Slashdot Mirror
Should ISPs Cut Off Bot-infected Users?
richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."
Should ISPs Cut Off Bot-infected Users?
Yes. Some ISPs already cut off P2P users. By comparison botnets are a real threat.
Trolling is a art,
Yes, yes! A million times YES!
A doctor would quarantine a contagious patient. An ISP should quarantinean infected PC.
If I were God, wouldn't I protect my churches from acts of me?
>"Should ISPs Cut Off Bot-infected Users?"
After a suitable warning to the customer/administrator, yes. Absolutely. But it should be made very easy for the customer/administrator to reactivate their service, too.
If it was spelled out this would constitute a usage violation, then fine, I see no problem.
"I use a Mac because I'm just better than you are."
Of cour
Yes, but not before first providing ample warning notifications by e-mail, SMS, and robocall.
If you cut somebody off from the net straight away, that prevents the person from downloading the necessary file to take the steps necessary to remove the bot.
To blog is sublime
My cable ISP cut me off in 2001, when my roomate got a worm/bot infection due to bad P2P settings. I understand the good intentions, but it then became difficult to reach the right person who could reinstate service once I convinced them my network was clean.
For all the information the ISPs track from us, they have a responsibility. Pleasing cost (razor thin margins) is no excuse to engage in restless behavior. In a capitalist society we recognize that if you can't pay for the costs of doing business, you go out of business and your competitors eat your lunch. Preventing crime that involves using your service is a reasonable and legitamate business cost. After all, the botnets tend to be one of the major user of ISP resources - particularly if they are doign a Denial of Service attack. So shutting them down lowers the ISP costs, increasing their thin margins.
excitingthingstodo.blogspot.com
Sure it's fair.
Once you're infected the rest of the Internet with crap, you're costing them more money in tech support calls from people complaining about you. Why would they pay to keep launching your crap packets into the core? Be your own ISP if that's your agenda. If you take care of your network, you won't run into this.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Because you've apparently never been blacklisted because one of your members sent comcast.net 250,000 spam emails in a 24-hour period. Because you've never had your SMTP server so overloaded with botnetted messages that delays of up to an hour were occurring for legit traffic. Because you've never had to block port 25 for out-of-area SMTP traffic because of complaints from other local partner ISPs. Yes, we disable access for identified botnet members and spammers. The infections of a handful of our members' PCs aren't going to ruin the experience for our other 6500 members.
All the more reason to use a structured definition of what constitutes an infected machine instead of pure judgement.
That door has always been wide open.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Restrict them to a subnet that only contains pages related to removing the malicious software.
ISPs should be responsible for filtering out bot activity, but it's not really fair to anyone to cut them off entirely. After all, it's not entirely their fault they got infected... hell even if they're responsible with updates and activity they could have been compromised by some new vulnerability.
Has firewall technology not been able to keep up with bulk ISP traffic or something?
I understand that users ought to control their own home firewall, but ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary. But I guess if they have it, then that means they're kinda liable for configuring it effectively and can thus be held responsible for attack traffic that does get through.
Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond. Which is virtually an eternity in botnet time... which makes that whole approach somewhat pointless.
They could just redirect them to a portal, where they get informed that their computer is sending out viruses.
The portal would offer a free virus scanner and the option to have several ports closed by the ISP (checked by default) ;)
- ports that could later be reopened by going to the "experts"-page
If the user insists, they of course can go on and use the internet anyway. But only after clicking "ok" to a sentence declaring that they are now informed and
"solely liable to any damage they might do to the internet"
"Your internet service has been suspended due to a virus infection. Please call or email us to get reconnected". .
"Common sense will be the death of us all"
ISPs should hand out routers which utilize Network Access Protection by default.
The router should verify if the endpoint is clear for internet access, and if it's not, it should limit user access to antivirus vendors, known OS upgrade services etc and requesting user to follow this link to repair their computer(or have it cleaned by someone skilled enough).
There are (or should be!) multi-platform NAP/NAC solutions to do this.
