Slashdot Mirror


Major Aussie ISP Disconnecting Trojaned PCs

daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.

24 of 388 comments

  1. Drastic Measures by onosendai · · Score: 5, Interesting

    These are drastic measures, but given the average BigPond user is much less a geek than anyone frequenting these parts, this will probably be the first time that most of these users will know about it, and given BigPond's previous problems with mail-servers, perhaps they're striking before the problem gets too out of hand.

    Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server: is this an attempt to cause an overflow and thereby make the DNS server itself vulnerable?

    --
    <? include ('signature.inc'); ?>
  2. Good idea to me by Rainwulf · · Score: 5, Interesting

    I think this is a good idea as well. I work in technical support, and the amount of infected machines I have to deal with is just phenomenal. Cutting off the machine's access to the internet fixes the problem. The customer goes "WTF" and I say.. yeah, your machine is infected. Either install *nix or go to a computer store. However, it's open to abuse... define excessive traffic.. and which traffic is malware and which is legitimate. However... since a good 90 percent of spam comes from infected machines as well (go Windows you good thing go) it's all thumbs up from me.

    1. Re:Good idea to me by asliarun · · Score: 3, Interesting

      I agree with you. This IS a big problem for ISPs. However, I feel that the solution is not to pass the buck onto the customers. You can't realistically expect Joe SixPack, who doesn't know the difference between the CD tray and a coffee cup holder, to keep his computer up to date with the latest service pack or patch.

      A better alternative for the ISPs, IMHO, would be to start behaving like the network administration team in a big company. Joe Sixpack would be better off if the ISP would install a centrally administered system administration client on his machine that automatically scans and deploys the latest anti-virus program. I know that computer-savvy folks wouldn't like to give this much control of their PCs to ISPs. However, for Joe, this would be the ideal hassle-free solution. With a proper security policy, privacy concerns would also not be an issue.

      The ISP could also have an opt-out policy that non-clueless people could make use of.

      Does this make sense?

  3. Waste of time? by www.sorehands.com · · Score: 5, Interesting
    They should at least make a phone call to the party so they don't waste time trying to figure out the problem.

    Not all people pick up the phone and tolerate the script. Some people actually try to diagnose the problem first.


    Most ISPs have language in their terms of service that permits this action. It is a shame that an ISP needs to have its services almost knocked out before taking action.

    I'd like to see some ISPs that ignore trojaned machines or support spammers get sued by other customers when their IP blocks end up on block lists.

  4. Re:This is a good thing by zimba-tm · · Score: 2, Interesting

    Well, there is no need to *disconnect* the computer if all you have to do is block the problematic port. It's so lazy to disconnect a computer. Do they know about traffic shaping?

  5. All ISPs should be doing this. by Anonymous Coward · · Score: 5, Interesting

    All of these infected Windows boxes are killing the net. If ISPs would simply yank them as they show signs of infection (trojan, worms, etc) UNTIL the customers can demonstrate that they have taken care of problems, then things would be a lot easier.

  6. Nothing new by Rob+Kaper · · Score: 4, Interesting

    Dutch ISP Xs4All has been doing this for months/years, blocking all traffic (most notably SMTP) minus SSH and access to their HTTP proxy.

  7. Re:Why is this news!?! by GafferFish · · Score: 2, Interesting

    Save money? I figure they'll be losing revenue based on excess data traffic charges generated by the extra traffic caused by the trojans. Note to Non-Aussies: BigPond counts both uploads and downloads for data traffic, with excess usage charged at A$0.15/MB. There have been cases of people being hit with very large internet bills for one month (IIRC the largest was in excess of $10,000).

  8. How will the user tell the difference? by aussie_a · · Score: 5, Interesting

    Lucky they're ringing up the user, because otherwise the user will just assume that they've been disconnected. Yet again. Bigpond is terrible at keeping its users online (I'm talking broadband here), and believes that two to three disconnects per day is perfectly fine, even when those disconnects last for an hour or more.

    I can see it now:
    Customer: My broadband is down again.
    Bigpond: Oh, I see. Well from time to time this does happen for a brief moment...
    Customer: It's been down all day, and it's happened every day this week.
    Bigpond: I see.. What's your account *clickety* Oh yes, we've marked you as a computer with a trojan. Please do a virus scan and call us back, if it comes back negative we'll re-connect you.

    I'd go with someone else but they're the only broadband provider for my area. And I live in Sydney (the suburbs, an hour from the city itself)

  9. suspected PCs? by Anonymous Coward · · Score: 2, Interesting
    Why do they talk about 'likely source' and about cutting off 'suspected PCs'?

    Why not simply do a precise measurement (get the netflow from the router) and take action based on correct data rather than guessing?

    I for one wouldn't want to be cut off by my ISP because someone at the ISP is guessing.

  10. Re:This is a good thing by KiloByte · · Score: 5, Interesting

    block problematic port

    It's not that simple. The attack in question was done by a flood of DNS queries -- you're not really going to cut off port 53, as this is pretty much equal to knocking that person off the Net.

    The typical case involves a lot of outgoing connections on port 25 -- you can't really block this as well unless the user in question uses nothing but webmail.

    Traffic shaping won't help a lot, either -- it can protect the server, of course, but won't help the user himself. In this case, it will just make their legitimate use prohibitively slow -- their web browser/whatever will compete with the virus they have over the tiny allotted quota of allowed DNS queries.

    IMO it's much better to just cut them off outright, telling them that the fault is on their side.

    If you want to be nice, you can redirect all their traffic to a web server which gives them a nice idiot-proof message about what they need to do. This is what I've set up for a friend's basement ISP (~30 paying users) -- although in that case, the message was similar to "your payment is due for two months, you didn't heed our reminders".

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
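Two points in the last few comments can be checked in code: comment 9 wants the flagging done from measured flow data rather than guesswork, and comment 10 argues that rate-limiting a subscriber's DNS instead of disconnecting them just lets the bot crowd out the user's own lookups. The following is an added example, not code from the thread or from BigPond; the flow records, IP addresses, thresholds and query rates are all constructed for the illustration.

```python
"""Added example, not from the Slashdot thread or from BigPond: flag
subscribers that flood DNS from flow records, and show why shaping a
subscriber's own DNS instead of disconnecting them starves the user.
All IPs, rates and thresholds below are constructed/assumed.
"""
import random
from collections import defaultdict

DNS_PORT = 53


def build_sample_flows():
    """Constructed flow records: (ts_seconds, src_ip, dst_ip, dst_port, packets).

    10.0.0.5 is a normal subscriber (2 lookups/s plus some web traffic),
    10.0.0.9 is a hypothetical bot querying the ISP resolver 200 times/s,
    10.0.0.7 makes one short burst (300/s for 5 s), as a big page load might.
    """
    flows = []
    for sec in range(60):
        flows.append((sec, "10.0.0.5", "192.0.2.53", DNS_PORT, 2))
        flows.append((sec, "10.0.0.5", "198.51.100.10", 80, 40))
        flows.append((sec, "10.0.0.9", "192.0.2.53", DNS_PORT, 200))
        if 20 <= sec < 25:
            flows.append((sec, "10.0.0.7", "192.0.2.53", DNS_PORT, 300))
    return flows


def dns_query_rates(flows, window_s=10):
    """Outbound DNS packets per second for each source, bucketed into
    fixed windows: {src_ip: {window_index: queries_per_second}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, dport, packets in flows:
        if dport == DNS_PORT:
            counts[src][ts // window_s] += packets
    return {src: {w: n / window_s for w, n in wins.items()}
            for src, wins in counts.items()}


def detect_dns_flooders(flows, window_s=10, threshold_qps=50, sustained_windows=3):
    """Return sources whose DNS rate exceeds threshold_qps in at least
    `sustained_windows` consecutive windows. Requiring a sustained rate,
    not one busy window, is what keeps a short burst from being flagged."""
    flagged = set()
    for src, wins in dns_query_rates(flows, window_s).items():
        run, prev = 0, None
        for w in sorted(wins):
            over = wins[w] > threshold_qps
            # extend the run only if this window is over threshold AND
            # directly follows the previous one; otherwise restart or reset
            run = run + 1 if over and (prev is None or w == prev + 1) else int(over)
            prev = w
            if run >= sustained_windows:
                flagged.add(src)
                break
    return flagged


def simulate_per_host_dns_quota(legit_qps=2, bot_qps=200, quota_qps=20,
                                seconds=60, seed=1):
    """Shape one subscriber's port-53 traffic to quota_qps queries per second.

    Within each second the user's and the bot's queries arrive mixed together
    (modelled with a seeded shuffle); the first quota_qps are admitted and the
    rest dropped. Returns (share of the user's own lookups admitted,
    share of admitted queries that belonged to the bot).
    """
    rng = random.Random(seed)
    legit_sent = legit_ok = bot_ok = 0
    for _ in range(seconds):
        arrivals = ["legit"] * legit_qps + ["bot"] * bot_qps
        rng.shuffle(arrivals)
        for kind in arrivals[:quota_qps]:
            if kind == "legit":
                legit_ok += 1
            else:
                bot_ok += 1
        legit_sent += legit_qps
    admitted = legit_ok + bot_ok
    legit_share = legit_ok / legit_sent if legit_sent else 0.0
    bot_share = bot_ok / admitted if admitted else 0.0
    return legit_share, bot_share


if __name__ == "__main__":
    flows = build_sample_flows()
    print("flagged:", sorted(detect_dns_flooders(flows)))
    legit_share, bot_share = simulate_per_host_dns_quota()
    print(f"user lookups that got through: {legit_share:.0%}, "
          f"admitted queries that were the bot's: {bot_share:.0%}")
```

With these constructed numbers only the sustained 200 q/s host is flagged; the 5-second burst host exceeds the threshold in a single window and is left alone. The quota simulation makes comment 10's argument concrete: with a 20 q/s allowance shared by a 2 q/s user and a 200 q/s bot, roughly nine in ten of the user's own lookups are dropped while almost everything that does get through is the bot's.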
  11. Re:My 1st Thoughts by Anonymous Coward · · Score: 3, Interesting
    "Oh crap, is this the first chink in the armor, ISPs can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"
    I can agree with you on the first 3 statements, but that last is just crap.
    Why the fuck should an ISP want to disconnect a user because of his P2P or Torrent uses? If the ISP can't cope with the amount of data flowing through, it shouldn't disconnect a user. If I pay for a 2mbit DSL with no limitations to usage, I want a 2mbit DSL with no limitations. My ISP shouldn't fucking cut off my internet access. Besides, P2P and Torrent can actually be used for something useful. The last 10 times I've used bittorrent, it was for downloading WoW updates and Gentoo and Debian ISOs.
    Yes, I know that some people will call me naive, and I DO know that not everyone uses P2P and torrent for these purposes, but that shouldn't change the fact that the ISP shouldn't disconnect a user depending on how he uses his connection as long as he pays for it.
  12. Re:This is a good thing by Dulcise · · Score: 5, Interesting

    I think ISPs should do what NTL did during the MS Blaster worm outbreak, which is only allow the user to connect to either the removal tool or a page that contains a link to it and how to use it. It would take more work, but it's better for the customer.

  13. sick are put in quarantine net (on this uni) by Anonymous Coward · · Score: 5, Interesting

    When computers here (utwente.nl) are infected it is usually automatically detected, resulting in every web request going to "you're in quarantine, you can download clean-up tools HERE, and when you're clean send us a message HERE. Apart from that you can connect to nothing." If you're interested, it's run by the guys from http://snt.student.utwente.nl
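The quarantine network described in this comment and the one before it (every web request answered with a notice, only the clean-up tool reachable) also answers comment 10's worry that blocking port 53 knocks the user off the net: the quarantined host keeps DNS to the ISP resolver, but the resolver returns the portal address for every name. Below is an added example of that design, not code from utwente.nl, NTL or anyone else named in the thread: an edge policy deciding per flow what happens to a quarantined host, and the portal that serves the notice. Every address, the allow-list and the choice of HTTP status 511 are assumptions of the example.

```python
"""Added example, not from the thread or from any ISP it names: the
walled-garden quarantine described above, as an edge policy plus the portal
that answers every web request with a notice. Addresses, hostnames and the
allow-list are constructed for the example.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PORTAL_IP = "192.0.2.80"          # hypothetical: where port-80 traffic is DNATed
ISP_RESOLVER = "192.0.2.53"       # hypothetical: answers every name with PORTAL_IP
                                  # when the client is quarantined
CLEANUP_MIRROR = "198.51.100.20"  # hypothetical: host serving the clean-up tool
QUARANTINED = {"10.0.0.9"}        # normally fed by the detector; fixed here

ACCEPT, REDIRECT, DROP = "ACCEPT", "REDIRECT", "DROP"


def quarantine_action(src_ip, dst_ip, dst_port):
    """What the edge does with one flow. Non-quarantined hosts are untouched.
    Quarantined hosts may reach the resolver on 53, the portal and the
    clean-up mirror; plain HTTP is redirected to the portal; everything else,
    including HTTPS (which cannot be redirected without certificate errors),
    is dropped."""
    if src_ip not in QUARANTINED:
        return ACCEPT
    if dst_ip == ISP_RESOLVER and dst_port == 53:
        return ACCEPT
    if dst_ip in (PORTAL_IP, CLEANUP_MIRROR):
        return ACCEPT
    if dst_port == 80:
        return REDIRECT
    return DROP


def notice_response():
    """Status, headers and body the portal returns for any requested path.
    511 Network Authentication Required (RFC 6585) marks this as an
    interception page rather than the content the client asked for, and
    no-store keeps caches from serving it later. The requested path is
    deliberately not echoed into the page (it is attacker-influenced input)."""
    body = (
        "<!doctype html><title>Connection quarantined</title>"
        "<h1>Your connection has been quarantined</h1>"
        "<p>Traffic from your computer looks like malware activity. "
        f"Download the clean-up tool from http://{CLEANUP_MIRROR}/ , run it, "
        "then contact support to be reconnected.</p>"
    ).encode("utf-8")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Cache-Control": "no-store",
        "Content-Length": str(len(body)),
    }
    return 511, headers, body


class QuarantinePortal(BaseHTTPRequestHandler):
    """Serves the same notice whatever host, path or method is requested."""

    def do_GET(self):
        status, headers, body = notice_response()
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET

    def log_message(self, *_):  # keep the example quiet
        pass


def start_portal(bind="127.0.0.1", port=0):
    """Run the portal on a background thread; the caller reads
    server_address for the bound port and calls shutdown() to stop it."""
    srv = HTTPServer((bind, port), QuarantinePortal)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for flow in [("10.0.0.5", "203.0.113.7", 443), ("10.0.0.9", "203.0.113.7", 80),
                 ("10.0.0.9", "203.0.113.7", 443), ("10.0.0.9", ISP_RESOLVER, 53)]:
        print(flow, "->", quarantine_action(*flow))
    srv = start_portal(port=8080)
    print("portal on http://127.0.0.1:8080/ (any path); Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

In a real deployment the REDIRECT decision is a DNAT rule on the subscriber's access router and the resolver behaviour is a per-client view on the ISP's DNS; the Python here only shows the decisions and the notice itself. Dropping HTTPS rather than redirecting it is the honest choice: a portal cannot present a valid certificate for the site the user typed, and browsers detect captive portals with plain-HTTP probes anyway.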

  14. Pretty Standard by jchawk · · Score: 4, Interesting

    I'm surprised it's taken them this long. When one of our customers gets infected with a virus / open proxy / etc... We *gasp* pay attention, shutdown their connection and immediately contact them and help them fix the problem.

    It's amazing how quickly you can get your network under control doing this. And 9 times out of 10 the end user is grateful that you were willing to work with them to help them correct the problem.

    Fixing infected machines on your network only makes the network a better place for everyone using it.

  15. Breaking news??? by Eyeball97 · · Score: 2, Interesting

    We've been doing this since the late 90's, what's "news" here? Customers get contacted in several ways, including personally by telephone. If they don't clean their open proxy/smtp relay/virus/worm after that, they get cut off. There'd be a lot less worms and spam around if all ISPs acted this responsibly, what a shame it's taken these guys until now to catch on.

  16. Re:Why is this news!?! by Anonymous Coward · · Score: 3, Interesting

    Here's what my ISP (Finnish PHNet) does when they detect a trojaned machine (all URLs you type into the browser give you this page):

    http://img56.echo.cx/my.php?image=phnetspamprotect13vb.jpg

    You are also allowed access to another page with more details:

    http://img56.echo.cx/my.php?image=phnetspamprotect05zy.jpg

  17. That's nothing by themusicgod1 · · Score: 4, Interesting

    Here at the University of Regina my roommate MachinationX had gotten a virus on his WinXP box (why didn't he have antivirus software?! he's an IT consultant!! but I digress). So our ISP (U of R computing services) not only disconnected him from the network, but refused to let him back on the network unless he agreed to give them his computer and let *them* run an antivirus scan on it, after which it would be returned. I happened to have some of my old backups on his machine at the time, but the point is that our ISP can not only watch your internet traffic (as they have been), but if you "get a virus" they can disconnect you and demand access to all your personal files at will.

    Blows my mind.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  18. Re:My 1st Thoughts by jotok · · Score: 3, Interesting

    It seemed like the customers are being ganked not because there was way too much "legitimate" traffic to handle, but because it was becoming a nuisance. The legitimacy of p2p applications is arguable so long as they have legal uses; the legitimacy of gaobot is not arguable as it has no legal uses on a public network.

  19. Cox Business ISP Does This by SoupIsGood+Food · · Score: 2, Interesting

    The Business Class cablemodem accounts with Cox Communications are cut off if their security systems catch suspicious activity (DDOS packets, worm traffic, etc.) or open relays on your network connection. They're very polite about it, explain the problem and how to get it fixed. Their security department's not open after hours, either, so you're horked if you figure this out after midnight.

    Haven't had to deal with their nice security people myself (No Windows or Linux or Sendmail here!), but I've laughed at colleagues who have. Mostly the same people who believe a $70/month cablemodem or DSL connection can replace their $800/month fiber line for serious webhosting enterprises.

    SoupIsGood Food

    1. Re:Cox Business ISP Does This by Anonymous Coward · · Score: 2, Interesting

      I got taken off my Cox connection last year for five days due to a bogus Torrent claim (it was FOSS, not copyright infringement). Upon investigating the reason I was offline (checked the bills, etc.) I decided to call Cox. Sure enough, they d/c'd me. I asked them about this policy, and the rep compared it to a "3 Strikes" policy. Now, I was bummed about being taken offline, and even convinced the rep that I wasn't a pirate and this was a mistake, but after I got back online I started thinking about this "3 Strikes" thing. I actually agreed with it.

  20. 404 File Not Found? by bigtallmofo · · Score: 2, Interesting

    I agree with your post completely, but from TFA:

    Another said: "I am having problems loading Web pages, I get the 404 [page not found] error. I have to retry five to 10 times to get some places."

    I may be daft but I don't understand how a DNS or network capacity problem could cause a web server to respond with an explicit "404 File Not Found" HTML error. I could see a timeout, DNS error, or any number of other errors, but a 404 would mean literally that you contacted the web server, it was unable to find the specific file you requested, and it successfully reported that back to you.

    Hopefully the forum poster that is quoted in the article just thinks every HTML error is a 404.

    --
    I'm a big tall mofo.
  21. Re:This is a good thing by SatanicPuppy · · Score: 2, Interesting

    That would only work if it were easy to figure out what was infecting the computer based solely on the traffic it's sending out. It's more complicated than you'd think.

    On the other hand, most people who don't know enough to keep their machines virus/trojan free are probably using the software that nearly every ISP sends out to "help" you connect to their services, which means they should be able to include enough diagnostic tools to be able to tell what's running on the machine.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  22. Re:My 1st Thoughts by cd_serek · · Score: 2, Interesting

    It sure is about time.

    Just last week, I lodged many, many complaints to Telstra Bigpond regarding zombies sending excessive spam to my network. I even went to the trouble of submitting over 400 zombie IP addresses (dynamic IPs with session times).

    Good to see that they are listening to their complaints hotline for once.