[ISN] ISPs found innocent of aiding zombie attacks in 'trial'

InfoSec News isn at c4i.org
Thu Jun 9 01:16:11 EDT 2005


By Grant Gross
IDG News Service

ISPs were put on "trial" Tuesday, with hundreds of IT security
professionals serving as jurors, for not doing enough to keep
subscribers' computers from being compromised and used as tools in
attacks on corporate networks.

The plaintiffs, a couple of fictional companies hit by denial of
service attacks, argued that ISPs could do more to prevent "zombie"  
machines used in attacks by scanning subscribers' computers,
monitoring traffic and shutting down suspicious network uses. "ISPs
are in the best position to take reasonable steps to diminish the
threat," argued real-life cybersecurity lawyer Ben Wright, during a
mock trial at the Gartner IT Security Summit in Washington, D.C. "It's
very difficult to go out and find the hackers who are responsible for
these attacks."

But defense lawyer Stewart Baker, a partner in the Washington office
of Steptoe and Johnson, argued that it would be a violation of privacy
for ISPs to check subscribers' computers. It would be nearly
impossible for ISPs to distinguish between legitimate Internet
traffic, such as a subscriber's browser updating a weather map every
few seconds, and a computer being used in a denial of service attack,
added Baker, representing a group of fictional ISPs.

In a distributed denial of service attack, hackers often first take
over a group of thousands of computers by sending out a computer worm.  
The bad guys then use the group of so-called zombie machines, often
tied together through an IRC (Internet relay chat) server called a
botnet, to mass attack and crash a Web server. Some hackers use these
denial of service attacks to extort money from companies by demanding
cash to make the attack stop, according to some IT security experts.

Wright compared the ISPs' relative lack of enforcement to the owner of
a dangerous piece of property who doesn't buy a fence to keep others
out. But Baker suggested it is a computer owner's responsibility to
protect against malicious viruses and worms, not the ISP's. Baker
asked the audience how many would be willing to stay at a hotel that
offered Internet access in exchange for being allowed to scan their
computers for possible security vulnerabilities or illegal files such
as music downloads. No one in the audience raised a hand.

"Suing us is like suing the telephone company for a bomb threat
because they allowed it to be called in," said Rich Mogull, a
cybersecurity analyst for Gartner Research and the expert witness for
Baker and the ISPs. "There has to be an attacker someplace, and it
doesn't seem like they're suing the attackers."

The mock trial was a half-serious discussion on the responsibility of
ISPs for the security of their subscribers' computers. No actual ISPs
or denial-of-service-attack victims participate, and the trial veered
into a debate over the meaning of "promiscuous" computers and even
references to the current trial of pop music star Michael Jackson.

Using electronic voting boxes, Gartner found that 71% of the audience
of hundreds of IT security professionals agreed or strongly agreed
that botnets are a serious problem for large businesses. But when
asked who they sided with after the hour-long debate, only 30% of
attendees backed the fictional corporations suing the fictional ISPs
for a lack of zombie security measures. Fifty-four percent backed the
ISP position, and the other 16% backed option three: Michael Jackson.  
Or, in other words, none of the above.

Baker and Mogull argued that it would be nearly impossible for ISPs to
monitor millions of computers connected to the Internet for a few
thousand machines compromised at any one time, and it would be
difficult to define what type of activity on an individual computer
would be linked to a denial of service attack. But Wright and expert
witness Amrit Williams, a cybersecurity analyst at Gartner Research,
argued that ISPs are in the best position to track denial of service

One audience member agreed, saying through their current scanning of
traffic patterns, ISPs can see attacks as they develop, often before
victimized companies know what's going on. "ISPs can see the activity,
and they don't stop it," she said. "They're more than willing to turn
a blind eye when our performance fails."

But Baker noted that in many cases, ISPs see spikes in traffic coming
from outside their networks, and they can do little to stop that
traffic. "This is not the ISPs' Internet," he said. "The Internet is
owned by no one."

More information about the ISN mailing list