Slashdot Mirror


Should ISPs Cut Off Bot-infected Users?

richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."

15 of 486 comments

  1. Yes by grub · · Score: 5, Insightful


    Should ISPs Cut Off Bot-infected Users?

    Yes. Some ISPs already cut off P2P users. By comparison botnets are a real threat.

    --
    Trolling is a art,
    1. Re:Yes by mark72005 · · Score: 4, Insightful

      I agree. Sounds like a good policy.

      Not being able to get online is probably the surest (maybe only) way to get a novice (or under) computer user to take their bot machine offline.

    2. Re:Yes by Joce640k · · Score: 4, Insightful

      So long as the "I'm clean now, let me back in!" part is easy, then, yes.

      --
      No sig today...
    3. Re:Yes by paulej72 · · Score: 4, Informative

      We have implemented this at Princeton University. Port 25 blocked, unless you specifically ask for it. All users who were using outside email services also had to change to use port 587 to connect to their mail servers.

      We are trying to be good net citizens and not have mail bots running from our network.

    4. Re:Yes by Jiro · · Score: 4, Insightful

      As long as they give the user a means to get back online through cleaning their system up, and they don't do something silly like requiring you to use a NAC that only runs on one operating system

      Of course, the ISP has every right to cut off bot-infected users, and should do so. (There's still the problem of not letting the user get online to get the bot removal software, but that's relatively minor and there are several ways around that).

      But a lot of Slashdotters, being more technically competent than the typical Internet user, have experience with ISPs who do, in fact, do something silly, and cutting off bot-infected users has great potential for the ISP to screw over the customer via silliness. ISPs could very well

      • Not provide enough information for the customer to figure out that a false alarm is one
      • Not have anyone who can understand a customer's explanation about a false alarm
      • Announce "we don't support Linux", and if you get a false alarm on it, tough, you just get cut off with no recourse
      • Just not have enough personnel to handle users who are cut off (or if they have such personnel, they are following a script in India and can't respond to things the customer might tell them which aren't in the script)
      • Cut off customers for other reasons using "botnet" as an excuse, which works especially well when combined with some of the other items above
  2. Yes! by Capt.DrumkenBum · · Score: 4, Insightful

    Yes, yes! A million times YES!
    A doctor would quarantine a contagious patient. An ISP should quarantine an infected PC.

    --
    If I were God, wouldn't I protect my churches from acts of me?
  3. Yes would be the answer by markdavis · · Score: 4, Insightful

    >"Should ISPs Cut Off Bot-infected Users?"

    After a suitable warning to the customer/administrator, yes. Absolutely. But it should be made very easy for the customer/administrator to reactivate their service, too.

    1. Re:Yes would be the answer by sjames · · Score: 4, Insightful

      The answer might be to do something like Comcast's approach of redirecting flagged accounts through a web proxy with a frame at the top and blocking other ports. You don't want to cut them off entirely, since the fix for their problem will go a lot better if they can browse the web and download AV software.

      The danger is that they will implement "policies and procedures" and have know-nothing flunkies carry them out mindlessly, but then that's a danger anyway. They will need to actually have knowledgeable people willingly review cases that don't fit on the flow charts. Things like, NO, I do not have Windows virus XYZ, I don't do Windows.

      Fully agreed, there must be no punitive element to this. There should be an educational component since most home Windows users simply don't know any better. Even the restrictive aspect should be the minimum necessary to contain the damage and inform the user.

  4. Re:Lets ask in different context by Yalius · · Score: 5, Interesting

    Because you've apparently never been blacklisted because one of your members sent comcast.net 250,000 spam emails in a 24-hour period. Because you've never had your SMTP server so overloaded with botnetted messages that delays of up to an hour were occurring for legit traffic. Because you've never had to block port 25 for out-of-area SMTP traffic because of complaints from other local partner ISPs. Yes, we disable access for identified botnet members and spammers. The infections of a handful of our members' PCs aren't going to ruin the experience for our other 6500 members.

