Slashdot Mirror


Major Aussie ISP Disconnecting Trojaned PCs

daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.

19 of 388 comments

  1. My 1st Thoughts by reezle · · Score: 5, Insightful

    "Thank God"

    "It's about Time"

    "Glad somebody is finally taking an interest in keeping the neighborhood cleaned up"

    "Oh crap, is this the first chink in the armor, ISPs can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"

  2. This is a good thing by kasperd · · Score: 5, Insightful

    More ISPs should handle compromised computers this way. Just leaving them around to harm the internet for the rest of us is irresponsible.

    --

    Do you care about the security of your wireless mouse?
    1. Re:This is a good thing by Anonymous Coward · · Score: 5, Insightful

      If you don't disconnect the offending computer, how will the idiot who owns it know they've been an idiot? Disconnecting it totally is a great way to handle the problem, because it forces the idiot to call customer services to find out why their connection no longer works, at which point you can lart them for being an idiot and force them to clean up their idiot-box before you reconnect them. Just silently dropping the offending packets does nothing to educate the idiot involved.

    2. Re:This is a good thing by KiloByte · · Score: 5, Interesting

      block problematic port

      It's not that simple. The attack in question was done by a flood of DNS queries -- you're not really going to cut off port 53, as this is pretty much equal to knocking that person off the Net.

      The typical case involves a lot of outgoing connections on port 25 -- you can't really block this as well unless the user in question uses nothing but webmail.

      Traffic shaping won't help a lot, either -- it can protect the server, of course, but won't help the user himself. In this case, it will just make their legitimate use prohibitively slow -- their web browser/whatever will compete with the virus they have over the tiny allotted quota of allowed DNS queries.

      IMO it's much better to just cut them off outright, telling them that the fault is on their side.

      If you want to be nice, you can redirect all their traffic to a web server which gives them a nice idiot-proof message about what they need to do. This is what I've set up for a friend's basement ISP (~30 paying users) -- although in that case, the message was similar to "your payment is due for two months, you didn't heed our reminders".

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
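Added example, not code from the thread or from any ISP named here: a small Python detector in the position KiloByte describes, flagging clients whose per-minute DNS query count far exceeds normal browsing (the quarantine/redirect candidates), plus the arithmetic behind his objection to per-user traffic shaping. The log format, addresses and thresholds are constructed assumptions.

```python
"""Added example: spot DNS-flooding clients from constructed query logs and
show why per-client DNS rate limiting hurts the infected user too."""
from collections import defaultdict

# Constructed log format (an assumption): "<epoch_seconds> <client_ip> <qname>"
def build_sample_log():
    """One normal client (40 queries/minute) and one flooder (900/minute)."""
    base = 1020  # chosen so every timestamp falls in the same 60 s window
    lines = [f"{base + i} 10.0.0.5 www.example.com" for i in range(40)]
    lines += [f"{base + i % 60} 10.0.0.9 r{i}.bad.example" for i in range(900)]
    return "\n".join(lines)

def parse_log(text):
    """Yield (timestamp, client, qname) from the constructed log lines."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            yield int(ts), client, qname

def peak_window_counts(records, window=60):
    """Highest number of queries any one client sent within a single window."""
    per_window = defaultdict(int)
    for ts, client, _ in records:
        per_window[(client, ts // window)] += 1
    peak = defaultdict(int)
    for (client, _), n in per_window.items():
        peak[client] = max(peak[client], n)
    return dict(peak)

def flag_clients(records, window=60, threshold=300):
    """Clients exceeding `threshold` queries in one window: candidates for the
    walled-garden redirect rather than a silent port-53 block."""
    peaks = peak_window_counts(records, window)
    return sorted(c for c, n in peaks.items() if n > threshold)

def legit_share_under_quota(legit_qps, malware_qps, quota_qps):
    """Fraction of a user's legitimate queries that survive if the ISP shapes
    that user's DNS to `quota_qps` and the browser and the trojan compete
    fairly for the quota (KiloByte's objection to traffic shaping)."""
    total = legit_qps + malware_qps
    return 1.0 if total <= quota_qps else quota_qps / total

if __name__ == "__main__":
    print("flagged:", flag_clients(parse_log(build_sample_log())))
    print("legit share under a 20 qps quota: %.2f"
          % legit_share_under_quota(2, 500, 20))
```

With 2 legitimate and 500 malware queries per second squeezed into a 20 qps quota, only about 4% of the user's own lookups get through, which is the "prohibitively slow" outcome the comment predicts.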
    3. Re:This is a good thing by Dulcise · · Score: 5, Interesting

      I think ISPs should do what ntl did during the MS Blaster worm outbreak, which is only allow the user to connect to either the removal tool or a page that contains a link to it and how to use it. It would take more work, but it's better for the customer.

    4. Re:This is a good thing by FireFury03 · · Score: 5, Insightful

      Disconnecting it totally is a great way to handle the problem, because it forces the idiot to call customer services to find out why their connection no longer works

      Even better is to block all access and redirect web requests to a server that explains what's going on and provides patches, etc. That way people (with more than one brain cell) don't _have_ to phone customer support.

  3. Hmm... makes sense to me! by PDA_Boy · · Score: 5, Insightful

    Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network.

    Right- I can smell a cake burning. Let's add more flour! Come on- more flour!

    Oh- right- let's take the cake out the oven...

    Seems a sensible thing to do to me- tackle the computers causing the problems, rather than trying to react to the problem itself.

    Although, tackling the writers of the infecting programs would be good too, if somewhat harder.

  4. Drastic Measures by onosendai · · Score: 5, Interesting

    These are drastic measures, but given the average BigPond user is much less a geek than anyone frequenting these parts, this will probably be the first time that most of these users will know about it, and given BigPond's previous problems with mail-servers, perhaps they're striking before the problem gets too out of hand.

    Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?

    --
    <? include ('signature.inc'); ?>

    1. Re:Drastic Measures by Arghdee · · Score: 5, Informative

      To expand on this, a lot of you non-Australians should probably know that Telstra Bigpond is the ISP that people choose when they don't know any better.

      Value for money wise they rate very poorly compared to the opposition - for ADSL at least.

      For those of you that don't know, Telstra is a part government owned company, which owns much of the telco infrastructure in Australia. They like to make life difficult for any competitors.

      Also one of the few ISPs in Australia that charges traffic in both directions.

      Just in case you guys care :)

  5. Mathematically... by Shag · · Score: 5, Funny

    If BIGNUM% of PCs are malware-infested (I've heard 80% tossed around) and they get disconnected, suddenly anyone who's looking at their web logs will think that an unusually high number of Big Pond users are on Linux boxen, Macs, etc.

    If more ISPs did this, maybe we'd see a decline in sites that only work in MSIE...

    --
    Village idiot in some extremely smart villages.

  6. Good idea to me by Rainwulf · · Score: 5, Interesting

    I think this is a good idea as well. I work in technical support, and the amount of infected machines I have to deal with is just phenomenal. Cutting off the machine's access to the internet both fixes the problem. The customer goes "WTF" and I say.. yea, your machine is infected. Either install nix or go to a computer store. However, it's open to abuse... define excessive traffic.. and what traffic is malware or legitimate traffic. However... since a good 90 percent of spam comes from infected machines as well (go Windows you good thing go) it's all thumbs up from me.

  7. Waste of time? by www.sorehands.com · · Score: 5, Interesting

    They should at least make a phone call to the party so they don't waste time trying to figure out the problem.

    Not all people pick up the phone and tolerate the script. Some people actually try to diagnose the problem first.

    Most ISPs have language in their terms of service that permits this action. It is a shame that an ISP needs to have their services almost knocked out before taking action.

    I'd like to see some ISPs that ignore trojaned machines or support spammers get sued by other customers when their IP blocks end up on block lists.

  8. Plusnet has a better way. by Zeussy · · Score: 5, Informative

    My ISP (plus.net) monitors any communications on port 135 etc., and if it detects any while you're connected, you get redirected to a Plus.net "you may have been affected with MSBlast" page etc. and given the links to tools to fix it.

    Very handy indeed.

  9. All ISPs should be doing this. by Anonymous Coward · · Score: 5, Interesting

    All of these infected Windows boxes are killing the net. If ISPs would simply yank them as they show signs of infection (trojan, worms, etc) UNTIL the customers can demonstrate that they have taken care of problems, then things would be a lot easier.

  10. How will the user tell the difference? by aussie_a · · Score: 5, Interesting

    Lucky they're ringing up the user, because otherwise the user will just assume that they've been disconnected. Yet again. Bigpond is terrible with keeping its users online (I'm talking broadband here), and believes that two to three disconnects per day is perfectly fine, even when those disconnects last for an hour or more.

    I can see it now:
    Customer: My broadband is down again.
    Bigpond: Oh, I see. Well from time to time this does happen for a brief moment...
    Customer: It's been down all day, and it's happened every day this week.
    Bigpond: I see.. What's your account *clickety* Oh yes, we've marked you as a computer with a trojan. Please do a virus scan and call us back, if it comes back negative we'll re-connect you.

    I'd go with someone else but they're the only broadband provider for my area. And I live in Sydney (the suburbs, an hour from the city itself)

  11. Sick are put in quarantine net (on this uni) by Anonymous Coward · · Score: 5, Interesting

    When computers here (utwente.nl) are infected it is usually automatically detected, resulting in every web request going to "you're in quarantine, you can download clean-up tools HERE, and when you're clean send us a message HERE. Apart from that you can connect to nothing." If you're interested, it's run by the guys from http://snt.student.utwente.nl

  12. Best Practice by MrNonchalant · · Score: 5, Insightful

    Send the affected customers (better yet, all customers) a CD with a free anti-virus, free anti-spyware, a free firewall, an alternative browser, and the latest updates for all of the above plus Windows and Office (including support for ME, NT, 2000, 98 SE, 98, and 95). With it include a letter explaining courteously and simply why security is important. Sure, you'd probably have to get permission from a dozen different legal departments to do distribution of nominally free software on a wide scale like that, but some companies I know would jump at having their demo version shipped.

    Back this up with your regular tech support. Yes, some users will be too clueless but a good deal won't. A fair percentage of the clueless ones will catch on quickly when their internet gets shut off and stays off. I can guarantee you the network traffic they'd get would drop to a third of the levels seen before.

    Actually, in this perspective AOL's lackluster virus and spyware protection makes perfect sense.

  13. Re:Why is this news!?! by MyLongNickName · · Score: 5, Funny

    Then the French started outsourcing that "monarch overthrowing" job to the Germans.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year

  14. Shut up by Hrothgar The Great · · Score: 5, Insightful

    I really hate you "WHY IS THIS NEWS?!!!!" crybabies. It's news because this particular ISP is doing something which it previously was not. See how that works? Something HAPPENS, and then someone REPORTS that it happened, and then the story gets posted here because its subject matter appeals to a large portion of this site's readership. Are you so blindingly stupid as to actually need this explained to you? It's the fucking dictionary definition of news.

    By the way, most ISPs still are NOT doing this. Time Warner's Road Runner, for instance, never even looks in the direction of a trojaned machine on their network - at least in my area.