Should ISPs Cut Off Bot-infected Users?

richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."

Yes

[grub]

Should ISPs Cut Off Bot-infected Users?

Yes. Some ISPs already cut off P2P users. By comparison botnets are a real threat.

Re:Yes

[mark72005]

I agree. Sounds like a good policy.

Not being able to get online is probably the surest (maybe only) way to get a novice (or under) computer user to take their bot machine offline.

Re:Yes

[c0lo]

But how long until they are taking cars off the road simply because they are driven by the wrong kind of person, or at the wrong speed! This can't be allowed!

It's already happening.

Re:Yes

[TubeSteak]

I agree. Sounds like a good policy.

Not being able to get online is probably the surest (maybe only) way to get a novice (or under) computer user to take their bot machine offline.

I can't wait for a browser exploit that spoofs the walled garden, thus allowing the botmaster to force you to install something really nasty.

Imagine being able to pwn a low privilege account and then having them log in as administrator to install your custom "virus removal" software. You'd never have to bypass any of those fancy OS protections again!.

Re:Yes

[Joce640k]

So long as the "I'm clean now, let me back in!" part is easy, then, yes.

Re:Yes

[paulej72]

We have implemented this at Princeton University. Port 25 blocked, unless you specifically ask for it. All users who were using outside email services also had to change to use port 587 to connect to their mail servers.

We are trying to be good net citizens an not have mail bots running from our network.

Re:Yes

[Jiro]

As long as they give the user a means to get back online through cleaning their system up, and they don't do something silly like requiring you to use a NAC that only runs on one operating system

Of course, the ISP has every right to cut off bot-infected users, and should do so. (There's still the problem of not letting the user get online to get the bot removal software, but that's relatively minor and there are several ways around that).

But a lot of Slashdotters, being more technically competent than the typical Internet user, have experience with ISPs who do, in fact, do something silly, and cutting off bot-infected users has great potential for the ISP to screw over the customer via silliness. ISPs could very well

• Not provide enough information for the customer to figure out that a false alarm is one
• Not have anyone who can understand a customer's explanation about a false alarm
• Announce "we don't support Linux", and if you get a false alarm on it, tough, you just get cut off with no recourse
• Just not have enough personnel to handle users who are cut off (or if they have such personnel, they are following a script in India and can't respond to things the customer might tell them which aren't in the script)
• Cut off customers for other reasons using "botnet" as an excuse, which works especially well when combined with some of the other items above

Re:Yes

[Dthief]

As long as they don't charge me during the period I'm cut off.

Yes!

[Capt.DrumkenBum]

Yes, yes! A million times YES!
A doctor would quarantine a contagious patient. An ISP should quarantinean infected PC.

Yes would be the answer

[markdavis]

>"Should ISPs Cut Off Bot-infected Users?"

After a suitable warning to the customer/administrator, yes. Absolutely. But it should be made very easy for the customer/administrator to reactivate their service, too.

Re:Yes would be the answer

[omglolbah]

Telenor in Norway does this already in a limited way.

If they detect large amounts of email originating from your network they will block the sending of email. (by blocking outgoing connections to the standard mailserver ports).

From what I've read of their limited releases of information on the programme it works quite well. They of course contact you letting you know that you have this problem. Usually through email but if you do not reply they call you ;)

My brother got infected by a worm a while back and my father was not pleased :p Suddenly he couldnt send email... whops? :p
(Oh, and they allow you to email to 'internal' addresses though to allow you to contact them to resolve the issue..)

Re:Yes would be the answer

[sjames]

The answer might be to do something like Comcast's approach of redirecting flagged accounts through a web proxy with a frame at the top and blocking other ports. You don't want to cut them off entirely, since the fix for their problem will go a lot better if they can browse the web and download AV software.

The danger is that they will implement "policies and procedures" and have know-nothing flunkies carry them out mindlessly, but then that's a danger anyway. They will need to actually have knowledgeable people willingly review cases that don't fit on the flow charts. Things like, NO, I do not have Windows virus XYZ, I don't do Windows.

Fully agreed, there must be no punitive element to this. There should be an educational component since most home Windows users simply don't know any better. Even the restrictive aspect should be the minimum necessary to contain the damage and inform the user.

of course they should shut you off

[digitalsushi]

Sure it's fair.

Once you're infected the rest of the Internet with crap, you're costing them more money in tech support calls from people complaining about you. Why would they pay to keep launching your crap packets into the core? Be your own ISP if that's your agenda. If you take care of your network, you won't run into this.

Re:Lets ask in different context

[Yalius]

Because you've apparently never been blacklisted because one of your members sent comcast.net 250,000 spam emails in a 24-hour period. Because you've never had your SMTP server so overloaded with botnetted messages that delays of up to an hour were occurring for legit traffic. Because you've never had to block port 25 for out-of-area SMTP traffic because of complaints from other local partner ISPs. Yes, we disable access for identified botnet members and spammers. The infections of a handful of our members' PCs aren't going to ruin the experience for our other 6500 members.

