Australian ISPs Asked To Cut Off Malware-Infected PCs
bennyboy64 writes "Australia's Internet Industry Association has put forward a new code of conduct that suggests ISPs contact, and in some cases disconnect, customers that have malware-infected computers.
'Once an ISP has detected a compromised computer or malicious activity on its network, it should take action to address the problem. ISPs should therefore attempt to identify the end user whose computer has been compromised, and contact them to educate them about the problem,' the new code states. The code won't be mandatory, but it's expected the ISP industry will take it up if they are to work with the Australian Government in preventing the many botnets operating in Australia."
There's already precedent for this, too... (Score:5, Informative)
Rogers, here in Canada, has been practising this for a few years now, and will notify and disconnect computers that are sending network packets that match known malware. I think it's an automated process, too.
It's sort of funny, there was once a time when someone set the DHCP lease length too short, and several customers wrongly got blasted off the internet as they had been "infected".
I think it's a great idea. (Score:4, Informative)
I've contacted ISPs about their customers attempting to "hack me" because they were infested with Code Red and Nimda and for some reason my Apache server on Linux looked incredibly tasty. They of course proceeded to ignore me and not even to contact their customers.
Re:Don't be a policeman (Score:5, Informative)
Since infected computers often lead to DDoS and spam botnets, I think this is a good idea.
Up for debate is the method they use to detect a rogue machine, but if they can perfect that then I'm all for this.
Clueless users probably go for months without realizing they're sending out hundreds of emails a day, or helping to bring down some remote server.
It's the next-best thing to requiring a license to use the 'net. ;)
Use Walled Gardens instead... (Score:2, Informative)
It is a much better practice to use a "walled garden"[1] to give them a very limited access to the net until they have cleaned up their infection. I have seen examples of this used to give the customers access to anti-virus software and Windows update only, in addition to a set of web pages that explains why they have limited access (and how to get out of it).
This is a much better solution than just blocking the customers access to the net.
Re:let's wait and see (Score:5, Informative)
ISPs regularly portscan connected clients to make sure that they aren't running a server in violation of the TOS... many large ISPs have terms of service that strictly forbid running such servers, and even the ones that don't have that prohibition will usually keep tabs on their users to see what they're running.
More than portscanning, they also monitor which ports account for the bulk of your traffic. If you're putting out more than 50MB/day average on port 25, it's a fairly safe bet that it's more than just personal e-mail use. Many large ISPs will also silently redirect all port 25 traffic directly to their own mail server, and some of them won't be so silent about it, and will simply block outbound port 25 to anything other than their mail servers. When all outgoing mail has to go through their servers, it's pretty easy for them to check attachments for viruses.
Beyond active scanning, there's also abuse reports... those actually do get read, and if they have the appropriate information, then they can very easily be used to track down the user who's infected with a virus.
None of the methods are going to detect a user's virus infection the moment they're infected, but taking a few proactive steps as well as taking proper reactive steps can allow the ISP to pick up on suspicious activity, and to work with the user to clean things up.
Obligatory disclaimer: I used to work for an ISP that did exactly this. We would portscan our users, we would monitor their mail traffic for viruses, and we'd actively monitor the abuse mailbox. When we detected a virus-infected user, we'd send them an e-mail notifying them that they were infected. If they hadn't cleaned up or replied to the e-mail within 5 business days, we'd phone them, and if there was no response within 5 days of that, we'd segregate their connection so that the only sites they could navigate to were the company website, and several notable antivirus sites (McAfee, Norton, AVG, Avast, PC-Cillin). I suspect that the Australian policy described here will work very much the same, and I don't really understand why people are up in arms about it. There are other methods to deal with BitTorrent besides defining it as "malicious" and "viral" (traffic shaping anybody?), and besides that, most piracy these days doesn't even happen through BitTorrent. Direct downloads + hjsplit, rename file extensions. They can't really know what's being downloaded, and they can't throttle direct downloads because it'd piss off their customer base.