eWeek poses the question on whether the botnets have already won. Botnets are not new, but they have been hot news for the past year or so. Unfortunately, while technology likes to move quickly, and vulnerabilities appear and disappear even more quickly, botnets are a fact of life on the wire that is not going to go away any time soon. In fact, I firmly believe we’ve only just begun to see the power, effects, and changing landscape of the wire that botnets are catalyzing. The article mentioned is an excellent look at the situation.
Defending against botnets is difficult, if not even outright impossible right now. Traffic jamming at ISPs or even local networks is useless when the bots tunnel through common ports. Traffic inspection is useless when the bot traffic becomes encrypted or the attacks themselves are real traffic. Shutting down C&C servers is futile now that botnets can work with existing dynamic features on the Internet, can become smaller automous units, or just plain efficiently change servers in an instant. Centralized tracking, detection, and disinfection of bots is not cost-effective for anyone because many home users who are infected have no idea they are infected nor have any idea how to fix it without a lot of hand-holding. Besides, it is a common fact that securing every system on the Internet is just not going to happen. Coordinating efforts across nations and continents is not supportable at this time, and even if an effort got underway, laws are still far behind technology. Botnet code can be reverse engineered and attacked directly, but much like signature-based detection, is thwarted by even as little as a single bit change, let alone polymorphic code. And attempting all of these things is still tough to do in as lucrative and profitable a way as the attackers. The article even mentioned that some significant work is done by volunteers.
To strike up a poor analogy, imagine that cars are able to be controlled remotely (not all that far away considering we can monitor the status of cars now and unlock them from a central system or intall navigation systems), and I have a way to control half the cars in your neighborhood. What would happen if I have them all play demolition derby with your house? Imagine that some of them are unmanned, but some are manned with trapped drivers. You can build walls, attack each one with rockets, put mines up all over, build a basement they can’t get into, build fake houses so they may or may not get your real one…
So, what about beating botnets? Where are some of the weak points to attack? Well, first of all a botnet might be able to be wielded against a botnet, although to what aim, that is a bit unknown as are the ethical implications. However, it is only a matter of time before a government decides to have its own botnet for cyberdefense and attack reasons. Whereas so many simluations talk about targeted attacks and actual hacker penetrations shutting down systems, something as simple as a coordinated, specific DDoS attack by a botnet can stranglehold critical services. Ask any company that has gone out of business due to a sustained DDoS on their systems.
Botnets, in the end, are still controlled by one or a small number of skilled people. Those people need to be ferreted out and shut down or neutralized or brought to justice. While law enforcement is still largely powerless against foreign-based attackers, I can foresee a time when more secretive agencies or corporate-sponsored groups clash on the cyber battlefield as both attempt to protect their interests. Still, take out the people doing the intelligent coding…
Corporate IT security can move outward to protect employees even at home or on home networks. The real skill in cleaning infections and increasing security at work or at home still lie with IT professionals getting their hands dirty and educating users, even just a little bit. While corporate entities can do a decent job internally, so often we shy away from opening the doors to home support (and mostly rightly so…). It definitely would take a commitment from top management, but does make sense even from an HR perspective.
Better Operating Systems and security products for the home would be a step in the right direction, but will never be more than a variably-sized speedbump for botnets and attackers. Still, some protection is better than none, and a secure or less popular OS is better than putting oneself in the midst of the low-hanging fruit masses.
No matter how this plays out, the botnet war is worth watching. This is still only the beginning and is a major issue that few people want to talk about because of how debilitating it can be and how nearly impossible it can be to defend against or prevent. But this is a topic that will be shaping our security and maybe even our networking as a whole for the next ten years. Mark my words. 🙂