Combating Botnets Botnets are a complex and continuously evolving challenge to user confidence and security on the Internet. Introduction Botnets are networks made up of infected remote-controlled computers, used by cybercriminals for cyber attacks, to steal information, and other crime. They are considered one of the biggest threats to Internet security. Combating botnets requires cross-border and multidisciplinary collaboration, innovative technical approaches, and the widespread deployment of mitigation measures which respect the fundamental properties of the Internet.

Thus, one bad actor has control over many Internet-connected devices. What is a botnet? An Internet-connected device becomes infected by malicious software (malware) which turns the device into a bot now under the control of a remote operator (bot herder) who uses command-and-control servers to perform automated tasks. Thus, one bad actor has control over many Internet-connected devices. Definition: Botnets are networks made up of remote-controlled computers, or bots. Computers includes computing devices like smartphones, laptops, PCs, and Internet of Things-enabled devices. These computers have been infected with malicious software that allows them to be remotely controlled. Some botnets consist of hundreds of thousands of computers. Various techniques are used to infect computers so they become bots. For example: luring users into downloading malware, exploiting Internet browser vulnerabilities, and tricking users into loading malware (e.g., as a result of opening an infected email attachment), among other ways. The botnet’s creators can then decide what to do with the infected computers. Botnet malware is often designed to run in the background so users are unaware that their systems are infected. Botnets are frequently used for sending spam. They may also be used to: launch attacks on other computers, steal personal data and passwords, attack public and private networks, exploit users’ computing power and Internet access, and carry out Distributed Denial of Service (DDoS) attacks, among other usages. Botnets can be used to create more bots and bigger and/or new botnets.

Key Considerations Botnets impose economic and social costs on affected users, service providers, network operators, and society as a whole. A number of issues must be considered when addressing the problem of botnets: Geographic dispersion Impacts on user rights Impacts on technology use and innovation Botnets pose threats to Internet users, service providers, network operators, and society as a whole, and are difficult to eliminate. However, steps can be taken to reduce their impact and associated risks. There are three key issues which must be considered when addressing the problem of botnets: Geographic dispersion: Botnets can spread around the world very quickly. Infected computers and botnet herders operate in different countries and locations. Botnets thus require a collaborative approach to detection, mitigation, and law enforcement. EXAMPLE: The technical architecture of the Internet was conceived as cross-border and non-territorial from the onset. As such, fighting botnets requires a transnational approach. No one country or entity can fight them because of the Internet’s global reach. Impacts on user rights: We must consider the impact of solutions on fundamental user rights and expectations when approaching strategies to combat botnets. Mitigation strategies must be narrow (not broad) and must not violate rights of legitimate Internet users. EXAMPLE: Blocking all traffic from an infected network could unintentionally keep innocent users from accessing the Internet and exercising rights, such as freedom of expression and opinion. Impacts on technology use and innovation: Technology-specific strategies are less likely to address the overall problem of botnets, as their creators may change tactics to avoid new obstacles, and might make innovation online harder. EXAMPLE: A technical solution that restricts access to suspected infected networks would be unacceptable. This is because it would have negative consequences on the Internet’s openness, innovation potential, and global reach.

Challenges 1 Botnet strategies, technologies, and techniques are constantly evolving in response to mitigation measures. Botnets are cheap to deploy, hard to uncover, and easily available for purchase or hire. Botnet creators and herders are geographically dispersed from the offending bots and are skillful at hiding their locations and identities. Botnet operators actively search for vulnerable systems to infect. Botnets take advantage of the Internet's fundamental properties and its architectural design. 2 3 4 A number of factors contribute to the ongoing challenge of combating botnets: Botnets are constantly evolving and adapting as mitigation measures are put in place. Botnets are popular because they are cheap to deploy and operate and hard to uncover. In some cases, cybercriminals will establish a large network of machines and then sell access to this network to other criminals. Spammers, for example, may rent or buy a network in order to operate a large-scale spam campaign. Botnet creators and herders are in different countries around the world and are skillful at hiding their locations and identities. There are vulnerable computers connected to the Internet (i.e. those that are not sufficiently secured or whose users are susceptible to being lured into introducing malware onto their computers) and vulnerable end devices (i.e. botnet command and control servers and infected computers) Botnets are designed to take advantage of the Internet’s fundamental properties (the Internet Invariants) and its architectural design. The network does not—and cannot by architecture—discriminate or differentiate traffic generated by different applications. 5

Internet Society’s Collaborative Security Approach Guiding Principles Fostering confidence and protecting opportunities Collective responsibility Fundamental properties and values Evolution and consensus Think globally, act locally Internet Society’s Collaborative Security Approach 1 2 3 Collaborative security approach: The Internet enables opportunities for economic and social prosperity globally. The starting point for botnet security solutions should be what solutions are needed to preserve those opportunities and to foster confidence in the Internet. Safe systems, safe devices, and containment are good ways to foster confidence. The security of the Internet is a shared responsibility. A collaborative, cross-border approach is important to combat the global threat of botnets. We will all be secure only when we are protecting ourselves – and our neighbors. Security solutions must preserve the fundamental, open nature of the Internet as well as fundamental human rights, values, and expectations. Achieving security objectives, while preserving these fundamental properties, rights and values is the real challenge. We must find solutions that build on lessons learned, which are developed by consensus, and which will evolve to meet whatever new threats emerge. Commercial competition, politics and personal motivation play a role in how well collaboration happens. But differences can and must be overcome to cooperate against a threat. Solutions should be implemented by people at the closest point where they can have the most impact. The most effective strategies against botnets are implemented by informal self-organizing groups that are built on trust among experts in the field. 4 5

Download the Briefing Paper. Conclusion: The most effective solutions to botnets are likely to be reached by relying on the expertise of a broad set of stakeholders. Collaboration must be proactive and not reactive and happen through bottom-up self-organization. Strategies should focus on addressing the root cause of the problem. Addressing symptoms (i.e. spam) without also addressing the root cause (the botnet) may neglect other malicious botnet activities (i.e. theft of personal data). Policies and solutions should be agile enough to remain effective given the rapid evolution of botnets. Instead, solutions should specify a general strategy, thereby enabling the detailed implementation to be adaptable over times to new technologies and built on trust among experts in the field.