Botnet Security

Should ISPs Cut Off Bot-infected Users? 486

Posted by CmdrTaco
from the excising-the-tumor dept.
richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."
  • Yes (Score:5, Insightful)

    by grub (11606) * <slashdot@grub.net> on Tuesday October 05, 2010 @04:17PM (#33798996) Homepage Journal

    Should ISPs Cut Off Bot-infected Users?

    Yes. Some ISPs already cut off P2P users. By comparison botnets are a real threat.
    • Re:Yes (Score:5, Insightful)

      by mark72005 (1233572) on Tuesday October 05, 2010 @04:19PM (#33799056)
      I agree. Sounds like a good policy.

      Not being able to get online is probably the surest (maybe only) way to get a novice (or under) computer user to take their bot machine offline.
      • Would ye two guys still feel the same way if it was YOU who was cut off, and it turns out you've an infection you don't know how to get rid of?

        • Re:Yes (Score:5, Insightful)

          by Joce640k (829181) on Tuesday October 05, 2010 @05:00PM (#33799750) Homepage

          So long as the "I'm clean now, let me back in!" part is easy, then, yes.

          • Re: (Score:3, Interesting)

            by shadowbearer (554144)

            ...and if there's a local tech who isn't going to horridly overcharge you for removing infections.

            It's incredible what some of these people charge for a few hours of running a few tools on a computer. I've seen prices upward of $250 for removing simple (non-rootkit) infections (Geek Squad, I'm thinking of you). That's insane. I capped my virus/rootkit cleaning charge at $75 over five years ago, and I rarely make less than $20/hr doing so, considering the actual time I spend in front of t

        • Re:Yes (Score:4, Insightful)

          by Dthief (1700318) on Tuesday October 05, 2010 @05:46PM (#33800404)
          As long as they don't charge me during the period I'm cut off.
      • Re:Yes (Score:4, Insightful)

        by TubeSteak (669689) on Tuesday October 05, 2010 @04:49PM (#33799554) Journal

        I agree. Sounds like a good policy.

        Not being able to get online is probably the surest (maybe only) way to get a novice (or under) computer user to take their bot machine offline.

        I can't wait for a browser exploit that spoofs the walled garden, thus allowing the botmaster to force you to install something really nasty.

        Imagine being able to pwn a low privilege account and then having them log in as administrator to install your custom "virus removal" software. You'd never have to bypass any of those fancy OS protections again!

        • Re: (Score:3, Interesting)

          by Tridus (79566)

          Because getting the user to say yes to installing things is hard now? There's no fancy OS stuff to avoid when an administrator user on the computer opens the front door in order to see the dancing cat video.

    • Yeah, my main worry is they'd use it as an excuse to cut people off for other reasons. But since they're already doing that, I guess that worry is moot.

      But I think an ISP should do some investigation to make sure they're cutting off the right people. No being cut off for running a mail server for example.

      • by Da_Biz (267075)

        Yeah, my main worry is they'd use it as an excuse to cut people off for other reasons.

        This is the potential harm from any sort of "rule" or "policy": it's always open for abuse.

        That said, I don't believe this should be a reason why ISPs should not act. It doesn't take a rocket scientist to ascertain activity from a spambot or open relay, with a little more research to ascertain whether or not a zombie node is being used for a DDoS attack.

        Said another way: just because you own a car doesn't mean you get to

    • No kidding. (Score:3, Interesting)

      by Sycraft-fu (314770)

      I mean they don't already? My ISP (Cox) does. Back in the day one of my roommates got a worm. Didn't know this, of course. I came home, my Internet wasn't working. Called the ISP, they told me what was up. I said "Ok computer is unplugged I'll have him clean it when he gets home." They said "Good deal, your net is back on."

      Seems like a good idea to me.

  • Yes! (Score:5, Insightful)

    by Capt.DrumkenBum (1173011) on Tuesday October 05, 2010 @04:18PM (#33799030)
    Yes, yes! A million times YES!
    A doctor would quarantine a contagious patient. An ISP should quarantine an infected PC.
    • I like the idea, but would this open a whole new denial of service attack vector? Still, the botnet operators are in it for profit nowadays and this would not make money for them. Perhaps ISPs could detect and shutdown the command and control servers on their networks and perhaps blacklist routes to ISPs that host uncontrolled servers. This would probably work for a while until the botnets become even more agile.
      • "...But would this open a whole new denial of service attack vector?"

        Yes.

        But to continue the metaphor:
        Just because a new virus / disease will come out at some point does not mean that time spent treating the existing problems is a waste.
    • by mlts (1038732) *

      Any sane enterprise has a mechanism in place where their network fabric will contain a segment if the IDS detects a definite threat.

      This really shouldn't be a question -- ISPs should mitigate damage done by customers with poor or no security. It is debatable to stick the customer with the bill for cleanup, but it might be a good idea so Joe Sixpack actually learns to either zip up his fly or pay someone to do it for him. Perhaps a warning or two, then start billing for the janitor work.

    • by c0lo (1497653)

      Yes, yes! A million times YES! A doctor would quarantine a contagious patient. An ISP should quarantine an infected PC.

      Is the ISP a qualified doctor?
      Another bad analogy: road-side accident - would you expect the police arriving at the scene to do more than make the person safe and, at most, deliver some basic CPR? Should the road be closed only because there is an irresponsible driver at large?

  • by markdavis (642305) on Tuesday October 05, 2010 @04:19PM (#33799038)

    >"Should ISPs Cut Off Bot-infected Users?"

    After a suitable warning to the customer/administrator, yes. Absolutely. But it should be made very easy for the customer/administrator to reactivate their service, too.

    • Re: (Score:3, Insightful)

      by RsG (809189)

      Second this. You don't want the solution to be punitive to the infected computer owner, you want it to be disruptive to the botnet operators. A simple "your zombie PC has been disconnected, please contact us to reconnect" followed by instructions on cleaning malware would cut the problem in half. Added bonus, after it happened to them for the first time, the end user would hopefully wise up a bit about security and adopt minimum standards of prevention and safety.

      • Re: (Score:3, Insightful)

        by Local ID10T (790134)

        Second this. You don't want the solution to be punitive to the infected computer owner, you want it to be disruptive to the botnet operators. A simple "your zombie PC has been disconnected, please contact us to reconnect" followed by instructions on cleaning malware would cut the problem in half. Added bonus, after it happened to them for the first time, the end user would hopefully wise up a bit about security and adopt minimum standards of prevention and safety.

        This could be done in an acceptable manner:

        • Redirect ports 80, 443 to an ISP hosted page that warns you of infection, and provides simple information and tools for cleaning common infections (possibly including a free AV/firewall application) and a telephone number to call for reconnection of standard service.
        • Block all other ports.
        • Contact customer via telephone+e-mail to alternate e-mail address+snail mail to let them know of the situation.

        It could also become a nightmare for customers if implemented poorly
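A model of the quarantine procedure in the list above, added here as an illustration and not taken from any ISP's deployment: DNS to the ISP's resolver and a few allow-listed remediation hosts pass, all other HTTP and HTTPS is sent to the warning portal, and everything else is dropped. The portal, resolver and remediation addresses are constructed placeholders, and the rendered iptables lines only show the shape of the policy (an ISP would enforce it in its access equipment, not with iptables on the customer's box).

```python
"""Walled-garden quarantine model for one flagged customer.

Added example for this thread; not an ISP's real implementation. The portal,
resolver and remediation hosts are constructed placeholders, and the iptables
lines are rendered as text only, never executed here.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

REDIRECT, DROP, ACCEPT = "REDIRECT", "DROP", "ACCEPT"


@dataclass(frozen=True)
class Rule:
    action: str
    dst: Optional[str] = None    # destination IP, or None for any destination
    dport: Optional[int] = None  # port, or None for any port
    proto: str = "tcp"           # only consulted when dport is set
    note: str = ""


def quarantine_rules(portal_ip: str, resolver_ip: str,
                     remediation_hosts: Sequence[str] = ()) -> List[Rule]:
    """First-match policy: allow what cleanup needs, redirect the browser, drop the rest."""
    rules = [
        # The customer must still resolve names, but only via the ISP's own resolver.
        Rule(ACCEPT, dst=resolver_ip, dport=53, proto="udp", note="DNS to ISP resolver only"),
        # The warning/help page itself is reachable directly on any port.
        Rule(ACCEPT, dst=portal_ip, note="ISP warning portal"),
    ]
    # Allow-listed remediation hosts (AV vendors, OS update servers) over HTTP/HTTPS.
    for host in remediation_hosts:
        rules.append(Rule(ACCEPT, dst=host, dport=80, note="remediation host"))
        rules.append(Rule(ACCEPT, dst=host, dport=443, note="remediation host"))
    # Any other web request lands on the warning page.
    rules.append(Rule(REDIRECT, dport=80, note="HTTP to portal"))
    rules.append(Rule(REDIRECT, dport=443, note="HTTPS to portal (browser will show a cert warning)"))
    # Everything else, SMTP included, is dropped.
    rules.append(Rule(DROP, note="default: block"))
    return rules


def decide(rules: Sequence[Rule], dst: str, dport: int) -> str:
    """Action taken by the first rule matching a flow from the customer to dst:dport."""
    for rule in rules:
        if (rule.dst is None or rule.dst == dst) and (rule.dport is None or rule.dport == dport):
            return rule.action
    return DROP  # nothing matched: fail closed


def render_iptables(rules: Sequence[Rule], customer_ip: str, portal_ip: str) -> List[str]:
    """Render the policy as iptables commands (illustrative text; not run by this script)."""
    lines: List[str] = []
    for rule in rules:
        parts = [f"-s {customer_ip}"]
        if rule.dst:
            parts.append(f"-d {rule.dst}")
        if rule.dport:
            parts.append(f"-p {rule.proto} --dport {rule.dport}")
        match = " ".join(parts)
        if rule.action == REDIRECT:
            # DNAT happens in nat/PREROUTING, before the FORWARD filter sees the packet.
            lines.append(f"iptables -t nat -A PREROUTING {match} "
                         f"-j DNAT --to-destination {portal_ip}:{rule.dport}")
        else:
            if rule.action == ACCEPT:
                # Exempt allow-listed destinations from the DNAT that follows in the nat table.
                lines.append(f"iptables -t nat -A PREROUTING {match} -j ACCEPT")
            lines.append(f"iptables -A FORWARD {match} -j {rule.action}")
    return lines


if __name__ == "__main__":
    policy = quarantine_rules("192.0.2.10", "192.0.2.53", ["203.0.113.80"])
    for line in render_iptables(policy, "10.20.0.7", "192.0.2.10"):
        print(line)
```

Two things the model makes visible. Redirecting port 443 lands the customer on a certificate warning, because the portal cannot present a valid certificate for whatever site the browser asked for, so the HTTP redirect does the real work and the HTTPS one mostly teaches people to click through warnings. And an interstitial warning page is exactly what a phishing site imitates, which is the objection raised further down this thread about browser-based notices; the telephone and postal contact in the list above is what gives the page any credibility.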

      • by sjames (1099) on Tuesday October 05, 2010 @05:18PM (#33800024) Homepage

        The answer might be to do something like Comcast's approach of redirecting flagged accounts through a web proxy with a frame at the top and blocking other ports. You don't want to cut them off entirely, since the fix for their problem will go a lot better if they can browse the web and download AV software.

        The danger is that they will implement "policies and procedures" and have know-nothing flunkies carry them out mindlessly, but then that's a danger anyway. They will need to actually have knowledgeable people willingly review cases that don't fit on the flow charts. Things like, NO, I do not have Windows virus XYZ, I don't do Windows.

        Fully agreed, there must be no punitive element to this. There should be an educational component since most home Windows users simply don't know any better. Even the restrictive aspect should be the minimum necessary to contain the damage and inform the user.

    • by omglolbah (731566) on Tuesday October 05, 2010 @04:54PM (#33799644)

      Telenor in Norway does this already in a limited way.

      If they detect large amounts of email originating from your network they will block the sending of email. (by blocking outgoing connections to the standard mailserver ports).

      From what I've read of their limited releases of information on the programme it works quite well. They of course contact you letting you know that you have this problem. Usually through email but if you do not reply they call you ;)

      My brother got infected by a worm a while back and my father was not pleased :p Suddenly he couldn't send email... whops? :p
      (Oh, and they allow you to email to 'internal' addresses though to allow you to contact them to resolve the issue..)

  • User agreement (Score:3, Interesting)

    by 0racle (667029) on Tuesday October 05, 2010 @04:22PM (#33799090)
    If it was spelled out that this would constitute a usage violation, then fine, I see no problem.
  • Yes (Score:2, Funny)

    by Korveck (1145695)
    Of cour
  • Yes* (Score:3, Insightful)

    by HenryKoren (735064) on Tuesday October 05, 2010 @04:22PM (#33799100) Homepage

    Yes, but not before first providing ample warning notifications by e-mail, SMS, and robocall.

    If you cut somebody off from the net straight away, that prevents the person from downloading the necessary file to take the steps necessary to remove the bot.

  • Don't you cut out gangrene flesh?
    • Re:Of course... (Score:5, Insightful)

      by gunnk (463227) <gunnk@mailERDOS. ... u minus math_god> on Tuesday October 05, 2010 @04:30PM (#33799238) Homepage

      No. You have a DOCTOR cut it out. The question here is whether or not most ISPs are competent in determining what really is bot activity. A bunch of false positives will be miserable -- as will having to prove to some first-tier customer support person that your system is not infected (as in never was) or that it is actually cleaned and should be allowed back online.

      And pity the person that has their ISP connection blocked that uses voice over IP to call customer support. If the ISP blocks the MODEM life is going to be interesting.

      Oh, and you won't need to look up that phone number, will you?

      Overall, getting infected systems off the net is a wonderful idea, but one that could be a complete mess if done poorly.

  • My cable ISP cut me off in 2001, when my roommate got a worm/bot infection due to bad P2P settings. I understand the good intentions, but it then became difficult to reach the right person who could reinstate service once I convinced them my network was clean.

  • by gurps_npc (621217) on Tuesday October 05, 2010 @04:25PM (#33799146) Homepage
    There is no reason not to respectfully cut them off. Warn the user with an email that must be replied to before they get any further service.

    For all the information the ISPs track from us, they have a responsibility. Pleasing cost (razor thin margins) is no excuse to engage in restless behavior. In a capitalist society we recognize that if you can't pay for the costs of doing business, you go out of business and your competitors eat your lunch. Preventing crime that involves using your service is a reasonable and legitimate business cost. After all, the botnets tend to be one of the major users of ISP resources - particularly if they are doing a Denial of Service attack. So shutting them down lowers the ISP costs, increasing their thin margins.

    • by kwerle (39371)

      "Shutting Off" needs to be better defined. Isolated would be a better phrase.

      They should have all WWW traffic redirected to a "You have been infected" site. Complete with instructions about how to fix your machine and an automated way to assert your machine is now clean.

      Hell, it's a revenue opportunity - give them an optional page where they can buy [anti-virus software] and the ISP gets a cut.

      Am I evil enough to be in marketing?

    • by aardwolf64 (160070) on Tuesday October 05, 2010 @04:42PM (#33799448) Homepage

      Wait, your big plan is to:
      1. Cut off their access (presumably also to e-mail)
      2. Send them an e-mail that they must reply to if they want to be able to read email.

      And where exactly are they supposed to read this email?

  • by digitalsushi (137809) <slashdot@digitalsushi.com> on Tuesday October 05, 2010 @04:25PM (#33799148) Journal

    Sure it's fair.

    Once you've infected the rest of the Internet with crap, you're costing them more money in tech support calls from people complaining about you. Why would they pay to keep launching your crap packets into the core? Be your own ISP if that's your agenda. If you take care of your network, you won't run into this.

  • Don't stop there. (Score:2, Insightful)

    by chemicaldave (1776600)
    Restrict them to a subnet that only contains pages related to removing the malicious software.
  • by rwa2 (4391) * on Tuesday October 05, 2010 @04:28PM (#33799202) Homepage Journal

    ISPs should be responsible for filtering out bot activity, but it's not really fair to anyone to cut them off entirely. After all, it's not entirely their fault they got infected... hell even if they're responsible with updates and activity they could have been compromised by some new vulnerability.

    Has firewall technology not been able to keep up with bulk ISP traffic or something?

    I understand that users ought to control their own home firewall, but ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary. But I guess if they have it, then that means they're kinda liable for configuring it effectively and can thus be held responsible for attack traffic that does get through.

    Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond. Which is virtually an eternity in botnet time... which makes that whole approach somewhat pointless.

    • by John Hasler (414242) on Tuesday October 05, 2010 @04:33PM (#33799282) Homepage

      ...ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary.

      So much for "network neutrality".

      Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond.

      It's easy to avoid getting infected.

  • by formfeed (703859) on Tuesday October 05, 2010 @04:29PM (#33799210)

    They could just redirect them to a portal, where they get informed that their computer is sending out viruses.

    The portal would offer a free virus scanner and the option to have several ports closed by the ISP (checked by default)
    - ports that could later be reopened by going to the "experts"-page ;)

    If the user insists, they of course can go on and use the internet anyway. But only after clicking "ok" to a sentence declaring that they are now informed and
    "solely liable to any damage they might do to the internet"

    • Re: (Score:2, Troll)

      by TheOldFart (578597)
      ... and the scanner would say: Malicious software found: Windows. Please replace it with anything else... Is it even possible to "clean" a Windows machine? How far behind are these so called "virus scanners"? Especially these freebies?
    • Re: (Score:3, Funny)

      by blair1q (305137)

      That happens to me every time I visit certain websites.

      I get a popup telling me I'm infected and to click "OK" to have my computer scanned.

      It's ever so nice of them to do that for me.

    • "Expert mode" won't work. [msdn.com] Neither will a dialog box [msdn.com].*

      * - Sure that article says "The default answer is Cancel" but it should probably say "The default answer is whatever makes everything appear to work again" which in this case is OK. And the user actually won't have to fix anything in your scenario.

  • "Your internet service has been suspended due to a virus infection. Please call or email us to get reconnected".
  • NAP/NAC (Score:4, Interesting)

    by Keruo (771880) on Tuesday October 05, 2010 @04:30PM (#33799226)
    ISPs should hand out routers which utilize Network Access Protection by default.
    The router should verify if the endpoint is clear for internet access, and if it's not, it should limit user access to antivirus vendors, known OS upgrade services etc. and request the user to follow this link to repair their computer (or have it cleaned by someone skilled enough).
    There are (or should be!) multi-platform NAP/NAC solutions to do this.

    Of course, users should have opt-out option, which allows them to disable the NAP, and take responsibility of maintaining their systems themselves without "middle-maintenance".
    Opted out systems would receive direct disconnect until user verifies by phone to the operator that their misbehaving system has been fixed. (for example, spam zombie)
  • My local UK ISP has been doing this for a while, a good 20% of my work has been from people who have been cut off until their PC has the infection removed NICE
  • At the ISP I used to work at more than a decade ago, if we had a customer who wasn't responding to notices by e-mail, we'd move them to a special IP pool, where given ports would be redirected to proxies to make sure they got the message (e.g., you're behind on your payments).

    You could use this to give them a message they've been infected, while still giving them access to domains / hosts or their anti-virus software.

    Of course, in those days, it was all dial-up, so we assigned IP addresses as they came in ...

  • The service in ISP (Score:4, Insightful)

    by syousef (465911) on Tuesday October 05, 2010 @04:32PM (#33799258) Journal

    They're Internet SERVICE Providers. Not Internet Police, nor Internet Guardians. They exist to provide people with access to the Internet for a fee. Now a lot of ISPs already do plenty that is contrary to the best interests of the customers. Bad behaviour ranges from price gouging and using misleading advertising, to draconian terms of service (usually because they're able to due to a monopoly or collusion), to playing fast and loose with customers' private data (often in the name of anti-piracy). Do you really want to give these same ISPs the power to take a customer's money and provide them with nothing based on nothing other than their own conclusion that a customer is infected? That's madness. An ISP should be providing a customer with help to remove the infection, not removing their access to the Internet.

    • Re: (Score:3, Insightful)

      by noidentity (188756)

      They're Internet SERVICE Providers. Not Internet Police, nor Internet Guardians. They exist to provide people with access to the Internet for a fee.

      Along with acceptable use restrictions. Running a botnet node is not acceptable. Doesn't matter whether it's intentional; it's bad for the network. Them cutting you off isn't punishment; it's containment. Terminate the malware and you can be reconnected.

  • by decipher_saint (72686) on Tuesday October 05, 2010 @04:32PM (#33799268) Homepage

    My parents' PC was a fully functional mail server sending out 4-5 GB of e-mail a day. They didn't know this, of course, and complained about internet speeds all the time. The ISP figured it out pretty fast, though, and sent someone over to get it off the network and clean it for 'em.

    I was quite surprised at how civil they were about it.

  • by CannonballHead (842625) on Tuesday October 05, 2010 @04:33PM (#33799294)

    So on one hand, ISPs should not regulate the type of traffic and should not sniff, etc...

    On the other hand, ISPs should cut off virus-infected computers. Apparently, they ARE sniffing or monitoring in some way in order to cut you off.

    Just wait for a company to decide that being a torrent feeder is being part of a botnet and thus torrent feeders must be cut off. Good luck getting back on again.

    If it is really botnet activity, why not just block the botnet activity but not the non-botnet activity? If you can't determine if it's botnet activity well enough, then how are you going to choose who gets cut off?

    (I am not necessarily decidedly against this, but at the moment, it seems to be somewhat hypocritical to be against ISP filtering and for ISP cutting off [on their own]. Enlighten me. :) )

  • I work at a decent sized regional ISP. If a customer is disrupting the network with blatantly viral traffic (like tens of thousands of simultaneous SMTP connections) we shut them off and have tech support walk them through disinfecting their PC. The exception is if they also have VOIP through us since we don't want to be in the position of having cut off someone's only link to 911. The network engineers don't sit around all day looking for infected boxes, but if performance issues are traced to an infected
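The trigger described above, tens of thousands of simultaneous SMTP connections, can be modelled as outbound port-25 fan-out per customer. The following is an added example, not this ISP's (or Telenor's) detector: over constructed flow records it counts how many distinct port-25 destinations each source reaches within a sliding window and flags sources above a threshold. The window and threshold are assumptions. Measuring distinct destinations per window rather than total message volume is what keeps a customer legitimately running a small mail server (a concern raised earlier in the thread) below the line while a bot blasting hundreds of hosts a minute stands out.

```python
"""Flag customers whose outbound SMTP fan-out looks like a spam bot.

Added example for this thread, not any ISP's production logic. The flow
records below are constructed, and the window and threshold are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def constructed_flows() -> List[Flow]:
    """Three constructed customers on one access segment (not real traffic)."""
    base = datetime(2010, 10, 5, 16, 0, 0)
    flows: List[Flow] = []
    # 10.20.0.7: spam bot, 120 SMTP connections to 120 distinct hosts within two minutes.
    for i in range(120):
        flows.append(Flow(base + timedelta(seconds=i), "10.20.0.7", f"198.51.100.{i + 1}", 25))
    # 10.20.0.8: ordinary home PC, a few messages through the ISP's relay over an hour.
    for i in range(3):
        flows.append(Flow(base + timedelta(minutes=20 * i), "10.20.0.8", "10.20.255.25", 25))
    # 10.20.0.9: small legitimate mail server, 40 distinct destinations at a slow, steady rate.
    for i in range(40):
        flows.append(Flow(base + timedelta(seconds=90 * i), "10.20.0.9", f"203.0.113.{i + 1}", 25))
    # Unrelated web traffic from the bot host; the detector ignores non-SMTP flows.
    flows.append(Flow(base, "10.20.0.7", "192.0.2.80", 443))
    return flows


def peak_distinct_smtp_targets(flows: List[Flow],
                               window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Per source, the largest number of distinct port-25 destinations in any window."""
    by_src: Dict[str, list] = defaultdict(list)
    for f in flows:
        if f.dport == 25:
            by_src[f.src].append((f.ts, f.dst))
    peaks: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every counted event lies inside the window.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        peaks[src] = peak
    return peaks


def flag_spam_sources(flows: List[Flow], threshold: int = 50,
                      window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Sources whose peak fan-out reaches the threshold, worst first."""
    peaks = peak_distinct_smtp_targets(flows, window)
    return sorted((s for s, p in peaks.items() if p >= threshold), key=lambda s: -peaks[s])


if __name__ == "__main__":
    for src in flag_spam_sources(constructed_flows()):
        print(f"{src}: candidate for quarantine and customer contact")
```

In the constructed data the bot peaks at 120 distinct destinations in one window, the home PC at 1 (everything goes to the same relay) and the mail server at 4, so only the bot crosses a threshold of 50. A real deployment would feed the flagged address into a notice-then-quarantine workflow rather than an immediate disconnect, which is the point several posts here make about warnings and VoIP customers.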
  • I'm pretty sure I remember Rogers in Toronto cutting me off years ago due to malware-related data they detected coming from my IP address. They gave me 24hrs notice (but I was away at the time) before cutting me off. How a bot-net is considered different is beyond me.

    I'm surprised this kind of thing isn't done already worldwide.

  • Craziness. (Score:4, Insightful)

    by pclminion (145572) on Tuesday October 05, 2010 @04:36PM (#33799340)

    What is it about spam and malware that causes people to completely lose their minds? What are you worried about botnets anyway? Either your system is secure and it won't be a problem for you, or your system is not secure and you are, by your own admission, "part of the problem." This isn't like quarantining carriers of a deadly disease. It's not exactly difficult to secure your own system against the nasties on the internet. But people are here supporting the idea of severing a person's internet connectivity because they've been a victim of some asshole on the internet. I think we can all agree that the internet is culturally revolutionizing, and has already proven itself to be an extremely important tool in the promulgation of free speech. But once you throw this crap in the mix we have people asserting these authoritarian opinions which, quite honestly, scare the shit out of me.

    At the very least, if there is some set of criteria for disconnecting somebody from the internet, there must also be criteria for how to get reconnected and a very clear and doable set of instructions how to get back online. Otherwise you will end up permanently silencing people.

    • Re:Craziness. (Score:4, Informative)

      by Haedrian (1676506) on Tuesday October 05, 2010 @04:42PM (#33799444)

      You're not exactly 100% right.

      Firstly, people who are infected often spread the infection amongst other computers, using the social aspect. Maybe you won't open an email from someone you don't know, but your best friend?

      Secondly, you're protecting them as much as you're protecting yourself - if they buy something online, their details might be stolen.

      Thirdly, they might not realise, and spread the virus anyway through other means, but disconnection makes it sure.

      Fourthly, even if your computer is uber-filtered, DDOS attacks, spam sending and other nasties can be done using a botnet, so even if you're not part of it, there's no way around that.

    • Re: (Score:3, Insightful)

      by TubeSteak (669689)

      What is it about spam and malware that causes people to completely lose their minds?

      http://en.wikipedia.org/wiki/Tragedy_of_the_commons [wikipedia.org]
      The internet is a public space.
      We have laws that prevent people from harassing you in public or shitting (literally and figuratively) in public spaces.
      People who violate these laws frequently end up summoned before a judge &/or in a psych ward.

      Are you suggesting that because we're applying these standards to the internet that suddenly all the old arguments do not apply?

    • Re: (Score:3, Informative)

      by sjames (1099)

      Because botnets send spam and botnets coordinate DDOS attacks. I run all Linux, yet I can be affected by botnets every single morning when I first check my mail. An Apache web server running on Linux can be DDOSed by a botnet that cannot infect it.

      Fully agreed that there must be a clear way to get back on the internet that doesn't involve submitting to an anal probe. The restriction also shouldn't be complete, just enough to block the botnet until it can be sorted out. It must never be punitive in nature.

  • No way (Score:5, Interesting)

    by quatin (1589389) on Tuesday October 05, 2010 @04:37PM (#33799356)

    This has happened to me once. I got a virus and a couple hours later, my internet was off. I called the service desk and I was told that my computer was infected and get this, I need to download a patch to fix it. "How do I download a patch when my internet is off, I asked." "Bring your computer to the service center when we open on Monday." I instantly canceled my service. I was a college student at that time. Some tasks required the internet. In fact the only way to turn in my physics homework was to upload it to the server by 2am on Tuesdays and Thursdays. I don't need to be worrying about my internet shutting off at random times and having to make a midnight dash to campus to use the library computer.

    I try to keep my computer clean. I run firewalls and I have virus scanners, but if you haven't been infected with a virus before then you haven't been on the internet long enough. Sooner or later you'll get infected and god forbid if you rely on the internet, i.e. VoIP or server hosting. Why do I get punished for what other people do? Should car manufacturers be able to remotely turn off your car when your car starts to leak oil or freon?

    • by Dalzhim (1588707)

      Precisely what I was about to argue.
      Being cut off the internet sure as hell won't help you clean up your mess.
      Nice car analogy as well.

      +1.

    • Re:No way (Score:4, Insightful)

      by John Hasler (414242) on Tuesday October 05, 2010 @05:18PM (#33800018) Homepage

      I run firewalls and I have virus scanners, but if you haven't been infected with a virus before then you haven't been on the internet long enough.

      I've been on the Internet for about 25 years. No computer under my administration has ever been infected by malware of any sort.

      Why do I get punished for what other people do?

      You aren't being punished. The Net is being protected.

      Should car manufacturers be able to remotely turn off your car when your car starts to leak oil or freon?

      Bad analogy. The manufacturer is not shutting off your car. The toll-road operator is telling you to leave and not come back until you fix your oil leak.

      • Re: (Score:3, Informative)

        by L4t3r4lu5 (1216702)

        Bad analogy. The manufacturer is not shutting off your car. The toll-road operator is telling you to leave and not come back until you fix your oil leak.

        Bad analogy. The toll road operator is telling you you can't drive your car on the road, so you can't get it back home where you have all the tools required to fix the job yourself. Instead, he tells you he runs a repair service which is chargeable and only after you've proven your car is not leaking oil anymore (can't drive it on the road, remember?) you can't drive it on the road.

        Sounds like racketeering to me.

    • Re:No way (Score:4, Interesting)

      by rickb928 (945187) on Tuesday October 05, 2010 @05:32PM (#33800238) Homepage Journal

      "How do I download a patch when my internet is off, I asked." "Bring your computer to the service center when we open on Monday."

      I did a stint at a college help desk. We would have patched your system fully, re-scanned it for anything else, and offered to defrag it if you had the time. And of course offered to install the college-provided office suite if you had time, or just drop the URL on your desktop for you to at your pleasure.

      And we would have done it for FREE. Well, your parents did pay an obscene tuition, but with that comes the assumption that they don't want you wasting time with mundane tasks such as cleaning up your machine, and of course the interruption of being infested by your roomie's machine either. Boy, the first couple of weeks starting the Fall term were days and nights of cleaning up incoming machines that had spent the summer on facebook and pr0n.

      Quit yer whinin. They probably put in the 80-hour weeks I did getting the incoming crew settled down, and can use a weekend off. Were they gonna charge you? I bet not.

      Kids.

      Oh, BTW, this was at a very prestigious Northeastern liberal arts and science college. Obscene barely describes the tuition, but the kids coming in were impressive; polite, patient, quick to understand what was going on. It renewed my faith in America, compared to your average state college rabble. Unfortunately, they will be indoctrinated in the most unfortunate theories and balderdash, but many of them overcome that and go on to be productive and valuable members of society. The rest become politicians.

  • I mean generally 'yes' but why not quarantine them to a network that allows them only access to a handful of services needed to get things working again:
    - Microsoft ?
    - a non-partisan collection of anti-virus vendor websites
    - ISP specific help pages
    - ISP specific log entries outlining proof and nature of infection.
    - a page that allows, once a day to get service restored on a probationary period to test for successful eradication.
    - netbsd.org/freebsd.org/ubuntu.com/fedora.com/etc ...
    • by nblender (741424)
      oh crap. I should have hit preview... I mean generally 'yes' but why not quarantine them to a network that allows them only access to a handful of services needed to get things working again:
      - Microsoft ?
      - a non-partisan collection of anti-virus vendor websites
      - ISP specific help pages
      - ISP specific log entries outlining proof and nature of infection.
      - a page that allows, once a day to get service restored on a probationary period to test for successful eradication.
      - netbsd.org/freebsd.org/ubun
  • While you're there, throw them a lot of information about why they should have an anti-virus - why they should scan regularly, and while downloading from 'that shady place' is a bad idea.

    Maybe it'll stick once they realise they have no internet.

  • ISPs should be able to identify the IP addresses the bot is contacting and block it from getting out of the ISP.

    Then it should track down those IP addresses and inform their ISPs that they are hosting a control node for a botnet.

    Backbone providers should shut down access from any ISP that refuses to shut down botnet control nodes.

  • From an AC comment [slashdot.org] on yesterday's story [slashdot.org] about Comcast presenting a web-based overlay warning of an infection...

    ComcastAntiVirus have detected a infection or your computer. To run free virus removal click here!
    www.c0mcast.net/antivirus.exe

    Doing it via the browser is a very bad idea. Not only can it be spoofed, it undermines the "don't click those things" mantra that we are trying to ingrain in users' minds.
    Cut them off, instant phone call and/or mailing. If they need it, allow them access to antivirus (I b

  • to help him fix the problem. The customer is probably not the villain here and probably doesn't even know that he is botnet infested (after all, ALL windows machines slow down eventually and have to have the OS re-installed, right?). The ISP should try to contact the customer by phone, email or snail mail and first let him know of the problem. Perhaps send him some general information on how to fix his problem, or just point him to the right URLs on the net where he can find the information he needs to

  • This is going to get more interesting as security (home alarm) companies and medical (help, I've fallen and I can't get up) companies are moving all their services to the user's web connection. Once there are a couple of deaths and a fire that don't get reported, these services are going to come under a lot more pressure to not disconnect people without multiple notices through snail mail, etc. type of process.
  • by Invisible Now (525401) on Tuesday October 05, 2010 @04:45PM (#33799496)

    I'd actually appreciate a friendly email from my ISP informing me that they are detecting strange traffic from my IP address and suggesting that I might want to check for a Botnet infection. Detecting sneaky outgoing traffic and other malfeasance is beyond the technical range of many customers.

    They might even provide links to resources I could use to detect and remove the Bot. They might even make these resources free, useful (Like pretested and configured against the current signature and MO of the Botnets they're seeing) and come off as concerned and helpful.

    This is one area where our interests and the ISP's are aligned. Starting the process with a "cutoff" seems like a lose-lose...
