
Major Aussie ISP Disconnecting Trojaned PCs

daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.
  • Why is this news!?! (Score:5, Informative)

    by pctainto ( 325762 ) on Wednesday April 13, 2005 @04:06AM (#12221339) Homepage
    ISPs around the world have been doing this for a while now! I live in a house with 12 people and one person had a hijacked computer sending out mail and Adelphia cut us off. Although they never told us that they did (a quick call to customer support hooked us back up).

    Seriously, why is this news?

  • Re:Drastic Measures (Score:5, Informative)

    by Arghdee ( 813921 ) on Wednesday April 13, 2005 @04:15AM (#12221375)
    To expand on this, a lot of you non-Australians should probably know that Telstra Bigpond is the ISP that people choose when they don't know any better.

    Value for money wise they rate very poorly compared to the opposition - for ADSL at least.

    For those of you that don't know, Telstra is a part government owned company, which owns much of the telco infrastructure in Australia. They like to make life difficult for any competitors.

    Also one of the few ISPs in Australia that charges traffic in both directions.

    Just in case you guys care :)
  • by Yrd ( 253300 ) on Wednesday April 13, 2005 @04:22AM (#12221401) Homepage
    And? NTL are one of the biggest ISPs in the UK and they do the same thing.
  • by TheScream ( 147369 ) on Wednesday April 13, 2005 @04:23AM (#12221403)
    pctainto wrote:
    Seriously, why is this news?
    Because it is surprising that BigPond is doing anything proactive in the customer support area given its horrible customer service track record [whirlpool.net.au]. Although, I guess their goal is to save money, not help its customers.
  • by Zeussy ( 868062 ) on Wednesday April 13, 2005 @04:25AM (#12221409) Homepage
    My ISP (plus.net) monitors any communications on port 135 etc. and if it detects any when you're connected, you get redirected to a Plus.net "you may have been affected with MSBlast" page etc., and it gives you the links to tools to fix it.

    Very handy indeed.
  • Re:Waste of time? (Score:3, Informative)

    by Raumkraut ( 518382 ) on Wednesday April 13, 2005 @04:36AM (#12221441)
    I was 'disconnected' from my ADSL a while back, not because any of my machines were infected, but because I'd tried scanning my company's IP.
    My ISP had detected traffic on port 135 (some Windows thing exploited by malware), and automatically stopped forwarding any connections to or from my home machines. The only port which was allowed was port 80, and every web page request was redirected to a help page explaining what had happened. :)

    After blocking port 135 at my router, all it took was clicking a link on the aforementioned web page, and my connection was restored automagically.

    Rather well implemented, I thought.
  • by SlashDread ( 38969 ) on Wednesday April 13, 2005 @04:45AM (#12221465)
    Look, I'm ALL for ISPs disconnecting "polluting" PCs. They just better make damn sure it's not legit traffic.

    My ISP does exactly this: if it suspects trojan traffic it shuts you down (and snail mails you). You subsequently call the helpdesk, they ask what you did to resolve the matter (the ISP provides FREE anti-virus and firewall software). If they are happy with your countermeasures, they'll reconnect you in a jiffy.
    If you can explain you have a legit reason to hit DNS 9765 times per second, I suspect they'll unlock you too.

    I love it.
  • by goonerw ( 99408 ) on Wednesday April 13, 2005 @04:52AM (#12221491) Homepage
    Aussie ISP Internode (one of the better alternatives to BigPond) deliberately block various types of malware (usually port blocking but other means have been employed such as IP blocking a client's IP) and an advisory is placed on the service status page indicating what is blocked and for how long.
  • Re:Nothing new (Score:3, Informative)

    by pe1chl ( 90186 ) on Wednesday April 13, 2005 @04:54AM (#12221497)
    They only put up this block after it has been shown that your system is virus or trojan infected and you have not responded to requests to do something about that.
    Normally there is no filtering whatsoever.
  • by petrus4 ( 213815 ) on Wednesday April 13, 2005 @05:09AM (#12221543) Homepage Journal
    Attempting to strangle ADSL adoption, killing the national BBS community when the Internet first became mainstream in Australia in order to force adoption of Big Pond, and a host of other offenses meant that after an extended period of shopping around, I finally stopped using Telstra as a carrier completely last year, and they can now consider themselves permanently boycotted as far as I'm concerned. They are one of the most short-sighted, destructive, and generally amoral corporations I've heard of. They were also vocally criticised by Bill Gates during one of his visits here, for their strangulation of broadband adoption.

    Apart from the above, to some degree there are now price incentives to use other carriers as well, particularly for voice. If you've got a credit card, you also might want to check out TPG [tpg.com.au] for ADSL...they probably have the best deals I've seen.
  • by grolschie ( 610666 ) on Wednesday April 13, 2005 @05:25AM (#12221594)
    Except on most Linux dists:
    1). the default user is not an administrator
    2). 99.9% of malware cannot run. If it did, then it'd cause minimal damage (see 1.)
    3). There is no ActiveX
    4). etc, etc, etc

    The average Linux (non root) user can be as clueless as he/she likes and won't get into trouble.
  • by Anonymous Coward on Wednesday April 13, 2005 @05:39AM (#12221638)
    This is news because when I used to use BIGPOND they would charge you 20 cents per megabyte when you went over a set limit.

    They're cutting into their profit margins with this one !!!!
  • by figment ( 22844 ) on Wednesday April 13, 2005 @05:41AM (#12221643)
    Another said: "I am having problems loading Web pages, I get the 404 [page not found] error. I have to retry five to 10 times to get some places."

    Which also is totally not a symptom of DNS timeouts either. You need a response from a webserver to get a 404.

    The article just seems poorly written; I wouldn't go out and assume that Telstra just decided to throw 500 new DNS servers at it.

  • Re:Drastic Measures (Score:3, Informative)

    by droleary ( 47999 ) on Wednesday April 13, 2005 @06:03AM (#12221694) Homepage

    Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?

    Well, let's say you've got yourself a spam zombie sending out a million messages. How many unique domains would that average out to be? 500,000? 100,000? Let's generously give it another order of magnitude and say 10,000 (i.e., average of 100 inboxes spammed per domain). Compare that to Joe Average user; how many domains do regular folks hit in a day? 10? Upwards of 100? A far cry from the DNS traffic they're probably seeing from malware controlled customers.
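    The two heuristics raised in this thread (SlashDread's "hits DNS 9765 times per second" and the point above about a spam zombie touching far more distinct domains than an ordinary user) as a small detection check over constructed query-log lines. This is an added example, not code from any commenter or from BigPond; the BIND-style log format, the client IPs and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Assumed BIND-style query-log line (hypothetical format, not the ISP's own):
# "13-Apr-2005 04:06:01.003 client 10.0.0.9#4000: query: mx0.spamtarget0.test IN MX"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN \S+")


def parse_line(line):
    """Return (second_bucket, client_ip, qname) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    second = m.group("ts").rsplit(".", 1)[0]  # drop milliseconds: bucket per second
    return second, m.group("ip"), m.group("name").lower().rstrip(".")


def registrable_domain(name):
    # Crude last-two-labels rule; enough for a per-client distinct-domain count.
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def analyse(log_text, rate_threshold, domain_threshold):
    """Flag clients whose peak queries/second or distinct-domain count exceeds a threshold."""
    per_sec = defaultdict(lambda: defaultdict(int))  # ip -> second -> query count
    domains = defaultdict(set)                        # ip -> distinct registrable domains
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        second, ip, name = parsed
        per_sec[ip][second] += 1
        domains[ip].add(registrable_domain(name))
    flagged = {}
    for ip, buckets in per_sec.items():
        peak, uniq, reasons = max(buckets.values()), len(domains[ip]), []
        if peak > rate_threshold:
            reasons.append(f"peak {peak} queries/s")
        if uniq > domain_threshold:
            reasons.append(f"{uniq} distinct domains")
        if reasons:
            flagged[ip] = {"peak_qps": peak, "unique_domains": uniq, "reasons": reasons}
    return flagged


def build_sample_log():
    """Constructed sample: one ordinary client and one behaving like the flooding trojans."""
    lines = [f"13-Apr-2005 04:06:0{i}.000 client 10.0.0.5#1025: query: {name} IN A"
             for i, name in enumerate(["www.example.com", "mail.example.com", "slashdot.org"])]
    lines += [f"13-Apr-2005 04:06:01.{i:03d} client 10.0.0.9#4000: query: mx{i}.spamtarget{i}.test IN MX"
              for i in range(12)]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, info in analyse(build_sample_log(), 5, 5).items():
        print(ip, "->", "; ".join(info["reasons"]))
```

    Thresholds this low are only for the constructed sample; on a real resolver they would be set from a baseline of normal per-client behaviour, and a flag would trigger a notification rather than an automatic disconnect.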

  • by drsmithy ( 35869 ) <drsmithy@nOSPAm.gmail.com> on Wednesday April 13, 2005 @06:22AM (#12221746)
    I've only been in AU for 2 months but from what I'm told, Telstra (until the past 7 years or so) has been a very benevolent monopoly.

    Note that this coincides with its semi-privatisation (the government has a 50.1% stake in Telstra - which it can't wait to unload - the rest is publicly owned). Unsurprisingly, customer service has declined dramatically ever since "profit" became important. Telstra had previously been a "benevolent" monopoly because it had no reason to be anything else.

    The idea of a fully privatised Telstra is rather scary. Not that I'm a huge fan of government running businesses, but in some cases (like utilities and similarly fundamental/infrastructure type services) I think there's a strong case for it.

    (The drive to fully privatise Telstra was one of the two main reasons I didn't vote Liberal (for the first time ever) at the last elections - the US-AU FTA being the other one.)

  • Not really (Score:5, Informative)

    by Craig Ringer ( 302899 ) on Wednesday April 13, 2005 @06:27AM (#12221768) Homepage Journal
    With most such set-ups your Internet connection is generally not totally blocked, just severely restricted. Any web request gets proxy-redirected to a page with instructions on how to clean your machine up, and download links from the ISPs local mirrors. Anything else is locked down.

    I don't know if this is what bigpond are doing, but that's the usual way to handle this and it seems to work extremely well. My ISP uses a similar trick when users go over quota.
  • by tmk ( 712144 ) on Wednesday April 13, 2005 @06:55AM (#12221845)
    My ISP Netcologne disconnects PCs that are infected with trojans and try to infect others. The connection is interrupted and when the customer tries to connect again he can only access one page, which shows an information notice. He can download Antivir there, too.

    There are two restrictions: Netcologne certainly does not monitor all traffic - they react to abuse messages. And this "service" is not available to business customers.
  • Re:My 1st Thoughts (Score:3, Informative)

    by strider44 ( 650833 ) on Wednesday April 13, 2005 @07:30AM (#12221971)
    not so much in Australia. Though ISPs will forward emails sent from RIAA and MIAA etc there is no action taken, and the identity of the IP addresses aren't disclosed.
  • Re:Drastic Measures (Score:3, Informative)

    by novakreo ( 598689 ) on Wednesday April 13, 2005 @07:35AM (#12221990) Homepage

    To expand on this, a lot of you non-australians should probably know that Telstra Bigpond is the ISP that people choose when they don't know any better.

    Not necessarily. Please don't generalise.
    Where I live I have the choice of Optus or Bigpond (Telstra) cable internet. Optus prohibits servers in their acceptable use policy, and according to the Whirlpool forums [whirlpool.net.au] they block certain ports to enforce this.

    ADSL is also available, but it has a much lower download speed. We also have the Optus Local phone service running over their cable network, so to get ADSL we'd need to switch back to the (Telstra) copper phone line first.

    When I signed up for broadband, Bigpond cable offered free installation and 2 months free access on a 24-month plan. Compared to getting the copper phone line reconnected and changing telcos, having ADSL activated, and whatever upfront fees were involved in getting an ADSL modem, and still only being able to download at a fraction of the speed, cable seemed the much better choice.

    I'm not a big fan of Telstra, but right now there's nothing better out there. Hopefully by the time my contract expires my exchange will have ADSL2, and I can consider other options.

  • Re:My 1st Thoughts (Score:3, Informative)

    by Squiddl3 ( 745702 ) on Wednesday April 13, 2005 @07:38AM (#12222005)
    Most likely he was referring to the law in Germany, that every logged connection record must be either anonymised (for technical logs) or must be needed for accounting procedures (but the maximum is AFAIK 3 months).
    With a flat rate there is no such thing as a "need for accounting", so the ISP isn't allowed to make logs which are personalised.

    So the original poster most likely meant, if they can't have personalised logs, they can't shut you down.

  • by FireFury03 ( 653718 ) <slashdot&nexusuk,org> on Wednesday April 13, 2005 @07:43AM (#12222030) Homepage
    NTL are one of the biggest ISPs in the UK and they do the same thing.

    Hah, you're kidding right? NTL have one of the worst records [sucs.org] when it comes to responding to abuse reports. Trust me - I've had to deal with them several times about abuse matters and frankly they don't care.
  • by Andy_R ( 114137 ) on Wednesday April 13, 2005 @07:55AM (#12222069) Homepage Journal
    How can you tell? I doubt that compromised machines drop off the net more often than everyone else on NTL does. I have friends tied into a 12 month contract with NTL who were told that a 7-day outage was 'normal', as was 30% packet loss.
  • Re:My 1st Thoughts (Score:2, Informative)

    by vasqzr ( 619165 ) <vasqzr@noSpaM.netscape.net> on Wednesday April 13, 2005 @08:32AM (#12222230)
    Charter Communications in Michigan does that all the time.
  • by Eezy Bordone ( 645987 ) on Wednesday April 13, 2005 @08:43AM (#12222281) Homepage
    My mother-in-law had her PC removed from the network by her ISP 2 years ago and she was on dial up. They [polarcomm.com] did email and phone her to tell her that until she removed the offending software that she wouldn't be able to connect.

    Granted, this is a regional ISP in BFE North Dakota but it still counts and ISPs have the right to do this. My M-I-L gets DSL in two weeks, should make for interesting times.

  • by sadler121 ( 735320 ) <msadler@gmail.com> on Wednesday April 13, 2005 @09:45AM (#12222655) Homepage
    I think for 99.9999% of a residential ISP's customers, having their access to DNS blocked would not be noticeably different from disconnection.

    Have you BEEN on the Comcast forums recently? Comcast is having a LOT of trouble with their DNS servers and it is affecting EVERYBODY.

    Last week when it happened I just switched my DNS addresses to MIT's (though now I have a nice list of addy's just in case MIT's goes down). I have been instructing my friends on how to change the default DNS listings because they are being affected themselves. Once they change them, they have no problems. Hell, I didn't even know Comcast was having problems AGAIN yesterday because I just kept my system with the MIT addy's.

    I have to wonder, if trojans are effectively DDoSing Comcast's servers, whether there is not some ulterior motive behind this. DNS servers are the life blood of the Internet; to take them down means we would all have to know numbers to get around the Internet, and while I keep a few IP addy's in my bookmarks just in case, to expect Joe User to is ridiculous.

    Of course it is probably just Comcast, who, as a regulated monopoly, has no incentive to upgrade services, because for many, Cable Internet is the only "broadband" (HA!) available. I wouldn't be surprised if rates go up again to cover the cost of whatever "upgrade" Comcast comes up with to solve this problem.

    Until then I am keeping my DNS addresses pointed to MIT's servers and I am NOT going to be using Comcast's.
  • Re:Drastic Measures (Score:3, Informative)

    by XSforMe ( 446716 ) on Wednesday April 13, 2005 @11:36AM (#12223618)

    Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?
    In addition to the already commented use of sending spam, zombied machines can be used to poison DNS servers. The poisoning basically involves sending lots of forged packets to the DNS server in what is known as a birthday attack [securityfocus.com]. There has recently been a rash of these kinds of attacks as documented [sans.org] by SANS.

  • by quakeroatz ( 242632 ) on Wednesday April 13, 2005 @12:09PM (#12224022) Journal
    I've had some phone calls lately from clients that were disconnected from Rogers High-Speed Cable because they were trojaned or mass mailing. After inspecting 3 systems, they were all infected with NetskyP and Bugbear.

    Both were very easy to remove; I even used Microsoft's Malicious Software Removal Tool [microsoft.com] (gasp), which was quick and easy. I wish they would kick all of these infected PCs offline and we wouldn't be dealing with these erratic spikes that have now turned FPS gaming into a modem-like affair.

    I bet a few of the "free" antivirus companies, like AVP could make a killing sending out "AOL Like" demo cd's that cure the ails of all these banished network newbies.
  • by billstewart ( 78916 ) on Wednesday April 13, 2005 @02:40PM (#12225743) Journal
    First of all, most ISPs that "Block Port 25" don't block it for connections to their own mail server - only for connections that don't use their servers, either because they're going directly to the recipient or because they're going to some other mail server. If you're using the ISP's outgoing mail server, then they've got a handle for rate-limiting your mail (so they can detect or at least inhibit spammers, and possibly even spam-filter email), and they can provide whatever quality of email administration they want. For dialup users, this is often useful, because mailers benefit from being directly connected to the net in case the recipient can't handle their mail immediately (an especially frequent problem due to grey-listing.) But for broadband Linux users, it's often annoying, because the cable companies especially are often not very good at it. Some ISPs, mostly cable, used to be really obnoxious and not only block non-port-25 email but also require your From: address to be an address on their mail server. Fortunately, most of them have been beaten into submission by the market.

    But there are several other protocols for sending email that don't look like Port 25 to the ISP. There are a couple of SMTP-submission protocols which let you set up a connection to a mail server where you have an account and do various kinds of authentication, including some that use SSL encryption. Alternatively, you can do SSH or IPSEC or other VPN tunnels to your email provider. And then for us old folks, there's always "login to a shell account" :-) (Kids can use webmail instead.)

    As far as email-over-telepathy goes, Dan Kaminsky recently demonstrated IP-over-DNS tunnelling at Codecon. It's really really evil - he was even able to do video-over-IP-over-DNS by coopting about 25000 DNS servers. I'm pretty sure he was the guy who did a lot of the IP-over-HTTP tunnelling a couple of years back, and he's done lots of other creative work with detailed protocol analysis.