  5. Cut off vs. filtered by rwa2 · · Score: 4, Insightful

    ISPs should be responsible for filtering out bot activity, but it's not really fair to anyone to cut them off entirely. After all, it's not entirely their fault they got infected... hell even if they're responsible with updates and activity they could have been compromised by some new vulnerability.

    Has firewall technology not been able to keep up with bulk ISP traffic or something?

    I understand that users ought to control their own home firewall, but ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary. But I guess if they have it, then that means they're kinda liable for configuring it effectively and can thus be held responsible for attack traffic that does get through.

    Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond. Which is virtually an eternity in botnet time... which makes that whole approach somewhat pointless.

  6. They could do it nicely by formfeed · · Score: 4, Interesting

    They could just redirect them to a portal, where they get informed that their computer is sending out viruses.

    The portal would offer a free virus scanner and the option to have several ports closed by the ISP (checked by default)
    - ports that could later be reopened by going to the "experts"-page ;)

    If the user insists, they of course can go on and use the internet anyway. But only after clicking "ok" to a sentence declaring that they are now informed and
    "solely liable to any damage they might do to the internet"

  7. Re:Of course... by gunnk · · Score: 5, Insightful

    No. You have a DOCTOR cut it out. The question here is whether or not most ISPs are competent in determining what really is bot activity. A bunch of false positives will be miserable -- as will having to prove to some first-tier customer support person that your system is not infected (as in never was) or that it is actually cleaned and should be allowed back online.

    And pity the person that has their ISP connection blocked that uses voice over IP to call customer support. If the ISP blocks the MODEM life is going to be interesting.

    Oh, and you won't need to look up that phone number, will you?

    Overall, getting infected systems off the net is a wonderful idea, but one that could be a complete mess if done poorly.

    --
    Life is short: void the warranty.
  8. Slight hypocrisy. by CannonballHead · · Score: 5, Insightful

    So on one hand, ISPs should not regulate the type of traffic and should not sniff, etc...

    On the other hand, ISPs should cut off virus-infected computers. Apparently, they ARE sniffing or monitoring in some way in order to cut you off.

    Just wait for a company to decide that being a torrent feeder is being part of a botnet and thus torrent feeders must be cut off. Good luck getting back on again.

    If it is really botnet activity, why not just block the botnet activity but not the non-botnet activity? If you can't determine if it's botnet activity well enough, then how are you going to choose who gets cut off?

    (I am not necessarily decidedly against this, but at the moment, it seems to be somewhat hypocritical to be against ISP filtering and for ISP cutting off [on their own]. Enlighten me. :) )

  9. No way by quatin · · Score: 4, Interesting

    This has happened to me once. I got a virus and a couple hours later, my internet was off. I called the service desk and I was told that my computer was infected and get this, I need to download a patch to fix it. "How do I download a patch when my internet is off?" I asked. "Bring your computer to the service center when we open on Monday." I instantly canceled my service. I was a college student at that time. Some tasks required the internet. In fact the only way to turn in my physics homework was to upload it to the server by 2am on Tuesdays and Thursdays. I don't need to be worrying about my internet shutting off at random times and having to make a midnight dash to campus to use the library computer.

    I try to keep my computer clean. I run firewalls and I have virus scanners, but if you haven't been infected with a virus before then you haven't been on the internet long enough. Sooner or later you'll get infected and god forbid if you rely on the internet. IE VoIP or server hosting. Why do I get punished for what other people do? Should car manufacturers be able to remotely turn off your car when your car starts to leak oil or freon?

  10. Re:No reason not to do the following by aardwolf64 · · Score: 4, Insightful

    Wait, your big plan is to:
    1. Cut off their access (presumably also to e-mail)
    2. Send them an e-mail that they must reply to if they want to be able to read email.

    And where exactly are they supposed to read this email?