In recent discussions about botnets, some people maintained
that botnets (and viruses and worms) are really not a relevant
topic for NANOG discussion and are not something that we
should be worried about. I think that the CSI and FBI would
disagree with that.
In a press release announcing the last CSI/FBI survey
the following statement appears:
Highlights of the 2005 Computer Crime and Security Survey include:
- The total dollar amount of financial losses resulting from
security breaches is decreasing, with an average loss of
$204,000 per respondent-down 61 percent from last year's
average loss of $526,000.
- Virus attacks continue as the source of the greatest
financial losses, accounting for 32 percent of the
overall losses reported.
- Unauthorized access showed a dramatic increase and
replaced denial of service as the second most significant
contributor to computer crime losses, accounting for
24 percent of overall reported losses, and showing
a significant increase in average dollar loss.
So where do botnets come in? First of all, botnets are
used to distribute viruses, the largest source of
financial losses. Second, botnets are built on what
the CSI calls "unauthorised access", the second largest
source of loss. And denial of service, which used to
be the 2nd largest, is also something that botnets do.
Now NANOG members cannot change OS security, they can't
change corporate security practices, but they can have
an impact on botnets because this is where the nefarious
activity meets the network.
Therefore, I conclude that discussions of botnets do
belong on the NANOG list as long as the NANOG list is
not used as a primary venue for discussing them.
One thing that surveys, such as the CSI/FBI Security
Survey, cannot do well is to measure the impact of
botnet researchers and the people who attempt to shut
down botnets. It's similar to the fight against terrorism.
I know that there have been 2 terrorist attacks on
London since 9/11 but I don't know HOW MANY ATTACKS
HAVE BEEN THWARTED. At least two have been publicised
but there could be dozens more.
Cleaning up botnets is rather like fighting terrorism.
At the end, you have nothing to show for it. No news
coverage, no big heaps of praise. Most people aren't
sure there was ever a problem to begin with. That doesn't
mean that the work should stop or that network providers
should withold their support for cleaning up the