Slashdot Mirror


Major Aussie ISP Disconnecting Trojaned PCs

daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.

13 of 388 comments

  1. Why is this news!?! by pctainto · · Score: 4, Informative

    ISPs around the world have been doing this for a while now! I live in a house with 12 people and one person had a hijacked computer sending out mail and Adelphia cut us off. Although they never told us that they did (a quick call to customer support hooked us back up).

    Seriously, why is this news?

    --
    I think my principles are reachin' an all time low
    1. Re:Why is this news!?! by Yrd · · Score: 4, Informative

      And? NTL are one of the biggest ISPs in the UK and they do the same thing.

      --
      Miri it is whil Linux ilast...
  2. Re:Drastic Measures by Arghdee · · Score: 5, Informative

    To expand on this, a lot of you non-Australians should probably know that Telstra Bigpond is the ISP that people choose when they don't know any better.

    Value for money wise they rate very poorly compared to the opposition - for ADSL at least.

    For those of you that don't know, Telstra is a part government owned company, which owns much of the telco infrastructure in Australia. They like to make life difficult for any competitors.

    Also one of the few ISPs in Australia that charges traffic in both directions.

    Just in case you guys care :)

  3. Plusnet has a better way. by Zeussy · · Score: 5, Informative

    My ISP (plus.net) monitors any communications on port 135 etc. and if it detects any when you're connected, you get redirected to a Plus.net "you may have been affected with MSBlast" page etc. And gives you the links to tools to fix it.

    Very handy indeed.

  4. Re:Waste of time? by Raumkraut · · Score: 3, Informative

    I was 'disconnected' from my ADSL a while back, not because any of my machines were infected, but because I'd tried scanning my company's IP.
    My ISP had detected traffic on port 135 (some Windows thing exploited by malware), and automatically stopped forwarding any connections to or from my home machines. The only port which was allowed was port 80, and every web page request was redirected to a help page explaining what had happened. :)

    After blocking port 135 at my router, all it took was clicking a link on the aforementioned web page, and my connection was restored automagically.

    Rather well implemented, I thought.

  5. Just traffic? Or trojan traffic? by SlashDread · · Score: 4, Informative

    Look, I'm ALL for ISPs disconnecting "polluting" PCs. They just better make damn sure it's not legit traffic.

    My ISP does exactly this, if it suspects trojan traffic it shuts you down (and snail mails you). You subsequently call the helpdesk, they ask what you did to resolve the matters (the ISP provides FREE anti-virus and firewall software). If they are happy with your countermeasures, they'll reconnect you in a jiffy.
    If you can explain you have a legit reason to hit DNS 9765 times per second, I suspect they'll unlock you too.

    I love it.
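
The kind of per-customer DNS rate check this comment alludes to, as an added example that is not part of the original thread or any ISP's actual tooling. The log format, the threshold, the window and the allowlist parameter are assumptions chosen for illustration, and the sample log is constructed.

```python
from collections import defaultdict, deque

def parse_line(line):
    """Parse '<epoch_seconds> <client_ip> <qname>' (assumed format); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return float(parts[0]), parts[1]
    except ValueError:
        return None

def flag_flooders(lines, window=10.0, max_queries=100, allowlist=()):
    """Return {client_ip: peak query count in any `window` seconds} for clients
    whose peak exceeds max_queries and who are not on the allowlist."""
    records = sorted(r for r in map(parse_line, lines) if r is not None)
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, client in records:
        q = recent[client]
        q.append(ts)
        while ts - q[0] >= window:  # drop queries older than the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items()
            if n > max_queries and c not in allowlist}

def build_sample():
    """Constructed sample log; addresses are from documentation ranges."""
    lines = ["not a log line"]  # malformed input must be skipped, not crash
    # Ordinary customer: one lookup every 5 s.
    lines += [f"{1000 + 5 * i:.3f} 192.0.2.10 www.example.com" for i in range(12)]
    # Busy but steady customer: 120 lookups in a minute, 2 per second.
    lines += [f"{1000 + 0.5 * i:.3f} 192.0.2.20 mail.example.org" for i in range(120)]
    # Flooding host: 300 lookups in 3 s.
    lines += [f"{1020 + 0.01 * i:.3f} 192.0.2.66 h{i}.example.net" for i in range(300)]
    return lines

if __name__ == "__main__":
    for client, n in flag_flooders(build_sample()).items():
        print(f"{client}: {n} queries in 10 s -> restrict and notify customer")
```

The steady customer sends 120 queries in total but never more than 20 in any 10-second window, so only the burst from 192.0.2.66 is flagged; the allowlist models the "legit reason" case where the customer has explained the traffic.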

  6. Other ISPs block ports in order to reduce threats by goonerw · · Score: 3, Informative

    Aussie ISP Internode (one of the better alternatives to BigPond) deliberately block various types of malware (usually port blocking but other means have been employed such as IP blocking a client's IP) and an advisory is placed on the service status page indicating what is blocked and for how long.

    --
    LOAD ".SIG"
    PRESS PLAY ON TAPE
  7. My permanent boycott of Telstra by petrus4 · · Score: 4, Informative

    Attempting to strangle ADSL adoption, killing the national BBS community when the Internet first became mainstream in Australia in order to force adoption of Big Pond, and a host of other offenses meant that after an extended period of shopping around, I finally stopped using Telstra as a carrier completely last year, and they can now consider themselves permanently boycotted as far as I'm concerned. They are one of the most short-sighted, destructive, and generally amoral corporations I've heard of. They were also vocally criticised by Bill Gates during one of his visits here, for their strangulation of broadband adoption.

    Apart from the above, to some degree there are now price incentives to use other carriers as well, particularly for voice. If you've got a credit card, you also might want to check out TPG for ADSL...they probably have the best deals I've seen.

  8. Re:Potential boon for alternative OSes by grolschie · · Score: 4, Informative

    Except on most Linux dists:
    1). the default user is not an administrator
    2). 99.9% of malware cannot run. If it did, then it'd cause minimal damage (see 1.)
    3). There is no ActiveX
    4). etc, etc, etc

    The average Linux (non root) user can be as clueless as he/she likes and won't get into trouble.

  9. Not really by Craig+Ringer · · Score: 4, Informative

    With most such set-ups your Internet connection is generally not totally blocked, just severely restricted. Any web request gets proxy-redirected to a page with instructions on how to clean your machine up, and download links from the ISP's local mirrors. Anything else is locked down.

    I don't know if this is what BigPond are doing, but that's the usual way to handle this and it seems to work extremely well. My ISP uses a similar trick when users go over quota.

  10. My ISP does this regularly by tmk · · Score: 3, Informative

    My ISP Netcologne disconnects PCs that are infected with trojans and try to infect others. The connection is interrupted and when the customer tries to connect again he can only access one page, which shows some information. He can download Antivir there, too.

    There are two restrictions: Netcologne certainly does not monitor all traffic - they react to abuse messages. And this "service" is not available to business customers.

  11. Re:My 1st Thoughts by Squiddl3 · · Score: 3, Informative

    Most likely he was referring to the law in Germany, that every logged connection data must be either anonymized (for technical logs) or must be needed for accounting procedures (but maximum is AFAIK 3 months).
    With a flatrate there is no such thing as "need for accounting", so the ISP isn't allowed to make logs which are personalized.

    So the original poster most likely meant, if they can't have personalized logs, they can't shut you down.

  12. Re:This is a good thing by sadler121 · · Score: 3, Informative

    I think for 99.9999% of a residential ISP's customers, having their access to DNS blocked would not be noticeably different from disconnection.

    Have you BEEN on the Comcast forums recently? Comcast is having a LOT of trouble with their DNS servers and it is affecting EVERYBODY.

    Last week when it happened I just switched my DNS addresses to MIT's, (though now I have a nice list of addy's just in case MIT's goes down). I have been instructing my friends on how to change the default DNS listings because they are being affected themselves. Once they change them, they have no problems. Hell, I didn't even know Comcast was having problems AGAIN yesterday because I just kept my system with the MIT addy's.

    I have to think that if trojans are effectively DDOSing Comcast's servers, if there is not some ulterior motive behind this. DNS servers are the life blood of the Internet, to take them down means we would all have to know numbers to get around the Internet, and while I keep a few IP addy's in my bookmarks just in case, to expect Joe User to is ridiculous.

    Of course it is probably just Comcast, who, as a regulated monopoly, has no incentive to upgrade services, because for many, Cable Internet is the only "broadband" (HA!) available. I wouldn't be surprised if rates go up again to cover the cost of whatever "upgrade" Comcast comes up with to solve this problem.

    Until then I am keeping my DNS addresses pointed to MIT's servers and I am NOT going to be using Comcast's.