Should ISPs Cut Off Bot-infected Users?
richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."
Let's ask in different context (Score:1, Insightful)
Should ISPs cut off P2P users that infringe copyrights? Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as copyright infringement would be contrary to the terms of the ISP's acceptable-use policy.
What about posting opinions that the ISP company doesn't like? It's not like it's suppressing free speech as they are a private company.
Or what about if we just let ISPs be what they are supposed to be, common carriers, before this goes to slippery slope?
Yes (Score:5, Insightful)
Should ISPs Cut Off Bot-infected Users?
Yes. Some ISPs already cut off P2P users. By comparison botnets are a real threat.
Yes! (Score:5, Insightful)
A doctor would quarantine a contagious patient. An ISP should quarantine an infected PC.
Yes would be the answer (Score:5, Insightful)
>"Should ISPs Cut Off Bot-infected Users?"
After a suitable warning to the customer/administrator, yes. Absolutely. But it should be made very easy for the customer/administrator to reactivate their service, too.
Re:Yes (Score:5, Insightful)
Not being able to get online is probably the surest (maybe only) way to get a novice (or under) computer user to take their bot machine offline.
Yes* (Score:3, Insightful)
Yes, but not before first providing ample warning notifications by e-mail, SMS, and robocall.
If you cut somebody off from the net straight away, that prevents the person from downloading the necessary file to take the steps necessary to remove the bot.
Who said they don't already? (Score:2, Insightful)
My cable ISP cut me off in 2001, when my roommate got a worm/bot infection due to bad P2P settings. I understand the good intentions, but it then became difficult to reach the right person who could reinstate service once I convinced them my network was clean.
No reason not to do the following (Score:3, Insightful)
For all the information the ISPs track from us, they have a responsibility. Pleading cost (razor thin margins) is no excuse to engage in restless behavior. In a capitalist society we recognize that if you can't pay for the costs of doing business, you go out of business and your competitors eat your lunch. Preventing crime that involves using your service is a reasonable and legitimate business cost. After all, the botnets tend to be one of the major users of ISP resources - particularly if they are doing a Denial of Service attack. So shutting them down lowers the ISP costs, increasing their thin margins.
of course they should shut you off (Score:4, Insightful)
Sure it's fair.
Once you've infected the rest of the Internet with crap, you're costing them more money in tech support calls from people complaining about you. Why would they pay to keep launching your crap packets into the core? Be your own ISP if that's your agenda. If you take care of your network, you won't run into this.
Re:No Way! (Score:2, Insightful)
Re:No Way! (Score:3, Insightful)
That door has always been wide open.
Don't stop there. (Score:2, Insightful)
Cut off vs. filtered (Score:5, Insightful)
ISPs should be responsible for filtering out bot activity, but it's not really fair to anyone to cut them off entirely. After all, it's not entirely their fault they got infected... hell even if they're responsible with updates and activity they could have been compromised by some new vulnerability.
Has firewall technology not been able to keep up with bulk ISP traffic or something?
I understand that users ought to control their own home firewall, but ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary. But I guess if they have it, then that means they're kinda liable for configuring it effectively and can thus be held responsible for attack traffic that does get through.
Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond. Which is virtually an eternity in botnet time... which makes that whole approach somewhat pointless.
"Thank you for buying our data/voice bundle." (Score:2, Insightful)
Re:Of course... (Score:5, Insightful)
No. You have a DOCTOR cut it out. The question here is whether or not most ISPs are competent in determining what really is bot activity. A bunch of false positives will be miserable -- as will having to prove to some first-tier customer support person that your system is not infected (as in never was) or that it is actually cleaned and should be allowed back online.
And pity the person that has their ISP connection blocked that uses voice over IP to call customer support. If the ISP blocks the MODEM life is going to be interesting.
Oh, and you won't need to look up that phone number, will you?
Overall, getting infected systems off the net is a wonderful idea, but one that could be a complete mess if done poorly.
Re:Yes would be the answer (Score:3, Insightful)
Second this. You don't want the solution to be punitive to the infected computer owner, you want it to be disruptive to the botnet operators. A simple "your zombie PC has been disconnected, please contact us to reconnect" followed by instructions on cleaning malware would cut the problem in half. Added bonus, after it happened to them for the first time, the end user would hopefully wise up a bit about security and adopt minimum standards of prevention and safety.
The service in ISP (Score:4, Insightful)
They're Internet SERVICE Providers. Not Internet Police, nor Internet Guardians. They exist to provide people with access to the Internet for a fee. Now a lot of ISPs already do plenty that is contrary to the best interests of the customers. Bad behaviour ranges from price gouging and using misleading advertising, to draconian terms of service (usually because they're able to due to a monopoly or collusion), to playing fast and loose with customers' private data (often in the name of anti-piracy). Do you really want to give these same ISPs the power to take a customer's money and provide them with nothing based on nothing other than their own conclusion that a customer is infected? That's madness. An ISP should be providing a customer with help to remove the infection, not removing their access to the Internet.
