Shutting Down Worm-Infected Broadband Users
disc-chord writes "Frustrated by Code Red and now Nimda, the DSL provider DSL.net (a CLEC and reseller of Covad) has shut off 800+ infected customers. They claim they cannot get in touch with all of their customers, so they're just shutting them all down, and waiting for the customer to call them. When/if the customer does call they are informed that they are infected with the Nimda virus and must remove it before they will be reactivated. But how are customers supposed to fix the problem when their internet connection is shut down?" I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. The Internet is a peer-to-peer system where one peer can piss in the public pool. These ISPs are doing a good thing by keeping this crap off the net. Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users. At least this way they know what's up. Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes. ISPs shouldn't have to be responsible for their users this way, but they are responsible for keeping their other users online, and a few infected boxes can cause a lot of havoc for the whole net.
Microsoft will never fix the problem without making sure people have to pay a monthly subscription
I could have sworn both the Code Red and Nimda (multiple) exploits were patched in October *last year*.
Yes, it's the fault of the users not keeping their machines up-to-date, but please, don't blame this on MS when they released, and advertised, a patch promptly. Heck, it'd be like some idiot running an old version of Sendmail blaming the sendmail author(s) on his box getting hacked. If you're on the net, it's your responsibility to stay safe.
http://twitter.com/onion2k
Turning off people's connection is rude. Asking a 75 year old senior citizen, who is just happy to read a few web pages and send mail to his grandkids to keep up an endless stream of patches because a bunch of hackers can disrupt the net is backwards.
Why? Internet access isn't a right, just like (despite what your average American might think) driving a car is not a right. If you want access to the internet (a peer to peer network) it's your problem to make sure you don't have a broken setup that will annoy people. In other words your part of the bargain is not to do anything that will break the network; it's your responsibility. Having a broken web server that gets infected by the latest worm is breaking the bargain.
Al. The Daily ACK - Eclectic posts by yet another hacker
I'm in favour of ISPs locking out infected machines that have demonstrated no attempt at fixing the problem. After all, these people have shown a blatant disregard of basic sysadmin responsibilities: how long has CodeRed been known about now?
However, here's a suggestion for a better response than simply removing Internet access to/from infected machines. The ISP runs some kind of DMZ server, but on the DSL side. All web traffic from infected machines is redirected to that one server (via transparent proxying), all other traffic is blocked. That way the end user can instantly see what's wrong. The ISP can also mirror the relevant patches on the DMZ so the end-user can get back up again as fast as possible.
It would take some setting up initially, but would reap substantial rewards in the long run.
| What, you were expecting
-O_O- +---- something witty?
This worm is particularly nasty. It's really made my work week, that much is for sure.
...to NTBugTraq? Do they even service pack their server or workstation? The answer is: no, not everyone. The information required to be a good MS product admin is there, you just need to get it. If you're a legit Microsoft product owner it ought to be required that you get a digest format of their advisories in e-mail weekly. (An even better question is: how many of these IIS servers are properly licensed???)
...Both, in my estimation. While I agree that it is the responsibility of the user to keep themselves patched, ISPs monitor network traffic; they can easily pay attention when a known high risk virus or worm is flooding their network.
In response to the growing storm regarding users vs ISPs... (/me dons his asbestos shorts)
Yes, users are responsible for their systems, they are responsible for watching patch levels, they are responsible for watching out for vulnerabilities. So many people throw up an IIS server or what-have-you on their DSL/Cable line it's not funny. Do you think all of them are subscribed to Microsoft's security advisory list?
And for those of you that thought I was beating on the users hard up there... Yes, it is the responsibility (nay, the duty) of the ISPs to protect their networks, and by mission of action the internet. I run apache as my webserver of choice; my logs flooded with attempts to find CMD.EXE and ROOT.EXE in all the right MS places Tuesday night and into Wednesday morning. A veritable denial of service attack. Here's the kicker: I'm on a dynamic IP! (nice about the randomization of searching in this worm...) Many requests were coming from my own ISP's network. Do you think they responded when I e-mailed them? No, they didn't.
A good ISP shuts off a user who (knowingly or unknowingly) abuses their connection. What if this worm were more malicious? What if it caused data loss? Think of the liability that could impose: so'n'so's unpatched web server infected my unpatched webserver and blew away my e-commerce site. Who takes the blame? So'n'so? Or so'n'so's ISP?
Don't even get me started on why worm/virus writers should be sending their exploits to anti-virus companies or other proper organizations instead of releasing them into the wild.
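The flood of CMD.EXE and ROOT.EXE requests the poster above saw in his Apache logs is what a Nimda-infected host looks like from the receiving end. The following is an added example, not code from this thread or from any poster: a small Python script that scans Apache access-log lines for the Nimda probe URIs (root.exe, cmd.exe reached through encoded directory traversal) and for Code Red's default.ida request, tallies them per source address, and produces the kind of per-IP scan list one would forward to the source network's abuse desk. The log lines and addresses embedded below are constructed for illustration (IETF documentation ranges), and the signature names are labels chosen here, not anything from the page.

```python
import re

# Apache common/combined log line: client IP, timestamp, request line, status.
# Constructed to match the sample lines below; real deployments may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Request URI patterns characteristic of Nimda's IIS probes and Code Red's
# default.ida request. Case-insensitive because the logs mix CMD.EXE and cmd.exe.
PROBE_SIGNATURES = {
    "nimda_root_exe": re.compile(r"/root\.exe", re.I),
    "nimda_cmd_exe": re.compile(r"/cmd\.exe", re.I),
    # Double-encoded backslash (..%255c) or overlong UTF-8 (..%c1%..) traversal.
    "nimda_traversal": re.compile(r"\.\.%(25)?5c|\.\.%c[01]%", re.I),
    "codered_default_ida": re.compile(r"/default\.ida", re.I),
}

# Constructed sample log. 192.0.2.10 behaves like a Nimda-infected IIS host
# probing us, 198.51.100.7 like a Code Red host, 203.0.113.5 is a normal visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:22:14:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
192.0.2.10 - - [18/Sep/2001:22:14:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
192.0.2.10 - - [18/Sep/2001:22:14:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
192.0.2.10 - - [18/Sep/2001:22:14:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
198.51.100.7 - - [18/Sep/2001:22:15:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 291
203.0.113.5 - - [18/Sep/2001:22:16:10 -0400] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [18/Sep/2001:22:16:11 -0400] "GET /images/logo.png HTTP/1.1" 200 5120
this line is not a log entry and is skipped
"""


def classify(uri):
    """Return the set of signature names matching a request URI (empty if benign)."""
    return {name for name, rx in PROBE_SIGNATURES.items() if rx.search(uri)}


def scan_log(lines):
    """Parse access-log lines and tally worm probes per source IP.

    Returns {ip: {"hits": int, "signatures": set, "first": str, "last": str}}.
    Unparseable and benign lines are ignored.
    """
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        sigs = classify(m["uri"])
        if not sigs:
            continue
        entry = report.setdefault(
            m["ip"], {"hits": 0, "signatures": set(), "first": m["ts"], "last": m["ts"]}
        )
        entry["hits"] += 1
        entry["signatures"] |= sigs
        entry["last"] = m["ts"]
    return report


def abuse_report(report, min_hits=3):
    """Sorted (ip, hits) list of sources at or above the threshold: the scan list
    you would hand to that network's ISP. Busiest source first."""
    return sorted(
        ((ip, e["hits"]) for ip, e in report.items() if e["hits"] >= min_hits),
        key=lambda t: (-t[1], t[0]),
    )


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG.splitlines())
    for ip, entry in result.items():
        print(f"{ip}: {entry['hits']} probe(s), {sorted(entry['signatures'])}, "
              f"{entry['first']} .. {entry['last']}")
    print("report to abuse desk:", abuse_report(result))
```

On a real server the loop would read the access log incrementally rather than a string; the threshold in `abuse_report` keeps a single stray request from putting a host on the list, while the per-IP first/last timestamps give the ISP the window they need to match against their own records.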
I pay a lot of money for my leased line. So do my ISP's other customers. A substantial fraction of my expensive bandwidth is being eaten up because other people (mostly also customers of my ISP) can't be bothered to patch their systems. The service my ISP is able to provide me is consequently degraded, and I'm not happy about it.
If an ISP emerges who only accepts clueful customers, I'm likely to move my account. ISPs know this: if they don't switch off the clueless (and consequently troublesome) customers, they will lose the clueful (and consequently more profitable) ones.
I'm getting to the point where I think there would be some merit in having to pass a test, like a driving test, before you can connect your computer to the public information infrastructure.
I'm old enough to remember when discussions on Slashdot were well informed.
That article you linked to offers a strange argument, that making a certain feature of the OS a little harder to get to (but not even close to difficult) is somehow security? Secondly, raw sockets don't violate the security of winXP in any way; if another computer can't handle badly formed network data coming in then that's a problem with the *other* system, not winXP. Thirdly, adding raw sockets is a very common add-on to windows and linux just to do these kinds of DoS attacks. Anyone who claims that keeping raw sockets somehow obscured is going to make any difference is living in a reality other than our own. Finally, they talk about how all winxp home boxes let programs run as "root" -- so what!? This is the same as win9x, macos, win2000 with users who run as administrator, and linux with users who run as root! Home users should have access to the entire functionality of their computer if they want to!
It's up to the operating system to be able to *handle* badly formed data, not other OSes to protect it from it! What happened to the dictum that "security through obscurity isn't security at all"? I bet if microsoft *removed* any raw sockets support we'd see a similar article saying how much they don't understand security, and how this won't solve any problems. Microsoft is always in the wrong. There's a huge double standard in the linux community.
NO CONTRACT SHOULD EVER LIMIT FUNDAMENTAL HUMAN RIGHTS. Hello? Are we living on the same planet? We're talking about a virus that aggressively scans the net and attempts to replicate itself. This virus sucks up bandwidth which is not, despite one /.er statement to the contrary, plentiful. Those who aren't yet infected are at risk of infection, or at the very minimum a DoS attack from those who are infected. To equate running an infected server to Freedom of Speech is ludicrous.
To extend your analogy, by allowing infected customers to soak up bandwidth and DoS attack other customers (even if it is unknowingly), you are actively denying the rights of the uninfected customers. Now you have a decision to make; cut off those who are aiding the attacks, or cut off those who are not. Why should my system be removed from the net if it isn't doing anything harmful? If your system is spamming mine at such a ferocious rate that I can't serve legitimate traffic then you are denying me the service I have paid for. At this point your right to service ends, even if you are paying for your own connection.
In the US we have freedom of speech, but that doesn't mean we can spread outright lies about others. We have the right to keep and bear arms, but that doesn't give us the right to shoot others indiscriminately. Your rights end where others' rights begin.
And finally, access to the net is not a right. It is not guaranteed in the Constitution. It's a service and a privilege that we pay to use. Can it facilitate free speech? Sure. Is it the sole medium for free speech? No. Like any other service, if you abuse it you can, and should, be denied access. In the same manner in which you can have your driver's license revoked for abusing the privilege of driving.
"The avalanche has already started, it is too late for the pebbles to vote." -Kosh
We are clearly in a time when we are increasingly vulnerable. If we are not capable of stopping these types of attacks in their tracks, we can count on remaining vulnerable not just to the mafia boys of the world, but to nations and organizations who are deadly intent on causing as much destruction as possible.
1) ISPs should allow any and all traffic - they're just service providers. Great idea - and the highway system (ok, let's say toll roads) should let folks drive down them with an M1 Abrams tank. Armed. Fact is, service providers must, for both idealistic ethical and pragmatic financial reasons, choose the greater good of the majority of users - not the imagined rights of any individual to screw it up for everyone else.
2) Cutting users off from the Internet seems a bit harsh. Bull. Having suffered through the Code Red degradation of service, I can guarantee that is a trivial harshness that is necessary. I turned over my scan lists to @home and they politely replied that they were "notifying" the offenders. If these guys were in charge of quarantining an Ebola outbreak we'd all be barfing blood. Blanket port blocking, on the other hand, wrongly damages and restricts responsible users.
3) M$ "fixes" their problems. More pure bull. M$ historically doesn't "fix" problems - they deny, accuse the evil virus writers, then finally stick bandaids on gaping holes - after suggesting that the users employ unworkable workarounds. The real problems are deeply rooted in fundamental design flaws and cannot truly be fixed without a major overhaul - oh yeah, I guess that would be Windows ME.
If enough users who purchase and use defective software get blown off the internet, then maybe, just maybe we'll see fewer ignorant (not stupid - there's a difference) users blundering down the electronic highways in battle tanks just cause some slick salesman in Seattle told them tanks made great family cars.
For the past 48 hours my XO DSL (formerly Concentric) has been blocking port 80 traffic. Originally all port 80 traffic was blocked, and on and off parts have been open, but now outbound is open. But my hosted sites here are down, and have been for nearly 48 hours. Here is a copy of the email I got from XO:
As a consequence of the increased traffic generated by NIMDA worm, XO will continue to use filters for Internet traffic on some of our networks. We will continue to monitor these filters and remove them from the network as the traffic decreases. In addition, we will continue to investigate alternative options to filter this traffic.
The filters we have recently implemented block the most common methods used by the worm to spread via the UDP port 69 (used for TFTP or Trivial File Transfer Protocol) and inbound TCP traffic on port 80 (used for HTTP or Hyper Text Transfer Protocol). This filter set may prevent others from accessing sites on your web servers. These filters will remain in place until the attacks have been brought under control.
XO customers are encouraged to secure their systems. If the worm has affected a machine on your network, it must be removed from the network and reformatted. You can find more information on these attacks and available remedies from the following links, using an alternate Internet connection if necessary:
Note that even if I was never infected (I wasn't -- mainly I run FreeBSD, and my win32 machines were patched months ago), I have no option to have them turn it on by telling them I'm clean. I confirmed this on the phone; there's nothing I can do. I am going to call and bitch and make them refund part of my monthly fee. This is bullshit.
I can see blocking people who appear to be infected, but blocking everybody? Ick.
-Justin
t_t_b
I'm on PJ's "enemies" list! Are you?