Slashdot Mirror


Australian ISPs To Disconnect Botnet "Zombies"

jibjibjib writes "Some of Australia's largest ISPs are preparing an industry code of conduct to identify and respond to users with botnet-infected computers. The Internet Industry Association, made up of over 200 ISPs and technology companies, is preparing the code in response to an ultimatum from the federal government. ISPs will try to contact the user, slow down their connection, and ultimately terminate the connection if the user refuses to fix the problem. It is hoped that this will reduce the growth of botnets in Australia, which had the world's third-highest rate of new 'zombies' (behind the US and China)."

39 of 213 comments

  1. why not directly disconnect every Windows machine? by Anonymous Coward · · Score: 4, Funny

    Not quite an accurate solution, but statistically close enough...

  2. Bad Precedent? by Anonymous Coward · · Score: 5, Insightful

    I'd rather not have my ISP decide what is a "virus" or "inappropriate communications" thank you. If the users are consuming too much bandwidth then disconnect them on those grounds, but please don't set this precedent.

    1. Re:Bad Precedent? by houstonbofh · · Score: 3, Interesting

      Exactly what defines "zombie?" I am just betting p2p is in that list...

    2. Re:Bad Precedent? by v1 · · Score: 5, Informative

      They usually watch for excessive traffic on specific ports. Since the most immediately profitable use of a botnetted machine is spam, the majority of botnetted PCs are either running open mail relays or are themselves functioning as outgoing mailservers. Many ISPs (including two in my area) watch for excessive traffic going OUT on TCP port 25. Unless you are running a mailserver, your computer has no legitimate reason to send out over that port in volume. Most ISP mailservers are SSL nowadays anyway and are off port 25, so you don't even need to use that if you are connecting to your ISP's mailserver from off-network. (And many ISPs outright block port 25 outgoing from anything in their network besides their mailserver.) Many ISPs react the same if your computer is listening on port 25 (acting as an open relay).

      So if you are pushing megs (or gigs) a day every day on port 25, there's better than 99% chance your machine is botnetted. It doesn't take speculation to figure that out, and the odds of false-positives are very close to zero.

      That said, I have no sympathy for someone that knows their computer has a problem that's causing other people grief. That's the most basic understanding of the problem that is given when your ISP gives you a phonecall or email saying you have a problem and need to fix it or we will cut you off. If you're too stupid to acknowledge this and take responsibility for fixing it, or just plain don't care, I'd much rather see you off the internet and out of my Inbox. If you don't care that someone else has violated you by hijacking your computer that's fine with me, until they start using it to violate me, and that's when I start having a say in the matter.

      If you want a fun example to separate the computer from the problem, here's something easier to understand: ABC Construction company does building demolitions. They leave their explosives on site and not locked up. They keep getting their explosives stolen. OK, I don't care about that, it's their loss. But then stuff around town starts getting blown up and the explosives are easily traced back to you. That's when it's time for the police to come have a talk with you about securing your explosives. You do not have the right to continue leaving dangerous things so easily accessible that the public is constantly being hurt by them. Even if you want to ignore your moral responsibility for it, the public won't stand for it and you lose your say in the matter. You WILL secure your things or you WILL go away.

      Another excellent example is how several states legally require you to have a lock on your anhydrous ammonia tanks to prevent theft and use in drug manufacture. Also, most universities now are requiring students to install AV software on their computers before they're allowed to use the campus net. Your precedents have already been set.

      --
      I work for the Department of Redundancy Department.
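The port-25 volume check described in the comment above, written out as a detector over flow records. This is an added example, not code from the thread or from any ISP; the flow format, the relay address 203.0.113.25, the thresholds and all sample records are constructed assumptions. It flags a host on either of two signals: total outbound SMTP bytes per day, or fan-out to many distinct SMTP destinations, while traffic to the ISP's own relay is ignored so an ordinary mail client is not a false positive.

```python
"""Flag hosts whose outbound TCP/25 traffic looks like spam-bot activity.

Added example, not from the Slashdot thread. Flow records are constructed
lines of the form: 'timestamp src_ip dst_ip dst_port bytes'.
"""
from collections import defaultdict
from dataclasses import dataclass, field

ISP_MAIL_RELAY = "203.0.113.25"            # hypothetical ISP SMTP relay (TEST-NET-3 range)
BYTES_PER_DAY_THRESHOLD = 5 * 1024 * 1024  # "megs a day" on port 25 is the tell
DISTINCT_DST_THRESHOLD = 20                # a mail client talks to one relay, a bot to many MXes
SMTP_PORT = 25


@dataclass
class HostStats:
    bytes_out: int = 0
    dst_hosts: set = field(default_factory=set)


def parse_flow(line):
    """Parse one constructed flow record. Returns (day, src, dst, dport, bytes) or None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, nbytes = parts
    try:
        return ts[:10], src, dst, int(dport), int(nbytes)
    except ValueError:
        return None


def aggregate_smtp(lines):
    """Sum outbound port-25 bytes and distinct destinations per (day, src), ignoring the ISP relay."""
    stats = defaultdict(HostStats)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        day, src, dst, dport, nbytes = rec
        if dport != SMTP_PORT or dst == ISP_MAIL_RELAY:
            continue  # not SMTP, or legitimate submission to the ISP's own relay
        st = stats[(day, src)]
        st.bytes_out += nbytes
        st.dst_hosts.add(dst)
    return stats


def suspect_hosts(lines):
    """Return {(day, src): reason} for hosts exceeding either threshold."""
    flagged = {}
    for key, st in aggregate_smtp(lines).items():
        if st.bytes_out >= BYTES_PER_DAY_THRESHOLD:
            flagged[key] = f"{st.bytes_out} bytes to port 25"
        elif len(st.dst_hosts) >= DISTINCT_DST_THRESHOLD:
            flagged[key] = f"{len(st.dst_hosts)} distinct SMTP destinations"
    return flagged


def constructed_flows():
    """Constructed sample records (not real traffic): a legit client, a bot, a bulk sender, a browser."""
    day = "2009-06-01T"
    flows = [
        # .10 submits three messages to the ISP relay: normal mail client behaviour
        f"{day}08:00:00 198.51.100.10 {ISP_MAIL_RELAY} 25 50000",
        f"{day}09:00:00 198.51.100.10 {ISP_MAIL_RELAY} 25 50000",
        f"{day}10:00:00 198.51.100.10 {ISP_MAIL_RELAY} 25 50000",
        # .30 pushes 6 MB straight to one outside mail server
        f"{day}11:00:00 198.51.100.30 192.0.2.7 25 6000000",
        # .40 moves 9 MB over HTTPS, which is not SMTP and must not be counted
        f"{day}12:00:00 198.51.100.40 192.0.2.8 443 9000000",
        "garbage line that the parser must skip",
    ]
    # .20 sends small messages to 25 different outside hosts: classic spam-bot fan-out
    flows += [f"{day}13:{i:02d}:00 198.51.100.20 192.0.2.{100 + i} 25 4000" for i in range(25)]
    return flows


if __name__ == "__main__":
    for (day, src), why in sorted(suspect_hosts(constructed_flows()).items()):
        print(f"{day} {src}: {why}")
```

In practice the thresholds would be tuned per network, and a flagged host would go to the notification step rather than straight to disconnection.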
  3. Could it be a Good Thing to prune some leaf nodes? by LordWill · · Score: 2, Interesting

    What would happen if those ISPs notice increased profit and customer satisfaction (overall) when they are paying less for resources used up by bots? (Assuming they don't have problems with false-positives or find far too many customers being cut off, etc.)

  4. Re:why not directly disconnect every Windows machi by thinktech · · Score: 4, Funny

    having a computer beneath the notice of hackers is a great idea. that's why I only post on slashdot using my web-tv console.

    --
    What's up with this box everyone has to think inside of or outside of? Why does there have to be a box?
  5. Free botnet removal support? by Drethon · · Score: 2, Insightful

    It's not like everyone knows how to (and in some cases cannot afford to hire someone to) remove botnets from their machine. I hope the ISPs will provide this kind of support as part of standard service before they consider disconnecting users...

    1. Re:Free botnet removal support? by amorsen · · Score: 2, Insightful

      If they can't afford to keep their machine clean, they don't go on the Internet. Sucks to be them. They don't get to pass on the cost of their mistakes to everyone else, like they do if you just keep their connection alive.

      Yes I work for an ISP. Yes that's in our terms and conditions.

      --
      Finally! A year of moderation! Ready for 2019?
    2. Re:Free botnet removal support? by gmuslera · · Score: 3, Insightful

      Then don't disconnect zombies. Redirect any request from those IPs to a web page that explains the situation and why that computer shouldn't be on the net for their own good, and have as direct downloads the most typical cleaning and other essential applications for that stage, and maybe list local companies that do the cleaning if the person doesn't want to do a fresh format.

  6. Who will fix the problem? by ATestR · · Score: 4, Insightful

    if the user refuses to fix the problem

    The users who are likely to be infected by a bot are the least likely to be able to "fix the problem".

    --
    "Any society that would give up a little liberty to gain a little security will deserve neither and lose both."
    1. Re:Who will fix the problem? by MrMr · · Score: 4, Insightful

      Being unwilling to learn, or unwilling to ask someone who does know, would still qualify as refusing to fix the problem.
      Here's a car analogy for you:
      The users who are likely to crash by failing brakes are the least likely to be able to repair their own brakes...

    2. Re:Who will fix the problem? by gad_zuki! · · Score: 3, Insightful

      Who cares? He owns it, it's his responsibility to fix it. Pay someone if he can't figure it out and stop clicking on NAKED_PHOTOS.EXE or doesn't understand why he should be doing those Microsoft updates. Should we also coddle drivers with unsafe cars because they aren't mechanics?

      It's only when there's a financial incentive to keep a machine patched and thinking before clicking that people will begin doing so. Or switching to OSX or Linux. The status quo of not taking responsibility for your own computer isn't sustainable and isn't helping anyone.

    3. Re:Who will fix the problem? by stirz · · Score: 3, Insightful

      Well, at least the intended mechanism will make sure that people notice that their PC is abused. Furthermore, it imposes pressure on people to care about some basic security measures. I think, many of them will soon take care - in whatever way. But if they refuse to realize that their data is in trouble and that they are (passively) involved in online crimes, why not shut down their net access? Someone who does not exactly know what to do will know the shop where (s)he bought the equipment or even a local shop that offers paid support - there is no excuse in that case.

      I had a similar experience of my own some years ago while living on campus connected to a network of about 1,000 machines. The admins enforced a "three strikes" directive: if someone's machine was spreading viruses via internet access or via FTP/SMB shares or misbehaved in other ways (disturbing the DHCP and break-in attempts on internal servers, mainly), (s)he got a notice in her/his (real life!) post box to stop misbehaving/to fix the computer. As I recall, the note contained a paragraph offering help in case people weren't able to cope with the problem themselves. They only had to block less than 10 machines during the time I lived there (4 years, approx.), as people really reacted quickly and we could even observe a (small) learning curve because new inhabitants mostly were briefed by their neighbours shortly after they had moved in.

      So: Go ahead, Aussie ISPs! That's definitely the way to go - and to further sysadmin appreciation, but that's a different piece of.....

    4. Re:Who will fix the problem? by Syberz · · Score: 2, Insightful

      OK, I just had to jump in here. I'm tired of the people who say "Switch to linux and the spam/virus/worm problem will be solved!". It wouldn't solve sh*t! The spammers and virus/worm makers would just develop for the new platform, and the only reason that Linux is so secure is that the malware devs aren't developing payloads that attack it.

      --
      ~Syberz
  7. Re:Stop tinkering with things they don't understan by Anonymous Coward · · Score: 4, Insightful

    Quit trying to speak for the whole rest of the world. You are not qualified.

  8. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  9. Re:Privacy by DavidTC · · Score: 5, Insightful

    Actually, it's more like your phone company disconnecting you for repeatedly making prank calls.

    Which, in fact, they will.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  10. Re:Privacy by Nerdfest · · Score: 2, Interesting

    They don't discover that by listening in to content though. They do it after there have been complaints.

  11. Open invite to hackers: Come steal our stuff!! by Anonymous Coward · · Score: 3, Interesting

    This SOUNDS like a good idea in theory, but what will end up happening is that hackers will start to send fake notices to Australian users and will easily be able to trick people into giving personal information (i.e. account numbers, CC numbers, etc.) by claiming to be from the government and/or ISP. They need to create some sort of control around this, but I only see it causing problems....

    1. Re:Open invite to hackers: Come steal our stuff!! by imroy · · Score: 3, Insightful

      ...will easily be able to trick people into giving personal information (i.e. account numbers, CC numbers, etc.)

      I don't know why the emails would ask for personal information. I can however see this as a great opportunity for virus emails: The government has noticed your computer is infected and sending out spams. Now run this attached executable to remove it.

  12. Give a discount to those running clean systems. by Anonymous Coward · · Score: 3, Funny

    They don't need to disconnect bad users. They should just give a discount to users who are running secure operating systems that are more resilient to malware infections than Windows is.

    For example, give OpenBSD users a 50% discount, since it's quite unlikely that their system will ever get infected or compromised. The same can probably be done for users using Solaris, NetBSD, FreeBSD and commercial UNIXes.

    Linux and Mac OS X are more widely used than the aforementioned systems, so the chance of them getting compromised is greater, although still virtually non-existent. Give such users a 25% discount.

    Assume that the latest version of Windows is somewhat immune. Give Windows 7 and Windows Server 2008 users no discount. That is, they pay the base rate.

    Assume that older versions of Windows have been compromised. Give them a negative discount. A Windows XP user pays an extra 25%. A Windows 9x user pays 50% more.

    Nobody needs to get disconnected this way. Disconnecting people from the Internet over something they're not willingly doing is completely absurd, and in many ways should be considered criminal in the Western world.

    1. Re:Give a discount to those running clean systems. by bickerdyke · · Score: 2, Insightful

      Good idea. But it will end up with "Give discount for anyone who installs a closed-source, windows-only Punkbuster-lookalike".

      --
      bickerdyke
    2. Re:Give a discount to those running clean systems. by asdf7890 · · Score: 2, Interesting

      I've never heard people suggest that before, but the idea of "using open source = discount on your internet bill" is a good idea.

      Nope. Market for software/services to try make a Windows machine actively running IE look to the outside like a Linux machine running FF/Konq in 3... 2...

      I see hitting people's wallets as a good idea in another case though. Some will take being cut off as a simple inconvenience and will, after reconnection, continue to behave as before and get cut off again after a couple of months - lather, rinse, repeat. Charging them a reconnection fee the second and subsequent times might be extra useful encouragement.

      Your discount idea might be good if reversed though: Give people a 5% discount if they stay malware free for, say, three months. Maybe offer a higher discount after a longer period (10% after 12 months?). This would hopefully encourage careful behavior (behaviour is the key, not just software choice - someone who is fooled into running random crap that secretly sends out junk mail on a Windows box will be just as likely to run the Linux/Mac/what-ever equivalent) from the outset, and might be popular with the ISPs as a user retention policy (if you move, you have to wait the few months to get your discount back) if the discount is managed on a per ISP basis. In any case the ISP would have to be very careful to be sure that the traffic they see is a problem, that it is properly logged/recorded (being careful not to step on any privacy laws that may be in effect over there) and that there is some sort of appeals process in place in case the system somehow misidentifies the source of a problem, otherwise they might be opening themselves to compensation claims down the line - which is all starting to sound like far too much hassle to me...

    3. Re:Give a discount to those running clean systems. by dc29A · · Score: 4, Insightful

      I've never heard people suggest that before, but the idea of "using open source = discount on your internet bill" is a good idea.

      Do it in a very simple way: if you're not running Windows or OSX, you get a 5% discount on your bill. Some might differ on whether to put OSX in the "Do not run" category.

      The rest is too discriminatory and too extreme.

      There are people out there who are able to configure Windows to be as secure as *Nix or Mac OS. Why penalize them? Penalize the retards who run Windows/*nix/Mac OS as administrator. Penalize the retards who are infected with the botnet zombie 'du jour'. Penalize the retards who mindlessly click on every 'OMGZ YOU WIN IPOD TOUCH CLICK HERE PLZ!111!!!!!!oneoneeleventy!~one!' banners.

  13. Re:Stop tinkering with things they don't understan by houstonbofh · · Score: 4, Insightful

    Seriously? This needed to be done for all countries 10 years ago.

    Assuming you trust them to stop at botnets and not include p2p, vpn, uunet, private mail servers out of the country, list servers, and other legitimate traffic.

  14. Sad, isn't it? by bbbaldie · · Score: 2, Insightful

    Buy a computer and/or a supposedly secure operating system, and then, unless the customer proactively protects against security breaches, they won't be allowed on the internet. Pardon me, but isn't protection against security breaches the OPERATING SYSTEM'S JOB???

    1. Re:Sad, isn't it? by arotenbe · · Score: 3, Insightful

      Pardon me, but isn't protection against security breaches the OPERATING SYSTEM'S JOB???

      Partially, but it isn't the operating system's job to stop the user from being an idiot. If you want to run executables from suspicious websites, that's your right. And if the rest of the world wants a device to stab you in the face over the internet, that's their right, too.

      --
      Tomato wedge sperm darts that are Republican.
  15. Re:Privacy by Volante3192 · · Score: 3, Informative

    They don't discover that by listening in to content though. They do it after there have been complaints.

    And you don't think ISPs have been getting complaints about spam?

  16. Re:why not directly disconnect every Windows machi by John+Hasler · · Score: 2, Insightful

    > Of course I'm OK if that software isn't particularly Mac compatible ;)

    So you wouldn't mind being required to switch to Microsoft Windows 7? Because that is what your proposal would lead to.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  17. so what? by circletimessquare · · Score: 2, Insightful

    everyone talks about their rights, but few speak up about their responsibilities

    if people don't live up to their responsibilities, they lose their rights. not as a matter of some government mandate, but as a simple logical, natural consequence of ruining things- the internet, safe roads, a healthy economy, etc., for other people

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  18. Criteria by lattyware · · Score: 3, Insightful

    Botnet - Collection of computers using large amount of bandwidth.
    Largest Botnet - BitTorrent
    ISP - "Job's a good 'un lads, let's go home."

    --
    -- Lattyware (www.lattyware.co.uk)
  19. yes sir mister policeman by troll+-1 · · Score: 2, Insightful

    Sounds like another case of politicians regulating something they don't understand. Define botnet.

  20. Good idea if implemented properly by russotto · · Score: 2, Insightful

    ISPs should be disconnecting zombied machines. The catch is they need a test which catches most zombie machines while not catching any non-zombies, and most ISPs are neither competent enough nor interested enough to do so. If their procedure has systemic problems which disconnects non-zombies, then the cure is worse than the disease.

  21. I think this has already been done in finland. by Oasiz · · Score: 4, Interesting

    I didn't completely RTFA, but.. If this works anything like the same way it does here, it basically redirects you to a generic page where you can download virus / etc checks and fix your system. You can't simply reach other places (or no connection with other protocols) in that state. The ISP has basically just IP blocked you at that point (other systems under the same connection function like normal). The ISP also re-checks your system every hour or two to see if the issue has been resolved. This is also explained in the page in more detail. If it follows the same formula then I am all for it due to it working flawlessly so far. No false alarms so far in my rather heavy use. Oh yes, and I first ran into this in 2004.

  22. Block the abused ports first, or firewall them by davidwr · · Score: 2, Insightful

    Don't disconnect them. First, only block the ports being abused. If that doesn't work, confine them to a "walled garden" that tells them who to call to fix the problem. Then when they do call, help them fix the problem.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  23. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  24. There is an inherent responsibility by Anonymous Coward · · Score: 2, Interesting

    There is a responsibility by any user not to interfere with others. Being infected with a botnet is certainly one for this category. Not responding to warnings of infection is negating this and is abusive of others using the net. Why should users that interfere with others be tolerated?

    To simply say that a significant number of the people that have botnets don't know how to remove them, even after warnings, is far too simplistic an excuse. The same can be said about their ability to pay to have them removed. Format C:/ is the lowest cost. Having a friend help remove personal data is the next, and lastly 1 hour of labour by the local shop to retrieve the personal data is not unreasonable. However this same group most likely don't have any significant personal data they can retrieve even for normal use as they have no idea where it is once they save it. They have never bothered or are incapable of learning the concept of directories or the concept of organizing their work. So they really don't have, in a practical sense, any personal data to recover. Am I heartless? No actually, just pragmatic.

    Why do those botnet infected people have any right to interfere with others wanting to share this net resource? Why does a large group defending them seem to think there is no personal responsibility involved when going on the net? There is no right to interfere with me, or is there? Be it simply by being a pest or anything else. I don't care what you do as long as it does not impact me within reason. We all share the net. We all generally have contracts with our ISPs with a code of conduct. I see no reason why those that don't heed warnings to fix their systems shouldn't lose the privilege of access from that equipment.

    We qualify people for many things in our society. Most of those things revolve around protecting the rights of others. Just as a license is a privilege and requires a test, there are rules for bicycles, being an obnoxious drunk in public, etc. There is no right to thieve, assault, stalk, or be a public nuisance. A person with a botnet infection is part of interfering with others and they have no right to do that. But there certainly is a responsibility not to do that.

    But who is responsible to prevent it? Is it mine? Do I have to incur expense and time trying to keep these people from bothering and interfering with me? The practical aspects with today's technology says that at best it's only a partial solution anyway. So why limit only one approach? There is no rule that requires only one solution to deal with this menace that costs everyone time and money. Money reflected in everything from my time to the rates I pay for access to the net, on up the chain to the carriers.

    If I had my way there would be a fixed IP for all home connections. It is practical technically and is not a security problem to have one. Dynamic IPs offer negligible protection if any at all. A fixed IP certainly offers a measure of ability for me to solve part of the problem. I see no reason why a system based on complaint or by discovery should not be used to cut these repeat offenders from using their own hardware to connect. They mostly have other options to get on the net if they fail to maintain their own equipment when notified. Where do any of you get off saying they aren't responsible for their own stupidity? So ok, if they have no obligation to others, then using that logic there is no obligation to give them access, or at least to that access from their infected equipment. They may get access from the library computer or other methods. They may still get on, just not using their trainwreck of a computer from home. All is then fair enough.

    So what of people that don't know how or can't afford to remove the infection? Cry me a river. That's not an excuse to abuse others. They have no friends? Can't afford one hour of tech time? I may be my brother's keeper but it doesn't mean you can't give them a slap upside the head when they act like a moron. They know it is wrong. So get off the net until they find a solut

  25. Re:why not directly disconnect every Windows machi by Runaway1956 · · Score: 2, Funny

    Wait - you are supposed to LOG IN to a hotspot? Seriously? Maybe I've been doing it wrong. I usually just spoof a MAC address, and take over an existing connection. Sometimes, I just log into the router, and change the settings more to my liking. There are so MANY imaginative ways to use a hotspot - why log in? Spoofing a MAC address has the advantage of making my terrorist network activities appear to be dozens of different people. Why, just last week I sold a suitcase nuke to an Ethiopian who had fallen on hard times.
    I only deduced that he has fallen on hard times, because his certified cashier's check bounced. I'm still waiting to hear back from him.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  26. Go away.....NOW! by tacokill · · Score: 3, Insightful

    Oh god, no. This is a very very bad idea. We do not need to have our PCs "certified" by a Ministry, Department, or any 3rd party for that matter. Yes, they have done that for cars for pollution testing but it makes no sense for computers.

    Do you seriously want some twithead bureaucrat telling you what a "safe" PC is and what a "dangerous" PC is?

    I want you to choose a number from 1 to 60. This number represents the amount of seconds before Linux (or some other disliked-by-those-in-power application) goes onto the "dangerous" list. This number also represents how many days you have to install a properly maintained OS, such as those produced by Microsoft, onto your PC. Within 10 days, please bring us proof that you have made the correct repairs and we will waive your fine. Oh, but court costs are 200 euro. Thank you, drive through.


    I am deadly serious when I say this: This is one of the all-time worst ideas I have ever read on Slashdot.