Cut off vs. filtered

[rwa2]

ISPs should be responsible for filtering out bot activity, but it's not really fair to anyone to cut them off entirely. After all, it's not entirely their fault they got infected... hell even if they're responsible with updates and activity they could have been compromised by some new vulnerability.

Has firewall technology not been able to keep up with bulk ISP traffic or something?

I understand that users ought to control their own home firewall, but ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary. But I guess if they have it, then that means they're kinda liable for configuring it effectively and can thus be held responsible for attack traffic that does get through.

Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond. Which is virtually an eternity in botnet time... which makes that whole approach somewhat pointless.

Re:Cut off vs. filtered

[John+Hasler]

...ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary.

So much for "network neutrality".

Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond.

It's easy to avoid getting infected.

They could do it nicely

[formfeed]

They could just redirect them to a portal, where they get informed that their computer is sending out viruses.

The portal would offer a free virus scanner and the option to have several ports closed by the ISP (checked by default)
- ports that could later be reopened by going to the "experts"-page ;)

If the user insists, they of course can go on and use the internet anyway. But only after clicking "ok" to a sentence declaring that they are now informed and
"solely liable to any damage they might do to the internet"

NAP/NAC

[Keruo]

ISPs should hand out routers which utilize Network Access Protection by default.
The router should verify if the endpoint is clear for internet access, and if it's not, it should limit user access to antivirus vendors, known OS upgrade services etc and requesting user to follow this link to repair their computer(or have it cleaned by someone skilled enough).
There are (or should be!) multi-platform NAP/NAC solutions to do this.

Of course, users should have opt-out option, which allows them to disable the NAP, and take responsibility of maintaining their systems themselves without "middle-maintenance".
Opted out systems would receive direct disconnect until user verifies by phone to the operator that their misbehaving system has been fixed. (for example, spam zombie)

Re:Of course...

[gunnk]

No. You have a DOCTOR cut it out. The question here is whether or not most ISP's are competent in determining what really is bot activity. A bunch of false positives will be miserable -- as will having to prove to some first-tier customer support person that your system is not infected (as in never was) or that it is actually cleaned and should be allowed back online.

And pity the person that has their ISP connection blocked that uses voice over IP to call customer support. If the ISP blocks the MODEM life is going to be interesting.

Oh, and you won't need to look up that phone number, will you?

Overall, getting infected systems of the net is a wonderful idea, but one that could be a complete mess if done poorly.

The serivce in ISP

[syousef]

They're Internet SERVICE Providers. Not Internet Police, nor Internet Guardians. They exist to provide people with access to the Internet for a fee. Now a lot of ISPs already do plenty that is contrary to the best Interests of the customers. Bad behaviour ranges from price gouging and using misleading advertising, to draconian terms of service (usually because they're able to due to a monopoly or collusion), to playing fast and loose with customer's private data (often in the name of anti-piracy). Do you really want to give these same ISPs the power to take a customer's money and provide them with nothing based on nothing other than their own conclusion that a customer is infected? That's madness. An ISP should be providing a customer with help to remove the infection, not removing their access to the Internet.

Slight hypocrisy.

[CannonballHead]

So on one hand, ISPs should not regulate the type of traffic and should not sniff, etc...

On the other hand, ISPs should cut off virus-infected computers. Apparently, they ARE sniffing or monitoring in some way in order to cut you off.

Just wait for a company to decide that being a torrent feeder is being part of a botnet and thus torrent feeders must be cut off. Good luck getting back on again.

If it is really botnet activity, why not just block the botnet activity but not the non-botnet activity? If you can't determine if it's botnet activity well enough, then how are you going to choose who gets cut off?

(I am not necessarily decidedly against this, but at the moment, it seems to be somewhat hypocritical to be against ISP filtering and for ISP cutting off [on their own]. Enlighten me. :) )

Craziness.

[pclminion]

What is it about spam and malware that causes people to completely lose their minds? What are you worried about botnets anyway? Either your system is secure and it won't be a problem for you, or your system is not secure and you are, by your own admission, "part of the problem." This isn't like quarantining carriers of a deadly disease. It's not exactly difficult to secure your own system against the nasties on the internet. But people are here supporting the idea of severing a person's internet connectivity because they've been a victim of some asshole on the internet. I think we can all agree that the internet is culturally revolutionizing, and has already proven itself to be an extremely important tool in the promulgation of free speech. But once you throw this crap in the mix we have people asserting these authoritarian opinions which, quite honestly, scare the shit out of me.

At the very least, if there is some set of criteria for disconnecting somebody from the internet, there must also be criteria for how to get reconnected and a very clear and doable set of instructions how to get back online. Otherwise you will end up permanently silencing people.

