Amid cyberattacks, ISPs try to clean up the internet

Level 3 Communications is among the ISPs notifying users about their infected computers

If your computer’s been hacked, Dale Drew might actually know something about that.

He's CSO (chief security officer) at Level 3 Communications, a major internet backbone provider that's routinely on the lookout for cyberattacks on the network level. The company has linked more than 150 million IP addresses to malicious activity worldwide.

That means all of those IP addresses have computers behind them that are probably involved in distributed denial-of-service attacks, email spam, or breaches of company servers, Drew said.

Hackers have managed to hijack those computers to "cause harm to the internet," but the owners don't always know that, Drew said. 

The tracking capabilities of Level 3 highlight how internet service providers can spot malicious patterns of activity over the internet, and even pinpoint the IP addresses that are being used for cybercrime.

In more extreme cases, Level 3 can essentially block bad traffic from harassing victims, and effectively shut down or disrupt the hackers’ attacks.

So why aren’t ISPs doing more to crack down on cybercrime? The issue is that an ISP's ability to differentiate between normal and malicious internet traffic has limits, and finding ways to properly respond can open a whole can of worms.

Malicious patterns

Level 3 has built up a database of 178 million IP addresses -- most of them static IP addresses -- that it has connected to suspected malicious activity. It’s done so by pinpointing patterns that deviate from “known good” internet traffic, Drew said. He compared it to running a post office. Although Level 3 isn’t examining the content of the internet traffic or the “envelopes” passing through, it does know who’s sending what and to whom.

For example, “every time this user gets a red envelope from person X, they complain it’s spam,” Drew said. “So I can start to build a heuristic off that behavior.”

Bad-behavior patterns have helped Level 3 build algorithms to identify suspicious traffic. Of the millions of IP addresses it’s been tracking, 60 percent are likely associated with botnets, or armies of infected computers that can be used for DDoS attacks.

Level 3 has associated another 22 percent with email phishing campaigns.

One might wonder why Level 3 doesn’t just block these IP addresses from the internet. But that can be problematic. Often, users of hacked computers are unaware their machines have been compromised, and it may be unclear whether some of those machines are also being used for important purposes, such as legitimate financial transactions.

Blocking those machines could potentially mean stopping millions of dollars in transactions, Drew said.

Dale Drew, Level 3's chief security officer.

Instead, the company tries to notify the users of those IP addresses. In many cases, they are businesses, which can be quick to respond, Drew said. However, when it comes to consumers, there's no phonebook linking one person to an IP address. So Level 3 has to work with the hosting provider in order to reach the user.

Confronting the limits

Overall, it can be an uphill battle. “For every IP address we repair, more IP addresses are being compromised,” Drew said.

Other ISPs, including some in Europe, have also been notifying customers when their machines might be infected. It’s become a years-old, growing practice, but getting users to fix their infected computers isn’t always straightforward, said Richard Clayton, a security researcher at the University of Cambridge and director of its cloud cybercrime center. 

Even when ISPs send warning messages to users, what then? Not every PC user knows how to resolve a malware infection, Clayton said. For ISPs, it can also be a matter of cost.

“Of course we want to see ISPs helping, but they are in a competitive market,” he said. “They are trying to cut their costs wherever they can, and talking to customers and passing on a message is not a cheap thing to do.”

In addition, ISPs can’t identify every malicious cyberattack. Most hacking attacks masquerade as normal traffic and even ISP detection methods can occasionally generate errors, Clayton said.

“If you have a 99 percent detection rate, in an academic paper, that sounds fantastic,” he said. “But that basically means one out of 100 times, you’ll be plain wrong.”

No magic bullet

That’s why taking down suspected hackers usually requires collective action from law enforcement and security researchers who have thoroughly investigated a threat and confirmed that it is real. Governments and ISPs have also become involved in creating websites and services telling users how to effectively clean up their PCs.

It’s a difficult balancing act for ISPs, said Ed Cabrera, the chief cybersecurity officer at antivirus vendor Trend Micro. “They can do a lot of detection quite easily,” he said. “But the blocking piece is not something that they want to take responsibility for.”

Cybercriminals are also continually elevating their game, making them harder to detect. “The problem is nowhere near black and white,” Cabrera said. “We’re quick to say ISPs aren’t doing enough, but I think often times that’s unfair.”

Level 3’s Drew said it’s tempting to think that the world’s cybersecurity problems can be solved with a magic bullet. But for now, it will take a collective effort -- of ISPs, governments, businesses and consumers -- to clean up the internet and secure today's devices. 

"Even if we were able to deploy exhaustive technology to analyze the bad, ugly traffic, it still doesn't fix the infected devices," Drew said. "The end user still has a role to properly patch that device."

He also encourages all ISPs to take Level 3's approach and notify customers when their computers have been hijacked by hackers.

If more ISPs did this, Drew said, "we might make a dent."

Michael Kan

IDG News Service