Aussie ISPs May Block Infected PCs

Computers unwittingly infected with malware and chained together into botnets are a major source of spam and other annoyances. But should ISPs start blocking machines that have been roped into botnets?


At ZDNet, Liam Tung reports that the Internet Industry Association will push ahead this year with a plan to allow ISPs to temporarily 'quarantine' infected machines from network access, reducing their impact on others until the problem can be fixed. There had been a legal question over whether ISPs could do that without breaching privacy, but the IIA believes that issue has been resolved by a minor clause in the iiNet piracy decision. The code would be voluntary, and isn't likely to be implemented until June, following a period of public consultation.

The arguments for this proposal are pretty solid: users who aren't aware they're part of a botnet are creating a major inconvenience and supporting criminal activity, as well as potentially opening themselves up to much larger bills if they exceed their monthly download limits. The obvious downside is that it extends the ways in which an ISP might monitor customer traffic, but, compared to proposals to impose a mandatory filter of unspecified content on everybody, that seems relatively minor.

iiNet trial clears way for 'zombie' code [ZDNet]


Comments

    How are those infected machines supposed to download updates to remove the virus/spyware then?

      I imagine they contact the ISP when their connection is cut off and go from there. This is certainly the big downside to all this. The overhead that will hit ISPs who suddenly become the medical centres of the Internet would be significant.

      On the flipside, I would have thought the legal and business issues for blocking infected machines are readily resolvable. I'm sure the technology exists to identify bot traffic without violating privacy, and most ISP terms and conditions prohibit illegal activity, so blocking an illegal bot-infected machine should be a no-brainer.

      My US-based server host throttled my traffic and contacted me because it was out of the ordinary. We promptly fixed the problem, which turned out to be just a misconfiguration, but it sure was good to have the ISP notice and act on it.

    What's wrong with the ISP just sending an email or, God forbid, a real letter (!) to the account holder to say that they think their computer might be infected with malware/spyware? And then it could offer solutions like recommended free anti-virus/anti-spyware/anti-malware programs, hosts file information etc.

    If you disconnect a user without really informing them of how to deal with the situation and how to maintain a clean system, then the problem will just occur again and again and again.

    If an ISP really does think that some of its users are part of a botnet, then it should be proactive about solving the problem of infections in the first place, rather than just being reactive and disconnecting users.

      The only effective way for ISPs to be proactive about stopping infections would be to take some amount of control of their users' PCs. I'll take a pass on that option myself.

      Our vehicle registration system tells drivers with faulty brakes they can't take their car on the road. It's the driver's responsibility to take that information and fix the problem. I have no problem with our ISPs taking the same approach to compromised PCs.

      I'm no legal expert but I reckon the answer lies in this section of the article: "There had been a legal question over whether ISPs could do that without breaching privacy"

      I suspect that ISPs may not be allowed to monitor your traffic in the ways required to spot an infected PC.
      The method of notifying (blocking, mail, email, etc...) may not be the issue.

    ISPs now have the power to check your internet traffic, as long as the reason is on security grounds. This was passed in the Federal Parliament last week, in the Telecommunications (Interception and Access) Amendment Bill 2010. The bill reads:

    "The act 'enable(s) owners and operators of computer networks to undertake activities to operate, maintain and protect their networks; enable Commonwealth agencies, security authorities and eligible State authorities to ensure their network is appropriately used by employees, office holders or contractors of the agency or authority; limit secondary use and disclosure of information obtained through network protection activities; and require the destruction of records obtained by undertaking network protection activities when the information is no longer required for those purposes...'"

    In other words, if an ISP detects and proves that a PC on its network is a part of a botnet, they can take such measures as to secure its network.

    However, if you read further into this bill, you will find that now anything you do online can be checked and scrutinised. Before, you had some privacy protection; now you have none. Then, the question becomes one of defining what is a security breach: can it include such activities as downloading copyrightable material or the accession of material listed on the Federal Government's banned list?

    (Props to the Canberra Times' Myles Peterson, from whom this post has been a summary of his piece in the 1 March issue.)

    My ISP (and I'm sure most others do too) already does this for Spamming.
    They send a warning letter/email that a machine is spamming, then another warning letter/email stating that if the problem is not fixed, then connection will be terminated and will only be reinstated upon presentation of a Professional Invoice for fixing the problem.
    Seems a reasonable way to go about things. 2 strikes to fix it yourself if you're capable, then on the third strike, you must have a Pro fix it.
    This same method could be used for a bot.