Of course, users should have opt-out option, which allows them to disable the NAP, and take responsibility of maintaining their systems themselves without "middle-maintenance".
Opted out systems would receive direct disconnect until user verifies by phone to the operator that their misbehaving system has been fixed. (for example, spam zombie)
There are no atheists when recovering from tape backup.
No. You have a DOCTOR cut it out. The question here is whether or not most ISP's are competent in determining what really is bot activity. A bunch of false positives will be miserable -- as will having to prove to some first-tier customer support person that your system is not infected (as in never was) or that it is actually cleaned and should be allowed back online.
And pity the person that has their ISP connection blocked that uses voice over IP to call customer support. If the ISP blocks the MODEM life is going to be interesting.
Oh, and you won't need to look up that phone number, will you?
Overall, getting infected systems of the net is a wonderful idea, but one that could be a complete mess if done poorly.
Life is short: void the warranty.
My local UK ISP has been doing this for a while,a good 20% of my work has been from people who have been cut off until their PC has the infection removed NICE
They're Internet SERVICE Providers. Not Internet Police, nor Internet Guardians. They exist to provide people with access to the Internet for a fee. Now a lot of ISPs already do plenty that is contrary to the best Interests of the customers. Bad behaviour ranges from price gouging and using misleading advertising, to draconian terms of service (usually because they're able to due to a monopoly or collusion), to playing fast and loose with customer's private data (often in the name of anti-piracy). Do you really want to give these same ISPs the power to take a customer's money and provide them with nothing based on nothing other than their own conclusion that a customer is infected? That's madness. An ISP should be providing a customer with help to remove the infection, not removing their access to the Internet.
These posts express my own personal views, not those of my employer
My parents PC was a fully functional mail server sending out 4-5 GB of e-mail a day, they didn't know this of course and complained about internet speeds all the time, the ISP figured it out pretty fast though and sent someone over to get it off the network and clean it for 'em.
I was quite surprised at how civil they were about it.
crazy dynamite monkey
They already do that, and their right to do so is written in their contracts.
"Prefiero morir de pie que vivir siempre arrodillado!"
So on one hand, ISPs should not regulate the type of traffic and should not sniff, etc...
On the other hand, ISPs should cut off virus-infected computers. Apparently, they ARE sniffing or monitoring in some way in order to cut you off.
Just wait for a company to decide that being a torrent feeder is being part of a botnet and thus torrent feeders must be cut off. Good luck getting back on again.
If it is really botnet activity, why not just block the botnet activity but not the non-botnet activity? If you can't determine if it's botnet activity well enough, then how are you going to choose who gets cut off?
(I am not necessarily decidedly against this, but at the moment, it seems to be somewhat hypocritical to be against ISP filtering and for ISP cutting off [on their own]. Enlighten me. :) )
GP may be exaggerating the problems of the slippery slope, but I think there is a point there. Cutting infected computers completely off the internet is unacceptable, how the hell do you fix the problem with no internet access? If my desktop were to get infected, I'd use my laptop to look up instructions and/or programs I'd need to clean it.
The "walled garden" approach is more justifiable, but I still see it as a dangerous game, because the ISP winds up controlling who is in the walled garden. I would assume that you'd be able to access at least some sites of antivirus vendors, but whose? Does the ISP get to pick? What stops them from selling those rights to a specific vendor? Do I have to purchase Symantec to clear my infection because my ISP won't let me access Kaspersky? Lots of infections require specialized programs to clean infections when they first hit, do I have to wait while my ISP updates to allow access to those programs? What if I get an infection with no currently known cure, do I have to just wait it out? Meanwhile having no ability to contribute to or follow the discussion.
How do I prove that I'm no longer infected? If my desktop is infected, and I turn it off and turn on my laptop, am I still walled off? I agree with the idea conceptually, but logistically it seems completely unworkable, and the fact is it's just not an ISPs job, I pay them to give me internet access, not run my network.
