are now very good at concealing themselves alongside legitimate programs and internet traffic. The RFC notes that

With the introduction of peer-to-peer (P2P) architectures and associated protocols, the use of HTTP and other resilient communication protocols, and the widespread adoption of encryption, bots are considerably more difficult to identify and isolate from typical network usage.  As a result, increased reliance is being placed on anomaly detection and behavioral analysis, both locally and remotely, to identify bots.

Unfortunately neither anomaly detection nor behavioural analysis can be perfect: both may be triggered by legitimate Internet activity that happens to generate patterns that look like those of a bot. This means that any detection and notification process must be aware that some of the computers “detected” will not be in fact be infected. Even for computers that are infected, removing the bot may require more than the average level of technical skill, or involve actions such as deleting and re-installing the operating system that users are not willing or able to do. As an increasing number of devices are connected to the Internet, it seems likely that bots will infect equipment that the user simply cannot disinfect, such as games consoles, set-top boxes or smart meters.

Detecting infected systems also raises significant legal and technical concerns. Since Internet Service Providers know who their customers are, examining their traffic to identify devices that may be infected will involve processing of personal data; detailed inspection of traffic may even come within the scope of Interception law. Such laws may have exemptions for particular actions by network operators, but these are likely to be tightly constrained and require additional privacy protection. Even if the action is lawful, attempts to protect users in this way can be mis-understood - either as unjustified “snooping” or as an attempt to sell security services - resulting in end-users rejecting them.

There are some examples of successful botnet mitigation schemes, and a UK Parliamentary committee has recently called for ISPs to do more in this area. However it’s clear that any scheme needs to be very carefully designed, with input from technical, legal and communications experts.