Internet service providers responsibilities in botnet mitigation: a Nigerian perspective

ABSTRACT


INTRODUCTION
A network of infected computers or machines is called a botnet, and each of these computers is referred to as a bot. Hence, a botnet is a collection of compromised computers controlled by a botmaster, who distributes attacks over hundreds of computers across the Internet [1]. The cumulative bandwidth and large number of attacks make botnet-based attacks dangerous and difficult to overcome. In 2009, for instance, BredoLab created an estimated thirty million bots; another is the 'Star Wars' Twitter botnet, which, though its purpose is still unknown, is said to have compromised over 350,000 Twitter accounts [2]. One of the best known and largest botnet attacks was Citadel [3], where keyloggers were installed onto victims' computers, enabling the botmaster to monitor keystrokes on the infected systems. Over five million keystrokes of users across the globe were logged, resulting in over five hundred million dollars of losses [1,3].
Unlike other Internet malware, a botnet's distinguishing feature is its control communication network. As illustrated in Figure 1, with the arrows showing the direction of network connections, bots in the botnet connect to special hosts, the command-and-control (C&C) servers, which forward commands from the botmaster to the other bots in the network for a possible attack.
Nigeria is a country with very high Internet coverage and quality wired and wireless connections. Unfortunately, it is a key player in cybercrime and has become an ideal target for botnets, being a major source of spam [4,5]. This may be linked to the fast growth of Internet usage owing to the explosion of Internet service providers (ISPs), organisations that provide Internet services as well as software packages and e-mail accounts [6].

Figure 1. How a botnet works [7]

Prior to 2013, the four primary methods commonly used to mitigate DDoS attacks were commercial security software, criminal enforcement, botnet seizure by federal agencies, and private civil action [8]. However, such efforts, though valuable, are passive and limited by their focus on prevention [9,10]. A leading cloud-based service provider, CloudFlare, therefore offered DDoS protection capable of matching sophisticated DDoS attacks. This was more effective, but Sood et al. [3] and Lone et al. [8] argued that improved results are possible with boundless and collaborative efforts of both private and public organisations in Nigeria, including the ISPs, the Economic and Financial Crimes Commission (EFCC) and the Cybercrime Prevention Working Group. This study therefore aims at investigating the role of ISPs in Nigeria towards ascertaining their capability of combating botnets in isolation. Following a review of related studies in the next section, an overview of the incentives that attract ISPs to botnet mitigation is provided along with a reference model, while a table of mitigation measures for ISPs is summarised in the later part of this study.

RELATED WORK
Modular Integrated Services Limited [11] gave a broad overview of the numerous recommendations developed by the International Telecommunication Union to secure telecommunications infrastructure and associated services or applications, in which implementation of the international information society management standard was presented as the most comprehensive approach to combating botnets. Nonetheless, quantitative analyses [7,8] have consistently presented ISPs as the better guard against botnets because of their indispensable functional responsibilities. Nabil [12] therefore gave a classification that reflects the lifecycle and current resilience techniques of botnets, analysing commonalities from a network provider's perspective in order to design and implement mitigation strategies against botnets.
ISPs view their customer-security role as voluntary, since they have no legal obligation to secure their customers [6], yet they are in an optimal position to provide security to Internet users [9]. The empirical study and literature review of Timo et al. [5] claimed that no organisation can effectively combat botnets in isolation, only in conjunction with one another. However, Van Eeten et al. [13] recognised ISPs as a key control point in their study of spam traffic, where data were collected on the location of infected machines over time to examine the role of ISPs in mitigating botnets. This validates Stamatoudi's functional definition of an ISP as "a passive carrier that must block material access upon receiving notice of an alleged malware" [14].
Noting that ISPs in Nigeria may be unaware of the vulnerabilities that the use of their infrastructure poses, Longe et al. [1] conducted a survey on the impact of ISPs against botnets. Using a chi-square test at the 0.05 level of significance, their descriptive statistics showed that the level of security provided against crime by ISPs is relatively low, giving a positive relationship between the level of Internet crime and the attitude of ISPs to the safety of their networks. Hence, Brent et al. [9] believed that ISPs should be motivated and therefore proposed a further study to identify how best ISPs could be incentivised.

RESEARCH METHOD
A literature survey and an empirical study were conducted to examine the mitigation measures that (Nigerian) ISPs have taken, those they could have taken, and others they plan to take against botnets. The specific aim was to identify botnet C&C structures and their relevant features. A 'reference model' summarising mitigation measures (technical, organisational and juridical) was used. The empirical study was restricted to Nigeria: interviews were conducted to validate the results obtained from the literature study. The interviewees were security officers and service managers at top Nigerian ISPs who have a clear understanding of the incentives and mitigation measures.

ISPs AND SECURITY INCENTIVES
Since ISPs know what traffic traverses their network, they are in the best position to detect malicious traffic and quarantine the infected computers in their network [4]. Hence, they are mostly expected to take responsibility for mitigating spam, computer viruses, fraudulent email, and spyware [15]. However, since they are not the root cause of attacks and mitigation comes with its own cost, ISPs may be unwilling to take action if the responsibility does not attract incentives. Quantitative analyses [7,8] therefore attribute the low action rate in botnet mitigation mainly to a lack of incentives. Since ISPs naturally respond to economic (customer support, price, etc.) and non-economic (peer pressure, peer recognition, etc.) incentives [16], incentives here are those factors considered by both individual and organisational decision-makers when deciding whether to mitigate botnets.

Organisational incentives
These are factors over which ISPs have some level of control, which may include the business model, the priority given to security, cyber-insurance, awareness and training, participation in security efforts, size of customer base, cost of customer support, cost of abuse management, and cost of infrastructure expansion [17]. Bigger ISPs generally perform better, but they experience more security attacks and possibly more intervention [16], and therefore invest more in cyber-insurance. Similarly, the higher the usage of pirated software, the higher the ISP's exposure to botnets; and the higher the security awareness of customers and staff, the higher the competence and the lower the level of botnet attacks.
As [14] observes, "Very large ISPs are effectively exempted from peer pressure as others cannot afford to cut them off; much of the world's bad traffic comes from the networks of these 'too big to block' providers". However, large ISPs have lower infection rates than small ISPs [17], because they are highly automated in identifying, notifying and mitigating infected customers, which makes the mitigation process economically efficient [4].

Institutional incentives
These are factors beyond ISPs' direct control, instituted by policy makers or market conditions. They define the legal framework in which ISPs operate and include cyber-security laws and regulations, blacklisting, peer pressure, reputation effects, competitive cost pressure, cost of customer acquisition, and cost of mitigation technology [17]. Regulation, an effective incentive [18], requires cyber-security incidents to be mitigated nationally [19], since national anti-botnet centres themselves are hardly ever infected. National initiatives on botnet mitigation should therefore be promoted and good models circulated [20], while policy makers give ISPs more incentives for taking action [2]. Hence, ISPs are being pushed by regulatory bodies such as the Internet Engineering Task Force (IETF) and the Organisation for Economic Co-operation and Development (OECD) to clean up their customers' infected computers [21].
Where ISPs are mostly driven by institutional incentives, they would be expected to perform the same in botnet mitigation, and the incentive structure may have to be changed if they are to increase their efforts [16]. However, since ISPs perform very differently even when exposed to comparable institutional incentives and economic circumstances [16], country-level mitigation measures cannot be sufficient unless organisational incentives are addressed and realigned together with them.

Organisational vs institutional incentives
The incentive structure of an ISP is a function of institutional and organisational factors, two sets that are closely interrelated and very difficult to separate. While policy makers set institutional incentives, organisational ones are determined by the individual ISPs in line with the institutional incentives. Much work [18,22] has been done on the incentives of ISPs to improve security, and some incentives have been identified as enhancing security while others work against it. However, the net effect of these incentives on each ISP is still unclear, as ISPs behave differently when exposed to similar incentives. It is therefore important to know how much discretion each ISP has for botnet mitigation. Every ISP should decide how to mitigate botnets and determine its organisational incentives even when faced with a common set of institutional incentives as defined by the country's legal framework [16]. ISPs' attitude towards botnet mitigation is mostly determined by institutional incentives. However, their varying behaviour when subjected to the same incentives suggests that the legal framework on its own cannot be sufficient to mitigate botnets unless organisational incentives are also addressed and properly aligned [8].

Best practices and incentives
Although most Nigerian organisations are ill-equipped to mitigate malware threats, studies have shown that organisations cannot effectively mitigate botnets in isolation [5]. Private and public organisations collaborate to fight botnets, but individuals and corporate entities in the private sector still remain the biggest victims of cybercrime [23][24][25]. To fight all forms of financial and cyber-crime, the EFCC was therefore set up and empowered by the Nigerian government to work hand in hand with the Cybercrime Prevention Working Group to combat financial crimes.
Internationally, organisations such as the Anti-Phishing Working Group (APWG), the Communications Security, Reliability and Interoperability Council (CSRIC), the European Network and Information Security Agency (ENISA), the IT Association for Telecommunications, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), and the Online Trust Alliance (OTA) have come together for the sole purpose of mitigating botnets. Initiatives such as the Internet Exchange Point of Nigeria (IXPN) and the Association of Telecommunications Companies of Nigeria are empowering stakeholders through capacity building and encouraging synergy amongst the various agencies. This is because training, awareness, and public empowerment on cyber-security services, strategy, and intelligence building should stay ahead of cyber criminals [1,26], as public and private organisations have to reconsider their approaches to cyber threats in order to establish the required security practices on critical IT infrastructure [23]. ISPs should therefore consider, as top practices, awareness and training, continuous monitoring and log analysis, vulnerability and patch management, continuous risk assessment and treatment, management services and independent reviews [23]. Nigeria as a country also has to invest continuously in research and build local cyber-threat management infrastructure to improve its ability to anticipate, detect, respond to and contain cyber threats.

THE REFERENCE MODEL
This section presents a reference model (Table 1), similar to [4], in which botnet mitigation measures for ISPs are summarised. The model follows the structure of the anti-botnet lifecycle and ecosystem defined by the Online Trust Alliance (OTA) [20]. The sequence of five stages, prevention, detection, notification, remediation and recovery, makes up the anti-botnet lifecycle presented in Figure 2, where:
- Prevention: proactive measures of an ISP to protect users' devices from potential attacks.
- Detection: measures to identify threats, vulnerabilities or attacks on the ISP's network.
- Notification: measures taken by the ISP to alert customers of security breaches.
- Remediation: corrective measures initiated by the ISP to clean compromised systems of malicious software.
- Recovery: activities of the ISP targeted at recovering from the impact of an attack.

Mitigation measures
The Telecommunications Act [27] mandates ISPs to protect their customers against cybercrime through technical, organisational and legal measures, as postulated by Asghari [28]. Similarly, ISPs are expected to inform their customers of the risks related to the use of the web services offered by the ISPs, as well as what customers ought to do to reduce these risks. However, the Act [27] is silent on the role of ISPs when a botnet is detected in their network, implying that ISP action against botnets is not required by law. Having elaborated on the general botnet mitigation measures, this study adapted the measures derived by [4] to determine whether each measure observed by ISPs is aimed at their customers, the ISP itself, or other stakeholders, and whether the measure is technical, organisational, or legal. The research findings are presented in Table 1, following a detailed explanation of each lifecycle stage.

Prevention
Prevention is the first and most important security measure against potential cyber-attacks. Anticipatory measures such as anti-virus and anti-worm software and secured routers are good endpoint security solutions (PC-1) that have proven effective against botnet infections when provided by ISPs. Similarly, ISPs usually run a series of security awareness programmes (training, conferences, etc.) to raise their customers' awareness of botnet threats and mitigation (PC-2). Countries have associations (national and international) of ISPs and institutions (cyber security centres, etc.) where security issues are discussed and initiatives to mitigate botnets are developed (PO-4). They collaborate to share information and experiences towards mitigating botnets (PO-3).
Having realised that the safety of their customers' data also depends on their platform [8,14], ISPs embrace measures that safeguard their own operations and infrastructure. They keep themselves updated with security information (PI-7) and apply intrusion prevention systems (IPS) (PI-5) and other technical measures against

Detection
Even when adequate preventive measures are in place, security breaches may still occur, leading to systems being infected and added to a botnet. This is because control may not be total, especially in risk management processes such as change management, where process failure is possible. Detective controls are therefore required to identify errors, irregularities or attacks after they occur [10,29]. Botnet detection can be classified by what it targets: botmasters, bots or C&C servers. Detection is active when it relies on honeynets and passive when it relies on IDS using DNS-based, host-based, network-based or hybrid detection [4]. However, for reasons yet to be fully investigated, ISPs prefer to focus on bots.
ISPs provide portals that allow their customers to self-identify bot-malware infections (DC-1) and, in return, obtain information on possible attacks from customers (DC-2). Similarly, ISPs share information on detected botnet infections with other stakeholders (DC-3) and, in return, receive information on possible attacks from both the AbuseHub (DO-5) and external parties (DO-4). ISPs apply IDSs (DI-7) to detect issues on their network and honeynets (DI-6) for security issues around their internal operations and infrastructure. On detection of an infection, they validate the attack (DI-8) to avoid false positives and subsequently task an abuse team with handling the infection (DI-9).

Notification
An infected customer should be notified by the ISP (NC-1) once an infection is detected. Other ISPs should be adequately informed as well (NC-3) to increase awareness and avoid recurrence. Notification may be through email, phone calls or text/browser messages and should come with remedial measures (NC-2).

Remediation
Upon detecting infections and notifying the stakeholders (customers and other peer ISPs), ISPs take immediate remediation measures to address the compromised systems of a botnet. Infected customers are isolated (RC-1), information to mitigate potential botnet attacks is publicised (RC-2), and links to professional support are given to the customer (RC-3). Best practices for the removal of infections are shared only with stakeholders (RO-5), but information on the processes for dealing with the isolated compromised system is shared with both customers and other stakeholders (RV-4).

Recovery
This is the final step of the mitigation measures and is more of an extension of the remediation stage. Once the infection is removed, ISPs reactivate the customer's Internet connection (Re-1) and provide effective customer support throughout the recovery process (Re-2). Before the recovery process commences, ISPs ensure that customers are adequately informed of the possible impacts on their accounts and personal details (Re-3).
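The five lifecycle stages above, as an added example that is not part of the paper or of any ISP's own tooling: a small Python state machine that runs DNS-based detection over constructed resolver log lines, validates hits before acting (DI-8), notifies with remedial advice (NC-1/NC-2), isolates into a walled garden (RC-1) and reactivates after cleanup (Re-1). The log records, the indicator domain and the threshold of three lookups are constructed assumptions.

```python
from collections import Counter

# Constructed sample resolver log, one "<customer_id> <queried_domain>" record per line.
SAMPLE_DNS_LOG = """\
cust-A cc-example.invalid
cust-B news.example.org
cust-A cc-example.invalid
cust-C mail.example.org
cust-A cc-example.invalid
cust-B cc-example.invalid
cust-A cc-example.invalid
"""
# Constructed C&C indicator list, standing in for a feed received from external parties (DO-4).
CC_INDICATORS = {"cc-example.invalid"}


def detect(log_text, indicators):
    """Detection (DNS-based, passive): count lookups of indicator domains per customer."""
    hits = Counter()
    for line in log_text.splitlines():
        customer, domain = line.split()
        if domain.lower() in indicators:
            hits[customer] += 1
    return dict(hits)


def validate(hits, threshold=3):
    """Validation (DI-8): treat only customers with repeated indicator lookups as infected,
    so a single query (a typo or one-off lookup) is not reported as a false positive."""
    return {customer for customer, n in hits.items() if n >= threshold}


def notify(customer, hit_count):
    """Notification (NC-1) bundled with remedial advice (NC-2)."""
    return {
        "customer": customer,
        "reason": f"{hit_count} lookups of known C&C domains",
        "advice": "run an up-to-date anti-virus scan; a support link is provided (RC-3)",
    }


class IspLifecycle:
    """Per-customer state machine: notified -> isolated -> recovered."""
    def __init__(self):
        self.state = {}
        self.notices = []

    def run_detection(self, log_text, indicators, threshold=3):
        hits = detect(log_text, indicators)
        for customer in sorted(validate(hits, threshold)):
            self.notices.append(notify(customer, hits[customer]))
            self.state[customer] = "notified"
        return dict(self.state)

    def isolate(self, customer):
        """Remediation (RC-1): walled garden, only after the customer has been notified."""
        if self.state.get(customer) != "notified":
            raise ValueError(f"{customer} has not been notified; refusing to isolate")
        self.state[customer] = "isolated"
        return self.state[customer]

    def confirm_clean(self, customer):
        """Recovery (Re-1): reactivate the connection once the infection is confirmed removed."""
        if self.state.get(customer) != "isolated":
            raise ValueError(f"{customer} is not isolated")
        self.state[customer] = "recovered"
        return self.state[customer]
```

With the sample log, cust-A (four indicator lookups) passes validation and walks the full lifecycle, while cust-B's single lookup is left unreported.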

RESULTS AND DISCUSSION
This section validates the reference model used in this empirical study and interprets the results. The interviewees examined every part of the reference model for completeness and correctness to ascertain the validity and reliability of the research instrument. Common follow-up actions in mitigating botnets include shutting down C&C servers, hijacking C&C servers to hack back or infiltrating to dismantle the botnet from within, remote disinfection of compromised systems, unsolicited termination of customers' contracts after multiple attacks, and blocking of bot-malware-infected websites. This study recognises the importance of these additional actions. However, it does not extend the model to them, since both the cyber security centre (NCSC) and all the ISPs affirmed that they hardly cover such actions.
This study also noted that not every aspect of our model is applicable to every ISP. This is depicted in Table 1 and summarised in Table 2, where red represents aspects that are hardly applied by ISPs, tan those adopted by just a few ISPs, and orange those applied by all the ISPs in Nigeria. Although five security aspects are generally not attended to by the ISPs and nine others are practised by only a few, 16 out of 30 (53.33%) security aspects are duly practised by all Nigerian ISPs.
Despite not being the major causes of attacks [27,30], and although botnets are expensive to mitigate, ISPs still take safety against botnet attacks very seriously. Even though nine security aspects are not covered by two of the ISPs for administrative reasons, as shown in Table 2, Table 1 shows that these 16 aspects are in the ratio 7:5:4 for measures aimed at customers, the ISPs themselves, and others respectively. Hence, ISPs give higher priority to their customers' safety and are capable of performing advanced detection and follow-up actions. Only one out of the seven interviewed ISPs implements an IPS (PI5), and another one receives information on potential botnet attacks (DC2). None of the ISPs has a portal for customers to self-identify potential botnet infections (DC1); only two apply honeynets (DI6) and another two apply IDS (DI7) in their networks, and even then on a very small scale. The ISPs are generally not performing deep packet inspection, as they do not monitor the content of the traffic generated by their customers. They all attribute this to the potentially high running cost and are therefore looking at commercialising the service.
A notable number of ISPs apply technical measures such as password dualisation against botnet infections (PI6). Some offer SLAs to their customers (PI9) to bind their business relationship, while others broadcast botnet infections when detected (DO3) and even notify other ISPs to raise security awareness (NO3). Although a good number of ISPs provide links to professional support in case of infection (RC3), information sharing on the walled garden procedure (RV4) as well as sharing of best practices for the removal of infections (RO5) is limited. Only some ISPs apply remedial measures such as customer support (Re2) and awareness/enlightenment (Re3) on the potential impacts of recovery on personal data and accounts. Since prevention of attacks is always better than cure [30,31], ISPs are directing greater effort at botnet prevention and notification. Even though they are under no obligation to take such actions, they implement customer support processes for adequate prevention and detection [31] but little for remediation and recovery.

CONCLUSION
Fraudulent mails emanating from Nigeria have dented the image of Nigerian Internet users. This calls for further effective botnet mitigation, as a significant number of systems are continuously being attacked. Criminals are increasingly launching sophisticated attacks on Internet devices by deploying coordinated attacks such as malware threats, insider threats, data breaches (resulting from poor access controls) and system misconfigurations. Standard methods of reporting spam events, characterising particular spam, and sending spam control data may be helpful in fighting cybercrime in Nigeria, but a collaborative
ISSN: 2088-8708