Viruses and Attacks

From AAISP Support Site

There are many types of undesirable traffic on the internet, and they fall in to several different categories.

Viruses and attacks from customers

Customers computer systems can be infected with viruses, or other software that is used to attack other users on the internet. We take this seriously, and will contact customers if we become aware of such traffic. We can disconnect lines if there is a severe problem or if the customer is not taking appropriate action quickly enough.

Amplification and obfuscation attacks

Customer equipment can be vulnerable to types of indirect attack. This is where some equipment responds to specific traffic in a way that causes someone else to be attacked. This is typically to amplify the attack, or hide or spread the source of the attack.

A good example is routers which will answer DNS queries from outside. A small query to the customer router causes a large response sent to what it things was the originator, but is in fact the victim.

Where we find this happening we will advise customers of fire-walling and configuration changes to stop this.

We have more information about this subject on this Wiki.

Denial of service attacks

Our exact policy and technical solutions to address denial of service attacks are not published. It is important to realise that anyone and any ISP can be vulnerable to high volume attacks - even whole countries have been vulnerable to attacks. This is especially true with millions of virus infected machines around the world conducting the attack, and a major reason for trying to ensure our customers are not a source of attack.

We will always take all reasonable steps to minimise the impact of any high volume denial of service attack as soon as we are aware of it. If we shut down your line because of such an attack against you, we'll try and let you know. This can be a necessary step to protect the network as a whole.

We will also discuss with customers that get repeated attacks, why it is happening. There is usually a cause. One common cause is that someone has a virus infected machine attacking someone else, and this is revenge. Another is where people annoy someone on an irc channel or chat-room. So please, be polite and try not to wind people up. The internet as a whole is fragile and can break!

Usage

If you have high levels of traffic from the internet, or even continuous low levels, this can impact your usage. We allow some over usage to be carried over, and we have warning emails when usage appears to be high. It is up to you to take your service off line or contact us for help as we charge for all traffic you receive while your router is on-line, whether you asked for it or not. I appreciate that this may seem unfair, but at the end of the day we are paying for this traffic. Whilst we can identify some types of high level denial of service attacks and take immediate action, there are many ways in which lower level attacks can be happening without us being aware of it. So please, take note of the usage emails we send.

Protection

If you have a sensible network with fire-walling and correct configuration to stop amplification attacks, and are generally a good net citizen, then you are unlikely to be attacked. There may be occasional port scans and probes which get nowhere. Fire-walling at your end is not going to stop these probes, or the usage charges for them, but it is a low level background of such traffic and not a major cost factor. Fire-walling your end helps ensure your machines are not attacked and reduces the chances of them being exploited.

We do not generally offer any network side fire-walling. We may do as an optional extra feature at some point in the future. In some cases we can offer short term filtering for customers suffering from persistent attacks. This stops you paying for usage (even though we are still paying for transit, this eliminates the main cost factor of traffic over the broadband line).

In general there is a reason someone is attacking you, and removing that reason is the best way to stop the attack. In general, once traffic is blocked, the attack will stop.

Network side filtering is only available in unusual cases as a short term option - please discuss with support if you require this.