Re:Craziness.

[Haedrian]

You're not exactly 100% right.

Firstly, people who are infected often spread the infection amongst other computers, using the social aspect. Maybe you won't open an email from someone you don't know, but your best friend?

Secondly, you're protecting them as much as you're protecting yourself - if they buy something online, their details might be stolen.

Thirdly, they might not realise, and spread the virus anyway through other means, but disconnection makes it sure.

Fourthly, even if your computer is uber-filtered, DDOS attacks, spam sending and other nasties can be done using a botnet, so even if you're not part of it, there's no way around that.

No way

[quatin]

This has happened to me once. I got a virus and a couple hours later, my internet was off. I called the service desk and I was told that my computer was infected and get this, I need to download a patch to fix it. "How do I download a patch when my internet is off, I asked." "Bring your computer to the service center when we open on Monday." I instantly canceled my service. I was a college student at that time. Some tasks required the internet. In fact the only way to turn in my physics homework was to upload it to the server by 2am on Tuesdays and Thursdays. I don't need to be worrying about my internet shutting off at random times and having to make a midnight dash to campus to use the library computer.

I try to keep my computer clean. I run firewalls and I have virus scanners, but if you haven't been infected with a virus before then you haven't been on the internet long enough. Sooner or later you'll get infected and god forbid if you rely on the internet. IE VoIP or server hosting. Why do I get punished for what other people do? Should car manufacturers be able to remotely turn off your car when your car starts to leak oil or freon?

Re:No way

[John+Hasler]

I run firewalls and I have virus scanners, but if you haven't been infected with a virus before then you haven't been on the internet long enough.

I've been on the Internet for about 25 years. No computer under my administration has ever been infected by malware of any sort.

Why do I get punished for what other people do?

You aren't being punished. The Net is being protected.

Should car manufacturers be able to remotely turn off your car when your car starts to leak oil or freon?

Bad analogy. The manufacturer is not shutting off your car. The toll-road operator is telling you to leave and not come back until you fix your oil leak.

Re:No way

[rickb928]

"How do I download a patch when my internet is off, I asked." "Bring your computer to the service center when we open on Monday."

I did a stint at a college help desk. We would have patched your system fully, re-scanned it for anything else, and offered to defrag it if you had the time. And of course offered to install the college-provided office suite if you had time, or just drop the URL on your desktop for you to at your pleasure.

And we would have done it for FREE. Well, your parents did pay an obscene tuition, but with that comes the assumption that they don't want you wasting time with mundane tasks such as cleaning up your machine, and of course the interruption of being infested by your roomie's machine either. Boy, the first couple of weeks starting the Fall term were days and nights of cleaning up incoming machines that had spent the summer on facebook and pr0n.

Quit yer whinin. They probably put in the 80-hour weeks I did getting the incoming crew settled down, and can use a weekend off. Were they gonna charge you? I bet not.

Kids.

Oh, BTW, this was at a very prestigious Northeastern lberal arts and science college. Obscene barely describes the tuition, but the kids coming in were impressive; polite, patient, quick to understand what was going on. It renewed my faith in America, compared to your average state college rabble. Unfortunately, they will be indoctrinated in the most unfortunate theories and balderdash, but many of them overcome that and go on to be productive and valuable members of society. The rest become politicians.

Re:No reason not to do the following

[aardwolf64]

Wait, your big plan is to:
1. Cut off their access (presumably also to e-mail)
2. Send them an e-mail that they must reply to if they want to be able to read email.

And where exactly are they supposed to read this email?

Re:No Way!

[Lunix+Nutcase]

Exactly. Whats from stopping an ISP from simply cutting you off because you were using too much bandwidth, stating that you are infected?

Nothing. Just like nothing is stopping them from doing it now.

Re:Lets ask in different context

[Yalius]

The first time, we take the member's word that they've cleaned or replaced the computer. After that, if it recurs, we need to see either an invoice from a repair shop or retail shop for repair of purchase of a computer. We provide CDs here in our office with removal tools, and we do provide removal and cleanup services.

We also provide download links for security software right from our tech support portal, and a complimentary CD with the same software with every new subscriber. 3 times a year we offer a class on intro to pc and internet security. If someone's still getting infected after all the resources we've made available, then tough love may be just what's needed.

Could not be more wrong

[XanC]

Being able to connect to any port and to receive connections on any port is the definition of Internet access. I absolutely should be able to run a mail server on my home machine.

Now, if the ISP were to block incoming port 25 by default, and people who wanted it could fill out a quick form or something, maybe that would be okay.

Re:Lets ask in different context

[h4rr4r]

When the latest Ubuntu ships I often leave my torrent client seeding for a couple weeks.

Re:Lets ask in different context

[Lanteran]

This is a great thing! Within 3 days of this becoming standard practice, there won't be any windows users with an internet connection!