Slashdot Mirror
Major Aussie ISP Disconnecting Trojaned PCs
daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.
These are drastic measures, but given the average BigPond user is much less a geek than anyone frequenting these parts, this will probably be the first time that most of these users will know about it, and given BigPond's previous problems with mail-servers, perhaps they're striking before the problem gets too out of hand.
Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?
<? include ('signature.inc'); ?>
i think this is a good idea as well. I work in technical support, and the amount of infected machines i have to deal with is just phenomenal. Cutting of the machines access to internet both fixes the problem. The customer goes "WTF" and i say.. yea your machine is infected. Either install nix or go to a computer store. However its open to abuse... define excessive traffic.. and what traffic is malware or legitimate traffic. However... since a good 90 percent of spam comes from infected machines as well (go windows you good thing go) its all thumbs up from me.
Not all people pick up the phone and tolerate the script. Some people actually try to diagnose the problem first.
Most ISPs have language in their terms of service that permits this action. It is a shame that an ISP need to have their services almost knocked out before taking action.
I'd like to see some ISPs that ignore trojaned machines or support spammers get sued by other customers when their IP blocks end up on block lists.
Fight Spammers!
All of these infected Windows boxes are killing the net. If ISPs would simply yank them as they show signs of infection (trojan, worms, etc) UNTIL the customers can demonstrate that they have taken care of problems, then things would be a lot easier.
Dutch ISP Xs4All has been doing this for months/years, blocking all traffic (most notably SMTP) minus SSH and access to their HTTP proxy.
Lucky they're ringing up the user, because otherwise the user will just assume that they've been disconnected. Yet again. Bigpond is terrible with keeping it's users online (I'm talking broadband here), and believe that two to three disonnects per day is perfectly fine, even when those disconnects last for an hour or more.
I can see it now:
Customer: My broadband is down again.
Bigpond: Oh, I see. Well from time to time this does happen for a brief moment...
Customer: It's been down all day, and it's happened every day this week.
Bigpond: I see.. What's your account *clickety* Oh yes, we've marked you as a computer with a trojan. Please do a virus scan and call us back, if it comes back negative we'll re-connect you.
I'd go with someone else but they're the only broadband provider for my area. And I live in Sydney (the suburbs, an hour from the city itself)
block problematic port
It's not that simple. The attack in question was done by a flood of DNS queries -- you're not really going to cut off port 53, as this is pretty much equal to knocking that person off the Net.
The typical case involves a lot of outgoing connections on port 25 -- you can't really block this as well unless the user in question uses nothing but webmail.
Traffic shaping won't help a lot, either -- it can protect the server, of course, but won't help the user himself. In this case, it will just make their legitimate use prohibitely slow -- their web browser/whatever will compete with the virus they have over the tiny allotted quota of allowed DNS queries.
IMO it's much better to just cut them off outright, telling them that the fault is on their side.
If you want to be nice, you can redirect all their traffic to a web server which gives them a nice idiot-proof message about what they need to do. This is what I've set up for a friend's basement ISP (~30 paying users) -- although in that case, the message was similar to "your payment is due for two months, you didn't heed our reminders".
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Why the fuck should an ISP want to disconnect a user because of his P2P or Torrent uses? If the ISP can't cope with the amount of data flowing through, it shouldn't disconnect a user. If I pay for a 2mbit DSL with no limitations to usage, I want a 2mbit DSL with no limitations. My ISP shouldn't fucking cut off my internet access. Besides, P2P and Torrent can actually be used for something useful. The last 10 times I've used bittorrent, it was for downloading WoW updates and Gentoo and Debian ISOs.
Yes, I know that some people will call me naive, and I DO know that not everyone uses P2P and torrent for these purposes, but that shouldn't change the fact that the ISP shouldn't disconnect a user depending on how he uses his connection as long as he pays for it.
I think isp's should do what ntl did during the ms blaster worm out break, which is only allow the user to connect to ether the removal tool or a page that contains a link to it and how to use it. it would take more work, but its better for the customer.
When computers here (utwente.nl) are infected it is usually automatically detected, resulting in every webrequest going to "you're in quarantaine, you can download clean-up tools HERE, and when you're clean send us a message HERE. apart from that you can connect to nothing." If you're interested, it's run by the guys from http://snt.student.utwente.nl
I'm surprised it's taken them this long. When one of our customers gets infected with a virus / open proxy / etc... We *gasp* pay attention, shutdown their connection and immediately contact them and help them fix the problem.
It's amazing how quickly you can get your network under control doing this. And 9 times out of 10 the end user is greatful that you were willing to work with them to help them correct the problem.
Fixing infected machines on your network only makes the network a better place for everyone using it.
Here's what my ISP (Finnish PHNet) does when they detect a trojaned machine (all URLs you type into the browser give you this page):
t 13vb.jpg
t 05zy.jpg
http://img56.echo.cx/my.php?image=phnetspamprotec
You are also allowed access to another page with more details:
http://img56.echo.cx/my.php?image=phnetspamprotec
Here at the University of Regina my roommate MachinationX had gotten a virus on his WinXP box (why didn't he have antivirus software?! he's an IT consultant!! but I digress) So our ISP (U of R computing services) not only disconnected him from the network, but refused to let him back on the network unless he agreed to give them his computer and let *them* run an antivirus scan on it , after which it would be returned. I happened to have some of my old backups on his machine at the time, but the point is that our ISP can not only watch your internet traffic(as they have been), but if you "get a virus" they can disconnect you and demand they have access to all your personal files at will.
Blows my mind.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
It seemed like the customers are being ganked not because there was way too much "legitimate" traffic to handle, but because it was becoming a nuisance. The legitimacy of p2p applications is arguable so long as they have legal uses; the legitimacy of gaobot is not arguable as it has no legal uses on a public network.