
Major Aussie ISP Disconnecting Trojaned PCs

timothy posted more than 9 years ago | from the sorry-fella-you're-wetting-the-sandbox dept.

Security 388

daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.


388 comments


Good. (0, Interesting)

Anonymous Coward | more than 9 years ago | (#12221330)

Good.

Re:Good. (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12221453)

It should also disconnect those rooted Linux-b0xen of clueless Gnetwo-users. Remember always: 40% of the world's spam is sent from rooted Linux-b0xen, while only about 0.5% of the world's b0xen are Linux-b0xen.

Think about it, fanboi.

Wot (-1, Redundant)

curlyjunglejake (874251) | more than 9 years ago | (#12221333)

Oh, dat? Dat's not a Trojan: Dis is a trojan!

My 1st Thoughts (5, Insightful)

reezle (239894) | more than 9 years ago | (#12221338)

"Thank God"

"It's about Time"

"Glad somebody is finally taking an interest in keeping the neighborhood cleaned up"

"Oh crap, is this the first chink in the armor, ISP's can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"

You don't want to go there (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12221374)

"Glenn, you managed to produce a very interesting piece of writing about the 'Goatse' man, but this was let down somewhat by your failure to explain exactly what the image contains."

-- Comment on yr 12 English assignment [zoy.org] [SFW]

Re:You don't want to go there (1)

destinedforgreatness (753788) | more than 9 years ago | (#12221585)

please post the full essay - that comment just teases me :>

Re:My 1st Thoughts (1)

ceeam (39911) | more than 9 years ago | (#12221411)

Oh, come on! Like there are currently no ISPs prohibiting P2P?!

Re:My 1st Thoughts (3, Insightful)

Unipuma (532655) | more than 9 years ago | (#12221428)

"Oh crap, is this the first chink in the armor, ISP's can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"

Fortunately, they can yank the plug because these machines are attacking their DNS servers. Not because these computers are just sending out a lot of DNS requests.

Re:My 1st Thoughts (4, Insightful)

TeraCo (410407) | more than 9 years ago | (#12221470)

ISP's can disconnect people based on their traffic

They've always been able to do that.

Re:My 1st Thoughts (0, Offtopic)

imsabbel (611519) | more than 9 years ago | (#12221564)

Perhaps where you live...
Here a flat rate legally has to be a flat rate, so nobody can complain if you use full bandwidth 24/7.

Re:My 1st Thoughts (2, Insightful)

carl0ski (838038) | more than 9 years ago | (#12221612)

The trojans are causing excessive DNS requests or, worse, attacking the local DNS service. I applaud Bigpond for this. Australia's international link/user ratio is very poor compared to most other continents. And this protects me, you, everyone from lazy/stupid buggers who won't go to the effort to remove malicious programs from their computers, contributing to spam, DOS attacks, remote hacking gateways etc., of which any of us can be the victim!!

Re:My 1st Thoughts (3, Interesting)

Anonymous Coward | more than 9 years ago | (#12221541)

"Oh crap, is this the first chink in the armor, ISP's can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"
I can agree with you on the first 3 statements, but that last is just crap.
Why the fuck should an ISP want to disconnect a user because of his P2P or Torrent uses? If the ISP can't cope with the amount of data flowing through, it shouldn't disconnect a user. If I pay for a 2mbit DSL with no limitations to usage, I want a 2mbit DSL with no limitations. My ISP shouldn't fucking cut off my internet access. Besides, P2P and Torrent can actually be used for something useful. The last 10 times I've used bittorrent, it was for downloading WoW updates and Gentoo and Debian ISOs.
Yes, I know that some people will call me naive, and I DO know that not everyone uses P2P and torrent for these purposes, but that shouldn't change the fact that the ISP shouldn't disconnect a user depending on how he uses his connection as long as he pays for it.

Re:My 1st Thoughts (4, Insightful)

Anonymous Coward | more than 9 years ago | (#12221591)

"Oh crap, is this the first chink in the armor, ISP's can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"

Yeah, that's a valid concern. I think what we are talking about here is the difference between being pragmatic and idealistic.

Idealistically, the ISP would never look at your traffic, and just deliver the pipe. Practically, zombies are degrading the service of other customers significantly, and the ISP is going to know what the problem is.

It's not a perfect Internet yet, we all know that, so I think it's pretty reasonable that certain measures are taken in cases like this.

Just remember to scream really loud when there is an incident of an ISP disconnecting you for something that is perfectly legal.

(PS. It's good to see that the use of Torrents appears to have a high legal/questionable content ratio, whereas the last time I looked at P2P, it was really hard to argue that it wasn't used mainly for illegally copying stuff)

Why is this news!?! (4, Informative)

pctainto (325762) | more than 9 years ago | (#12221339)

ISPs around the world have been doing this for a while now! I live in a house with 12 people and one person had a hijacked computer sending out mail and Adelphia cut us off. Although they never told us that they did (a quick call to customer support hooked us back up).

Seriously, why is this news?

Re:Why is this news!?! (2, Insightful)

MysteriousPreacher (702266) | more than 9 years ago | (#12221394)

It's Australia's biggest ISP according to the posting.

Re:Why is this news!?! (4, Informative)

Yrd (253300) | more than 9 years ago | (#12221401)

And? NTL are one of the biggest ISPs in the UK and they do the same thing.

Re:Why is this news!?! (0)

Anonymous Coward | more than 9 years ago | (#12221430)

Just because businesses in your country have oppressive policies that they inflict upon their customers doesn't mean all countries are like that.

That Australian businesses are censoring content rather than just providing customers with the bandwidth they purchased is news.

Re:Why is this news!?! (-1)

Anonymous Coward | more than 9 years ago | (#12221464)

You are not a very good troll.

Re:Why is this news!?! (-1, Offtopic)

MysteriousPreacher (702266) | more than 9 years ago | (#12221509)

The French overthrew their monarchy some years back. Does this mean it would not be news if the Queen were to be chased out of the UK by an angry mob?

Re:Why is this news!?! (3, Funny)

SQL Error (16383) | more than 9 years ago | (#12221642)

The French overthrew their monarchy some years back.

Yeah, in 1792, but in a typically French fashion, they had to do it again in 1814, then in 1815, once more in 1830, and yet again in 1848 and then several times during the 1870's.

Then they tried to bring it back in 1946, but no-one could agree on who got to be King, so they ended up with President de Gaulle...

Re:Why is this news!?! (2, Informative)

TheScream (147369) | more than 9 years ago | (#12221403)

pctainto wrote:
Seriously, why is this news?
Because it is surprising that BigPond is doing anything proactive in the customer support area given its horrible customer service track record [whirlpool.net.au]. Although, I guess their goal is to save money, not help their customers.

Re:Why is this news!?! (2, Interesting)

GafferFish (852750) | more than 9 years ago | (#12221438)

Save money? I figure they'll be losing revenue based on excess data traffic charges generated by extra traffic caused by the trojans. Note to non-Aussies: BigPond counts both uploads and downloads for data traffic, with excess usage charged at A$0.15/MB. There have been cases of people being hit with very large internet bills for one month (IIRC the largest was in excess of $10,000).

Re:Why is this news!?! (-1, Troll)

NoMercy (105420) | more than 9 years ago | (#12221481)

Slashdot, news for nerds, stuff which matters.
News for morons, stuff which no one gives a damn about.

Re:Why is this news!?! (1, Funny)

slittle (4150) | more than 9 years ago | (#12221562)

Seriously, why is this news?
It's the next step:

1) Patent: {thing}
2) Patent: {thing} on teh intarwebs!
3) Patent: {thing} in Australia!!

Re:Why is this news!?! (1, Informative)

Anonymous Coward | more than 9 years ago | (#12221638)

This is news because when I used to use BIGPOND they would charge you 20 cents per megabyte when you went over a set limit.

They're cutting into their profit margins with this one !!!!

This is a good thing (5, Insightful)

kasperd (592156) | more than 9 years ago | (#12221340)

More ISPs should handle compromised computers this way. Just leaving them around to harm the internet for the rest of us is irresponsible.

Re:This is a good thing (2, Interesting)

zimba-tm (598761) | more than 9 years ago | (#12221416)

Well, there is no need to *disconnect* the computer if all you have to do is block the problematic port. It's so lazy to disconnect a computer. Do they know traffic shaping?

Re:This is a good thing (5, Insightful)

Anonymous Coward | more than 9 years ago | (#12221455)

If you don't disconnect the offending computer, how will the idiot who owns it know they've been an idiot? Disconnecting it totally is a great way to handle the problem, because it forces the idiot to call customer services to find out why their connection no longer works, at which point you can lart them for being an idiot and force them to clean up their idiot-box before you reconnect them. Just silently dropping the offending packets does nothing to educate the idiot involved.

Re:This is a good thing (0)

Anonymous Coward | more than 9 years ago | (#12221503)

I fully agree! Disconnect the computer to make the customer aware of the problem so it can be solved at the root. Trying to work around it by blocking ports is just a sloppy temporary solution which isn't going to solve the problem. //fatal

Re:This is a good thing (5, Interesting)

Dulcise (840718) | more than 9 years ago | (#12221547)

I think ISPs should do what NTL did during the MS Blaster worm outbreak, which is to only allow the user to connect to either the removal tool or a page that contains a link to it and how to use it. It would take more work, but it's better for the customer.

Re:This is a good thing (2, Insightful)

gabba_gabba_hey (309551) | more than 9 years ago | (#12221499)

I'm just going to straight up paste the comment that an AC already posted in order that more people might see it as the AC stated the case almost perfectly (even if a tad abrasively) already:

"If you don't disconnect the offending computer, how will the idiot who owns it know they've been an idiot? Disconnecting it totally is a great way to handle the problem, because it forces the idiot to call customer services to find out why their connection no longer works, at which point you can lart them for being an idiot and force them to clean up their idiot-box before you reconnect them. Just silently dropping the offending packets does nothing to educate the idiot involved."

So mods, please mod up the post I'm quoting if you feel inclined, otherwise ignore this post, thanks!

Re:This is a good thing (4, Insightful)

R.Caley (126968) | more than 9 years ago | (#12221514)

Well, there is no need to *disconnect* the computer if all you have to do is block the problematic port.

I think for 99.9999% of a residential ISP's customers, having their access to DNS blocked would not be noticeably different from disconnection.

Besides, if someone has an infected PC, disconnection is a friendly action. It kicks them up the arse so they have to find out what is going on, and it prevents them being zombied.

We have a collective problem that many many people have PCs on the internet but don't have the kind of basic understanding we demand before we'd allow them onto the road in a car. Sending them back to the garage for a day or two with a hint to learn what the windscreen wipers are for is good for everyone.

Re:This is a good thing (1)

dosius (230542) | more than 9 years ago | (#12221528)

DNS has been extremely unreliable for me as of late with Verizon.

I asked a friend for his DNS settings (small rural "broadband" ISP) and added the entries to my own. It's reliable, if slow.

Moll.

Re:This is a good thing (4, Insightful)

rabbit994 (686936) | more than 9 years ago | (#12221599)

Nothing stopping you from a setting up a local DNS server. We had issues with Comcast DNS until we simply set up our own.

Re:This is a good thing (3, Insightful)

mwvdlee (775178) | more than 9 years ago | (#12221593)

Then again; all the windscreen wipers in the world couldn't stop a group of thugs from spraypainting your windscreen; you'd need lengthy and expensive training in self defense and chemical paint removal.

You just assume that the people will suffice by installing (purchasing?) some equivalent to a windscreen wiper such as antivirus software but that won't be enough for the really nasty ones.

Since the ISP can apparently distinguish between good and bad traffic, can't they filter out any traffic which contains the trojans? They are assuming their non-IT clients can.

Re:This is a good thing (3, Insightful)

R.Caley (126968) | more than 9 years ago | (#12221630)

You just assume that the people will suffice by installing (purchasing?) some equivalent to a windscreen wiper such as antivirus software but that won't be enough for the really nasty ones.

If someone targets you for a sophisticated attack, you are probably not a normal internet user (eg you're commercial or a political site or something), you need professional IT support and shouldn't be using a normal retail ISP.

The threat to normal customers is generic worms and trojans and so on. Things which the basic security everyone should be using will protect against. Just the equivalent of using windscreen wipers when it is raining.

IIRC my ISP supplies some kind of firewall/antivirus package for all customers. (I've had my connection since before this kind of thing became really necessary and don't connect from Windows, so I've never investigated what they are offering). I can't imagine why any ISP would not do that -- the saving in customer support calls alone would more than pay for it.

Re:This is a good thing (5, Interesting)

KiloByte (825081) | more than 9 years ago | (#12221526)

block problematic port

It's not that simple. The attack in question was done by a flood of DNS queries -- you're not really going to cut off port 53, as this is pretty much equal to knocking that person off the Net.

The typical case involves a lot of outgoing connections on port 25 -- you can't really block this as well unless the user in question uses nothing but webmail.

Traffic shaping won't help a lot, either -- it can protect the server, of course, but won't help the user himself. In this case, it will just make their legitimate use prohibitively slow -- their web browser/whatever will compete with the virus they have over the tiny allotted quota of allowed DNS queries.

IMO it's much better to just cut them off outright, telling them that the fault is on their side.

If you want to be nice, you can redirect all their traffic to a web server which gives them a nice idiot-proof message about what they need to do. This is what I've set up for a friend's basement ISP (~30 paying users) -- although in that case, the message was similar to "your payment is due for two months, you didn't heed our reminders".

Re:This is a good thing (0)

Anonymous Coward | more than 9 years ago | (#12221475)

If Joe consumer is paying his ISP $x per month to be able to send/receive $y GB per month, and his computer is doing just that one way or another, I don't see how the ISP can cut him off. Joe is already paying for whatever network resources his computer is accessing.

Is this really news? (2, Insightful)

xiaomonkey (872442) | more than 9 years ago | (#12221344)

ISP has problems with boxes infected with malware. ISP identifies and blocks said boxes. Block is only temporary, and will be lifted when customers disinfect their boxes.....

Where's the story?

Should be the standard (1, Interesting)

Rixel (131146) | more than 9 years ago | (#12221346)

Burn up the SMTP servers, then take your lumps.

All responsible ISPs should apply that logic. Too bad money often replaces responsibility so much.

Re:Should be the standard (1)

Rixel (131146) | more than 9 years ago | (#12221378)

whoops. Should have RTFH

Malware is pretty big as well, though I would think hard to convince the newbie that their box was infected.

"But I just bought it!".

Re:Should be the standard (1)

Armadni General (869957) | more than 9 years ago | (#12221633)

A virgin Windows box has a ten-minute window from the time it connects to the internet to the time it gets a malware/spyware/trojan/some bad thing.

Hmm... makes sense to me! (5, Insightful)

PDA_Boy (821746) | more than 9 years ago | (#12221349)

Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network."

Right- I can smell a cake burning. Let's add more flour! Come on- more flour!

Oh- right- let's take the cake out the oven...

Seems a sensible thing to do to me- tackle the computers causing the problems, rather than trying to react to the problem itself.

Although, tackling the writers of the infecting programs would be good too, if somewhat harder.

Re:Hmm... makes sense to me! (2, Insightful)

enigma48 (143560) | more than 9 years ago | (#12221463)

Yeah - that whole AIDS thing has been a real waste of resources; why bother with non-cures?

I'd give Telstra a big round of applause for at least appearing to try other options before cutting customers off. A significant minority (maybe majority?) of the customers who get cut are going to be *very* uncomfortable when they get called by Telstra. Telling people that their rough driving finally caused their car to break down isn't easy. Many CSRs will be threatened this week.

I've only been in AU for 2 months but from what I'm told, Telstra (until the past 7 years or so) has been a very benevolent monopoly. Being from Canada, most people at least disliked Bell and Rogers (our local telephone and cable monopolies, respectively). When Telstra's customer service tanked, opinion of the company apparently changed quickly. Or maybe it was expressed more often, who knows.

Either way, Telstra seems to have done the right thing. Kudos to the manager who made this decision... it must not have been easy.

Re:Hmm... makes sense to me! (0)

Anonymous Coward | more than 9 years ago | (#12221493)

Telstra (until the past 7 years or so) has been a very benevolent monopoly

Gee, about the time they were partially privatised? Up until then they were 100% government owned.

Re:Hmm... makes sense to me! (1)

Jedi Alec (258881) | more than 9 years ago | (#12221512)

Telling people that their rough driving finally caused their car to break down isn't easy. Many CSRs will be threatened this week.

Perhaps a better analogy would be that folks should not leave the ignition keys in while the car is parked in a dark parking lot that by now is known to have shady elements hanging around looking for cars they can take for joyrides, causing a lot of destruction in the process.

As for threatening CSR's, most callcenters I know generally respond to that kind of thing by simply telling the customer involved that that's really a no-no, and that said customer better cut it out immediately if he wants to be helped at all. Dunno 'bout aussieland, but over here making threats over the phone is still a crime.

Re:Hmm... makes sense to me! (1)

Feztaa (633745) | more than 9 years ago | (#12221637)

Lol, Bell and Rogers? The cellphone companies? Over here in the west, the telephone and cable monopolies are called "Telus" and "Shaw", respectively.

Re:Hmm... makes sense to me! (3, Insightful)

Anonymous Coward | more than 9 years ago | (#12221507)

Umm... when the customer cannot connect to the internet, what do you think happens next?

They call the ISP on the phone.

And they are told to clean their computer.

And the computer either gets cleaned, or they remain off the internet.

Your cake analogy is flawed. Instead, think of an analogy involving quarantine, computers, viruses, ISPs and such. Wait. Instead of an analogy, why not just reason about what's going on in this situation.

What confusion of facts lets you believe that quarantine is not addressing the infection directly? It UNAVOIDABLY causes the customer to fix the infection, or cease to piss in the public internet pool.

Re:Hmm... makes sense to me! (2, Informative)

figment (22844) | more than 9 years ago | (#12221643)

Another said: "I am having problems loading Web pages, I get the 404 [page not found] error. I have to retry five to 10 times to get some places."

Which also is totally not a symptom of DNS timeouts either. You need a response from a webserver to get a 404.

The article just seems poorly written; I wouldn't go out and assume that Telstra just decided to throw 500 new DNS servers at it.

Drastic Measures (5, Interesting)

onosendai (79294) | more than 9 years ago | (#12221350)

These are drastic measures, but given the average BigPond user is much less a geek than anyone frequenting these parts, this will probably be the first time that most of these users will know about it, and given BigPond's previous problems with mail-servers, perhaps they're striking before the problem gets too out of hand.

Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?

Re:Drastic Measures (5, Informative)

Arghdee (813921) | more than 9 years ago | (#12221375)

To expand on this, a lot of you non-Australians should probably know that Telstra Bigpond is the ISP that people choose when they don't know any better.

Value for money wise they rate very poorly compared to the opposition - for ADSL at least.

For those of you that don't know, Telstra is a part government owned company, which owns much of the telco infrastructure in Australia. They like to make life difficult for any competitors.

Also one of the few ISPs in Australia that charges traffic in both directions.

Just in case you guys care :)

Re:Drastic Measures (1)

ArsenneLupin (766289) | more than 9 years ago | (#12221418)

Also one of the few ISPs in Australia that charges traffic in both directions.

Hah! At least that proves that the problem is really serious and not just some silly excuse to take potshots against Windows boxen. They're giving up some revenues, after all!

Re:Drastic Measures (1)

novakreo (598689) | more than 9 years ago | (#12221522)

Hah! At least that proves that the problem is really serious and not just some silly excuse to take potshots against Windows boxen. They're giving up some revenues, after all!

They'd be giving up a lot more if they didn't fix the problem, as people would start to go to better ISPs. Bigpond's DNS performance has been terrible for at least a month now.

I for one would like to see these measures made permanent. Why should the rest of us suffer for the lazy few who can't look after their computers?

Re:Drastic Measures (1)

isecore (132059) | more than 9 years ago | (#12221567)

Why should the rest of us suffer for the lazy few who can't look after their computers?

In my experience it's usually the reverse. It's the lazy/clueless masses that makes life painful for the (relatively) few of us non-morons.

Mathematically... (5, Funny)

Shag (3737) | more than 9 years ago | (#12221354)

if BIGNUM% of PC's are malware-infested (I've heard 80% tossed around) and they get disconnected, suddenly anyone who's looking at their web logs will think that an unusually high number of Big Pond users are on Linux boxen, Macs, etc.

If more ISPs did this, maybe we'd see a decline in sites that only work in MSIE...

Re:Mathematically... (1)

ceeam (39911) | more than 9 years ago | (#12221417)

Oh, so you say that all those "Unix shell accounts" traded "you know where" are in fact Windows shell accounts?

Re:Mathematically... (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12221616)

Actually anyone in Australia who is using Linux would not be using Big Pond anyway.

Good idea to me (5, Interesting)

Rainwulf (865585) | more than 9 years ago | (#12221358)

I think this is a good idea as well. I work in technical support, and the amount of infected machines I have to deal with is just phenomenal. Cutting off the machine's access to the internet both fixes the problem. The customer goes "WTF" and I say, yeah, your machine is infected. Either install *nix or go to a computer store. However, it's open to abuse... define excessive traffic, and what traffic is malware or legitimate traffic. However... since a good 90 percent of spam comes from infected machines as well (go Windows, you good thing, go) it's all thumbs up from me.

er (1, Funny)

Anonymous Coward | more than 9 years ago | (#12221365)

is that "(excess traffic)-causing trojans" or "excess (traffic-causing) trojans"?

i.e. can you get kicked for having only one trojan, or is there a threshold ?

Waste of time? (5, Interesting)

www.sorehands.com (142825) | more than 9 years ago | (#12221376)

They should at least make a phone call to the party so they don't waste time trying to figure out the problem.

Not all people pick up the phone and tolerate the script. Some people actually try to diagnose the problem first.


Most ISPs have language in their terms of service that permits this action. It is a shame that an ISP needs to have their services almost knocked out before taking action.

I'd like to see some ISPs that ignore trojaned machines or support spammers get sued by other customers when their IP blocks end up on block lists.

Re:Waste of time? (3, Informative)

Raumkraut (518382) | more than 9 years ago | (#12221441)

I was 'disconnected' from my ADSL a while back, not because any of my machines were infected, but because I'd tried scanning my company's IP.
My ISP had detected traffic on port 135 (some Windows thing exploited by malware), and automatically stopped forwarding any connections to or from my home machines. The only port which was allowed was port 80, and every web page request was redirected to a help page explaining what had happened. :)

After blocking port 135 at my router, all it took was clicking a link on the aforementioned web page, and my connection was restored automagically.

Rather well implemented, I thought.

Re:Waste of time? (1)

schotty (519567) | more than 9 years ago | (#12221471)

They should at least make a phone call to the party so they don't waste time trying to figure out the problem.

Is there a call center large enough for this? There are a lot of people that can easily fit this bill. Perhaps an autodialer could aid here. An informative computer call may be the best way.

Ahh, just like ResNet! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12221382)

WhaT?

moo? (1)

n0nane (829616) | more than 9 years ago | (#12221393)

I'm sure there are firewall logs one can examine and filter through. Users that are connecting to remote clients on strange ports, or excessive ping requests to a certain IP address, or a port connection across a wide range. With that, someone can filter the IP, and block the customer. That being said, that's a lot of customers being blocked. But it would speed up, no? Though the logging might hurt response times a bit. :\
c/f/s
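The log-filtering approach this post describes, as an added example that is not from the original thread or from any ISP's tooling: it parses constructed BIND-style resolver query-log lines, computes each customer IP's peak query count in any 60-second window, and decides which hosts go into a temporary quarantine and which come back out. The log format, the addresses and the 300-queries-per-minute threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed BIND-9-style query log line (constructed format, not BigPond's):
#   13-Apr-2005 02:15:00.000 client 10.1.1.5#3210: query: www.example.com IN A +
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.(?P<ms>\d{3}) "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\w+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S"


def parse_line(line):
    """Return a dict with ts/ip/name/qtype for a query-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT) + timedelta(milliseconds=int(m["ms"]))
    return {"ts": ts, "ip": m["ip"], "name": m["name"], "qtype": m["qtype"]}


def peak_rates(lines, window_seconds=60):
    """Peak number of queries any single client sent within a sliding window.

    Lines are assumed to be in time order per client (clients are independent,
    so interleaving between clients is fine). Unparseable lines are skipped.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window ending at rec["ts"].
        while (rec["ts"] - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return dict(peak)


def quarantine_decisions(peak, threshold=300, quarantined=frozenset()):
    """Decide who goes into the walled garden and who comes out of it.

    A host is quarantined when its peak rate reaches the threshold. A host
    already in quarantine is released only if it is still seen in the log and
    now sits below the threshold: silence is not evidence of a clean-up, so
    hosts that sent nothing stay quarantined.
    """
    flood = {ip for ip, n in peak.items() if n >= threshold}
    return {
        "quarantine": sorted(flood - set(quarantined)),
        "release": sorted(ip for ip in quarantined
                          if ip in peak and peak[ip] < threshold),
    }


def _line(ts, ip, port, name):
    """Format one constructed log line in the assumed format above."""
    return (f"{ts.strftime(TS_FMT)}.{ts.microsecond // 1000:03d} "
            f"client {ip}#{port}: query: {name} IN A +")


def sample_log():
    """Constructed sample, not real traffic.

    10.1.1.5: normal user, 6 queries spread over 250 s.
    10.1.1.9: flooding host, 400 queries in 40 s (the kind of trojan traffic
              the story describes).
    10.1.1.7: previously quarantined, now only 3 queries in 20 s.
    """
    base = datetime(2005, 4, 13, 2, 15, 0)
    lines = []
    for i in range(6):
        lines.append(_line(base + timedelta(seconds=50 * i),
                           "10.1.1.5", 3210, "www.example.com"))
    for i in range(400):
        lines.append(_line(base + timedelta(milliseconds=100 * i),
                           "10.1.1.9", 1024 + i, f"h{i}.example.net"))
    for i in range(3):
        lines.append(_line(base + timedelta(seconds=10 * i),
                           "10.1.1.7", 4000, "mail.example.com"))
    lines.append("this line is not a query log entry")   # exercises the skip path
    return lines


def run(threshold=300, quarantined=frozenset({"10.1.1.7", "10.1.1.8"})):
    """Apply detection to the sample; 10.1.1.8 is quarantined but silent."""
    return quarantine_decisions(peak_rates(sample_log()), threshold, quarantined)


if __name__ == "__main__":
    for ip, n in sorted(peak_rates(sample_log()).items()):
        print(f"{ip}: peak {n} queries in 60 s")
    print(run())   # {'quarantine': ['10.1.1.9'], 'release': ['10.1.1.7']}
```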

Re:moo? (1)

mikael (484) | more than 9 years ago | (#12221538)

If you have Linux, look at your security logs (System Tools->System Log->Security Log->Filter For "Failed"). You should see all the failed 'ssh' login attempts. For a broadband connection, I get around 60 per day (usually from the same host in Germany/Korea/Taiwan/Spain/whereever).

If I feel particularly nice, I will look up the abuse E-mail address using dnssstuff.com and send a report.

test (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#12221400)

test

Potential boon for alternative OSes (1)

Mr.Progressive (812475) | more than 9 years ago | (#12221406)

Disconnections from my University network pushed me to give GNU/Linux an earnest try. People may not switch in droves, but there may be just enough resultant frustration to have a positive effect.

Re:Potential boon for alternative OSes (1)

jpop32 (596022) | more than 9 years ago | (#12221557)

Disconnections from my University network pushed me to give GNU/Linux an earnest try.

Being ignorant on Windows is not much different than being ignorant on Linux.

Re:Potential boon for alternative OSes (4, Informative)

grolschie (610666) | more than 9 years ago | (#12221594)

Except on most Linux dists:
1). the default user is not an administrator
2). 99.9% of malware cannot run. If it did, then it'd cause minimal damage (see 1.)
3). There is no ActiveX
4). etc, etc, etc

The average Linux (non root) user can be as clueless as he/she likes and won't get into trouble.

Plusnet has a better way. (5, Informative)

Zeussy (868062) | more than 9 years ago | (#12221409)

My ISP (plus.net) monitors any communications on port 135 etc. and if it detects any when you're connected, you get redirected to a Plus.net "you may have been infected with MSBlast" page etc. and it gives you the links to tools to fix it.

Very handy indeed.

Re:Plusnet has a better way. (1)

cs02rm0 (654673) | more than 9 years ago | (#12221485)

Unfortunately, it's really irritating when I nmap someone else to check they've got certain ports stealthed and then find I have to wait for their safety message to disappear.

I don't even run a Windows box.

That was my first thought, too: (1)

imsabbel (611519) | more than 9 years ago | (#12221576)

And now I'm affected and the ISP doesn't let me connect, how do I get some removal utility?
Redirecting is also much more intuitive than a simple "cannot connect" error.

All ISPs should be doing this. (5, Interesting)

Anonymous Coward | more than 9 years ago | (#12221419)

All of these infected Windows boxes are killing the net. If ISPs would simply yank them as they show signs of infection (trojan, worms, etc) UNTIL the customers can demonstrate that they have taken care of problems, then things would be a lot easier.

Catch-22 (4, Insightful)

Mr_Silver (213637) | more than 9 years ago | (#12221429)

Of course, once you have no net connection, it becomes a little difficult to download all the latest Microsoft patches and virus updates to clean your machine so you can get back on the internet.

That's not to say it's impossible, but it wouldn't surprise me that taking a laptop/iPod/some other storage device big enough around to another friend's house and getting all the updates is going to be beyond most people.

Also, last time I checked, I can't download all the updates that have been developed after XP SP2 was released from a machine running Windows 2000.

(side note: I'm on a 56k modem at home and therefore don't have a spare 3 weeks to get the several hundred megabytes of updates - and AutoPatcher XP hasn't been updated after SP2 was released)

Re:Catch-22 (2, Insightful)

Guus.der.Kinderen (774520) | more than 9 years ago | (#12221531)

This is just a random thought, but what about this: after disconnecting, the ISP sends the customer a letter explaining why they dropped the connection, and includes a coupon for a CD with some of the latest Microsoft patches and service packs. They might even work out some deal with an antivirus vendor and add some shareware antivirus kits to cover the costs and send those CDs for free.

Re:Catch-22 (1)

imsabbel (611519) | more than 9 years ago | (#12221586)

Why not just "sandbox" the user into an explanation site and update.windows.com?
If all DNS queries outside of this were dropped from users that are flagged as bad, it would also make the DoS ineffective in the meantime.

Re:Catch-22 (0)

Anonymous Coward | more than 9 years ago | (#12221611)

I believe most ISPs reconnect you as soon as you ring their support line. So the idea here is that the disconnection tells a user that they have an infested PC. Many users won't realize this until they suddenly can't look at web sites any more and ring tech support. They then get reconnected and can go about downloading patches, etc.

Of course, if they are still infested a week or so later, they should be disconnected again.

If they ring up again, get reconnected again and later get disconnected a third time, that just proves what I've believed for years: tech support people should have a red button on their phones that electrocutes the person on the other end of the line. Darwin in action. :P

Re:Catch-22 (1)

Hinhule (811436) | more than 9 years ago | (#12221618)

In this case it seems like there is a specific program installed to disrupt that ISP's traffic. How about they just write a tool to remove the crap and force all pageviews to a site with that removal tool. Once the tool is run and the offending program is removed, the tool sends a message to the ISP letting it know that the machine is clean and patched. The ISP automatically lets the user back on the net.

Yes?

Of course other stuff may have been done to some computers. Used as FTP sites etc.

Nothing new (4, Interesting)

Rob Kaper (5960) | more than 9 years ago | (#12221433)

Dutch ISP Xs4All has been doing this for months/years, blocking all traffic (most notably SMTP) minus SSH and access to their HTTP proxy.

Re:Nothing new (1)

aXis100 (690904) | more than 9 years ago | (#12221472)

Then they're not really an "Internet" service provider are they....more like a "World Wide Web" service provider.

Re:Nothing new (2, Informative)

pe1chl (90186) | more than 9 years ago | (#12221497)

They only put up this block after it has been shown that your system is virus or trojan infected and you have not responded to requests to do something about that.
Normally there is no filtering whatsoever.

How will the user tell the difference? (5, Interesting)

aussie_a (778472) | more than 9 years ago | (#12221439)

Lucky they're ringing up the user, because otherwise the user will just assume that they've been disconnected. Yet again. Bigpond is terrible with keeping its users online (I'm talking broadband here), and believes that two to three disconnects per day is perfectly fine, even when those disconnects last for an hour or more.

I can see it now:
Customer: My broadband is down again.
Bigpond: Oh, I see. Well from time to time this does happen for a brief moment...
Customer: It's been down all day, and it's happened every day this week.
Bigpond: I see.. What's your account *clickety* Oh yes, we've marked you as a computer with a trojan. Please do a virus scan and call us back, if it comes back negative we'll re-connect you.

I'd go with someone else but they're the only broadband provider for my area. And I live in Sydney (the suburbs, an hour from the city itself)

Re:How will the user tell the difference? (1)

Arghdee (813921) | more than 9 years ago | (#12221510)

I'd go with someone else but they're the only broadband provider for my area. And I live in Sydney (the suburbs, an hour from the city itself)

I assume you are referring to cable and not ADSL..

Maybe you should sacrifice your speed and get ADSL with another ISP :P

They aren't the only ones (1)

luke911 (546086) | more than 9 years ago | (#12221462)

Cox Cable has been doing this since the summer of 2003. A blessing in my opinion.

Just traffic? Or trojan traffic? (4, Informative)

SlashDread (38969) | more than 9 years ago | (#12221465)

Look, I'm ALL for ISPs disconnecting "polluting" PCs. They just better make damn sure it's not legit traffic.

My ISP does exactly this: if it suspects trojan traffic it shuts you down (and snail mails you). You subsequently call the helpdesk, they ask what you did to resolve the matter (the ISP provides FREE anti-virus and firewall software). If they are happy with your counter measures, they'll reconnect you in a jiffy.
If you can explain you have a legit reason to hit DNS 9765 times per second, I suspect they'll unlock you too.

I love it.

Re:Just traffic? Or trojan traffic? (0)

Effugas (2378) | more than 9 years ago | (#12221478)

*whistles innocently*

Slow response times? (4, Insightful)

Stephen Samuel (106962) | more than 9 years ago | (#12221489)

One problem with this is that many ISPs are days (or even weeks) behind on responding to complaints. I have a script which automates the process of generating SPAM and virus complaints. In the cases where I've actually gotten a real-live response, it's almost invariably been days after my complaint. (It's only the smallest ISPs that seem to have a fast response time.) In the meantime, these machines have been spewing spam and viruses across the 'net.

If Telstra is like any other large ISP I've seen, I figure that the first thing they should do is hire (or allocate) a good gaggle of AUP investigators so that their intelligence on this problem is reasonably real-time.

They could also write some scripts to log and categorize the DNS queries that they're getting from their customers. It should be fairly easy to automatically identify the worst offenders. You could then send notes to their owners, and if there's no reasonable response, pull the plug. Over the last few years, I think that I've written scripts to do pretty much everything but the last step, so I know it's doable. (that last step should almost always be manual).
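A toy version of the "log and categorize the DNS queries, flag the worst offenders, leave the last step manual" script described above, as an added example that is not the commenter's own code. It assumes BIND 9 style query logging; the log lines, client addresses and the 50 queries/second threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Query-log line in the style of BIND 9 "queries" logging (format assumed).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \d{2}:\d{2}:\d{2})\.\d+ queries: info: "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: one client firing 60 queries for 60 different
# names inside a single second, one client doing three ordinary lookups
# over three seconds, and one line that does not parse at all.
SAMPLE_LOG = "\n".join(
    [f"10-Apr-2005 09:00:00.{i:03d} queries: info: client 203.0.113.7#1{i:03d}: "
     f"query: host{i}.example.net IN A" for i in range(60)]
    + [f"10-Apr-2005 09:00:0{s}.500 queries: info: client 203.0.113.9#1200: "
       f"query: www.example.com IN A" for s in range(3)]
    + ["junk line that does not parse"]
)

def parse_log(text):
    """Yield (second, client_ip, queried_name) for every parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("name")

def rank_clients(text, qps_threshold):
    """Return (ip, peak_qps, total, distinct_names, flagged) rows, worst first."""
    per_second = defaultdict(lambda: defaultdict(int))  # ip -> second -> count
    names = defaultdict(set)                             # ip -> distinct names
    for second, ip, name in parse_log(text):
        per_second[ip][second] += 1
        names[ip].add(name)
    rows = []
    for ip, buckets in per_second.items():
        peak, total = max(buckets.values()), sum(buckets.values())
        # A high peak rate with many distinct names is the flood signature;
        # the row is only flagged for a human to review, never auto-disconnected.
        rows.append((ip, peak, total, len(names[ip]), peak >= qps_threshold))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def offenders(text, qps_threshold=50):
    """Client IPs whose peak queries-per-second reaches the threshold."""
    return [row[0] for row in rank_clients(text, qps_threshold) if row[4]]

if __name__ == "__main__":
    for ip, peak, total, distinct, flagged in rank_clients(SAMPLE_LOG, 50):
        print(f"{ip:<15} peak={peak:3d}/s total={total:3d} "
              f"names={distinct:3d} {'REVIEW' if flagged else 'ok'}")
```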

Re:Slow response times? (1)

pe1chl (90186) | more than 9 years ago | (#12221533)

I agree with that. Each and every incoming Nigerian 419 spam message gets a semi-automatic complaint sent to all involved parties here (only requires a manual confirm to make sure it is really a 419 message and not some misdetection by SpamAssassin).
The idea is that when their reply box gets closed, they won't be able to collect. However, the enthusiastic "we have removed this user's account" message that I seldom receive is rarely within a week of the complaint, making the entire process useless.

For viruses it is often worse. ISPs require "proof" to be sent but when you forward the entire mail it is often "blocked because it contains a virus" or "blocked because it has an attachment - please send only text".
When sending only headers you get "this is not one of our users, look our domain name is never mentioned" or some other "request more information".
Sometimes it feels like they are trying to discourage reporting by tightening the screws ever more, and always having some reply ready that means they won't do anything until YOU do more work for THEM.

Other ISPs block ports in order to reduce threats (3, Informative)

goonerw (99408) | more than 9 years ago | (#12221491)

Aussie ISP Internode (one of the better alternatives to BigPond) deliberately blocks various types of malware (usually port blocking, but other means have been employed such as IP blocking a client's IP) and an advisory is placed on the service status page indicating what is blocked and for how long.

Re:Other ISPs block ports in order to reduce threa (1)

pe1chl (90186) | more than 9 years ago | (#12221520)

That is bad, because those trojans normally use ports they have not reserved with IANA and that are used by other services.
Putting up random port blocks for everyone is going to cause random problems to legitimate users.

suspected PCs? (2, Interesting)

Anonymous Coward | more than 9 years ago | (#12221513)

Why do they talk about 'likely source' and about cutting off 'suspected PCs'?

Why not simply do a precise measurement (get the netflow from the router) and take actions based on correct data rather than guessing?

I for one wouldn't want to be cut off by my ISP because someone at the ISP is guessing.

My permanent boycott of Telstra (4, Informative)

petrus4 (213815) | more than 9 years ago | (#12221543)

Attempting to strangle ADSL adoption, killing the national BBS community when the Internet first became mainstream in Australia in order to force adoption of Big Pond, and a host of other offenses meant that after an extended period of shopping around, I finally stopped using Telstra as a carrier completely last year, and they can now consider themselves permanently boycotted as far as I'm concerned. They are one of the most short-sighted, destructive, and generally amoral corporations I've heard of. They were also vocally criticised by Bill Gates during one of his visits here, for their strangulation of broadband adoption.

Apart from the above, to some degree there are now price incentives to use other carriers as well, particularly for voice. If you've got a credit card, you also might want to check out TPG [tpg.com.au] for ADSL...they probably have the best deals I've seen.

NTL (4, Insightful)

bcmm (768152) | more than 9 years ago | (#12221556)

NTL (UK cable provider) does this. They once started redirecting all HTTP requests from our home network to a page saying "You have netsky. Download this." or something. I had to try this with the Linux box before I believed this wasn't an attempt to distribute malware. Thing is, I checked all the Windows machines with NTL's tool and with Sophos AV, and they were all clean.

Other people with this problem have speculated that Linux machines (which NTL allows but "doesn't support") are sometimes mis-detected as Netsky-infected Windows PCs.

The moral is, if this sort of thing is going to become widespread, they need good detection of many different types of network usage, and they need to tell users by phone instead of just giving them what looks like a default-homepage hijack.

In a similar vein, remember MS marking VNC as spyware? Imagine if an ISP starts taking down VNC servers for the users' own security, etc, etc.

Bigpond... (1, Funny)

Wanon (808109) | more than 9 years ago | (#12221568)

I bet they emailed the customers about the problem. Telstra rocks!

Great news (1)

Junichiro Koizumi (803690) | more than 9 years ago | (#12221571)

This can only fuel the uptake of SkyOS as people realise how the vulnerabilities of the Windows OS can affect them personally.

australia has quite a backward internet model (1)

krunk4ever (856261) | more than 9 years ago | (#12221575)

From what I heard from my Australian friend, broadband is so expensive in Australia that the monthly cost for broadband is more expensive than here in the States (I forget how much). Not only that, it's slower for the price and it caps the user to 5GB a month or some silly low number.

That said, the only thing keeping my friend from switching to broadband is the fact that his dialup account gives him unlimited bandwidth, although capped @ 56k. So in just a little under 9 days he is able to exceed the 5GB limit using his dial-up account (though that requires d/ling non-stop), but that was for calculation purposes only.

But I heard things are slowly changing, and more people are demanding cheaper and better broadband.

Re:australia has quite a backward internet model (0)

Anonymous Coward | more than 9 years ago | (#12221609)

You consider anything that is more expensive "backward"?
I heard that security in the US is more expensive. Quite backward.

Sick are put in quarantine net (on this uni) (5, Interesting)

Anonymous Coward | more than 9 years ago | (#12221597)

When computers here (utwente.nl) are infected it is usually automatically detected, resulting in every web request going to "you're in quarantine, you can download clean-up tools HERE, and when you're clean send us a message HERE. Apart from that you can connect to nothing." If you're interested, it's run by the guys from http://snt.student.utwente.nl

Pretty Standard (4, Interesting)

jchawk (127686) | more than 9 years ago | (#12221610)

I'm surprised it's taken them this long. When one of our customers gets infected with a virus / open proxy / etc... We *gasp* pay attention, shutdown their connection and immediately contact them and help them fix the problem.

It's amazing how quickly you can get your network under control doing this. And 9 times out of 10 the end user is grateful that you were willing to work with them to help them correct the problem.

Fixing infected machines on your network only makes the network a better place for everyone using it.

Happened to me on Shaw (0)

Anonymous Coward | more than 9 years ago | (#12221624)

At one time I had a virus that turned my computer into a POP3 server; the next morning I was disconnected. This itself was perfectly fine, but a few things bugged me. They did nothing to notify me beforehand or afterward about why they disconnected me. To get myself reconnected I had to go through a long process of obtaining the number of the central office of the ISP, calling them between a specific number of hours even though this office was located in a different timezone, and then after all this they told me I needed to get the person who had their name on the account to call.