Re:Cut off vs. filtered (Score:4, Insightful)
So much for "network neutrality".
It's easy to avoid getting infected.
Re:No Way! (Score:3, Insightful)
They already do that, and their right to do so is written in their contracts.
Slight hypocrisy. (Score:5, Insightful)
So on one hand, ISPs should not regulate the type of traffic and should not sniff, etc...
On the other hand, ISPs should cut off virus-infected computers. Apparently, they ARE sniffing or monitoring in some way in order to cut you off.
Just wait for a company to decide that being a torrent feeder is being part of a botnet and thus torrent feeders must be cut off. Good luck getting back on again.
If it is really botnet activity, why not just block the botnet activity but not the non-botnet activity? If you can't determine if it's botnet activity well enough, then how are you going to choose who gets cut off?
(I am not necessarily decidedly against this, but at the moment, it seems to be somewhat hypocritical to be against ISP filtering and for ISP cutting off [on their own]. Enlighten me. :) )
Re:Let's ask in different context (Score:2, Insightful)
GP may be exaggerating the problems of the slippery slope, but I think there is a point there. Cutting infected computers completely off the internet is unacceptable, how the hell do you fix the problem with no internet access? If my desktop were to get infected, I'd use my laptop to look up instructions and/or programs I'd need to clean it.
The "walled garden" approach is more justifiable, but I still see it as a dangerous game, because the ISP winds up controlling who is in the walled garden. I would assume that you'd be able to access at least some sites of antivirus vendors, but whose? Does the ISP get to pick? What stops them from selling those rights to a specific vendor? Do I have to purchase Symantec to clear my infection because my ISP won't let me access Kaspersky? Lots of infections require specialized programs to clean infections when they first hit, do I have to wait while my ISP updates to allow access to those programs? What if I get an infection with no currently known cure, do I have to just wait it out? Meanwhile having no ability to contribute to or follow the discussion.
How do I prove that I'm no longer infected? If my desktop is infected, and I turn it off and turn on my laptop, am I still walled off? I agree with the idea conceptually, but logistically it seems completely unworkable, and the fact is it's just not an ISP's job, I pay them to give me internet access, not run my network.
Craziness. (Score:4, Insightful)
What is it about spam and malware that causes people to completely lose their minds? What are you worried about botnets anyway? Either your system is secure and it won't be a problem for you, or your system is not secure and you are, by your own admission, "part of the problem." This isn't like quarantining carriers of a deadly disease. It's not exactly difficult to secure your own system against the nasties on the internet. But people are here supporting the idea of severing a person's internet connectivity because they've been a victim of some asshole on the internet. I think we can all agree that the internet is culturally revolutionizing, and has already proven itself to be an extremely important tool in the promulgation of free speech. But once you throw this crap in the mix we have people asserting these authoritarian opinions which, quite honestly, scare the shit out of me.
At the very least, if there is some set of criteria for disconnecting somebody from the internet, there must also be criteria for how to get reconnected and a very clear and doable set of instructions how to get back online. Otherwise you will end up permanently silencing people.
Re:No reason not to do the following (Score:5, Insightful)
Wait, your big plan is to:
1. Cut off their access (presumably also to e-mail)
2. Send them an e-mail that they must reply to if they want to be able to read email.
And where exactly are they supposed to read this email?
Re:No Way! (Score:4, Insightful)
Exactly. What's stopping an ISP from simply cutting you off because you were using too much bandwidth, stating that you are infected?
Nothing. Just like nothing is stopping them from doing it now.
Re:Yes (Score:4, Insightful)
I agree. Sounds like a good policy.
> Not being able to get online is probably the surest (maybe only) way to get a novice (or under) computer user to take their bot machine offline.
I can't wait for a browser exploit that spoofs the walled garden, thus allowing the botmaster to force you to install something really nasty.
Imagine being able to pwn a low privilege account and then having them log in as administrator to install your custom "virus removal" software. You'd never have to bypass any of those fancy OS protections again!
Re:Yes (Score:2, Insightful)
Well, that one would be simple: Have port 25 blocked by default, but have a way to enable it (protected by both password and captcha, so a bot cannot automatically enable it). That way, if you don't want to run a mail server (and especially if you have no idea about mail servers), your computer cannot be misused to send spam, and if you want to run a mail server, all you have to do is to go to the web interface and enable the port. The same could be done for other rarely used ports. Basically it would be a user-controlled firewall at the provider's end of the line, preconfigured for typical user behaviour.
Re:Yes would be the answer (Score:3, Insightful)
> Second this. You don't want the solution to be punitive to the infected computer owner, you want it to be disruptive to the botnet operators. A simple "your zombie PC has been disconnected, please contact us to reconnect" followed by instructions on cleaning malware would cut the problem in half. Added bonus, after it happened to them for the first time, the end user would hopefully wise up a bit about security and adopt minimum standards of prevention and safety.
This could be done in an acceptable manner:
It could also become a nightmare for customers if implemented poorly...
Re:Yes (Score:5, Insightful)
So long as the "I'm clean now, let me back in!" part is easy, then, yes.
