Major Aussie ISP Disconnecting Trojaned PCs
daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.
Good. (Score:0, Interesting)
Should be the standard (Score:0, Interesting)
All responsible ISPs should apply that logic. Too bad money often replaces responsibility so much.
Drastic Measures (Score:5, Interesting)
Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?
Good idea to me (Score:5, Interesting)
Waste of time? (Score:5, Interesting)
Not all people pick up the phone and tolerate the script. Some people actually try to diagnose the problem first.
Most ISPs have language in their terms of service that permits this action. It is a shame that an ISP needs to have their services almost knocked out before taking action.
I'd like to see some ISPs that ignore trojaned machines or support spammers get sued by other customers when their IP blocks end up on block lists.
Re:This is a good thing (Score:2, Interesting)
All ISPs should be doing this. (Score:5, Interesting)
Nothing new (Score:5, Interesting)
Re:Why is this news!?! (Score:2, Interesting)
How will the user tell the difference? (Score:5, Interesting)
I can see it now:
Customer: My broadband is down again.
Bigpond: Oh, I see. Well from time to time this does happen for a brief moment...
Customer: It's been down all day, and it's happened every day this week.
Bigpond: I see.. What's your account *clickety* Oh yes, we've marked you as a computer with a trojan. Please do a virus scan and call us back, if it comes back negative we'll re-connect you.
I'd go with someone else but they're the only broadband provider for my area. And I live in Sydney (the suburbs, an hour from the city itself).
suspected PCs? (Score:2, Interesting)
Why not simply do a precise measurement (get the netflow from the router) and take actions based on correct data rather than guessing?
I for one wouldn't want to be cut off by my ISP because someone at the ISP is guessing.
Re:This is a good thing (Score:5, Interesting)
It's not that simple. The attack in question was done by a flood of DNS queries -- you're not really going to cut off port 53, as this is pretty much equal to knocking that person off the Net.
The typical case involves a lot of outgoing connections on port 25 -- you can't really block this as well unless the user in question uses nothing but webmail.
Traffic shaping won't help a lot, either -- it can protect the server, of course, but won't help the user himself. In this case, it will just make their legitimate use prohibitively slow -- their web browser/whatever will compete with the virus they have over the tiny allotted quota of allowed DNS queries.
IMO it's much better to just cut them off outright, telling them that the fault is on their side.
If you want to be nice, you can redirect all their traffic to a web server which gives them a nice idiot-proof message about what they need to do. This is what I've set up for a friend's basement ISP (~30 paying users) -- although in that case, the message was similar to "your payment is due for two months, you didn't heed our reminders".
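The two comments above ask for decisions based on measured flow data rather than guesswork, and for cutting off only hosts that are actually flooding the resolvers. The following is an added example, not code from the article or from any ISP mentioned: it reads NetFlow-style records (a constructed sample, with made-up RFC 5737 addresses), totals UDP/53 packets sent to the ISP's resolvers per source, flags only sources whose rate exceeds a threshold, and produces an evidence record that can back the customer notice. The field layout, resolver address, window and threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample of NetFlow-style records from an edge router.
# Fields: start_time_seconds src_ip dst_ip dst_port proto packets
# 192.0.2.53 stands in for the ISP's recursive resolver (assumed address).
SAMPLE_FLOWS = [
    "1000 10.0.0.5 192.0.2.53   53 udp 12",
    "1001 10.0.0.5 192.0.2.53   53 udp 9",
    "1005 10.0.0.9 192.0.2.53   53 udp 4000",   # infected host: thousands of queries
    "1010 10.0.0.9 192.0.2.53   53 udp 5200",
    "1020 10.0.0.9 192.0.2.53   53 udp 4800",
    "1030 10.0.0.7 198.51.100.4 80 tcp 300",    # ordinary web browsing
    "1031 10.0.0.7 192.0.2.53   53 udp 30",
]

RESOLVERS = {"192.0.2.53"}   # the ISP's own recursive resolvers (assumption)
WINDOW_SECONDS = 60          # the sample above spans well under one minute
QUERY_RATE_LIMIT = 50.0      # DNS packets/second; normal clients stay far below this

def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, dport, proto, pkts = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "pkts": int(pkts)}

def dns_packets_per_source(lines):
    """Total UDP/53 packets each source sent to the ISP resolvers."""
    counts = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f["dst"] in RESOLVERS and f["dport"] == 53 and f["proto"] == "udp":
            counts[f["src"]] += f["pkts"]
    return dict(counts)

def suspected_sources(lines, window=WINDOW_SECONDS, limit=QUERY_RATE_LIMIT):
    """Map src_ip -> DNS packets/second for sources above the limit only.
    Hosts with ordinary lookup rates are never returned, so nobody is cut
    off on a guess."""
    totals = dns_packets_per_source(lines)
    return {src: pkts / window for src, pkts in totals.items()
            if pkts / window > limit}

def quarantine_evidence(lines):
    """Per flagged host, the measured numbers to quote in the customer notice."""
    return [{"src": src, "dns_pkts_per_sec": round(rate, 1),
             "threshold": QUERY_RATE_LIMIT, "action": "redirect_to_notice_page"}
            for src, rate in sorted(suspected_sources(lines).items())]

if __name__ == "__main__":
    for record in quarantine_evidence(SAMPLE_FLOWS):
        print(record)
```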
Re:My 1st Thoughts (Score:3, Interesting)
Why the fuck should an ISP want to disconnect a user because of his P2P or Torrent use? If the ISP can't cope with the amount of data flowing through, it shouldn't disconnect a user. If I pay for a 2mbit DSL with no limitations to usage, I want a 2mbit DSL with no limitations. My ISP shouldn't fucking cut off my internet access. Besides, P2P and Torrent can actually be used for something useful. The last 10 times I've used bittorrent, it was for downloading WoW updates and Gentoo and Debian ISOs.
Yes, I know that some people will call me naive, and I DO know that not everyone uses P2P and torrent for these purposes, but that shouldn't change the fact that the ISP shouldn't disconnect a user depending on how he uses his connection as long as he pays for it.
Re:This is a good thing (Score:5, Interesting)
sick are put in quarantaine net (on this uni) (Score:5, Interesting)
Pretty Standard (Score:5, Interesting)
It's amazing how quickly you can get your network under control doing this. And 9 times out of 10 the end user is grateful that you were willing to work with them to help them correct the problem.
Fixing infected machines on your network only makes the network a better place for everyone using it.
Breaking news??? (Score:2, Interesting)
Re:Good idea to me (Score:4, Interesting)
A better alternative for the ISPs, IMHO, would be to start behaving like the network administration team in a big company. Joe Sixpack would be better off if the ISP would install a centrally administered system administration client on his machine that automatically scans and deploys the latest anti-virus program. I know that computer-savvy folks wouldn't like to give this much control of their PCs to ISPs. However, for Joe, this would be the ideal hassle-free solution. With a proper security policy, privacy concerns would also not be an issue.
The ISP could also have an opt-out policy that non-clueless people could make use of.
Does this make sense?
Re:Why is this news!?! (Score:3, Interesting)
http://img56.echo.cx/my.php?image=phnetspamprotec
You are also allowed access to another page with more details:
http://img56.echo.cx/my.php?image=phnetspamprotec
Doubt it (Score:1, Interesting)
Easy fix (Score:1, Interesting)
I've complained repeatedly to Telstra about slow DNS servers and they pretended they had never heard of the problem. However, the DNS servers are not the only thing being swamped. It can take over 2 hours to get through to their call centre.
The fix I used: the Optus DNS. Works well. Maybe Telstra should have a chat to Optus on how to run an ISP.
That's nothing (Score:5, Interesting)
Blows my mind.
Re:My 1st Thoughts (Score:3, Interesting)
Cox Business ISP Does This (Score:3, Interesting)
Haven't had to deal with their nice security people myself (No Windows or Linux or Sendmail here!), but I've laughed at colleagues who have. Mostly the same people who believe a $70/month cablemodem or DSL connection can replace their $800/month fiber line for serious webhosting enterprises.
SoupIsGood Food
Re:Cox Business ISP Does This (Score:2, Interesting)
What Crap (Score:1, Interesting)
Compromised PCs are not the cause of Telstra's problem. Their unscalable DNS server cannot cope with the large number of subscribers. Telstra will not admit that they failed to plan accordingly, so after adding more DNS servers they blame it on the end user. The same problem happened with email a while ago. It was taking up to 30 days for email to pass through Telstra's servers. They blamed it on a mail-based worm and their solution was to install more mail servers by the truckload. They also blamed Sun's ONE products and HP servers (HP/UX) for this incident.
Re:My 1st Thoughts (Score:1, Interesting)
404 File Not Found? (Score:3, Interesting)
Another said: "I am having problems loading Web pages, I get the 404 [page not found] error. I have to retry five to 10 times to get some places."
I may be daft but I don't understand how a DNS or network capacity problem could cause a web server to respond with an explicit "404 File Not Found" HTML error. I could see a timeout, DNS error, or any number of other errors, but a 404 would mean literally that you contacted the web server, it was unable to find the specific file you requested, and it successfully reported that back to you.
Hopefully the forum poster that is quoted in the article just thinks every HTML error is a 404.
Re:This is a good thing (Score:3, Interesting)
On the other hand, most people who don't know enough to keep their machines virus/trojan free are probably using the software that nearly every ISP sends out to "help" you connect to their services, which means they should be able to include enough diagnostic tools to be able to tell what's running on the machine.
Re:My 1st Thoughts (Score:2, Interesting)
Just last week, I lodged many, many complaints to Telstra Bigpond regarding zombies sending excessive spam to my network. I even went to the trouble of submitting over 400 zombie IP addresses (dynamic IPs with session times).
Good to see that they are listening to their complaints hotline for once.
Keep it up I'd say. (Score:1, Interesting)