Weekly Edition
Return to the Security page
| |||||||||||||
ITU getting serious about botnetsBotnets are an increasing problem in today's internet. They can do much harm in the way of spam propagation and distributed denial of service attacks, but they also tend to evolve much more quickly than preventative measures. The International Telecommunication Union, an organization that predates the internet by more than 100 years, wants to do something about that. To that end, they are creating a Botnet Mitigation Toolkit. The ITU is now an agency of the United Nations, which puts it in the right place to assist with botnet mitigation. Much like the internet, botnets do not respect political boundaries; it is often the case that a botnet is attacking a target in one country, from hosts in multiple countries, using a command and control (C&C) infrastructure in yet another country. It will take an international response to thwart an attack of that sort. The toolkit is primarily focused at developing countries; it is meant to provide guidelines and best practice information to entities that need it. There are three types of information in the toolkit: legal, technical, and social. Each has a role to play in successfully handling botnets and their effects. From a legal standpoint, many developing countries do not have laws governing "cybercrime" that could be used to shut down or redirect botnet traffic. The toolkit will contain recommendations for how such legislation might be structured, what kind of jurisdiction requirements make sense, as well as the kinds of evidence that are likely to be available. One of the more serious difficulties is rectifying the needs of botnet fighters with the privacy of internet users. A country's privacy laws may cover what information can be gathered. A paper describing the toolkit (PDF), which is still in draft form, has some information about the intersection of privacy rights and internet security, but this is clearly an area that will need to be handled carefully. Another policy area that will be covered by the toolkit is in establishing a framework for handling incidents that occur. How to establish monitoring, putting together a collaboration between the government and internet service providers, along with deterring internet criminals from setting up shop in the country are all facets of a national "cybersecurity" policy. If a country is starting from a point where none of this kind of organization exists, which is true for much of the developing world, the toolkit will provide the government with the right questions to ask and areas that need a decision. At a minimum, it will also make recommendations that may be followed or ignored. From a technical standpoint, internet service providers may need information on best practices for securing their networks from external threats. They also may need information on handling malicious traffic originating in their networks. The toolkit intends to provide information on both. The contents of the paper contain a great deal of good information for those that are interested. Even for ISPs in developed countries, there is much that could be learned. The social aspect of dealing with botnets is perhaps the most difficult part, but, if successful, may provide the best defense. Like the technical measures, this is by no means a problem only in developing countries. Users everywhere need to learn good habits when using the internet. Free software is specifically called out as part of the solution in the social section of the paper, not because it is more resistant to malware (which is unclear), but because it can always be upgraded to fix security flaws. Many users in developing countries use unlicensed software from proprietary vendors that is difficult or impossible to upgrade. The ITU toolkit is a worthy project, which will hopefully be well received by countries around the world. Due care needs to be taken so that it is not seen as something being imposed by the developed world. Even if botnets are not currently causing any major pain for a country, they certainly will some day. Getting out ahead of that curve would be of great benefit, hopefully most countries will see it that way. A pilot project is planned for Malaysia, in cooperation with the government there, in 2008 that will allow the ITU to fine tune its message and the toolkit. After that, it can start rolling it out in other interested countries. It may be a few years off, but bot herders may start feeling the heat.
(Log in to post comments)
ITU getting serious about botnets Posted Nov 29, 2007 2:51 UTC (Thu) by brouhaha (subscriber, #1698) [Link] The ITU is now an agency of the United Nations, which puts it in the right place to assist with botnet mitigation.This seems a very dubious proposition at best. It's far from clear that the United Nations is the right place for anything. While the ideals behind the United Nations are perhaps laudable, the practice leaves a lot to be desired.
ITU getting serious about botnets Posted Nov 29, 2007 7:31 UTC (Thu) by dune73 (subscriber, #17225) [Link] >This seems a very dubious proposition at best. It's far from clear that the >United Nations is the right place for anything. While the ideals behind the >United Nations are perhaps laudable, the practice leaves a lot to be desired. In an ideal world, where all humans are angels like you are, there would not be a need for an organisation like the UN. But as the population on this planet consists of many ordinary people like myself, it is good to have such an institution. I still believe the ideals are laudable. Of course, there is a certain gap between the ideal and the practise. But that is known in many organisation. Even in the 2-person comittee governing the washing up in my household. ;) But we rather want to talk about botnets and not politics, don't we?
ITU getting serious about botnets Posted Nov 29, 2007 13:26 UTC (Thu) by copsewood (subscriber, #199) [Link] So if not the ITU under UN auspices, who do you propose should do this work?
ITU getting serious about botnets Posted Nov 29, 2007 20:20 UTC (Thu) by brouhaha (subscriber, #1698) [Link] It's not a foregone conclusion that it needs to be any governmental organization.
