Call for ISPs to Block Malware-Infected Computers

Posted 17 Sep 2007 at 19:11 UTC by shlomif

This is a call to ISPs to block the Internet-connected computers within their networks that are infected with malware, especially malware that has turned the computer into a zombie machine used to attack, spam or compromise other machines.

It is well known that, due to security holes in operating systems, web browsers and other programs, a computer can be compromised with permanently installed malicious software. Black hat crackers have installed software on many such compromised Internet-connected computers and use them to send spam, perform Distributed Denial of Service (DDoS) attacks, and do other damage. This has become a major burden on the Internet.

The solution is simple: each ISP should block the compromised computers in its network from the inside, so that they cannot connect to other computers. The operators of these computers can then be educated on how best to remove the malware and protect themselves in future.

This idea is not new. I heard it in a presentation I attended, and had come to it by myself before that. But I wish to publicise it, so that it is properly acknowledged and acted upon.

This document is made available under the Creative Commons Attribution 3.0 Licence, copyrighted by Shlomi Fish, 2007.

Great idea, now how about some detection criteria?, posted 17 Sep 2007 at 19:43 UTC by Pizza » (Master)

This idea is only really feasible if automated, but to be automated the ISPs would have to closely monitor outbound traffic from all of their customers, and watch for specific traffic patterns.

But how do you distinguish between legitimate and illegitimate traffic? This is not a simple problem to solve, unfortunately, and every rule-of-thumb has exceptions. (For example, as someone who runs a few mailing lists, I need the ability to send mail to several thousand people many times a day, but that would normally be considered a sign of a spam zombie)

Once they get that traffic monitoring up and running, what's to keep them from reclassifying random other traffic they don't like (eg BitTorrent) as "illegitimate" and blocking your account? (Competition? What's that?)

The beauty of DDOS attacks is that each node sends only a little traffic; it's the sheer number of nodes that make it so formidable. You could perform a DDOS simply by issuing TCP SYN packets, which take almost no bandwidth at all.

Some nodes do it., posted 17 Sep 2007 at 20:32 UTC by nymia » (Master)

This is from experience, upstream nodes do block it. Try sending invalid email names. Your node will be blacklisted.

For valid email names, that's another story.

Yeah, detection criteria is the key, posted 18 Sep 2007 at 05:02 UTC by Omnifarious » (Journeyer)

I run a sort of mini-ISP for all my roommates and the downstairs neighbors. I have various bits of traffic monitoring going, but it's really hard to tell what's evil and what's not. When the downstairs neighbor's computer tries to connect to every port under the sun, is he infected or just running a filesharing program?

I should just ban Windows from my network and offer to install something else for anybody who wants in.

Mmmmyeah, posted 18 Sep 2007 at 07:54 UTC by ingvar » (Master)

There's the tiny little problem of "providing contracted service to paying customers". A well-worded AUP can get around it and way back when, in the dark mists of the early 2000s, I was happily blacklisting dial-up and ADSL users with Code Red, Nimda or Slammer visible, but the traffic analysis needed to proactively block spam was a bit too CPU intensive (we did block IPs that were reported as open relays, though, until we could verify that they had been fixed).

It can be done. It should be done., posted 18 Sep 2007 at 09:11 UTC by redi » (Master)

Some ISPs do it.

Don't most ISP contracts already require that you don't use the network to send spam or to conduct any other illegal activity (such as spreading trojans)? In that case, any compromised machine on the network is already in breach of contract, removing it is the best thing for everyone (see the link above for how one ISP deals with it, and the response from their customers.)

When ISPs take the attitude that it's not their problem, or that they'd upset customers by blocking them, we are in danger of criminals running the world's most powerful supercomputer.

It isn't enough for only ISPs to take action though, there will still be thousands more poorly administered Windows PCs added to the net every day. But unless ISPs start to restrict service to compromised machines the customers will never even know they've been compromised, so there's no incentive for them to do anything about it, and no demand for better approaches to security.

How long do you think Windows would stay popular if people were informed they've been rooted, and their net access was blocked? I think there might be a lot more interest in other systems (probably Macs, until the malware authors targeted it as much as Windows) and Microsoft might one day approach security with the same effort they spend on rhetoric and DRM.

Like I said, a great idea, but what's step two?, posted 18 Sep 2007 at 14:21 UTC by Pizza » (Master)

1) User gets rooted. 2) Somehow detect "illegal" or "inappropriate" activity 3) User gets disconnected.

How is (2) supposed to happen, again? It's a difficult enough problem for individual hosts, to say nothing about applying it across hundreds of hosts.

Right now, when it happens it tends to be complaint-driven, simply because automatic detection requires stateful inspection of *all* traffic emanating from *all* hosts on your network. That's very expensive -- especially if you want it to have no discernible effect on your network throughput -- and it still won't catch entire classes of malware.

It's quite hard to discern intent.

(Now restricting this to SPAM zombies is a much simpler problem; if a host initiates more than, say, 1000 SMTP connections in a 24-hour period, they're not likely legitimate.)

Step 2, posted 19 Sep 2007 at 12:22 UTC by redi » (Master)

Could ISPs keep a list of IP addresses and ports that known malware connects to, either to download more malware or to phone home and report the machine's been owned? Any connections to those addresses would indicate a machine should be quarantined. There would be false positives, and it wouldn't catch everything, but it might be a start.

There are surely better ways, the hard part probably isn't how to do it, but getting ISPs to want to.

Re: Like I said, a great idea, but what's step two?, posted 19 Sep 2007 at 13:54 UTC by fzort » (Journeyer)

(Re: Stateful) It may not be necessary to maintain state. The intrusion detection system Snort does stateless analysis, just looking for suspicious patterns in packets. Here's a technical overview.

Differing definitions of stateful..., posted 19 Sep 2007 at 14:18 UTC by Pizza » (Master)

To quote the referenced document, "Protocol Analysis NIDS developers take the term stateful inspection differently."

What I am referring to is that it isn't sufficient to simply inspect the packets one at a time -- For example, how do you tell the difference between a legit SMTP session and a spammer by simple packet inspection? By "looking for suspicious patterns in packets." The key here is that these packets are otherwise unrelated and occur over a long period of time.

When your rules are time-based, you must maintain state. To match my example rule of "over 1000 SMTP connections in a 24-hour period" you have to keep track of each host's SMTP connections over time; i.e. "state". This adds up quickly.
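The two detection criteria floated in this thread, Pizza's per-host SMTP connection-rate rule over a 24-hour window and redi's lookup against addresses that known malware phones home to, sketched as an added example that is not code from the thread or from any ISP. The flow-log format, the threshold, the allowlist for hosts with a legitimate reason to send bulk mail (the mailing-list case raised earlier) and the indicator addresses are all assumptions constructed for the example; real deployments would take the indicators from a feed and the threshold from measured baselines.

```python
"""
Added example (not from the Advogato thread): a minimal stateful zombie
detector over outbound flow records. Keeps, per source host, the timestamps
of SMTP connections inside a sliding 24-hour window (the "state" the thread
argues is unavoidable for time-based rules) and also flags any connection to
an assumed list of known malware rendezvous addresses.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)
SMTP_THRESHOLD = 1000        # rule of thumb from the thread: >1000 SMTP connections / 24h
SMTP_PORT = 25

# Assumed indicator list: (ip, port) pairs a malware sample phones home to.
# Documentation-range addresses, constructed for this example only.
KNOWN_BAD = {("198.51.100.7", 6667), ("203.0.113.9", 8080)}

# Assumed allowlist: hosts with a legitimate reason to send lots of mail.
ALLOWLIST = {"10.0.0.50"}


class ZombieDetector:
    def __init__(self, threshold=SMTP_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        # per-source-host deque of SMTP connection timestamps; this is the
        # state that grows with the number of customers being watched
        self.smtp_times = defaultdict(deque)
        self.quarantined = {}    # src_ip -> reason

    def observe(self, ts, src, dst, dport):
        """Feed one outbound connection (timestamps must arrive in order per host).
        Returns a reason string if src should be quarantined, else None."""
        if src in self.quarantined:
            return self.quarantined[src]
        if (dst, dport) in KNOWN_BAD:
            return self._quarantine(src, f"connection to known malware address {dst}:{dport}")
        if dport == SMTP_PORT and src not in ALLOWLIST:
            q = self.smtp_times[src]
            q.append(ts)
            # evict timestamps that have fallen out of the sliding window
            while q and ts - q[0] > self.window:
                q.popleft()
            if len(q) > self.threshold:
                return self._quarantine(src, f"{len(q)} SMTP connections within {self.window}")
        return None

    def _quarantine(self, src, reason):
        self.quarantined[src] = reason
        self.smtp_times.pop(src, None)   # stop counting once the host is blocked
        return reason


def parse_flow(line):
    """Parse an assumed flow-log line: '<ISO-8601 time> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def run(lines, threshold=SMTP_THRESHOLD):
    """Replay flow-log lines through the detector; return {src_ip: reason}."""
    det = ZombieDetector(threshold=threshold)
    for line in lines:
        det.observe(*parse_flow(line))
    return det.quarantined


def sample_log():
    """Constructed flow log: a spam zombie (10.0.0.1), an allowlisted list
    server sending just as much mail (10.0.0.50), a host phoning home to an
    indicator address (10.0.0.2) and an ordinary web user (10.0.0.3)."""
    base = datetime(2007, 9, 19, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(1200):    # 1200 SMTP connections, one per minute, i.e. inside one 24h window
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} 10.0.0.1 192.0.2.{i % 250 + 1} 25")
        lines.append(f"{t} 10.0.0.50 192.0.2.{i % 250 + 1} 25")
    lines.append(f"{(base + timedelta(hours=1)).isoformat()} 10.0.0.2 198.51.100.7 6667")
    lines.append(f"{(base + timedelta(hours=2)).isoformat()} 10.0.0.3 192.0.2.80 80")
    return lines


if __name__ == "__main__":
    for host, why in run(sample_log()).items():
        print(f"quarantine {host}: {why}")
```

Two points the code makes concrete. First, the state is bounded: a host is quarantined as soon as its deque exceeds the threshold and the deque is dropped, so memory is at most threshold plus one timestamps per host, but it is still per host, which is the "adds up quickly" cost at ISP scale. Second, the allowlist is where the false-positive argument lands: the list server generates exactly the same SMTP pattern as the zombie, and only an out-of-band decision separates them.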

Also, who's going to pay for this?, posted 19 Sep 2007 at 14:31 UTC by Pizza » (Master)

This packet analysis isn't cheap; on top of the obvious hardware/software costs, you have to factor in the extra expense of your otherwise clueless customers tying up your support lines complaining that "I can't get my myspace", plus the overhead of ensuring the customer is cleaned up, and finally switching their access back on.

I don't know what kind of money malware costs ISPs, but I'd wager that (per-capita) it's less than the cost of dealing with clueless users.

Even in the case of spam, where ISPs have non-trivial expenditures, the vast majority of the spam originates on other networks.

There may be value in an ISP offering this sort of monitoring service as a value-add, but I doubt there will be many takers, as the ones clueful enough to realize the point will probably be clueful enough to keep the malware off of their systems to begin with.
