Major Aussie ISP Disconnecting Trojaned PCs
daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.
Why is this news!?! (Score:5, Informative)
Seriously, why is this news?
Re:Drastic Measures (Score:5, Informative)
Value-for-money-wise they rate very poorly compared to the opposition, for ADSL at least.
For those of you that don't know, Telstra is a part-government-owned company which owns much of the telco infrastructure in Australia. They like to make life difficult for any competitors.
Also one of the few ISPs in Australia that charges traffic in both directions.
Just in case you guys care
Re:Why is this news!?! (Score:5, Informative)
Re:Why is this news!?! (Score:2, Informative)
Plusnet has a better way. (Score:5, Informative)
Very handy indeed.
Re:Waste of time? (Score:3, Informative)
My ISP had detected traffic on port 135 (some Windows thing exploited by malware), and automatically stopped forwarding any connections to or from my home machines. The only port which was allowed was port 80, and every web page request was redirected to a help page explaining what had happened.
After blocking port 135 at my router, all it took was clicking a link on the aforementioned web page, and my connection was restored automagically.
Rather well implemented, I thought.
Just traffic? Or trojan traffic? (Score:5, Informative)
My ISP does exactly this: if it suspects trojan traffic it shuts you down (and snail-mails you). You subsequently call the helpdesk, and they ask what you did to resolve the matter (the ISP provides FREE anti-virus and firewall software). If they are happy with your countermeasures, they'll reconnect you in a jiffy.
If you can explain you have a legit reason to hit DNS 9765 times per second, I suspect they'll unlock you too.
I love it.
Other ISPs block ports in order to reduce threats (Score:3, Informative)
Re:Nothing new (Score:3, Informative)
Normally there is no filtering whatsoever.
My permanent boycott of Telstra (Score:5, Informative)
Apart from the above, to some degree there are now price incentives to use other carriers as well, particularly for voice. If you've got a credit card, you also might want to check out TPG [tpg.com.au] for ADSL...they probably have the best deals I've seen.
Re:Potential boon for alternative OSes (Score:5, Informative)
1) The default user is not an administrator.
2) 99.9% of malware cannot run. If it did, then it'd cause minimal damage (see 1).
3) There is no ActiveX.
4) etc, etc, etc
The average Linux (non root) user can be as clueless as he/she likes and won't get into trouble.
Re:Why is this news!?! (Score:1, Informative)
They're cutting into their profit margins with this one!!!!
Re:Hmm... makes sense to me! (Score:3, Informative)
Which also is totally not a symptom of DNS timeouts either. You need a response from a webserver to get a 404.
The article just seems poorly written; I wouldn't go out and assume that Telstra just decided to throw 500 new DNS servers at it.
Re:Drastic Measures (Score:3, Informative)
Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?
Well, let's say you've got yourself a spam zombie sending out a million messages. How many unique domains would that average out to be? 500,000? 100,000? Let's generously give it another order of magnitude and say 10,000 (i.e., average of 100 inboxes spammed per domain). Compare that to Joe Average user; how many domains do regular folks hit in a day? 10? Upwards of 100? A far cry from the DNS traffic they're probably seeing from malware controlled customers.
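An added example, not code from the thread, of the per-customer heuristic the reply above sketches: a small Python detector that profiles a constructed resolver log by peak queries per second and distinct names per client. The log format, sample values and thresholds are all assumed.

```python
"""Flag customers whose DNS query pattern looks like a spam zombie.

Constructed sample data and assumed thresholds, not from the thread: the
log has one line per query, "<unix_ts> <client_ip> <qname>".
"""
from collections import defaultdict

# Constructed sample log: 10.0.0.5 behaves normally, 10.0.0.9 looks infected
# (6000 queries over 30 seconds, 3000 distinct names).
SAMPLE_LOG = "\n".join(
    [f"1000 10.0.0.5 {name}" for name in ("example.com", "mail.example.com", "news.example.net")]
    + [f"{1000 + i // 200} 10.0.0.9 spam{i % 3000}.test" for i in range(6000)]
)

def parse_log(text):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        try:
            yield int(ts), client, qname.lower().rstrip(".")
        except ValueError:
            continue

def profile_clients(text):
    """Per client: total queries, distinct names, peak queries in any one second."""
    stats = {}
    for ts, client, qname in parse_log(text):
        s = stats.setdefault(client, {"queries": 0, "names": set(), "per_second": defaultdict(int)})
        s["queries"] += 1
        s["names"].add(qname)
        s["per_second"][ts] += 1
    return {
        c: {"queries": s["queries"], "distinct": len(s["names"]),
            "peak_qps": max(s["per_second"].values())}
        for c, s in stats.items()
    }

def suspect_clients(text, max_qps=50, max_distinct=1000):
    """Clients over either threshold (thresholds are assumed; tune per network)."""
    return sorted(c for c, p in profile_clients(text).items()
                  if p["peak_qps"] > max_qps or p["distinct"] > max_distinct)

if __name__ == "__main__":
    for client in suspect_clients(SAMPLE_LOG):
        print(client, profile_clients(SAMPLE_LOG)[client])
```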
Re:Hmm... makes sense to me! (Score:3, Informative)
Note that this coincides with its semi-privatisation (the government has a 50.1% stake in Telstra - which it can't wait to unload - the rest is publicly owned). Unsurprisingly, customer service has declined dramatically ever since "profit" became important. Telstra had previously been a "benevolent" monopoly because it had no reason to be anything else.
The idea of a fully privatised Telstra is rather scary. Not that I'm a huge fan of government running businesses, but in some cases (like utilities and similarly fundamental/infrastructure type services) I think there's a strong case for it.
(The drive to fully privatise Telstra was one of the two main reasons I didn't vote Liberal (for the first time ever) at the last elections - the US-AU FTA being the other one.)
Not really (Score:5, Informative)
I don't know if this is what bigpond are doing, but that's the usual way to handle this and it seems to work extremely well. My ISP uses a similar trick when users go over quota.
My ISP does this regularly (Score:4, Informative)
There are two restrictions: Netcologne certainly does not monitor all traffic; they react to abuse messages. And this "service" is not available to business customers.
Re:My 1st Thoughts (Score:3, Informative)
Re:Drastic Measures (Score:3, Informative)
To expand on this, a lot of you non-Australians should probably know that Telstra Bigpond is the ISP that people choose when they don't know any better.
Not necessarily. Please don't generalise.
Where I live I have the choice of Optus or Bigpond (Telstra) cable internet. Optus prohibits servers in their acceptable use policy, and according to the Whirlpool forums [whirlpool.net.au] they block certain ports to enforce this.
ADSL is also available, but it has a much lower download speed. We also have the Optus Local phone service running over their cable network, so to get ADSL we'd need to switch back to the (Telstra) copper phone line first.
When I signed up for broadband, Bigpond cable offered free installation and 2 months free access on a 24-month plan. Compared to getting the copper phone line reconnected and changing telcos, having ADSL activated, and whatever upfront fees were involved in getting an ADSL modem, and still only being able to download at a fraction of the speed, cable seemed the much better choice.
I'm not a big fan of Telstra, but right now there's nothing better out there. Hopefully by the time my contract expires my exchange will have ADSL2, and I can consider other options.
Re:My 1st Thoughts (Score:3, Informative)
With a flatrate there is no such thing as "need for accounting", so the ISP isn't allowed to make logs, which are personalized.
So the original poster most likely meant: if they can't have personalized logs, they can't shut you down.
Re:Why is this news!?! (Score:3, Informative)
Hah, you're kidding right? NTL have one of the worst records [sucs.org] when it comes to responding to abuse reports. Trust me - I've had to deal with them several times about abuse matters and frankly they don't care.
Re:Why is this news!?! (Score:3, Informative)
Re:My 1st Thoughts (Score:2, Informative)
This happens in America too (Score:2, Informative)
Granted, this is a regional ISP in BFE North Dakota but it still counts and ISPs have the right to do this. My M-I-L gets DSL in two weeks, should make for interesting times.
Re:This is a good thing (Score:4, Informative)
Have you BEEN on the Comcast forums recently? Comcast is having a LOT of trouble with their DNS servers and it is affecting EVERYBODY.
Last week when it happened I just switched my DNS addresses to MIT's (though now I have a nice list of addy's just in case MIT's goes down). I have been instructing my friends on how to change the default DNS listings because they are being affected themselves. Once they change them, they have no problems. Hell, I didn't even know Comcast was having problems AGAIN yesterday because I just kept my system with the MIT addy's.
I have to wonder, if trojans are effectively DDoSing Comcast's servers, whether there is not some ulterior motive behind this. DNS servers are the life blood of the Internet; to take them down means we would all have to know numbers to get around the Internet, and while I keep a few IP addy's in my bookmarks just in case, to expect Joe User to is ridiculous.
Of course it is probably just Comcast, who, as a regulated monopoly, has no incentive to upgrade services, because for many, Cable Internet is the only "broadband" (HA!) available. I wouldn't be surprised if rates go up again to cover the cost of whatever "upgrade" Comcast comes up with to solve this problem.
Until then I am keeping my DNS addresses pointed to MIT's servers and I am NOT going to be using Comcast's.
Re:Drastic Measures (Score:3, Informative)
Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?
In addition to the already mentioned use of sending spam, zombied machines can be used to poison DNS servers. The poisoning basically involves sending lots of forged packets to the DNS server in what is known as a birthday attack [securityfocus.com]. There has recently been a rash of these kinds of attacks, as documented [sans.org] by SANS.
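An added illustration, not code from the thread or from the linked SANS/SecurityFocus write-ups: the probability model behind the birthday attack mentioned above, compared with what a resolver operator gains from adding source-port entropy. The ID-space sizes (2**16 for the transaction ID alone, about 2**32 with a randomized source port) and the uniform-random model are standard assumptions.

```python
"""DNS ID birthday attack vs. the extra entropy from source-port randomization.

Added illustration, not from the thread. Model (assumed): a resolver has m
outstanding queries for one name, each with an ID drawn uniformly from an
id_space of 2**16 (transaction ID alone) or about 2**32 (ID plus randomized
source port). The zombies fire n forged answers with random IDs; any one
match poisons the cache.
"""
import math

def p_spoof_classic(n, id_space=2**16):
    """One outstanding query, n forged answers: P(at least one ID matches)."""
    return 1 - (1 - 1 / id_space) ** n

def p_spoof_birthday(n, m, id_space=2**16):
    """m outstanding queries with distinct random IDs, n forged answers.
    Each forged answer misses all m with probability about 1 - m/id_space."""
    m = min(m, id_space)
    return 1 - (1 - m / id_space) ** n

def forged_answers_needed(p_target, id_space=2**16, birthday=True):
    """Smallest n reaching success probability p_target. The classic case has
    a closed form; the birthday case (n queries and n answers) is found by
    binary search, since p_spoof_birthday(n, n) is monotonic in n."""
    if not birthday:
        return math.ceil(math.log(1 - p_target) / math.log1p(-1 / id_space))
    lo, hi = 1, id_space
    while lo < hi:
        mid = (lo + hi) // 2
        if p_spoof_birthday(mid, mid, id_space) >= p_target:
            hi = mid
        else:
            lo = mid + 1
    return lo

if __name__ == "__main__":
    # Packets needed for a 50% chance: note how the birthday case collapses the
    # cost at 16 bits, and how much the extra port entropy restores.
    for space, label in ((2**16, "16-bit ID"), (2**32, "ID + source port")):
        print(label,
              "classic:", forged_answers_needed(0.5, space, birthday=False),
              "birthday:", forged_answers_needed(0.5, space))
```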
Roger's Cable Internet (Canada) Is Doing it Too (Score:3, Informative)
Both were very easy to remove; I even used Microsoft's Malicious Software Removal Tool [microsoft.com] (gasp), which was quick and easy. I wish they would kick all of these infected PCs offline so we wouldn't be dealing with these erratic spikes that have now turned FPS gaming into a modem-like affair.
I bet a few of the "free" antivirus companies, like AVP, could make a killing sending out "AOL-like" demo CDs that cure the ails of all these banished network newbies.
Sending mail without Port 25 (Score:3, Informative)
But there are several other protocols for sending email that don't look like Port 25 to the ISP. There are a couple of SMTP-submission protocols which let you set up a connection to a mail server where you have an account and do various kinds of authentication, including some that use SSL encryption. Alternatively, you can do SSH or IPSEC or other VPN tunnels to your email provider. And then for us old folks, there's always "login to a shell account" :-) (Kids can use webmail instead.)
As far as email-over-telepathy goes, Dan Kaminsky recently demonstrated IP-over-DNS tunnelling at Codecon. It's really, really evil: he was even able to do video-over-IP-over-DNS by co-opting about 25000 DNS servers. I'm pretty sure he was the guy who did a lot of the IP-over-HTTP tunnelling a couple of years back, and he's done lots of other creative work with detailed protocol analysis.