Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Aussie ISP Disconnecting Trojaned PCs

Posted by timothy on from the sorry-fella-you're-wetting-the-sandbox dept.

daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.

11 of 388 comments (clear)

  1. Drastic Measures by onosendai · · Score: 5, Interesting

    These are drastic measures, but given the average BigPond user is much less a geek than anyone frequenting these parts, this will probably be the first time that most of these users will know about it, and given BigPond's previous problems with mail-servers, perhaps they're striking before the problem gets too out of hand.

    Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?

    --
    <? include ('signature.inc'); ?>
  2. Good idea to me by Rainwulf · · Score: 5, Interesting

    i think this is a good idea as well. I work in technical support, and the amount of infected machines i have to deal with is just phenomenal. Cutting of the machines access to internet both fixes the problem. The customer goes "WTF" and i say.. yea your machine is infected. Either install nix or go to a computer store. However its open to abuse... define excessive traffic.. and what traffic is malware or legitimate traffic. However... since a good 90 percent of spam comes from infected machines as well (go windows you good thing go) its all thumbs up from me.

  3. Waste of time? by www.sorehands.com · · Score: 5, Interesting
    They should at least make a phone call to the party so they don't waste time trying to figure out the problem.

    Not all people pick up the phone and tolerate the script. Some people actually try to diagnose the problem first.


    Most ISPs have language in their terms of service that permits this action. It is a shame that an ISP need to have their services almost knocked out before taking action.

    I'd like to see some ISPs that ignore trojaned machines or support spammers get sued by other customers when their IP blocks end up on block lists.

    --
    Fight Spammers!
  4. All ISPs should be doing this. by Anonymous Coward · · Score: 5, Interesting

    All of these infected Windows boxes are killing the net. If ISPs would simply yank them as they show signs of infection (trojan, worms, etc) UNTIL the customers can demonstrate that they have taken care of problems, then things would be a lot easier.

  5. Nothing new by Rob+Kaper · · Score: 4, Interesting

    Dutch ISP Xs4All has been doing this for months/years, blocking all traffic (most notably SMTP) minus SSH and access to their HTTP proxy.

  6. How will the user tell the difference? by aussie_a · · Score: 5, Interesting

    Lucky they're ringing up the user, because otherwise the user will just assume that they've been disconnected. Yet again. Bigpond is terrible with keeping it's users online (I'm talking broadband here), and believe that two to three disonnects per day is perfectly fine, even when those disconnects last for an hour or more.

    I can see it now:
    Customer: My broadband is down again.
    Bigpond: Oh, I see. Well from time to time this does happen for a brief moment...
    Customer: It's been down all day, and it's happened every day this week.
    Bigpond: I see.. What's your account *clickety* Oh yes, we've marked you as a computer with a trojan. Please do a virus scan and call us back, if it comes back negative we'll re-connect you.

    I'd go with someone else but they're the only broadband provider for my area. And I live in Sydney (the suburbs, an hour from the city itself)

  7. Re:This is a good thing by KiloByte · · Score: 5, Interesting

    block problematic port

    It's not that simple. The attack in question was done by a flood of DNS queries -- you're not really going to cut off port 53, as this is pretty much equal to knocking that person off the Net.

    The typical case involves a lot of outgoing connections on port 25 -- you can't really block this as well unless the user in question uses nothing but webmail.

    Traffic shaping won't help a lot, either -- it can protect the server, of course, but won't help the user himself. In this case, it will just make their legitimate use prohibitely slow -- their web browser/whatever will compete with the virus they have over the tiny allotted quota of allowed DNS queries.

    IMO it's much better to just cut them off outright, telling them that the fault is on their side.

    If you want to be nice, you can redirect all their traffic to a web server which gives them a nice idiot-proof message about what they need to do. This is what I've set up for a friend's basement ISP (~30 paying users) -- although in that case, the message was similar to "your payment is due for two months, you didn't heed our reminders".

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  8. Re:This is a good thing by Dulcise · · Score: 5, Interesting

    I think isp's should do what ntl did during the ms blaster worm out break, which is only allow the user to connect to ether the removal tool or a page that contains a link to it and how to use it. it would take more work, but its better for the customer.

  9. sick are put in quarantaine net (on this uni) by Anonymous Coward · · Score: 5, Interesting

    When computers here (utwente.nl) are infected it is usually automatically detected, resulting in every webrequest going to "you're in quarantaine, you can download clean-up tools HERE, and when you're clean send us a message HERE. apart from that you can connect to nothing." If you're interested, it's run by the guys from http://snt.student.utwente.nl

  10. Pretty Standard by jchawk · · Score: 4, Interesting

    I'm surprised it's taken them this long. When one of our customers gets infected with a virus / open proxy / etc... We *gasp* pay attention, shutdown their connection and immediately contact them and help them fix the problem.

    It's amazing how quickly you can get your network under control doing this. And 9 times out of 10 the end user is greatful that you were willing to work with them to help them correct the problem.

    Fixing infected machines on your network only makes the network a better place for everyone using it.

  11. That's nothing by themusicgod1 · · Score: 4, Interesting

    Here at the University of Regina my roommate MachinationX had gotten a virus on his WinXP box (why didn't he have antivirus software?! he's an IT consultant!! but I digress) So our ISP (U of R computing services) not only disconnected him from the network, but refused to let him back on the network unless he agreed to give them his computer and let *them* run an antivirus scan on it , after which it would be returned. I happened to have some of my old backups on his machine at the time, but the point is that our ISP can not only watch your internet traffic(as they have been), but if you "get a virus" they can disconnect you and demand they have access to all your personal files at will.

    Blows my mind.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.