Slashdot Mirror

← Back to Stories (view on slashdot.org)

Should ISPs Cut Off Bot-infected Users?

Posted by CmdrTaco on from the excising-the-tumor dept.

richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."

11 of 486 comments (clear)

  1. Yes by grub · · Score: 5, Insightful


    Should ISPs Cut Off Bot-infected Users?

    Yes. Some ISPs already cut off P2P users. By comparison botnets are a real threat.

    --
    Trolling is a art,
    1. Re:Yes by mark72005 · · Score: 4, Insightful

      I agree. Sounds like a good policy.

      Not being able to get online is probably the surest (maybe only) way to get a novice (or under) computer user to take their bot machine offline.

    2. Re:Yes by Joce640k · · Score: 4, Insightful

      So long as the "I'm clean now, let me back in!" part is easy, then, yes.

      --
      No sig today...
    3. Re:Yes by Jiro · · Score: 4, Insightful

      As long as they give the user a means to get back online through cleaning their system up, and they don't do something silly like requiring you to use a NAC that only runs on one operating system

      Of course, the ISP has every right to cut off bot-infected users, and should do so. (There's still the problem of not letting the user get online to get the bot removal software, but that's relatively minor and there are several ways around that).

      But a lot of Slashdotters, being more technically competent than the typical Internet user, have experience with ISPs who do, in fact, do something silly, and cutting off bot-infected users has great potential for the ISP to screw over the customer via silliness. ISPs could very well

      • Not provide enough information for the customer to figure out that a false alarm is one
      • Not have anyone who can understand a customer's explanation about a false alarm
      • Announce "we don't support Linux", and if you get a false alarm on it, tough, you just get cut off with no recourse
      • Just not have enough personnel to handle users who are cut off (or if they have such personnel, they are following a script in India and can't respond to things the customer might tell them which aren't in the script)
      • Cut off customers for other reasons using "botnet" as an excuse, which works especially well when combined with some of the other items above
  2. Yes! by Capt.DrumkenBum · · Score: 4, Insightful

    Yes, yes! A million times YES!
    A doctor would quarantine a contagious patient. An ISP should quarantinean infected PC.

    --
    If I were God, wouldn't I protect my churches from acts of me?
  3. Yes would be the answer by markdavis · · Score: 4, Insightful

    >"Should ISPs Cut Off Bot-infected Users?"

    After a suitable warning to the customer/administrator, yes. Absolutely. But it should be made very easy for the customer/administrator to reactivate their service, too.

    1. Re:Yes would be the answer by sjames · · Score: 4, Insightful

      The answer might be to do something like Comcast's approach of redirecting flagged accounts through a web proxy with a frame at the top and blocking other ports. You don't want to cut them off entirely, since the fix for their problem will go a lot better if they can browse the web and download AV software.

      The danger is that they will implement "policies and procedures" and have know-nothing flunkies carry them out mindlessly, but then that's a danger anyway. They will need to actually have knowledgeable people willingly review cases that don't fit on the flow charts. Things like, NO, I do not have Windows virus XYZ, I don't do Windows.

      Fully agreed, there must be no punitive element to this. There should be an educational component since most home Windows users simply don't know any better. Even the restrictive aspect should be the minimum necessary to contain the damage and inform the user.

  4. Cut off vs. filtered by rwa2 · · Score: 4, Insightful

    ISPs should be responsible for filtering out bot activity, but it's not really fair to anyone to cut them off entirely. After all, it's not entirely their fault they got infected... hell even if they're responsible with updates and activity they could have been compromised by some new vulnerability.

    Has firewall technology not been able to keep up with bulk ISP traffic or something?

    I understand that users ought to control their own home firewall, but ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary. But I guess if they have it, then that means they're kinda liable for configuring it effectively and can thus be held responsible for attack traffic that does get through.

    Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond. Which is virtually an eternity in botnet time... which makes that whole approach somewhat pointless.

  5. Re:Of course... by gunnk · · Score: 5, Insightful

    No. You have a DOCTOR cut it out. The question here is whether or not most ISP's are competent in determining what really is bot activity. A bunch of false positives will be miserable -- as will having to prove to some first-tier customer support person that your system is not infected (as in never was) or that it is actually cleaned and should be allowed back online.

    And pity the person that has their ISP connection blocked that uses voice over IP to call customer support. If the ISP blocks the MODEM life is going to be interesting.

    Oh, and you won't need to look up that phone number, will you?

    Overall, getting infected systems of the net is a wonderful idea, but one that could be a complete mess if done poorly.

    --
    Life is short: void the warranty.
  6. Slight hypocrisy. by CannonballHead · · Score: 5, Insightful

    So on one hand, ISPs should not regulate the type of traffic and should not sniff, etc...

    On the other hand, ISPs should cut off virus-infected computers. Apparently, they ARE sniffing or monitoring in some way in order to cut you off.

    Just wait for a company to decide that being a torrent feeder is being part of a botnet and thus torrent feeders must be cut off. Good luck getting back on again.

    If it is really botnet activity, why not just block the botnet activity but not the non-botnet activity? If you can't determine if it's botnet activity well enough, then how are you going to choose who gets cut off?

    (I am not necessarily decidedly against this, but at the moment, it seems to be somewhat hypocritical to be against ISP filtering and for ISP cutting off [on their own]. Enlighten me. :) )

  7. Re:No reason not to do the following by aardwolf64 · · Score: 4, Insightful

    Wait, your big plan is to:
    1. Cut off their access (presumably also to e-mail)
    2. Send them an e-mail that they must reply to if they want to be able to read email.

    And where exactly are they supposed to read this email?