The Chairman of the US Federal Communications Commission has recently made clear that he considers ISPs a crucial ally in the fight against botnets and has pushed for a voluntary code of conduct aimed at keeping their customers and the Internet infrastructure safe from a range of threats.
The plan is workable in practice, as the Swedish telecommunications company TeliaSonera has already shown: it implemented every action in the code years ahead of it and consequently earned a reputation as one of the cleanest ISPs in the world.
Arttu Lehmuskallio, Security Manager of TeliaSonera's CSIRT in Finland, shares details about the evolution of his company's automated monitoring and alerting system, the problems the team faced at its various stages and the solutions they came up with.
Although every ISP in the world has to battle malware, TeliaSonera is regarded as being the “cleanest of the clean.” You earned this reputation for safe computing by creating an automated monitoring and alerting system to identify infected devices, alert their owners, and remove the devices from the network until cleaned. How did the idea of this system come about and why do you think other ISPs are not doing the same?
Back in 1999 I started working on a team that, among other things, handled the abuse cases. Back then we didn't have any alerting systems, no abuse handling systems, no ticket systems. It was only about reading the abuse mailbox and reacting to cases on a case-by-case basis by manually browsing the logs and notifying customers and/or shutting customers' connections. Our mindset was and still is that we'll handle every single case. When talking about abuse by our customers, handling consists of three things:
a) determining whether the source information is legit
b) identifying the customer behind the IP address + timestamp
c) mitigating the source of abuse.
In 2001 we had 1000 cases. In 2002 we had 2000 cases. In 2003 we had 130 000 cases. You can imagine when the idea of an automated system came about.
As for your second question, I really don't know what all the ISPs of the world are doing and to what extent; we're just doing our thing and it seems to work. We have no data of our own to be able to compare ourselves to other ISPs, so I enjoy reading third-party stats and figures, which always seem to indicate that Finland is doing a great job. This indicates that plenty of other ISPs out there are not operating in a similar fashion.
My personal favorite of those studies is “The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data”, 2010/05, OECD Publishing, available here.
It would actually be quite interesting to see the data drilled down even further, so instead of comparing countries, we would be comparing individual ISPs.
A lot of the public debate has been circling around whether handling abuse is the ISP's responsibility and whether the whack-a-mole game is the right approach or whether it is actually counter-productive in the fight against Internet crime. While these are interesting debates, we've always felt that this is really about the quality of the services that we provide.
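The first two handling steps in the answer above, checking that the source information is legit and resolving an IP address plus timestamp to a customer, as an added example that is not TeliaSonera's code and does not describe their system. It correlates an abuse report against constructed lease records and treats a report timestamp without a UTC offset as not actionable, because on a dynamically addressed network the same IP changes hands at a lease boundary and a zone-less time can point at the wrong subscriber. The lease data, subscriber IDs, sample addresses and function names are all assumptions made for this example.

```python
"""Added example, not TeliaSonera's code: resolve an abuse report's
(IP address, timestamp) pair to a subscriber using constructed
DHCP/RADIUS-style lease records."""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber_id: str
    start: datetime            # inclusive
    end: Optional[datetime]    # exclusive; None means the lease is still active


# Constructed lease log (assumption): 198.51.100.7 is handed from one
# subscriber to another with a five-minute gap in between.
LEASES = [
    Lease("198.51.100.7", "cust-1001",
          datetime(2003, 3, 1, 8, 0, tzinfo=timezone.utc),
          datetime(2003, 3, 1, 20, 0, tzinfo=timezone.utc)),
    Lease("198.51.100.7", "cust-2042",
          datetime(2003, 3, 1, 20, 5, tzinfo=timezone.utc),
          None),
    Lease("198.51.100.9", "cust-3310",
          datetime(2003, 3, 1, 0, 0, tzinfo=timezone.utc),
          None),
]


def parse_report_time(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp from an abuse report and normalise it to UTC.
    A timestamp with no UTC offset is rejected: '2003-03-01 20:02' lands on a
    different side of the 20:00 lease boundary depending on the sender's zone."""
    dt = datetime.fromisoformat(ts)
    if dt.utcoffset() is None:
        raise ValueError("abuse report timestamp lacks a UTC offset: %r" % ts)
    return dt.astimezone(timezone.utc)


def validate_source(ip: str, ts: str) -> datetime:
    """Step (a): sanity-check the report before touching any customer data.
    Returns the normalised UTC timestamp if the report is usable."""
    addr = ip_address(ip)  # raises ValueError on garbage input
    # The sample data uses a documentation range, so RFC 1918 is not checked
    # here; a production filter would also reject private and bogon space.
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified or addr.is_link_local:
        raise ValueError("reported address cannot belong to a customer: %s" % ip)
    when = parse_report_time(ts)
    if when > datetime.now(timezone.utc) + timedelta(minutes=5):
        raise ValueError("report timestamp is in the future: %r" % ts)
    return when


def find_subscriber(ip: str, when: datetime, leases=LEASES) -> Optional[str]:
    """Step (b): return the subscriber whose lease covered `ip` at `when`,
    or None when the instant falls in a gap between leases (never guess)."""
    for lease in leases:
        if lease.ip != ip:
            continue
        if lease.start <= when and (lease.end is None or when < lease.end):
            return lease.subscriber_id
    return None


def attribute_report(ip: str, ts: str) -> Optional[str]:
    """Steps (a) and (b) together: validate the report, then look up the lease."""
    return find_subscriber(ip, validate_source(ip, ts))


if __name__ == "__main__":
    # Two reports two minutes apart, written in different zones, resolve to
    # different outcomes once normalised; the second falls in the lease gap.
    print(attribute_report("198.51.100.7", "2003-03-01T19:59:00+00:00"))
    print(attribute_report("198.51.100.7", "2003-03-01T22:02:00+02:00"))
```

The lease end is treated as exclusive and the start as inclusive, so a report stamped exactly at a boundary is attributed to the subscriber who held the address from that instant on; a report that falls in the gap between leases yields no subscriber rather than the nearest one.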