Should ISPs Cut Off Bot-infected Users?
richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."
Should ISPs cut off P2P users that infringe copyrights? Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as copyright infringement would be contrary to the terms of the ISP's acceptable-use policy.
What about posting opinions that the ISP company doesn't like? It's not like it's suppressing free speech, as they are a private company.
Or what about if we just let ISPs be what they are supposed to be, common carriers, before this goes down a slippery slope?
Should ISPs Cut Off Bot-infected Users?
Yes. Some ISPs already cut off P2P users. By comparison botnets are a real threat.
Trolling is a art,
Yes, yes! A million times YES!
A doctor would quarantine a contagious patient. An ISP should quarantine an infected PC.
If I were God, wouldn't I protect my churches from acts of me?
>"Should ISPs Cut Off Bot-infected Users?"
After a suitable warning to the customer/administrator, yes. Absolutely. But it should be made very easy for the customer/administrator to reactivate their service, too.
This is an open door for abuse by ISPs to shut off anyone they think is costing them too much bandwidth.
This would be contrary to net neutrality principles. Any ISP I hear doing that is going to get bad press very quickly.
That way, the users would have no way of downloading information to help them fix the infection.
Yes.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
How do they know it's not really me sending a bazillion emails about my er3ctile dysfunt10n?
Maybe I like being a node for the mothership?
Maybe I just want to mess up the Internets for everyone!
My money, my bandwidth.
Heybiff
-Even the Sun goes down...
If it were spelled out that this would constitute a usage violation, then fine, I see no problem.
"I use a Mac because I'm just better than you are."
Of cour
They should not, for the same reason ISPs should not filter ports (25 anyone) like a lot of them are doing now. Also, to see if someone has an infection you would have to monitor the traffic. While that can be automated, it is none of their business. They just rent an internet pipe to me. How I care for the security of that pipe is up to me. That's what I am paying for. I can see that this would benefit some users and would help make the internet 'safer', but installing a good firewall and virus scanner will keep you reasonably safe also. And one thing still goes btw... if your system is mission critical... consider if it really has to be on a public network. A lot of times it doesn't have to be.
Yes, but not before first providing ample warning notifications by e-mail, SMS, and robocall.
If you cut somebody off from the net straight away, that prevents the person from downloading the necessary file to take the steps necessary to remove the bot.
To blog is sublime
Don't you cut out gangrene flesh?
I say no, because that's too much power. However, I think it might be time for ISPs to offer some kind of cloud-based anti-malware à la HitmanPro, or maybe hire a cadre of IT ninjas to help their users on-site and off-site. How much would you pay extra for something like that?
Just some ideas that maybe will get modded up and discussed.
So...my kid goes off and surfs somewhere stupid and the family computer gets infected. The ISP cuts me off from the rest of the world, making the internet a safer place for everyone else.
Great. What happens next? Am I stuck in Paypal-like purgatory where they're "reviewing" my account ad nauseam while I have no access to the outside? Do they start snail-mailing me CDs with antivirus software? What would be the EXACT path a customer follows to get back online? Until that's unquestionably clear, nobody should be cutting anybody off.
Yes - followed up with a "disinfect your PC like this, update regularly, don't do this" how-to that lands in their inbox. Maybe a good geolocation for independent repair peeps to contact to follow up if they aren't too clued up in said how-to.
the downside is that bot-infected users are MICROSOFT addicted customers.
who comprise 75% of Internet users.
Ooops.............
Deleting 75% of the Internet users is an additional BENEFIT.
Yours In Minsk,
K. Trout
My cable ISP cut me off in 2001, when my roommate got a worm/bot infection due to bad P2P settings. I understand the good intentions, but it then became difficult to reach the right person who could reinstate service once I convinced them my network was clean.
For all the information the ISPs track from us, they have a responsibility. Pleasing cost (razor thin margins) is no excuse to engage in restless behavior. In a capitalist society we recognize that if you can't pay for the costs of doing business, you go out of business and your competitors eat your lunch. Preventing crime that involves using your service is a reasonable and legitimate business cost. After all, the botnets tend to be one of the major users of ISP resources - particularly if they are doing a Denial of Service attack. So shutting them down lowers the ISP's costs, increasing their thin margins.
excitingthingstodo.blogspot.com
Sure it's fair.
Once you've infected the rest of the Internet with crap, you're costing them more money in tech support calls from people complaining about you. Why would they pay to keep launching your crap packets into the core? Be your own ISP if that's your agenda. If you take care of your network, you won't run into this.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
who will be moving to metered billing soon, I say the more botnets, the better! We'll be raking it in!
Restrict them to a subnet that only contains pages related to removing the malicious software.
ISPs should be responsible for filtering out bot activity, but it's not really fair to anyone to cut them off entirely. After all, it's not entirely their fault they got infected... hell even if they're responsible with updates and activity they could have been compromised by some new vulnerability.
Has firewall technology not been able to keep up with bulk ISP traffic or something?
I understand that users ought to control their own home firewall, but ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary. But I guess if they have it, then that means they're kinda liable for configuring it effectively and can thus be held responsible for attack traffic that does get through.
Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond. Which is virtually an eternity in botnet time... which makes that whole approach somewhat pointless.
They could just redirect them to a portal, where they get informed that their computer is sending out viruses.
The portal would offer a free virus scanner and the option to have several ports closed by the ISP (checked by default) ;)
- ports that could later be reopened by going to the "experts"-page
If the user insists, they of course can go on and use the internet anyway. But only after clicking "ok" to a sentence declaring that they are now informed and
"solely liable to any damage they might do to the internet"
"Your internet service has been suspended due to a virus infection. Please call or email us to get reconnected".
"Common sense will be the death of us all"
ISPs should hand out routers which utilize Network Access Protection by default.
The router should verify if the endpoint is clear for internet access, and if it's not, it should limit user access to antivirus vendors, known OS upgrade services etc. and request the user to follow this link to repair their computer (or have it cleaned by someone skilled enough).
There are (or should be!) multi-platform NAP/NAC solutions to do this.
Of course, users should have an opt-out option, which allows them to disable the NAP and take responsibility for maintaining their systems themselves without "middle-maintenance".
Opted out systems would receive direct disconnect until user verifies by phone to the operator that their misbehaving system has been fixed. (for example, spam zombie)
There are no atheists when recovering from tape backup.
My local UK ISP has been doing this for a while, a good 20% of my work has been from people who have been cut off until their PC has the infection removed NICE
At the ISP I used to work at more than a decade ago, if we had a customer who wasn't responding to notices by e-mail, we'd move them to a special IP pool, where given ports would be redirected to proxies to make sure they got the message (eg, you're behind on your payments).
You could use this to give them a message they've been infected, while still giving them access to domains / hosts or their anti-virus software.
Of course, in those days, it was all dial-up, so we assigned IP addresses as they came in ... you could still do something when they refresh their DHCP lease. If they get static addresses, your router rules could get big pretty quickly, and you risk a bad rule screwing everyone's traffic up.
Build it, and they will come^Hplain.
They're Internet SERVICE Providers. Not Internet Police, nor Internet Guardians. They exist to provide people with access to the Internet for a fee. Now a lot of ISPs already do plenty that is contrary to the best interests of the customers. Bad behaviour ranges from price gouging and using misleading advertising, to draconian terms of service (usually because they're able to due to a monopoly or collusion), to playing fast and loose with customers' private data (often in the name of anti-piracy). Do you really want to give these same ISPs the power to take a customer's money and provide them with nothing based on nothing other than their own conclusion that a customer is infected? That's madness. An ISP should be providing a customer with help to remove the infection, not removing their access to the Internet.
These posts express my own personal views, not those of my employer
My parents' PC was a fully functional mail server sending out 4-5 GB of e-mail a day; they didn't know this of course and complained about internet speeds all the time. The ISP figured it out pretty fast though and sent someone over to get it off the network and clean it for 'em.
I was quite surprised at how civil they were about it.
crazy dynamite monkey
So on one hand, ISPs should not regulate the type of traffic and should not sniff, etc...
On the other hand, ISPs should cut off virus-infected computers. Apparently, they ARE sniffing or monitoring in some way in order to cut you off.
Just wait for a company to decide that being a torrent feeder is being part of a botnet and thus torrent feeders must be cut off. Good luck getting back on again.
If it is really botnet activity, why not just block the botnet activity but not the non-botnet activity? If you can't determine if it's botnet activity well enough, then how are you going to choose who gets cut off?
(I am not necessarily decidedly against this, but at the moment, it seems to be somewhat hypocritical to be against ISP filtering and for ISP cutting off [on their own]. Enlighten me. :) )
10 years ago when I was in college, my computer was disconnected from the network because someone had hacked in through my imap server on to my Linux box and was DDoSing some other server at some other university. It took awhile before I was finally allowed to activate my port again. I think they should do this, but they should also be reasonable and help their users get back up and running safely as quickly as possible.
I work at a decent sized regional ISP. If a customer is disrupting the network with blatantly viral traffic (like tens of thousands of simultaneous SMTP connections) we shut them off and have tech support walk them through disinfecting their PC. The exception is if they also have VOIP through us since we don't want to be in the position of having cut off someone's only link to 911. The network engineers don't sit around all day looking for infected boxes, but if performance issues are traced to an infected customer they definitely get cut off.
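The rule the engineer above describes (a single subscriber suddenly opening SMTP connections to a huge number of hosts, with VoIP customers exempted from a hard cut-off) can be expressed as a small detector over connection records. The following is an added example, not code from any ISP or from the poster; the flow-record format, the addresses, the VoIP customer list and the threshold are all constructed, and the threshold is scaled down from the "tens of thousands" in the post so that the sample stays short.

```python
"""Flag a subscriber whose outbound SMTP fan-out looks like a spam zombie,
then decide the ISP's response.  Added example; flow format, thresholds and
the customer list below are constructed, not taken from any real ISP."""
from collections import defaultdict
from dataclasses import dataclass

SMTP_PORT = 25
FANOUT_THRESHOLD = 50    # hypothetical: distinct SMTP peers per window that counts as blatantly viral
WINDOW_SECONDS = 60


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds at which the connection was opened
    src: str     # subscriber address
    dst: str     # remote address
    dport: int   # destination port


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form '<ts> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(int(ts), src, dst, int(dport))


def smtp_fanout(flows) -> dict:
    """For each source address, the largest number of distinct SMTP peers
    contacted within any sliding window of WINDOW_SECONDS."""
    per_src = defaultdict(list)
    for f in flows:
        if f.dport == SMTP_PORT:
            per_src[f.src].append(f)
    fanout = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        best, lo = 0, 0
        for hi, f in enumerate(fl):
            while f.ts - fl[lo].ts > WINDOW_SECONDS:   # slide the window start forward
                lo += 1
            best = max(best, len({g.dst for g in fl[lo:hi + 1]}))
        fanout[src] = best
    return fanout


def decide(src: str, fanout: dict, voip_customers: set) -> str:
    """Return 'ok', 'disconnect', or 'notify'.  A customer whose phone service
    rides on the same link is notified and walked through cleanup instead of
    losing the line (the 911 concern raised in the post)."""
    if fanout.get(src, 0) < FANOUT_THRESHOLD:
        return "ok"
    return "notify" if src in voip_customers else "disconnect"


def _sample_flows():
    """Constructed sample: one minute of connections from three subscribers."""
    lines = []
    # 10.0.0.5: spam zombie, 80 distinct mail servers in 40 seconds
    for i in range(80):
        lines.append(f"{1000 + i // 2} 10.0.0.5 198.51.100.{i + 1} 25")
    # 10.0.0.9: normal user, three messages to the ISP relay plus one HTTPS session
    lines += ["1005 10.0.0.9 203.0.113.10 25", "1020 10.0.0.9 203.0.113.10 25",
              "1040 10.0.0.9 203.0.113.10 25", "1041 10.0.0.9 203.0.113.50 443"]
    # 10.0.0.7: also infected, but the household's phone service runs over this link
    for i in range(60):
        lines.append(f"{1000 + i} 10.0.0.7 198.51.100.{100 + i} 25")
    return [parse_flow(l) for l in lines]


VOIP_CUSTOMERS = {"10.0.0.7"}   # constructed


def classify_sample():
    """Run the detector over the constructed flows; returns (fanout, actions)."""
    fanout = smtp_fanout(_sample_flows())
    return fanout, {src: decide(src, fanout, VOIP_CUSTOMERS) for src in fanout}


if __name__ == "__main__":
    for src, action in classify_sample()[1].items():
        print(src, action)
```

The sliding window keeps the measure tied to what the post calls "simultaneous" connections rather than to a daily total, so a user who legitimately sends a few dozen mails over a day is not swept up with a zombie that contacts dozens of mail servers a second.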
Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
I'm pretty sure I remember Rogers in Toronto cutting me off years ago due to malware-related data they detected coming from my IP address. They gave me 24hrs notice (but I was away at the time) before cutting me off. How a bot-net is considered different is beyond me.
I'm surprised this kind of thing isn't done already worldwide.
At my last university the IT department routinely scanned machines attached to the network and blocked infected machines. Students were required to bring their computers to an IT desk to have the malicious software removed and were instructed on how to properly use a virus scanner or malware removal tool. From what I understand, this policy continues to work well to this day. ISPs should follow Comcast's example by informing individuals their machines are infected, and go the extra step of directing affected parties to paid (or free) scanners that will remove the offending software. Only repeat offenders should lose their privileges (temporarily) to ensure responsible computing habits develop. Just my two cents.
my mom posts on slashdot.
A more serious question should be, why don't we just cut off China and Russia, the botnet controllers, from the Net?
That would make more sense.
-- Tigger warning: This post may contain tiggers! --
What is it about spam and malware that causes people to completely lose their minds? What are you worried about botnets anyway? Either your system is secure and it won't be a problem for you, or your system is not secure and you are, by your own admission, "part of the problem." This isn't like quarantining carriers of a deadly disease. It's not exactly difficult to secure your own system against the nasties on the internet. But people are here supporting the idea of severing a person's internet connectivity because they've been a victim of some asshole on the internet. I think we can all agree that the internet is culturally revolutionizing, and has already proven itself to be an extremely important tool in the promulgation of free speech. But once you throw this crap in the mix we have people asserting these authoritarian opinions which, quite honestly, scare the shit out of me.
At the very least, if there is some set of criteria for disconnecting somebody from the internet, there must also be criteria for how to get reconnected and a very clear and doable set of instructions how to get back online. Otherwise you will end up permanently silencing people.
The solution is not censoring the internet. It is for PC users to ditch Windows and have a safe, modern operating system like Ubuntu installed.
Tried ditching windows for Ubuntu but couldn't make everything work and the installation was a nightmare with endless problems. Sure I'm only one among many but my own experiences said that Ubuntu was not really ready for all desktops, at least not mine.
This has happened to me once. I got a virus and a couple hours later, my internet was off. I called the service desk and I was told that my computer was infected and, get this, I need to download a patch to fix it. "How do I download a patch when my internet is off?" I asked. "Bring your computer to the service center when we open on Monday." I instantly canceled my service. I was a college student at that time. Some tasks required the internet. In fact the only way to turn in my physics homework was to upload it to the server by 2am on Tuesdays and Thursdays. I don't need to be worrying about my internet shutting off at random times and having to make a midnight dash to campus to use the library computer.
I try to keep my computer clean. I run firewalls and I have virus scanners, but if you haven't been infected with a virus before then you haven't been on the internet long enough. Sooner or later you'll get infected, and god forbid if you rely on the internet, i.e. VoIP or server hosting. Why do I get punished for what other people do? Should car manufacturers be able to remotely turn off your car when your car starts to leak oil or freon?
I mean generally 'yes' but why not quarantine them to a network that allows them only access to a handful of services needed to get things working again:
- Microsoft ?
- a non-partisan collection of anti-virus vendor websites
- ISP specific help pages
- ISP specific log entries outlining proof and nature of infection.
- a page that allows, once a day, to get service restored on a probationary period to test for successful eradication.
- netbsd.org/freebsd.org/ubuntu.com/fedora.com/etc ...
Yes they should, but only after offering the opportunity to fix the infection (how are users going to download patches or find the fix without internet access?)
But I think it's time to go at least one step further. The ISPs are going to have to take the responsibility of blocking access to countries, ISPs, and sites that are infected or the source of infections. Like it or not, one of the biggest problems we have right now is that a massive amount of the traffic on the internet is related to criminal activities. If people came to your door every day and left 50 fliers for bogus prescription drugs, there would be an outcry. If you received 100 phone calls a day offering porn, there would be an outcry. If 200 people every day walked up to you on the street and tried to trick you out of your bank account numbers, there would be panic in the streets.
But all of this happens to internet users every day, and nothing is done because the perpetrators hide in other countries that can't be bothered to enforce laws, or they have a different interpretation of the word "fraud".
If on the other hand, no one in China, Estonia, Russia, or South Korea could reach the Internet outside their country because the backbone providers were required to cut off all traffic to or from those countries until they make an attempt to enforce laws, things would change.
As a user of a superior operating system, these bots may not pose a direct threat to me. However, it may hamper my ability to enjoy online games or watch Youtube. If people don't take steps to secure their machines, I don't think they should be able to interfere with my gaming. It isn't like I care about them or anything. If they're doing nothing but causing problems, terminate their service!
Where I used to work (the ResNet at my alma mater), the policy was to take people off the network who were infected. I would hope that if ISPs were to implement this kind of policy, that they would also include customer support to the individuals unknowingly infected (e.g., "ooo, sweet... I've got a buddy and its name is Bonzi!", or "I just wanted to see the pictures my friend sent to me on AIM...."). /me shrugs.
While you're there, throw them a lot of information about why they should have an anti-virus - why they should scan regularly, and why downloading from 'that shady place' is a bad idea.
Maybe it'll stick once they realise they have no internet.
ISPs should be able to identify the IP addresses the bot is contacting and block it from getting out of the ISP.
Then it should track down those IP addresses and inform their ISPs that they are hosting a control node for a botnet.
Backbone providers should shut down access from any ISP that refuses to shut down botnet control nodes.
So if they shut off the connection, then how is the average person (without multiple boxes etc) supposed to access the tools and information they would need to clean it? And what happens when a bot gets loose that doesn't yet have a public fix? Then you just black out large swaths of the internet until somebody gets around to fixing it (again without internet access)?
At that point the ISPs are doing the work of the hackers themselves. Now you don't need a sophisticated attack to shut down huge chunks of the internet, just a good looking threat. Soon we will see attacks that do nothing more than mimic a botnet enough to trigger whatever automated shut-off the ISPs implement.
Like Communism, this is an idea that looks great on paper, but is doomed to not only fail, but make everything worse in the process.
Common Sense isn't as Common as people think...
Doing it via the browser is a very bad idea. Not only can it be spoofed, it undermines the "don't click those things" mantra that we are trying to ingrain in users' minds.
Cut them off, instant phone call and/or mailing. If they need it, allow them access to antivirus (I believe Comcast has a deal with McAfee) or mail them a CD.
to help him fix the problem. The customer is probably not the villain here and probably doesn't even know that he is botnet infested (after all, ALL windows machines slow down eventually and have to have the OS re-installed, right?). The ISP should try to contact the customer by phone, email or snail mail and first let him know of the problem. Perhaps send him some general information on how to fix his problem, or just point him to the right URLs on the net where he can find the information he needs to fix his problem (other than by using an Axe on the computer).
This is going to get more interesting as security (home alarm) companies and medical (help, I've fallen and I can't get up) companies are moving all their services to the user's web connection. Once there are a couple of deaths and a fire that don't get reported, these services are going to come under a lot more pressure to not disconnect people without multiple notices through snail mail, etc. type of process.
Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
I'd actually appreciate a friendly email from my ISP informing me that they are detecting strange traffic from my IP address and suggesting that I might want to check for a Botnet infection. Detecting sneaky outgoing traffic and other malfeasance is beyond the technical range of many customers.
They might even provide links to resources I could use to detect and remove the Bot. They might even make these resources free, useful (Like pretested and configured against the current signature and MO of the Botnets they're seeing) and come off as concerned and helpful.
This is one area where our interests and the ISP's are aligned. Starting the process with a "cutoff" seems like a lose-lose...
"Knowing everything doesn't help..."
maybe. Though strictly speaking beyond most ISPs' remit, the internet still is a cooperative, and that means people ought to cooperate to fix wrongs, not merely point fingers and go ha-ha!
If you are going to "police" or at least act on reports something is amiss beyond the demarc, then put them in quarantine with the tools to fix it, ask for assistance, get the quarantine rectified if it was a false positive, and so on. Oh, and make very clear beforehand what you're doing, in fact put it in the Ts&Cs, and don't assume only one OS exists; it's behind the demarc so you have no right to assume anything unless you have proof. But above all: Simply cutting off isn't going to help.
It is not a slippery slope as some posters here replied. ISPs, as businesses, have the right to shut down any subscriber's internet anytime they want. Getting the bot networks offline is gonna require the cooperation of the ISPs. They should warn the user they are bot infected. They should warn them a second time. They should contact them via automated phone message. Then they should shut down the access until the user does something about it.
But other ISPs that route the traffic of an ISP with a certain percentage of infected users should cut off the entire lower order ISP until the problem is solved, as an impetus. That would leave pretty much only the ISPs that knowingly allow such traffic or knowingly host the targets of the machine, and even those would be isolated without a monetary incentive to continue as they had been.
If you want businesses to change rapidly, make them feel it in their revenue stream. Very Pavlovian response.
I find it somewhat alarming that given this story and the one from earlier this week, that suddenly everyone is suggesting that ISPs start using deep packet inspection to find potential bots and, even worse, injecting their own content into their users' connections.
I remember when ISPs started deep packet inspection to try and find BitTorrent connections, how everyone was up in arms and clamoring for encrypted everything, but now that it's ISPs using deep packet inspection on 'common joe' users, that's suddenly fine.
Finally, to those suggesting the ISP redirect them to a page offering a free virus scan and download... really? If you were redirected to such a page would you trust/download ANYTHING from it?
How many dupes of this same story and idea are on /. already?
actually, maggots get rid of gangrene quite effectively, no MD needed.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Be careful what powers you give to anyone with power already, they're hard to take away once they're given, especially in the monopoly like environment we're in. It's easy to see how this could lead to cutting your service for other reasons that are "bad" for their network.
Does anyone else see how this sounds like that story of boiling the frog alive by slowly turning the heat up?
Note to anyone supporting this, this contradicts net-neutrality which states ISPs can't make decisions on content.
It doesn't matter how "secure" your network is. If your inbound pipe starts getting flooded with garbage data and fills your pipe, your service is now unavailable. Your local firewall may be super secure and drop all the packets so your server runs along swimmingly - totally irrelevant if your pipe is overloaded. This is the kind of damage that is TRIVIAL for a botnet.
Can just tell by your attitude that you are somehow connected with the people who want more government snooping and control.
Go back to your Ministry of Truth and do not presume to attempt mind control on me again.
But I tend to rely on the Internet for information about removal of malware or software downloads to remove them. What about an ISP level antivirus/malware detection mechanism? If I pay for my bandwidth and I get cut off because of malware, I expect a full refund for the loss of service plus compensation for the trouble.
Tomorrow is another day...
Yes, and then send them to a 'captive portal' when they try to access the web telling them what has happened and what they need to do to fix it - along with the ISP's contact number and maybe even a reference or case number.
fak3r.com
If ISPs care about how their bandwidth is being used up, they should/would definitely disconnect users for even unintentional abusive behavior for this.
Used to work at a WISP, and malware infected customers were a huge source of network problems. Anyone suspected of being infected was contacted immediately, and potentially disconnected from the network if they were unreachable and/or immediate attempts to resolve their spyware problems weren't successful.
Perhaps wired ISPs aren't so concerned about this...
I used to do computer work for a guy that was contacted by his ISP (Insight communications) and they told him he had a virus and would only be allowed back online once he was cleaned up. He only noticed when he woke up the next day and had no service. This was the first and only time I witnessed an ISP taking a role in cutting off an infected PC.
Back in the dark ages of dial-up access. They would lock out the account with a message to call an 800 number. They would step you through the process of getting rid of it. I just had to update my son's scanner and run it. Of course, that meant all 5 of us were locked out, even though 2 of them were at college!
Never trust a man wearing a coat and tie!
Brilliant! Also, that makes good business sense, as they would have to use the email service that you, as an ISP, kindly provide ... for a fee. We really can't allow those lusers to manage their own mail, oh no sirree.
I would think it was fine if ISPs set up new accounts with most ports closed *and then provided a good, efficient interface for users to open what they want to be open* ... but most (most! there are some good ones out there) ISP staff get that deer-caught-in-the-headlights look when you start to ask questions about outgoing ports. Seriously; I've had the privilege of being told that yes, I would certainly be able to surf the web, when I asked about accessing my own file/media server from the WAN side. Sigh.
"Good news, everyone!"
Being able to connect to any port and to receive connections on any port is the definition of Internet access. I absolutely should be able to run a mail server on my home machine.
Now, if the ISP were to block incoming port 25 by default, and people who wanted it could fill out a quick form or something, maybe that would be okay.
So you propose that as soon as an ISP detects an infected computer, they send someone to wipe the computer and install Ubuntu? :-)
The Tao of math: The numbers you can count are not the real numbers.
Getting users to download an "antivirus" every time they see a page like that is a BAD idea.
No sig today...
In the scenario you propose the person is ignorant, which is not an insult but rather a word describing someone who doesn't know any better. That person might at first be upset, but then the ISP could offer a very simple solution, to wit stop running a petri dish for an OS and switch to a real OS such as Linux or OS X. The same person that was originally upset would soon be forever thanking me for cutting them off until they stopped being ignorant and became educated to the fact that they actually have a much better alternative at their disposal. This is not speculation, by the way. People thank me all the time for introducing them to other options, as they had no idea that they even had any.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
No, they should cut them off or leave them be. There is already too much filtering going on. If something doesn't work, how will I know if it's something that's not working right on my end, something not working right on the other end, something not working right in-between or if it's willful interference from my ISP or the ISP at the other end? There are already ports which can not be used reliably anymore because at some point they've been used by widespread malware infections which prompted some ISPs to silently drop packets to these ports.
STOP FILTERING THE FUCKING INTERNET!
They're not gonna stop though, so the future of the Internet is encrypted end-to-end, and then all the work that has gone into deviating from the "dumb network" approach will have been wasted. If you are an ISP and drop or redirect packets for any other reason than congestion or having no route, then you're doing it wrong. TCP and UDP are payloads and none of your business. Can you imagine the post office not delivering a letter because of the letter's text?
Fuck you. The internet is not a consumer distribution network. Each host is a client and a server. And if i want to receive mail at my home it is not of your business.
Peers should be killed for their bad behavior, not for their capability. They should be disconnected for sending spam, not because they have an MTA or a botd. It should be up to the owner to decide if he wants to 1. remain disconnected, 2. stop willingly sending spam or 3. remove the botd that sends spam without his knowledge.
I mean they don't already? My ISP (Cox) does. Back in the day one of my roommates got a worm. Didn't know this, of course. I came home, my Internet wasn't working. Called the ISP, they told me what was up. I said "Ok computer is unplugged I'll have him clean it when he gets home." They said "Good deal, your net is back on."
Seems like a good idea to me.
Else how could an ISP charge more for the same service re-labeled as "business Internet?" Meh. You're quite simply wrong, and apparently a noobie.
"National Security is the chief cause of national insecurity." - Celine's First Law
An (enlightened) ISP I used in the past kept traffic statistics on all customers. An automated daily check would occasionally spit out an e-mail that essentially said something like: "We noticed an unusual spike in upload activity from your network on port at . If you understand why, then ignore this message. Call if you need help." This was great, because it alerted you to a problem pretty much right away, but didn't try to second-guess what you were doing. Like credit card fraud protection, it only was triggered by unusual (for you) activity. Unfortunately, this kind of e-mail isn't all that helpful for the typical grandma, but for the customer base of this particular ISP it worked reasonably well.
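The daily "unusual for you" check described above, as an added example that is not the ISP's own system: a per-customer, per-port upload baseline with an absolute floor and a learning period, run over constructed sample totals. Customer names, byte counts, thresholds and the notice wording are assumptions for illustration.

```python
"""Per-customer upload-spike detector modelled on the daily e-mail described above.
Data, thresholds and message text are constructed for illustration."""
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: (day, customer, destination port) -> bytes uploaded that day.
SAMPLE_DAILY_UPLOADS: Dict[Tuple[int, str, int], int] = {}

def _record(day: int, customer: str, port: int, nbytes: int) -> None:
    SAMPLE_DAILY_UPLOADS[(day, customer, port)] = nbytes

for _day in range(1, 8):
    # cust-A: ordinary HTTPS browsing, nothing on port 25 until day 7.
    _record(_day, "cust-A", 443, 40_000_000 + _day * 1_000_000)
    # cust-B: nightly off-site backup over SSH; large but steady, so normal for them.
    _record(_day, "cust-B", 22, 3_000_000_000 + (_day % 2) * 200_000_000)
_record(7, "cust-A", 25, 900_000_000)  # sudden outbound SMTP burst: the classic spam-bot sign

SPIKE_FACTOR = 5.0          # today must exceed 5x the customer's own median for that port
MIN_BYTES = 50_000_000      # ...and an absolute floor, so tiny volumes never trigger a notice
MIN_HISTORY_DAYS = 3        # new customers are in a learning period; no alerts yet

def customer_history_days(uploads: Dict[Tuple[int, str, int], int], customer: str, today: int) -> set:
    """Days before `today` on which we have any record for this customer."""
    return {d for (d, c, _p) in uploads if c == customer and d < today}

def baseline_for(uploads: Dict[Tuple[int, str, int], int], customer: str, port: int, today: int) -> float:
    """Median of this customer's earlier daily totals on this port (0 if never seen)."""
    history = [b for (d, c, p), b in uploads.items()
               if c == customer and p == port and d < today]
    return float(median(history)) if history else 0.0

def detect_spikes(uploads: Dict[Tuple[int, str, int], int], today: int) -> List[dict]:
    """Return one alert per (customer, port) whose upload today is unusual for that customer."""
    alerts = []
    for (d, c, p), nbytes in sorted(uploads.items()):
        if d != today:
            continue
        if len(customer_history_days(uploads, c, today)) < MIN_HISTORY_DAYS:
            continue  # not enough "normal for you" to compare against
        base = baseline_for(uploads, c, p, today)
        threshold = max(SPIKE_FACTOR * base, MIN_BYTES)
        if nbytes > threshold:
            alerts.append({"customer": c, "port": p, "bytes": nbytes, "baseline": base})
    return alerts

def advisory_text(alert: dict) -> str:
    """The kind of non-judgemental notice the comment quotes, filled in from the alert."""
    return (f"We noticed an unusual spike in upload activity from your network on port "
            f"{alert['port']} ({alert['bytes']:,} bytes today vs. a typical "
            f"{alert['baseline']:,.0f}). If you understand why, then ignore this message. "
            "Call if you need help.")

if __name__ == "__main__":
    for a in detect_spikes(SAMPLE_DAILY_UPLOADS, today=7):
        print(a["customer"], "->", advisory_text(a))
```

Note that the steady 3 GB/night SSH customer is never flagged, while a first-ever burst on port 25 from the quiet customer is: the comparison is against each customer's own history, not a global threshold.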
If the ISP can detect the bot activity, then they can stop forwarding it. In the meantime they redirect the user's web traffic to a download page for the bot removal tool. If the user doesn't act within a reasonable timeframe, then they suspend the account. The only downside is that eventually all retail ISP customers will be forced to install security software from whichever vendor offers their ISP the greatest kickback.
Why should I be stopped from running my own mail server, which I'll keep with me whichever ISP I go to?
Yes, definitely remove bot-infected machines from the internet.
But, also provide a clear, readable description of the reasons for the cutoff.
And, most importantly, a simple way to quickly reestablish service once the infection has been removed.
And by the way, simple does NOT mean 45 minutes on hold waiting to talk to some dude in India
It is not the end user who wants bots on his computer. It is the criminal who arranges them to reside there. And those criminals should be the only ones to suffer. Sure it is easy to punish the owner of the infected PC. But how does easy become morally acceptable?
If everyone went to Linux, the malware writers would start writing for *nix. End of story.
Why do so many people get tripped up by this fact?
We are a NS customer. We had an offsite machine with one of our email addresses get infected and started to send out spam. Within a few minutes, they shut down our entire email service. It crippled our business, then it happened again a few times before we found out what the problem was. We were hopping mad at NS until we found out it was our error.
I hate being bipolar; it's awesome!
Seriously? Yes, they should.
I've worked at an ISP for 10 years, and we cut people off the second we find out that they're infected with a bot and trying to infect others. When they call and ask why their Internet connection isn't working, we tell them straight up what the issue is and that they'll have to clean off their computer (have it done 'professionally' if they can't do it themselves) and then report back to us to get their connection reinstated.
It's a hard lesson to learn, but I think it's necessary.
To use the obligatory car metaphor; if your car starts to leak gasoline while driving down the road, you can't just keep driving it like that since it's 'not your fault' that your gas line ruptured. Even if you do all the preventative maintenance that is recommended, stuff can still happen and it's up to you to get it fixed, even if that means taking it to a professional to fix it.
Most large companies, I've worked for Intel and HP, will search their network for known "issues". I remember one time the worm was severe enough that if your system wasn't patched they turned off the port and blocked the MAC address until you patched your system. This was after 72 hours of blocking port 80 traffic to slow the thing down.
Combine the above realities with DMCA takedown notices and I think it's time. Most ISPs have a 3 strikes you are out policy for violating DMCA and Copyright. The precedent is already set. There are many ways to detect bots and it's time to have the ISPs turn them down and make folks take appropriate steps to clean up their own systems.
"Don't fear death... fear not living..." -me
I live in the student village of a tech uni in Finland. Our ISP, who provides us 100/100 mbit (they're installing gigabit already though), cuts off users who are spamming or infected. There is an internal newsgroup (the NNTP kind) where they post if someone's connection is closed. You have to contact the ISP to have your connection restored. It happens two or three times a month (about 2000 customers).
They could identify pre-infringers even before the machine becomes a zombie, and cut off those Windows machines before they become a problem.
A few years back someone brought their computer over to my house for me to fix it. They had the usual excuse. "It's being slow". So I hook it up, and download the latest anti-malware stuff. (I was in a hurry, so I just plugged it into my router.)
About half an hour after doing that, I tried to access a website, and instead got a security notice from my ISP (a cable company) saying that my internet had been cut-off and asking me to call a number. I called them up, they told me that my connection was sending out an unusual amount of mail and that it had automatically been suspended. I told them what was up, and they agreed to release the suspension right away.
Know what? I was HAPPY that they did that. It means they're serious about proper network security. Not like the other big cable company around here (Rogers) that simply blocks all outgoing mail ports, making life difficult for everybody.
Does it make you happy you're so strange?
In that process of training & service for PCs don't forget the possibility that it might not be the computer that is infected:
There are viruses now that can infect routers and modems.
I can only imagine how pissed off a customer is going to be if their ISP insisted that they pay a professional to clean their computer and are still being denied internet access because their router is infected.
Warning: This sig is not thread safe. For more information see Slashdot's sig policy.
Insecure by default, easily hacked and 80% of the users are almost computer illiterate.
I used to work for Shaw Cablesystems up here in Canada. While I was working there, they did this exact practice. It was handled by the AUP team, a Caller would call up Tech Support and say "Hey, my Internet isn't working, what gives?", the AUP team would say "Well, you've been (Spamming our Customers with Junk Mail, Participating as part of a Botnet, Etc)" and would offer solutions to how to fix this. If they were using our in house Anti Virus software, there was a team of Techs who would walk the customer through some fixes, reconnect the Internet so they could VPN in to fix it, or worst case scenario, send one of our own techs to go fix it. Getting the Internet turned back on was the easy part.
Seems like there should be a partial quarantine state where the infected user's service is severely reduced, however the ISP is still able to network with the computer to provide an avenue for removal tools and resolution. The Internet is the primary source of information for many, and the people unknowingly hosting sentinels in a malicious network are in severe need of information. There must be a compromise or providers risk losing customers.
When I worked for an ISP, we would habitually cut off users who were reported as being infected. We'd generally call them first and give them about 48 hours, and then cut them off. Often, they'd call back a week later saying they had their PC cleaned out and then we'd reinstate them right away.
How am I supposed to get my computer fixed if I get completely cut off from the Internet?
I would be much more in favor of rather than being completely cut off, such users were quarantined to a small sub-net with access to sites such as Microsoft.com, common anti-virus providers, etc.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
NO. Absolutely NOT. ISP should provide data and remain neutral.
The only reason for ISP to step in:
1) you are using excessive bandwidth (beyond your contract)
2) to stop common requests known to originate from a botnet attack (they should stop it to maintain service for others and/or assist in stopping the attack to institutions as requested by authority/law)
In other words... the ISP should only ever do something if their network is being used/abused in an obvious way which violates your contract or infringes on some other customer's contract. They should not be shutting off an invaluable human service (the Internet) when the data communication (even coming from a bot) is not in violation of their data plan. The ISP is not responsible for the data sent across its network to subscribers. Its only concern is to maintain data bandwidth for its subscriber base. To think otherwise... is to oppose net neutrality!
This is so obvious an attempt to put more power in the hands of ISP that they specifically should not have in the guise of a common good (ie: "can someone think of the children").
Come on slashdotters... this feeble solution is the problem not the bots!!!
I think the ISP has a duty to first provide a specific solution that any 5th grader could perform, and allow one month for the fix to get applied. Perhaps send out a reminder to apply the fix after 2 weeks, a strong reminder after the third week and a very strong reminder the day before.
But the ISP needs to provide a specific fix - first and follow-up suggestions for after the fact.
I say yes. I work as an Internet tech support rep for a nationwide ISP (yeah, that one), and almost every day I get at least a few callers who complain that their computer is behaving oddly. After asking a few questions, it is clear that their computer has been compromised by "something". Sometimes a virus, or a bot, or something. My employer provides a name-brand security suite as a courtesy, but we do not force the customer to install it. Perhaps we should. Perhaps ISPs should insist as part of their TOS that customers have an "approved" security suite on their computer. Then that opens up another can of worms (pun intended) as to who approves, and who pays. Yeah, I know, the customers. But they will pay one way or another. If they do not protect their computers, then they will either pay to have their computer cleaned out, or restore it to factory condition.
Because you know, they're all salivating over metering based on bandwidth, where botnets will just raise their revenue. In the long run, the ISPs may end up being the actual source of some of those botnets.
At the very least, they're not in the habit of offering services without charging for them-- so you could expect to see a "botnet detection" fee on your bill if they work out a detection scheme that is workable.
We've all seen the excuses ISPs use to cut off P2P users, why are we seriously entertaining the thought of giving them even more power?
ISPs should only have captive connections for specific traffic, not all traffic. They should not disconnect anyone, rather, they should notify the user, but then let them continue onto the internet with a captive portal web intercept. At least 10 days notice should be provided before any disconnect happens.
Non-web traffic should continue unmolested. I'm guessing that for bot traffic, most of it is http. Slowing down the traffic would be ok, but stopping it is not ok.
What happens if you are a non-conventional internet user and you are not infected, but the ISP thinks that you are? How do you get full bandwidth and use back with minimal hassle?
Could p2p networks be considered a botnet?
So let me see if I have the objections correctly summarized. For nonspecific values of "you":
Does that cover it all?
Everybody gets what the majority deserves.
just kill all children that are born "sickly" and are pr0n to infection. ....
in other words just preemptive disconnect M$
Fuck yeah they should cut them off, and they should have started doing it years ago. In my mind, the fact that most ISPs don't do this makes them as much to blame for the situation as the people who create and run botnets.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
If they tell the ISPs that they can "suspend" their service until they fix it but keep billing them and can't be sued over it, they'll pass that thing tomorrow in congress. In fact, they won't even wait for congress to make it a law, they'll just do it voluntarily. I mean free money + less expenses + seriously lower bandwidth usage over the long term + sticking it to assholes who catch viruses = YAY! That equation is actually listed in every ISP's accounting materials. Seriously, go look it up on wikipedia, it's true lol.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
what's next, not letting people on the bus because they have ebola?
Yep that's right, many EDUs, which are ISPs for many thousands, do not tolerate malware on the network and block infected systems upon detection.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
Just how are they supposed to fix the computer? Makes it a little tough to download MalwareBytes doesn't it? If you want to cut off port 25, I can see that. You could send them an email that tells them that they are infected. You can point them to a screen to re-activate after they have cleaned their system. You could even cut them off again if the botnet starts to send again (aka not-quite-clean). But, cutting off all access is just going to cause more problems.
I worked at an ISP in the midwest and we started doing this as early as late 2001/early 2002. Yes, customers were pissed and we lost some because of it. But as a result we saved a lot more time and money than having to deal with abuse complaints, FBI subpoenas, saturated networks, etc. It is not the ISP's responsibility to protect the customer but it is their responsibility to protect their network. 'If you don't like it you can blow me' should be the attitude of the network administrator.
Fuck Ajit Pai
Well, I've run a home email server since I was 16. In 1987 it was running a UUCP stack Dale Schumacher wrote/ported for Atari ST series computers, but I was on the UUCP map and had a bang path. I was just as real a server as anybody else.
I was one of the very first DSL customers in my area, and as soon as I had it I had my own SMTP server running. That was about 1998 or so.
The only time I've ever generated any kind of bot traffic is when I inadvisably provided hosting for a friend's Windows 2000 Server box. I figured out it quickly and disconnected his machine.
So, I think you're wrong. And while I think I'm pretty unusual, I do think there are a fair number of other people like me. Tossing me out on my keister because I'm just doing something you find to be somehow 'just wrong' is the wrong approach.
Need a Python, C++, Unix, Linux develop
Seems this is the toe-hold into deep packet inspection that they've always wanted. This is the rationalization that is needed for ISP operated behavioral data collection and now it is no big deal to sponsor inspection of user activities for the software and Hollywood cabals.
Don't like it? Well then I guess we can't turn off those dirty bot-nets.
Wow. The fact that this got upmodded to 4, Interesting says more about the state of slashdot demographics than any editorial could...
Not because it's against any policy but as good internet citizens, if they cut my connection I'm going to ask why, I find out it's because I'm infected, I just have to clean the infection and I'm back online. Whose rights, freedoms, expressions are being affected in any way from this?
Most internet users (don't just think /. crowd) would appreciate this type of action. One ISP where I live had this policy in place 4-5 years ago and I helped my cousin get rid of virii that he didn't know he had until this happened. Some advanced users might be upset, just like pirateers are upset when TPB goes down, but those people will find ways around and still be able to do what they want to do.
YES
i work at a computer repair shop. most of the infected machines we work on have processes set up by malware to automatically proxy all internet traffic, making it pretty difficult for the user to even stay connected to the net. you don't hafta cut off bot infected machines, half the time they cut THEMSELVES off! =] windows users: enjoy paying money to fix that scrap pile. god i'd buy an apple if i had the money. btw i'm a linux user.
I wholeheartedly agree with the quarantine of infected computers.
If you take care of your network, you won't run into this.
You've never done user tech support, have you?
Tell that to Jo(e)(sephine) Average User, who has no idea what a virus, or even a network, is. Or even what an operating system is.
Proper and prompt notification of why you've been cut off - and perhaps suggestions as to local techs who can properly clean your system - are at least fair.
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
Got a Trojan, was sending out spam, Road Runner shut my modem down, told me to fix the problem before they'd unlock it.
Being able to connect to any port and to receive connections on any port is the definition of Internet access.
If you want Internet access, upgrade to the ISP's plan that allows Internet access. Comcast, for example, calls its Internet access plan "business class".
A simple "your zombie PC has been disconnected, please contact us to reconnect" followed by instructions on cleaning malware would cut the problem in half.
If I saw a screen like that, my first instinct would be fake antivirus. I've had to clean it off Windows PCs four times.
My personal opinion is that as long as there is a warrant for the specific child porn data then it is fine for them to enforce the requirement for him to provide the password. If he has nothing to hide in relation to child porn he should have no fear in giving it.
However I would want indemnity for all other content on the laptop that may or may not be of an illegal nature so that it cannot be used in other cases against him. The warrant needs to specifically pertain to ONLY child porn related material.
Speakeasy.net cut me off in 1999 when a Windows server I had at home was exploited (MSSQL Server...grr) and infected. I called them, they explained what was up and how to fix it. I 'fixed' it, called them back, and they put me back online...and then offline again 12 hours later because I hadn't cleaned it all up properly. (My then-girlfriend-now-wife really wanted to play Quake 3 Team Arena...I didn't have time to fight Windows!) I fixed it for real, and they put me right online again.
It was frustrating at the time, but I knew then and I know now that what they did was what I wish more companies did.
Time Warner (Austin, TX) has been doing this going back at least to 2003. I should know, I worked as a TSR agent. If a customer calls in to troubleshoot a connectivity issue, their account might be flagged by security as a source of spam and virus activity. Once we re-activated their cable modem, they would be directed to http://www.rrsecurity-abuse.com/index.php. They would then be forced to fill out an online form.
THIS IS OLD NEWS!!!
Life is not for the lazy.
When we had lots of little ISPs, they knew their users, and this kind of thing would be easy cheezy. Now that we've got big, "who gives a fuck" ISPs, it's some kind of dilemma, related to somehow making more money by doing less, and scale.
My smaller ISP simply called me on my cell, when it happened. We had a short conversation that went like this:
Hey user, it's Joel.
Hi Joel, what's going on?
User, I think one of your machines has been hacked.
Jesus! Really? What is it doing?
Right now, it's fetching a lot of data, and sending SPAM.
Crap!
What do you want to do?
Ok, pull the plug, wait three hours, then put it back in. I will have arrived home, taken the box offline to start the work of getting it all sorted.
No sweat, do I start right now?
Yeah, thanks.
*click*
So I went home, pulled the machines off line and waited for a time. Net came back up, and I powered on the machines, looking for the offending one. Found it. Bastards! Sent a quick note to Joel about the state of things, asking if he would keep a close eye out for the next day or two. Done.
Now I realize the average Joe is probably going to handle that poorly. I got my stuff sorted, and brought my Internet stuff back up, happy chappy.
I've since moved, and am just out of range for that ISP. My current one, big ass, ugly, ISP with a name you all would recognize, and cringe at, wouldn't give two shits. They would pull the plug, not tell the support people, and ask for a "reconnect fee", well just because they can.
Not sure what the real answers are here, but somehow I prefer a world where I can get that phone call, maybe be clueless, and know the folks on the other end are just trying to limit the damage, as opposed to it just not working, followed up DAYS later with a nasty-gram, and charges, but that's just me.
Blogging because I can...
Yes, but they shouldn't be allowed to bill you for the time you were disconnected. Thus their interest will be getting you cleaned and back on-line ASAP.
Of course they should do that, reroute all traffic to a specific page which warns them, and if possible even have a cleanup tool ready to download.. I personally would like to be warned of a problem that is not recognized by a lot of anti-virus/malware software, even if that means not being able to use the internet until the problem is fixed.
Can we please cut off Microsoft from the Internet for creating an insecure OS, instead of random old ladies that are just trying to browse for some recipes and don't even know what a virus is, or that there is a support number for ISPs? Thank you.
Yet another potential problem that no one seems to have mentioned yet is that of shared houses. If my flatmate has a virus (which he doesn't any more because I cleaned it off last night) then the whole house is going to be seen as "infected" and four innocent people will be cut off the internet due to the indiscretions of one person. This could be made all the worse if the person owning the infected computer is on holiday for a week.
ISPs are in a great position to significantly impact bot activity but the first adopters of this kind of policy will lose customers to more forgiving ISPs as customers get angry about being cut off, whether this anger is justified or not. ISPs will have to ease their way into this kind of policy, being very careful not to alienate their customers.
Sig matters not. Judge me by my sig, do you?
What about bots or other infections on websites that are hosted at a specific hosting provider?
I work for a hosting provider and we see a few sites that are infected (usually an IFRAME or JS redirection to another site).
Should we suspend that site so that other users going to that site won't get redirected and then also infected?
I have done this and received lots of flak about it from the website owner, claiming it was the server that was hacked, not his/her site!!! Well, if it was the server, why would it just infect that one site?
Rogers Canada used to cut my brother's internet off all the time (he lives in a house with like 12 people). I think it's a good policy, though they are not very helpful in tracking it down. They also cut the internet at my work recently. On this occasion they were able to tell us the servers it was trying to access and the times it tried, which was helpful in tracking down the infection, but for the most part they just tell you to get rid of the infection or else we cut you off for good. I told my brother to make sure everyone in the house ran malwarebytes a few times every now and then and the problem went away.
you know you can fry stuff putting things into things that dont like the things you put into it...
However, ISPs can offer several types of service:
* A level where they cut you off if you appear to be infected,
* A level where they monitor you and page you and if you don't fix the problem within a few hours, fine you or if you prefer, cut you off.
* A level where you do not want monitoring and take responsibility for your own network, and they fine you if you are infected.
In any case, if you are interfering with their other customers, they have a right to block traffic from you to their other customers. If you are causing physical or electrical harm e.g. if you connect something other than proper equipment to their wires and it disrupts their equipment, they have a right to cut you off. If you or your infected computer is attempting to attack their equipment they have a right to cut you off.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I work for an ISP and we already do this, two warnings and if it's not fixed then we either block certain ports or just cut them off
I wonder how many of the supporting posters also claim they are for net neutrality....
>the ISP would be reasonably justified in cutting off a user from the internet,
the ISP would be reasonably justified in temporarily cutting off a user from the internet while contacting the client with proper info as to which infection they had, or which port they were sending info from, or even some basic help to figure out what to look for , maybe even offer a qualified technician's number, all the while making sure that the user was not billed for those days where they were cut off from the internet, as it is in the contract that they can not stop the service,....
There, fixed that for you!
They should block all internet access, except to remediation websites (antivirus, OS updates, etc.). The problem would be maintaining those lists of remediation websites.
Further, any request to a non-remediation website could redirect them to the most appropriate FAQ listing why they are being blocked and what steps should be done to clean their system (links to the remediation websites).
For crying out loud - how about we stop demanding that the victims be punished (ie: cut off from the net) and try to figure out how to detect and kill these Bot-nets on the infected computer. What are you guys? The RIAA? People with Bot-net infected PCs are victims just as much as those who receive the deluge of spam they produce. Maybe more so since most spam gets caught by the ISPs these days. I got hit by a bot-net infection recently that stole 15GB of traffic off me before I had a chance to spot the problem. I'm astounded that after all this time the so-called leaders in anti-malware software still seem to be unable to prevent, detect, or remove Bot-net infections (and maybe I'm just under-informed about the nature of the problem). But since they don't seem to have a handle on a solution, how about the Slashdot community just stops fantasising about how great it would be if all the noobs got taken off the internet and starts realising that the noobs PAY for the services we all enjoy (we couldn't afford this thing on our own). We have to understand that ISPs don't have the luxury of cutting access to huge chunks of their customer base just to stop bot-nets. They'd go broke and we'd lose OUR access (unless of course we had millions from our startup successes to pay for our own private uplinks, but without noobs to buy our new online services there won't BE any more startup success stories). So the real solution to Bot-nets is YOU. Not the ISPs, because they CAN'T solve it. Not simply to "ban the noobs" because we'd suffer too. YOU guys need to spin up the brain-turbines and figure out how to find and kill these day things, because you're the only ones who CAN. We're counting on you. Go for it, and good luck.
I run the network and servers for a small church. When I built their email and groupware server, I made a very small mistake in the SMTP server config - I allowed any system on the subnet to be treated as a trusted server which could relay. Unfortunately, I forgot that external requests would appear to be coming from the router . . . which is part of the subnet.
The result was that about a week later, I got a call from my ISP. "One of your clients has a virus, and is sending out thousands of emails per minute. We're cutting you off until you manually verify the clients are cleaned of all viruses and running up-to-date virus software".
Some group in China had found my open relay and was using it in an attempt to overload Yahoo's Taiwan servers (which makes me wonder if maybe the Chinese government was involved?). Anyhow, I fixed the problem and actually did take the time to ensure all the anti-virus software was up to date.
What's my point? My ISP was on the ball and did the right thing. Thankfully they allowed me to correct it, but cutting me off was the right action, legally, morally, and ethically. So yes, I think that under certain circumstances, ISPs should take action to protect themselves, their other clients, and in some ways the internet itself.
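The relay mistake in the post above (trusting "any system on the subnet", forgetting the NAT router is one of those systems), shown as an added example that is not the poster's actual configuration: a subnet-based trust rule beside an explicit host allowlist, plus a config check that flags a trusted network containing a gateway address. The addresses, and the assumption that the router presents forwarded connections with its own LAN address, are constructed for illustration.

```python
"""How "anyone on the subnet may relay" becomes an open relay behind a NAT router,
and the explicit-allowlist form that avoids it. Addresses are constructed."""
import ipaddress
from typing import Iterable, List

IPAddress = ipaddress.IPv4Address
IPNetwork = ipaddress.IPv4Network

LAN = ipaddress.ip_network("192.168.1.0/24")            # constructed church LAN
ROUTER = ipaddress.ip_address("192.168.1.1")             # NAT router: also a member of LAN
WORKSTATIONS = {ipaddress.ip_address("192.168.1.20"),    # hosts that genuinely need to relay
                ipaddress.ip_address("192.168.1.21")}
INTERNET_CLIENT = ipaddress.ip_address("203.0.113.77")   # TEST-NET address standing in for a spammer
HARDENED_TRUSTED_NETWORKS = [ipaddress.ip_network(f"{h}/32") for h in sorted(WORKSTATIONS)]

def observed_source(client: IPAddress, port_forwarded_via_nat: bool) -> IPAddress:
    """Source address the SMTP daemon sees. As the post describes, a connection
    forwarded in through the router arrives bearing the router's own LAN address
    (assumption: the router source-NATs forwarded traffic)."""
    return ROUTER if port_forwarded_via_nat else client

def relay_allowed_weak(src: IPAddress) -> bool:
    """The mistake: trust by subnet membership. The router is in the subnet,
    so every forwarded Internet connection inherits relay rights."""
    return src in LAN

def relay_allowed_hardened(src: IPAddress, authenticated: bool = False) -> bool:
    """Trust only named internal hosts; anyone else must authenticate (SMTP AUTH)."""
    return authenticated or src in WORKSTATIONS

def audit_relay_networks(trusted: Iterable[IPNetwork], gateways: Iterable[IPAddress]) -> List[str]:
    """Config check: flag any relay-trusted network that contains a NAT gateway
    address, since forwarded external connections would carry that address."""
    findings = []
    for net in trusted:
        for gw in gateways:
            if gw in net:
                findings.append(f"{net} is trusted for relay but contains gateway {gw}; "
                                "forwarded Internet connections would be relayed")
    return findings

if __name__ == "__main__":
    seen = observed_source(INTERNET_CLIENT, port_forwarded_via_nat=True)
    print("daemon sees", seen, "weak:", relay_allowed_weak(seen),
          "hardened:", relay_allowed_hardened(seen))
    for finding in audit_relay_networks([LAN], [ROUTER]):
        print("finding:", finding)
```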
A lot of folks here have spoken to the competency of the ISPs techs. My previous (anonymous) post regarding my ISP for the church I help shows an example of a GOOD one. They actually called me within minutes of cutting me off, told me the problem (thousands of emails per minute, bandwidth affecting other customers, etc.) and gave me a path to fix it. I had access to virus scanning install files from my home, and told them so, because they offered to bring their laptop to the church to provide the installer. As I said, they didn't need to as I had a good one, but they offered.
Now an example of a bad experience:
Years ago (1998) I moved to my current state and got a small apartment. I immediately signed up with a local dial-up provider. Over the course of the next few weeks, I sent a few emails to my previous employer asking for money they owed me. After being ignored, I sent one demanding payment.
The next day, I can't get online. I call my ISP. "We got a complaint that you were hacking into XXXX company's email servers. We've even got a copy of the email, and the headers prove it. You violated our terms of service, your account is closed.".
So, what led them to believe that I had hacked into XXX company's email servers? My emails had come from . . . "root@localhost". THAT was their "evidence" that I had hacked their email servers and sent demanding emails from within it. When I explained that I ran Linux, hadn't bothered to change the default hostname, and that Linux machines were perfectly capable of sending their own email without having to SMTP into some external server, all I got was a "huh? what are you talking about? That's not how email works, you're full of crap, yada yada yada".
The moral of the story? I will respect, allow, and encourage an ISP to monitor for such things as massive amounts of emails going out (NOT bandwidth) when they are competent and understand the nature of their own business and technology, and are respectful and helpful in correcting the problem. I CANNOT support these actions by an ISP run by a pack of morons, fools, and brutish ignorant jackasses.
Competency counts when exercising authority.
Blocking some ports is sane....
One of the root cause problems is the design of WindowZ... While improved, there should be NO REASON FOR the type of anti virus software many people have to run.
My ISP 'gives' anti-virus software away. I guess it is like power companies helping you to insulate your home so they do not need to add capacity or can sell capacity and at the same time increase their customer base.
It also makes sense for ISPs to invoice the likes of Microsoft for damages inherent in flawed products. The ISP can quantify damages and make a good case
It was customary for the sysadmin to block users on which he saw a lot of traffic on the various ports the bots use (back when bots always used a specific port). The part that I didn't agree with was that he would just cut them off. Then when they called in to tech support pissed off that their internets were down, we'd realize they were shut off because they had spyware. It was more about cutting the user off so they didn't waste company resources than it was about looking out for the users.