ITU getting serious about botnets Posted Nov 29, 2007 14:07 UTC (Thu) by kleptog (subscriber, #1183) [Link] There are lots of institutions that are part of the UN that many people might not immediately recognise as such like the WHO (got rid of smallpox and polio), the ITU, The World Bank, the IMF and many others. Like it or not, it's about the only way to get anything done in this world without being tied to a country or region. It's a framework which we have that mostly works with not much in the way of alternatives, so lets use it and fix the problems as they arise.
ITU getting serious about botnets Posted Nov 29, 2007 20:26 UTC (Thu) by brouhaha (subscriber, #1698) [Link] Poor choice of examples. The IMF and World Bank have not solved any problems and have in fact caused much worse problems than they've tried to solve; aid from the IMF and World Bank is almost always tied to requirements of policy changes that prove disastrous in the long run, and cuase the countries receiving the aid to need even more aid later.The benefit of the ITU is questionable at best. I've worked for a company involved in ITU matters, so I've seen the sausage factory in operation. I don't know enough about the history of the WHO, so I'll give them the benefit of the doubt. In general, expecting the UN to solve problems is not a good bet. It's more likely to exacerbate problems and create new problems.
ITU getting serious about botnets Posted Nov 29, 2007 14:11 UTC (Thu) by job (guest, #670) [Link] What an uninformed comment. We have working international standards on everything from air traffic to document exchange (it was OASIS that specified ODF from the start, remember?) through working groups provided by the UN. I don't know what you specifically refer to, but arenas for cooperation is virtually a requirement in the modern globalized world.
ITU getting serious about botnets Posted Nov 29, 2007 20:30 UTC (Thu) by brouhaha (subscriber, #1698) [Link] On the contrary, I'm fairly well-informed about the working of the ITU and other standards bodies operating under the UN umbrella, and it's clear that non-UN standards bodies like the IETF do a far better job.The fact that a few good things have come out of the UN is not sufficient to demonstrate that it is a net positive, nor that it is the best place to promote new initiatives such as anti-botnet measures.
ITU getting serious about botnets Posted Dec 13, 2007 13:43 UTC (Thu) by job (guest, #670) [Link] The IETF works very differently because they do engineering and not political work. I'm not sure IETF would do any better than ITU or similar organizations when doing things like spectrum allocations, they are just as susceptible to policial deadlocks. But my guess is as good as yours, we just don't have any data points that compares the two. So I stand by my opinion that the original comment was in haste, uninformed, or both. A much better comparison would be the ITU and IANA, but the latter is still a bit young for it to be completely fair.
ITU getting serious about botnets Posted Nov 29, 2007 14:44 UTC (Thu) by jschrod (subscriber, #1646) [Link] Wow, can you be even more childish in your knee-jerk reaction? I don't think so. Well, the UN, it's like democracy: "Democracy is the worst form of government except for all those others that have been tried.", as Winston Churchill said. Likewise, the UN is the worst form of inter-state cooperation on a global level, except for all those others that have been tried. Joachim
ITU getting serious about botnets Posted Nov 29, 2007 20:33 UTC (Thu) by brouhaha (subscriber, #1698) [Link] You haven't refuted my statement at all. I wasn't making the case that the UN was a bad form of government. I was pointing out that there's no reason that ANY government, national or international, needs to be involved in this.Just because there's a problem, even a fairly serious one, doesn't automatically make government the best solution.
ITU getting serious about botnets Posted Nov 30, 2007 1:17 UTC (Fri) by jschrod (subscriber, #1646) [Link] Your strawman doesn't help.First, you did not made the point that this is not a topic for a governmental organization. You merely stated that the UN is not the right place for anything (your emphasis, not mine). And IMNSHO that is a pure political statement about the UN itself and not about the relevance or the appropriateness of the ITU for this specific issue. Second, as the article noted, an essential part of the ITU work is about legal advice, how one can introduce or structure laws to help fight botnets. And changing laws is very clearly the realm of governments, they are the only ones who can do it. Thus advice about a coordinated legal approach against a supranational threat to our IT security belongs into the realm of inter-governmental political organizations like the UN and its subsidiary organizations. This is not merely about technical counter-measurements which seems to be the only thing that you might think about. (You're mentioning the IETF as a better organization indicates this.) In two of three tiers of the toolkit, this is about non-technical approachs that tries to take on a larger picture of the botnet problem, beyond the technical aspects. You ignore these two tiers to be able to propagate your opinion that the UN is not good for »anything«, and to express that with emphasis. And you really want that I take your comment as a serious contribution? All in all, your f'up answers are yet another data point why I would like to get a KILL file feature in LWN's comment facility. *PLONK*, as I would like to be able to say.
ITU getting serious about botnets Posted Nov 30, 2007 1:44 UTC (Fri) by brouhaha (subscriber, #1698) [Link] The ITU most certainly does NOT give legal advice. That should be perfectly clear to anyone that's ever actually dealt with the ITU.It is far from clear that it is necessary or helpful for anyone to give countries legal advice on dealing with botnets. However, if it were necessary, there is still no obvious reason that the ITU (or any other part of the UN) is particularly well-suited for that function. It is not the case that advice on changing laws must come from a governmental organization or the UN; in fact the vast majority of such advice that legislators receive is NOT from such sources.