What is it about spam and malware that causes people to completely lose their minds? What are you worried about botnets anyway? Either your system is secure and it won't be a problem for you, or your system is not secure and you are, by your own admission, "part of the problem." This isn't like quarantining carriers of a deadly disease. It's not exactly difficult to secure your own system against the nasties on the internet. But people are here supporting the idea of severing a person's internet connectivity because they've been a victim of some asshole on the internet. I think we can all agree that the internet is culturally revolutionizing, and has already proven itself to be an extremely important tool in the promulgation of free speech. But once you throw this crap in the mix we have people asserting these authoritarian opinions which, quite honestly, scare the shit out of me.
At the very least, if there is some set of criteria for disconnecting somebody from the internet, there must also be criteria for how to get reconnected and a very clear and doable set of instructions how to get back online. Otherwise you will end up permanently silencing people.
This has happened to me once. I got a virus and a couple hours later, my internet was off. I called the service desk and I was told that my computer was infected and get this, I need to download a patch to fix it. "How do I download a patch when my internet is off, I asked." "Bring your computer to the service center when we open on Monday." I instantly canceled my service. I was a college student at that time. Some tasks required the internet. In fact the only way to turn in my physics homework was to upload it to the server by 2am on Tuesdays and Thursdays. I don't need to be worrying about my internet shutting off at random times and having to make a midnight dash to campus to use the library computer.
I try to keep my computer clean. I run firewalls and I have virus scanners, but if you haven't been infected with a virus before then you haven't been on the internet long enough. Sooner or later you'll get infected and god forbid if you rely on the internet. IE VoIP or server hosting. Why do I get punished for what other people do? Should car manufacturers be able to remotely turn off your car when your car starts to leak oil or freon?
I'd actually appreciate a friendly email from my ISP informing me that they are detecting strange traffic from my IP address and suggesting that I might want to check for a Botnet infection. Detecting sneaky outgoing traffic and other malfeasance is beyond the technical range of many customers.
They might even provide links to resources I could use to detect and remove the Bot. They might even make these resources free, useful (Like pretested and configured against the current signature and MO of the Botnets they're seeing) and come off as concerned and helpful.
This is one area where our interests and the ISP's are aligned. Starting the process with a "cutoff" seems like a lose-lose...
"Knowing everything doesn't help..."
Exactly. Whats from stopping an ISP from simply cutting you off because you were using too much bandwidth, stating that you are infected?
Nothing. Just like nothing is stopping them from doing it now.
The first time, we take the member's word that they've cleaned or replaced the computer. After that, if it recurs, we need to see either an invoice from a repair shop or retail shop for repair of purchase of a computer. We provide CDs here in our office with removal tools, and we do provide removal and cleanup services.
We also provide download links for security software right from our tech support portal, and a complimentary CD with the same software with every new subscriber. 3 times a year we offer a class on intro to pc and internet security. If someone's still getting infected after all the resources we've made available, then tough love may be just what's needed.
Brilliant! Also, that makes good business sense, as they would have to use the email service that you, as an ISP, kindly provide ... for a fee. We really can't allow those lusers to manage their own mail, oh no sirree.
I would think it was fine if ISP's set up new accounts with most ports closed *and then provided a good, efficient interface for users to open what they want to be open* ... but most (most! there are some good ones out there) ISP staff get that deer-caught-in-the-headlights look when you start to ask questions about outgoing ports. Seriously; I've had the privilege of being told that yes, I would certainly be able to surf the web, when I asked about accessing my own file/media server from the WAN side. Sigh.
"Good news, everyone!"
Being able to connect to any port and to receive connections on any port is the definition of Internet access. I absolutely should be able to run a mail server on my home machine.
Now, if the ISP were to block incoming port 25 by default, and people who wanted it could fill out a quick form or something, maybe that would be okay.
Very true but... I would also point out that ISP customers are...paying customers.
It seems to me like cutting them off is an acceptable solution but, just like the use of deadly force may be legal in some situations, it shouldn't be a matter of "shoot first and ask questions later" either.
