ISPs found innocent of aiding zombie attacks in 'trial'

A group of cybersecurity professionals find ISPs not guilty of aiding zombie attacks in a mock trial.

ISPs (Internet service providers) were put on "trial" Tuesday, with hundreds of IT security professionals serving as jurors, for not doing enough to keep subscribers' computers from being compromised and used as tools in attacks on corporate networks.

The plaintiffs, a couple of fictional companies hit by denial of service attacks, argued that ISPs could do more to prevent "zombie" machines used in attacks by scanning subscribers' computers, monitoring traffic and shutting down suspicious network uses. "ISPs are in the best position to take reasonable steps to diminish the threat," argued real-life cybersecurity lawyer Ben Wright, during a mock trial at the Gartner Inc. IT Security Summit in Washington, D.C. "It's very difficult to go out and find the hackers who are responsible for these attacks."

But defense lawyer Stewart Baker, a partner in the Washington office of Steptoe and Johnson LLP, argued that it would be a violation of privacy for ISPs to check subscribers' computers. It would be nearly impossible for ISPs to distinguish between legitimate Internet traffic, such as a subscriber's browser updating a weather map every few seconds, and a computer being used in a denial of service attack, added Baker, representing a group of fictional ISPs.

In a distributed denial of service attack, hackers often first take over a group of thousands of computers by sending out a computer worm. The bad guys then use the group of so-called zombie machines, often tied together through an IRC (Internet relay chat) server called a botnet, to mass attack and crash a Web server. Some hackers use these denial of service attacks to extort money from companies by demanding cash to make the attack stop, according to some IT security experts.

Wright compared the ISPs' relative lack of enforcement to the owner of a dangerous piece of property who doesn't buy a fence to keep others out. But Baker suggested it is a computer owner's responsibility to protect against malicious viruses and worms, not the ISP's. Baker asked the audience how many would be willing to stay at a hotel that offered Internet access in exchange for being allowed to scan their computers for possible security vulnerabilities or illegal files such as music downloads. No one in the audience raised a hand.

"Suing us is like suing the telephone company for a bomb threat because they allowed it to be called in," said Rich Mogull, a cybersecurity analyst for Gartner Research and the expert witness for Baker and the ISPs. "There has to be an attacker someplace, and it doesn't seem like they're suing the attackers."

The mock trial was a half-serious discussion on the responsibility of ISPs for the security of their subscribers' computers. No actual ISPs or denial-of-service-attack victims participate, and the trial veered into a debate over the meaning of "promiscuous" computers and even references to the current trial of pop music star Michael Jackson.

Using electronic voting boxes, Gartner found that 71 percent of the audience of hundreds of IT security professionals agreed or strongly agreed that botnets are a serious problem for large businesses. But when asked who they sided with after the hour-long debate, only 30 percent of attendees backed the fictional corporations suing the fictional ISPs for a lack of zombie security measures. Fifty-four percent backed the ISP position, and the other 16 percent backed option three: Michael Jackson. Or, in other words, none of the above.

Baker and Mogull argued that it would be nearly impossible for ISPs to monitor millions of computers connected to the Internet for a few thousand machines compromised at any one time, and it would be difficult to define what type of activity on an individual computer would be linked to a denial of service attack. But Wright and expert witness Amrit Williams, a cybersecurity analyst at Gartner Research, argued that ISPs are in the best position to track denial of service attacks.

One audience member agreed, saying through their current scanning of traffic patterns, ISPs can see attacks as they develop, often before victimized companies know what's going on. "ISPs can see the activity, and they don't stop it," she said. "They're more than willing to turn a blind eye when our performance fails."

But Baker noted that in many cases, ISPs see spikes in traffic coming from outside their networks, and they can do little to stop that traffic. "This is not the ISPs' Internet," he said. "The Internet is owned by no one."