Australian ISPs To Disconnect Botnet "Zombies"

Posted by CmdrTaco
from the want-braaaains dept.
jibjibjib writes "Some of Australia's largest ISPs are preparing an industry code of conduct to identify and respond to users with botnet-infected computers. The Internet Industry Association, made up of over 200 ISPs and technology companies, is preparing the code in response to an ultimatum from the federal government. ISPs will try to contact the user, slow down their connection, and ultimately terminate the connection if the user refuses to fix the problem. It is hoped that this will reduce the growth of botnets in Australia, which had the world's third-highest rate of new 'zombies' (behind the US and China)."
  • by Anonymous Coward on Monday January 25, 2010 @11:43AM (#30890778)

    Not quite an accurate solution, but statistically close enough...

    • by gparent (1242548)
      Because then no one would live in Australia.
      • by asdf7890 (1518587)

        Because then no one would live in Australia.

        If a few people move out, that would be a benefit. Don't they have a growing people vs resources problem over there, hence the relatively strict immigration rules?

        (for the emotionally/intellectually deficient out there who need this pointing out: yes, I'm being facetious here)

    • by thinktech (1278026) on Monday January 25, 2010 @11:46AM (#30890840)
      Having a computer beneath the notice of hackers is a great idea. That's why I only post on Slashdot using my WebTV console.
    • by Anonymous Coward

      They don't need to disconnect bad users. They should just give a discount to users who are running secure operating systems that are more resilient to malware infections than Windows is.

      For example, give OpenBSD users a 50% discount, since it's quite unlikely that their system will ever get infected or compromised. The same can probably be done for users using Solaris, NetBSD, FreeBSD and commercial UNIXes.

      Linux and Mac OS X are more widely used than the aforementioned systems, so the chance of them getting

      • by lwriemen (763666)

        OS/2 and eComStation users should get a 75% discount!

      • by hedwards (940851)
        And yet we take away the license of people that drive in an irresponsible fashion. If you're not willing to take responsibility for your actions, or are unable to, then there needs to be some way of hammering home the damage that you're doing to the group. Just like those idiots that endanger everybody else by refusing to get vaccinated against serious illnesses.

        In this case, sure it's not a life or death decision, but spam, phishing, malware, child porn, and other nastiness does ruin lives. Slowing the
        • by daveime (1253762)

          A couple years back malware was using 2/3 of the bandwidth, I shudder to think what it is now.

          Ooo, must be at least 150% by now ...

      • by tuxgeek (872962)

        Disconnecting people from the Internet over something they're not willingly doing is completely absurd, and in many ways should be considered criminal in the Western world

        This statement of yours is completely absurd

        A computer that's a zombie node of a botnet is most likely dishing out spam by the thousands by the minute effectively clogging the InterTubes with digital feces. Additionally it is also part of any DDoS attack associated w/ that particular botnet's activities.

        This makes that computer engaging i

        • by PRMan (959735)
          And if you are driving down the road with a smoking car, you can get a ticket, even if "you're not willingly doing it".
        • The owner of said computer is negligent and should have their connection isolated until the computer engaged in infraction is cleaned.

          Calling the owner negligent is assuming a lot. Don't get me wrong - plenty of them probably are. But you can have your box automatically downloading patches, run a top-tier antivirus package, avoid visiting shady websites, and still get yourself infected by some 0-day exploit served off an ad server used by a respectable website (say, CNN).

          Disconnecting infected users is a worthwhile idea. Though wonder if malware writers won't adapt to that - detect disconnections or unusually slow throughput, go into a

    • It just occurred to me that if you can identify those computers that have botnets running, you have to be able to identify what that botnet traffic is. Why not just filter that out?

      • by Lumpy (12016)

        Simple! Fingerprint all users' computer OS. Block all Windows OSes.

        Oh yeah, and my computer keeps playing a wav file that says.....

        Brains............Need Brains.........

        Damn windows updates!

    • It definitely will make an impact if all countries follow suit with a similar program.
      Contacting the owner is the first good step. As for limiting connection speeds, well, I don't get that, especially if I paid for full speed; whether I am using it for spam or not, it is paid for. But let me know that I am spamming millions of emails per day, and I will change my computer install yesterday.

  • Bad Precedent? (Score:5, Insightful)

    by Anonymous Coward on Monday January 25, 2010 @11:45AM (#30890816)

    I'd rather not have my ISP decide what is a "virus" or "inappropriate communications" thank you. If the users are consuming too much bandwidth then disconnect them on those grounds, but please don't set this precedent.

    • Re:Bad Precedent? (Score:4, Interesting)

      by houstonbofh (602064) on Monday January 25, 2010 @12:02PM (#30891102)
      Exactly what defines "zombie?" I am just betting p2p is in that list...
    • Re:Bad Precedent? (Score:5, Informative)

      by v1 (525388) on Monday January 25, 2010 @12:30PM (#30891684) Homepage Journal

      They usually watch for excessive traffic on specific ports. Since the most immediately profitable use of a botnetted machine is spam, the majority of botnetted PCs are either running open mail relays or are themselves functioning as outgoing mailservers. Many ISPs (including two in my area) watch for excessive traffic going OUT on TCP port 25. Unless you are running a mailserver, your computer has no legitimate reason to send out over that port in volume. Most ISP mailservers are SSL nowadays anyway and are off port 25, so you don't even need to use that if you are connecting to your ISP's mailserver from off-network (and many ISPs outright block port 25 outgoing from anything in their network besides their mailserver). Many ISPs react the same if your computer is listening on port 25 (acting as an open relay).

      So if you are pushing megs (or gigs) a day every day on port 25, there's better than 99% chance your machine is botnetted. It doesn't take speculation to figure that out, and the odds of false-positives are very close to zero.

      That said, I have no sympathy for someone that knows their computer has a problem that's causing other people grief. That's the most basic understanding of the problem that is given when your ISP gives you a phonecall or email saying you have a problem and need to fix it or we will cut you off. If you're too stupid to acknowledge this and take responsibility for fixing it, or just plain don't care, I'd much rather see you off the internet and out of my Inbox. If you don't care that someone else has violated you by hijacking your computer that's fine with me, until they start using it to violate me, and that's when I start having a say in the matter.

      If you want a fun example to separate the computer from the problem, here's something easier to understand: ABC Construction company does building demolitions. They leave their explosives on site and not locked up. They keep getting their explosives stolen. OK, I don't care about that, it's their loss. But then stuff around town starts getting blown up and the explosives are easily traced back to you. That's when it's time for the police to come have a talk with you about securing your explosives. You do not have the right to continue leaving dangerous things so easily accessible that the public is constantly being hurt by them. Even if you want to ignore your moral responsibility for it, the public won't stand for it and you lose your say in the matter. You WILL secure your things or you WILL go away.

      Another excellent example is how several states legally require you to have a lock on your anhydrous ammonia tanks to prevent theft and use in drug manufacture. Also, most universities now are requiring students to install AV software on their computers before they're allowed to use the campus net. Your precedents have already been set.

      • by mikael_j (106439)

        ...Many ISPs react the same if your computer is listening on port 25 (acting as an open relay)

        Of course, practically all mail servers listen on port 25 since that's the standard port for receiving unencrypted incoming mail...

        /Mikael

        • by Lumpy (12016)

          Most also listen on port 80, simply to bypass the useless port 25 blocking that most ISPs use.

      • That said, I have no sympathy for someone that knows their computer has a problem that's causing other people grief.

        What about people who do not care enough to find out? That is most people. They do not know, because they do not care.

        My solution would be to allow victims to sue anyone who is negligent for the consequences. I think making everyone whose machine is in a botnet jointly and severally liable for all damage would be excessive, but each of them should face a liability big enough to be worth suing over.

      • My ISP (Clearwire, fwiw) has on several occasions throttled me down to about 5 KB/s until I call and ask what's up. I get a level 1 tech who reads me the entire "have you run your antivirus software lately, do you leave your computer on all the time, etc." script before I can tell him that I run os x on a laptop that spends most of its time at work.

        The call immediately goes up the chain, I have to explain myself again, I get put on hold for a minute or two, and then the problem is mysteriously solved. All w

        • by Culture20 (968837)

          I don't run any internet-facing servers- in fact, my firewall is locked down as far as it can be without causing problems for myself, and every nonessential service and port is closed. My wireless network uses WPA2 and MAC filtering. All that, and I was identified several times as a zombie.

          Have you port-sniffed your computer with another machine? Port sniffed your wireless router? Your router might be a zombie, and I've seen Mac zombies that look benign from the OS side, but have ports open that the GUI says are closed.

          • Yes, I've run tests on my network that confirm what I already thought. I have a small Dell mini with a few network utilities installed that I've used to troubleshoot issues in the past (said dell spends almost zero time connected to the internet).

            It was actually during the course of scanning my network that I came across all my neighbors.

            I just scanned again for my personal edification, and everything is locked down. The only thing I can't control is my clearwire modem, but I've been trying unsuccessfully t

    • This bot net crap has to stop, I wish they would do that here. Disconne.....{#`%${%&`+'${`%&NO CARRIER")

    • by bill_kress (99356)

      It doesn't really matter what you want if your ignorance is leading to these kinds of problems.

      And bandwidth isn't a very good indicator since each individual bot doesn't have to actually send all that much info.

      Personally I think there are certain patterns that could be gleaned from the traffic to help determine if there is a problem. Hundreds of failed connections or invalid packets per second, for instance.

      Do I want to give the power of choice to the ISP? Not really, but who else is able to do it?
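Two of the heuristics in this thread, v1's "megs a day going OUT on TCP port 25" and bill_kress's "hundreds of failed connections per second", are easy to run over flow records, and doing so also shows why raw bandwidth (the BitTorrent objection raised elsewhere on the page) is a poor signal. The block below is an added example, not code from the page, from the IIA code of conduct or from any ISP. The record format, the thresholds, the declared-mail-server allowlist and the sample flows are all constructed assumptions; `summarise`, `classify` and `find_zombies` are hypothetical names.

```python
# Added example (not code from the page, the IIA code of conduct or any ISP):
# flow-based "zombie" heuristics. Assumed record format, one flow per line:
#   epoch_seconds src_ip src_port dst_ip dst_port proto flags bytes
# where flags is the union of TCP flags the exporter saw ("S" = SYN only,
# "SA" = handshake completed, "R" = reset). Thresholds are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field

SMTP_BYTES_PER_WINDOW = 5_000_000   # outbound bytes to tcp/25 from one source
SMTP_MIN_PEERS = 50                 # distinct remote MTAs contacted
FAILED_PER_SECOND = 100             # SYN-only or reset flows in any one second
KNOWN_MAIL_SERVERS = {"203.0.113.25"}   # subscribers who declared a mail server (assumed)


@dataclass
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str
    nbytes: int


def parse_flows(text):
    """Parse the assumed exporter format into Flow records, skipping comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, flags, nbytes = line.split()
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), proto, flags, int(nbytes)))
    return flows


@dataclass
class SourceStats:
    smtp_bytes: int = 0
    smtp_peers: set = field(default_factory=set)
    failed_per_sec: dict = field(default_factory=lambda: defaultdict(int))


def summarise(flows):
    """Per-source counters for the two heuristics discussed in the thread."""
    stats = defaultdict(SourceStats)
    for f in flows:
        if f.proto != "tcp":
            continue
        s = stats[f.src]
        if f.dport == 25:                       # v1: volume OUT on tcp/25
            s.smtp_bytes += f.nbytes
            s.smtp_peers.add(f.dst)
        if f.flags in ("S", "R", "SR"):         # bill_kress: failed connections per second
            s.failed_per_sec[f.ts] += 1
    return stats


def classify(src, s):
    """Return the reasons a source looks botnetted; an empty list means clean.

    Raw byte volume is deliberately not a reason on its own: a BitTorrent user
    moves far more data than a spam bot but completes its handshakes and never
    touches tcp/25."""
    reasons = []
    if (src not in KNOWN_MAIL_SERVERS
            and s.smtp_bytes >= SMTP_BYTES_PER_WINDOW
            and len(s.smtp_peers) >= SMTP_MIN_PEERS):
        reasons.append(f"smtp: {s.smtp_bytes} bytes to {len(s.smtp_peers)} remote MTAs")
    worst = max(s.failed_per_sec.values(), default=0)
    if worst >= FAILED_PER_SECOND:
        reasons.append(f"failed connections: {worst} in one second")
    return reasons


def find_zombies(text):
    """Map each flagged source IP to its list of reasons."""
    out = {}
    for src, s in summarise(parse_flows(text)).items():
        reasons = classify(src, s)
        if reasons:
            out[src] = reasons
    return out


def constructed_sample():
    """Constructed flow records for one window; not data from any ISP."""
    lines = []
    for i in range(80):   # 198.51.100.7: spam bot, 8 MB of mail to 80 different MTAs
        lines.append(f"{1000 + i} 198.51.100.7 {40000 + i} 192.0.2.{i + 1} 25 tcp SA 100000")
    for i in range(80):   # 203.0.113.25: declared mail server doing the same thing legitimately
        lines.append(f"{1000 + i} 203.0.113.25 {40000 + i} 192.0.2.{i + 1} 25 tcp SA 100000")
    for i in range(300):  # 198.51.100.9: worm scanning tcp/445, 300 SYN-only flows in one second
        lines.append(f"2000 198.51.100.9 {50000 + i} 198.18.{i // 256}.{i % 256} 445 tcp S 60")
    for i in range(20):   # 198.51.100.12: ordinary browsing, two hosts unreachable
        lines.append(f"{3000 + i} 198.51.100.12 {42000 + i} 192.0.2.{100 + i} 443 tcp SA 250000")
    lines.append("3020 198.51.100.12 42020 192.0.2.200 443 tcp S 60")
    lines.append("3021 198.51.100.12 42021 192.0.2.201 443 tcp R 40")
    for i in range(200):  # 198.51.100.30: heavy BitTorrent user, 1 GB of established flows
        lines.append(f"{4000 + i} 198.51.100.30 6881 192.0.2.{i + 1} {51000 + i} tcp SA 5000000")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, why in find_zombies(constructed_sample()).items():
        print(ip, "->", "; ".join(why))
```

Run as is, it flags only the spam bot and the scanner: the declared mail server is excluded by the allowlist, the browsing host has two failed connections rather than hundreds, and the torrent user, by far the biggest consumer of bytes, is never looked at because volume alone is not a criterion. A real deployment would tune the thresholds against a baseline and keep the allowlist in a subscriber database rather than a constant, but the separation of "volume on tcp/25 to many peers" from "volume" is the point.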

  • What would happen if those ISPs notice increased profit and customer satisfaction (overall) when they are paying less for resources used up by bots? (Assuming they don't have problems with false-positives or find far too many customers being cut off, etc.)
  • It's not like everyone knows how to (and in some cases cannot afford to hire someone to) remove botnets from their machine. I hope the ISPs will provide this kind of support as part of standard service before they consider disconnecting users...
    • Many shops 'round here reinstall Windows and your apps (keeping your personal files) for 40. I doubt you can't find similar services in Australia.

    • Re: (Score:3, Insightful)

      by amorsen (7485)

      If they can't afford to keep their machine clean, they don't go on the Internet. Sucks to be them. They don't get to pass on the cost of their mistakes to everyone else, like they do if you just keep their connection alive.

      Yes I work for an ISP. Yes that's in our terms and conditions.

    • by gmuslera (3436) on Monday January 25, 2010 @01:24PM (#30892658) Homepage Journal
      Then don't disconnect zombies. Redirect any request from those IPs to a web page that explains the situation and why that computer shouldn't be on the net, for their own good, and offer direct downloads of the most typical cleaning tools and other applications essential at that stage, and maybe list local companies that do the cleaning if the person doesn't want to do a fresh format.
  • by ATestR (1060586) on Monday January 25, 2010 @11:48AM (#30890872) Homepage

    if the user refuses to fix the problem

    The users who are likely to be infected by a bot are the least likely to be able to "fix the problem".

    • by MrMr (219533) on Monday January 25, 2010 @11:56AM (#30891014)
      Being unwilling to learn, or unwilling to ask someone who does know, would still qualify as refusing to fix the problem.
      Here's a car analogy for you:
      The users who are likely to crash by failing brakes are the least likely to be able to repair their own brakes...
      • This is the deal - it is about responsibility, about being a part of a community. Behaving in a way that harms other users, whether it is the road, the internet or anything else for that matter, is frankly wrong. The internet wouldn't be here if it wasn't for other people participating in this network. We therefore have a right to expect, in return for our participation, acceptable behaviour. If you don't like it - go build your own internet.
      • Re: (Score:2, Offtopic)

        by Tim C (15259)

        I don't know about the situation in your country, but here in the UK any car over a certain age undergoes mandatory regular testing (the MOT), which is designed to check the road-worthiness of the car. These tests are paid for by the owner of the car, and not having a valid MOT certificate brings all sorts of problems (not least of which is that it invalidates your insurance).

        Perhaps the same should be true of PCs? Since we're equating poorly maintained cars with poorly maintained PCs.

        • Nobody gets run over by an infected computer. Fixing the computer after the fact is good enough

        • Go away.....NOW! (Score:4, Insightful)

          by tacokill (531275) on Monday January 25, 2010 @05:12PM (#30895834)
          Oh god, no. This is a very very bad idea. We do not need to have our PC's "certified" by a Ministry, Department, or any 3rd party for that matter. Yes, they have done that for cars for pollution testing but it makes no sense for computers.

          Do you seriously want some twithead bureaucrat telling you what a "safe" PC is and what a "dangerous" PC is?

          I want you to choose a number from 1 to 60. This number represents the amount of seconds before Linux (or some other disliked-by-those-in-power application) goes onto the "dangerous" list. This number also represents how many days you have to install a properly maintained OS, such as those produced by Microsoft, onto your PC. Within 10 days, please bring us proof that you have made the correct repairs and we will waive your fine. Oh, but court costs are 200 euro. Thank you, drive through.


          I am deadly serious when I say this: This is one of the all-time worst ideas I have ever read on Slashdot.
      • I agree that the car analogy has some merit, but it is incomplete. It is more like someone is driving around in a car with a manufacturing flaw that is not obvious. You don't see that the brake is not working. When you brake everything works fine, when you accelerate everything is fine, maybe a little slow but fine. What you don't know is that someone is using part of your trunk to transport drugs, because the lock was made such that they could open it up and put it in, open it up and take it out without yo

    • by gad_zuki! (70830) on Monday January 25, 2010 @12:07PM (#30891194)

      Who cares? He owns it, it's his responsibility to fix it. Pay someone if he can't figure it out and stop clicking on NAKED_PHOTOS.EXE or doesn't understand why he should be doing those Microsoft updates. Should we also coddle drivers with unsafe cars because they aren't mechanics?

      It's only when there's a financial incentive to keep a machine patched and thinking before clicking that people will begin doing so. Or switching to OSX or Linux. The status quo of not taking responsibility for your own computer isn't sustainable and isn't helping anyone.

      • Re: (Score:2, Insightful)

        by Syberz (1170343)

        OK, I just had to jump in here. I'm tired of the people who say "Switch to linux and the spam/virus/worm problem will be solved!". It wouldn't solve sh*t! The spammers and virus/worm makers would just develop for the new platform, and the only reason that Linux is so secure is that the malware devs aren't developing payloads that attack it.

    • > The users who are likely to be infected by a bot are the least likely to be
      > able to "fix the problem".

      Unplugging the computer fixes the problem.

    • so what? (Score:3, Insightful)

      everyone talks about their rights, but few speak up about their responsibilities

      if people don't live up to their responsibilities, they lose their rights. not as a matter of some government mandate, but as a simple logical, natural consequence of ruining things- the internet, safe roads, a healthy economy, etc., for other people

      • if people don't live up to their responsibilities, they lose their rights. not as a matter of some government mandate, but as a simple logical, natural consequence of ruining things- the internet, safe roads, a healthy economy, etc., for other people

        That shits on centuries of philosophical thought.

        I think you confuse the word 'right' with the word 'privilege'. Driving a car? That's a privilege, revocable when used irresponsibly.

        The internet is developing into a primary means of communication, especially

    • by greenguy (162630)

      This is correct. I know plenty of people who are clueless about security, and computers generally (I'm thinking of the ones who ask me "Do I have Adobe on my computer?"), but I'm not prepared to tell them they have to stop using them until they become experts. The real solution here is to offer proactive solutions. The ISPs could provide them for free (including house calls) and probably still come out ahead financially.

    • by houghi (78078)

      I am not able to fix my car and yet the government wants me to have things safe for others. I doubt that I can use that as an excuse for driving around in a car that is not up to the standard that they demand.
      I believe there is a difference between fixing it and fixing it yourself.

    • by stirz (839003) on Monday January 25, 2010 @12:42PM (#30891878)
      Well, at least the intended mechanism will make sure that people notice that their PC is abused. Furthermore, it imposes pressure on people to care about some basic security measures. I think many of them will soon take care, in whatever way. But if they refuse to realize that their data is in trouble and that they are (passively) involved in online crimes, why not shut down their net access? Someone who does not exactly know what to do will know the shop where (s)he bought the equipment or even a local shop that offers paid support; there is no excuse in that case.

      I had a similar experience myself some years ago while living on campus, connected to a network of about 1,000 machines. The admins enforced a "three strikes" directive: if someone's machine was spreading viruses via internet access or via FTP/SMB shares, or misbehaved in other ways (disturbing the DHCP and break-in attempts on internal servers, mainly), (s)he got a notice in her/his (real life!) post box to stop misbehaving/to fix the computer. As I recall, the note contained a paragraph offering help in case people weren't able to cope with the problem themselves. They only had to block less than 10 machines during the time I lived there (4 years, approx.), as people really reacted quickly, and we could even observe a (small) learning curve because new inhabitants were mostly briefed by their neighbours shortly after they had moved in.

      So: Go ahead, Aussie ISPs! That's definitely the way to go - and to further sysadmin appreciation, but that's a different piece of.....
    • It’s called “natural selection”. It’s supposed to work that way.
      Either you wise up, or you die. Simple as that. Look it up.

  • by Anonymous Coward on Monday January 25, 2010 @11:58AM (#30891036)

    This SOUNDS like a good idea in theory, but what will end up happening is that hackers will start to send fake notices to Australian users and will easily be able to trick people into giving personal information (i.e. account numbers, CC numbers, etc.) by claiming to be from the government and/or ISP. They need to create some sort of control around this, but I only see it causing problems....

  • Sad, isn't it? (Score:2, Insightful)

    by bbbaldie (935205)
    Buy a computer and/or a supposedly secure operating system, and then, unless the customer proactively protects against security breaches, they won't be allowed on the internet. Pardon me, but isn't protection against security breaches the OPERATING SYSTEM'S JOB???
    • Re:Sad, isn't it? (Score:4, Insightful)

      by arotenbe (1203922) on Monday January 25, 2010 @12:51PM (#30892038) Journal

      Pardon me, but isn't protection against security breaches the OPERATING SYSTEM'S JOB???

      Partially, but it isn't the operating system's job to stop the user from being an idiot. If you want to run executables from suspicious websites, that's your right. And if the rest of the world wants a device to stab you in the face over the internet, that's their right, too.

    • No, the operating system's job is to manage memory allocation, physical devices, and manage scheduling of threads and processes.

    • I can't think of an OS that can tell the difference between Skype spraying bits all over the internet versus a spam mailer spraying bits all over the internet. In both cases, the user probably clicked something (skype.exe or boobs.jpg.exe), and clicked "OK" when the OS asked if they were sure. At that point the reins are in the hands of the user.

      You can put a HUD, anti-lock brakes, cornering headlights, parking sonar, all-weather tires, and wrap-around cabin airbags in a car, but a stupid user will crash it

  • The code states ISPs should cut off internet access only in the "most extreme of cases", when a customer had refused to install anti-virus software, or where the amount of spam being sent from the customer's account was clogging up the network.

    Does that mean they will cut off users who simply don't have an AV program, even if they're not infected?

    • If there are no signs of botnet activity from a computer, how would they know it doesn't have AV software? Something tells me ISPs aren't going to devote resources to asking their customers just in case...

      • Perhaps change the terms of service to require AV software to be installed before a computer is let onto the Net. Perhaps require software to be installed on a given computer to check whether it has an applicable AV program.

        So, if the software finds that there is an acceptable AV program, then the ISP is contacted and unrestricted access is permitted. If the software finds the AV program doesn't qualify, or doesn't exist, then the person only has access to a page that says, "You don't have a qualified AV pro

        • No, not going to happen. For a start, such a program would have to be available for every common iteration of every operating system and be able to recognise the installation footprint of a variety of AV software, and be constantly updated to recognise new versions and work around any changed settings. No Australian ISP is going to put in that kind of development work when they can just monitor their logs for suspicious activity (and already do). Besides, attempting to mandate a particular hardware/software

  • I've been calling for this for years, on Slashdot and other venues. ISPs do monitor suspicious behaviour. I can remember many many years ago when I was much younger and playing around with netbus and scanning the default port 1234 with it for about 20 minutes. The next day we got a call from the ISP asking if everything was okay.

    There is no reason that a reasonable profile can't be built to detect standard bot activity and customers notified if this kind of behaviour has been noted coming from their connect

    • The problem I have with this is that my own ISP has blocked me using the excuse that I might have an infected computer. I tell them that I'm running os x and the problem is immediately fixed.

      What concerns me is that what my ISP was doing was not 'bot profiling' (I have almost every port blocked and I'm not running any services that use weird ports, like some p2p software does)- they were simply disconnecting/throttling down their heavy users. I don't use the internet at home more than a few hours a day, and

  • Criteria (Score:4, Insightful)

    by lattyware (934246) <gareth@lattyware.co.uk> on Monday January 25, 2010 @12:30PM (#30891674) Homepage Journal
    Botnet - Collection of computers using large amount of bandwidth.
    Largest Botnet - BitTorrent
    ISP - "Job's a good 'un lads, let's go home."
  • I usually hate messing with a protocol, but this sounds like a good use of a DNS redirect. When a user is deemed infected by whatever measure they decide, have the first web-page that the user brings up a re-direct to an ISP warning page with info on how to cure the problem.

    I suppose if the user refuses to do anything about it you could cut him off after a month or so.

  • At the height of the Blaster outbreak a few UK ISPs cut off Blaster-infected PCs and redirected them to a 'clean up your PC' page.

  • What checks are in place to prevent this being used as an excuse to take down "troublesome" sites?

    I mean, computers that are part of the Tor privacy network, or part of freenet, or bittorrent servers, or used by contributors to Wikileaks.

  • by troll -1 (956834) on Monday January 25, 2010 @01:02PM (#30892222)
    Sounds like another case of politicians regulating something they don't understand. Define botnet.
  • by russotto (537200) on Monday January 25, 2010 @01:12PM (#30892412) Journal
    ISPs should be disconnecting zombied machines. The catch is they need a test which catches most zombie machines while not catching any non-zombies, and most ISPs are neither competent enough nor interested enough to do so. If their procedure has systemic problems which disconnects non-zombies, then the cure is worse than the disease.
  • by Oasiz (1017554) on Monday January 25, 2010 @01:23PM (#30892630) Homepage
    I didn't completely RTFA, but.. If this works anything like it does here, it basically redirects you to a generic page where you can download virus/etc. checks and fix your system. You can't simply reach other places (or no connection with other protocols) in that state. The ISP has basically just IP-blocked you at that point (other systems under the same connection function like normal). The ISP also re-checks your system every hour or two to see if the issue has been resolved. This is also explained on the page in more detail. If it follows the same formula then I am all for it, due to it working flawlessly so far. No false alarms so far in my rather heavy use. Oh yes, and I first ran into this in 2004.
  • Don't disconnect them. First, only block the ports being abused. If that doesn't work, confine them to a "walled garden" that tells them who to call to fix the problem. Then when they do call, help them fix the problem.
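Several posts converge on the same procedure: the summary's notify, throttle, then terminate; gmuslera's and the DNS-redirect poster's landing page; Oasiz's account of a garden that re-checks every hour or two and lifts itself once the machine is clean; and the poster just above, who blocks only the abused ports before anything broader. The block below puts that procedure into one state machine as an added example. It is not code from the page, from the IIA code of conduct or from any ISP; the stage names, dwell times, landing-page host, garden allowlist, and the `Subscriber`, `recheck`, `verdict` and `run` names are all assumptions made for the example.

```python
# Added example (not code from the page, the IIA code of conduct or any ISP):
# a staged response for a subscriber the detector keeps flagging. Stage
# names, dwell times, the landing-page host and the garden allowlist are all
# assumptions; the shape follows the thread: notify, throttle, walled garden,
# terminate, with a periodic re-check that restores service once the
# detection stops, and with abused ports blocked before anything broader.
from dataclasses import dataclass, field

STAGES = ["clean", "notified", "throttled", "walled_garden", "terminated"]
DWELL_HOURS = {"notified": 48, "throttled": 72, "walled_garden": 14 * 24}  # assumed
REMEDIATION_HOST = "fix.example.net"                                  # assumed landing page
GARDEN_ALLOW_PORTS = {"53/udp", "53/tcp"}                               # DNS still resolves
GARDEN_ALLOW_HOSTS = {REMEDIATION_HOST, "updates.av-vendor.example"}    # assumed AV updates


@dataclass
class Subscriber:
    ip: str
    stage: str = "clean"
    since: int = 0                                     # hour the current stage began
    blocked_ports: set = field(default_factory=set)    # e.g. {"25/tcp"}
    actions: list = field(default_factory=list)        # (hour, action) audit trail


def recheck(sub, hour, detected, abused_ports=()):
    """One periodic re-check: escalate while the verdict persists, restore when it stops."""
    if not detected:
        if sub.stage not in ("clean", "terminated"):
            sub.actions.append((hour, "restore"))
            sub.stage, sub.since, sub.blocked_ports = "clean", hour, set()
        return sub.stage
    new_ports = set(abused_ports) - sub.blocked_ports
    if new_ports:                      # cheapest measure first: block only what is abused
        sub.blocked_ports |= new_ports
        sub.actions.append((hour, "block " + ",".join(sorted(new_ports))))
    if sub.stage == "clean":
        sub.stage, sub.since = "notified", hour
        sub.actions.append((hour, "notify"))
    elif sub.stage in DWELL_HOURS and hour - sub.since >= DWELL_HOURS[sub.stage]:
        sub.stage, sub.since = STAGES[STAGES.index(sub.stage) + 1], hour
        sub.actions.append((hour, sub.stage))
    return sub.stage


def verdict(sub, proto, dst_port, dst_host=None):
    """What the access network does with one outbound connection at the current stage."""
    key = f"{dst_port}/{proto}"
    if sub.stage == "terminated" or key in sub.blocked_ports:
        return "drop"
    if sub.stage == "walled_garden":
        if key == "80/tcp":            # the HTTP redirect to the landing page
            return f"redirect {REMEDIATION_HOST}"
        if key in GARDEN_ALLOW_PORTS or dst_host in GARDEN_ALLOW_HOSTS:
            return "forward"
        return "drop"
    return "throttle" if sub.stage == "throttled" else "forward"


def run(detected_hours, until):
    """Hourly re-checks of one constructed subscriber whose bot sends tcp/25 spam
    during `detected_hours`; returns the subscriber with its audit trail."""
    sub = Subscriber("198.51.100.7")
    for h in range(until + 1):
        recheck(sub, h, h in detected_hours, ("25/tcp",))
    return sub


if __name__ == "__main__":
    s = run(set(range(60)), 72)        # infected for 60 hours, then cleaned
    for hour, action in s.actions:
        print(f"h{hour:>4}: {action}")
    print("final stage:", s.stage)
```

Two properties are worth noting. The port block is applied at the first positive re-check and survives every later stage, so a spam bot loses tcp/25 long before its owner loses anything else; and the restore path clears both the stage and the port block on the first clean re-check, which is what makes the garden self-lifting rather than a ticket someone has to close. The fake-notice phishing risk raised earlier in the thread is not solved by any of this; the landing page still has to be something the subscriber can verify belongs to the ISP.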

  • Go after the CnC (Score:3, Interesting)

    by MikeURL (890801) on Monday January 25, 2010 @02:12PM (#30893262) Journal
    Why harm 100,000 users when you can just disable 1 CnC system? Researchers have already shown, over and over, that it is possible to not only take over botnets but to shut them down. If all the ISPs are going to get together and work as a team then why not work on THAT?
  • by Anonymous Coward

    There is a responsibility by any user not to interfere with others. Being infected with a botnet is certainly one for this category. Not responding to warnings of infection is negating this and is abusive of others using the net. Why should users that interfere with others be tolerated?

    To simply say that a significant number of the people that have botnets don't know how to remove them, even after warnings, is far too simplistic an excuse. The same can be said about their ability to pay to have them removed.

  • Why bother implementing a troublesome and unpopular "Three Strikes" law to stop torrents when all you have to do is claim their machine is part of a botnet?
