Recently I’ve published several articles on Identity Management. I’d like to give some background here on what motivated me to dig into that subject and why I’m even publishing about it. As some of you may know, I’ve recently contributed some code to vuurmuur, a firewalling application for Linux. Also, it appears that one or more botnets have found my tiny and very irrelevant Mediawiki server and they’re trying hard, all 2700 unique IP addresses so far, to obscure the data on there with linkspam. Earlier today an insane botnet scout has apparently also found my family social network and made it past the trivial and essentially non-existent defenses. Bravo botnet scout, you have found a site with weak security! I am a bit curious now to find out how many botnet zombies will return to do the same and whether it will become as massive as the Wiki spambots. For a lot of the link spam attempts I see, I look at the source IP address and do a whois on it. Frequently the results make me frown, so what if I told you that:
It was your IP address that tried to spam my webserver. Yes, don’t look behind you. I mean you!
Of course I do not know this to be you for sure, but a lot of the IP addresses I’ve been so faithfully monitoring are in fact IP addresses that resolve to regular PCs standing on somebody’s desk, in a closet or otherwise, in other words your PC!
Hijacking
You may have clicked on the botnet link above, wondering what I’m even talking about. You may have even concluded that this article cannot be about you, since you use very effective anti-virus software. Well, you may want to think again. The article on the effectiveness of anti-virus software is a Dutch article, so I’ll translate some highlights for those who don’t read Dutch:
- 32% of computers with up-to-date virus scanners are infected.
- 46% of computers without up-to-date virus scanners are infected.
- Windows 7 is already more vulnerable than Windows Vista.
- 15% of computers with “the very best” virus scan software are infected.
So does this mean that there’s a 1 in 3 chance that your bank account information has been stolen from your PC and your bank account will be emptied soon? Does this mean there’s a 1 in 3 chance that all your personal photographs will be forcefully removed just to spite you? Does this mean that all those sexy websites you look at when you think nobody’s watching get logged? Probably not. The chance that your PC is now a member of a botnet’s zombie squad and gets used to infect even more PCs, send out more spam email, spam more websites with linkspam etc. is much larger. Should you care?
Energy
Currently most IP addresses on the internet are so-called IPv4 addresses, consisting of 4 integers between 0 and 255. Theoretically this means 255 * 255 * 255 * 255, or just about 4 billion, IP addresses are in use. This is a very crude estimate; more accurate statistics about the internet can be found on infoplease. Let’s err on the side of caution and assume that there are not really 4 billion IP addresses but:
- There are approximately 600 million active IP addresses in the world
Given the numbers about the anti virus software, let us next assume:
- Since approximately 1/3 of the computers are infected, there are 200 million infected computers on the internet.
On my own Mediawiki server I now have detected some 2700 infected IP addresses. On a random day, December 20th:
omega:~# grep DROP /var/log/vuurmuur/traffic.log|grep "Dec 20"|wc -l
5779
(This means 5779 connection attempts have been dropped by vuurmuur.) So, very very crudely, let’s assume every infected IP address makes 5779 / 2700 = 2 connection attempts per day, and we must assume it does so to every other internet address. This means:
- 200 million * 2 * 600 million = 2.4E+17 connection attempts are made by botnets on the planet every single day.
Let’s assume every connection attempt costs one microwatt of electricity. This means:
- 240 gigawatt of electricity is consumed by botnets every single day.
That’s a rather impressive, yet totally unscientifically calculated, amount of energy, isn’t it? In fact, 300 gigawatt could power a laser that models a black hole! Meanwhile, our world leaders debate in Copenhagen whether, and how much, they want to tax their citizens to prevent global warming from happening.
Take Control
So what can we do when anti-virus tools are ineffective? We could of course install a firewall like vuurmuur, add all the IP addresses we can find to our blocklist and hope that the problem will go away. Well, it won’t, and not only will you be adding energy consumption to the injury by making your computer filter every connection through a LONG list of blocked IP addresses, you will also have to give up your day job.
So let’s get to the point here, finally. On the vuurmuur IRC channel we’ve been discussing the possibility of making vuurmuur daemons communicate with each other. If one vuurmuur detects a botnet probe of any kind, it will first block the IP address and then pass the offending IP address on to all its peers so they can block it as well. So far there’s nothing new or revolutionary to this plan; there are already great spam IP databases out there, like for example the Spamhaus Zen database. The Spamhaus database, like many others, is based on a so-called DNS (domain name server) lookup of the suspicious IP address to verify whether it is indeed a spamming IP address. As indicated by the name, which includes ‘spam’, Spamhaus is originally a service to find out whether a certain IP address sends out spam. The IP address typically gets verified by an MTA (mail transfer agent), which then decides how to act, as opposed to stopping the connection attempt at the gate of the receiving computer by blocking any connection attempt. In effect we have thereby made very busy applications like MTAs even busier, thus consuming more energy, by letting them verify the validity of a sender’s IP address.
- A better approach than having the MTA block such connections from an IP address would be to stop that connection at the gate of the receiving computer. I’m not aware of this already being done, but I’m quite certain some interest groups have worked on it, as it’s relatively simple to do.
- An even better approach would be to block the IP not only at our own gate but also at the gate of all our vuurmuur peers.
- An even better approach would be if the ISP of the sender’s IP were also a peer in our vuurmuur web and blocked out the offending IP altogether!
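To make the DNSBL mechanism concrete, here is an added example (not vuurmuur or Spamhaus code) of how a Zen-style lookup is formed and interpreted, and how a firewall could use the verdict to drop the connection at the gate before any MTA spends cycles on it. The query-name construction and the 127.0.0.x return codes follow Spamhaus’s published Zen documentation; the resolver, the 192.0.2.x source addresses and their answers are constructed so the example runs offline. It also handles two failure modes a real deployment meets: Zen’s 127.255.255.x error codes, and a resolver that returns an arbitrary address for a non-existent name, neither of which may be treated as a listing.

```python
"""Zen-style DNSBL lookup and a 'block at the gate' decision.

Added example for this post, not code from vuurmuur or Spamhaus.  Query-name
layout and return codes follow the public Zen documentation; FAKE_DNS is a
constructed stand-in for real DNS so the example runs offline.
"""
import ipaddress

ZEN_ZONE = "zen.spamhaus.org"

# Meaning of the A records Zen returns for a listed address.
ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: snowshoe spam source",
    "127.0.0.4": "XBL: exploited or infected host",
    "127.0.0.5": "XBL: exploited or infected host",
    "127.0.0.6": "XBL: exploited or infected host",
    "127.0.0.7": "XBL: exploited or infected host",
    "127.0.0.10": "PBL: end-user range, should not connect directly",
    "127.0.0.11": "PBL: end-user range, should not connect directly",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL name: octets reversed, zone appended.
    1.2.3.4 -> 4.3.2.1.zen.spamhaus.org  (IPv4 only in this example)"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4 lookups")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answers(answers):
    """Split A records into listing reasons and errors.
    127.255.255.x are Zen error codes, not listings; anything outside
    127/8 means the resolver answered for a name that should not exist
    (e.g. an ISP wildcarding NXDOMAIN), which is also not a listing."""
    reasons, errors = [], []
    for a in answers:
        if a.startswith("127.255.255."):
            errors.append(f"DNSBL error code {a}")
        elif a in ZEN_CODES:
            reasons.append(ZEN_CODES[a])
        elif a.startswith("127.0.0."):
            reasons.append(f"listed with unrecognised code {a}")
        else:
            errors.append(f"unexpected non-127/8 answer {a}")
    return reasons, errors


def gate_decision(ip, resolve, zone=ZEN_ZONE):
    """Decide at the firewall, before the MTA ever sees the connection.
    resolve(name) returns a list of A-record strings, [] for NXDOMAIN
    (= not listed).  Errors fail open so a DNS problem never blocks
    legitimate traffic."""
    reasons, errors = interpret_answers(resolve(dnsbl_query_name(ip, zone)))
    if reasons:
        return "DROP", reasons
    if errors:
        return "ACCEPT", ["fail open: " + "; ".join(errors)]
    return "ACCEPT", ["not listed"]


# Constructed answers standing in for real DNS (offline example).
FAKE_DNS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],               # infected PC
    dnsbl_query_name("192.0.2.20"): ["127.0.0.2", "127.0.0.10"],  # spam + PBL
    dnsbl_query_name("192.0.2.30"): ["127.255.255.254"],         # Zen error
    dnsbl_query_name("192.0.2.40"): ["203.0.113.1"],             # NXDOMAIN hijack
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.99"):
        verdict, why = gate_decision(src, fake_resolve)
        print(f"{src:<12} {verdict:<6} {'; '.join(why)}")
```

The PBL case is the one this post is really about: a listing that does not say the address has spammed, only that it is an end-user range that should not be initiating such connections at all, which is exactly the infected desktop PC the post describes.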
The last measure is rather dramatic indeed. However, since France and the UK seem to have no problems forcing people off the internet if they commit the vile terrorist act of downloading things from the internet, why shouldn’t ISPs protect their clients and millions of other computers by (temporarily) taking them off the internet? And if they won’t, why would we not take the whole ISP off the internet by putting a block on the entire ISP’s netblock in order to protect our planet? (Yes, I am indeed exaggerating a tiny little bit here.)
But Seriously now…
So far in this article I’ve been pulling some numbers out of a hat and exaggerating to the point of ridicule the amount of resources botnets consume globally and the terrible countermeasures we all could take to prevent this. The technical possibilities for dealing with botnets are plentiful, but as a wise man once said:
We all agree that it is better for 10 guilty IP addresses to go free than for one innocent IP address to be blocked.
However
Is it better for 200 million guilty IP addresses to walk free rather than to have one innocent IP address blocked? The cost-benefit policy answer is no.
I tend to agree! So while it is clear that nobody wants to incorrectly block legitimate internet users from the internet, if the numbers above come even close to reality, it is indeed past time to act.
One very sensitive subject on the internet is whether it should be possible to track every IP address back to an individual or organization. It’s already possible to track an IP address back to an organization, but the organization may be outside the reach of the law or in a country that has not yet criminalized cybercrime. Tracking an IP address back to an individual inside that organization is not easy, or not possible at all. Most frequently this has something to do with privacy regulations.
What if somebody realizes, from the paragraphs above, that his or her computer may actually be taken for a ride to send out the spam we all dislike and to put millions upon millions of viagra and other spam links out there on our internet? What if this person realizes that by doing so, their computer actually contributes to global warming? What if, simply put, this person realizes that their computer is being stolen, their bandwidth is being stolen, their energy is being stolen, and they have been turned into the proverbial idiot that sees no evil, hears no evil, so there must not be any evil? Would this person, yes, this person is you, then be inclined to say ‘so where do I sign up to stop this?’
So that’s why I’m working on a theory, and later on a tool, that can not only store your identity in a reliable way but also link your identity to temporary resources like your IP address. There’s more to it, but in the vuurmuur context it would be very nice to, say:
- Check an IP address for anomalies in the traffic coming from it.
- If such anomalies are found, look up the identity that owns the IP address. Contact them if possible and inform them.
- Temporarily block their IP address from accessing resources through which they may infect friends and family.
- Inform them of ways to clean up their computer.
That would be one noble goal indeed.
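As an added example, not vuurmuur code and not the tool described above, the following script walks the four steps just listed, and on the way reproduces the per-day counting from the Energy section (the grep | wc -l step, split out per source so an average per IP falls out). The log lines are constructed and only loosely modelled on a firewall DROP log; the real vuurmuur traffic.log layout is not reproduced here. IDENTITY_REGISTRY is a constructed stand-in for the identity-to-IP link the post proposes, and the 192.0.2.x / 198.51.100.x addresses are documentation ranges. The point it adds to the prose is the expiry: a block that is temporary by construction, so the blocklist does not become the ever-growing filter the Take Control section warns about.

```python
"""From dropped connections to a temporary block plus owner notification.

Added example for this post, not vuurmuur code.  SAMPLE_LOG and
IDENTITY_REGISTRY are constructed; the log layout is an assumption, not the
real vuurmuur traffic.log format.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: two days of firewall verdicts.
SAMPLE_LOG = """\
Dec 19 23:58:01: DROP  TCP 192.0.2.30:40001 -> 198.51.100.5:80
Dec 20 00:01:12: DROP  TCP 192.0.2.10:51234 -> 198.51.100.5:80
Dec 20 00:01:13: DROP  TCP 192.0.2.10:51235 -> 198.51.100.5:80
Dec 20 00:01:14: DROP  TCP 192.0.2.10:51236 -> 198.51.100.5:80
Dec 20 00:01:15: DROP  TCP 192.0.2.10:51237 -> 198.51.100.5:80
Dec 20 00:01:16: DROP  TCP 192.0.2.10:51238 -> 198.51.100.5:80
Dec 20 02:30:00: DROP  TCP 192.0.2.20:33000 -> 198.51.100.5:80
Dec 20 04:45:09: DROP  TCP 192.0.2.20:33001 -> 198.51.100.5:80
Dec 20 05:00:00: ACCEPT  TCP 192.0.2.40:44000 -> 198.51.100.5:22
""".splitlines()

# Assumed line layout: "<Mon DD> <HH:MM:SS>: DROP  <proto> <src>:<port> -> ..."
DROP_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} \d{2}) \S+ DROP\s+\S+ "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
)


def parse_drops(lines):
    """Yield (day, source_ip) for every DROP line; other verdicts are ignored."""
    for line in lines:
        m = DROP_RE.match(line)
        if m:
            yield m.group("day"), m.group("src")


def drops_per_source(lines, day):
    """Step 1: dropped attempts per source IP on one day."""
    return Counter(src for d, src in parse_drops(lines) if d == day)


def average_attempts(counts):
    """The post's crude figure: total drops divided by unique sources."""
    return sum(counts.values()) / len(counts) if counts else 0.0


def find_anomalies(counts, threshold):
    """Sources whose attempts that day exceed the threshold."""
    return sorted(ip for ip, n in counts.items() if n > threshold)


# Constructed registry: the identity-to-IP link the post wants to build.
IDENTITY_REGISTRY = {
    "192.0.2.10": {"owner": "Example Family PC", "contact": "owner@example.net"},
}


def respond(ip, attempts, now, block_for=timedelta(hours=6)):
    """Steps 2-4: temporary block, plus a notification if the owner is known."""
    expires = now + block_for
    action = {"ip": ip, "action": "block", "expires": expires, "attempts": attempts}
    owner = IDENTITY_REGISTRY.get(ip)
    if owner:
        action["notify"] = owner["contact"]
        action["message"] = (
            f"{owner['owner']}: {attempts} connection attempts from {ip} were "
            f"dropped today; the machine is probably infected. It is blocked until "
            f"{expires.isoformat(timespec='minutes')}. Please scan and clean it."
        )
    else:
        action["notify"] = None
        action["message"] = "owner unknown; blocked without notification"
    return action


def active_blocks(actions, now):
    """Keep only unexpired blocks so the list never grows without bound."""
    return [a for a in actions if a["expires"] > now]


if __name__ == "__main__":
    counts = drops_per_source(SAMPLE_LOG, "Dec 20")
    print("average attempts per source:", average_attempts(counts))
    now = datetime(2009, 12, 20, 6, 0)  # constructed clock
    for ip in find_anomalies(counts, threshold=3):
        print(respond(ip, counts[ip], now))
```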