Security Operating Systems Software The Internet Windows Worms

Major Aussie ISP Disconnecting Trojaned PCs

daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.
  • Good. (Score:0, Interesting)

    by Anonymous Coward on Wednesday April 13, 2005 @04:04AM (#12221330)
    Good.
  • by Rixel ( 131146 ) on Wednesday April 13, 2005 @04:09AM (#12221346)
    Burn up the SMTP servers, then take your lumps.

    All responsible ISPs should apply that logic. Too bad money often replaces responsibility so much.
  • Drastic Measures (Score:5, Interesting)

    by onosendai ( 79294 ) <oliyoung.gmail@com> on Wednesday April 13, 2005 @04:09AM (#12221350)
    These are drastic measures, but given the average BigPond user is much less a geek than anyone frequenting these parts, this will probably be the first time that most of these users will know about it, and given BigPond's previous problems with mail-servers, perhaps they're striking before the problem gets too out of hand.

    Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?
  • Good idea to me (Score:5, Interesting)

    by Rainwulf ( 865585 ) on Wednesday April 13, 2005 @04:11AM (#12221358)
    I think this is a good idea as well. I work in technical support, and the amount of infected machines I have to deal with is just phenomenal. Cutting off the machine's access to the internet fixes the problem. The customer goes "WTF" and I say, "Yeah, your machine is infected. Either install nix or go to a computer store." However, it's open to abuse... define excessive traffic.. and what traffic is malware or legitimate traffic. However... since a good 90 percent of spam comes from infected machines as well (go Windows you good thing go) it's all thumbs up from me.
  • Waste of time? (Score:5, Interesting)

    by www.sorehands.com ( 142825 ) on Wednesday April 13, 2005 @04:15AM (#12221376) Homepage
    They should at least make a phone call to the party so they don't waste time trying to figure out the problem.

    Not all people pick up the phone and tolerate the script. Some people actually try to diagnose the problem first.


    Most ISPs have language in their terms of service that permits this action. It is a shame that an ISP needs to have their services almost knocked out before taking action.

    I'd like to see some ISPs that ignore trojaned machines or support spammers get sued by other customers when their IP blocks end up on block lists.

  • by zimba-tm ( 598761 ) on Wednesday April 13, 2005 @04:28AM (#12221416) Homepage
    Well, there is no need to *disconnect* the computer if all you have to do is block the problematic port. It's so lazy to disconnect a computer. Do they know about traffic shaping?
  • by Anonymous Coward on Wednesday April 13, 2005 @04:29AM (#12221419)
    All of these infected Windows boxes are killing the net. If ISPs would simply yank them as they show signs of infection (trojan, worms, etc) UNTIL the customers can demonstrate that they have taken care of problems, then things would be a lot easier.
  • Nothing new (Score:5, Interesting)

    by Rob Kaper ( 5960 ) on Wednesday April 13, 2005 @04:33AM (#12221433) Homepage
    Dutch ISP Xs4All has been doing this for months/years, blocking all traffic (most notably SMTP) minus SSH and access to their HTTP proxy.
  • by GafferFish ( 852750 ) on Wednesday April 13, 2005 @04:35AM (#12221438)
    Save money? I figure they'll be losing revenue based on excess data traffic charges generated by extra traffic caused by the trojans. Note to Non-Aussies: BigPond counts both uploads and downloads for data traffic, with excess usage charged at A$0.15/MB. There have been cases of people being hit with very large internet bills for one month (IIRC the largest was in excess of $10,000).
  • by aussie_a ( 778472 ) on Wednesday April 13, 2005 @04:35AM (#12221439) Journal
    Lucky they're ringing up the user, because otherwise the user will just assume that they've been disconnected. Yet again. Bigpond is terrible with keeping its users online (I'm talking broadband here), and believes that two to three disconnects per day is perfectly fine, even when those disconnects last for an hour or more.

    I can see it now:
    Customer: My broadband is down again.
    Bigpond: Oh, I see. Well from time to time this does happen for a brief moment...
    Customer: It's been down all day, and it's happened every day this week.
    Bigpond: I see.. What's your account *clickety* Oh yes, we've marked you as a computer with a trojan. Please do a virus scan and call us back, if it comes back negative we'll re-connect you.

    I'd go with someone else but they're the only broadband provider for my area. And I live in Sydney (the suburbs, an hour from the city itself)
  • suspected PCs? (Score:2, Interesting)

    by Anonymous Coward on Wednesday April 13, 2005 @04:56AM (#12221513)
    Why do they talk about 'likely source' and about cutting off 'suspected PCs'?

    Why not simply do a precise measurement (get the netflow from the router) and take actions based on correct data rather than guessing?

    I for one wouldn't want to be cut off by my ISP because someone at the ISP is guessing.
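
The measurement this comment asks for, as an added example that is not part of the thread: a small Python detector that sums per-subscriber DNS packets towards the ISP resolver from flow records and flags only hosts far above both an absolute floor and the population median, so that one flooder cannot drag the baseline up and a small population cannot produce false positives. The flow tuples, the resolver address and the thresholds are constructed for the example; real NetFlow/IPFIX parsing is assumed to happen upstream.

```python
"""
Added example (not from the Slashdot thread or BigPond): flag subscribers whose
outbound DNS query volume is far above the rest of the population, from flow
records exported by the access router.

Assumptions (all constructed for this example): a flow record is the tuple
(unix_time, src_ip, dst_ip, dst_port, packets), and any packet to port 53 on
RESOLVER is a DNS query. Parsing real NetFlow/IPFIX is out of scope.
"""
from collections import defaultdict
from statistics import median

RESOLVER = "10.0.0.53"      # constructed: the ISP's recursive resolver
WINDOW_SECONDS = 60

# Constructed flow records: (unix_time, src_ip, dst_ip, dst_port, packets)
SAMPLE_FLOWS = [
    (1000, "192.0.2.10", RESOLVER, 53, 12),
    (1010, "192.0.2.11", RESOLVER, 53, 8),
    (1020, "192.0.2.12", RESOLVER, 53, 15),
    (1030, "192.0.2.13", RESOLVER, 53, 9),
    (1040, "192.0.2.14", RESOLVER, 53, 11),
    (1005, "192.0.2.99", RESOLVER, 53, 4200),        # infected host flooding
    (1035, "192.0.2.99", RESOLVER, 53, 3900),
    (1050, "192.0.2.10", "203.0.113.5", 443, 500),   # HTTPS, not a DNS query
    (1100, "192.0.2.11", RESOLVER, 53, 7),           # outside the window
]


def dns_queries_per_source(flows, window_start, window_seconds=WINDOW_SECONDS):
    """Sum DNS packets sent to the resolver per source IP within one window."""
    window_end = window_start + window_seconds
    counts = defaultdict(int)
    for ts, src, dst, dport, pkts in flows:
        if dst == RESOLVER and dport == 53 and window_start <= ts < window_end:
            counts[src] += pkts
    return dict(counts)


def flag_dns_flooders(counts, multiplier=20, floor=1000):
    """
    Return {src: packets} for sources above max(floor, multiplier * median).

    The median is used as the baseline because a single flooder would
    inflate a mean; the absolute floor keeps a tiny, quiet population from
    producing a threshold so low that ordinary clients get flagged.
    """
    if not counts:
        return {}
    baseline = median(counts.values())
    threshold = max(floor, multiplier * baseline)
    return {src: n for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    counts = dns_queries_per_source(SAMPLE_FLOWS, window_start=1000)
    for src, n in sorted(flag_dns_flooders(counts).items()):
        print(f"{src}: {n} DNS packets in {WINDOW_SECONDS}s, baseline "
              f"{median(counts.values())}")
```

Running it flags only 192.0.2.99; the design choice worth copying is that the verdict rests on a measured count over a fixed window rather than on a "likely source" guess, and the thresholds are explicit so the customer can be told exactly what was observed.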

  • by KiloByte ( 825081 ) on Wednesday April 13, 2005 @05:01AM (#12221526)
    block problematic port

    It's not that simple. The attack in question was done by a flood of DNS queries -- you're not really going to cut off port 53, as this is pretty much equal to knocking that person off the Net.

    The typical case involves a lot of outgoing connections on port 25 -- you can't really block this as well unless the user in question uses nothing but webmail.

    Traffic shaping won't help a lot, either -- it can protect the server, of course, but won't help the user himself. In this case, it will just make their legitimate use prohibitively slow -- their web browser/whatever will compete with the virus they have over the tiny allotted quota of allowed DNS queries.

    IMO it's much better to just cut them off outright, telling them that the fault is on their side.

    If you want to be nice, you can redirect all their traffic to a web server which gives them a nice idiot-proof message about what they need to do. This is what I've set up for a friend's basement ISP (~30 paying users) -- although in that case, the message was similar to "your payment is due for two months, you didn't heed our reminders".
  • Re:My 1st Thoughts (Score:3, Interesting)

    by Anonymous Coward on Wednesday April 13, 2005 @05:08AM (#12221541)
    "Oh crap, is this the first chink in the armor, ISP's can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"
    I can agree with you on the first 3 statements, but that last is just crap.
    Why the fuck should an ISP want to disconnect a user because of his P2P or Torrent use? If the ISP can't cope with the amount of data flowing through, it shouldn't disconnect a user. If I pay for a 2mbit DSL with no limitations to usage, I want a 2mbit DSL with no limitations. My ISP shouldn't fucking cut off my internet access. Besides, P2P and Torrent can actually be used for something useful. The last 10 times I've used bittorrent, it was for downloading WoW updates and Gentoo and Debian ISOs.
    Yes, I know that some people will call me naive, and I DO know that not everyone uses P2P and torrent for these purposes, but that shouldn't change the fact that the ISP shouldn't disconnect a user depending on how he uses his connection as long as he pays for it.
  • by Dulcise ( 840718 ) on Wednesday April 13, 2005 @05:10AM (#12221547)
    I think ISPs should do what ntl did during the MS Blaster worm outbreak, which is only allow the user to connect to either the removal tool or a page that contains a link to it and how to use it. It would take more work, but it's better for the customer.
  • by Anonymous Coward on Wednesday April 13, 2005 @05:26AM (#12221597)
    When computers here (utwente.nl) are infected it is usually automatically detected, resulting in every web request going to "you're in quarantine, you can download clean-up tools HERE, and when you're clean send us a message HERE. Apart from that you can connect to nothing." If you're interested, it's run by the guys from http://snt.student.utwente.nl
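
The "walled garden" that KiloByte, Dulcise and this poster describe (redirect the browser to a notice page, keep the clean-up tool reachable, drop everything else), as an added example that is not the university's or any ISP's code: a Python model of the per-flow policy, in the order the equivalent firewall/DNAT rules would be written. All addresses, the quarantine web server, the quarantine resolver and the clean-up host are constructed placeholders. One detail the thread's DNS-flood context makes important: the quarantined client's DNS is not sent to the production resolver (which is what the trojans were flooding) but to a dedicated quarantine resolver that is assumed to answer every name with the notice page's address, captive-portal style; that is what lets the redirect work without re-opening the flood path.

```python
"""
Added example (not from the thread, an ISP, or utwente.nl): a model of a
quarantine policy for infected subscribers. It decides, per flow, whether to
allow, redirect, or drop. Nothing here touches a real firewall.

Assumptions (all constructed): the addresses below are placeholders; the
quarantine resolver is assumed to answer every query with QUARANTINE_WEB.
"""
from dataclasses import dataclass
from typing import Optional

QUARANTINE_RESOLVER = "10.0.0.54"   # constructed: answers every name with QUARANTINE_WEB
QUARANTINE_WEB = "10.0.0.80"        # constructed: serves the "you are quarantined" page
CLEANUP_HOSTS = {"198.51.100.7"}    # constructed: where the removal tool is downloaded


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Verdict:
    action: str                     # "allow", "redirect" or "drop"
    target: Optional[str] = None    # rewritten destination when redirected


def quarantine_verdict(flow, quarantined, allow_ssh=False):
    """
    Decide the fate of one flow for a set of quarantined source addresses.

    Rule order matters:
      1. Non-quarantined subscribers are untouched.
      2. All DNS from a quarantined host is steered to the quarantine
         resolver, which both keeps the production resolver out of reach
         of the flooding malware and makes every name resolve to the notice.
      3. The notice page and the clean-up host stay reachable so the user
         can read the message and actually fix the machine.
      4. Optionally keep SSH open (the Xs4All variant mentioned upthread).
      5. Plain HTTP to anywhere else is rewritten to the notice page.
      6. Everything else is dropped, including mail submission and
         DNS to third-party resolvers.
    """
    if flow.src not in quarantined:
        return Verdict("allow")
    if flow.dport == 53:
        return Verdict("redirect", QUARANTINE_RESOLVER)
    if flow.dst in CLEANUP_HOSTS or flow.dst == QUARANTINE_WEB:
        return Verdict("allow")
    if allow_ssh and flow.proto == "tcp" and flow.dport == 22:
        return Verdict("allow")
    if flow.proto == "tcp" and flow.dport == 80:
        return Verdict("redirect", QUARANTINE_WEB)
    return Verdict("drop")


def summarize(flows, quarantined, allow_ssh=False):
    """Count verdict actions over a batch of flows, handy for a dashboard."""
    summary = {"allow": 0, "redirect": 0, "drop": 0}
    for flow in flows:
        summary[quarantine_verdict(flow, quarantined, allow_ssh).action] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample: one quarantined host, one clean host.
    quarantined = {"192.0.2.99"}
    sample = [
        Flow("192.0.2.10", "203.0.113.5", 25),           # clean host sending mail
        Flow("192.0.2.99", "10.0.0.53", 53, "udp"),      # malware hitting the ISP resolver
        Flow("192.0.2.99", "203.0.113.5", 80),           # browser, will see the notice
        Flow("192.0.2.99", "203.0.113.5", 25),           # spam attempt, dropped
        Flow("192.0.2.99", "198.51.100.7", 443),         # fetching the clean-up tool
    ]
    for flow in sample:
        print(flow, "->", quarantine_verdict(flow, quarantined))
    print(summarize(sample, quarantined))
```

The `allow_ssh` switch is there because the thread disagrees on how much to leave open; the policy makes that a single explicit choice rather than something buried in rule ordering.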
  • Pretty Standard (Score:5, Interesting)

    by jchawk ( 127686 ) on Wednesday April 13, 2005 @05:29AM (#12221610) Homepage Journal
    I'm surprised it's taken them this long. When one of our customers gets infected with a virus / open proxy / etc... We *gasp* pay attention, shutdown their connection and immediately contact them and help them fix the problem.

    It's amazing how quickly you can get your network under control doing this. And 9 times out of 10 the end user is grateful that you were willing to work with them to help them correct the problem.

    Fixing infected machines on your network only makes the network a better place for everyone using it.
  • Breaking news??? (Score:2, Interesting)

    by Eyeball97 ( 816684 ) on Wednesday April 13, 2005 @05:41AM (#12221644)
    We've been doing this since the late 90's, what's "news" here? Customers get contacted in several ways, including personally by telephone. If they don't clean their open proxy/smtp relay/virus/worm after that, they get cut off. There'd be a lot less worms and spam around if all ISPs acted this responsibly, what a shame it's taken these guys until now to catch on.
  • Re:Good idea to me (Score:4, Interesting)

    by asliarun ( 636603 ) on Wednesday April 13, 2005 @05:48AM (#12221660)
    I agree with you. This IS a big problem for ISPs. However, I feel that the solution is not to pass the buck onto the customers. You can't realistically expect Joe SixPack, who doesn't know the difference between the CD tray and a coffee cup holder, to keep his computer up to date with the latest service pack or patch.

    A better alternative for the ISPs, IMHO, would be to start behaving like the network administration team in a big company. Joe Sixpack would be better off if the ISP would install a centrally administered system administration client on his machine that automatically scans and deploys the latest anti-virus program. I know that computer-savvy folks wouldn't like to give this much control of their PCs to ISPs. However, for Joe, this would be the ideal hassle-free solution. With a proper security policy, privacy concerns would also not be an issue.

    The ISP could also have an opt-out policy that non-clueless people could make use of.

    Does this make sense?
  • by Anonymous Coward on Wednesday April 13, 2005 @05:49AM (#12221663)
    Here's what my ISP (Finnish PHNet) does when they detect a trojaned machine (all URLs you type into the browser give you this page):

    http://img56.echo.cx/my.php?image=phnetspamprotect 13vb.jpg [img56.echo.cx]

    You are also allowed access to another page with more details:

    http://img56.echo.cx/my.php?image=phnetspamprotect 05zy.jpg [img56.echo.cx]
  • Doubt it (Score:1, Interesting)

    by antiphoton ( 821735 ) on Wednesday April 13, 2005 @05:55AM (#12221672)
    As soon as Bigpond starts disconnecting users based on P2P is the day Bigpond loses out on a HUGE customer base, and their already horrible rep will go further down the drain. No, they won't be disconnecting users based on p2p activities until there is some kind of law (AUSTRALIAN law) requiring them to do so.
  • Easy fix (Score:1, Interesting)

    by Anonymous Coward on Wednesday April 13, 2005 @06:45AM (#12221813)
    This is great. Especially since I don't have one of the trojans.

    I've complained repeatedly to Telstra about slow DNS servers and they pretended they had never heard of the problem. However, the DNS servers are not the only thing being swamped. It can take over 2 hours to get through to their call centre.

    The fix I used: the Optus DNS. Works well. Maybe Telstra should have a chat to Optus on how to run an ISP.
  • That's nothing (Score:5, Interesting)

    by themusicgod1 ( 241799 ) <jeffrey.cliff@gmail.TIGERcom minus cat> on Wednesday April 13, 2005 @06:52AM (#12221833) Homepage Journal
    Here at the University of Regina my roommate MachinationX had gotten a virus on his WinXP box (why didn't he have antivirus software?! he's an IT consultant!! but I digress). So our ISP (U of R computing services) not only disconnected him from the network, but refused to let him back on the network unless he agreed to give them his computer and let *them* run an antivirus scan on it, after which it would be returned. I happened to have some of my old backups on his machine at the time, but the point is that our ISP can not only watch your internet traffic (as they have been), but if you "get a virus" they can disconnect you and demand they have access to all your personal files at will.

    Blows my mind.
  • Re:My 1st Thoughts (Score:3, Interesting)

    by jotok ( 728554 ) on Wednesday April 13, 2005 @07:23AM (#12221939)
    It seemed like the customers are being ganked not because there was way too much "legitimate" traffic to handle, but because it was becoming a nuisance. The legitimacy of p2p applications is arguable so long as they have legal uses; the legitimacy of gaobot is not arguable as it has no legal uses on a public network.
  • by SoupIsGood Food ( 1179 ) on Wednesday April 13, 2005 @07:25AM (#12221944)
    The Business Class cablemodem accounts with Cox Communications are cut off if their security systems catch suspicious activity (DDOS packets, worm traffic, etc.) or open relays on your network connection. They're very polite about it, explain the problem and how to get it fixed. Their security department's not open after hours, either, so you're horked if you figure this out after midnight.

    Haven't had to deal with their nice security people myself (No Windows or Linux or Sendmail here!), but I've laughed at colleagues who have. Mostly the same people who believe a $70/month cablemodem or DSL connection can replace their $800/month fiber line for serious webhosting enterprises.

    SoupIsGood Food
  • by Anonymous Coward on Wednesday April 13, 2005 @07:36AM (#12221996)
    I got taken off my Cox connex last year for five days due to a bogus Torrent claim (it was FOSS not Copyright Infringement). Upon investigating the reason I was offline (checked the bills, etc) I decided to call Cox. Sure enough, they d/c'd me. I asked them about this policy, and the rep compared it to a "3 Strikes" policy. Now, I was bummed about being taken offline, and even convinced the rep that I wasn't a pirate and this was a mistake, but after I got back online I started thinking about this "3 Strikes" thing. I actually agreed with it.
  • What Crap (Score:1, Interesting)

    by Anonymous Coward on Wednesday April 13, 2005 @07:41AM (#12222020)
    I wish timothy would post actual news but anyway...

    Compromised PCs are not the cause of Telstra's problem. Their unscalable DNS server cannot cope with the large amount of subscribers. Telstra will not admit that they failed to plan accordingly, so after adding more DNS servers they blame it on the end user. Same problem happened with email a while ago. It was taking up to 30 days for email to pass through Telstra's servers. They blamed it on a mail based worm and their solution was to install more mail servers by the truckload. They blamed Sun's ONE products and HP servers (HP/UX) also for this incident.
  • Re:My 1st Thoughts (Score:1, Interesting)

    by Anonymous Coward on Wednesday April 13, 2005 @07:44AM (#12222032)
    You're not just naive, you're idealistic and possibly also stupid, but when you grow up you'll realize that "shouldn't" is never the same as "won't".
  • 404 File Not Found? (Score:3, Interesting)

    by bigtallmofo ( 695287 ) on Wednesday April 13, 2005 @08:07AM (#12222131)
    I agree with your post completely, but from TFA:

    Another said: "I am having problems loading Web pages, I get the 404 [page not found] error. I have to retry five to 10 times to get some places."

    I may be daft but I don't understand how a DNS or network capacity problem could cause a web server to respond with an explicit "404 File Not Found" HTML error. I could see a timeout, DNS error, or any number of other errors, but a 404 would mean literally that you contacted the web server, it was unable to find the specific file you requested, and it successfully reported that back to you.

    Hopefully the forum poster that is quoted in the article just thinks every HTML error is a 404.
  • by SatanicPuppy ( 611928 ) <SatanicpuppyNO@SPAMgmail.com> on Wednesday April 13, 2005 @08:41AM (#12222275) Journal
    That would only work if it were easy to figure out what was infecting the computer based solely on the traffic it's sending out. It's more complicated than you'd think.

    On the other hand, most people who don't know enough to keep their machines virus/trojan free are probably using the software that nearly every ISP sends out to "help" you connect to their services, which means they should be able to include enough diagnostic tools to be able to tell what's running on the machine.
  • Re:My 1st Thoughts (Score:2, Interesting)

    by cd_serek ( 681446 ) on Wednesday April 13, 2005 @09:27AM (#12222520)
    It sure is about time.

    Just last week, I lodged many many complaints to Telstra Bigpond regarding zombies sending excessive spams to my network. I even went to the trouble of submitting over 400+ zombie IP addresses (dynamic IPs with session times).

    Good to see that they are listening to their complaints hotline for once.
  • Keep it up I'd say. (Score:1, Interesting)

    by ErZo ( 852114 ) on Wednesday April 13, 2005 @12:56PM (#12224494)
    I know a Swedish internet provider named Telia, who also does this. Except what they do is redirect all your HTTP requests to a site with "You've been blocked off." and information about why this has been done. My school mate (A girl :O :P) wanted me to help her out, since they'd got blocked off the internet. I spent 3 hours cleaning off like 30 different kinds of viruses, 5-7 of the same one. 400 spyware, ETC ETC. Well, at least I got paid to do it. I like her Dad, coming in.. and he's like.. "oh finally.. Thanks for helping us out, would you like some payment?" I mean.. Should I say no? Haha :D Hope more of these ISPs do this. (P.S) By the way, all other ports' traffic was disabled. So only traffic on 80 (to their "You're blocked" page) was "activated". w00p
