Botnet Detection and Mitigation in ISP Environments
Kickinger, T. (2015). Botnet Detection and Mitigation in ISP Environments (MSc Advanced Security & Digital Forensics). Edinburgh Napier University (Ramsay, B.,
Botnets are a computer security threat that evolved over the last few years. Typ-
ically, botnets are used for sending large volumes of spam emails, performing
coordinated network-based attacks, conducting identity theft or nancial fraud.
Internet service providers (ISPs) can play a major part in ghting botnets, as
they are able to detect and monitor botnet communication in their networks. It is
also in their self-interest to implement measures against botnets, as botnet threats
lead to signicant risks for business operations.
Because risks for ISPs have not been systematically analysed yet, this thesis aims
at a methodological risk analysis of botnets to enable an ISP to decide on measures
to minimise threats for its infrastructure. It answers the questions which threats
an ISP faces from botnets and which specic requirements and restrictions for
botnet detection and mitigation exist for an ISP environment.
After performing a literature review of relevant work, this thesis adopts the risk
assessment approach of the ISO/IEC 27005:2011 standard and applies it to an ISP
environment facing botnet threats. The process steps are applied to determine
the specics of botnets, to describe requirements and limiting factors of the ISP
environment, and to identify and analyse the resulting risks. The subsequent
qualitative evaluation of these risks regarding likelihood and business impact is
discussed to show which risks are most threatening for ISPs.
The identied top-rated risks of this work are: potential impact on ISP service
quality and performance, total loss of important services, getting blacklisted which
impairs legitimate trac, non-compliance of detection or mitigation measures, and
insucient performance or scalability of measures.
This work concludes with a discussion of the risk implications for ISPs and states
possible counter-measures. The results clearly show strong incentives to act on
these risks, however, still require a subsequent assessment of business value.