-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
An old article, but strangely enough it come across my
attention right when I was thinking about exactly the
same thing, wrt spam issues.
- ----
In the waning days of calendar year 2004, I watched some friends
as they happily killed off some "botnets", and then pondered the
usefulness of this (if any). A "botnet" is a collection of stolen
computers, whose owners are still using them. Botnets are useful
for sending spam and receiving stolen credit card numbers and all
kinds of other things a bad guy wouldn't want to get caught use
his or her own computers for. So, why isn't killing "botnets" an
unrestricted good idea?
Here's what I said about it on 30-December-2004:
I want to expand on this point somewhat. I'm the father of four
children, and one of the things that I have to think about that
my parents did not have to think about is "antibiotic-resistant
bacteria" or "superbugs". Here's how it happened. A number of
quick fixes were developed (penicillin, etc) and made widely
available. Folks overused them (due to convenience, revenue/hype,
etc). Enough bacteria were exposed to the wonderdrugs over several
decades that the small percentage who weren't killed by wonderdrugs
managed to reproduce more than the large percentage who were killed
by wonderdrugs. Ultimately the ecological niche that was once
occupied by "bugs" is now occupied by "superbugs", and the wonderdrugs
aren't working as well any more.
This shows how quick-fix action for convenience and/or profit by
a large number of self-interested people can end up retraining,
re-educating, and ultimately benefitting the attacking population
more than the defending population.
If you'd like a more topical example, consider "spam". People began
altering their e-mail "From:" lines in order to make their addresses
harder to guess or aggregate; people began doing pattern matching in
order to catch known-bad messages and either sideline or reject them.
Many defenders used many small tricks to protect their inboxes. The
result has not been that less spam is sent or even that less spam is
received, on an aggregate basis. Things are worse now than they've
ever been. (I say this as co-founder of MAPS LLC, by which I hope to
establish my credentials in the spam field for those of you who do not
know me.) Today a small number of highly advanced defenders is
spam-immune only because they are a small number and their techniques
are not widely effective against the attackers; and a small number of
highly advanced attackers can "spam at will" a far larger population
than ever before. And the trend is that things are getting worse, and
getting worse faster than ever before.
This shows how quick-fix action for convenience and/or profit by
a large number of self-interested people can end up retraining,
re-educating, and ultimately benefitting the attacking population
more than the defending population.
At MAPS, we started with the principle that the IP address who was
able to be used for transmission of unwanted bulk material was
poisonous, and that its owners ought to be more careful and more
respectful. Rather than "rotate our shield frequencies" and hope
that the attackers could not "rotate their weapons frequencies"
(hint: those are ST-TNG/Borg references), by saying "well you can't
send THAT body, but please keep trying!" we just revoked the implied
right of end-to-end communication whenever someone demonstrated lack
of proper respect for the implied responsibility of end-to-end value.
This was not effective -- spam got worse in spite of MAPS. But spam
did not get worse *because* of MAPS. Spam did get worse because of
brightmail, and spam has gotten worse because of Baynesian filtering.
Of course, Sunil Paul's goal in founding Brightmail was not to stop
spam but to create a company that could later be sold, which he did
(to Semantec, I believe.) But I digress.
Now I'm hearing about how people are joining and killing botnets. Why?
It is trivial to recreate them. All you're doing is helping to train
botnet operators in how to avoid getting caught; helping to train
rootkit developers in how to capture more computers; helping to train
botware developers in how to use non-IRC C&C channels. Do you really
want to gradually improve the breed and toolsets of attackers, at the
cost to them of nothing but time?
What we have to do is a lot of grunt work. Law enforcement, even of
unwritten laws like "don't spam me" or "don't DDoS me", is hard, boring,
"grunt" work. Gathering the evidence it takes to put a botnet operator
or malware developer in prison can take months or years, and the payoff
(of knowing that jackbooted government thugs are kicking in a door
somewhere and confiscating every powered device and every living person
in the building) is elusive. However, that's the only way to put a clamp
on the growth of botnet-related industries.
Stomping a botnet is actually a bad thing to do, unless it's done by lawful
authorities acting according to meatspace law, and hopefully as part of a
larger effort to imprison the people who wrote the software that captured
the bots, and the people who wrote the software that operates the botnet,
and the people who executed either of those kinds of software.
Stomping a botnet is actually a bad thing to do. Read that again. Please.
Working with meatspace law enforcement is what we have to do. I have made
myself available to my local FBI field office for consulting and training;
we must all do this, until the average FBI special agent is as good at
reading e-mail headers or lurking on IRC channels as they are at preserving
physical forensic evidence or sifting through the business records of a
suspected racketeer. And all of us who spend time defending against attacks
have to know how to gather evidence without polluting it, and we all have
to know who to contact when we've got something we think is actionable.
Annoying botnet handlers educates them. Don't do that! Let them succeed at
what they try, but watch their every move. Learn to predict what they will
do next. Learn how they did whatever they've done. Learn who they are. Learn
where they live, and where their money comes from. Let them have a wonderful,
annoyance-free life, right up to the instant that the front door of their
apartment is kicked in and the handcuffs go on. Don't create more
antibiotic-resistant superbugs. Don't teach them how to be more careful next
time, on a painless incremental basis.
- ----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iQCVAwUBRM9BIlJTxa108Mg4AQi8CgP9GT8aNgz6Vo+DbXXNiiAtEwH5V1KO9PPT
E8ouPJDZUDqeJRIAICKpR3Duf/yJjksFpSE3eUyUCilRyGJhEZyJjfpncwT23yPI
fJmqKezNPxMFGHmUODq0v10xP71+lXjE5DjNu3cAeM9svIIJoLsPcZuGHIYIxQb2
qhNcqYcGleU=
=LjmR
-----END PGP SIGNATURE-----