Could not be more wrong (Score:4, Insightful)
Being able to connect to any port and to receive connections on any port is the definition of Internet access. I absolutely should be able to run a mail server on my home machine.
Now, if the ISP were to block incoming port 25 by default, and people who wanted it could fill out a quick form or something, maybe that would be okay.
Re:Let's ask in different context (Score:3, Insightful)
Very true but... I would also point out that ISP customers are...paying customers.
It seems to me like cutting them off is an acceptable solution but, just like the use of deadly force may be legal in some situations, it shouldn't be a matter of "shoot first and ask questions later" either.
I would say, cutting them off is acceptable in circumstances when either a) the end user can't be contacted in a reasonable amount of time, or b) the end user refuses to acknowledge the problem or take steps to fix it in a reasonable amount of time.
Reasonable amount of time, of course, depends on the situation. A machine that is actively participating in a DOS or impacting other users directly is a different case than one that's infected and idle. In any case, it's just plain good customer service to contact your customers when there is a problem.
-Steve
Re:No way (Score:4, Insightful)
I've been on the Internet for about 25 years. No computer under my administration has ever been infected by malware of any sort.
You aren't being punished. The Net is being protected.
Bad analogy. The manufacturer is not shutting off your car. The toll-road operator is telling you to leave and not come back until you fix your oil leak.
Re:Yes would be the answer (Score:5, Insightful)
The answer might be to do something like Comcast's approach of redirecting flagged accounts through a web proxy with a frame at the top and blocking other ports. You don't want to cut them off entirely, since the fix for their problem will go a lot better if they can browse the web and download AV software.
The danger is that they will implement "policies and procedures" and have know-nothing flunkies carry them out mindlessly, but then that's a danger anyway. They will need to actually have knowledgeable people willingly review cases that don't fit on the flow charts. Things like, NO, I do not have Windows virus XYZ, I don't do Windows.
Fully agreed, there must be no punitive element to this. There should be an educational component since most home Windows users simply don't know any better. Even the restrictive aspect should be the minimum necessary to contain the damage and inform the user.
Re:Craziness. (Score:3, Insightful)
> What is it about spam and malware that causes people to completely lose their minds?
http://en.wikipedia.org/wiki/Tragedy_of_the_commons
The internet is a public space.
We have laws that prevent people from harassing you in public or shitting (literally and figuratively) in public spaces.
People who violate these laws frequently end up summoned before a judge &/or in a psych ward.
Are you suggesting that because we're applying these standards to the internet that suddenly all the old arguments do not apply?
Re:Yes (Score:5, Insightful)
Of course, the ISP has every right to cut off bot-infected users, and should do so. (There's still the problem of not letting the user get online to get the bot removal software, but that's relatively minor and there are several ways around that).
But a lot of Slashdotters, being more technically competent than the typical Internet user, have experience with ISPs who do, in fact, do something silly, and cutting off bot-infected users has great potential for the ISP to screw over the customer via silliness. ISPs could very well
Re:Virus infection is NOT a given (Score:1, Insightful)
Or you could take the easy way and educate users
You don't work in IT, do you?
Sometimes it isn't so simple (Score:3, Insightful)
There are viruses now that can infect routers and modems.
I can only imagine how pissed off a customer is going to be if their ISP insisted that they pay a professional to clean their computer and are still being denied internet access because their router is infected.
Re:Let's ask in different context (Score:3, Insightful)
> how the hell do you fix the problem with no internet access? If my desktop were to get infected, I'd use my laptop to look up instructions and/or programs I'd need to clean it.
Sounds like you answered your own question. You don't use the infected computer to fix itself. If the computer is infected then step #1, even before diagnosis, is to remove the machine from any network connections, wired or otherwise. This is especially important in a business environment. If the infected computer is your only access to the internet, take it into a shop and let the pros deal with it. If it's not, spend some time to research the problem, burn the needed tools and documentation onto a CD, and try to clean it yourself.
Continuing to spam the network and reduce everyone else's bandwidth is not the right answer.
> I pay them to give me internet access, not run my network.
Right. And their terms say that you're not allowed to send out large quantities of spam, I assume. When your computer starts doing that then the agreement ends, they no longer have to honor their end to provide you with service when you're abusing that service.
Re:Yes (Score:4, Insightful)
Re:Let's ask in different context (Score:4, Insightful)
When the latest Ubuntu ships I often leave my torrent client seeding for a couple weeks.
Re:Let's ask in different context (Score:3, Insightful)
You assume that your users are incapable of cleaning an infection? It's quite possible that they know what they're doing but got infected twice. You're also assuming that any repair shop actually knows what they're doing. Geeksquad routinely misses malware after you pay them to clean it and they often mistake malware-filled laptops as "not fast enough to run windows xp".
Re:The service in ISP (Score:3, Insightful)
Along with acceptable use restrictions. Running a botnet node is not acceptable. Doesn't matter whether it's intentional; it's bad for the network. Them cutting you off isn't punishment; it's containment. Terminate the malware and you can be reconnected.