Is Network-Level Blocking the Right Solution to Limiting Botnet Traffic?

Is Network-Level Blocking the Right Solution to Limiting Botnet Traffic?

The Government of Canada, through the Canadian Radio-television and Telecommunications Commission, recently called on stakeholders to comment on its proposal to develop a network-level blocking framework that will limit the harm botnets cause to Canadians.

In the "Call for comments – Development of a network-level blocking framework to limit botnet traffic and strengthen Canadians’ online safety," the Commission said it’s the principal enforcement agency for the Personal Information Protection and Electronic Documents Act and the Telecommunications Act – Canada’s Anti-Spam Legislation, also known as CASL. “Botnet activity is by definition a CASL violation, as is the botnet itself,” the Commission said. “One way that TSPs [telecommunications service providers] can limit anti-CASL behaviour is by blocking botnet traffic.”

What Are Botnets?

Botnets are networks of hijacked computers that are infected by malicious software (malware). One way by which this malware arrives on the hijacked computer is through phishing – a type of cyberattack in which the attacker masquerades as a trusted entity and tricks an email receiver to click on a malicious attachment or link.

Clicking this malicious attachment or link could lead to the downloading and running of malware on the email recipient’s computer. Once the malware is inside the victim’s computer, it contacts the attacker’s command and control center, allowing the attacker to control the malware-infected computer and using it to commit cybercrimes such as further phishing campaigns, credential stuffing, ransomware, or distributed denial-of-service (DDoS).

Botnets Cybercrimes

According to Commission, botnets are the basis for an increasingly large proportion of cyber threats to individuals, corporations, and institutions in Canada.

In mid-March this year, Canada Revenue Agency (CRA) announced that it locked out 800,000 CRA user IDs and passwords as they may have been obtained by unauthorized third parties or have been identified as being available to unauthorized individuals.

CRA said, “We wish to reiterate that these user IDs and passwords were not compromised as a result of a breach of CRA’s online systems, rather they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA, such as email phishing schemes or third party data breaches.”

In August 2020, the Government of Canada, through the Treasury Board of Canada Secretariat, reported that attackers fraudulently accessed nearly 5,500 CRA accounts. In a press conference in August 2020, Marc Brouillard, acting Chief Technology Officer for the Treasury Board of Canada Secretariat said that at one point, the CRA web portal was attacked by a large amount of traffic using a "botnet to attempt to attack the services through credential stuffing".

Credential stuffing, also known as account takeover, uses a large number of stolen username and password combinations from other websites and tests these stolen credentials to login to a target website. Credential stuffing are launched through botnets and across different IP addresses.

Network-Level Blocking Framework Proposal

The Commission proposes that telecommunications service providers can introduce network-level blocking using a variety of techniques such as domain-based blocking, Internet Protocol (IP)-based blocking, and protocol-based blocking.

“Internet users access websites by clicking on links or by entering domains (www.example.com) into a browser,” Commission said. “To access a webpage, the domain has to first be translated into the IP address of the server that hosts the webpage. This translation happens through the Domain Name System (DNS), which maps domain names to IP addresses. Once the IP address is found, the Internet user’s device can then route communication to the website’s server and download the webpage.”

In domain-based blocking when an infected device requests a blocklisted command and control domain, the DNS will either reply that the domain is unknown or will redirect the user to a site stating that the requested domain isn’t permitted.

In IP-based blocking, a firewall is used to prevent communication to the IP addresses of suspected command and control servers while letting other communication through. Protocol-based blocking, meanwhile, refers to a targeted form of IP-based blocking limited to a select group of services on a specified server.

In its reply to the network-level blocking framework proposal, the Royal Canadian Mounted Police (RCMP) said it supports the Commission’s proposal as “criminal botnet operations and infrastructure continues to underpin various cybercrime threats, such as ransomware, Distributed Denial of Service (DDoS) attacks, campaign-level phishing activities, among other cyber intrusions.”

RCMP said that in 2016, it took part in a global effort to dismantle the network called “Avalanche,” which included a botnet infrastructure that facilitated the widespread malware attacks targeting financial institutions and other sectors. RCMP said that the dismantlement of the Avalanche network, which spread across 30 countries, resulted in multiple arrests, seizures of command and control server infrastructure, and over 800,000 domains were seized, sinkholed, or blocked.

In response to the Commission’s proposal, Bell Canada said, “There is no one-size-fits-all detection and mitigation method.” It added that once the Commission approves one type of blocking “malicious actors can be expected to change their techniques and implement new botnet strategies to evade the regulated mandatory form of blocking.”

In response to the Commission’s proposal, Rogers Communications said, “Blocking of botnet traffic is a highly technical matter that requires in-depth security intelligence.” It added that the “proposal for a single network blocking framework is not the best approach to tackle cyber crime.”

Telus Communications, for its part, said, “The Commission’s proposal to focus on TSPs in an effort to limit botnets is a narrow approach that, absent other stakeholder action, will be ineffective.” It added that network-level blocking is a “reactive measure – it is not implemented until malicious traffic is detected from an already

infected device.”