In this period full of "Storms" and other malware, spreading worldwide in such an efficient manner, the need for cooperation between security companies has never been greater.

  • Computer Emergency Response Teams (CERTs) collaborate on important topics, like fighting against phishing/pharming, providing information to each other, exchanging tips, and so on;
  • Law Enforcement Agencies work together more and more. Although the system is far from perfect, it is growing and getting better every day, with new cybercrime laws;
  • Anti-Virus companies exchange data with each other, and cooperate with LE and sometimes with CERTs;
  • Incident Response Teams from many companies are in contact with one another, and generally work well with LE.

Now what about the ISPs who give you your daily connection to the Internet? To keep things clear, you have to be aware that this article only covers French ISPs.

In 1997, they founded the AFA (Association des Fournisseurs d'Accès), an association to help develop the Internet in France, to inform the public, and to cooperate internationally with other ISPs. They also provide protection against child porn and are involved in anti-spam organisations. Now what do they do against malware? You don't need to think about it for long: they do nothing. In some cases where they really could have a positive effect against cybercrime, they choose not to act.

Let's say you are a computer security professional working on a huge botnet. You see thousands of IP addresses from ISPs in your country, all sending DNS and TCP packets to badstuff.com. Browsing www.badstuff.com, you see no web content. Now looking at the "whois" data for badstuff.com, you notice immediately that it has been created to collect information from bots: it has been registered by John Doe, Planet Earth, h4ck1ngmastah@badstuff.com.

Calling the ISP, you tell them they should block all connections trying to reach this particular domain, because it is hosting the command&control of a big bad botnet that is stealing personal and confidential information from their customers. Moreover, you offer to provide them with all the IP addresses and the timeline of the infected computers, so that they can call their customers and explain to them that they are infected.
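What the "IP addresses + timeline" offer looks like in practice, as an added example that is not part of the original post: a small script that reads resolver query logs, keeps only the clients that asked for the C2 domain (badstuff.com, from the article) or any of its subdomains, and produces a per-ISP report with first-seen, last-seen and query count per client. The log format, the prefix-to-ISP table and the log lines are constructed for this example; in a real case the prefix table would come from whois/RIR data.

```python
"""Build the per-ISP "infected IP + timeline" report offered to the ISP.

Added example, not code from the original post. Everything except the
domain badstuff.com is constructed: the log format, the ISP prefix table
and the sample log lines.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed resolver query log: "<ISO timestamp> <client ip> <qname> <qtype>"
SAMPLE_LOG = """\
2007-10-01T08:00:01 203.0.113.10 www.example.org A
2007-10-01T08:00:05 203.0.113.10 badstuff.com A
2007-10-01T08:01:15 203.0.113.77 badstuff.com A
2007-10-01T09:30:00 198.51.100.4 badstuff.com A
2007-10-01T09:45:12 203.0.113.10 badstuff.com A
2007-10-01T10:00:00 198.51.100.4 www.badstuff.com A
2007-10-02T07:12:44 192.0.2.200 badstuff.com A
2007-10-02T07:13:00 198.51.100.4 mail.example.org MX
this line is malformed and must be skipped
"""

# Constructed prefix table; a real one is built from whois/RIR allocations.
ISP_PREFIXES = {
    "203.0.113.0/24": "ISP-A (constructed)",
    "198.51.100.0/24": "ISP-B (constructed)",
}

C2_DOMAIN = "badstuff.com"  # the C2 domain named in the article


def matches_c2(qname: str, c2_domain: str = C2_DOMAIN) -> bool:
    """True for the C2 domain itself and any subdomain (www.badstuff.com),
    but not for look-alikes such as notbadstuff.com."""
    q = qname.rstrip(".").lower()
    return q == c2_domain or q.endswith("." + c2_domain)


def parse_log(text: str):
    """Yield (timestamp, client_ip, qname); silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, qname, _qtype = parts
        try:
            yield datetime.fromisoformat(ts), ipaddress.ip_address(ip), qname
        except ValueError:
            continue


def isp_for(ip) -> str:
    """Map a client address to the ISP owning its prefix ("unknown" if none)."""
    for prefix, name in ISP_PREFIXES.items():
        if ip in ipaddress.ip_network(prefix):
            return name
    return "unknown"


def build_report(text: str, c2_domain: str = C2_DOMAIN):
    """Return {isp: {ip: {"first_seen", "last_seen", "queries", "isp"}}}
    covering every client that resolved the C2 domain."""
    per_ip = {}
    for ts, ip, qname in parse_log(text):
        if not matches_c2(qname, c2_domain):
            continue
        entry = per_ip.setdefault(
            str(ip),
            {"first_seen": ts, "last_seen": ts, "queries": 0, "isp": isp_for(ip)},
        )
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["queries"] += 1
    report = defaultdict(dict)
    for ip, entry in per_ip.items():
        report[entry["isp"]][ip] = entry
    return dict(report)


def lines_for_isp(report, isp: str):
    """One plain-text line per infected client, the format handed to the ISP."""
    return [
        f"{ip}\tfirst_seen={e['first_seen'].isoformat()}\t"
        f"last_seen={e['last_seen'].isoformat()}\tqueries={e['queries']}"
        for ip, e in sorted(report.get(isp, {}).items())
    ]


if __name__ == "__main__":
    rep = build_report(SAMPLE_LOG)
    for isp in sorted(rep):
        print(f"== {isp} ==")
        print("\n".join(lines_for_isp(rep, isp)))
```

The subdomain match matters because bots often rotate hostnames under one registered domain, and the "unknown" bucket is kept rather than dropped so that clients outside the known prefixes still appear in the evidence.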

Usually in a charming voice, they answer your request:

  • We are sorry, but technically, we cannot block in such a way;
  • We are sorry, although we could technically do it, we won't, because it would infringe the free spirit of the Internet/the privacy rights of our customers.

Now take one of these two sentences as an introduction, and add one of the following, depending on the ISP:

  • We are very interested in the IP addresses you collected while studying this botnet. But we won't tell the users;
  • We are not interested at all, and won't say anything to our customers;
  • We are not interested at all, and if you say anything regarding our customers to the press, or if you say anything to our customers, we will take legal action against you (the voice, in this case, is still charming, which is even more frightening).

We talked about blocking a single domain. Now imagine how an ISP reacts when you show them a complete range of malicious IP addresses from a well-known bulletproof hosting company...

Isn't this frustrating?