Major Aussie ISP Disconnecting Trojaned PCs
daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.
My 1st Thoughts (Score:5, Insightful)
"It's about Time"
"Glad somebody is finally taking an interest in keeping the neighborhood cleaned up"
"Oh crap, is this the first chink in the armor, ISPs can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"
This is a good thing (Score:5, Insightful)
Is this really news? (Score:2, Insightful)
Where's the story?
Hmm... makes sense to me! (Score:5, Insightful)
Right- I can smell a cake burning. Let's add more flour! Come on- more flour!
Seems a sensible thing to do to me- tackle the computers causing the problems, rather than trying to react to the problem itself.
Re:Why is this news!?! (Score:3, Insightful)
Re:My 1st Thoughts (Score:3, Insightful)
Fortunately, they can yank the plug because these machines are attacking their DNS servers. Not because these computers are just sending out a lot of DNS requests.
Catch-22 (Score:5, Insightful)
That's not to say it isn't impossible, but it wouldn't surprise me that taking a laptop/ipod/some other storage device big enough around to another friend's house and getting all the updates is going to be beyond most people.
Also, last time I checked, I can't download all the updates that have been developed after XP SP2 was released from a machine running Windows 2000.
(side note: I'm on a 56k modem at home and therefore don't have a spare 3 weeks to get the several hundred megabytes of updates - and autopatcher xp hasn't been updated after sp2 was released)
Re:This is a good thing (Score:5, Insightful)
Re:Hmm... makes sense to me! (Score:3, Insightful)
I'd give Telstra a big round of applause for at least appearing to try other options before cutting customers off. A significant minority (maybe majority?) of the customers who get cut are going to be *very* uncomfortable when they get called by Telstra. Telling people that their rough driving finally caused their car to break down isn't easy. Many CSRs will be threatened this week.
I've only been in AU for 2 months but from what I'm told, Telstra (until the past 7 years or so) has been a very benevolent monopoly. Being from Canada, most people at least disliked Bell and Rogers (our local telephone and cable monopolies, respectively). When Telstra's customer service tanked, opinion of the company apparently changed quickly. Or maybe was expressed more often, who knows.
Either way, Telstra seems to have done the right thing. Kudos to the manager who made this decision... it must not have been easy.
Re:My 1st Thoughts (Score:5, Insightful)
They've always been able to do that.
Slow response times? (Score:5, Insightful)
If Telstra is like any other large ISP I've seen, I figure that the first thing they should do is hire (or allocate) a good gaggle of AUP investigators so that their intelligence on this problem is reasonably real-time.
They could also write some scripts to log and categorize the DNS queries that they're getting from their customers. It should be fairly easy to automatically identify the worst offenders. You could then send notes to their owners, and if there's no reasonable response, pull the plug. Over the last few years, I think that I've written scripts to do pretty much everything but the last step, so I know it's doable. (that last step should almost always be manual).
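The logging-and-categorizing step the post describes, as an added example (not code from the post's author or from BigPond): it parses resolver query-log lines in a BIND-style format, aggregates per client, and ranks the clients whose query rate stands out so that a person can review them. The log lines are constructed, the thresholds are assumptions, and the final step (contacting or disconnecting anyone) is deliberately left to a human, as the post recommends.

```python
"""Rank DNS resolver clients by query volume for manual review.

Added example, not from the original page. The log format mimics a
BIND-style query log; real resolver logs differ in detail, so the
regex is an assumption to adapt. All sample lines are constructed and
use RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one client hammering the resolver with the same
# name (10 queries in 2 seconds), one client behaving normally, and one
# malformed line that the parser must skip.
SAMPLE_LOG = """\
12-Aug-2005 10:00:00.100 client 198.51.100.7#3201: query: mail.example.net IN MX
12-Aug-2005 10:00:01.001 client 203.0.113.10#1025: query: www.example.com IN A
12-Aug-2005 10:00:01.102 client 203.0.113.10#1026: query: www.example.com IN A
12-Aug-2005 10:00:01.203 client 203.0.113.10#1027: query: www.example.com IN A
12-Aug-2005 10:00:01.304 client 203.0.113.10#1028: query: www.example.com IN A
12-Aug-2005 10:00:02.005 client 203.0.113.10#1029: query: www.example.com IN A
12-Aug-2005 10:00:02.106 client 203.0.113.10#1030: query: www.example.com IN A
12-Aug-2005 10:00:02.207 client 203.0.113.10#1031: query: www.example.com IN A
12-Aug-2005 10:00:03.008 client 203.0.113.10#1032: query: www.example.com IN A
12-Aug-2005 10:00:03.109 client 203.0.113.10#1033: query: www.example.com IN A
12-Aug-2005 10:00:03.210 client 203.0.113.10#1034: query: cdn.example.com IN A
this line is not a query record and should be ignored
12-Aug-2005 10:00:15.400 client 198.51.100.7#3202: query: www.example.org IN A
12-Aug-2005 10:00:30.700 client 198.51.100.7#3203: query: www.example.net IN AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    return ts, m["ip"], m["name"].lower().rstrip("."), m["qtype"]


def summarize(lines):
    """Per-client totals: query count, first/last seen, and per-name counts."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a query record
        ts, ip, name, _qtype = rec
        s = stats.setdefault(
            ip, {"count": 0, "first": ts, "last": ts, "names": defaultdict(int)}
        )
        s["count"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["names"][name] += 1
    return stats


def rank_offenders(lines, min_queries=8, min_qps=2.0):
    """List clients exceeding both an absolute count and a sustained rate.

    Thresholds are assumptions for the constructed sample; a real resolver
    operator would derive them from a baseline of normal client behaviour.
    The result is a review list, not an action list.
    """
    offenders = []
    for ip, s in summarize(lines).items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        qps = s["count"] / span
        if s["count"] >= min_queries and qps >= min_qps:
            top_name, top_hits = max(s["names"].items(), key=lambda kv: kv[1])
            offenders.append({
                "ip": ip,
                "count": s["count"],
                "qps": round(qps, 2),
                "distinct_names": len(s["names"]),
                "top_name": top_name,
                "top_name_hits": top_hits,
            })
    return sorted(offenders, key=lambda o: o["qps"], reverse=True)


if __name__ == "__main__":
    for o in rank_offenders(SAMPLE_LOG.splitlines()):
        print(f"{o['ip']}: {o['count']} queries at {o['qps']} q/s, "
              f"{o['distinct_names']} names, mostly {o['top_name']}")
```

The repeated-name count is worth keeping in the report: a client that asks the same question hundreds of times in a few seconds is ignoring (or never caching) the answer, which is a different picture from a busy but healthy network behind a NAT, and that distinction is what the human doing the last step needs.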
Re:This is a good thing (Score:2, Insightful)
"If you don't disconnect the offending computer, how will the idiot who owns it know they've been an idiot? Disconnecting it totally is a great way to handle the problem, because it forces the idiot to call customer services to find out why their connection no longer works, at which point you can lart them for being an idiot and force them to clean up their idiot-box before you reconnect them. Just silently dropping the offending packets does nothing to educate the idiot involved."
So mods, please mod up the post I'm quoting if you feel inclined, otherwise ignore this post, thanks!
Re:Hmm... makes sense to me! (Score:3, Insightful)
internet, what do you think happens next?
They call the ISP on the phone. And they are told to clean their computer. And the computer either gets cleaned, or they remain off the internet.
Your cake analogy is flawed. Instead, think of an analogy involving quarantine, computers, viruses, ISPs and such. Wait. Instead of an analogy, why not just reason about what's going on in this situation.
What confusion of facts lets you believe that quarantine is not addressing the infection directly? It UNAVOIDABLY causes the customer to fix the infection, or cease to piss in the public internet pool.
Re:This is a good thing (Score:5, Insightful)
I think for 99.9999% of a residential ISP's customers, having their access to DNS blocked would not be noticeably different from disconnection.
Besides, if someone has an infected PC, disconnection is a friendly action. It kicks them up the arse so they have to find out what is going on, and it prevents them being zombied.
We have a collective problem that many many people have PCs on the internet but don't have the kind of basic understanding we demand before we'd allow them onto the road in a car. Sending them back to the garage for a day or two with a hint to learn what the windscreen wipers are for is good for everyone.
Re:Catch-22 (Score:2, Insightful)
NTL (Score:5, Insightful)
Other people with this problem have speculated that Linux machines (which NTL allows but "doesn't support") are sometimes mis-detected as Netsky-infected Windows PCs.
The moral is, if this sort of thing is going to become widespread, they need good detection of many different types of network usage, and they need to tell them by phone instead of just giving them what looks like a default-homepage hijack.
In a similar vein, remember MS marking VNC as spyware? Imagine if an ISP starts taking down VNC servers for the user's own security, etc, etc.
Re:My 1st Thoughts (Score:4, Insightful)
Yeah, that's a valid concern. I think what we are talking about here is the difference between being pragmatic and idealistic.
Idealistically, the ISP would never look at your traffic, and just deliver the pipe. Practically, zombies are degrading the service of other customers significantly, and the ISP is going to know what the problem is.
It's not a perfect Internet yet, we all know that, so I think it's pretty reasonable that certain measures are taken in cases like this.
Just remember to scream really loud when there is an incident of an ISP disconnecting you for something that is perfectly legal.
(PS. It's good to see that the use of Torrents appears to have a high legal/questionable content ratio, whereas the last time I looked at P2P, it was really hard to argue that it wasn't used mainly for illegally copying stuff)
Re:This is a good thing (Score:4, Insightful)
You just assume that the people will suffice by installing (purchasing?) some equivalent to a windscreen wiper such as antivirus software but that won't be enough for the really nasty ones.
Since the ISP can apparently distinguish between good and bad traffic, can't they filter out any traffic which contains the trojans? They are assuming their non-IT clients can.
Re:This is a good thing (Score:5, Insightful)
Re:My 1st Thoughts (Score:2, Insightful)
Re:This is a good thing (Score:4, Insightful)
If someone targets you for a sophisticated attack, you are probably not a normal internet user (eg you're commercial or a political site or something), you need professional IT support and shouldn't be using a normal retail ISP.
The threat to normal customers is generic worms and trojans and so on. Things which the basic security everyone should be using will protect against. Just the equivalent of using windscreen wipers when it is raining.
IIRC my ISP supplies some kind of firewall/antivirus package for all customers. (I've had my connection since before this kind of thing became really necessary and don't connect from Windows, so I've never investigated what they are offering). I can't imagine why any ISP would not do that -- the saving in customer support calls alone would more than pay for it.
Re:sick are put in quarantine net (on this uni) (Score:1, Insightful)
Who can keep up with all the patches? One-strike means that when you have downloaded the needed patches and run windows update, you can click onestrike and be back online without(!) ISP intervention.
It saves time for the user and especially for the ISP, since detection is automated. Not only for blaster, but for a lot of worms and virii.
Re:This is a good thing (Score:2, Insightful)
Cutting them off has a much higher pain-in-the-ass factor, however, which might lead to a more long term solution of user education. If the users actually have to jump through hoops to get back online, they might take greater steps to keep their machines patched and protected.
Aesthetically I favor the latter situation as it really drives the point home. I'm not sure if the market would bear this out though. If a user can just jump ship to another ISP that doesn't cut them off they will probably do so in most cases.
I think all ISP's should cut off trojaned users. Trojaned windows machines have really made the net hell for all of us. I'm certain everyone's spam count would drop considerably if those machines were just plain knocked off the net until patched.
Anyway, long story short:
I think the tactic the article is covering is great, however your suggestion, while not totally ideal in my little world, provides a happy pseudo medium ground that would also remedy a lot of my concerns. Cheers and pardon my drunken ramblings
Re:My 1st Thoughts (Score:2, Insightful)
Re:My 1st Thoughts (Score:5, Insightful)
Best Practice (Score:5, Insightful)
Back this up with your regular tech support. Yes, some users will be too clueless but a good deal won't. A fair percentage of the clueless ones will catch on quickly when their internet gets shut off and stays off. I can guarantee you the network traffic they'd get would drop to a third of the levels seen before.
Actually, in this perspective AOL's lackluster virus and spyware protection makes perfect sense.
Re:My 1st Thoughts (Score:3, Insightful)
When I was running an ISP I had many clauses for termination and had to use them on rare occasion.
If you think an ISP did not have this ability you are horribly naive.
How to acquire spyware removal tools if disconnected? (Score:4, Insightful)
A better idea would be to restrict bandwidth and connections on infected computers. The ISP should also post everyone they disconnect a CD with the usual free tools and instructions on how to use them. Along with Firefox and Thunderbird, of course.
I agree though, action should be taken against owners of zombie computers. They're irresponsibly spoiling the internet for others. Such users who think 'Internet Explorer' is the internet and believe the internet = the web.
While such ignorant users should be allowed to run computers in private, once they're connected to the internet, they become a danger to everyone else. The way I see it, I'm not allowed to drive a car on the road without first taking a test to make sure I can use it safely, and recognise and repair common problems (or at least take the car to the garage). This requires knowledge of both how the mechanics of the engine work, and of the highway code. So why are people who have never even seen the inside of a computer and don't realise that connecting an unpatched WinXP box to broadband is as dangerous as speeding down a motorway in the opposite direction to all traffic, allowed to do exactly that?
Re:Catch-22 (Score:2, Insightful)
Hell, updating their virus scanner is beyond them.
Re:Good idea to me (Score:3, Insightful)
You can't realistically expect Joe SixPack, who doesn't know the difference between the CD tray and a coffee cup holder, to keep his computer up to date with the latest service pack or patch.
Why not? Most people don't know anything about how their cars work but do know that the oil needs to be changed at regular intervals and when the "Service Engine Soon" light comes on, it's time to visit a mechanic. They also know that if they don't do this their car will cease to function.
I'm really sick of the whole "people who don't know computers should be exempt from the rules" attitude. You know? Personal computers have been around for a very long time now, they aren't novelty items and people who use them should be expected to be courteous enough to keep them virus-free.
I for one am glad a major ISP is finally cutting off people who are too lazy to keep their computers secure. I hope more ISPs do this.
Routine? (Score:3, Insightful)
However it never used to be, this aggressive step of securing our network was prompted by the ISP being threatened with a Usenet Death Penalty, twice.
Whether this BigPond story is any different (Because it deals with Trojans rather than mail relays) is another matter...
Re:Potential boon for alternative OSes (Score:1, Insightful)
This is certainly within precedent (Score:4, Insightful)
(Uni computing services) != (commercial ISP) (Score:5, Insightful)
So our ISP (U of R computing services) not only disconnected him from the network,
So you get your Internet feed through Uni computing services - noted.
but refused to let him back on the network unless he agreed to give them his computer and let *them* run an antivirus scan on it, after which it would be returned.
That's actually not a bad idea. They want to be sure that the system in question is no longer a problem. I'm sure you can see where a user would have motivation to lie about the scan if it would get him back on the network.
but the point is that our ISP can not only watch your internet traffic (as they have been), but if you "get a virus" they can disconnect you and demand they have access to all your personal files at will.
Blows my mind.
Re: watching traffic, disconnecting users - re-read the Terms of Service you signed when you accepted their Internet access; I suspect you will find they've had these capabilities all along.
However, your comment about demand... access to all your personal files at will is completely ridiculous.
First, computing services will only need to examine your PC if it is causing a problem for other users; if things have gotten to this point you are either unable or unwilling to maintain the machine yourself and have effectively abdicated this responsibility.
Second, you probably already gave them permission to require such a scan when you agreed to the ToS (see above).
Third, who says your personal files have to remain on the machine if/when you turn it in for virus scanning?? Your roommate was told to deliver the computer; he can sanitize it before he does so. (This should be obvious.)
The University is not a commercial ISP. They provide the Internet access as a tool for you to use to further your education. It is a shared resource, and if you are causing problems they can rectify said problems as necessary based on the ToS. If you don't like their ToS you are free to go back to dial-up or pay for a T1.
Re:This is a good thing (Score:5, Insightful)
Even better is to block all access and redirect web requests to a server that explains what's going on and provides patches, etc. That way people (with more than one brain cell) don't _have_ to phone customer support.
Re:Last email they got (Score:3, Insightful)
2. If they had any smarts at all, they'd still allow the client access to a whitelist of sites - windowsupdate, symantec, etc, as well as allowing them access to their own web/ftp sites to download fixes. If they don't, they're only doing a half-ass job of helping to fix the problem.
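The "redirect web requests to an explanation page" idea from the earlier comment and the whitelist idea from this one are both usually implemented in the resolver: a quarantined client gets real answers only for names on an allow-list and the captive-portal address for everything else. The policy function below is an added example (not code from either commenter or from any ISP); the portal address, the upstream answers and the quarantine list are constructed, and the whitelisted domains are taken from the names the comment mentions.

```python
"""DNS walled-garden policy for quarantined clients.

Added example, not from the original page. Constructed values: the
portal address and client addresses are RFC 5737 documentation ranges,
UPSTREAM stands in for a real recursive lookup, and the whitelist is
an assumed configuration built from the domains the comment names.
"""

PORTAL_IP = "192.0.2.53"  # constructed: web server that explains the quarantine

# Assumed configuration: vendors a quarantined client still needs to reach.
WHITELIST = ("windowsupdate.com", "symantec.com")

# Constructed stand-in for upstream recursion (name -> answer).
UPSTREAM = {
    "www.example.com": "198.51.100.20",
    "download.windowsupdate.com": "198.51.100.30",
    "liveupdate.symantec.com": "198.51.100.40",
    "windowsupdate.com.evil.example": "198.51.100.66",
}


def normalize(name):
    return name.lower().rstrip(".")


def domain_matches(name, allowed):
    """True if name equals, or is a label-boundary subdomain of, an allowed suffix.

    The '.' + suffix check is what keeps 'windowsupdate.com.evil.example'
    from matching 'windowsupdate.com'; a plain substring test would let it through.
    """
    name = normalize(name)
    for suffix in allowed:
        suffix = normalize(suffix)
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def resolve_for_client(client_ip, qname, quarantined, whitelist=WHITELIST, upstream=UPSTREAM):
    """Return (answer_ip or None, reason).

    Quarantined clients: whitelisted names resolve normally, anything else
    gets the portal address so a browser lands on the explanation page.
    Everyone else resolves normally. Unknown names return None (NXDOMAIN).
    """
    if client_ip in quarantined and not domain_matches(qname, whitelist):
        return PORTAL_IP, "redirected to portal"
    answer = upstream.get(normalize(qname))
    if answer is None:
        return None, "NXDOMAIN"
    return answer, "resolved"


if __name__ == "__main__":
    quarantined = {"203.0.113.10"}  # constructed: one client flagged by the ops team
    for client, name in [("203.0.113.10", "www.example.com"),
                         ("203.0.113.10", "download.windowsupdate.com"),
                         ("198.51.100.7", "www.example.com")]:
        print(client, name, "->", resolve_for_client(client, name, quarantined))
```

Two points a practitioner would add: the suffix match has to respect label boundaries (tested above with a look-alike name), and a DNS-only garden is bypassed by anything that connects by IP address, so in practice it is paired with a firewall rule that also sends the quarantined client's web traffic to the portal.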
Mod parent up (Score:2, Insightful)
Deal with it, and clean up your fucking computer.
Re:Potential boon for alternative OSes (Score:3, Insightful)
1). the default user is not an administrator
Wait until Linux goes mainstream. Most people will just log in as root for normal activities to avoid the hassle of "su". After all, they don't have to bother with such annoyances under Windows. If they don't log in as root, they will happily supply the root password and/or click "OK" for any popup - just like on Windows.
The problem is that the average Joe has no idea how computers work, and they don't want to think about it. They will follow the path of least resistance to pr0n or pirated music without thinking about the consequences.
Ah... this is unusual? (Score:4, Insightful)
Re:How to acquire spyware removal tools if disconnected (Score:3, Insightful)
Really??
J.
Re:Good idea to me (Score:3, Insightful)
Not the state, but car manufacturers and dealers definitely do.
As people start treating their computers more and more as an "internet machine", the focus shifts from the hardware or software manufacturer to the ISP. To put it another way, if ISP X offers network and system management, and ISP Y only offers internet connectivity, I would definitely recommend ISP X to my friends and relatives. Even if X charges an extra 10 bucks a month for the service.
"My point: if joe six pack is not able to get his computer in good working order, he can pay someone to do it, just like he does to get his car fixed..."
Agreed. However, if the ISP is offering the same maintenance contract, I would definitely recommend it over the Dell contract.
My point is not that the ISP is *obligated* to provide this service. My point is that an ISP is the only entity that's permanently connected to the customer. Hence, it's in a unique position to offer services (such as security and even software support) that no-one else can. This is a unique opportunity for an ISP and they *should* make use of it.
If port 53 is blocked... (Score:2, Insightful)
Nothing stopping you from setting up a local DNS server.
Unless this DNS server can connect to other DNS servers on port 53, having a DNS server isn't going to do you much good with respect to accessing the public Internet.
Shut up (Score:5, Insightful)
By the way, most ISPs still are NOT doing this. Time Warner's Road Runner, for instance, never even looks in the direction of a trojaned machine on their network - at least in my area.
Not Liability (Score:2, Insightful)
This is like the ISP Road Department analogy from a story yesterday. The ISP is not so much checking the contents of passing cars on a highway for contraband.
This is more like the Highway department kicking cars off the road because their owners have allowed them to degrade to horse-drawn carts and all the horseshit on the road is causing problems with slow traffic and time and money to clean up the mess. I say this is a good move.
Re:Why is this news!?! (Score:2, Insightful)
One assumes that the links to the virus scanner and ad aware are allowed through.
Will it help linux? (Score:2, Insightful)