Botnet Security

Should ISPs Cut Off Bot-infected Users? 486

richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."
This discussion has been archived. No new comments can be posted.

  • Re:Yes (Score:2, Informative)

    by natehoy ( 1608657 ) on Tuesday October 05, 2010 @04:39PM (#33799398) Journal

    I'm with Comcast, and they already offer a free subscription to the Norton Security Suite as part of my subscription.

    I don't use it, but it's readily available, and free, to Comcast customers.

    Hint: If you're with almost any ISP and you're paying for Antivirus you're almost certainly wasting your money. I don't think I've ever been with an ISP that didn't provide free Antivirus if I wanted to download it.

    Of course, I'm running Linux, so Norton doesn't do me a lot of good for any of my machines. But there are a few AV scanners for Linux (I run ClamAV).

  • Re:Craziness. (Score:4, Informative)

    by Haedrian ( 1676506 ) on Tuesday October 05, 2010 @04:42PM (#33799444)

    You're not exactly 100% right.

    Firstly, people who are infected often spread the infection amongst other computers, using the social aspect. Maybe you won't open an email from someone you don't know, but your best friend?

    Secondly, you're protecting them as much as you're protecting yourself - if they buy something online, their details might be stolen.

    Thirdly, they might not realise, and spread the virus anyway through other means, but disconnection makes it sure.

    Fourthly, even if your computer is uber-filtered, DDOS attacks, spam sending and other nasties can be done using a botnet, so even if you're not part of it, there's no way around that.

  • by Invisible Now ( 525401 ) on Tuesday October 05, 2010 @04:45PM (#33799496)

    I'd actually appreciate a friendly email from my ISP informing me that they are detecting strange traffic from my IP address and suggesting that I might want to check for a Botnet infection. Detecting sneaky outgoing traffic and other malfeasance is beyond the technical range of many customers.

    They might even provide links to resources I could use to detect and remove the Bot. They might even make these resources free, useful (Like pretested and configured against the current signature and MO of the Botnets they're seeing) and come off as concerned and helpful.

    This is one area where our interests and the ISP's are aligned. Starting the process with a "cutoff" seems like a lose-lose...

  • by Yalius ( 1024919 ) on Tuesday October 05, 2010 @04:51PM (#33799576)
    The first time, we take the member's word that they've cleaned or replaced the computer. After that, if it recurs, we need to see either an invoice from a repair shop or retail shop for repair or purchase of a computer. We provide CDs here in our office with removal tools, and we do provide removal and cleanup services.

    We also provide download links for security software right from our tech support portal, and a complimentary CD with the same software with every new subscriber. 3 times a year we offer a class on intro to pc and internet security. If someone's still getting infected after all the resources we've made available, then tough love may be just what's needed.
  • by KlaymenDK ( 713149 ) on Tuesday October 05, 2010 @05:02PM (#33799798) Journal

    Brilliant! Also, that makes good business sense, as they would have to use the email service that you, as an ISP, kindly provide ... for a fee. We really can't allow those lusers to manage their own mail, oh no sirree.

    I would think it was fine if ISPs set up new accounts with most ports closed *and then provided a good, efficient interface for users to open what they want to be open* ... but most (most! there are some good ones out there) ISP staff get that deer-caught-in-the-headlights look when you start to ask questions about outgoing ports. Seriously; I've had the privilege of being told that yes, I would certainly be able to surf the web, when I asked about accessing my own file/media server from the WAN side. Sigh.

  • Re:Yes (Score:4, Informative)

    by paulej72 ( 1177113 ) on Tuesday October 05, 2010 @05:03PM (#33799800)
    We have implemented this at Princeton University. Port 25 blocked, unless you specifically ask for it. All users who were using outside email services also had to change to use port 587 to connect to their mail servers.

    We are trying to be good net citizens and not have mail bots running from our network.
  • Re:No (Score:3, Informative)

    by santax ( 1541065 ) on Tuesday October 05, 2010 @05:11PM (#33799926)
    Well, here in the Netherlands I think there is 1 provider left who lets you run your own server. All the others block your traffic on 25, forcing you to use their mail servers. Which is a bitch when you also run some domains from home. I don't know how my comment made me a troll... What is wrong with free internet? What is the next step? Should ISPs cut off customers who search for a word that some government doesn't like? ISPs should not cut off anyone. They should make sure their internal network is ok and protected. The only reason I can see why someone would drop a connection is when someone is sending out so much data that the pipes get too full. And that would be the only case. In all other cases I would say: just give your customers some virus solution. So that the ones that care can protect themselves and the ones that don't don't have to be bothered by it. Doesn't mean I can't see why some people are in favor of this. Just not me. But I am not trolling here lol :P
  • Re:Craziness. (Score:3, Informative)

    by sjames ( 1099 ) on Tuesday October 05, 2010 @05:43PM (#33800352) Homepage Journal

    Because botnets send spam and botnets coordinate DDOS attacks. I run all Linux, yet I can be affected by botnets every single morning when I first check my mail. An Apache web server running on Linux can be DDOSed by a botnet that cannot infect it.

    Fully agreed that there must be a clear way to get back on the internet that doesn't involve submitting to an anal probe. The restriction also shouldn't be complete, just enough to block the botnet until it can be sorted out. It must never be punitive in nature.

  • by Yalius ( 1024919 ) on Tuesday October 05, 2010 @06:09PM (#33800626)
    Didn't say McAfee. Didn't allude to McAfee. We provide links for Avast and Avira.

    Now, who should try again?
  • lawlawlalwl (Score:1, Informative)

    by Anonymous Coward on Tuesday October 05, 2010 @09:09PM (#33802596)

    i work at a computer repair shop. most the infected machines we work on have processes setup by malware to automatically proxy all internet traffic, making it pretty difficult for the user to even stay connected to the net. you don't hafta cut off bot infected machines, half the time they cut THEMSELVES off! =] windows users: enjoy paying money to fix that scrap pile. god i'd buy an apple if i had the money. btw i'm a linux user.

  • Re:No way (Score:3, Informative)

    by L4t3r4lu5 ( 1216702 ) on Wednesday October 06, 2010 @03:36AM (#33805220)

    Bad analogy. The manufacturer is not shutting off your car. The toll-road operator is telling you to leave and not come back until you fix your oil leak.

    Bad analogy. The toll road operator is telling you you can't drive your car on the road, so you can't get it back home where you have all the tools required to fix the job yourself. Instead, he tells you he runs a repair service which is chargeable and only after you've proven your car is not leaking oil anymore (can't drive it on the road, remember?) you can't drive it on the road.

    Sounds like racketeering to me.
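
Several comments above describe the same mechanics: outbound port 25 blocked unless a subscriber asks for it, mail clients moved to port 587, and a notice sent before any restriction. The sketch below is an added example, not code from any poster or ISP; the flow-record layout, the threshold of 20 distinct destinations, the opt-in list and all addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed flow records: (subscriber_ip, dst_ip, dst_port).
FLOWS = (
    [("198.51.100.7", f"203.0.113.{i}", 25) for i in range(1, 41)]    # many direct-to-MX targets
    + [("198.51.100.8", "192.0.2.10", 587)] * 30                      # normal mail submission
    + [("198.51.100.9", f"203.0.113.{i}", 25) for i in range(1, 41)]  # opted-in home mail server
    + [("198.51.100.10", "192.0.2.25", 25)] * 3                       # a few flows to one host
)
PORT25_OPT_IN = {"198.51.100.9"}  # assumed: subscribers who asked for port 25 to stay open
MAX_SMTP_DESTS = 20               # assumed threshold: distinct port-25 destinations per window


def suspicious_subscribers(flows, opt_in=PORT25_OPT_IN, limit=MAX_SMTP_DESTS):
    """Return {subscriber_ip: distinct port-25 destination count} for those over the limit."""
    dests = defaultdict(set)
    for src, dst, port in flows:
        # Port 587 submission is never counted; opted-in subscribers are exempt.
        if port == 25 and src not in opt_in:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) > limit}


def next_action(prior_notices):
    """Graduated response: notify first, then restrict only outbound port 25."""
    return "notify" if prior_notices == 0 else "block-outbound-25"


def triage(flows, notice_history):
    """Map each flagged subscriber to the action for this window."""
    return {src: next_action(notice_history.get(src, 0))
            for src in suspicious_subscribers(flows)}


if __name__ == "__main__":
    print(triage(FLOWS, {}))                   # first detection: notify
    print(triage(FLOWS, {"198.51.100.7": 1}))  # recurrence: restrict port 25 only
```

Counting distinct destinations rather than raw flows keeps a client that retries against one server from being flagged, and the second action restricts only port 25 rather than the whole connection.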
