Should infected computers be prevented from connecting to the internet?

Last year, Microsoft’s Scott Charney wrote that "we need to improve and maintain the health of consumer devices connected to the Internet. This will benefit not only users, but also the IT ecosystem as a whole. To realize this vision, governments, the IT industry and Internet access providers should ensure the health of consumer devices before granting them unfettered access to the internet.”

Earlier this year, Kaspersky’s Costin Raiu took a similar line, suggesting that ISPs locate infected users and start to throttle and limit their access until and unless they disinfect their computer.

Last month, the UK’s new Cyber Security Strategy moved a step closer to this approach by seeking “agreement with Internet Service Providers (ISPs) on the support they might offer to internet users to help them identify, address, and protect themselves from malicious activity on their systems.”

And now Silicon.Com has said the same. Earlier this week Steve Ranger wrote that the “time has come to ignore the howls of protest, the cries of 'I didn't know!' and 'It wasn't me!', and to decide that if a PC is infected with viruses or has become part of a botnet, it should no longer be allowed access to the internet.” (Want to stop botnets overnight? Ban infected PCs from the net.)

Much of the security industry, however, questions whether such an approach is realistic, fair or possible. Commenting on its fairness, M86 Security’s Ed Rowley said that consumers “can take responsibility for their own security only as far as following safe computing guidelines and keeping their PCs or laptops up-to-date with security patches and signatures. However, they cannot protect themselves against the increasing number of zero-day threats for which there is currently little or no protection for home users and consumers.”

He offers an alternative approach. Rather than forcing ISPs to disconnect users, he believes they should use their knowledge of the traffic to block suspicious traffic. “If the ISP can identify volumes of SMTP traffic originating from a home user’s IP address it could be blocked without blocking traffic used for browsing the Internet. Indeed,” he suggests, “why not convince ISPs to block all SMTP traffic from non-registered email servers? This would go a long way towards solving the spam problem.”

Rik Ferguson from Trend Micro believes that the right approach would be “for the ISP to contact their customers who are believed to be affected and, using standard technical support channels, give them the help and support they need to get cleaned up and secure. Besides,” he adds, “isn't internet access now a basic human right according to the UN?”

However, ESET’s David Harley thinks the whole problem is technically more difficult than it might appear. “I’m afraid that tracing a compromised machine is often a far tougher job for an ISP than it is on a small network with reasonably static IP addresses. The range of attacks that might be carried out by a botnet is too wide to diagnose reliably by network traffic alone, especially if it’s a highly adaptive botnet that takes care of its drones by frequently switching machines, tasks, and even IP data.” The end result, he warns, could be that “an address allocated dynamically may have been reallocated several times by the time action can be taken; so Sue in Sussex gets cut off because Dan in Durham had a virus...”


What’s Hot on Infosecurity Magazine?