LrdVader
Premium
join:2003-12-18
San Diego, CA
edit:
March 8th, @07:57PM
| reply to ChrisDAT
Re: Maybe not the best idea
said by ChrisDAT  :
The infectors/spammers, etc... are winning whe "war" if the average joe is being penalized for their crime. It's better than a trojan that deletes files!
It's not about penalizing people. It's about protecting the network. It's perfectly reasonable to disconnect a machine that is actively having a negative affect on the network. In fact, it's the responsible thing to do.
said by ChrisDAT :
If an ISP can identify an infected PC they can certainly block the offending traffic type until the user complains and they tell them that they have to fix their problem before the ISP will remove the block. Cutting the user off defeats the purpose of providing service in the first place.
Since most of these worms send mail directly to the victim's SMTP server, if you block that, most users won't notice the difference. Thus, you end up just masking the symptom, not solving the problem. If the problem's big enough for the ISP to block traffic, it's big enough for the user to be contacted.
Unfortunately, if the user isn't being affected by the block, they don't have as much incentive to fix the problem. If the connection is completely disabled, the user will definitely notice that, and have an incentive to fix the problem. It also prevents the worm from doing other things later that haven't been blocked yet. Take a worm like Blaster, for example. If the ISP blocks outbound SMTP traffic because the worm is furiously mailing itself out, and figures they've done their part, then when the worm activates and goes to DDoS its target, there's nothing to stop it. If the ISP completely disables the connection until the user cleans up the problem, this can't happen.
said by ChrisDAT :
There is no way to expect an average or even advanced user to be able to stay on top of this issue -- The best in the business can't keep ahead.
No, but we can certainly expect the average user to display a bit of common sense. Most current worms are not being automatically spread by exploits that bypass security. User action is required to execute the trojan (especially in the case of Bagle.whateveritsuptonow, where a user has to actually manually enter a password to unzip the file and run the offending executable). It's not unreasonable to expect people to eventually get it through their heads that it's a bad idea to just blindly open any random program that a stranger drops in their inbox.
said by ChrisDAT :
The ISPs need to attack the source, block the URLs that start the whole thing, scan for viruses in transit. It's in their best interest to protect themselves, but don't cut off grandma because she isn't up on the latest security tweaks.
After the initial release of the worm, the primary source *is* infected PCs spewing it out to others. Disabling those infected PCs *is* attacking the source. I know it may seem harsh, but if grandma's PC is sending out 100,000 pieces of spam a day, it's irresponsible to *not* disconnect it until it's cleaned up. |