I would say, cutting them off is acceptable in circumstances when either a) the end user can't be contacted in a reasonable amount of time b) the end user refuses to acknowledge the problem or take steps to fix it in a reasonable amount of time
Reasonable amount of time, of course, depends on the situation. A machine that is actively participating in a DOS or impacting other users directly is a different case than one thats infected and idle. In any case, its just plain good customer service to contact your customers when there is a problem.
-Steve
"I opened my eyes, and everything went dark again"
Well here in the Netherlands I think there is 1 provider left who lets you run your own server. All the others block your traffic on 25, forcing you to use their mailservers. Which is a bitch when you also run some domains from home. I don't know how my comment made me a troll... What is wrong with free internet? What is the next step? Should ISP's cut of customers who search for a word that some goverment doesn't like? ISP's should not cut of anyone. They should make sure their internal network is ok and protected. The only reason I can see why someone would drop a connection is when someone is sending out so much data that the pipes get to full. And that would be the only case. In all other cases I would say: just give your customers some virussollution. So that the ones that care, can protect themselves and the ones that don't haven't to be bothered by it. Doesn't mean I can't see why some people are in favor of this. Just not me. But I am not trolling here lol :P
I mean they don't already? My ISP (Cox) does. Back in the day one of my roommates got a worm. Didn't know this, of course. I came home, my Internet wasn't working. Called the ISP, they told me what was up. I said "Ok computer is unplugged I'll have him clean it when he gets home." They said "Good deal, your net is back on."
Seems like a good idea to me.
In that process of training & service for PCs don't forget the possibility that it might not be the computer that is infected:
There are viruses now that can infect routers and modems.
I can only imagine how pissed off a customer is going to be if their ISP insisted that they pay a professional to clean their computer and are still being denied internet access because their router is infected.
Warning: This sig is not thread safe. For more information see Slashdot's sig policy.
how the hell do you fix the problem with no internet access? If my desktop were to get infected, I'd use my laptop to look up instructions and/or programs I'd need to clean it.
Sounds like you answered your own question. You don't use the infected computer to fix itself. If the computer is infected then step #1, even before diagnosis, is to remove the machine from any network connections, wired or otherwise. This is especially important in a business environment. If the infected computer is your only access to the internet, take it into a shop and let the pros deal with it. If it's not, spend some time to research the problem, burn the needed tools and documentation onto a CD, and try to clean it yourself.
Continuing to spam the network and reduce everyone else's bandwidth is not the right answer.
I pay them to give me internet access, not run my network.
Right. And their terms say that you're not allowed to send out large quantities of spam, I assume. When your computer starts doing that then the agreement ends, they no longer have to honor their end to provide you with service when you're abusing that service.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
When the latest Ubuntu ships I often leave my torrent client seeding for a couple weeks.
Didn't say Mcafee. Didn't allude to Mcafee. We provide links for Avast and Avira.
Now, who should try again?
This is a great thing! Within 3 days of this becoming standard practice, there won't be any windows users with an internet connection!
"People don't want to learn linux" hasn't been a valid excuse since '03.
"After that, if it recurs, we need to see either an invoice from a repair shop or retail shop for repair of purchase of a computer."
You assume that your users are incapable of cleaning an infection? It's quite possible that they know what they're doing but got infected twice. You're also assuming that any repair shop actually knows what they're doing. Geeksquad routinely misses malware after you pay them to clean it and they often mistake malware-filled laptops as "not fast enough to run windows xp".
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
Right, which is why the ISPs ought to be throttling rather than disconnecting end users. It greatly reduces the value of a compromised computer, allows the user to download necessary patches and lessens the impact on the rest of the net. Rather than sending 250 000 spam emails in 24 hours, you might throttle it down to only 25 000 messages. Or possibly less if you just block certain ports.
Right to broadband exists in Finland. Won't be long before all the backwards nations of the world catch on to the importance and follow suite.
mediocrity rules, man