Internet Engineering Task Force (IETF)                      J. Livingood
Request for Comments: 6561                                       N. Mody
Category: Informational                                     M. O'Reirdan
ISSN: 2070-1721                                                  Comcast
                                                              March 2012

Recommendations for the Remediation of Bots in ISP Networks

Abstract

This document contains recommendations on how Internet Service Providers can use various remediation techniques to manage the effects of malicious bot infestations on computers used by their subscribers. Internet users with infected computers are exposed to risks such as loss of personal data and increased susceptibility to online fraud. Such computers can also become inadvertent participants in or components of an online crime network, spam network, and/or phishing network as well as be used as a part of a distributed denial-of-service attack. Mitigating the effects of and remediating the installations of malicious bots will make it more difficult for botnets to operate and could reduce the level of online crime on the Internet in general and/or on a particular Internet Service Provider's network.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6561.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Key Terminology
           1.1.1. Malicious Bots, or Bots
           1.1.2. Bot Networks, or Botnets
           1.1.3. Host
           1.1.4. Malware
           1.1.5. Fast Flux
   2. Problem Statement
   3. Important Notice of Limitations and Scope
   4. Detection of Bots
   5. Notification to Internet Users
      5.1. Email Notification
      5.2. Telephone Call Notification
      5.3. Postal Mail Notification
      5.4. Walled Garden Notification
      5.5. Instant Message Notification
      5.6. Short Message Service (SMS) Notification
      5.7. Web Browser Notification
      5.8. Considerations for Notification to Public Network Locations
      5.9. Considerations for Notification to Network Locations Using a Shared IP Address
      5.10. Notification and End User Expertise
   6. Remediation of Hosts Infected with a Bot
      6.1. Guided Remediation Process
      6.2. Professionally Assisted Remediation Process
   7. Failure or Refusal to Remediate
   8. Sharing of Data from the User to the ISP
   9. Security Considerations
   10. Privacy Considerations
   11. Acknowledgements
   12. Informative References
   Appendix A.  Examples of Third-Party Malware Lists
        
1. Introduction
This document contains recommendations on how Internet Service Providers can use various remediation techniques to manage the effects of malicious bot infestations on computers used by their subscribers. Internet users with infected computers are exposed to risks such as loss of personal data and increased susceptibility to online fraud. Such computers can also become inadvertent participants in or components of an online crime network, spam network, and/or phishing network as well as be used as a part of a distributed denial-of-service attack. Mitigating the effects of and remediating the installations of malicious bots will make it more difficult for botnets to operate and could reduce the level of online crime on the Internet in general and/or on a particular Internet Service Provider's network.

1.1. Key Terminology
This section defines the key terms used in this document.

1.1.1. Malicious Bots, or Bots
A malicious or potentially malicious bot (derived from the word "robot", hereafter simply referred to as a "bot") refers to a program that is installed on a system in order to enable that system to automatically (or semi-automatically) perform a task or set of tasks typically under the command and control of a remote administrator, or "bot master". Bots are also known as "zombies". Such bots may have been installed surreptitiously, without the user's full understanding of what the bot will do once installed, unknowingly as part of another software installation, under false pretenses, and/or in a variety of other possible ways.

It is important to note that there are "good" bots. Such good bots are often found interacting with a computing resource in environments such as gaming and Internet Relay Chat (IRC) [RFC1459], where a continual, interactive presence can be a requirement for participating in the games. Since such good bots are performing useful, lawful, and non-disruptive functions, there is no reason for a provider to monitor for their presence and/or alert users to their presence.

While there may be good, or harmless bots, for the purposes of this document, all mention of bots shall assume that the bots involved are malicious or potentially malicious in nature. Such malicious bots shall generally be assumed to have been deployed without the permission or conscious understanding of a particular Internet user. Thus, without a user's knowledge, bots may transform the user's computing device into a platform from which malicious activities can be conducted. In addition, included explicitly in this category are potentially malicious bots, which may initially appear neutral but may simply be waiting for remote instructions to transform and/or otherwise begin engaging in malicious behavior. In general, installation of a malicious bot without user knowledge and consent is considered in most regions to be unlawful, and the activities of malicious bots typically involve unlawful or other maliciously disruptive activities.

1.1.2. Bot Networks, or Botnets
A "bot network", or "botnet", is defined as a concerted network of bots capable of acting on instructions generated remotely. The malicious activities are either focused on the information on the local machine or acting to provide services for remote machines. Bots are highly customizable so they can be programmed to do many things. The major malicious activities include but are not limited to identity theft, spam, spim (spam over Instant Messaging (IM)), spit (spam over Internet telephony), email address harvesting, distributed denial-of-service (DDoS) attacks, key-logging, fraudulent DNS pharming (redirection), hosting proxy services, fast flux (see Section 1.1.5) hosting, hosting of illegal content, use in man-in-the-middle attacks, and click fraud.

Infection vectors (infection pathways) include un-patched operating systems, software vulnerabilities (which include so-called zero-day vulnerabilities where no patch yet exists), weak/non-existent passwords, malicious web sites, un-patched browsers, malware, vulnerable helper applications, inherently insecure protocols, protocols implemented without security features switched on, and social engineering techniques to gain access to the user's computer. The detection and destruction of bots is an ongoing issue and also a constant battle between the Internet security community and network security engineers on the one hand and bot developers on the other.

Initially, some bots used IRC to communicate but were easy to shut down if the command and control server was identified and deactivated. Newer command and control methods have evolved, such that those currently employed by bot masters make them much more resistant to deactivation. With the introduction of peer-to-peer (P2P) architectures and associated protocols, the use of HTTP and other resilient communication protocols, and the widespread adoption of encryption, bots are considerably more difficult to identify and isolate from typical network usage. As a result, increased reliance is being placed on anomaly detection and behavioral analysis, both locally and remotely, to identify bots.

1.1.3. Host
As used in the context of this document, the host or computer of an end user is intended to refer to a computing device that connects to the Internet. This encompasses devices used by Internet users such as personal computers (including laptops, desktops, and netbooks), mobile phones, smart phones, home gateway devices, and other end user computing devices that are connected or can connect to the public Internet and/or private IP networks.

Increasingly, other household systems and devices contain embedded hosts that are connected to or can connect to the public Internet and/or private IP networks. However, these devices may not be under interactive control of the Internet user, such as may be the case with various smart home and smart grid devices.

1.1.4. Malware
Malware is short for "malicious software". In this case, malicious bots are considered a subset of malware. Other forms of malware could include viruses and other similar types of software. Internet users can sometimes cause their hosts to be infected with malware, which may include a bot or cause a bot to install itself, via inadvertently accessing a specific web site, downloading a file, or other activities.

In other cases, Internet-connected hosts may become infected with malware through externally initiated malicious activities such as the exploitation of vulnerabilities or the brute force guessing of access credentials.

1.1.5. Fast Flux
Domain Name System (DNS) fast fluxing occurs when a domain is bound in DNS using A records to multiple IP addresses, each of which has a very short Time-to-Live (TTL) value associated with it. This means that the domain resolves to varying IP addresses over a short period of time.

DNS fast flux is typically used in conjunction with proxies that are normally run on compromised user hosts. These proxies route the web requests to the real host, which serves the data being sought. The effect of this is to make the detection of the real host much more difficult and to ensure that the backend or hidden site remains up for as long as possible.
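The following added example (my own code, not code from RFC 6561 or its authors) applies the definition above to the kind of passive-DNS observations a resolver operator can collect: it flags names whose A answers combine very short TTLs with a large and widely spread set of addresses. The `AObservation` record, the thresholds, and the sample observations are assumptions constructed for the example.

```python
# Added example (not part of RFC 6561): flag names whose A answers look like
# DNS fast flux, i.e. very short TTLs and a rapidly changing, widely spread
# set of addresses. Input mimics passive-DNS observations from a resolver.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address
from statistics import median


@dataclass(frozen=True)
class AObservation:
    name: str       # queried domain name
    seen_at: int    # time the answer was observed (seconds since epoch)
    address: str    # A record rdata
    ttl: int        # TTL carried in the answer


# Thresholds are illustrative assumptions, not values from the RFC.
MAX_FLUX_TTL = 300          # median TTL at or below five minutes counts as "short"
MIN_DISTINCT_ADDRESSES = 5  # distinct addresses needed inside the window
MIN_DISTINCT_NETS = 3       # spread over at least this many /24 networks


def net24(address: str) -> str:
    """Return the /24 network of an IPv4 address as a string key."""
    octets = IPv4Address(address).packed  # raises ValueError on malformed rdata
    return f"{octets[0]}.{octets[1]}.{octets[2]}.0/24"


def fast_flux_candidates(observations, window=3600):
    """Return {name: summary} for names with fast-flux characteristics.

    A name is a candidate when, within `window` seconds of its most recent
    answer, the median TTL is short and the answers cover many distinct
    addresses spread across several /24 networks. Short TTLs alone are not
    enough: CDNs and load balancers use them too, but usually within one or
    two provider blocks, so the spread requirement keeps most of those out.
    The output is a review list for an analyst, not a verdict.
    """
    by_name = defaultdict(list)
    for obs in observations:
        by_name[obs.name].append(obs)

    candidates = {}
    for name, obs_list in by_name.items():
        latest = max(o.seen_at for o in obs_list)
        recent = [o for o in obs_list if latest - o.seen_at <= window]
        ttl_median = median([o.ttl for o in recent])
        addresses = {o.address for o in recent}
        nets = {net24(a) for a in addresses}
        if (ttl_median <= MAX_FLUX_TTL
                and len(addresses) >= MIN_DISTINCT_ADDRESSES
                and len(nets) >= MIN_DISTINCT_NETS):
            candidates[name] = {
                "distinct_addresses": len(addresses),
                "distinct_nets": len(nets),
                "median_ttl": ttl_median,
            }
    return candidates


# Constructed sample data using documentation/benchmark address ranges.
T0 = 1_700_000_000
FLUX_ADDRESSES = [
    "198.51.100.11", "203.0.113.52", "192.0.2.130", "198.18.0.5",
    "198.51.100.77", "203.0.113.9", "192.0.2.201", "198.18.7.66",
]
SAMPLE = (
    # a name hopping across eight addresses in five /24s, TTL 60 seconds
    [AObservation("flux.example", T0 + i * 120, addr, 60)
     for i, addr in enumerate(FLUX_ADDRESSES)]
    # CDN-like: short TTL but only two addresses in one block
    + [AObservation("cdn.example", T0 + i * 120, f"192.0.2.{1 + i % 2}", 30)
       for i in range(8)]
    # ordinary name: one address, one-day TTL
    + [AObservation("static.example", T0 + i * 1200, "192.0.2.77", 86400)
       for i in range(3)]
)

if __name__ == "__main__":
    for name, summary in fast_flux_candidates(SAMPLE).items():
        print(name, summary)
```

Only `flux.example` is reported; the CDN-like name fails the address-spread test and the static name fails both. In practice the /24 spread test is a coarse stand-in for "many unrelated networks"; an operator with routing data would compare autonomous systems instead.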

2. Problem Statement
Hosts used by Internet users, which in this case are customers of an Internet Service Provider (ISP), can be infected with malware that may contain and/or install one or more bots on a host. They can present a major problem for an ISP for a number of reasons (not to mention, of course, the problems created for users). First, these bots can be used to send spam, in some cases very large volumes of spam [Spamalytics]. This spam can result in extra cost for the ISPs in terms of wasted network, server, and/or personnel resources, among many other potential costs and side effects. Such spam can also negatively affect the reputation of the ISP, their customers, and the email reputation of the IP address space used by the ISP (often referred to simply as "IP reputation"). A further potential complication is that IP space compromised by bad reputation may continue to carry this bad reputation even when used for entirely innocent purposes following reassignment of that IP space.

In addition, these bots can act as platforms for directing, participating in, or otherwise conducting attacks on critical Internet infrastructure [Threat-Report]. Bots are frequently used as part of coordinated DDoS attacks for criminal, political, or other motivations [Gh0st][Dragon][DDoS]. For example, bots have been used to attack Internet resources and infrastructure ranging from web sites to email servers and DNS servers, as well as the critical Internet infrastructure of entire countries [Estonia][Combat-Zone]. Motivations for such coordinated DDoS attacks can range from criminal extortion attempts through to online protesting and nationalistic fervor [Whiz-Kid]. DDoS attacks may also be motivated by simple personal vendettas or by persons simply seeking a cheap thrill at the expense of others.

There is good evidence to suggest that bots are being used in the corporate environment for purposes of corporate espionage including the exfiltration of corporate financial data and intellectual property. This also extends to the possibility of bots being used for state-sponsored purposes such as espionage.

While any computing device can be infected with bots, the majority of bot infections affect the personal computers used by Internet end users. As a result of the role of ISPs in providing IP connectivity, among many other services, to Internet users, these ISPs are in a unique position to be able to attempt to detect and observe botnets operating in their networks. Furthermore, ISPs may also be in a unique position to be able to notify their customers of actual, potential, or likely infection by bots or other infection.

From the perspective of end users, being notified that they may have an infected computer on their network is important information. Once they know this, they can take steps to remove the bots, resolve any problems that may stem from the bot infection, and protect themselves against future threats. It is important to notify users that they may be infected with a bot because bots can consume vast amounts of local computing and network resources, enable theft of personal information (including personal financial information), enable the host to be used for criminal activities (that may result in the Internet user being legally culpable), and destroy or leave the host in an unrecoverable state via "kill switch" bot technologies.

As a result, the intent of this document is to provide guidance to ISPs and other organizations for the remediation of hosts infected with bots, so as to reduce the size of botnets and minimize the potential harm that bots can inflict upon Internet infrastructure in general as well as on individual Internet users. Efforts by ISPs and other organizations can, over time, reduce the pool of hosts infected with bots on the Internet, which in turn could result in smaller botnets with less capability for disruption.

The potential mitigation of bots is accomplished through a process of detection, notification to Internet users, and remediation of bot infections with a variety of tools, as described later in this document.

3. Important Notice of Limitations and Scope
The techniques described in this document in no way guarantee the remediation of all bots. Bot removal is potentially a task requiring specialized knowledge, skills, and tools; it may be beyond the ability of average users. Attempts at bot removal may frequently be unsuccessful, or only partially successful, leaving the user's system in an unstable and unsatisfactory state or even in a state where it is still infected. Attempts at bot removal can result in side effects ranging from a loss of data to partial or complete loss of system usability.

In general, the only way a user can be sure they have removed some of today's increasingly sophisticated malware is by "nuking-and-paving" the system: reformatting the drive, reinstalling the operating system and applications (including all patches) from scratch, and then restoring user files from a known clean backup. However, the introduction of persistent memory-based malware may mean that, in some cases, this may not be enough and may prove to be more than any end user can be reasonably expected to resolve [BIOS]. Experienced users would have to re-flash or re-image persistent memory sections or components of their hosts in order to remove persistent memory-based malware. However, in some cases, not even nuking-and-paving the system will solve the problem, which calls for hard drive replacement and/or complete replacement of the host.

Devices with embedded operating systems, such as video gaming consoles and smart home appliances, will most likely be beyond a user's capability to remediate by themselves and could therefore require the aid of vendor-specific advice, updates, and tools. However, in some cases, such devices will have a function or switch to enable the user to reset that device to a factory default configuration, which may sometimes enable the user to remediate the infection. Care should be taken when imparting remediation advice to Internet users given the increasingly wide array of computing devices that can be, or could be, infected by bots in the future.

This document is not intended to address the issues relating to the prevention of bots on an end user device. This is out of the scope of this document.

4. Detection of Bots
An ISP must first identify that an Internet user is infected or likely to have been infected with a bot (a user is assumed to be their customer or otherwise connected to the ISP's network). The ISP should attempt to detect the presence of bots using methods, processes, and tools that maintain the privacy of the personally identifiable information (PII) of their customers. The ISP should not block legitimate traffic in the course of bot detection and should instead employ detection methods, tools, and processes that seek to be non-disruptive and transparent to Internet users and end user applications.

Detection methods, tools, and processes may include analysis of specific network and/or application traffic flows (such as traffic to an email server), analysis of aggregate network and/or application traffic data, data feeds received from other ISPs and organizations (such as lists of the ISP's IP addresses that have been reported to have sent spam), feedback from the ISP's customers or other Internet users, as well as a wide variety of other possibilities. In practice, it has proven effective to confirm a bot infection through the use of a combination of multiple bot detection data points. This can help to corroborate information of varying dependability or consistency, as well as to avoid or minimize the possibility of false positive identification of hosts. Detection should also, where possible and feasible, attempt to classify the specific bot infection type in order to confirm that it is malicious in nature, estimate the variety and severity of threats it may pose (such as spam bot, key-logging bot, file distribution bot, etc.), and determine potential methods for eventual remediation. However, given the dynamic nature of botnet management and the criminal incentives to seek quick financial rewards, botnets frequently update or change their core capabilities. As a consequence, botnets that are initially detected and classified by the ISP as made up of one particular type of bot need to be continuously monitored and tracked in order to correctly identify the threat the botnet poses at any particular point in time.

Detection is also time sensitive. If complex analysis is required and multiple confirmations are needed to verify a bot is indeed present, then it is possible that the bot may cause some damage (to either the infected host or a remotely targeted system) before it can be stopped. This means that an ISP needs to balance the desire or need to definitively classify and/or confirm the presence of a bot, which may take an extended period of time, with the ability to predict the likelihood of a bot in a very short period of time. Such determinations must have a relatively low false positive rate in order to maintain the trust of users. This "definitive-versus-likely" challenge is difficult and, when in doubt, ISPs should err on the side of caution by communicating that a bot infection has taken place. This also means that Internet users may benefit from the installation of client-based security software on their host. This can enable rapid heuristically based detection of bot activity, such as the detection of a bot as it starts to communicate with other botnets and execute commands. Any bot detection system should also be capable of adapting, either via manual intervention or automatically, in order to cope with a rapidly evolving threat.
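As an added example (my own code, not from RFC 6561 or its authors), the following Python sketches the corroboration and the "definitive-versus-likely" trade-off described in the two paragraphs above: the detection data points seen for one subscriber IP are combined so that a "likely" verdict needs at least two independent sources, repeated reports from the same feed count only once, and a single near-definitive source can still confirm an infection quickly. The source names, their weights, the thresholds, and the sample signals are assumptions constructed for illustration.

```python
# Added example (not part of RFC 6561): corroborate bot-detection signals
# from several independent data points before deciding whether a subscriber
# host is "confirmed", "likely" or merely worth monitoring. Source names,
# weights and thresholds are assumptions chosen for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    ip: str            # subscriber IP the signal refers to
    source: str        # detection method that produced it (key of SOURCE_WEIGHT)
    category: str      # bot type if the source knows it ("spam", "keylogger", ...) or "unknown"
    confidence: float  # 0.0 .. 1.0 as reported by the source


# How far the ISP trusts each kind of data point (assumed values).
SOURCE_WEIGHT = {
    "mail_server_flow": 0.6,  # ISP's own mail servers saw outbound spam bursts
    "netflow_anomaly": 0.4,   # aggregate traffic analysis flagged the host
    "third_party_feed": 0.5,  # external list reporting the IP (e.g. for spam)
    "customer_report": 0.3,   # user feedback or abuse complaint
    "sinkhole_contact": 0.9,  # host contacted a sinkholed C2 name; near-definitive
}
LIKELY_THRESHOLD = 0.6       # notify the user as "likely infected"
DEFINITIVE_THRESHOLD = 0.9   # treat the infection as confirmed
MIN_SOURCES_FOR_LIKELY = 2   # a "likely" verdict needs corroboration


def assess(signals):
    """Return {ip: verdict} combining all signals seen for each IP.

    Repeated reports from the same source are not independent evidence, so
    only the strongest report per source counts. Independent sources are then
    combined as 1 - prod(1 - weight * confidence): each extra source raises the
    score, but a single weak source never reaches the notification threshold.
    """
    per_ip = defaultdict(dict)  # ip -> {source: strongest signal from it}
    for s in signals:
        if s.source not in SOURCE_WEIGHT:
            raise ValueError(f"unknown signal source: {s.source}")
        if not 0.0 <= s.confidence <= 1.0:
            raise ValueError(f"confidence out of range: {s.confidence}")
        best = per_ip[s.ip].get(s.source)
        if best is None or s.confidence > best.confidence:
            per_ip[s.ip][s.source] = s

    verdicts = {}
    for ip, by_source in per_ip.items():
        miss = 1.0
        for src, s in by_source.items():
            miss *= 1.0 - SOURCE_WEIGHT[src] * s.confidence
        score = round(1.0 - miss, 4)
        bot_types = sorted({s.category for s in by_source.values()
                            if s.category != "unknown"})
        if score >= DEFINITIVE_THRESHOLD:
            status = "confirmed"
        elif score >= LIKELY_THRESHOLD and len(by_source) >= MIN_SOURCES_FOR_LIKELY:
            status = "likely"
        else:
            status = "monitor"
        verdicts[ip] = {"status": status, "score": score,
                        "sources": sorted(by_source), "bot_types": bot_types}
    return verdicts


# Constructed signals (documentation address range, not real subscribers).
SAMPLE_SIGNALS = [
    # three independent sources agree: likely spam bot
    Signal("198.51.100.10", "mail_server_flow", "spam", 0.8),
    Signal("198.51.100.10", "third_party_feed", "spam", 0.9),
    Signal("198.51.100.10", "customer_report", "unknown", 0.5),
    # one near-definitive source is enough on its own
    Signal("198.51.100.20", "sinkhole_contact", "c2_beacon", 1.0),
    # the same feed reporting three times is still one data point
    Signal("198.51.100.30", "third_party_feed", "spam", 0.9),
    Signal("198.51.100.30", "third_party_feed", "spam", 0.9),
    Signal("198.51.100.30", "third_party_feed", "spam", 0.7),
    # single anomaly hit with no classification: keep watching
    Signal("198.51.100.40", "netflow_anomaly", "unknown", 0.9),
]

if __name__ == "__main__":
    for ip, verdict in assess(SAMPLE_SIGNALS).items():
        print(ip, verdict)
```

The combination rule is deliberately conservative in the direction the text recommends: when evidence is thin the host stays in "monitor" and is re-evaluated as new data points arrive, while the `bot_types` field carries whatever classification the sources provided so that notification and remediation advice can be tailored to it.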

As noted above, detection methods, tools, and processes should ensure that privacy of customers' personally identifiable information (PII) is maintained. This protection afforded to PII should also extend to third parties processing data on behalf of ISPs. While bot detection methods, tools, and processes are similar to spam and virus defenses deployed by the ISP for the benefit of their customers (and may be directly related to those defenses), attempts to detect bots should take into account the need of an ISP to take care to ensure any PII collected or incidentally detected is properly protected. This is important because just as spam defenses may involve scanning the content of email messages, which may contain PII, then so too may bot defenses similarly come into incidental contact with PII. The definition of PII varies from one jurisdiction to the next so proper care should be taken to ensure that any actions taken comply with legislation and good practice in the jurisdiction in which the PII is gathered. Finally, depending upon the geographic region within which an ISP operates, certain methods relating to bot detection may need to be included in relevant terms of service documents or other documents that are available to the customers of a particular ISP.

There are several bot detection methods, tools, and processes that an ISP may choose to utilize, as noted in the list below. It is important to note that the technical solutions available are relatively immature and are likely to change over time, evolving rapidly in the coming years. While these items are described in relation to ISPs, they may also be applicable to organizations operating other networks, such as campus networks and enterprise networks.

a. Where it is not legally proscribed and an accepted industry practice in a particular market region, an ISP may in some manner "scan" its IP space in order to detect un-patched or otherwise vulnerable hosts or to detect the signs of infection. This may provide the ISP with the opportunity to easily identify Internet users who appear already to be infected or are at great risk of being infected with a bot. ISPs should note that some types of port scanning may leave network services in a hung state or render them unusable due to common frailties and that many modern firewall and host-based intrusion detection implementations may alert the Internet user to the scan. As a result, the scan may be interpreted as a malicious attack against the host. Vulnerability scanning has a higher probability of leaving accessible network services and applications in a damaged state and will often result in a higher probability of detection by the Internet user and subsequent interpretation as a targeted attack. Depending upon the vulnerability for which an ISP may be scanning, some automated methods of vulnerability checking may result in data being altered or created afresh on the Internet user's host, which can be a problem in many legal environments. It should also be noted that due to the prevalence of Network Address Translation devices, Port Address Translation devices, and/or firewall devices in user networks, network-based vulnerability scanning may be of limited value. Thus, while we note that this is one technique that may be utilized, it is unlikely to be particularly effective and has problematic side effects, which leads the authors to recommend against the use of this particular method.

b. An ISP may also communicate and share selected data, via feedback loops or other mechanisms, with various third parties. Feedback loops are consistently formatted feeds of real-time (or nearly real-time) abuse reports offered by threat data clearinghouses, security alert organizations, other ISPs, and other organizations. The formats for feedback loops include those defined in both the Abuse Reporting Format (ARF) [RFC5965] and the Incident Object Description Exchange Format (IODEF) [RFC5070]. The data may include, but is not limited to, IP addresses of hosts that appear to be either definitely or probably infected, IP addresses, domain names or fully qualified domain names (FQDNs) known to host malware and/or be involved in the command and control of botnets, recently tested or discovered techniques for detecting or remediating bot infections, new threat vectors, and other relevant information. A few good examples of data sharing are noted in Appendix A.

c. An ISP may use Netflow [RFC3954] or other similar passive network monitoring to identify network anomalies that may be indicative of botnet attacks or bot communications. For example, an ISP may be able to identify compromised hosts by identifying traffic destined to IP addresses associated with the command and control of botnets or destined to the combination of an IP address and control port associated with a command and control network (sometimes command and control traffic comes from a host that has legitimate traffic). In addition, bots may be identified when a remote host is under a DDoS attack, because hosts participating in the attack will likely be infected by a bot. This can often be observed at network borders although ISPs should beware of source IP address spoofing techniques that may be employed to avoid or confuse detection.

d. An ISP may use DNS-based techniques to perform detection. For example, a given classified bot may be known to query a specific list of domain names at specific times or on specific dates (as in the example of the so-called "Conficker" bot; see [Conficker]); such a bot can often be detected by matching DNS queries to a well-known list of domains associated with malware. In many cases, such lists are distributed by or shared using third parties, such as threat data clearinghouses.

e. Because hosts infected by bots are frequently used to send spam or participate in DDoS attacks, the ISP servicing those hosts will normally receive complaints about the malicious network traffic. Those complaints may be sent to role accounts specified in RFC 2142 [RFC2142], such as abuse@, or to other relevant addresses such as to abuse or security addresses specified by the site as part of its WHOIS (or other) contact data.

f. ISPs may also discover likely bot-infected hosts located on other networks. Thus, when legally permissible in a particular market region, it may be worthwhile for ISPs to share information relating to those compromised hosts with the relevant remote network operator, security researchers, and blocklist operators.

g. ISPs may operate or subscribe to services that provide "sinkholing" or "honeynet" capabilities. This may enable the ISP to obtain near-real-time lists of bot-infected hosts as they attempt to join a larger botnet or propagate to other hosts on a network.

h. ISP industry associations should examine the possibility of collating statistics from ISP members in order to provide good statistics about bot infections based on real ISP data.

i. An Intrusion Detection System (IDS) can be a useful tool to actually help identify the malware. An IDS tool such as Snort (open source IDS platform; see [Snort]) can be placed in a walled garden and used to analyze end user traffic to confirm malware type. This will help with remediation of the infected device.

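The following is an added example, not code from RFC 6561 or from any ISP: a Python routine that parses an ARF report of the kind a feedback loop delivers (item b above) and checks that the reported Source-IP lies inside the ISP's own address space before the report is acted on, so that reports about addresses the ISP does not operate are not turned into customer notifications. The prefixes, the report text and every address in it are constructed for this example.

```python
# Added example (not part of RFC 6561): parse an ARF (RFC 5965) abuse report
# received through a feedback loop and check that the reported source address
# falls inside the ISP's own address space before anything is done with it.
# The report text, the prefix list and all addresses are constructed.
import email
import ipaddress
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed prefixes operated by a hypothetical ISP.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8::/32")]

# Constructed ARF report: multipart/report with the three parts RFC 5965
# defines (human-readable text, machine-readable feedback-report, original message).
SAMPLE_ARF = """\
From: fbl@mailbox.example
To: abuse@isp.example
Subject: FW: Earn money
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="part1"

--part1
Content-Type: text/plain; charset="US-ASCII"

This is an email abuse report for a message received from
IP 192.0.2.1 on Thu, 8 Mar 2012 14:00:00 -0400.

--part1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: SomeGenerator/1.0
Version: 1
Original-Mail-From: <spammer@example.net>
Original-Rcpt-To: <user@example.com>
Arrival-Date: Thu, 8 Mar 2012 14:00:00 -0400
Source-IP: 192.0.2.1
Reported-Domain: example.net

--part1
Content-Type: message/rfc822

From: <spammer@example.net>
To: <user@example.com>
Subject: Earn money
Date: Thu, 8 Mar 2012 13:59:00 -0400

Spam Spam Spam
--part1--
"""


def feedback_fields(raw):
    """Return the header fields of the message/feedback-report part as a dict."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF report")
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            payload = part.get_payload()
            # The stdlib parser nests a Message for message/* parts; fall back
            # to parsing the text as headers in case it is left as a string.
            fields = payload[0] if isinstance(payload, list) else HeaderParser().parsestr(payload)
            return {name: value.strip() for name, value in fields.items()}
    raise ValueError("no message/feedback-report part")


def classify_report(raw):
    """Summarise an ARF report and flag whether the source is one of our addresses."""
    fields = feedback_fields(raw)
    if "Source-IP" not in fields:
        raise ValueError("report has no Source-IP")
    src = ipaddress.ip_address(fields["Source-IP"])
    arrival = parsedate_to_datetime(fields["Arrival-Date"]) if "Arrival-Date" in fields else None
    return {
        "source_ip": str(src),
        "ours": any(src in net for net in OUR_PREFIXES),
        "feedback_type": fields.get("Feedback-Type", "").lower(),
        "arrival": arrival,
    }


if __name__ == "__main__":
    print(classify_report(SAMPLE_ARF))
```

A report whose Source-IP is not in OUR_PREFIXES is the case item f describes from the other side: it belongs with the remote network operator, not in this ISP's notification queue.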

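As an added example (not code from RFC 6561 or from any ISP), the following Python shows the passive matching that items c and d describe: flow records compared against command-and-control indicators, using the address:port form where the C2 server also carries legitimate traffic, DNS query logs compared against a malware domain list, and a count of distinct sources per target as corroborating evidence of DDoS participation. All indicators, flow records and query log entries are constructed.

```python
# Added example (not part of RFC 6561): passive detection of likely bot-infected
# hosts from flow records matched against command-and-control indicators
# (item c above) and from DNS query logs matched against a malware domain list
# (item d). The indicators, flow records and DNS log entries are all constructed.
from collections import defaultdict

# Constructed C2 indicators of the kind a threat data clearinghouse might share.
# A bare address matches any port; an "address:port" entry matches only that
# port, for C2 servers that also carry legitimate traffic (see item c).
C2_INDICATORS = {"198.51.100.7", "203.0.113.9:6667"}

# Constructed malware domain list (item d); an entry covers its subdomains too.
MALWARE_DOMAINS = {"c2.bad.example", "update-check.example"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("192.0.2.10", "203.0.113.9", 6667, 1200),   # listed address:port
    ("192.0.2.11", "203.0.113.9", 443, 5000),    # same server, unlisted port
    ("192.0.2.12", "198.51.100.7", 80, 300),     # listed address, any port
    ("192.0.2.13", "192.0.2.200", 53, 64),       # ordinary resolver traffic
    ("192.0.2.14", "198.51.100.99", 80, 40),     # three sources hitting one
    ("192.0.2.15", "198.51.100.99", 80, 40),     # target: attack-like pattern
    ("192.0.2.16", "198.51.100.99", 80, 40),
]

# Constructed DNS query log: (client_ip, query_name).
DNS_QUERIES = [
    ("192.0.2.13", "www.c2.bad.example."),
    ("192.0.2.11", "www.example.com."),
]


def flow_matches_c2(dst_ip, dst_port):
    """True if the flow destination is a listed C2 address or address:port."""
    return dst_ip in C2_INDICATORS or f"{dst_ip}:{dst_port}" in C2_INDICATORS


def domain_is_listed(qname):
    """True if the query name or any parent domain is on the malware list."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in MALWARE_DOMAINS for i in range(len(labels)))


def suspected_hosts(flows, queries):
    """Map each local address to the evidence that it is bot-infected."""
    evidence = defaultdict(list)
    for src, dst, port, _ in flows:
        if flow_matches_c2(dst, port):
            evidence[src].append(f"flow to C2 {dst}:{port}")
    for client, qname in queries:
        if domain_is_listed(qname):
            evidence[client].append(f"DNS query for {qname}")
    return dict(evidence)


def attack_participants(flows, min_sources=3):
    """Group flows by target; many distinct sources to one target suggests
    DDoS participation. Sources may be spoofed, so this is corroborating
    evidence only, not proof that a given source is infected."""
    sources = defaultdict(set)
    for src, dst, port, _ in flows:
        sources[(dst, port)].add(src)
    return {target: srcs for target, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    for host, why in suspected_hosts(FLOWS, DNS_QUERIES).items():
        print(host, why)
    print(attack_participants(FLOWS))
```

Note that 192.0.2.11 is not flagged: it talks to the listed server only on an unlisted port, which is exactly the case the address:port form of the indicator exists for.
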
5. Notification to Internet Users

Once an ISP has detected a bot, or the strong likelihood of a bot, steps should be undertaken to inform the Internet user that they may have a bot-related problem. An ISP should decide the most appropriate method or methods for providing notification to one or more of their customers or Internet users, depending upon a range of factors including the technical capabilities of the ISP, the technical attributes of its network, financial considerations, available server resources, available organizational resources, the number of likely infected hosts detected at any given time, and the severity of any possible threats. Such notification methods may include one or more of the methods described in the following subsections, as well as other possible methods not described below.

It is important to note that none of these methods are guaranteed to be one hundred percent successful and that each has its own set of limitations. In addition, in some cases, an ISP may determine that a combination of two or more methods is most appropriate and effective and reduces the chance that malware may block a notification. As such, the authors recommend the use of multiple notification methods. Finally, notification is also considered time sensitive; if the user does not receive or view the notification in a timely fashion, then a particular bot could launch an attack, exploit the user, or cause other harm. If possible, an ISP should establish a preferred means of communication when the subscriber first signs up for service. As a part of the notification process, ISPs should maintain a record of the allocation of IP addresses to subscribers for a period long enough to allow any commonly used bot detection technology to be able to accurately link an infected IP address to a subscriber. This record should only be maintained for a period of time that is necessary to support bot detection, but no longer, in order to protect the privacy of the individual subscriber.

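An added example (not from RFC 6561) of the point-in-time lookup such a record must support: an address named in a report is attributed to the subscriber who held it at the report's timestamp, and records are purged once they are older than a retention period. The lease records, subscriber identifiers and the 30-day retention value are constructed; attribute_report, subscriber_at and purge_expired are names chosen for this example. The timezone check matters in practice: an RFC 5322 date ending in "-0000" carries no timezone, and attributing such a timestamp as if it were local time is a common way to notify the wrong subscriber.

```python
# Added example (not part of RFC 6561): link an IP address named in an abuse
# report, at the time the report gives, to the subscriber who held that
# address then, and purge allocation records once they are older than a
# fixed retention period. The lease records, subscriber identifiers and the
# 30-day retention value are constructed for this example.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

RETENTION = timedelta(days=30)  # assumed policy value, not taken from the RFC
UTC = timezone.utc

# Constructed allocation records: (ip, subscriber_id, start, end);
# end=None means the address is still held.
LEASES = [
    ("192.0.2.10", "sub-1001", datetime(2012, 3, 1, 0, 0, tzinfo=UTC),
     datetime(2012, 3, 5, 12, 0, tzinfo=UTC)),
    ("192.0.2.10", "sub-2002", datetime(2012, 3, 5, 12, 0, tzinfo=UTC), None),
    ("192.0.2.11", "sub-3003", datetime(2012, 1, 1, 0, 0, tzinfo=UTC),
     datetime(2012, 1, 20, 0, 0, tzinfo=UTC)),
]


def subscriber_at(leases, ip, when):
    """Return the subscriber holding `ip` at `when`, or None if nobody did.

    `when` must be timezone-aware: a naive timestamp from a report is
    ambiguous and is the usual cause of attributing an address to the
    wrong subscriber. Lease start is inclusive, lease end exclusive."""
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    for lease_ip, subscriber, start, end in leases:
        if lease_ip == ip and start <= when and (end is None or when < end):
            return subscriber
    return None


def attribute_report(leases, ip, date_header):
    """Resolve an RFC 5322 date string (e.g. an ARF Arrival-Date) and look
    the address up. A "-0000" zone yields a naive datetime and is rejected."""
    return subscriber_at(leases, ip, parsedate_to_datetime(date_header))


def purge_expired(leases, now):
    """Drop records whose lease ended more than RETENTION before `now`;
    `now` may be an aware datetime or an RFC 5322 date string."""
    if isinstance(now, str):
        now = parsedate_to_datetime(now)
    cutoff = now - RETENTION
    return [lease for lease in leases if lease[3] is None or lease[3] >= cutoff]


if __name__ == "__main__":
    print(attribute_report(LEASES, "192.0.2.10", "Mon, 5 Mar 2012 08:00:00 -0400"))
    print(len(purge_expired(LEASES, "Sat, 10 Mar 2012 00:00:00 +0000")))
```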

One important factor to bear in mind is that notification to end users needs to be resistant to potential spoofing. This should be done to protect, as reasonably as possible, against the potential of legitimate notifications being spoofed and/or used by parties with intent to perform additional malicious attacks against victims of malware or even to deliver additional malware.

It should be possible for the end user to indicate the preferred means of notification on an opt-in basis for that notification method. It is recommended that the end user should not be allowed to opt out of notification entirely.

When users are notified, an ISP should endeavor to give as much information as possible to the end user regarding which bot detection methods are employed at the ISP, consonant with not providing information to those creating or deploying the bots so that they would be able to avoid detection.

5.1. Email Notification

This is a common form of notification used by ISPs. One drawback of using email is that it is not guaranteed to be viewed within a reasonable time frame, if at all. The user may be using a different primary email address than the one they provided to the ISP. In addition, some ISPs do not provide an email account at all as part of a bundle of Internet services and/or do not have a need for or method by which to request or retain the primary email addresses of Internet users of their networks. Another possibility is that the user, their email client, and/or their email servers could determine or classify such a notification as spam, which could delete the message or otherwise file it in an email folder that the user may not check on a regular and/or timely basis. Bot masters have also been known to impersonate the ISP or trusted sender and send fraudulent emails to the users. This technique of social engineering often leads to new bot infestations. Finally, if the user's email credentials are compromised, then a hacker and/or a bot could simply access the user's email account and delete the email before it is read by the user.

5.2. Telephone Call Notification

A telephone call may be an effective means of communication in particularly high-risk situations. However, telephone calls may not be feasible due to the cost of making a large number of calls, as measured in either time, money, organizational resources, server resources, or some other means. In addition, there is no guarantee that the user will answer their phone. To the extent that the telephone number called by the ISP can be answered by the infected computing device, the bot on that host may be able to disconnect, divert, or otherwise interfere with an incoming call. Users may also interpret such a telephone notification as a telemarketing call and therefore not welcome it or not accept the call at all. Finally, even if a representative of the ISP is able to connect with and speak to a user, that user is very likely to lack the necessary technical expertise to understand or be able to effectively deal with the threat.

5.3. Postal Mail Notification

This form of notification is probably the least popular and effective means of communication, due to preparation time, delivery time, the cost of printing and paper, and the cost of postage.

5.4. Walled Garden Notification

Placing a user in a walled garden is another approach that ISPs may take to notify users. A "walled garden" refers to an environment that controls the information and services that a subscriber is allowed to utilize and what network access permissions are granted. A walled garden implementation can range from strict to leaky. In a strict walled garden environment, access to most Internet resources is typically limited by the ISP. In contrast, a leaky walled garden environment permits access to all Internet resources, except those deemed malicious, and ensures access to those that can be used to notify users of infections.

Walled gardens are effective because it is possible to notify the user and simultaneously block all communication between the bot and the command and control channel. While in many cases the user is almost guaranteed to view the notification message and take any appropriate remediation actions, this approach can pose other challenges. For example, it is not always the case that a user is actively utilizing a host that implements a web browser, has a web browser actively running on it, or operates another application that uses ports that are redirected to the walled garden. In one example, a user could be playing a game online, via the use of a dedicated, Internet-connected game console. In another example, the user may not be using a host with a web browser when they are placed in the walled garden and may instead be in the course of a telephone conversation or may be expecting to receive a call using a Voice over IP (VoIP) device of some type. As a result, the ISP may feel the need to maintain a potentially lengthy white list of domains that are not subject to the typical restrictions of a walled garden, which could well prove to be an onerous task from an operational perspective.

For these reasons, the implementation of a leaky walled garden makes more sense, but a leaky walled garden has a different set of drawbacks. The ISP has to assume that the user will eventually use a web browser to acknowledge the notification; otherwise, the user will remain in the walled garden and not know it. If the intent of the leaky walled garden is solely to notify the user about the bot infection, then the leaky walled garden is not ideal because notification is time sensitive, and the user may not receive the notification until the user invokes a request for the targeted service and/or resource. This means the bot can potentially do more damage. Additionally, the ISP has to identify which services and/or resources to restrict for the purposes of notification. This does not have to be resource specific and can be time based and/or policy based. An example of how notification could be made on a timed basis could involve notification for all HTTP requests every 10 minutes, or show the notification for one in five HTTP requests.

The ISP has several options to determine when to let the user out of the walled garden. One approach may be to let the user determine when to exit. This option is suggested when the primary purpose of the walled garden is to notify users and provide information on remediation only, particularly since notification is not a guarantee of successful remediation. It could also be the case that, for whatever reason, the user makes the judgment that they cannot then take the time to remediate their host and that other online activities that they would like to resume are more important. Exit from the walled garden may also involve a process to verify that it is indeed the user who is requesting exit from the walled garden and not the bot.

Once the user acknowledges the notification, they may decide either to remediate and exit the walled garden or to exit the walled garden without remediating the issue. Another approach may be to enforce a stricter policy and require the user to clean the host prior to permitting the user to exit the walled garden, though this may not be technically feasible depending upon the type of bot, obfuscation techniques employed by a bot, and/or a range of other factors. Thus, the ISP may also need to support tools to scan the infected host (in the style of a virus scan, rather than a port scan) and determine whether it is still infected or rely on user judgment that the bot has been disabled or removed. One challenge with this approach is that the user might have multiple hosts sharing a single IP address, such as via a common home gateway device that performs Network Address Translation (NAT). In such a case, the ISP may need to determine from user feedback, or other means, that all affected hosts have been remediated, which may or may not be technically feasible.

Finally, when a walled garden is used, a list of well-known addresses for both operating system vendors and security vendors should be created and maintained in a white list that permits access to these sites. This can be important for allowing access from the walled garden by end users in search of operating system and application patches. It is recommended that walled gardens be seriously considered as a method of notification as they are easy to implement and proven to be effective as a means of getting end user attention.

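As an added example (not code from RFC 6561 or from any ISP), the following Python is the request-handling policy of a leaky walled garden as this section describes it: subscribers placed in the garden keep general Internet access, destinations deemed malicious are blocked, well-known operating system and security vendor sites on the white list are never intercepted, other HTTP requests are redirected to the notification page at most once per interval (the "every 10 minutes" variant above), and exit is user-determined. The host names, the white list, the blocked list and the subscriber identifiers are constructed; LeakyGarden, place, release and decide are names chosen for this example.

```python
# Added example (not part of RFC 6561): policy decisions for a leaky walled
# garden. For each HTTP request from a subscriber, return "pass", "block"
# or "redirect" (to the notification page). Notification is time based:
# at most one redirect per NOTIFY_INTERVAL_S per subscriber. Vendor sites on
# the white list are never intercepted. Names and lists are constructed.
import time

NOTIFY_INTERVAL_S = 600                                            # "every 10 minutes"
NOTIFY_HOST = "notify.isp.example"                                 # constructed
WHITE_LIST = {"update.os-vendor.example", "av-vendor.example"}     # constructed
BLOCKED = {"c2.bad.example"}                                       # constructed


def _under(host, names):
    """True if host equals, or is a subdomain of, any name in the set."""
    labels = host.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))


class LeakyGarden:
    def __init__(self, clock=time.monotonic):
        self.clock = clock            # seconds; injectable for tests
        self.in_garden = set()        # subscribers currently being notified
        self.last_notified = {}       # subscriber -> time of last redirect

    def place(self, subscriber):
        """Put a subscriber in the garden after a bot has been detected."""
        self.in_garden.add(subscriber)
        self.last_notified.pop(subscriber, None)

    def release(self, subscriber):
        """User-determined exit. A real deployment verifies that the exit
        request comes from the user rather than the bot before honouring it."""
        self.in_garden.discard(subscriber)

    def decide(self, subscriber, host):
        """Return 'pass', 'block' or 'redirect' for one HTTP request."""
        if subscriber not in self.in_garden:
            return "pass"
        if _under(host, BLOCKED):
            return "block"            # malicious destinations stay blocked
        if host.rstrip(".").lower() == NOTIFY_HOST or _under(host, WHITE_LIST):
            return "pass"             # notification page and patch sites
        now = self.clock()
        last = self.last_notified.get(subscriber)
        if last is None or now - last >= NOTIFY_INTERVAL_S:
            self.last_notified[subscriber] = now
            return "redirect"
        return "pass"                 # leaky: everything else flows normally


if __name__ == "__main__":
    garden = LeakyGarden()
    garden.place("sub-1")
    for host in ("www.example.com", "c2.bad.example", "update.os-vendor.example"):
        print(host, garden.decide("sub-1", host))
```

The strict variant is the same class with the final "pass" replaced by "redirect" (or a block) for every destination not on the white list, which is why the white list becomes the operational burden the section describes.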

5.5. Instant Message Notification

IM provides the ISP with a simple means to communicate with the user. There are several advantages to using IM that make it an attractive option. If the ISP provides IM service and the user subscribes to it, then the user can be notified easily. IM-based notification can be a cost-effective means to communicate with users automatically from an IM alert system or by a manual process, involving the ISP's support staff. Ideally, the ISP should allow the user to register their IM identity in an ISP account management system and grant permission to be contacted via this means. If the IM service provider supports off-line messaging, then the user can be notified regardless of whether they are currently logged into the IM system.

There are several drawbacks with this communications method. There is a high probability that a subscriber may interpret the communication to be spim and thus ignore it. Also, not every user uses IM and/or the user may not provide their IM identity to the ISP so some alternative means have to be used. Even in those cases where a user does have an IM address, they may not be signed onto that IM system when the notification is attempted. There may be a privacy concern on the part of users when such an IM notification must be transmitted over a third-party network and/or IM service. As such, should this method be used, the notification should be discreet and not include any PII in the notification itself.

5.6. Short Message Service (SMS) Notification

SMS allows the ISP to send a brief description of the problem to notify the user of the issue, typically to a mobile device such as a mobile phone or smart phone. Ideally, the ISP should allow the user to register their mobile number and/or SMS address in an ISP account management system and grant permission to be contacted via this means. The primary advantage of SMS is that users are familiar with receiving text messages and are likely to read them. However, users may not act on the notification immediately if they are not in front of their host at the time of the SMS notification.

One disadvantage is that ISPs may have to follow up with an alternate means of notification if not all of the necessary information may be conveyed in one message, given constraints on the number of characters in an individual message (typically 140 characters). Another disadvantage with SMS is the cost associated with it. The ISP has to either build its own SMS gateway to interface with the various wireless network service providers or use a third-party SMS clearinghouse (relay) to notify users. In both cases, an ISP may incur fees related to SMS notifications, depending upon the method used to send the notifications. An additional downside is that SMS messages sent to a user may result in a charge to the user by their wireless provider, depending upon the plan to which they subscribe and the country in which the user resides. Another minor disadvantage is that it is possible to notify the wrong user if the intended user changes their mobile number but forgets to update it with the ISP.

There are several other drawbacks with this communications method. There is a high probability that a subscriber may interpret the communication to be spam and thus ignore it. Also, not every user uses SMS, and/or the user may not provide their SMS address or mobile number to the ISP. Even in those cases where a user does have an SMS address or mobile number, their device may not be powered on or otherwise available on a wireless network when the notification is attempted. There may also be a privacy concern on the part of users when such an SMS notification must be transmitted over a third-party network and/or SMS clearinghouse. As such, should this method be used, the notification should be discreet and not include any PII in the notification itself.

5.7. Web Browser Notification

Near-real-time notification to the user's web browser is another technique that may be utilized for notifying the user [RFC6108], though how such a system might operate is outside the scope of this document. Such a notification could have a comparative advantage over a walled garden notification, in that it does not restrict traffic to a specified list of destinations in the same way that a walled garden would, by definition. However, as with a walled garden notification, there is no guarantee that a user is making use of a web browser at any given time, though such a system could certainly provide a notification when such a browser is eventually used. Compared to a walled garden, a web browser notification is probably preferred from the perspective of Internet users, as it does not have the risk of disrupting non-web sessions, such as online games, VoIP calls, etc. (as noted in Section 5.4).

There are alternative methods of web browser notification offered commercially by a number of vendors. Many of the techniques used are proprietary, and it is not within the scope of this document to describe how they are implemented. These techniques have been successfully implemented at several ISPs.

It should be noted that web notification is only intended to notify devices running a web browser.

5.8. Considerations for Notification to Public Network Locations

Delivering a notification to a location that provides a shared public network, such as a train station, public square, coffee shop, or similar location may be of low value since the users connecting to such networks are typically highly transient and generally not known to site or network administrators. For example, a system may detect that a host on such a network has a bot, but by the time a notification is generated, that user has departed from the network and moved elsewhere.

5.9. Considerations for Notification to Network Locations Using a Shared IP Address

Delivering a notification to a location that accesses the Internet routed through one or more shared public IP addresses may be of low value since it may be quite difficult to differentiate between users when providing a notification. For example, on a business network of 500 users, all sharing one public IP address, it may be sub-optimal to provide a notification to all 500 users if you only need one specific user to be notified and take action. As a result, such networks may find value in establishing a localized bot detection and notification system, just as they are likely to also establish other localized systems for security, file sharing, email, and so on.

However, should an ISP implement some form of notification to such networks, it may be better to simply send notifications to a designated network administrator at the site. In such a case, the local network administrator may like to receive additional information in such a notification, such as a date and timestamp, the source port of the infected system, and malicious sites and ports that may have been visited.

5.10. Notification and End User Expertise

The ultimate effectiveness of any of the aforementioned forms of notification is heavily dependent upon both the expertise of the end user and the wording of any such notification. For example, while a user may receive and acknowledge a notification, that user may lack the necessary technical expertise to understand or be able to deal effectively with the threat. As a result, it is important that such notifications use clear and easily understood language, so that the majority of users (who are non-technical) may understand the notification. In addition, a notification should provide easily understood guidance on how to remediate a threat as described in Section 6, potentially with one path for technical users to take and another for non-technical users.

6. Remediation of Hosts Infected with a Bot

This section covers the different options available to remediate a host, which means to remove, disable, or otherwise render a bot harmless. Prior to this step, an ISP has detected the bot, notified the user that one of their hosts is infected with a bot, and now may provide some recommended means to clean the host. The generally recommended approach is to provide the necessary tools and education to the user so that they may perform bot remediation themselves, particularly given the risks and difficulties inherent in attempting to remove a bot.

For example, this may include the creation of a special web site with security-oriented content that is dedicated for this purpose. This should be a well-publicized security web site to which a user with a bot infection can be directed for remediation. This security web site should clearly explain why the user was notified and may include an explanation of what bots are and the threats that they pose. There should be a clear explanation of the steps that the user should take in order to attempt to clean their host and information on how users can keep the host free of future infections. The security web site should also have a guided process that takes non-technical users through the remediation process, on an easily understood, step-by-step basis.

In terms of the text used to explain what bots are and the threats that they pose, something simple such as this may suffice:

What is a bot? A bot is a piece of software, generally installed on your machine without your knowledge, which either sends spam or tries to steal your personal information. They can be very difficult to spot, though you may have noticed that your computer is running much more slowly than usual or you may notice regular disk activity even when you are not doing anything. Ignoring this problem is risky to you and your personal information. Thus, bots need to be removed to protect your data and your personal information.

Many bots are designed to work in a very stealthy manner, and as such, there may be a need to make sure that the Internet user understands the magnitude of the threat faced despite the stealthy nature of the bot.

It is also important to note that it may not be immediately apparent to the Internet user precisely which devices have been infected with a particular bot. This may be due to the user's home network configuration, which may encompass several hosts, where a home gateway that performs Network Address Translation (NAT) to share a single public IP address has been used. Therefore, any of these devices can be infected with a bot. The consequence of this for an ISP is that remediation advice may not ultimately be immediately actionable by the Internet user, as that user may need to perform additional investigation within their own home network.

An added complication is that the user may have a bot infection on a device such as a video console, multimedia system, appliance, or other end user computing device that does not have a typical desktop computing interface. As a result, diligence needs to be taken by the ISP where possible such that it can identify and communicate the specific nature of the device that has been infected with a bot and provide further appropriate remediation advice. If the ISP cannot pin down the device or identify its type, then it should make it clear to the user that any initial advice given is generic and further advice can be given (or is available) once the type of infected device is known.

There are a number of forums that exist online to provide security-related support to end users. These forums are staffed by volunteers and often are focused around the use of a common tool set to help end users to remediate hosts infected with malware. It may be advantageous for ISPs to foster a relationship with one or more such forums, perhaps by offering free hosting or other forms of sponsorship.

It is also important to keep in mind that not all users will be technically adept, as noted in Section 5.10. As a result, it may be more effective to provide a range of suggested remediation options. This may include, for example, a very detailed "do it yourself" approach for experts, a simpler guided process for the average user, and even assisted remediation as described in Section 6.2.

6.1. Guided Remediation Process

Minimally, the Guided Remediation Process should include the following goals, with options and/or recommendations for achieving them:

1. Back up personal files. For example:

Before you start, make sure to back up all of your important data. (You should do this on a regular basis anyway.) You can back up your files manually or using a system backup software utility, which may be part of your Operating System (OS). You can back up your files to a USB Thumb Drive (aka USB Key), a writable CD/DVD-ROM, an external hard drive, a network file server, or an Internet-based backup service.

It may be advisable to suggest that the user's backup be performed onto separate backup media or devices if a bot infection is suspected.

2. Download OS patches and Anti-Virus (A/V) software updates. For example, links could be provided to Microsoft Windows updates, Apple Mac OS updates, or other major operating systems that are relevant to users and their devices.

3. Configure the host to automatically install updates for the OS, A/V, and other common web browsers such as Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera, and Google Chrome.

4. Get professional assistance if they are unable to remove the bots themselves. If purchasing professional assistance, then the user should be encouraged to predetermine how much they are willing to pay for that help. For example, if the host that is being remediated is old and can easily be replaced with a new, faster, larger, and more reliable system for a certain cost, then it makes no sense to spend more than that cost to fix the old host. On the other hand, if the customer has a brand-new host, it might make perfect sense to spend the money to attempt to remediate it.

5. To continue, regardless of whether the user or a knowledgeable technical assistant is working on remediating the host, the first task should be to determine which of multiple potentially infected machines may be the one that needs attention (in the common case of multiple hosts in a home network). Sometimes, as in cases where there is only a single directly attached host, or the user has been noticing problems with one of their hosts, this can be easy. Other times, it may be more difficult, especially if there are no clues as to which host is infected. If the user is behind a home gateway/router, then the first task may be to ascertain which of the machines is infected. In some cases, the user may have to check all machines to identify the infected one.

6. ISPs may also look at offering a CD/DVD with remediation processes and software in the event that a host is so badly infected as to be unable to communicate over the Internet.

7. Conduct user surveys to solicit feedback on whether the notification and remediation process is effective and what recommended changes could be made in order to improve the ease, understandability, and effectiveness of the remediation process.

8. If the user is interested in reporting the host's bot infection to an applicable law enforcement authority, then the host effectively becomes a cyber "crime scene", and the infection should not be mitigated unless or until law enforcement has collected the necessary evidence. For individuals in this situation, the ISP may wish to provide links to local, state, federal, or other relevant computer crime offices. (Note: Some "minor" incidents, even if highly traumatic to the user, may not be sufficiently serious for law enforcement to commit some of their limited resources to an investigation.) In addition, individual regions may have other, specialized computer crime organizations to which these incidents can be reported. For example, in the United States, that organization is the Internet Crime Complaint Center, at http://www.ic3.gov.

9. Users may also be interested in links to security expert forums, where other users can assist them.

6.2. Professionally Assisted Remediation Process

It should be acknowledged that, based on the current state of remediation tools and the technical abilities of end users, many users may be unable to remediate on their own. As a result, it is recommended that users have the option for professional assistance. This may entail online or telephone assistance for remediation, as well as working face to face with a professional who has training and expertise in the removal of malware. It should be made clear at the time of offering this service that this service is intended for those that do not have the skills or confidence to attempt remediation and is not intended as an up-sell by the ISP.

7. Failure or Refusal to Remediate

ISP systems should track the bot infection history of hosts in order to detect when users consistently fail to remediate or refuse to take any steps to remediate. In such cases, ISPs may need to consider taking additional steps to protect their network, other users and hosts on that network, and other networks. Such steps may include a progression of actions up to and including account termination. Refusal to remediate can be viewed as a business issue, and as such, no technical recommendation is possible.
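As an added example that is not part of RFC 6561, the following Python sketches how an ISP system could keep the per-subscriber infection history this section calls for and map repeated failures to an escalation stage; the 14-day grace period, the 180-day look-back window, the four stage names and the subscriber identifier are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Illustrative escalation ladder, least to most severe. The stage names and
# the thresholds below are assumptions: the RFC only calls for "a progression
# of actions up to and including account termination".
ESCALATION = ["notify", "repeat_notify", "restrict_service", "terminate_account"]
GRACE = timedelta(days=14)    # assumed time a user gets to remediate after notification
WINDOW = timedelta(days=180)  # assumed look-back window when counting failures


@dataclass
class InfectionEvent:
    detected: datetime                        # when the ISP first saw the bot
    bot_family: str                           # label from the detection source
    remediated_on: Optional[datetime] = None  # set once the host is seen clean again
    refused: bool = False                     # user explicitly declined to act

    def is_open(self) -> bool:
        """True while the host has not been confirmed clean."""
        return self.remediated_on is None

    def failed(self, now: datetime) -> bool:
        """A remediation failure is an explicit refusal or an infection still
        open after the grace period. A host that was eventually cleaned, even
        late, is treated as remediated and does not add to the failure count."""
        if not self.is_open():
            return False
        return self.refused or now - self.detected > GRACE


@dataclass
class SubscriberHistory:
    subscriber_id: str
    events: List[InfectionEvent] = field(default_factory=list)

    def record(self, event: InfectionEvent) -> None:
        self.events.append(event)

    def mark_remediated(self, bot_family: str, when: datetime) -> None:
        """Close every open event for the given bot family."""
        for e in self.events:
            if e.bot_family == bot_family and e.is_open():
                e.remediated_on = when

    def failures(self, now: datetime) -> List[InfectionEvent]:
        """Failed events whose detection falls inside the look-back window."""
        cutoff = now - WINDOW
        return [e for e in self.events if e.detected >= cutoff and e.failed(now)]

    def recommended_action(self, now: datetime) -> Optional[str]:
        """Escalation stage for the current state, or None when nothing is open.
        Each failure inside the window moves one rung up the ladder."""
        if not any(e.is_open() for e in self.events):
            return None
        rung = len(self.failures(now))
        return ESCALATION[min(rung, len(ESCALATION) - 1)]


def demo() -> Optional[str]:
    """Constructed history for a fictitious subscriber id, not real data."""
    now = datetime(2012, 3, 1)
    history = SubscriberHistory("sub-0001")
    # Cleaned within four days: counts as remediated, not as a failure.
    history.record(InfectionEvent(datetime(2011, 9, 1), "botA",
                                  remediated_on=datetime(2011, 9, 5)))
    # Notified in November and never cleaned: one failure.
    history.record(InfectionEvent(datetime(2011, 11, 1), "botA"))
    # Explicit refusal to take any steps: a second failure.
    history.record(InfectionEvent(datetime(2012, 1, 10), "botB", refused=True))
    return history.recommended_action(now)  # returns "restrict_service"


if __name__ == "__main__":
    print(demo())
```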

8. Sharing of Data from the User to the ISP

As an additional consideration, it may be useful to create a process by which users could choose, at their option and with their express consent, to share data regarding their bot infections with their ISP and/or another authorized third party. Such third parties may include governmental entities that aggregate threat data, such as the Internet Crime Complaint Center referred to earlier in this document, academic institutions, and/or security researchers. While in many cases the information shared with the user's ISP or designated third parties will only be used for aggregated statistical analysis, it is also possible that certain research needs may be best met with more detailed data. Thus, any such data sharing from a user to the ISP or authorized third party may contain some type of personally identifiable information, either by design or inadvertently. As a result, any such data sharing should be enabled on an opt-in basis, where users review and approve of the data being shared and the parties with which it is to be shared, unless the ISP is already required to share such data in order to comply with local laws and applicable regulations.

9. Security Considerations

This document describes in detail the numerous security risks and concerns relating to botnets. As such, it has been appropriate to include specific information about security in each section above. This document describes the security risks related to malicious bot infections themselves, such as enabling identity theft, theft of authentication credentials, and the use of a host to unwittingly participate in a DDoS attack, among many other risks. Finally, the document also describes security risks that may relate to the particular methods of communicating a notification to Internet users. Bot networks and bot infections pose extremely serious security risks, so readers should review this document carefully.

In addition, regarding notifications as described in Section 5, care should be taken to assure users that notifications have been provided by a trustworthy site and/or party, so that the notification is more difficult for phishers and/or malicious parties using social engineering tactics to mimic. Otherwise, care should be taken to ensure that the user has some level of trust that the notification is valid and/or that the user has some way to verify via some other mechanism or step that the notification is valid.

10. Privacy Considerations

This document describes at a high level the activities to which ISPs should be sensitive, i.e., where the collection or communication of PII may be possible. In addition, when performing notifications to end users (see Section 5), those notifications should not include PII.

As noted in Section 8, any sharing of data from the user to the ISP and/or authorized third parties should be done on an opt-in basis. Additionally, the ISP and/or authorized third parties should clearly state what data will be shared and with whom it will be shared.

Lastly, as noted in other sections, there may be legal requirements in particular legal jurisdictions concerning how long any subscriber-related or other data is retained. An ISP operating in such a jurisdiction should be aware of these requirements and should comply with them.

11. Acknowledgements

The authors wish to acknowledge the following individuals and groups for performing a detailed review of this document and/or providing comments and feedback that helped to improve and evolve this document:

Mark Baugher
Richard Bennett
James Butler
Vint Cerf
Alissa Cooper
Jonathan Curtis
Jeff Chan
Roland Dobbins
Dave Farber
Stephen Farrell
Eliot Gillum
Joel Halpern
Joel Jaeggli
Scott Keoseyan
Murray S. Kucherawy
The Messaging Anti-Abuse Working Group (MAAWG)
Jose Nazario
Gunter Ollmann
David Reed
Roger Safian
Donald Smith
Joe Stewart
Forrest Swick
Sean Turner
Robb Topolski
Maxim Weinstein
Eric Ziegast


Appendix A. Examples of Third-Party Malware Lists

As noted in Section 4, there are many potential third parties that may be willing to share lists of infected hosts. This list is for example purposes only, is not intended to be either exclusive or exhaustive, and is subject to change over time.

o Arbor - Atlas, see http://atlas.arbor.net/

o Internet Systems Consortium - Secure Information Exchange (SIE), see https://sie.isc.org/

o Microsoft - Smart Network Data Services (SNDS), see https://postmaster.live.com/snds/

o SANS Institute / Internet Storm Center - DShield Distributed Intrusion Detection System, see http://www.dshield.org/about.html

o ShadowServer Foundation, see http://www.shadowserver.org/

o Spamhaus - Policy Block List (PBL), see http://www.spamhaus.org/pbl/

o Spamhaus - Exploits Block List (XBL), see http://www.spamhaus.org/xbl/

o Team Cymru - Community Services, see http://www.team-cymru.org/

Authors' Addresses

   Jason Livingood
   Comcast Cable Communications
   One Comcast Center
   1701 John F. Kennedy Boulevard
   Philadelphia, PA 19103
   USA

   EMail: jason_livingood@cable.comcast.com
   URI:   http://www.comcast.com

   Nirmal Mody
   Comcast Cable Communications
   One Comcast Center
   1701 John F. Kennedy Boulevard
   Philadelphia, PA 19103
   USA

   EMail: nirmal_mody@cable.comcast.com
   URI:   http://www.comcast.com

   Mike O'Reirdan
   Comcast Cable Communications
   One Comcast Center
   1701 John F. Kennedy Boulevard
   Philadelphia, PA 19103
   USA

   EMail: michael_oreirdan@cable.comcast.com
   URI:   http://www.comcast.com