ITU getting serious about botnets Posted Nov 30, 2007 8:17 UTC (Fri) by nix (subscriber, #2304) [Link] So the EU Commission (the source of the majority of the more boring-yet-necessary new laws in most of Europe, even eurosceptic parts like the UK) is not a governmental organization? Fascinating. Your extreme US-centricism is plainly obvious from your claim that legislators are universes complete unto themselves that receive advice from no other governmental bodies. I'd be very scared of legislators that worked that way: who else are they ignoring? (It's odd: to a first approximation, the only people you can find against the UN as a whole are a bunch of nasty dictatorships and... parts of the US, the country which *founded* it.) The UN and the EU had the same design intent: to eliminate war on different scales (worldwide large-scale versus European), to try to stop any repetition of WWII. Both are doing lots of different things these days as well, but branching out from `stop large-scale wars' to `stop large-scale supranational threats' doesn't seem like all *that* much mission creep to me. This sort of thing is what these organizations are *for*, and being legal bodies they will use legal weapons to do it. (Yes, they suck at it and they're inefficient. Point me at any human organization that isn't. They might get something done, anyway. The EU should get involved, though, because unlike the UN it actually *can* get its constituent governments to pass laws.)
ITU getting serious about botnets Posted Nov 30, 2007 17:02 UTC (Fri) by brouhaha (subscriber, #1698) [Link] So the EU Commission (the source of the majority of the more boring-yet-necessary new laws in most of Europe, even eurosceptic parts like the UK) is not a governmental organization? Fascinating.I don't see how you derived that from what I said. Your extreme US-centricism is plainly obvious from your claim that legislators are universes complete unto themselves that receive advice from no other governmental bodies.What I said was that the vast majority of advice on changing laws doesn't come from supranational governments or organizations. In the US, most of the input into new laws or amendments at the federal level comes from other parts of the US government (e.g., the executive branch), states, and corporations. Do EU countries really work that much differently? I thought only a small portion of the laws of individual EU countries was forced upon them by the EU. Or, if you don't like the phrase "forced upon", I could say "given to".
ITU getting serious about botnets Posted Nov 30, 2007 23:03 UTC (Fri) by nix (subscriber, #2304) [Link] The figure for UK laws which consist of implementation of EU directives is around 50%, IIRC, and rising.
ITU getting serious about botnets Posted Dec 7, 2007 3:51 UTC (Fri) by okeydoke (guest, #46751) [Link] Hi. I wrote the botnet mitigation toolkit. You might want to read it leaving normal assumptions about ITU standards processes out of this .. this is an ITU-D effort (read: development and "capacity building"). There are lots of people from the network operator community (NANOG / IETF / IAB regulars, as well as large ISPs) who have agreed to help out in the technical part - in fact, the toolkit cites several RFCs, as well as data from an IAB workshop. In this context, what you have is a UN agency that is putting money and resources into a project that tries to get several different groups that are already working on botnet related issues (from a technical, as well as from policy and social work perspectives) to coordinate, work together etc. And it also tries to field test a whole lot of concepts and best practices that were mostly developed in US and canadian ISPs, in what may well be a rather different operating environment. [Yes, most of it wont change but there will be a few things that need to change, and work differently..] regards srs
ITU getting serious about botnets Posted Nov 30, 2007 3:56 UTC (Fri) by smoogen (subscriber, #97) [Link] I was pointing out that there's no reason that ANY government, national or international, needs to be involved in this. ==== Well to take the strawman further, any organization that makes decisions that people follow or feel compelled to follow is a government. The IETF is a government in that it decides standards where people should use the internet. Its enforcement is by usually public opinion, buying power of companies that will only get something RFC compliant, or other things. Governments occur all the time..
Conspiracy theory :-) Posted Nov 29, 2007 18:06 UTC (Thu) by felixfix (subscriber, #242) [Link] For your amusement only. Anyone who takes me seriously has other problems. I hear about the US's NSA and all its listening posts around the world, how the US telecommunications companies bend over backwards to pass it copies of all the packets they shift around the world, and the only logical conclusion is that they are listening to everything, or at least a great amount of it. What for? you may ask, and the answer is to find interesting tidbits. Now there is no way they could do that without tremendously automated filters. There is so much cruft and banality on the internet, and a good portion of that must be spam and botnets. Which also means that the NSA must be aware of botnets, their members, and their controllers. Imagine how those patterns must jump out at them, how certain commands appear on IRC and suddenly thousands of computers replicate their spam, or DDoS attacks, or whatever other activity ... Which makes one wonder ... no doubt the NSA knows intimately what commands they could use to make these botnets commit suicide. Why would they not do that? They don't seem the type to fret over ethics of killing off botnets ... which leaves one reason: to not tip their hand, to leave the botnets in place for when they decide there is a national emergency and they need to coopt the botnets for their own attacks ... That is my theory, and I'm sticking with it. I hope you enjoy it.
|
|||||||||||||