Providers asked to detect malicious activity, educate users and disconnect repeated offenders

Sep 23, 2009 09:26 GMT
Australian Internet Industry Association drafts security code of conduct for ISPs

The Australian Internet Industry Association (IIA) has released a draft of the "eSecurity code for ISPs" for public consultation. The new code, to which Internet service providers can adhere voluntarily, contains guidelines for identifying compromised computers, educating customers and enforcing penalties for repeated misconduct.

"The IIA is aware of significant benefits that will accrue from this scheme. In particular, the scheme enables ISPs to assist their customers by providing them with advice that their computer appears to be compromised, thereby giving them the opportunity to remedy this situation. Such restorative action by customers will contribute to the overall security of the Australian and international Internet," the organization explains.

The code (PDF) provides mostly general guidelines and leaves many of the details to the ISPs. For example, it clearly specifies that ISPs that want to adhere to this code of conduct must detect malicious activity and compromised computers on their network. This can be achieved by active network monitoring for certain traffic patterns, by investigating reports received from third parties, or both.

The guide suggests several actions that can be taken when malicious activity is identified, such as speed throttling, temporary account suspension, temporary port/protocol blocking, restricting SMTP traffic and even terminating Internet access if the customer refuses to remedy the problem.

"ISPs may choose to use one or more of the above examples, and may choose different options depending on whether it is the first time a customer’s IP address has appeared on the source lists or whether they continue to appear on the lists and have taken no remedial action," the code notes.

When abuse is detected, ISPs are advised to inform the responsible customers and attempt to educate them. The code lists the information recommended for inclusion in the notifications sent by ISPs, along with the URL of an IIA Web page where users can find additional resources and tools to scan and clean their computers.

Finally, ISPs are encouraged to contact the appropriate organizations, such as AusCERT, when the malicious activity is serious enough. "Where the ISP believes that the nature and extent of the network compromise is of sufficient severity, the ISP should report this to the relevant agencies," the code notes.

"I am not very familiar with Australian industry associations, but this seems like a great idea to me," Chester Wisniewski, a senior security advisor at Sophos Canada, comments. "Every user without proper protection is a part of the problem. I welcome Australian ISPs in joining responsible computer users in cleaning up this mess," the researcher adds.