Should ISPs Cut Off Bot-infected Users?
richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."
Re:Yes (Score:1, Interesting)
Car analogy:
If your beat up old 1980s sedan was damaging the road as it drove, would it be smart for the police to take it off of the road until it is fit for driving?
I think we can all agree that the answer is yes.
User agreement (Score:3, Interesting)
Re:Lets ask in different context (Score:5, Interesting)
Re:Yes (Score:3, Interesting)
But how long until they are taking cars off the road simply because they are driven by the wrong kind of person, or at the wrong speed! This can't be allowed!
They could do it nicely (Score:5, Interesting)
They could just redirect them to a portal, where they get informed that their computer is sending out viruses.
The portal would offer a free virus scanner and the option to have several ports closed by the ISP (checked by default) ;)
- ports that could later be reopened by going to the "experts"-page
If the user insists, they of course can go on and use the internet anyway. But only after clicking "ok" to a sentence declaring that they are now informed and "solely liable to any damage they might do to the internet".
NAP/NAC (Score:4, Interesting)
The router should verify whether the endpoint is clear for internet access, and if it's not, it should limit user access to antivirus vendors, known OS upgrade services etc. and request the user to follow a link to repair their computer (or have it cleaned by someone skilled enough).
There are (or should be!) multi-platform NAP/NAC solutions to do this.
Of course, users should have an opt-out option, which allows them to disable the NAP and take responsibility for maintaining their systems themselves without "middle-maintenance".
Opted-out systems would be disconnected directly until the user verifies by phone to the operator that their misbehaving system (for example, a spam zombie) has been fixed.
Local ISP has been doing this for a while (Score:2, Interesting)
They do (or at least they did) (Score:3, Interesting)
My parents' PC was a fully functional mail server sending out 4-5 GB of e-mail a day. They didn't know this, of course, and complained about internet speeds all the time; the ISP figured it out pretty fast, though, and sent someone over to get it off the network and clean it for 'em.
I was quite surprised at how civil they were about it.
No way (Score:5, Interesting)
This has happened to me once. I got a virus and a couple hours later, my internet was off. I called the service desk and I was told that my computer was infected and, get this, I needed to download a patch to fix it. "How do I download a patch when my internet is off?" I asked. "Bring your computer to the service center when we open on Monday." I instantly canceled my service. I was a college student at that time. Some tasks required the internet. In fact the only way to turn in my physics homework was to upload it to the server by 2am on Tuesdays and Thursdays. I don't need to be worrying about my internet shutting off at random times and having to make a midnight dash to campus to use the library computer.
I try to keep my computer clean. I run firewalls and I have virus scanners, but if you haven't been infected with a virus before then you haven't been on the internet long enough. Sooner or later you'll get infected, and god forbid if you rely on the internet, i.e. VoIP or server hosting. Why do I get punished for what other people do? Should car manufacturers be able to remotely turn off your car when your car starts to leak oil or freon?
Re:Yes (Score:4, Interesting)
But how long until they are taking cars off the road simply because they are driven by the wrong kind of person, or at the wrong speed! This can't be allowed!
It's already happening [abc.net.au].
Re:Yes would be the answer (Score:4, Interesting)
Telenor in Norway does this already in a limited way.
If they detect large amounts of email originating from your network they will block the sending of email (by blocking outgoing connections to the standard mailserver ports).
From what I've read of their limited releases of information on the programme, it works quite well. They of course contact you letting you know that you have this problem, usually through email, but if you do not reply they call you ;)
My brother got infected by a worm a while back and my father was not pleased :p Suddenly he couldn't send email... whoops? :p
(Oh, and they allow you to email 'internal' addresses, though, so you can contact them to resolve the issue.)
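The Telenor approach described above (spot a subscriber suddenly talking to many external mail servers, then block outbound SMTP while keeping the ISP's own mail reachable) can be sketched as a small detection-and-response script. This is an added example, not code from the thread or from any ISP; the flow record format, the relay address 198.51.100.25, the subscriber addresses and the thresholds are all constructed assumptions, and the nftables-style rules are emitted as text only:

```python
# Added example (not from the Slashdot thread or any ISP's real system):
# flag subscribers behaving like spam zombies from constructed flow records,
# then emit an egress filter that blocks their outbound SMTP while leaving
# the ISP's own mail relay reachable, as the Telenor comment describes.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SMTP_PORTS = {25, 465, 587}          # standard mail relay/submission ports
ISP_MAIL_SERVER = "198.51.100.25"    # assumed address of the ISP's relay (documentation range)
MAX_DISTINCT_SMTP_PEERS = 20         # assumed policy: distinct external mail peers per window
MAX_SMTP_FLOWS = 100                 # assumed policy: total external SMTP flows per window


@dataclass(frozen=True)
class Flow:
    src: str    # subscriber address
    dst: str    # destination address
    dport: int  # destination TCP port


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse 'src dst dport' records (a constructed, whitespace-separated format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def external_smtp_stats(flows: Iterable[Flow]) -> Dict[str, Tuple[int, int]]:
    """Per subscriber: (distinct external SMTP peers, external SMTP flow count).
    Mail handed to the ISP's own relay is ordinary use and is not counted."""
    peers = defaultdict(set)
    count = defaultdict(int)
    for f in flows:
        if f.dport in SMTP_PORTS and f.dst != ISP_MAIL_SERVER:
            peers[f.src].add(f.dst)
            count[f.src] += 1
    return {src: (len(peers[src]), count[src]) for src in peers}


def flag_spam_zombies(flows: Iterable[Flow],
                      max_peers: int = MAX_DISTINCT_SMTP_PEERS,
                      max_flows: int = MAX_SMTP_FLOWS) -> List[str]:
    """Subscribers whose direct-to-mail-server behaviour exceeds either threshold."""
    stats = external_smtp_stats(flows)
    return sorted(src for src, (npeers, nflows) in stats.items()
                  if npeers > max_peers or nflows > max_flows)


def egress_block_rules(src: str) -> List[str]:
    """nftables-style rules (illustrative text, not loaded anywhere): keep mail to
    the ISP relay working so the subscriber can still reach support, drop the rest."""
    ports = ", ".join(str(p) for p in sorted(SMTP_PORTS))
    return [
        f"ip saddr {src} ip daddr {ISP_MAIL_SERVER} tcp dport {{ {ports} }} accept",
        f"ip saddr {src} tcp dport {{ {ports} }} drop",
    ]


# Constructed sample: one ordinary subscriber, one infected host spraying port 25
# at thirty different destinations in the documentation range.
SAMPLE_FLOW_LINES = [
    "# src dst dport",
    "100.64.0.10 198.51.100.25 587",
    "100.64.0.10 198.51.100.25 587",
    "100.64.0.10 203.0.113.80 443",
] + [f"100.64.0.11 203.0.113.{i} 25" for i in range(1, 31)]


def main() -> None:
    flows = parse_flows(SAMPLE_FLOW_LINES)
    for src in flag_spam_zombies(flows):
        npeers, nflows = external_smtp_stats(flows)[src]
        print(f"{src}: {npeers} external SMTP peers, {nflows} flows -> blocking outbound SMTP")
        for rule in egress_block_rules(src):
            print("  ", rule)


if __name__ == "__main__":
    main()
```

Counting distinct destinations rather than raw volume is what separates a spam zombie from a subscriber who simply sends a lot of legitimate mail through the ISP relay; the accept rule for the relay is what lets the "email internal addresses" escape hatch from the comment keep working after the block.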
No kidding. (Score:3, Interesting)
I mean they don't already? My ISP (Cox) does. Back in the day one of my roommates got a worm. Didn't know this, of course. I came home, my Internet wasn't working. Called the ISP, they told me what was up. I said "Ok computer is unplugged I'll have him clean it when he gets home." They said "Good deal, your net is back on."
Seems like a good idea to me.
Re:Yes (Score:2, Interesting)
Re:No way (Score:4, Interesting)
"How do I download a patch when my internet is off, I asked." "Bring your computer to the service center when we open on Monday."
I did a stint at a college help desk. We would have patched your system fully, re-scanned it for anything else, and offered to defrag it if you had the time. And of course offered to install the college-provided office suite if you had time, or just drop the URL on your desktop for you to install at your pleasure.
And we would have done it for FREE. Well, your parents did pay an obscene tuition, but with that comes the assumption that they don't want you wasting time with mundane tasks such as cleaning up your machine, and of course the interruption of being infested by your roomie's machine either. Boy, the first couple of weeks starting the Fall term were days and nights of cleaning up incoming machines that had spent the summer on facebook and pr0n.
Quit yer whinin. They probably put in the 80-hour weeks I did getting the incoming crew settled down, and can use a weekend off. Were they gonna charge you? I bet not.
Kids.
Oh, BTW, this was at a very prestigious Northeastern liberal arts and science college. Obscene barely describes the tuition, but the kids coming in were impressive; polite, patient, quick to understand what was going on. It renewed my faith in America, compared to your average state college rabble. Unfortunately, they will be indoctrinated in the most unfortunate theories and balderdash, but many of them overcome that and go on to be productive and valuable members of society. The rest become politicians.
Re:Yes (Score:3, Interesting)
Because getting the user to say yes to installing things is hard now? There's no fancy OS stuff to avoid when an administrator user on the computer opens the front door in order to see the dancing cat video.
Re:No way (Score:1, Interesting)
So you just did what most of the public did: turn security software on, turn your own brain off.
I've quite literally never gotten an infection from the internet, and I've been using it since 1995. Anything that seems remotely fishy, be it from friends or the open internet, I avoid letting it do anything I don't want it to. Before you ask: yes, I've seen plenty of e-mails and web pages attempting to infect my system, so I'm not a statistical outlier that just never sees attempts at infections. I don't use applications with tons of known vulnerabilities and attempts at exploiting them. I have a Linux system operating as a NAT/firewall system for 3 Windows 7 machines, 3 Ubuntu 10.04 desktops, a MacBook, a Windows 2003 server, and an Ubuntu 10.04 server. I keep everything patched up to date. I do not use realtime anti-virus software. Haven't since 1998 or so, in fact. I run the occasional scan using ClamAV with my system running from a boot disk, just to be sure I've got nothing nasty sitting on my drive. It never finds a thing.
My roommate is the same way. He has a similar record.
What happened to you, despite your "I couldn't help it! The security software didn't work!" attitude, was your own fault. The only good anti-virus system out there is the human brain paying attention to what it does with a computer coupled with a properly configured firewall. Anything else is simply a placebo sold to you by a snake-oil salesman from the computer "security" software industry.
ISPs should figure out a way to leave VoIP systems running, sure. Everything else? Cut it off after a reasonable attempt to inform the user. If somebody got infected, I can say with 100% confidence it was their own fault. And FYI, the cops CAN issue you a ticket that you must comply with requiring repairs to safety or pollution problems on your car before it is allowed on the road again. They typically give you 10 days to fix the issue, unless it's particularly grievous. If you can't get to work or school without your car, that's your problem. I don't see how a virus infected computer is any different. Fix it for the safety of other internet users, or get off the internet.
How is this so hard? Why did anyone mod this up?
Re: Yes* (Score:2, Interesting)
Precisely. I was inadvertently infected by the sdra42.exe Trojan, which installed a spam server on my PC.
My ISP disconnected my 22Mbps ADSL link, and then called me to inform me of what they'd done. When I asked for information and help in detecting and removing the infection, they simply gave me their ticket/case reference and said to call when I had found and eliminated the offending virus, and then hung up. And that was their Security department.
Thank goodness that I had an iPhone 3G to surf the 'Web and bone up on the infection, and could use my work connection to download the tools I needed to defeat this virus. It took several days, with no help from my ISP whatsoever.
Re:Lets ask in different context (Score:3, Interesting)
Re:Yes (Score:3, Interesting)
It's incredible what some of these people charge for a few hours of running a few tools on a computer. I've seen prices upward of $250 for removing simple (non-rootkit) infections (Geek Squad, I'm thinking of you). That's insane. I capped my virus/rootkit cleaning charge at $75 over five years ago, and I rarely make less than $20/hr doing so, considering the actual time I spend in front of the computer. $20/hr might not sound like much to some people, but when I am working on four or five computers at once, it adds up. I'm not getting rich on it - in this small town, ten calls a week is good - but it's a damned sight better money than I make working for anyone else. (I do carpentry/remodeling/maintenance work to fill in the gaps; and for fun)
In case anyone is wondering, I have a very simple toolkit that I've used for three years now with near 100% success: Combofix, Avast!, Malwarebytes, and HijackThis.* With knowledge of how those work and what they detect, and how to use them, there is (currently) no computer I've run across that can't be cleaned. Other than the occasional stubborn porn-site/screensaver surfing morons (hosts file blocks work for them) I've not had a callback in over five years for any infected system that I've cleaned. (Now I have to find a bit of pristine lumber to bruise my knuckles on *g*, or perhaps a tree)
Combofix and HijackThis do require that one have a fairly intimate knowledge of how Windows works, which is why I don't recommend that the average person uses them.
Hosts file blocks are nice for some of the worst users, but I generally don't use them on most customers' computers; I prefer to give them a lecture the first time. ;-)
Remember, folks, also purge the System Restore, Temp files (both user and system)** and downloads folder/recycle bin; and take a quick look at the user's browsing history; sometimes you can find where they are getting infected from (more often not, but it's worth a look) and look at EVERY user's folders, not just the commonly logged in user. Oh, and passwords, passwords, passwords... particularly on the admin account.
* Live Windows boot CDs are also your friend; especially those with remote registry editing programs. Just make sure you know what you are doing.
** Saves time on the antivirus scans
I'm not paid to do advertising for Avast!, but I do have to say that I've found it the best free antivirus solution out there for home users. YMMV, opinion, etc, but it works great for my customers. ...and yes, I pass my knowledge on locally, as well. That is what being a geek is all about. Any infinitesimal damage to my own business income is far outweighed by the knowledge that somewhere, I helped someone else solve a problem. I share what I discover with all the other tech outfits in town who are willing to share back with me (three out of the five; one of the other two is a suit&tie outfit, and the other one "does it for fun"). We each have our strengths and weaknesses, and in sharing back and forth we help our customers out more - and it generates more business for all of us.
Yes, I run Linux at home and build my own boxes ;-) my home machines have to be reliable. I have no time for downtime.
This post probably contains immodest material, or perhaps something approaching boasting. I don't give a good goddamn.
SB
Re: Non Justice of Convenience (Score:3, Interesting)