SANS Institute slags Australia's anti-botnet iCode
- 06 December, 2011 09:33
The National Institute of Standards and Technology (NIST) is eyeing Australia's iCode as a model for its own ISP-led malware notification system, but Microsoft, the SANS Institute and others have expressed reservations about pursuing it in the United States (US).
The NIST this September sought feedback on how the US should go about establishing a voluntary notification scheme to tackle botnets, highlighting the iCode as one possible template.
Alan Paller, the director of research at the SANS Institute, argued in a written submission that the US should not follow the iCode because it was ineffective.
After analysing "the actual experience of the iCode in Australia", Paller said that SANS learned the desired impact "was not gained."
"The reductions were insignificant," he added, arguing that to justify a similar code in the US, it would need to achieve "substantial reductions" in the number of bots of at least 50 per cent.
The Internet Industry Association (IIA) launched the voluntary code in December 2010, and has since signed up 33 ISPs, including Telstra BigPond, iiNet and Optus, but still is missing some major ISPs such as TPG.
The US has shown interest in the iCode, with former IIA chief Peter Coroneous receiving an invite to the White House to discuss the program with White House Cybersecurity Coordinator, Howard Schmidt this May.
Microsoft and Symantec had reservations about relying too heavily on ISPs.
While ISPs were uniquely positioned to identify the affected customer, Microsoft saw an important role for operating system, application and security vendors, as well as domain hosts, banks, email providers and social networks.
Sending notifications also raised the possibility for fraudulent notifications, which Symantec argued could “aggravate the problem rather than alleviate it”.
PayPal supported ISP notifications by email, phone, fax or post over page "redirect" notifications, for security reasons. It also held up Australia's Internet Security Initiative, a precursor to the iCode that combines notifications, traffic filtering and a "walled garden" quarantining component, as an example to follow.
In fact, one of the iCode’s objectives is to get ISPs to participate in this scheme.
“We are also in favor of ISPs deploying traffic filtering solutions to eliminate certain types of botnet traffic. When feasible we believe ISPs should aggressively filter traffic to known botnet C&C servers from their networks,” said PayPal.
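The three components named above (customer notification, filtering of traffic to known C&C endpoints, and walled-garden quarantine) can be sketched as one small ISP-side pipeline. The following Python is an added illustration, not code from the iCode, the Internet Security Initiative, PayPal or any ISP: the indicator list, the flow records, the customer IDs and the rule format are all constructed placeholders, and the "two notices before quarantine" policy is an assumption chosen for the example. The last two functions apply the 50 per cent reduction target from the SANS submission to before/after bot counts.

```python
from collections import defaultdict

# Constructed indicator list of known C&C endpoints as (ip, port).
# Addresses come from documentation ranges; they are placeholders, not real infrastructure.
CNC_INDICATORS = {
    ("203.0.113.10", 6667),
    ("198.51.100.7", 443),
}

# Constructed flow records in the shape an ISP might export:
# (customer_id, src_ip, dst_ip, dst_port). Customer IDs are made up.
SAMPLE_FLOWS = [
    ("cust-001", "192.0.2.11", "203.0.113.10", 6667),
    ("cust-001", "192.0.2.11", "203.0.113.10", 6667),
    ("cust-002", "192.0.2.12", "192.0.2.200", 443),    # benign traffic, no indicator match
    ("cust-003", "192.0.2.13", "198.51.100.7", 443),
]


def detect_infected(flows, indicators=CNC_INDICATORS):
    """Map each customer to the set of C&C endpoints its traffic contacted.

    Matching is on the destination (ip, port) pair only; customers with no
    match are absent from the result.
    """
    hits = defaultdict(set)
    for customer, _src_ip, dst_ip, dst_port in flows:
        if (dst_ip, dst_port) in indicators:
            hits[customer].add((dst_ip, dst_port))
    return dict(hits)


def decide_actions(hits, prior_notices, quarantine_after=2):
    """Pick an action per infected customer (policy is an assumption for this example).

    First detections get an out-of-band notification (email, phone or post, the
    channels PayPal preferred over page redirects) plus filtering of the matched
    C&C flows. Once a customer has been notified `quarantine_after` times and is
    still beaconing, the connection is moved into the walled garden.
    """
    actions = {}
    for customer in hits:
        notice_count = prior_notices.get(customer, 0) + 1
        if notice_count >= quarantine_after:
            actions[customer] = "walled_garden"
        else:
            actions[customer] = "notify_and_filter"
    return actions


def filter_rules(hits):
    """Render drop rules for every matched C&C endpoint (constructed rule syntax)."""
    endpoints = {ep for eps in hits.values() for ep in eps}
    return sorted(f"drop dst {ip} port {port}" for ip, port in endpoints)


def reduction_percent(bots_before, bots_after):
    """Percentage reduction in observed bots between two measurement periods."""
    if bots_before == 0:
        return 0.0
    return 100.0 * (bots_before - bots_after) / bots_before


def meets_sans_target(bots_before, bots_after, target=50.0):
    """True if the reduction reaches the 'at least 50 per cent' bar SANS argued for."""
    return reduction_percent(bots_before, bots_after) >= target


if __name__ == "__main__":
    hits = detect_infected(SAMPLE_FLOWS)
    print("infected:", hits)
    print("actions:", decide_actions(hits, prior_notices={"cust-001": 1}))
    print("rules:", filter_rules(hits))
    print("reduction 200 -> 90 bots:", reduction_percent(200, 90), "%", meets_sans_target(200, 90))
```

The point of keeping detection, action and filtering as separate functions is auditability: an ISP can log which indicator produced a notification and which rule was installed, which is also what makes it possible to distinguish a genuine ISP notice from the fraudulent ones Symantec warned about.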