New M3AAWG Bot Metrics Report Shares Network Operators’ Perspective

M3AAWG has issued its first report examining the level of bot infections on consumer networks and the percentage of subscribers notified.  This is significant in that it is the first cooperative effort by network service providers to quantify the extent of malicious bots infecting their subscribers.  The M3AAWG Bot Metrics Report also provides data on the implementation of a portion of the Anti-Bot Code of Conduct for ISPs developed at the FCC’s Communications Security Reliability and Interoperability Council (CSRIC) under the leadership of M3AAWG Chairman Emeritus Michael O’Reirdan.

The ABCs for ISPs calls for service providers to take “meaningful action” in each of five areas:  Education, Detection, Notification, Remediation and Collaboration.  M3AAWG has promoted this effort with a dedicated page on our website listing companies that support the code (www.m3aawg.org/abcs-for-ISP-code). We have also linked videos on this page from our public YouTube channel (www.youtube.com/maawg) explaining the importance of the code and a training session from a M3AAWG General Meeting where a network security expert explains how ISPs can implement the code.

The report draws on aggregated data provided voluntarily and confidentially by ISPs and network operators working within M3AAWG, covering up to 43.5 million consumer subscribers in Europe and North America. It concludes that in 2012 participating network operators reported that the number of infected subscribers ranged from 0.84% to 1.18%, with 99.13% to 98.41% of those subscribers being notified they had a bot. In 2013, the number of infected subscribers varied from slightly over 1% to 0.80%, with 99.82% to slightly under 94% of consumers being notified. It is important to note that the M3AAWG data only includes information voluntarily provided by participating ISPs.

This demonstrates that participating ISPs are notifying the large majority of their customers when they are identified as having malware on their systems. However, while ISPs are notifying infected users, subscribers must remove the malware from their systems themselves. This task is a significant challenge for end users, many of whom may not be capable of providing their own IT support. This points to the importance of the entire Internet ecosystem working together to address this problem, including software vendors, end users and security vendors. Another challenge is the effectiveness of end user notifications, which can be delivered in a variety of ways and in some cases may themselves be exploited as an attack vector. Thus, while many end users are being notified, both of these issues impact the overall effectiveness of these programs and the recidivism rate for malware infections. As M3AAWG continues to look at this issue, both of these items are potential areas for future study.

By Chris Boyer, M3AAWG Public Policy Co-Chair (AT&T)

The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.