
Should ISPs Cut Off Bot-infected Users?

CmdrTaco posted more than 3 years ago | from the excising-the-tumor dept.

Botnet 486

richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."

486 comments

Lets ask in different context (3, Insightful)

odies (1869886) | more than 3 years ago | (#33798988)

Should ISPs cut off P2P users that infringe copyrights? Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as copyright infringement would be contrary to the terms of the ISP's acceptable-use policy.

What about posting opinions that the ISP company doesn't like? It's not like it's suppressing free speech as they are a private company.

Or what about if we just let ISPs be what they are supposed to be, common carriers, before this goes to slippery slope?

Re:Lets ask in different context (0)

Anonymous Coward | more than 3 years ago | (#33799028)

That's what would likely happen. They would have an official policy of cutting off bot-infected users but use that to cut off P2P users as well, telling them that their computer was infected by something.

After all, I'm pretty sure that nobody runs P2P 100% of the time, downloading patches for WoW or SC2 doesn't take a week, neither does downloading a Linux distro.

Re:Lets ask in different context (5, Interesting)

Yalius (1024919) | more than 3 years ago | (#33799162)

Because you've apparently never been blacklisted because one of your members sent comcast.net 250,000 spam emails in a 24-hour period. Because you've never had your SMTP server so overloaded with botnetted messages that delays of up to an hour were occurring for legit traffic. Because you've never had to block port 25 for out-of-area SMTP traffic because of complaints from other local partner ISPs. Yes, we disable access for identified botnet members and spammers. The infections of a handful of our members' PCs aren't going to ruin the experience for our other 6500 members.

Re:Lets ask in different context (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33799274)

and P2P context "The bandwidth usage of a handful of our members' PCs aren't going to ruin the experience for our other 6500 members." ?

Re:Lets ask in different context (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33799320)

GP may be exaggerating the problems of the slippery slope, but I think there is a point there. Cutting infected computers completely off the internet is unacceptable, how the hell do you fix the problem with no internet access? If my desktop were to get infected, I'd use my laptop to look up instructions and/or programs I'd need to clean it.

The "walled garden" approach is more justifiable, but I still see it as a dangerous game, because the ISP winds up controlling who is in the walled garden. I would assume that you'd be able to access at least some sites of antivirus vendors, but whose? Does the ISP get to pick? What stops them from selling those rights to a specific vendor? Do I have to purchase Symantec to clear my infection because my ISP won't let me access Kaspersky? Lots of infections require specialized programs to clean infections when they first hit, do I have to wait while my ISP updates to allow access to those programs? What if I get an infection with no currently known cure, do I have to just wait it out? Meanwhile having no ability to contribute to or follow the discussion.

How do I prove that I'm no longer infected? If my desktop is infected, and I turn it off and turn on my laptop, am I still walled off? I agree with the idea conceptually, but logistically it seems completely unworkable, and the fact is it's just not an ISP's job, I pay them to give me internet access, not run my network.

Re:Lets ask in different context (1)

poetmatt (793785) | more than 3 years ago | (#33799306)

even -1 would be too high a rating.

This is not a slippery slope scenario. Botnetted individuals have been cut off for years, so that's not new at all.

Meanwhile, that comment in the article about "Razor thin internet margins" is a load of complete and utter bullshit. Comcast's revenues, as one example, have been on the up for over 4 years straight, up and through these "troubled economic times". If the margin goes down but the volume goes up exponentially then focusing on margin is a load of crap.

Yes (5, Insightful)

grub (11606) | more than 3 years ago | (#33798996)


> Should ISPs Cut Off Bot-infected Users?

Yes. Some ISPs already cut off P2P users. By comparison botnets are a real threat.

Re:Yes (4, Insightful)

mark72005 (1233572) | more than 3 years ago | (#33799056)

I agree. Sounds like a good policy.

Not being able to get online is probably the surest (maybe only) way to get a novice (or under) computer user to take their bot machine offline.

Re:Yes (1)

commodore64_love (1445365) | more than 3 years ago | (#33799506)

Would ye two guys still feel the same way if it was YOU who was cut off, and it turns out you've an infection you don't know how to get rid of?

Re:Yes (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33799082)

Car analogy:

If your beat up old 1980s sedan was damaging the road as it drove, would it be smart for the police to take it off of the road until it is fit for driving?

I think we can all agree that the answer is yes.

Re:Yes (2, Interesting)

FictionPimp (712802) | more than 3 years ago | (#33799182)

But how long until they are taking cars off the road simply because they are driven by the wrong kind of person, or at the wrong speed! This can't be allowed!

Re:Yes (3, Interesting)

c0lo (1497653) | more than 3 years ago | (#33799470)

> But how long until they are taking cars off the road simply because they are driven by the wrong kind of person, or at the wrong speed! This can't be allowed!

It's already happening [abc.net.au].

Re:Yes (1)

d0nster (989432) | more than 3 years ago | (#33799482)

As ISPs go, they already are taking the wrong kind of people going at the wrong speed off the internet (read: p2p users or anyone who goes over the arbitrary download limit). This would be like towing the guy going 5 miles over the posted 70mph speed limit, but not even giving a warning to the guy with the unmarked wide load as he sideswipes other drivers while speeding down the road with a bunch of stolen cash from the latest heist. I don't like what they are already doing, but they should try to protect their network from botnet traffic. What I'm trying to say is that yes, it is a slippery slope. The problem is that the ISPs in America jumped straight to the bottom and missed this needed step on the way there. And for the record, if a machine at my house were to be infected by a botnet, I would appreciate a call from my ISP saying they have suspended my access until I'm cleaned up a lot more than I would appreciate not knowing at all. I would also appreciate not getting verified botnet activity coming down from my ISP.

Re:Yes (1)

Haedrian (1676506) | more than 3 years ago | (#33799504)

Slippery slope argument doesn't always work.

Yes, it's true that it can be abused, and the video that you just downloaded 'magically' contains a virus that only the RIAA and your ISP can find out - but if there's a proper standards test (hell, even packet sniffing will sort that out) - then yes please.

But what we'd need is a standard test. No assumptions.

Re:Yes (2, Funny)

Yvan256 (722131) | more than 3 years ago | (#33799198)

So what you're saying is that bots are damaging the tubes?

Re:Yes (0)

Anonymous Coward | more than 3 years ago | (#33799434)

More precisely, I am saying that they are "in ur tubes loss-ing ur packets".

Re:Yes (1)

Berserker (16946) | more than 3 years ago | (#33799190)

He's right, they should cut bot-infected machines off, but for what they are charging they should then provide the user with a CD/software to clean their PC with so they can get back on the net (good will all the way).

Re:Yes (2, Informative)

natehoy (1608657) | more than 3 years ago | (#33799398)

I'm with Comcast, and they already offer a free subscription to the Norton Security Suite as part of my subscription.

I don't use it, but it's readily available, and free, to Comcast customers.

Hint: If you're with almost any ISP and you're paying for Antivirus you're almost certainly wasting your money. I don't think I've ever been with an ISP that didn't provide free Antivirus if I wanted to download it.

Of course, I'm running Linux, so Norton doesn't do me a lot of good for any of my machines. But there are a few AV scanners for Linux (I run ClamAV).

Re:Yes (0)

Anonymous Coward | more than 3 years ago | (#33799488)

That is true, but the recent round of viruses that peddle fake antivirus software is almost always a step ahead of virus definitions. I do independent computer repair, and almost every infected machine has had an up-to-date antivirus program.

Re:Yes (1)

Omnifarious (11933) | more than 3 years ago | (#33799220)

Yeah, my main worry is they'd use it as an excuse to cut people off for other reasons. But since they're already doing that, I guess that worry is moot.

But I think an ISP should do some investigation to make sure they're cutting off the right people. No being cut off for running a mail server for example.

Re:Yes (1)

Da_Biz (267075) | more than 3 years ago | (#33799436)

> Yeah, my main worry is they'd use it as an excuse to cut people off for other reasons.

This is the potential harm from any sort of "rule" or "policy": it's always open for abuse.

That said, I don't believe this should be a reason why ISPs should not act. It doesn't take a rocket scientist to ascertain activity from a spambot or open relay, with a little more research to ascertain whether or not a zombie node is being used for a DDoS attack.

Said another way: just because you own a car doesn't mean you get to drive it any way you like: if your computer's behavior is causing harm to others in a clear manner, it should be whacked and the owner notified (e.g., routed to an ISP's page informing them of a problem with their node, dynamically close off ports, throttle their connection, etc.).

Re:Yes (0)

Anonymous Coward | more than 3 years ago | (#33799408)

Yes,

and I love XS4ALL (Netherlands) for really doing this for so many years already.

If you have a problem you get a page that you need to clean up your mess, and that a proxy is available in the meantime.

Yes! (4, Insightful)

Capt.DrumkenBum (1173011) | more than 3 years ago | (#33799030)

Yes, yes! A million times YES!
A doctor would quarantine a contagious patient. An ISP should quarantine an infected PC.

Re:Yes! (1)

peterofoz (1038508) | more than 3 years ago | (#33799124)

I like the idea, but would this open a whole new denial of service attack vector? Still, the botnet operators are in it for profit nowadays and this would not make money for them. Perhaps ISPs could detect and shut down the command and control servers on their networks and perhaps blacklist routes to ISPs that host uncontrolled servers. This would probably work for a while until the botnets become even more agile.

Re:Yes! (1)

theaceoffire (1053556) | more than 3 years ago | (#33799374)

"...But would this open a whole new denial of service attack vector?"

Yes.

But to continue the metaphor:
Just because a new virus / disease will come out at some point does not mean that time spent treating the existing problems is a waste.

Re:Yes! (1)

mlts (1038732) | more than 3 years ago | (#33799368)

Any sane enterprise has a mechanism in place where their network fabric will contain a segment if the IDS detects a definite threat.

This really shouldn't be a question -- ISPs should mitigate damage done by customers with poor or no security. It is debatable to stick the customer with the bill for cleanup, but it might be a good idea so Joe Sixpack actually learns to either zip up his fly or pay someone to do it for him. Perhaps a warning or two, then start billing for the janitor work.

Yes would be the answer (4, Insightful)

markdavis (642305) | more than 3 years ago | (#33799038)

>"Should ISPs Cut Off Bot-infected Users?"

After a suitable warning to the customer/administrator, yes. Absolutely. But it should be made very easy for the customer/administrator to reactivate their service, too.

Re:Yes would be the answer (2, Insightful)

RsG (809189) | more than 3 years ago | (#33799244)

Second this. You don't want the solution to be punitive to the infected computer owner, you want it to be disruptive to the botnet operators. A simple "your zombie PC has been disconnected, please contact us to reconnect" followed by instructions on cleaning malware would cut the problem in half. Added bonus, after it happened to them for the first time, the end user would hopefully wise up a bit about security and adopt minimum standards of prevention and safety.

Re:Yes would be the answer (1)

epdp14 (1318641) | more than 3 years ago | (#33799414)

This is a great idea. Also, every consumer ISP that I have ever been a customer of offers some type of antivirus/antimalware suite for free. Maybe this would be the kick in the pants it would take to have novice users install it on their PC(s).

No Way! (1)

CitizenPlusPlus (1867870) | more than 3 years ago | (#33799042)

This is an open door for abuse by ISPs to shut off anyone they think is costing them too much bandwidth.

Re:No Way! (2, Insightful)

chemicaldave (1776600) | more than 3 years ago | (#33799166)

All the more reason to use a structured definition of what constitutes an infected machine instead of pure judgement.

Re:No Way! (0)

Anonymous Coward | more than 3 years ago | (#33799168)

> This is an open door for abuse by ISPs to shut off anyone they think is costing them too much bandwidth.

Exactly. What's stopping an ISP from simply cutting you off because you were using too much bandwidth, stating that you are infected?
Sure, you'd probably be able to reactivate after that happened, but what if they do it again? Or permanently remove you because of repeated 'violations'?

Re:No Way! (2, Insightful)

John Hasler (414242) | more than 3 years ago | (#33799172)

That door has always been wide open.

Re:No Way! (2, Insightful)

JesseL (107722) | more than 3 years ago | (#33799288)

They already do that, and their right to do so is written in their contracts.

Certainly not (1)

McTickles (1812316) | more than 3 years ago | (#33799044)

This would be contrary to net neutrality principles. Any ISP I hear doing that is going to get bad press very quickly.

Yes (0)

Anonymous Coward | more than 3 years ago | (#33799060)

That way, the users would have no way of downloading information to help them fix the infection.

Re:Yes (1)

The MAZZTer (911996) | more than 3 years ago | (#33799212)

Block every port except 443 and 80... this wouldn't stop all bots, but it should make enough of a difference and still allow users the freedom to even choose AV solutions the ISP may not have heard of (which would be a problem if they used an IP whitelist). Also some injection of HTML content every so often (or a redirect to an ISP server) so the user is warned they have an infection and their internet connection is limited until they take steps to remove the infection. Injection would break some web pages but it would be worth it to warn the user imo.

Re:Yes (0)

Anonymous Coward | more than 3 years ago | (#33799352)

Nope. Then the bots will just communicate on those ports. That's too naive.

Should ISPs Cut Off Bot-infected Users? (1)

John Hasler (414242) | more than 3 years ago | (#33799064)

Yes.

Nooo! (0)

Anonymous Coward | more than 3 years ago | (#33799084)

How do they know it's not really me sending a bazillion emails about my er3ctile dysfunt10n?

Maybe I like being a node for the mothership?

Maybe I just want to mess up the Internets for everyone!

My money, my bandwidth.

Heybiff
-Even the Sun goes down...

User agreement (2, Interesting)

0racle (667029) | more than 3 years ago | (#33799090)

If it was spelled out this would constitute a usage violation, then fine, I see no problem.

Yes (2, Funny)

Korveck (1145695) | more than 3 years ago | (#33799092)

Of cour

No (1, Troll)

santax (1541065) | more than 3 years ago | (#33799094)

They should not, for the same reason ISPs should not filter ports (25 anyone) like a lot of them are doing now. Also, to see if someone has an infection you would have to monitor the traffic. While that can be automated, it is none of their business. They just rent an internet pipe to me. How I care for the security of that pipe is up to me. That's what I am paying for. I can see that this would benefit some users and would help make the internet 'safer', but installing a good firewall and virus scanner will keep you reasonably safe also. And one thing still goes btw... if your system is mission critical... consider if it really has to be on a public network. A lot of times it doesn't have to be.

Re:No (1, Flamebait)

TheOldFart (578597) | more than 3 years ago | (#33799270)

Your name is almost an anagram to Xanax, which, by the looks of it, you need a lifetime supply of.

Yes* (2, Insightful)

HenryKoren (735064) | more than 3 years ago | (#33799100)

Yes, but not before first providing ample warning notifications by e-mail, SMS, and robocall.

If you cut somebody off from the net straight away, that prevents the person from downloading the necessary file to take the steps necessary to remove the bot.

Of course... (1)

Lucas123 (935744) | more than 3 years ago | (#33799106)

Don't you cut out gangrenous flesh?

Re:Of course... (5, Insightful)

gunnk (463227) | more than 3 years ago | (#33799238)

No. You have a DOCTOR cut it out. The question here is whether or not most ISPs are competent in determining what really is bot activity. A bunch of false positives will be miserable -- as will having to prove to some first-tier customer support person that your system is not infected (as in never was) or that it is actually cleaned and should be allowed back online.

And pity the person that has their ISP connection blocked that uses voice over IP to call customer support. If the ISP blocks the MODEM life is going to be interesting.

Oh, and you won't need to look up that phone number, will you?

Overall, getting infected systems off the net is a wonderful idea, but one that could be a complete mess if done poorly.

We need a middleground. (0)

Anonymous Coward | more than 3 years ago | (#33799114)

I say no, because that's too much power. However, I think it might be time for ISPs to offer some kind of cloud-based anti-malware ala hitmanPro or maybe hire a cadre of IT ninjas to help their users on-site and off-site. How much would you pay extra for something like that?

Just some ideas that maybe will get modded up and discussed.

What's the recourse? (0)

spmkk (528421) | more than 3 years ago | (#33799130)

So...my kid goes off and surfs somewhere stupid and the family computer gets infected. The ISP cuts me off from the rest of the world, making the internet a safer place for everyone else.

Great. What happens next? Am I stuck in Paypal-like purgatory where they're "reviewing" my account ad nauseam while I have no access to the outside? Do they start snail-mailing me CDs with antivirus software? What would be the EXACT path a customer follows to get back online? Until that's unquestionably clear, nobody should be cutting anybody off.

Re:What's the recourse? (1)

TheOldFart (578597) | more than 3 years ago | (#33799350)

If you allow your kids to play with an unsafe computer, or worse yet, with administrative rights, I would imagine that's your problem, not mine. It will certainly teach a lesson, which is the whole point.

maybe a how-to (0)

Anonymous Coward | more than 3 years ago | (#33799134)

Yes - followed up with a disinfect your PC like this, update regularly, don't do this how-to that lands in their inbox. Maybe a good geolocation for independent repair peeps to contact to follow up if they aren't too clued up in said how-to.

Yes, Is The Upside; However, (0)

Anonymous Coward | more than 3 years ago | (#33799138)

the downside is that bot-infected users are MICROSOFT [microsoft.com] addicted customers.
who comprise 75% of Internet users.

Ooops.............
Deleting 75% of the Internet users is an additional BENEFIT.

Yours In Minsk,
K. Trout

Who said they don't already? (2, Insightful)

Fazeshift (1192371) | more than 3 years ago | (#33799144)

My cable ISP cut me off in 2001, when my roommate got a worm/bot infection due to bad P2P settings. I understand the good intentions, but it then became difficult to reach the right person who could reinstate service once I convinced them my network was clean.

No reason not to do the following (2, Insightful)

gurps_npc (621217) | more than 3 years ago | (#33799146)

There is no reason not to respectfully cut them off. Warn the user with an email that must be replied to before they get any further service.

For all the information the ISPs track from us, they have a responsibility. Pleasing cost (razor thin margins) is no excuse to engage in restless behavior. In a capitalist society we recognize that if you can't pay for the costs of doing business, you go out of business and your competitors eat your lunch. Preventing crime that involves using your service is a reasonable and legitimate business cost. After all, the botnets tend to be one of the major users of ISP resources - particularly if they are doing a Denial of Service attack. So shutting them down lowers the ISP costs, increasing their thin margins.

Re:No reason not to do the following (1)

kwerle (39371) | more than 3 years ago | (#33799370)

"Shutting Off" needs to be better defined. Isolated would be a better phrase.

They should have all WWW traffic redirected to a "You have been infected" site. Complete with instructions about how to fix your machine and an automated way to assert your machine is now clean.

Hell, it's a revenue opportunity - give them an optional page where they can buy [anti-virus software] and the ISP gets a cut.

Am I evil enough to be in marketing?

Re:No reason not to do the following (4, Insightful)

aardwolf64 (160070) | more than 3 years ago | (#33799448)

Wait, your big plan is to:
1. Cut off their access (presumably also to e-mail)
2. Send them an e-mail that they must reply to if they want to be able to read email.

And where exactly are they supposed to read this email?

of course they should shut you off (3, Insightful)

digitalsushi (137809) | more than 3 years ago | (#33799148)

Sure it's fair.

Once you've infected the rest of the Internet with crap, you're costing them more money in tech support calls from people complaining about you. Why would they pay to keep launching your crap packets into the core? Be your own ISP if that's your agenda. If you take care of your network, you won't run into this.

No! (-1, Troll)

CitizenPlusPlus (1867870) | more than 3 years ago | (#33799154)

The solution is not censoring the internet. It is for PC users to ditch Windows and have a safe, modern operating system like Ubuntu installed.

Re:No! (0)

rainmouse (1784278) | more than 3 years ago | (#33799342)

> The solution is not censoring the internet. It is for PC users to ditch Windows and have a safe, modern operating system like Ubuntu installed.

Tried ditching windows for Ubuntu but couldn't make everything work and the installation was a nightmare with endless problems. Sure I'm only one among many but my own experiences said that Ubuntu was not really ready for all desktops, at least not mine.

Since I work for an ISP and Telco (0)

Anonymous Coward | more than 3 years ago | (#33799184)

who will be moving to metered billing soon, I say the more botnets, the better! We'll be raking it in!

Re:Since I work for an ISP and Telco (1)

denis-The-menace (471988) | more than 3 years ago | (#33799386)

Then you (The ISP) will be vilified when the user gets a $400 bill.
He'll tell his friends and neighbours.
Your ISP will then become *INFAMOUS*.

Instead, slow down the guy's connections and try to send the guy notices to tell him that he is "Owned".

Don't stop there. (2, Insightful)

chemicaldave (1776600) | more than 3 years ago | (#33799194)

Restrict them to a subnet that only contains pages related to removing the malicious software.

Cut off vs. filtered (4, Insightful)

rwa2 (4391) | more than 3 years ago | (#33799202)

ISPs should be responsible for filtering out bot activity, but it's not really fair to anyone to cut them off entirely. After all, it's not entirely their fault they got infected... hell even if they're responsible with updates and activity they could have been compromised by some new vulnerability.

Has firewall technology not been able to keep up with bulk ISP traffic or something?

I understand that users ought to control their own home firewall, but ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary. But I guess if they have it, then that means they're kinda liable for configuring it effectively and can thus be held responsible for attack traffic that does get through.

Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond. Which is virtually an eternity in botnet time... which makes that whole approach somewhat pointless.

Re:Cut off vs. filtered (3, Insightful)

John Hasler (414242) | more than 3 years ago | (#33799282)

> ...ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary.

So much for "network neutrality".

> Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond.

It's easy to avoid getting infected.

Re:Cut off vs. filtered (0)

Anonymous Coward | more than 3 years ago | (#33799460)

>...it's not really fair to anyone to cut them off entirely...

It's not really fair that my email server gets hammered by tens of thousands of bot-infected PCs every day, but it does. Cut the fuckers off.

They could do it nicely (4, Interesting)

formfeed (703859) | more than 3 years ago | (#33799210)

They could just redirect them to a portal, where they get informed that their computer is sending out viruses.

The portal would offer a free virus scanner and the option to have several ports closed by the ISP (checked by default)
- ports that could later be reopened by going to the "experts"-page ;)

If the user insists, they of course can go on and use the internet anyway. But only after clicking "ok" to a sentence declaring that they are now informed and
"solely liable to any damage they might do to the internet"

Re:They could do it nicely (1, Troll)

TheOldFart (578597) | more than 3 years ago | (#33799432)

... and the scanner would say: Malicious software found: Windows. Please replace it with anything else... Is it even possible to "clean" a Windows machine? How far behind are these so-called "virus scanners"? Especially these freebies?

Re:They could do it nicely (2, Funny)

blair1q (305137) | more than 3 years ago | (#33799446)

That happens to me every time I visit certain websites.

I get a popup telling me I'm infected and to click "OK" to have my computer scanned.

It's ever so nice of them to do that for me.

Re:They could do it nicely (1)

The MAZZTer (911996) | more than 3 years ago | (#33799494)

"Expert mode" won't work. [msdn.com] Neither will a dialog box [msdn.com] .*

* - Sure that article says "The default answer is Cancel" but it should probably say "The default answer is whatever makes everything appear to work again" which in this case is OK. And the user actually won't have to fix anything in your scenario.

Re:They could do it nicely (0)

Anonymous Coward | more than 3 years ago | (#33799498)

> They could just redirect them to a portal, where they get informed that their computer is sending out viruses. The portal would offer a free virus scanner

But we've been trying to teach people to not trust random webpages that claim "you're infected with a virus, click here for a free scan".

In fact, if somebody's computer were infected with malware of any kind and this sort of thing started showing up, I'd believe that it's the malware at work, not the ISP.

"Thank you for buying our data/voice bundle." (2, Insightful)

tacarat (696339) | more than 3 years ago | (#33799214)

"Your internet service has been suspended due to a virus infection. Please call or email us to get reconnected". .

Re:"Thank you for buying our data/voice bundle." (1)

denis-The-menace (471988) | more than 3 years ago | (#33799420)

Meanwhile the voice service is VOIP and is blocked!

NAP/NAC (3, Interesting)

Keruo (771880) | more than 3 years ago | (#33799226)

ISPs should hand out routers which utilize Network Access Protection by default.
The router should verify if the endpoint is clear for internet access, and if it's not, it should limit user access to antivirus vendors, known OS upgrade services etc and requesting user to follow this link to repair their computer (or have it cleaned by someone skilled enough).
There are (or should be!) multi-platform NAP/NAC solutions to do this.

Of course, users should have opt-out option, which allows them to disable the NAP, and take responsibility of maintaining their systems themselves without "middle-maintenance".
Opted out systems would receive direct disconnect until user verifies by phone to the operator that their misbehaving system has been fixed. (for example, spam zombie)

Local ISP has been doing this for a while (2, Interesting)

Jabaruk1 (1416363) | more than 3 years ago | (#33799240)

My local UK ISP has been doing this for a while, a good 20% of my work has been from people who have been cut off until their PC has the infection removed. NICE

Define 'shut off'. (1)

oneiros27 (46144) | more than 3 years ago | (#33799254)

At the ISP I used to work at more than a decade ago, if we had a customer who wasn't responding to notices by e-mail, we'd move them to a special IP pool, where given ports would be redirected to proxies to make sure they got the message (eg, you're behind on your payments).

You could use this to give them a message they've been infected, while still giving them access to domains / hosts or their anti-virus software.

Of course, in those days, it was all dial-up, so we assigned IP addresses as they came in ... you could still do something when they refresh their DHCP lease. If they get static addresses, your router rules could get big pretty quickly, and you risk a bad rule screwing everyone's traffic up.

The serivce in ISP (3, Insightful)

syousef (465911) | more than 3 years ago | (#33799258)

They're Internet SERVICE Providers. Not Internet Police, nor Internet Guardians. They exist to provide people with access to the Internet for a fee. Now a lot of ISPs already do plenty that is contrary to the best interests of the customers. Bad behaviour ranges from price gouging and using misleading advertising, to draconian terms of service (usually because they're able to due to a monopoly or collusion), to playing fast and loose with customers' private data (often in the name of anti-piracy). Do you really want to give these same ISPs the power to take a customer's money and provide them with nothing based on nothing other than their own conclusion that a customer is infected? That's madness. An ISP should be providing a customer with help to remove the infection, not removing their access to the Internet.

They do (or at least they did) (2, Interesting)

decipher_saint (72686) | more than 3 years ago | (#33799268)

My parents' PC was a fully functional mail server sending out 4-5 GB of e-mail a day. They didn't know this, of course, and complained about internet speeds all the time; the ISP figured it out pretty fast, though, and sent someone over to get it off the network and clean it for 'em.

I was quite surprised at how civil they were about it.

Slight hypocrisy. (5, Insightful)

CannonballHead (842625) | more than 3 years ago | (#33799294)

So on one hand, ISPs should not regulate the type of traffic and should not sniff, etc...

On the other hand, ISPs should cut off virus-infected computers. Apparently, they ARE sniffing or monitoring in some way in order to cut you off.

Just wait for a company to decide that being a torrent feeder is being part of a botnet and thus torrent feeders must be cut off. Good luck getting back on again.

If it is really botnet activity, why not just block the botnet activity but not the non-botnet activity? If you can't determine if it's botnet activity well enough, then how are you going to choose who gets cut off?

(I am not necessarily decidedly against this, but at the moment, it seems to be somewhat hypocritical to be against ISP filtering and for ISP cutting off [on their own]. Enlighten me. :) )

Old News (0)

Anonymous Coward | more than 3 years ago | (#33799298)

10 years ago when I was in college, my computer was disconnected from the network because someone had hacked in through my imap server on to my Linux box and was DDoSing some other server at some other university. It took awhile before I was finally allowed to activate my port again. I think they should do this, but they should also be reasonable and help their users get back up and running safely as quickly as possible.

Some already do (1)

Anthracks (532185) | more than 3 years ago | (#33799312)

I work at a decent sized regional ISP. If a customer is disrupting the network with blatantly viral traffic (like tens of thousands of simultaneous SMTP connections) we shut them off and have tech support walk them through disinfecting their PC. The exception is if they also have VOIP through us since we don't want to be in the position of having cut off someone's only link to 911. The network engineers don't sit around all day looking for infected boxes, but if performance issues are traced to an infected customer they definitely get cut off.
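An added example, not part of the comment above and not any ISP's actual tooling: one way to spot the "tens of thousands of simultaneous SMTP connections" pattern in flow records and honour the VoIP exception. The record format, subscriber names, threshold and action labels are assumptions, and the flows are constructed.

```python
from collections import Counter, defaultdict

def constructed_flows():
    """Constructed sample records (not real traffic): 'epoch_s subscriber dst_ip dst_port'."""
    lines = [f"{t} cust-a 192.0.2.10 25" for t in (0, 400, 900)]        # normal mail client
    lines += [f"{i} cust-a 203.0.113.{i + 1} 443" for i in range(150)]  # web traffic, not SMTP
    for i in range(200):
        lines.append(f"{i // 10} cust-b 198.51.100.{i + 1} 25")  # 200 relays in 20 s
        lines.append(f"{i // 10} cust-c 203.0.113.{i + 1} 25")   # same burst, VoIP customer
        lines.append(f"{i * 600} cust-d 198.51.100.{i + 1} 25")  # 200 relays over ~33 h
    return "\n".join(lines)

def parse_flows(text):
    for line in text.splitlines():
        ts, sub, dst, port = line.split()
        yield int(ts), sub, dst, int(port)

def peak_smtp_fanout(flows, window_s=60):
    """Per subscriber: the most distinct port-25 destinations seen in any sliding window."""
    per_sub = defaultdict(list)
    for ts, sub, dst, port in flows:
        if port == 25:
            per_sub[sub].append((ts, dst))
    peaks = {}
    for sub, events in per_sub.items():
        events.sort()
        live, left, peak = Counter(), 0, 0
        for ts, dst in events:
            live[dst] += 1
            # Expire events that fell out of the window (ts - window_s, ts].
            while events[left][0] <= ts - window_s:
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            peak = max(peak, len(live))
        peaks[sub] = peak
    return peaks

def triage(flows, voip_subscribers, threshold=100, window_s=60):
    """Map each subscriber with SMTP traffic to 'ok', 'cut_off' or 'contact_only'."""
    actions = {}
    for sub, peak in peak_smtp_fanout(flows, window_s).items():
        if peak < threshold:
            actions[sub] = "ok"
        elif sub in voip_subscribers:
            actions[sub] = "contact_only"  # never cut off a line that may carry 911 calls
        else:
            actions[sub] = "cut_off"
    return actions

if __name__ == "__main__":
    print(triage(parse_flows(constructed_flows()), voip_subscribers={"cust-c"}))
```

The sliding window is what keeps cust-d, who reaches the same 200 destinations over a day and a half, from being treated like the 20-second burst.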

Already Done (1)

davegravy (1019182) | more than 3 years ago | (#33799316)

I'm pretty sure I remember Rogers in Toronto cutting me off a years ago due to malware-related data they detected coming from my IP address. They gave me 24hrs notice (but I was away at the time) before cutting me. How a bot-net is considered different is beyond me.

I'm surprised this kind of thing isn't done already worldwide.

Yes (1)

lazycam (1007621) | more than 3 years ago | (#33799332)

At my last university the IT department routinely scanned machines attached to the network and blocked infected machines. Students were required to bring their computers to an IT desk to have the malicious software removed and were instructed on how to properly use a virus scanner or malware removal tool. From what I understand, this policy continues to work well to this day. ISPs should follow Comcast's example by informing individuals their machines are infected, and go the extra step of directing affected parties to paid (or free) scanners that will remove the offending software. Only repeat offenders should lose their privileges (temporarily) to ensure responsible computing habits develop. Just my two cents.

Why not just cut off China and Russia fm Net? (0, Flamebait)

WillAffleckUW (858324) | more than 3 years ago | (#33799338)

A more serious question should be, why don't we just cut off China and Russia, the botnet controllers, from the Net?

That would make more sense.

Re:Why not just cut off China and Russia fm Net? (1)

Haedrian (1676506) | more than 3 years ago | (#33799468)

. . .

Because not all of the population of China and Russia are botnet controllers. You are overgeneralising here. I hope you're joking - but my sarcasm meter is broken.

Craziness. (3, Insightful)

pclminion (145572) | more than 3 years ago | (#33799340)

What is it about spam and malware that causes people to completely lose their minds? Why are you worried about botnets anyway? Either your system is secure and it won't be a problem for you, or your system is not secure and you are, by your own admission, "part of the problem." This isn't like quarantining carriers of a deadly disease. It's not exactly difficult to secure your own system against the nasties on the internet. But people are here supporting the idea of severing a person's internet connectivity because they've been a victim of some asshole on the internet. I think we can all agree that the internet is culturally revolutionizing, and has already proven itself to be an extremely important tool in the promulgation of free speech. But once you throw this crap in the mix we have people asserting these authoritarian opinions which, quite honestly, scare the shit out of me.

At the very least, if there is some set of criteria for disconnecting somebody from the internet, there must also be criteria for how to get reconnected and a very clear and doable set of instructions how to get back online. Otherwise you will end up permanently silencing people.

Re:Craziness. (3, Informative)

Haedrian (1676506) | more than 3 years ago | (#33799444)

You're not exactly 100% right.

Firstly, people who are infected often spread the infection amongst other computers, using the social aspect. Maybe you won't open an email from someone you don't know, but your best friend?

Secondly, you're protecting them as much as you're protecting yourself - if they buy something online, their details might be stolen.

Thirdly, they might not realise, and spread the virus anyway through other means, but disconnection makes it sure.

Fourthly, even if your computer is uber-filtered, DDOS attacks, spam sending and other nasties can be done using a botnet, so even if you're not part of it, there's no way around that.

No way (4, Interesting)

quatin (1589389) | more than 3 years ago | (#33799356)

This has happened to me once. I got a virus and a couple hours later, my internet was off. I called the service desk and I was told that my computer was infected and, get this, I need to download a patch to fix it. "How do I download a patch when my internet is off?" I asked. "Bring your computer to the service center when we open on Monday." I instantly canceled my service. I was a college student at that time. Some tasks required the internet. In fact the only way to turn in my physics homework was to upload it to the server by 2am on Tuesdays and Thursdays. I don't need to be worrying about my internet shutting off at random times and having to make a midnight dash to campus to use the library computer.

I try to keep my computer clean. I run firewalls and I have virus scanners, but if you haven't been infected with a virus before then you haven't been on the internet long enough. Sooner or later you'll get infected and god forbid if you rely on the internet. IE VoIP or server hosting. Why do I get punished for what other people do? Should car manufacturers be able to remotely turn off your car when your car starts to leak oil or freon?

sort of . (1)

nblender (741424) | more than 3 years ago | (#33799358)

I mean generally 'yes' but why not quarantine them to a network that allows them only access to a handful of services needed to get things working again: - Microsoft ? - a non-partisan collection of anti-virus vendor websites - ISP specific help pages - ISP specific log entries outlining proof and nature of infection. - a page that allows, once a day to get service restored on a probationary period to test for successful eradication. - netbsd.org/freebsd.org/ubuntu.com/fedora.com/etc ...

Re:sort of . (1)

nblender (741424) | more than 3 years ago | (#33799394)

oh crap. I should have hit preview... I mean generally 'yes' but why not quarantine them to a network that allows them only access to a handful of services needed to get things working again:
- Microsoft ?
- a non-partisan collection of anti-virus vendor websites
- ISP specific help pages
- ISP specific log entries outlining proof and nature of infection.
- a page that allows, once a day to get service restored on a probationary period to test for successful eradication.
- netbsd.org/freebsd.org/ubuntu.com/fedora.com/etc ...
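An added example, not part of the comments above: a sketch of the quarantine policy this list describes, with the port redirect to a notice proxy that oneiros27 mentions earlier in the thread. The class, the allowlist entries under `.example`, the one-hour probation length and the action labels are assumptions.

```python
DAY = 86400
PROBATION_S = 3600  # assumed length of the probationary window

# Hypothetical allowlist modelled on the list above; the .example names are placeholders.
ALLOWED = ("microsoft.com", "av-vendor.example", "help.isp.example",
           "netbsd.org", "freebsd.org", "ubuntu.com")

class WalledGarden:
    def __init__(self, allowed_suffixes):
        self.allowed = tuple(s.lower() for s in allowed_suffixes)
        self.quarantined = set()
        self.last_probation = {}  # subscriber -> start time of the latest probation

    def quarantine(self, sub):
        self.quarantined.add(sub)

    def release(self, sub):
        """Called once the subscriber's machine has been confirmed clean."""
        self.quarantined.discard(sub)
        self.last_probation.pop(sub, None)

    def host_allowed(self, host):
        host = host.rstrip(".").lower()
        # Match whole DNS labels only, so "notmicrosoft.com" and
        # "microsoft.com.evil.example" do not pass as "microsoft.com".
        return any(host == s or host.endswith("." + s) for s in self.allowed)

    def request_probation(self, sub, now):
        """Grant a trial reconnection at most once per day, and only to quarantined users."""
        last = self.last_probation.get(sub)
        if sub not in self.quarantined or (last is not None and now - last < DAY):
            return False
        self.last_probation[sub] = now
        return True

    def on_probation(self, sub, now):
        last = self.last_probation.get(sub)
        return last is not None and 0 <= now - last < PROBATION_S

    def decide(self, sub, host, port, now):
        """Return 'allow', 'redirect' (to the notice proxy) or 'drop' for one connection."""
        if sub not in self.quarantined or self.on_probation(sub, now):
            return "allow"
        if self.host_allowed(host) and port in (80, 443):
            return "allow"
        if port == 80:
            return "redirect"  # plain HTTP can be answered by the notice proxy
        return "drop"          # everything else, including outbound SMTP, is blocked

if __name__ == "__main__":
    g = WalledGarden(ALLOWED)
    g.quarantine("cust-b")
    for host, port in [("update.microsoft.com", 443), ("notmicrosoft.com", 443),
                       ("news.example.org", 80), ("mx.example.net", 25)]:
        print(host, port, g.decide("cust-b", host, port, now=0))
```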

Yes ... but why stop there? (1)

TardyTardis (1915820) | more than 3 years ago | (#33799362)

Yes they should, but only after offering the opportunity to fix the infection (how are users going to download patches or find the fix without internet access?)

But I think it's time to go at least one step further. The ISPs are going to have to take the responsibility of blocking access to countries, ISPs, and sites that are infected or the source of infections. Like it or not, one of the biggest problems we have right now is that a massive amount of the traffic on the internet is related to criminal activities. If people came to your door every day and left 50 fliers for bogus prescription drugs, there would be an outcry. If you received 100 phone calls a day offering porn, there would be an outcry. If 200 people every day walked up to you on the street and tried to trick you out of your bank account numbers, there would be panic in the streets.

But all of this happens to internet users every day, and nothing is done because the perpetrators hide in other countries that can't be bothered to enforce laws, or they have a different interpretation of the word "fraud".

If on the other hand, no one in China, Estonia, Russia, or South Korea could reach the Internet outside their country because the backbone providers were required to cut off all traffic to or from those countries until they make an attempt to enforce laws, things would change.

Yep. (0)

Anonymous Coward | more than 3 years ago | (#33799364)

As a user of a superior operating system, these bots may not pose a direct threat to me. However, it may hamper my ability to enjoy online games or watch Youtube. If people don't take steps to secure their machines, I don't think they should be able to interfere with my gaming. It isn't like I care about them or anything. If they're doing nothing but causing problems, terminate their service!

Hmm... (0)

Anonymous Coward | more than 3 years ago | (#33799376)

Where I used to work (the ResNet at my alma mater), the policy was to take people off the network who were infected. I would hope that if ISPs were to implement this kind of policy, that they would also include customer support to the individuals unknowingly infected (e.g., "ooo, sweet... I've got a buddy and its name is Bonzi!", or "I just wanted to see the pictures my friend sent to me on AIM...."). /me shrugs.

Yes please (1)

Haedrian (1676506) | more than 3 years ago | (#33799390)

While you're there, throw them a lot of information about why they should have an anti-virus, why they should scan regularly, and why downloading from 'that shady place' is a bad idea.

Maybe it'll stick once they realise they have no internet.

Nose, meet spite. (1)

blair1q (305137) | more than 3 years ago | (#33799416)

ISPs should be able to identify the IP addresses the bot is contacting and block it from getting out of the ISP.

Then it should track down those IP addresses and inform their ISPs that they are hosting a control node for a botnet.

Backbone providers should shut down access from any ISP that refuses to shut down botnet control nodes.

How would they fix it?!? (1)

Quantus347 (1220456) | more than 3 years ago | (#33799422)

So if they shut off the connection, then how is the average person (without multiple boxes etc) supposed to access the tools and information they would need to clean it? And what happens when a bot gets loose that doesn't yet have a public fix? Then you just black out large swaths of the internet until somebody gets around to fixing it (again without internet access)?

At that point the ISPs are doing the work of the hackers themselves. Now you don't need a sophisticated attack to shut down huge chunks of the internet, just a good looking threat. Soon we will see attacks that do nothing more than mimic a botnet enough to trigger whatever automated shut-off the ISPs implement.

Like Communism, this is an idea that looks great on paper, but is doomed to not only fail, but make everything worse in the process.

Re portals/interstitials (1)

SheeEttin (899897) | more than 3 years ago | (#33799454)

From an AC comment [slashdot.org] on yesterday's story [slashdot.org] about Comcast presenting a web-based overlay warning of an infection...

ComcastAntiVirus have detected a infection or your computer. To run free virus removal click here!
www.c0mcast.net/antivirus.exe

Doing it via the browser is a very bad idea. Not only can it be spoofed, it undermines the "don't click those things" mantra that we are trying to ingrain in users' minds.
Cut them off, instant phone call and/or mailing. If they need it, allow them access to antivirus (I believe Comcast has a deal with McAfee) or mail them a CD.

The ISP should work with the customer... (1)

scharkalvin (72228) | more than 3 years ago | (#33799464)

to help him fix the problem. The customer is probably not the villain here and probably doesn't even know that he is botnet infested (after all, ALL windows machines slow down eventually and have to have the OS re-installed, right?). The ISP should try to contact the customer by phone, email or snail mail and first let him know of the problem. Perhaps send him some general information on how to fix his problem, or just point him to the right URLs on the net where he can find the information he needs to fix his problem. (other than by using an Axe on the computer).

Security and Medical (1)

captaindomon (870655) | more than 3 years ago | (#33799466)

This is going to get more interesting as security (home alarm) companies and medical (help, I've fallen and I can't get up) companies are moving all their services to the user's web connection. Once there are a couple of deaths and a fire that don't get reported, these services are going to come under a lot more pressure to not disconnect people without multiple notices through snail mail, etc. type of process.

Reframe this as a friendly Win-Win (2, Informative)

Invisible Now (525401) | more than 3 years ago | (#33799496)

I'd actually appreciate a friendly email from my ISP informing me that they are detecting strange traffic from my IP address and suggesting that I might want to check for a Botnet infection. Detecting sneaky outgoing traffic and other malfeasance is beyond the technical range of many customers.

They might even provide links to resources I could use to detect and remove the Bot. They might even make these resources free, useful (Like pretested and configured against the current signature and MO of the Botnets they're seeing) and come off as concerned and helpful.

This is one area where our interests and the ISP's are aligned. Starting the process with a "cutoff" seems like a lose-lose...

In a word (0)

Anonymous Coward | more than 3 years ago | (#33799510)

maybe. Though strictly speaking beyond most ISPs' remit, the internet still is a cooperative, and that means people ought to cooperate to fix wrongs, not merely point fingers and go ha-ha!

If you are going to "police" or at least act on reports something is amiss beyond the demarc, then put them in quarantine with the tools to fix it, ask for assistance, get the quarantine rectified if it was a false positive, and so on. Oh, and make very clear beforehand what you're doing, in fact put it in the Ts&Cs, and don't assume only one OS exists; it's behind the demarc so you have no right to assume anything unless you have proof. But above all: Simply cutting off isn't going to help.
