Posted on Thursday, October 4th, 2007

Internet Badness: China, Russia and the USA

by Danny McPherson

While sources, types and responses to Internet badness vary widely, there exists a clear intersection in technical and policy implications that may not be completely obvious.

There’s been a lot of press lately spotlighting China and its alleged government-sponsored intrusions and repeated assaults on various corporate and government networks across the globe. Most of this seems to revolve around spying, intellectual property theft and corporate espionage. Much like the New England Patriots, they’re likely not doing anything others are not, they’re just not covering their tracks as effectively.

The U.S. most days dominates the top spot for geolocation of active botnet command and control (C&C) servers. The U.S. also holds that coveted “top spam sources” spot. Perhaps the big reason they don’t get bashed as badly as say, China or Russia on this front, is that arguably, U.S. operators and law enforcement are more responsive to abuse complaints. In particular, when there’s real badness (e.g., child pornography) as opposed to common annoyances we’ve all become somewhat accustomed to.

And, as you might suspect, much of the spam and botnet C&C mess on U.S.-based IPs comes from compromised hosts being administered from elsewhere, although I’m not sure that makes a difference.

New Botnet C & C (24 hours) Oct 4, 2007

The C&C servers listed above are a snapshot from ATLAS identifying new or reintroduced botnet C&Cs over the past 24 hours. Although the number of persistent servers is much larger, the percentages here are still reasonably representative of the larger aggregate.

Eastern Europe, Russia in particular, and the Russian Business Network (RBN) as a specific example, seems to dominate the financially motivated cybercrime scene. This has led to a great deal of discussion as of late, debating why they can’t just be taken offline. If we know their IP address space, or their domain names, or their AS numbers, why can’t we simply ‘take them out’?

Well, beyond the fact that they’ll simply adapt or relocate, there are lots of political and technical ramifications as well. One example is Russia’s considered creation of an independent network, because today “Russian users are accessing the internet via channels which are in the control of the US government…” Perceived U.S. control of the DNS root, and its “divine right to rule the Internet”, further contributes to the discussion of an alternate root and Internet numbers space. China’s there as well, having confirmed deployment of its alternate root for TLDs well over a year ago.

One of Russia’s primary motivators for an independent network is “information safety and security”. Consider the statistics above as an average Chinese or Russian Internet user and you might be able to come to terms with that argument. A fully “denationalized Internet governance regime”, as it’s so referred, to me means a more fragmented, more easily censored, less useful Internet. Is this a bad thing? Absolutely. YMMV.

While many responses to mitigate threats look easy, and seem effective, many are further reaching than they may seem. Diplomacy and policy play crucial roles when dealing with Internet-based crime.
