Time to Exclude Bad ISPs
Oliver Day, 2008-12-09

In recent months, three questionable Internet service providers — EstDomains, Atrivo, and McColo — were effectively taken offline resulting in noticeable drops of malware and spam.

It is hard to argue that such takedowns, which took the command-and-control servers for several major botnets offline, would not benefit everyone who uses the Internet. Estimates of the decrease in spam from the McColo takedown ran from 40 to 80 percent, even if it lasted only for a short time. More importantly, as bulletproof hosting providers drop bad actors from their client lists, the cost of hosting command-and-control servers goes up. Increasing the transaction costs of committing cybercrime is one of the best strategies for reducing it.

The takedown strategy, however, shows the weakness of the current system, rather than its strength. In both the McColo and Atrivo cases, shame seemed to be the only real trigger for action. Traditional law enforcement was absent, despite reports that alleged that computers hosted on those services' networks were responsible for many crimes.

While the hosting providers themselves may be protected as common carriers, it is still puzzling why agencies like the FBI weren't at least corroborating these claims. McColo and Atrivo were based in the United States, and thus under the jurisdiction of the nation's laws. The only mention of the FBI in the media reports following the takedowns quoted spokesman Joseph Schadler saying, "Resource-wise, we can't be in the business of prevention. We have to be in the business of prosecution."

Without the future participation of law enforcement, we are left with relying on vigilante justice and the use of shame to dissuade upstream providers from peering with rogue ISPs. Because of the way that Internet service providers operate within the array of national and international laws, other courses of action are limited.

Using the lens of international law and relations theory, we can model some of these recent events. The traditional model of relations between actors is known as the Grotian model. Under this model, actors — in this case, Internet providers — act only in their own interests, even to the detriment of those that they represent. Thus, one of the defining characteristics of the Grotian model is that unilateralism prevails: each actor decides when to set new legal standards, how it settles disputes, and when to use force, which in this case means depeering. This model of operation is only efficient when it can be carried out without cooperation.

Under the current model, each Internet provider makes its own rules using contracts such as terms-of-service agreements and peering arrangements. Providers have internal groups, such as abuse teams, to settle disputes and enforce the rules as needed. Violations of those rules can be ignored so long as they do not also violate the national laws of the country where the servers reside.

Yet, a cooperative model, known as the Kantian system, exists as well. Under a Kantian system actors are representatives to an international body, follow a set of jus cogens — rules that all members agree to — and share common interests that benefit everyone. The theory works both ways: Each actor is bound by these rules but can also demand that others adhere to them. Actors cannot make unilateral decisions on how to react to breaches of conduct and must react to known violations.

In the McColo and Atrivo cases, we can see that the problem was discovered and publicized by a transnational group of researchers cooperating under a common goal. Despite what appears to be over a year's worth of private communications to those corporations regarding illegal activity, action was never taken. Clearly, unilateral operation of Internet service providers does not deal efficiently with this type of problem. Without the evidence published by those security researchers, the problems could very well still be infesting McColo and Atrivo.

The EstDomains case was far more interesting, because the domain name system operates under a more Kantian system. In the world of Internet domains, registrars are governed by the international body known as ICANN, and the jus cogens is encoded in the Uniform Domain-Name Dispute-Resolution Policy (UDRP) and the Registrar Accreditation Agreement (RAA). The UDRP is a set of policies that all customers must abide by, prescribing the rules and dictating how disputes are resolved. The UDRP prohibits "bad faith" use of domain name registrations, and the RAA dictates what responsibilities registrar services are bound to observe.

When EstDomains' violations became public knowledge, ICANN initiated termination procedures and even allowed for the bulk transfer of existing customers to another registrar. EstDomains was even able to represent itself in a court of law and appeal before the final decision of termination was made.

The biggest hurdle towards building a Kantian model like ICANN in the Internet provider space is that, according to a Brooklyn Law Review article, "the UDRP [and RAA] derives its force from ICANN's de facto control of a critical Internet resource." That means that ICANN can retaliate toward bad actors by preventing the resolution of a domain name. This is real power in Internet terms. Since there is no equivalent body which controls the ability of a web host to offer services, it is unclear how we can ever make this critical leap.

One possibility is for Internet providers to create their own group and self-regulate. This would be a step in the wrong direction, however, since insular groups of this nature often fail to foster cooperation and lead to self-serving policies.

Instead, it would be better if a more diverse and cooperative group formed, including Internet service providers, security researchers, and governments representing the public to provide clear standards, due process, and transparency. This group could set new legal standards, document dispute settlement procedures and, when necessary, make recommendations to other controlling groups to depeer members who violate these rules.

At first glance, one may wonder why any Internet provider would submit itself to a governing body containing actors from outside its world. The past three months, however, have shown that security researchers are already part of the landscape for Internet service providers, and that there are consequences for those who don't respond to their reports. Hosting providers have an incentive to work with the security community to agree on standards of behavior. Any long-term solution will have to enforce good behavior on the part of the hosting providers.

It is in the interest of all who use the Internet legitimately that a fair, transparent and responsive process for dealing with Internet providers who offer bulletproof hosting to cybercrime outfits be developed and administered by a cooperative and external group.

Oliver Day is a researcher at the Berkman Center for Internet and Society where he is focused on the StopBadware project. He was formerly a security consultant at @stake and eEye Digital Security. He has also been a staunch advocate of the disclosure process and providing shielding for security researchers.
Copyright 2010, SecurityFocus