Slashdot Mirror


Broadband Crackdown

MrPeach writes: "In a move unsurprising to those of us who have had interactions with their so-called customer support, AT&T Broadband and Excite@Home are indefinitely filtering all incoming traffic on http port 80 for residential customers. They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service. DSL anyone?" DSL won't save you. Verizon is apparently also blocking port 80 for their DSL customers, in addition to blocking outgoing port 25 and requiring use of Verizon's SMTP servers to send email. Verizon is also cheerfully paying fines for screwing over their competitors - the fines will be much less than the extra profit they can squeeze out once their competition is gone.

790 comments

  1. Self fulfilling prophecy... by mengel · · Score: 1
    But this is a classic self-fulfilling prophecy. If you assume that the "vast majority" of people who want to run servers do so for commercial reasons, and charge for that, then you get exactly what you predicted, because non-commercial users won't pay the rates businesses will.

    The analogy to business phone services is inappropriate -- there is no difference in the service provided between business and residential phone service, only a difference in billing. In either case you get a phone number where people can call you, and you can call them.

    The case here is that business users get full service, and residential users get crippled service.

    --
    - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
  2. Re:how to get buy with their changes... by Anonymous Coward · · Score: 0

    Yeah, and having people type http://XXX.no-ip.com is a lot easier than having them type xxx.xxx.xxx.xxx:1111!? What's the difference!?

  3. hmm.. by Anonymous Coward · · Score: 0

    i'm a verizon dsl user.. and all i can say is that i'm damn happy that HalfLife and Counter-Strike don't use port 80 to do their thang...or maybe they do, which would explain why i can't host a server. hmm...

  4. Monopoly make it impossible 2 find acceptable TOS by Anonymous Coward · · Score: 0

    I understand you completely. It's bad that people don't listen to ISPs more. Why, how these geeks who think they're so smart that they can go around using these server things is just awful. I would never want to run a server, only corporations should be allowed to run servers. They should have to buy a license to run web servers, that costs so much that these eggheads could never hope to afford it. Eventually, AOL will stop letting the internet connect to it, and things will be back to normal. Heed this warning, if you internet people continue to misbehave, AOL will disconnect you permanently from the great AOL network.

    On a more serious note, once AT&T unfucks my cable connection, I'll finally be able to go live with the AlterDNS Project. Bookmark the url, in case you ever get to see it again

    http://24.30.242.34
    (also known as www.freenic.ntwrk)

    The site in its final form will show you how to set up and run your own bind server, and have it point to multiple dns root servers, including my own. None of the half-assed "point your primary DNS setting/resolv.conf to our server" bullshit that ORSC* and Alternic* suggest... we want you to have the power that running a safe chrooted bind gives the individual. DNS is a distributed database by design folks, and those in power don't want it to be distributed.

    AlterDNS offers many exciting (but not braindead**) new aTLD's for free, the way it should be. What's more, they are protected by a carefully designed policy that refuses to permit abuse, without taking away your freedom.

    #1 No cybersquatting. All domains must be used within two weeks of registration.
    #2 No reselling of domain names.
    #3 No corporate registrations. Your trademarks are not recognized here.
    #4 No bulk registrations.

    Cool huh?

    *Two of the more popular "alternate root servers". More interested in raking in some cash, they are ICANN wannabes too lame to play with the big boys and really ream people. Instead, they only charge a little bit for their fucktwit domains (if it can be said that any amount of money is small, when practically no one can resolve the name).

    **For example, the Open Root Source Confederation actually has registered a "to.us" domain, for no other reason than so some childish asswad could register all.your.bases.are.belong.to.us. Dumb right? Wrong... it's worse than dumb. It's a namespace conflict with the dot US ccTLD.

  5. NE mediaone user still get hit by the WORM by klops · · Score: 1

    It looks to me that ne.mediaone.net is ONLY blocking port 80 traffic from their external router. I'm still seeing requests for default.ida?XXXXXX.... to the server. Only that they're ALL from my mediaone.net subnet. So I guess their notice about "notifying the infected users" is all but BS. Now that all I need to do is to GET /script/root.exe? on their machine... :-)

    --klops

    1. Re:NE mediaone user still get hit by the WORM by Anonymous Coward · · Score: 0

      I also noticed in my web logs that some of their servers seemed to be not owned by their customer base, but the administrators themselves.. fools.

      command3.ne.mediaone.net - - [06/Aug/2001:22:36:49 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275 "-" "-"

      I wonder if this would work? It's been a long time since I used del. GET /scripts/root.exe?del.%20c:\%20/y

  6. If their contract says "don't do that" by SimCash · · Score: 1
    If their contract says "don't do that" (host a web server), then they are well within their rights. I am once again amazed that people seem to think that just because they could do something for a while (host web servers) it suddenly becomes an entitlement even though they were told (RTF-C) they could not do that.

    While there is some legal precedent (if you don't take action to protect a trademark you can lose the right to ever take action), this is not analogous to this.

    Web hosters are high-traffic customers, they ought to pay more than a user who wants to just access the web. It's called being fair.

    1. Re:If their contract says "don't do that" by DigitalGlass · · Score: 1

      it is not against all tos. read this. http://help.broadband.att.com/subagreelease.jsp and me being a webserving person does NOT make me a high traffic customer, it's only web pages i am serving, not huge files. the real high traffic customers are the ones that run gnutella and other filesharing apps.

  7. another way around.. by jjshoe · · Score: 1

    now last time i checked cable and dsl were billed the same way pretty much, $20 rental for line, and $20 for the actual isp service. so you could pay the $20 for the line and pay $20 to another isp with a less restrictive tos. as silly as this sounds a good friend of mine who never owned a computer finally got one, but to her surprise got a free year of aol with it. she expected to have to shell out $20 a month anyways, so now she has aol over cable modem.

    --
    -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
  8. Re:Port 25 by brandon2 · · Score: 1

    I don't think Verizon is blocking port 25 either. I run my own mail server both for receiving and sending mail without any problems.

    Still, this is a strong argument for getting one friend to get a T1, then everyone chips in to pay for the T1 and roll their own DSL connections.

    Would splitting a T1 through homegrown DSL be feasible? It seems to me that it would take a lot of friends to pay the costs of a T1. By the time you split the T1 enough ways to pay for it would there be enough bandwidth left? Not to mention the equipment costs. I can't imagine that a DSLAM is cheap. Would be cool to do though.

  9. Re:No blocking yet by Kenyaman · · Score: 2

    The problem on the cable modem networks isn't boneheaded admins. It's silly people who didn't realise they had IIS running on their NT system.

    Still seems draconian to me. "We're going to close the intersection of Pine and Elm because there are too many accidents there."

  10. Re:Move to Canada by stevew · · Score: 2, Insightful

    Actually - I didn't.

    I'm one of the earlier @home customers in Fremont CA. which was a test city for the technology. The terms of service I signed didn't limit the things I could run on the system. I checked for that before I signed it.

    Unfortunately there is the "out" in the contract where they can unilaterally change the terms of service by simply publishing new ones at a given URL:

    So is that binding on me? Not sure - IANAL, but it isn't really fair either. On the other hand, it has been true for most of the time that I've been on the service that they have "officially" not allowed ANY kinds of servers on the home systems. For that matter, they even had one version of the dang TOS that let them prohibit me from doing any business over the internet - yeah like going to amazon.com and ordering a book was prohibited. That part got dropped like a hot potato because of a ton of public criticism locally.

    I do think they are being heavy handed, and extremely short sighted. They are in many ways restricting freedom of speech by such filters. They are probably legal - but they suck!

    --
    Have you compiled your kernel today??
  11. I'm on @Home and I'm not blocked by Anonymous Coward · · Score: 0

    I have been running a web server on an @Home account for several years. The TOS that I signed did not say anything about running web servers except that security was our responsibility. In addition, there was no wording about the TOS being updated in the future (this was before they got smart about these things).

    Perhaps @Home is scanning for web servers and shutting them down as they find them. One thing I did a year or so ago is to set up my firewall to block any web accesses from addresses that appear to be their corporate block.

    I'd love to see someone try and hack my web site, as the web server is a one-of-a-kind written in Java, hence no buffer overflows, and CGI disabled.

    -Aaron

    24.1.111.180 [Thu Aug 09 09:21:38 PDT 2001] "GET /default.ida?XXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u 90 90%u6858%ucbd3%u7801%u9090%u68
    58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u90 90 %u8190%u00c3%u0003%u8b00%u531b
    %u53ff%u0078%u0000%u00=a HTTP/1.0"

    1. Re:I'm on @Home and I'm not blocked by SumDog · · Score: 1

      Neither am I and I'm on comcast@home. I logged onto my university server last night and checked my webpage from there on lynx. Looked fine to me. Exactly which parts of the @home network does this affect? The only ports that are closed at my end are the SMB ports...I don't know why, but @home disabled the ability to contact my PC via Samba. Weird...I also can't ping my machine but I can FTP to it...also weird. Sumit

    2. Re:I'm on @Home and I'm not blocked by AaronW · · Score: 2

      @Home blocked SMB a couple of years ago at my end. I used to be able to see all of my neighbor's computers, some of which had enabled full sharing. I reported this problem to @Home several times, but they didn't care about this major security breach. They finally fixed it after several articles appeared describing the huge hole. I think IIS is a much bigger hole. IIS should be banned.

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  12. Road Runner does more than turn a blind eye by moller · · Score: 2

    I convinced my parents to get Road Runner while I was home from school. We had three computers set up while I was home, two after I left. Both needed internet access. Road Runner charges an extra $6/month for another IP address. Their TOS specifically forbid running a router or DHCP server off of their line (says so in black and white on the contract). I called up customer service to ask about this, they were clueless about what a DHCP server was, and forwarded me to tech support. Tech support was clueless about the contract, and finally I got piped through to some manager. The manager specifically told me to buy a router (you know, one of those little boxes with a DHCP server in it) and hook that up instead of paying for the extra IP address.

    So they don't just turn a blind eye, they actively encourage users to violate the contract signed when procuring the cable modem service.

    ~Moller

  13. Re:I've read my TOS and it sucks. by Anonymous Coward · · Score: 0
    No. You didn't buy bandwidth. At least not most of the time. If you're running a non-business DSL or cablemodem then you certainly didn't buy bandwidth. I think that's half the issue. Buying bandwidth is expensive, far more than a simple broadband connection.

    It's also a legal matter. When you start flooding the net or your neighbors or some business, who has the deep pockets and who gets the first phone call? Not you, it's your provider. When people start talking to lawyers about this, who stands to lose big and has to defend themselves? Likewise they have to have staff to diagnose your problem, block your computer, call you up and notify you and in many cases probably help you fix it, and you're NOT paying bandwidth fees, you're simply paying for access.

    I have several business broadband lines to my house, they cost more, you can do different stuff, you get different rules. The $40 a month setup doesn't give you that stuff.

  14. Re:I've read my TOS and it sucks. by Anonymous Coward · · Score: 0

    Now who looks like a jackass. That was most certainly NOT a metaphor. Exaggeration? Sure. Do you even know what a metaphor is?

  15. Re:Servers were never allowed out on cable by Ed+Avis · · Score: 3, Insightful

    If the bandwidth is limited, then quota the bandwidth to each user! It's just as possible to eat up the limited upstream bandwidth by uploading large files to Hotmail, but they don't ban that.

    --
    -- Ed Avis ed@membled.com
  16. Multi-drop network by Anonymous Coward · · Score: 0

    You missed the point completely. The cable system's a multi-drop electrical network so it works best when only one node is transmitting. "I Love Lucy" is coming from a single transmitter (and not in the form of packets, by the way, but that's not important). If you put a broadband signal source in every home you would have too much interference.

    1. Re:Multi-drop network by Anonymous Coward · · Score: 0

      Yes, the old thin Ethernet (coax) worked as a multi-drop network. Whenever a collision was detected, a device would stop transmitting and try again after some random interval. Not the most efficient system but it did work. I haven't personally seen this type of Ethernet in at least 5 years, though.

    2. Re:Multi-drop network by twitter · · Score: 1

      BS. Ethernet works that way too. There's plenty of room on it for all. If more capacity is needed they can always (and already have) route subnets. Gee.

      --

      Friends don't help friends install M$ junk.

  17. they've never allowed servers by BroadbandBradley · · Score: 2

    they've just never done anything about it before.

  18. Re:Verizon, SMTP and the universe by Anonymous Coward · · Score: 0
    I, personally, found this message useful. It tells me exactly what the issues are with regards to Verizon, and the technical solutions available.

    What would inspire someone to mark this message overrated? I understand some people's hatred for big companies such as Verizon, and it's not like Verizon doesn't deserve much of its bad reputation.

    But since when did we begin punishing participants for publishing the truth here at /. ?

  19. Re:Verizon DSL is NOT THAT EVIL by Skapare · · Score: 2

    The EVIL that you describe is something that infects most large, and many medium, and even some small, corporations. It's a combination of bureaucracy and authority concentrated (generally it has to be) in people who don't care to deal with reality (or the customers who provide such clues).

    5% is enough to send a mailing for. 1% perhaps not. But that's subjective. Someone will be affected. What would be useful is for a signup list for such things to opt-in to get non-general announcements. Then they can justify sending them since they would only go to the people who want them. But they probably don't want to have their web developer(s) spending time (less than a day for a good developer, which I have doubts they have) putting something like that together.

    If you'd like to have some fun with them, call them back and raise the original point, again, that got that 5% excuse. Then say "but you keep sending out those crappy email ads to get people to sign up for more services, and less than 1% of the people care about those, so why not just stop annoying people and cancelling that?" :-)

    --
    now we need to go OSS in diesel cars
  20. Re:You can thank IIS.. by geekoid · · Score: 2

    ban port 80 only for people who are running the OS/Program at risk until it has been patched.
    In this case it happens to be IIS, but they can do the same when the next apache exploit shows up..

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  21. Bullshit by Anonymous Coward · · Score: 0

    I'm at an @Home subscribe... . want me to send you a 20000 hit list of people scanning my port 80?

  22. Re:Speakeasy! by Nafai7 · · Score: 1

    I run a web server through speakeasy... no problem here. Of course, I'm using Linux/Apache, not the shitty, unreliable and insecure Windows/IIS as my web server.

    (BTW, speakeasy is great, I pay more for it -- $80/month --- but it's worth every penny)

  23. Re:Drop the dramatics by bl1st3r · · Score: 1

    You are a complete and utter moron.

    Most people with vision are forced to start small?

    How can a new up-and-coming .com'er afford 1,000 dollars a month or more for some type of dedicated service...?

    DSL fits the needs perfectly, so why should we be charged massive fees to get the same service?

    For example: Commercial DSL - 250$+, residential - 45$.

    How do you justify charging THAT MUCH more for commercial service of the same quality as residential? Because it is a webserver? Please. That is lame.

    I hardly see how you can compare a webserver that serves 20k HTML docs to a kid on a porno rampage downloading 600Meg Video's.

    Corporations are starting to suck even more now than they ever have.

    --
    hrrm.
  24. Re:We haven't done this yet.. by Altrag · · Score: 2, Insightful

    right after they hit www.mcafee.com:80.. err.. oops

  25. Re:Leased Line by mcdurdin · · Score: 1
    I think you may be exaggerating a little.

    We have an 802.11b connection for Aus $600/month (equipment) + about $200 (data). We can get a good 500KB/sec over 7km range (over water -- that decreases bandwidth substantially) with less than 4 ms latency.

    Admittedly, if you live in Australia, you'll pay through the nose for your data (Aus 20c/mb for mere mortals).

    It's not so hard to install an antenna. If you have good roof access, expect it to take a professional an hour or two -- a couple of hundred dollars. At my place, it took half an hour.

    Why do you need to hire a consultant to run a server among a bunch of geeks? As the original poster said, surely you can rotate the support? And if the router/equipment goes down, it's not the end of the world, either. Just go and fix it.

    It is possible to setup an affordable connection: but if you do, try going with a local provider, even if that puts you a few hops off the backbone. You'll get far better support and you'll be able to talk directly to the admins; if you have a problem with your connection, they'll be far more likely to sit down and help you figure it out.

  26. Re:Necessary? by J'raxis · · Score: 1

    Erm... If I were to give out my URL to anyone I'd include the nonstandard port with it.

  27. AT&T Port 80 Blocking Ineffective, Irresponsible by Brian+Ristuccia · · Score: 2, Informative

    The version of AT&T's Broadband Subscriber Agreement that subscribers in my area (Formerly MediaOne Express) have agreed to could only be vaguely construed to prohibit web servers via the following clause:

    (g) restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service, including, without limitation, posting or transmitting any information or software which contains a virus or other harmful feature; or generating levels of traffic sufficient to impede others' ability to send or retrieve information.

    Indeed, the service agreement even mentions things users should consider should they decide to run a personal HTTP/FTP server:

    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

    See http://help.broadband.att.com/subagreelease.jsp for the full text of the subscriber agreement.

    AT&T is trying to use the subscriber agreement as a shield against criticism about how they've failed to properly deal with their network's acute inability to handle widespread use of the codered software by subscribers and also their inability to selectively track and remove or restrict users of codered. Running a webserver like IIS+codered that by design, defect, or configuration tries repeatedly to install a software package on every other webserver on the network is surely a prohibited use of the service under the subscriber agreement. Running a web server that only implements RFC2068 and has none of these annoying codered misfeatures probably isn't.

    The most effective thing AT&T could do to stop the autoinstallation of codered on customer machines is to block port 80 right at the cable modem on hosts running versions of IIS that support codered. It's certainly within their technical reach, since AT&T does selective layer-3 filtering of ports 137-139 right at the cable per customer request. For hosts that both support and run codered, AT&T should treat the host like they would treat any other compromised host: disconnect it from the network until the owner has recovered control.

    Instead of using any of the more effective methods, they're just having routers discard packets bound for port 80. Not only does this solution fail to prevent autoinstallation within AT&T subnets (because that traffic never crosses a router) and from hosts inside AT&T's network to those hosts outside of AT&T's network, but it also inconveniences legitimate users of port 80.

  28. Re:Read your TOS! by the_tsi · · Score: 2

    Seriously.

    I'm both a customer of residential broadband and an employee at a DSL ISP -- and I'm not a customer of my own company. For my DSL line, I accept the fact that it's a consumer product and shouldn't be expected to have all the functionality of a product for which someone else (e.g. a business) is paying 4 to 10 times as much. It's ridiculous to assume that your $50/mo connection (which the company is probably losing money on, if not breaking even) can run a web server and a DNS server and what-have-you. If you think that you're entitled to everything and entitled to it for free, get over yourself, get a job and pay for what you use.

    On the other hand, where I work, I didn't hesitate to block inbound port 80. It's the first large-scale compulsory filtering of any kind we've done on dialup or broadband. It sort of hurt to do so, but with Code Red et al propagating like rabbits, it had to be done. If (business) users contact us and explain that they're running apache or a patched IIS server, I'll gladly set up an exception for them. But with something like Code Red, everyone has to do their part to stop it from spreading. Despite near-domination by commercial entities, it's still a community which requires upkeep by all participants.

    Just my $0.04.

    -Chris

  29. Re:From A Business Perspective, It Makes Sense by Evil+MarNuke · · Score: 1
    Or, gee, maybe they could write a script -- detect, block and send an email notification.

    Bet you're management.

    Yep, he is management and I bet when he read your comment, he was thinking:

    That would take a dozen high paid coders, a month of testing, and approvals from two dozen people. That would be a nightmare! How would you manage all the resources?! How would you track it? Just block port 80, that will only take two people, one change request, and I can sign the approval. If we lose anybody, WE CAN BLAME PRODUCT DEVELOPMENT!

    Of course he has no idea how a firewall and a ldap/database servers might work with a little bit of planning and willingness to do something new.

    --
    The journey is better then the end.
  30. Stupid Admins by Anonymous Coward · · Score: 0

    How hard would it be to write a script that parsed the logs and blocked only the IPs at the gateway level that were infected? A Jr. Admin could do it. Why block the entire net? Idiots.
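
The log-parsing approach raised in the comment above, sketched as an added example that is not part of the thread. It scans Common Log Format lines for the `GET /default.ida?` probe shape quoted elsewhere on this page and splits the sources into local-subnet addresses (which a border-router filter never sees), remote addresses, and hostnames that must be resolved first. The function names, the sample log lines and the 192.0.2.0/24 "local" subnet are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format prefix: host ident user [timestamp] "request line"
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')

# Probe shape seen in the logs quoted in this thread: GET /default.ida? followed
# by a long run of one repeated filler letter, then %uXXXX-encoded words.
PROBE = re.compile(r'^GET /default\.ida\?([A-Za-z])\1{49,}.*%u[0-9a-fA-F]{4}')

# Constructed sample input. FILLER is a shortened stand-in for the real padding,
# and the addresses come from the documentation ranges, not from real hosts.
FILLER = "X" * 60
WORM_REQ = f"GET /default.ida?{FILLER}%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0"
SAMPLE_LOG = [
    f'192.0.2.17 - - [06/Aug/2001:22:36:49 -0400] "{WORM_REQ}" 404 275',
    f'192.0.2.17 - - [06/Aug/2001:22:41:02 -0400] "{WORM_REQ}" 404 275',
    '192.0.2.40 - - [06/Aug/2001:22:42:10 -0400] "GET /index.html HTTP/1.0" 200 1043',
    f'198.51.100.9 - - [06/Aug/2001:22:43:55 -0400] "{WORM_REQ}" 404 275',
    f'host7.example.net - - [06/Aug/2001:22:44:31 -0400] "{WORM_REQ}" 404 275',
    # Same path, but no padding or %u words: must not be counted as a probe.
    '203.0.113.5 - - [06/Aug/2001:22:45:00 -0400] "GET /default.ida?help HTTP/1.0" 404 275',
    'this line is truncated and does not parse',
]


def parse_line(line):
    """Return (source, request_line) for a CLF line, or None if it does not parse."""
    m = CLF.match(line)
    return (m.group("src"), m.group("req")) if m else None


def infected_sources(lines, min_hits=1):
    """Count probe requests per source; keep sources with at least min_hits."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and PROBE.match(parsed[1]):
            hits[parsed[0]] += 1
    return Counter({src: n for src, n in hits.items() if n >= min_hits})


def build_block_plan(hits, local_net):
    """Split offending sources by where a filter would have to be applied.

    local      -> inside local_net; traffic never crosses the border router
    remote     -> outside local_net; a gateway rule can drop it
    unresolved -> logged as a hostname; resolve before writing an IP filter
    """
    net = ipaddress.ip_network(local_net)
    plan = {"local": [], "remote": [], "unresolved": []}
    for src in sorted(hits):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            plan["unresolved"].append(src)
            continue
        plan["local" if addr in net else "remote"].append(src)
    return plan


if __name__ == "__main__":
    found = infected_sources(SAMPLE_LOG)
    for bucket, sources in build_block_plan(found, "192.0.2.0/24").items():
        for src in sources:
            print(f"{bucket:10s} {src:20s} probes={found[src]}")
```

The output is a list of sources per bucket; turning it into filter rules is left to whatever the gateway or cable-modem provisioning system actually accepts.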

  31. Re:Verizon DSL is NOT THAT EVIL by Anonymous Coward · · Score: 0

    What's scary is that he got modded up 4 points. I'm sure it was an honest mistake from his part, but holy crap, the moderation here is highly suspect.

  32. Re:We haven't done this yet.. by Anonymous Coward · · Score: 0

    Ditto for ISDN. I knew a couple of d00des who had it looooong before DSL or cable was rolled out. Pricy but very nice. Also a note ISDN has a much better CIR than either cable or ADSL (~10 kilobits down, 0 kbits up).

  33. Port 25 by UberLame · · Score: 1

    I'm pretty sure that they aren't blocking outgoing connections to port 25, because just recently, they said in a public notice that if I wanted to send mail from other email addresses than theirs, then I would need to use other email servers. But, I'm not home, so I can't test this right now.

    Still, this is a strong argument for getting one friend to get a T1, then everyone chips in to pay for the T1 and roll their own DSL connections (hint: dry wires, also known as security lines, from the phone company is cheap, like $20 a month). I wish I had more friends nearby so that I could do this.

    --
    I'm a loser baby, so why don't you kill me.
    1. Re:Port 25 by UberLame · · Score: 1

      I don't know what a T1 currently costs. However, I'd say that you probably don't want more than 15 people per T1, so it would be pretty costly for everyone.

      I don't think a DSLAM is needed. Just two regular SDSL modems for every user. There are documents out there about doing this.

      The person who gets the T1 really should have a proper machine room to support the routers (16+) and other machines.

      --
      I'm a loser baby, so why don't you kill me.
  34. Re:Read your TOS! by rabidcow · · Score: 1

    See the paragraph above "Violation of Acceptable Use Policy" at http://www.home.com/support/aup/ if you don't believe me.

  35. Re:Verizon and port 25 by brandon2 · · Score: 1

    Simple, I have an email address brandon@work.address.com but I want to send someone an email when I'm at home. My ISP's SMTP servers won't relay for me because it's not a verizon email address and the work SMTP server won't relay because I'm not on the local LAN. The only option to send email is to send via my own mail server. An option would be to have verizon forward email from local IP's regardless of IP but if they do that, why bother blocking port 25?

  36. Re:Read your TOS! by Fred+Ferrigno · · Score: 1, Redundant

    I don't really have much sympathy for people running web servers on broadband connections. If you want to do something serious, you're likely limited by your AUP/TOS. And with the price (free) and availability of basic web hosting, it's hard to buy that many people can't find an acceptable alternative. For more serious stuff, you really should be using a professional hosting service, for your visitors' sakes (upload bandwidth, uptime, etc.). If you want total control of your server, consider co-locating or getting business class bandwidth. And if all else fails, run on port 81.

    Yeah, a few people will get slightly inconvenienced or will have to shell out for real hosting, but I won't shed many tears. I think it's worth it if it stems the tide of Code Red, and I think you overestimate the number of people who couldn't be served well by Geocities. Frankly I think there are more people with webservers who have IIS installed unintentionally.

    We applaud ISP's when they filter out NetBIOS and Windows file sharing; I don't see this as much different.

  37. Re:Quite common already by DrgnDancer · · Score: 1

    All AUP's for broadband services will say, in one form or another, that running servers is prohibited.

    Not true. I use Telocity (Now DirectTV) residential DSL. Their TOS specifically allows servers (and they guarantee a static IP). I have heard customer service horror stories from people in other service areas, but my service has about a 99% uptime (not great, but hey for $50 bucks a month who's counting), and most of the complaints I have heard have been about their e-mail service, which I don't use.

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  38. Why does anyone think this is even a problem? by Anonymous Coward · · Score: 0

    I have been a happy @home user for several years. It is a great system. I have never had better access. They tell you right up front when you sign up that you cannot run a web server. Everyone who even attempts to sign up is fed this information. So why are these people whining?

    If you want a web server you can get one for $20 a month all over the place from real professional web farms.

    And you can easily maintain it from anywhere, even over an @home account.

    So why does anyone think this is even a problem?

    1. Re:Why does anyone think this is even a problem? by CM39 · · Score: 1


      Well it wasn't a problem for me in fact I had most of my domains hosted remotely until I was told by a mediaone supervisor that running a server was fine as long as the bandwidth usage wasn't too high. (I was told this when they called me after an idiot ex-friend emailed them to try and get me shut down)

      Since most of my domains were low bandwidth users I could save $70 per month by making them all local (most webhosting companies charge more for multiple domains so it wasn't ONLY $20)

      I don't know about other people but my problem isn't with my isp, (other than that supervisor telling me running a server was ok) I don't see they had any other option than to wait for the entire system to go down, it's with Microsoft and people who don't know what they're doing running webservers.

      In fact bundling server software with win2k was stupid, I know several people who weren't even aware they were running servers until just the last few days, I guess they were just playing around with add/remove windows components and ended up installing the software which then ran as a service without their ever being aware of it, I imagine quite a few people are in that situation right now.
      Microsoft could and should have made it a free download for those who knew they wanted it.

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein
  39. Re:Red thingie by nugatory · · Score: 1
    Correct me if I'm wrong, but I don't recall that IIS is installed by default in Win2000. Is it in NT (I don't remember)?

    It is installed by default with W2K Server but not W2K Professional. It is part of the NT 4.0 Option Pack for NT Server, but not for NT4 Workstation (that gets PWS instead).

    This actually raises a somewhat interesting question: What fraction of the infected servers are running each flavor?

  40. Drop the dramatics by NDPTAL85 · · Score: 0, Flamebait

    If you want to create and serve content then buy a dedicated line and quit bitching about not being able to do whatever you want on a RESIDENTIAL line.

    --
    Mac OS X and Windows XP working side by side to fight back the night.
    1. Re:Drop the dramatics by Nafai7 · · Score: 1

      "Create and serve content"

      I get a few dozen hits a week from family/friends checking out my personal web page (hosted on my Linux box at home). I see no reason why I should have to pay hundreds of dollars a month for a commercial line, since I'm not doing anything commercial on it.

    2. Re:Drop the dramatics by Anonymous Coward · · Score: 0
      Twit. Just because I want to serve my personal website doesn't mean that my pockets should be drained by paying for a commercial line.

      Commercial lines are just that -- instruments of commerce -- and they command a price premium, which is supposedly justified by the huge amounts of money I should be making off of my Net venture.

      I'm not making any money off my website, nor would I want to try (does the word 'sellout' come to mind?). Therefore, I attempt to use whatever resources are at my disposal to serve this site with a minimal impact on my budget. Yes, from my home cable modem.

      AT&T can block Port 80 all they want (after all, it's their line), but that doesn't mean they're not going to catch flaming shit from me about it.

      Oh, and it's *QUITE* annoying how --other people's-- use of Microsoft software manages to inconvenience me time and time again. From those .WKS files that I can't open with anything free, to losing my cable bandwidth that I'm shelling out my hard-earned bucks for.. it's just really damned annoying.

    3. Re:Drop the dramatics by Anonymous Coward · · Score: 0

      FYI, you can get virtual web hosting for about $5 / month at several places. While I have a cable modem, I still have a virtual host at another isp (pair.com) because the cable modem is too unreliable to host anything important on. (it was down twice in the last two weeks, for example -- mediaone or whatever they call themselves now .. SUCK)

    4. Re:Drop the dramatics by Anonymous Coward · · Score: 0

      Yeah, it's not enough that you get shitloads of bandwidth on cable for something like $40/month, you deserve webhosting and a static IP too. You also deserve free chocolate ice cream and dicksucks from the network engineers. After all, you might just take your business to another cable company or (gasp) a dial-up ISP that offers free low-bandwidth hosting.

      .WKS is a Lotus 1-2-3 R1 file, by the way. Very well known format, Unix spreadsheets should be able to read it.

  41. Re:No blocking yet by QuasiDon · · Score: 1

    I'm in the Boston area, and my port 80 isn't being blocked yet. That would stink because I am hosting some small websites for friends of mine.

  42. Dear Mediaone/AT&T: by Anonymous Coward · · Score: 0

    Granted there is not nearly as much mayhem caused by the Red Hat worms (the port 111 and port 53 ones) but why not any such announcement about these? I see at least 10 Ramen, etc. attacks a day and I am on AT&T's residential cable service. I say, block the lusers who are too stupid to patch their NT and 2000 boxes (and report them to Microsoft as 90% of them are unlicensed installs) and let us, the responsible customers, be.

  43. Re:I've read my TOS and it sucks. by Ryan+Amos · · Score: 1

    Yeah, I can. So AT&T can sell you a corporate connection and charge you 4 times as much. Sound like dirty play? It's called capitalism.

  44. Re:imagine if other utilities did this by Mansing · · Score: 1

    However, the common carrier rules for telephone companies in the US only apply to voice service.

  45. Re:Leased Line by dan_bethe · · Score: 2, Informative
    I wouldn't use specifically a leased line due to the fact that it's very expensive in most places, but I would consider SDSL. To connect the neighborhood to this outbound point, I would consider either 802.11b or try that homebrew DSL recipe. I might even string heavy duty cabling between houses, across a fence or something. :)

    You'd just need neighbors who are cooperative, long-term minded, trusting of the admin, and with startup equipment funding. Consider that everyone's paying $20-80 per month already and that some neighbors can't even get broadband. In my neighborhood, my neighbor had DSL but I couldn't for several months due to insufficient circuits, and our cable network had unstable power levels that fluctuate with environmental conditions.

    As for the homebrew DSL, try these links:

    As for the wireless, I'd test compatibility with the environment to make sure it works, and possibly put up signal extending antennae. I heard of someone taking apart an Apple Airport base station, adding a large antenna, and getting line of sight throughput all the way to their ISP. :)

    Has anyone tried homebrew DSL? Got any links to any personal experience? In my case, I'd like to hear from someone in the San Francisco Bay Area. Good luck!

  46. Re:Move to Canada by Anonymous Coward · · Score: 0
    Here's some questions for you, then:
    How many bits in the stack register for the 6502?
    What are the inline and auto keywords used for in C?

    Which was designed first, Pascal or C?

    There's always someone more leet than you, so shut the fuck up.

  47. Re:Servers were never allowed out on cable by caldodge · · Score: 1
    > So stick a server out there, get Slashdotted (or even just get mildly popular),
    > and the upstream bandwidth is wiped out for your whole
    > neighborhood (technically, the area of your optical conversion node and CMTS channel).

    And if cable providers didn't limit upload bandwidth, that might happen.
    However, most cable providers do limit upload bandwidth. In Lakewood (just west of Denver) the upload limit is 128 kbps (yes, kiloBITS per second). Meanwhile, I've seen download speeds as high as 550 KBps (kiloBYTES). That's a 40 to 1 ratio, which is rather higher than the 13 to 1 ratio which you mentioned.

    So your comment has little correspondence with _reality_.

    BTW, the only way "shutting off port 80" can "block the worm" is if a cable MODEM can be told "block incoming access". If they cut it off at the router, then all the infected computers on the local cable network can still merrily probe away (over 50% of Code Red probes on this cable-modem-connected system are from the local @Home network).

  48. Re:Read your TOS! by Anonymous Coward · · Score: 0

    Upon reading your comments you seem to be saying most people have a little server (FTP or website) and use it for transferring files to and from work or to have a website to show pictures and such to friends and family. I agree wholeheartedly that this type of use would put very little strain on the network and that is fine. The problem comes with people that do this and know barely enough to get their server running so do not have any of the security holes closed. Let's say that some (really a lot) of enterprising individuals have a default install of Windows 2000 so that they can run a web server. Great, so now you have IIS running. There are other software packages that install IIS as well that are not operating systems, so don't think that if you are running Windows 9X or ME that you can't get the Code Red worm; you can. Anyway you have IIS running and you are a complete neophyte so have no holes plugged up and the Code Red virus is exploiting your ignorance and putting a strain on network resources.

  49. look closer by twitter · · Score: 1
    RJ45 type ethernet is also "multidrop", but the wire has been strung out into a star around a hub. Having a switch instead of a hub is much nicer, and from your switch you can have routers.

    There is no reason the cable folks can't do this, and many already have. This is why you get such good down feed. Like I said, packets are packets. You should be able to send them up as easily as you send them down.

    The only way that would be different is if everyone on your subnet all wanted exactly the same packets at the same time, or you could cache out "popular" information on the sub net. You can forget the first one, it's never going to happen unless the cable renames TV internet. The second one works when you have more than 20 or so users with similar tastes.

    Of course, there's a large difference between the junk the average commercial crap site puts up (intensive flash trash, and other animations) and what normal people have to share (text, a few static pictures). The cable company gimps the boxes to favor the commercial junk.

    --

    Friends don't help friends install M$ junk.

    1. Re:look closer by Anonymous Coward · · Score: 0

      Multi-drop means there are more than two devices connected to the same segment of copper. A star topology is point-to-point, not multi-drop. Each segment connects a single node to the hub, so each segment connects two devices. The hub buffers the segments from each other electrically. Since the hub repeats traffic from one segment to the others you still have collisions, so switches are better.

      A point-to-point connection (as in a star) is a prerequisite to having the non-shared bandwidth that a switched network affords. Changing cable systems from multi-drop to point-to-point is the sort of massive infrastructure change I alluded to earlier. The standards for cable modems were developed with this in mind. Cable companies would have balked at adding this service if it required too much of an investment and took too long to implement (so that DSL could beat them to the punch and their investment wouldn't pay off). So I don't see this as an artificial limitation -- at least not in the pejorative sense that I think you meant it -- but as a tradeoff forced by some very practical considerations.

  50. Verizon pays....Guess I'm not alone by timlyg · · Score: 0

    Please restart your computer...please throw away your halogen lights, please restart again....please check your dialtone, please this please that...please please please....okay, seems that we can only submit your report to the technicians and see how it goes from there... I thought either everyone else is using non-verizon DSL/cable, or they don't have this problem. Guess I was wrong...Now it finally gives. Muahaha...

  51. It's not in my AT&T agreement by powerlifter · · Score: 1
    I'm one of those affected, and I just checked my licensing agreement.

    Section 6 governs items I cannot do, and not one says running a server. In Section 9(b) it reads specifically...

    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.
    It specifically says I can run a server. So, if they maintain this block much longer, I can take action.

    1. Re:It's not in my AT&T agreement by cburley · · Score: 1
      Hmm, I just signed up for AT&T Broadband, and it was quite clear in the FAQs and other-such things that the answer to the question "Can I run a server?" was "NO!".

      For now, that's acceptable to me, and since it's a month-to-month thing, I'll go along with it...until and unless the time comes when my expertise and desire to set up an HTTP or FTP (or SSH?) server exceeds their willingness to allow me to run it (both legally, i.e. according to our mutual agreement, and technically, e.g. by not blocking the pertinent ports).

      (Haven't decided yet whether to move my web site from my current ISP to one of these "AT&T Personal Page" thingys, but probably won't. I'm budgeting on the assumption that I'll pay for both AT&T Broadband access and my existing ISP, since the former is fast, while the latter has more than a clue about UNIX systems. The installation won't happen for another couple of weeks, by the way.)

      --
      Practice random senselessness and act kind of beautiful.
    2. Re:It's not in my AT&T agreement by PretzelAvenger · · Score: 1

      Doesn't this indicate merely that you can run a server, not that they will necessarily provide the outside world with access to it?

  52. Re: default home pages by coyote-san · · Score: 2

    I can't speak for others, but I deliberately left my default Apache/Debian web page up. Anyone who has a need to see the real content can find it easily enough, and in the meanwhile I don't have to worry about some random visitor stumbling across sensitive information. (E.g., detailed information about the packages I have installed, which might tell people what attacks I'm vulnerable to, etc.)

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  53. AT&T in Eastern Mass is not blocking by Ececheira · · Score: 2, Informative

    I have AT&T Broadband (formally MediaOne) in Eastern Massachusetts, and I'm still able to get to port 80 from outside AT&T's network.

    Given that they can control which ports are open on a per user basis (they can unblock SMB if you ask), I would suggest calling and talking to their tech support and explain to them that your system is not affected and that you want port 80 reopened, assuming yours has been blocked. There's no harm in trying to ask first...you just might get it.

    1. Re:AT&T in Eastern Mass is not blocking by Anonymous Coward · · Score: 0

      i was in that online chat thing with one of them, and they said, ok i've taken the filters off your line, now i just need you to reboot your modem, the ass just wanted me to get out of the room. their service has really gone downhill, and many people are extremely pissed about the blocking on port 80.

    2. Re:AT&T in Eastern Mass is not blocking by CM39 · · Score: 1

      They're Blocking me in Brockton. I was specifically told by a rep that while running a server was against the TOS that as long as none of my neighbors complained of a lack of bandwidth as a result of it there was no problem.

      I think everyone who is running one needs to complain and threaten to terminate service, if they get only minimal complaints they may make this block permanent.

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein
    3. Re:AT&T in Eastern Mass is not blocking by jimfrost · · Score: 1

      They certainly are blocking in my area (Arlington). I tried asking them to unblock it and was stonewalled by the phone support guy. I tried going through their feedback mechanism and got three copies of the same stock message telling me it's against my service agreement to run a web server, when actually it's specifically allowed.

      They've pissed off a lot of customers, though, and that's not good for business; I suspect they'll end up going the same route they do with SMB ... block it unless specifically requested.

      If not, bye-bye AT&T.

      --
      jim frost
      jimf@frostbytes.com
    4. Re:AT&T in Eastern Mass is not blocking by Anonymous Coward · · Score: 0

      They are blocking in northern mass, beverly area. I think they will find out that blocking port 80 is going to piss off a bigger customer base than they think.

  54. Re:how to get buy with their changes... by Lord_Apophis · · Score: 1

    words not numbers no one wants to sit there typing ip addresses... let alone with the port this way you just type the dns.

  55. Re:Here's a nifty trick by Anonymous Coward · · Score: 0

    This won't be too effective for servers that just sit somewhere with no one ever looking at the screen to see your message. I send mail to the abuse account of the company that owns the IP as shown by arin.net

  56. Re:Mailservers? by Lifewolf · · Score: 1
    Day they shut off my mail port is the day I cancel.

    Agreed. Fortunately, it looks like Verizon DSL customers should still be okay. From https://support.bellatlantic.net/members/whats_new/multipleemails.html#options*:

    4. What options do I have if I want to continue using another domain in the "From:" address of emails I send?
    1. Contact the provider that is hosting your incoming mail addressed to your private domain to determine whether that provider offers outgoing (sending) email services as well as incoming (receiving). If so, obtain the name of their SMTP (outgoing mail) server and configure your email program to use that server rather than Verizon Online's SMTP server when sending mail with a "From:" address including that domain.

    * Note: This page is behind a login barrier.

    --
    "Be Happy or Die." -- AoN
  57. Re:Verizon DSL is NOT THAT EVIL by jspaleta · · Score: 3, Insightful
    Okay so I replied to myself...deal. I just called verizon tech support, and here's the scoop.

    Verizon IS blocking port 80 from outside verizon's network, and the reason verizon has been giving its tech support people, is that this is a temporary port block because of Code Red.

    The block started yesterday, and affects inbound traffic into verizon's network. I can get to my website from other verizon addresses, but not from outside of verizon's net. I couldn't get a specific time frame on how long the block is going to be up, but the tech support people have been told that it's not permanent.

    Does Verizon have a legitimate concern about Code Red infestation across its network? Maybe...but since I'm not running any MS products on my LAN and I take the time to secure my stuff, I'm pretty unhappy that my services get knocked off the net like I'm one of the clueless masses.

    The best solution to get Verizon to hurry up and unblock the port is for everyone who has a verizon DSL account to call them and tell them in a very nice calm manner that if the block stays in place, your business will go elsewhere. I was call 25 this morning. Let's see if the slashdot effect works over the phone as well....I want to see the number of complaint calls jump to 2000 in the next 30 minutes.

    Verizon Tech Support:
    1-800-567-6789

    -jef

  58. Re:I've read my TOS and it sucks. by janpod66 · · Score: 2
    How do you figure??? If your system is DOS'ing someone on the net it may be using the total bandwidth in your area.

    Current state:

    • Broadband provider may fail to deliver minimum bandwidth.
    • One misbehaved user can use up all available bandwidth.
    • Broadband provider fails to enforce correct IP addressing, facilitating DOS attacks.
    • Broadband provider attempts to control the content of packets.
    • Customers don't get a well-defined product and have to live with arbitrary restrictions as their broadband provider flounders.
    Desired state:
    • Broadband provider delivers minimum bandwidth (more is optional).
    • Broadband provider enforces upper limits on bandwidth.
    • Broadband provider enforces correct IP addressing.
    • Broadband provider is oblivious to content of packets.
    • Customers get a well-defined, predictable product at a well-defined, predictable price.
    Easy, isn't it?
  59. Re:The problem is.... by Anonymous Coward · · Score: 0

    cause most people don't buy OS's anymore, 75 percent of the people running that probably pirated it from a news group, just so they could tell all their friends they were running it.

  60. Re:imagine if other utilities did this by mami · · Score: 1
    If you don't like their actions or policies, then take your business elsewhere.

    That argument would be valid if there were sufficient places to go elsewhere, but there aren't.

    Secondly, technologies get created and infrastructures change, because of those technologies. If millions of people start working from their homes, because of the new possibilities created through that technology, you can't just sit quiet and watch how a couple of monopolies impede independent creation of micro home-based businesses through the way their contracts impose usage restrictions on the bandwidth they provide, disallowing you to have static IPs and putting restrictions on who and what you can broadcast from your own servers.

    If you want content censorship and broadcasting controls of privately produced content on home-based servers, it should not be the ISPs and bandwidth providers to do so. This is an issue, which has to be controlled by the people through legislation.

    I think it's completely unacceptable to allow any company to play God over the usage of a home-based server's content broadcasting capabilities.

    If you want to prevent broadcasting of material offensive to the majority of people, who are capable of accessing that material, then this should be restricted by legislation, not by contracts imposed by monopolies on their customers nilly-willy. If technology isn't capable of enforcing such legislation, it doesn't mean that there shouldn't be such legislation, it just means that the geeks and gurus of this world haven't thought about a better technology that gives legislators the tools to enforce laws, which were accepted by the people in a democratic process.

    I think it's a shame that ISPs can deny me the right to buy a static IP and any amount of bandwidth I want for whatever purpose. It's not their business how I use that bandwidth. It is the business of ALL the people, how I use my broadcasting capabilities, and therefore restrictions have to be decided by ALL the people, through our legislative bodies. Can you even clearly and honestly distinguish between business and private usage of bandwidth and broadcasts ?

    What if I want those DSL lines to learn system admin skills using my home-based servers as hands-on tools. Do I need to pay for a private or business DSL line ?

    What if I am a student and want to run a site just as a means of demonstrating my "portfolio" of skills ? Do I have to pay for a private or business DSL line ? Why should the provider be in a situation to extort money for a higher priced line, though this is clearly not a business usage ?

    What if I want to broadcast my book's content for free or for a fee and be my own online publisher ? If I broadcast my book for free, do I have to pay for a business DSL line and why ? As soon as I ask for a subscription to be able to access the next chapter of my book, does that count now as a business usage ? How about if I just offer a tip jar over PayPal and readers who like my book send me a tip? I get income from tips ? Does that justify to force me to buy business DSL line ?

    What if I have an extended family of ca. 50 to hundred people around the world and want to offer them web-based services and use my home-based servers to serve them ? Why should I be forced to buy a business DSL line for such purpose ?

  61. You silly people and your web servers by thejake316 · · Score: 1

    So many vanquished by a blocked port 80! Sad. I personally think it's generally silly to leave outside world low ports open other than ssh over a consumer adsl or cable connection (hang out a sign saying "crack me," why don't you). I can think of a few ways off the top of my head that would work in some contexts:

    1. Sign up for a service that redirects http connections for you (dyndns?, pobox, *.to, etc. etc.) Many are free, those that aren't are dirt cheap. Move your apache up to port 8000 on your box, and voila, instead of http://whatever http://whatever:8000 will fulfil your silly desire to leave your machine and data exposed to the world when several services give you webspace for free or dirt cheap.

    2. "But where I work they only allow http connections to port 80!" Congratulations on working somewhere that knows better than the rest of the world how the internet should work. Check to make sure they don't allow ftp out. If it works, you can run an ftp server, you can still use your precious browser to access your home ftp. If not, get an account with a webspace provider that allows cgi, and use a cgi script that gives you transparent access to your home machine.

    3. Use ssh (which is the only thing you should have open to the outside world IMHO) and portforwarder to access your silly Apache web server.

    If you can't implement any of the above, or possibly didn't think of any of the above, you have no business running a web server over your broadband connection anyway. You are the folks the 1337Z are cracking, and it's your fault I get portscanned every 5 minutes from some jerkoff running redhat 6.0 with every default service open, and it's your fault broadband providers reason thus: portscans originating from and directed at our subnets->coming to/from linux servers->linux servers have low ports open->block low ports->no more portscans.

    If your intent is to share files with other people, use gnutella. If your intent is to publish information to the world at large, use the webspace your isp provides, a free webspace provider, or (horror!) buy some (it's cheap.) If you need to access your computer at home, use ssh or better yet don't open any incoming ports and dial in. Broadband connections are sold to consumers so they can slurp crap off the internet (I assume mostly porn) damn fast. Anything that works beyond that should probably be regarded as gravy.

    Your employer wants the internet to be of as little use to you as possible (so you don't waste time with stock applets, downloading files off your computer, hanging out in #slashdot) so they only allow connections to port 80. Your ISP wants to reduce malicious use of their network and/or wants people running web servers to use something other than consumer broadband connections, so they block incoming port 80. You have files at home you'd like to access at work. If you can't devise satisfactory solutions to this problem you probably don't deserve to access your files from work, and probably don't deserve a broadband connection, a computer or work.

    --
    AC's cheerfully ignored
  62. Re:Move to Australia, but don't use Telstra by Anonymous Coward · · Score: 0

    Bzzzt wrong! Optus@home blocks port 25 (for about 6 months now) and as of today port 80 as well.

  63. Re:imagine if other utilities did this by numo · · Score: 1
    Or how about the power company, charging you differently depending on how you use the power

    They do this in some parts of the world - the country where I am from (Slovakia) is an example. There are different prices for business and home use.

    I wonder if it isn't appropriate to have a little (eek) government regulation

    Guess what? The reason is the government regulation :-)

  64. Re:Quite common already by einhverfr · · Score: 4, Insightful
    I will never use such a service that requires me to proxy. Simple reason. I support other people in my house and I do so through SSH. If I am not home, I ssh into the box and fix things. If my ISP won't allow it, I won't use them. This is going to play havoc with those that use XP when they call for support and drive up support costs for everyone because they can't allow incoming requests for remote desktop support!

    Not that I like XP. But I can see this causing lots of angry letters...

    --

    LedgerSMB: Open source Accounting/ERP
  65. Re:From A Business Perspective, It Makes Sense by Xoro · · Score: 1

    It would simply be a logistical nightmare where thousands of hours of work are diverted from network administration, support, maintenance, etc. It wouldn't work. They'd probably have to start up a whole new management division to keep track of it. And then their support people would continually be taxed by calls from people who are getting blocked when their neighbor's Apache box is still serving up pages.

    Or, gee, maybe they could write a script -- detect, block and send an email notification.

    Bet you're management.

    --
    Kill, Tux, kill!
  66. Re:Not a huge surprise.. by Anonymous Coward · · Score: 0

    1) The MS FTP server is part of IIS. To install it you need to install IIS.

    2) VisualStudio does not install IIS. It does come with the NT4 Option Pack (IIS) CD, which you need to manually stick in the drive and install.

    IIS is considered by MS to be a OS component. It does NOT automagically get installed by other software.

    I believe that W2K Server automatically installs IIS, and "Advanced Server" (optimized for 5+ CPUs!) is popular among the warez crowd because it makes them feel elite. If so, that's probably your primary source of home infections right there.

    W2K Pro requires the user to explicitly install IIS. It's possible that some OEMs might have shipped with this component already installed, but I doubt it.

    (Of course the real problem is not IIS installations, but the fact that MS decided that IIS would automatically parse index server queries out-of-box (ida.dll), as well as internet printing and a bunch of other bug ridden crap that people serving plain HTML or ASP don't need.)

  67. Re:No blocking yet by TwP · · Score: 1

    Port 80 is still working in Boulder, CO

    Out of some strange combination of curiosity and boredom, I did a scan of port 80 on my entire class B network (24.255.*.*) The results were pretty interesting, and I have also included some useless statistics from my Apache server logs.

    In the past 24 hours my server has been hit 347 times by 51 unique servers on my Class B network. In the past four and a half days my server has been hit 1185 times by 76 unique servers on my Class B network.

    The nmap scan of port 80 on my Class B network:

    3538 servers report the port as "closed"
    635 servers report the port as "filtered"
    197 servers report the port as "open"

    which means that 26% of the web servers on my Class B network are currently infected with the Code Red II worm :)
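
The tallies in comments 47 and 67 (probes per unique source, and how many of them come from the local cable network) can be reproduced from an Apache access log as below. This is an added example, not code from the thread; it assumes Apache's common log format, takes the `24.255.0.0/16` network from comment 67, and runs on constructed sample lines whose request carries only the worm's filler run, not its payload.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log line: client, identd, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# The worm requests /default.ida followed by a long run of one filler character:
# 'N' in the original Code Red, 'X' in Code Red II.
PROBE_RE = re.compile(r"^/default\.ida\?(?P<fill>N{20,}|X{20,})")
VARIANT = {"N": "Code Red", "X": "Code Red II"}


def parse_probe(line):
    """Return (source_ip, variant) for a worm probe, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    probe = PROBE_RE.match(m.group("path"))
    if not probe:
        return None
    try:
        ip = ipaddress.ip_address(m.group("client"))
    except ValueError:
        return None  # HostnameLookups enabled, or a malformed client field
    return ip, VARIANT[probe.group("fill")[0]]


def summarize(lines, local_net):
    """Count probes and unique probing hosts, split into local and remote sources."""
    net = ipaddress.ip_network(local_net)
    hits = Counter()
    variant_sources = {name: set() for name in VARIANT.values()}
    for line in lines:
        parsed = parse_probe(line)
        if parsed is None:
            continue
        ip, variant = parsed
        hits[ip] += 1
        variant_sources[variant].add(ip)
    local = sorted(ip for ip in hits if ip in net)
    total = sum(hits.values())
    local_hits = sum(hits[ip] for ip in local)
    return {
        "total_probes": total,
        "unique_sources": len(hits),
        "local_sources": [str(ip) for ip in local],
        "local_probe_share": local_hits / total if total else 0.0,
        "sources_by_variant": {k: len(v) for k, v in variant_sources.items()},
    }


def estimate_infected_share(summary, open_port80_hosts):
    """Unique local probers divided by local hosts that answered on port 80."""
    if open_port80_hosts <= 0:
        return 0.0
    return len(summary["local_sources"]) / open_port80_hosts


def log_line(client, path, status=404):
    """Build one constructed log line for the sample below."""
    return f'{client} - - [09/Aug/2001:10:00:00 -0600] "GET {path} HTTP/1.0" {status} 276'


LOCAL_NET = "24.255.0.0/16"           # the commenter's "Class B"
CR2 = "/default.ida?" + "X" * 224     # constructed: filler run only, payload omitted
CR1 = "/default.ida?" + "N" * 224
SAMPLE = [                            # constructed sample log lines
    log_line("24.255.12.7", CR2),
    log_line("24.255.12.7", CR2),
    log_line("24.255.80.3", CR2),
    log_line("24.255.200.9", CR1),
    log_line("192.0.2.44", CR2),
    log_line("198.51.100.5", "/index.html", 200),  # ordinary visitor
    log_line("24.255.12.7", "/default.ida?id=7"),  # same path, not the worm
    "not a log line",
]

if __name__ == "__main__":
    report = summarize(SAMPLE, LOCAL_NET)
    print(report)
    print("share of open hosts seen probing:", estimate_infected_share(report, 12))
```

The ratio from `estimate_infected_share` is the same calculation as the comment's 51 probing hosts out of 197 with port 80 open; an infected host that has not yet probed this particular server is not counted.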

  68. Crackdown Shmackdown by Anonymous Coward · · Score: 0

    I work for a major ISP and I have little sympathy for people that complain because something they weren't supposed to be doing is no longer free and/or possible. Filtering port 80 on an account that isn't supposed to be running a web server in the first place is nothing to whine about. Running a web server on a low end (residential) account draws resources needed to support customers that play by the rules. A few users drawing most of the resources break the financial model that makes residential priced service possible in the first place. So some rules (such as "no servers") have to be established. If you want the kind of service that can handle the kind of traffic a web server requires, go price a T1.

    1. Re:Crackdown Shmackdown by DigitalGlass · · Score: 1

      att in eastern mass says i can run a webserver, does that give me the right to whine? :-)

    2. Re:Crackdown Shmackdown by CM39 · · Score: 1


      Did they say you could run one or have they simply not enforced the TOS?

      In my case they knew I was running a server and told me it was ok as long as it didn't cause bandwidth problems for my neighbors.
      To me throwing the TOS in my face now is like a store owner saying you can have free soda whenever you want and then having you arrested and thrown in jail for it... sorry I couldn't come up with a better analogy :-)

      Either enforce the TOS or don't but changing the rules when it suits you is wrong no matter how you look at it.

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein
  69. Re:Speakeasy! by spectral · · Score: 0

    whee, arguing both sides. Because public webservers don't let you do what you want. Most sites I design require PHP and MySQL. Good luck finding a free server that offers that. Or even an inexpensive one. I've found one, but adding MySQL support to the account makes it cost 10x more than without database support.

  70. good thing we didn't put corp rep into white house by Anonymous Coward · · Score: 0

    :)

    ok. this is usually not a political forum, but people here are usually pretty bright. often extreme in their beliefs, but bright. so does anyone see any problem with monopolies putting their man in the white house who in turn puts a complete moron (a lawyer with no talent) in charge of the FCC? yes, this one does go all the way to the top. this is going to be a monopoly for the next 50 years. and they will get their foothold now by being completely unregulated. my favorite quote from the current FCC chairman is "i can get ceo of any corporation to come in and educate our lawyers about technical issues". the fox is guarding the chickens. and pretty soon albania will have better quality of service than we do.

  71. They say it's temporary by Zoinks · · Score: 1
    I called into their support number (AT&T Broadband) to ask about this. The guy was a little defensive, but helpful. Perhaps he was surprised to have a clueful caller - I told him I ran Apache under Linux and was not affected by this worm.

    He said they couldn't turn on 80 for just me. He claimed that they'd turn on port 80 again for everyone in a few days, but wouldn't commit to a time. They've got to get rid of the worm and virus first.

    I asked if they were going to block other ports, for instance, 10000, if I started using that one for a server. Again, somewhat surprised reaction, but he said "no" they wouldn't. Makes sense, the worm uses 80.

    So I guess we can all curse MS for this one, and us non-MS users can be just a little smug and annoyed for the moment. And let's hope MS's screwup doesn't ruin the whole game for the rest of us.

  72. Getting around port 80 blocking. by Anonymous Coward · · Score: 0

    install SSL and switch to https. listen on port 443.

  73. Re:Time to change ports. by Anonymous Coward · · Score: 0

    Okay, but how do you change every web browser in the world so that they know to look at whatever port you've moved to when it doesn't find you on port 80? Most of my visitors don't know what port numbers are or how to indicate a non-standard port in a URL. Dumbass.

  74. Re:Move to Canada by balls001 · · Score: 1
    Actually that's not true, I run a mail server on Sympatico HSE.. The real problem is that whoever runs the DUL (dial-up list iirc) keeps adding HSE to it.

    What the DUL is, is a list of networks that are dial-ups, which mail servers can then reference. Dial-up users are then automatically denied access. This is meant to somehow cut down on spam. Personally, I find it very annoying. Here's the end-user info for the DUL

  75. Funny how many of you post out of your asses by Anonymous Coward · · Score: 0

    I must say it's amusing to see all the comment subjects like "Read your TOS" "No sympathy for people who don't read the TOS" and "No big surprise" and then go on and on about contract this and prohibited that, when it turns out the actual TOS in question does not prohibit running servers. Just think it's funny to see people ramble on when they are ignorant and full of shit.

  76. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0

    Wow!

    You would think that with all those cool features being better than Linux, everyone would just abandon Linux and use FreeBSD, including Linus!!

    Err..

  77. Um, hello? by deblau · · Score: 1

    Who ever said web servers had to run on port 80? Just run SSL, or something. Or use port 81. Or 3496. Jeez.

    --
    This post expresses my opinion, not that of my employer. And yes, IAAL.
  78. Re:Road Runner by redgren · · Score: 1

    According to the online policy guide for my RR connection (Time-warner Austin, TX), servers are implicitly allowed...

    "...You must adopt adequate security measures to prevent or minimize unauthorized use of your account, including proper levels of security on mail, web and news servers maintained at your location. ..."

    This is in their residential acceptable use policy. I haven't run a web/mail server for about 6 mos., but I assume I still could.

  79. Re:Just get a job! by phliar · · Score: 1
    I have yet to see a ISP let their customers run a web site without extra cost.
    "I have yet to see..."? Surely that only proves that you still haven't left your parents' basement to see the outside world?

    Hint: Speakeasy.

    Access costs MONEY. Pay it.
    Another hint: their customers are paying them to transport packets. They can say "We will transport x packets per second for you." But why should they have any right to look inside the packets? Why should they be allowed to look at certain fields of certain packets of a certain protocol? Or, in a technical sense: they are paid to transport IP packets. Why should they be allowed to look at anything in the payload, like TCP or UDP headers? They paid for IP, not "TCP only, and only as long as inbound packets don't have the SYN bit set."

    What would your reaction be if the post office started telling you that you're not allowed to receive a letter from someone that you haven't already sent a letter to? Or, if you get an envelope, and inside it is another envelope, inside which is the letter, then that inside envelope can only be pink, but it better not have a floral border.

    Whinning 'cause you can't get it free?
    What's "whinning"? Whinnying? Winning? Whingeing?

    --
    Unlimited growth == Cancer.
  80. Re:Verizon DSL is NOT THAT EVIL by frizzen · · Score: 1

    Go get a domain name from www.myinternet.com or someplace like that. Then you can have a simple domain name and forward it to any port number you want on your DSL or cable machine.

  81. Re:They should remain blocked by Nemix · · Score: 1

    Yeah!

    Until the stupid users learn to stop downloading virii code, we should turn off their outbound access too.

  82. Re:The problem is.... by CM39 · · Score: 2, Insightful


    Unfortunately that isn't all it is....as I said in a previous post.

    "Bundling server software with win2k was stupid, I know several people who weren't even aware they were running servers until just the last few days, I guess they were just playing around with add/remove windows components and ended up installing the software which then ran as a service without their ever being aware of it, I imagine quite a few people are in that situation right now. Microsoft could and should have made it a free download for those who knew they wanted it."

    I suppose the argument could be made that people were stupid for playing with "add/remove windows components", but Microsoft has in many ways gotten as big as they are by claiming their products are almost idiot proof. I guess this is proof they are the idiots.

    --

    "PMS is the time of the month when women act like men do all the time"
    Robert Heinlein
  83. I'm lucky by SCHecklerX · · Score: 2
    We are allowed to run anything we want, so long as we aren't harassing people or doing anything to breach netiquette. My ISP is really cool with their policies. I just wish they were smarter WRT their own administration (I was effectively not able to browse slashdot for two weeks b/c my IP didn't reverse-resolve!)

    Here is our TOS:

    http://www.planetcable.net/policies.asp

  84. At this point I wouldn't complain too much by Anonymous Coward · · Score: 0

    Code Red has been responsible for some MAJOR bandwidth issues the past week or 2. For God's sake I went Link Dead 10 times on EQ in the past 2 weeks. Something that never ever happens to me. Turn em all off so I can get back to Norrath =)

  85. Re:We haven't done this yet.. by Anonymous Coward · · Score: 0

    Oh bullshit -- Until Al Gore 'invented' the commercial internet, to get net access you had to jump through approval hoops to prove that you had some scientific or academic reason to be on the Internet. Even major corporations ran on 56K frame connections. You could not just pick up the phone and have a T1 installed in your apartment.

    Just because you were some zitface usenet lurker with an .edu address and the ability to telnet into a VAX doesn't mean you were any more l33t than the AOLers are now.

  86. Re:They should remain blocked by jp_hirtle · · Score: 1

    Sounds so much like my experience with Bell Atlantic (read: Verizon) DSL which I have suffered with for more than a year. Just when they seemed to have stopped routing me into black holes, I am left tearing my hair out trying to figure out why my pages aren't reaching the world anymore. After two calls to clueless "tech support" (what qualifications does that entail...?) personnel who assured me that they aren't stepping on port 80, guess what it turns out is going on? I should have known better than to suspect anything awry with Apache which has been chugging along for two years without a hitch. Guess I could try hanging my server somewhere else - on a T1 would be nice - but I kinda like sleeping with it. - Disconnected in Beantown

  87. 128k upload is plenty ... by jcochran · · Score: 1

    If you use it wisely. A simple solution is to take advantage of the free web space provided by your ISP and put all of your jpeg's gif's and other large binary objects that consume bandwidth. Then your webserver can simply serve up text pages (possibly generated via cgi scripts) and whenever an image is desired, refer to the copy stored at your ISP. The result is that your home web server (using your own domain name) only serves 1 to 2 kilobyte pages and the high bandwidth consuming images don't use any of your available upstream bandwidth.

  88. Re:Servers were never allowed out on cable by Anonymous Coward · · Score: 0

    "Customers must ensure that their activity does not improperly restrict, inhibit, or degrade any other user's use of the Services, nor represent (in the sole judgment of AT&T Broadband) an unusually large burden on the network itself." -- from att broadband. So then, if I've applied the patch, doesn't that mean that I've ensured this and you're filtering port 80 without checking?

  89. Hrmmm.. by ImaLamer · · Score: 1

    ZoneAlarm has logged over 10,000 hits to port 80 on my machine. This has caused me much distress, although not much of a slow down.

    My log file has grown from about 80k, to over a megabyte. Services such as IRC and streaming video have lagged now and then, but nothing to complain about.

    The sad thing is, I'm on a RoadRunner network and most hits are from @home users, which are the dumbest users [usually] I've run into. Maybe it's the water in those areas. But RR people, like me are assholes, so it's fair.

    But why run a web-server from home? Get a geocities account, pirate windows2000 workstation next time, and stop hitting my box with port 80 requests.

    Worst of all, it's been the same 500+ ip addresses hitting my box. @home, block the IP's not the port. Maybe it's time to start e-mailing abuse@home.com.

    What dog breeders say would fit this situation: "Punish the deed, not the breed"

  90. Re:Verizon West Coast Support by NoWhereMan · · Score: 1
    The best solution to get Verizon to hurry up and unblock the port is for everyone who has a verizon DSL account to call them and tell them in a very nice calm manner that if the block stays in place, your business will go elsewhere.


    The number you listed is only for their East Coast database. Seems like they are still working things out after the merger ;-)


    For West Coast Verizon Tech Support:
    1-877-222-2375

  91. Re:Verizon DSL is NOT THAT EVIL by Anonymous Coward · · Score: 1, Informative
    1) Verizon is not blocking web servers
    2) Verizon is not blocking smtp servers
    3) Verizon isn't blocking any ports as far as I can tell
    4) Verizon IS preventing spam from being generated from their mail servers by requiring every piece of mail sent from their smtp servers to have a valid userid@verizon.net.
    5) Verizon will shutdown DSL accounts on a case by case basis if your computer account is being used to degrade overall network service (ie you are a spam or virus factory, and Verizon can trace the network congestion back to you)
    Don't forget Verizon is a huge beast and just because you aren't experiencing the blocks doesn't mean they aren't blocking other parts of the Verizon Service area.

    More likely is that they haven't gotten to you _yet_. As a former contractor for them, I can attest they don't always move quickly, but if the order comes from high enough, it will happen. Well, ok, it will happen, but only after all those damn meetings wrap up. 8-)

  92. Re:Move to Canada by odaiwai · · Score: 1

    They're not censoring your bytes - that would imply that they're blocking based on content. They're just blocking the entire stream regardless of content.

    dave

  93. Re:Servers were never allowed out on cable by einhverfr · · Score: 2
    The author suggests blocking port 80!

    There is always port 443! https is good for these things.... They would have to get really anal and make us use their proxies for all usable service ports to be reasonably blocked....

    --

    LedgerSMB: Open source Accounting/ERP
  94. As a CLEC, this is how we have been coping. by phoenix_orb · · Score: 5, Interesting

    I work for a regional CLEC out of Chicago. We have several thousand installed DSL lines. This is how we have been coping with the Code Red worm... (*as a business class of service, we can't be simply turning off all port 80.. many people do host off of our SDSL lines*)

    We have a large number of 10.x.x.x addresses for our broadband subscribers. (This saves us the trouble of assigning public IP's to every single customer, because most don't want nor need a public IP). Our NAT server was getting so clogged up with TCP/IP sessions because code red was searching for hosts (and once it got into the 10.x.x.x network, it has lots of addresses to check).

    We simply got a free scanning utility (sorry... I am at home, don't have it here, nor the time to find it). After scanning all of our customers, we located around 30 infected computers. We left messages stating that they were infected, and we were shutting off their connection until they would remove the offending computer... (we could discern the IP itself, and our users are statically assigned, not DHCP thank god...)

    Several users were irate as all hell, but the good of the many outweigh the good of the few, correct? Many times the customer simply unplugged the computer and we put them back on. They are then responsible for patching it.. We have been running scans everyday, and have now gotten fewer and fewer code red worms in our user's DSL systems.

    I think that this was the ideal approach. Why use a damn sledgehammer when all of about 30 minutes of work allows you to use a fly swatter to remove the offending computers?

    --
    Blah Blah Blah.
  95. Re:Why not force a download of the patch? by aoeuid · · Score: 2, Insightful

    Yes, that's nice in theory, but in reality, it's much easier to pay someone $75/hour to type in "access-list 101 deny any any eq 80" on each access router than it is to pay them to type in hundreds of such statements corresponding to each specific user's IP address on each of their subnets. And never mind the labour costs, the CPU costs to process that access list for each and every packet would be unreal. (Not to dwell on router configuration, but each line would have to be unique, ie. you couldn't group them together in subnets etc as is usually done, and remember, each and every line is processed until a matching one is found).

  96. why would anyone use windows as a server? by arielb · · Score: 0, Flamebait

    Windows is for games and Microsoft Office. But if you are scared of a commandline then you have no business touching a server. That's why we have these problems. Not because one OS is more advanced than the other but for the simple reason that Windows makes it easier for idiots to screw up the net for the rest of us.

    --
    ---
    1. Re:why would anyone use windows as a server? by SpaceLifeForm · · Score: 1
      In fairness, any OS can cause bandwidth problems.

      But, I must agree, it's primarily due to M$ due to their complete lack of concern when it comes to worms like Code Red.

      My solution: You are allowed to run a server over broadband IFF 1: you demonstrate technical competence, and 2: you implement mechanisms to prevent bandwidth problems. An example would be to prevent heavy usage during peak periods, the peak period being say the evening in your timezone. The ISP must monitor bandwidth usage, and could throttle and/or block depending upon a reasonable TOS. Code Red would not be impacting the bandwidth as it is today.

      M$ *IS* the problem.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  97. Buy CLEC DSL by sulli · · Score: 2
    I work for a big ISP offering DSL from Covad (bankrupt but still operating) and we don't filter nuthin'. Individual users get a dynamic IP, so you have to buy a multi-user setup if you want to put up a permanent web server, but if you run personal web sharing (for example) there's no trouble.

    Maybe it's because we don't have as many subscribers as the big boyz, we keep things simple and user-friendly?

    --

    sulli
    RTFJ.
  98. Re:I've read my TOS and it sucks. by janpod66 · · Score: 3, Insightful
    Because 99.9% of security issues comes from someone running an unpatched redhat box at home.

    Even if that were true, so what? I bought bandwidth from my ISP and I expect them to deliver that bandwidth. If my machine has a security problem and starts attacking other sites on the Internet, that should be my problem, not my broadband provider's problem. My broadband provider may choose to limit my outgoing and incoming bandwidth to a previously contractually agreed-upon minimum, but no further.

    By your reasoning, the telephone companies should listen in on our telephone conversations to make sure we don't do anything illegal and don't make prank calls. Wisely, we have chosen not to place that authority in them, and we should take a similar approach to security with broadband providers.

  99. Re:Speakeasy! by Anonymous Coward · · Score: 0

    Too bad they use COVAD, who just filed for chapter 11, to pipe data from you to them to the 'net...

  100. Re:The end of a state of denial by tif · · Score: 1

    Someday, will it be acceptable to make an anti-virus? That is, a good virus which infects and fixes vulnerable and/or compromised systems. Clearly an anti-virus could be made friendly so as not to do undesirable things, but currently this would be frowned upon (and probably illegal). It seems like this would be the quickest way to put a stop to worm after worm after worm.

  101. Re:*BSD is dying by Evil+MarNuke · · Score: 1

    no i use OpenBSD because it's secure

    --
    The journey is better then the end.
  102. Re:No blocking yet by Anonymous Coward · · Score: 0

    Blocking port 80 does not solve the problem of those systems already infected. The virus still scans outbound on ports other than 80.

  103. Re:Quite common already by Defiant+One · · Score: 1

    I had looked at Telocity before they were swallowed up by DirecTV; do they still allow servers?

    Yes they do. I've been with Telocity for over a year and they allow anything, plus they automatically provide a real, static IP. I do not believe the merger with DirecTV has had any effect on this, except that they may be more concerned with outgoing bandwidth, but only if you're running a high traffic service.

    I use the line for test servers, an intranet site, and application demos and it's not been a problem...

    --
    You will outgrow your usefulness - actual Slashdot footer quote
  104. Re:Road Runner by prator · · Score: 1

    Could you tell me where to find Austin's policy? I just wanted to give it a read myself.

    -prator

  105. Re:Verizon DSL is NOT THAT EVIL by harlows_monkeys · · Score: 1
    Verizon is NOT preventing spam. The address restrictions are totally ineffective for that.(Their FAQ even implies this).

    Verizon's email address restrictions are there for exactly one purpose: to get people who need to use their own domain to switch to Verizon to host the domain. It is purely a way to extract another few dollars a month from some customers.

  106. Re:We haven't done this yet.. by geekoid · · Score: 2

    I would gladly go back to 1200 baud if the only people on the net had to know how and why it worked. Now I would never want to go back to 300 baud ;)

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  107. AT&T even allows commercial PORN servers... by rochlin · · Score: 1

    I have AT&T (formerly mediaone, formerly roadrunner) and was one of their original test subscribers for their cable modem service in Venice/Culver City, CA. Not only have they always allowed webservers, but they even allow commercial webservers. Not only that, they allow commercial Porn webservers. I complained about porn server mirrors running on my little cable node. (Not a moral objection, but a bandwidth hog objection). Not only did AT&T/Mediaone/Roadrunner tell me that that was tough cookies for me (Porn/Commercial webservers are fine unless higher powers decide otherwise on a case by case basis -- e.g. no kiddie porn), but I got nailed for doing the port scan to find the servers! One more port scan and I'm booted... Public Service note: AT&T (roadrunner/mediaone) has by default filtered port 80 and other lower port numbers for some time. You just have to ask them to switch off the filtering: send an email to netbios@mediaone.net making the request. (netbios is in the name because MSFT file sharing on port 139 was one of the first filters they put in place).

  108. Learn to read by NDPTAL85 · · Score: 1
    What part of your residential AUP can you not understand?

    If all you have is a 20k HTML doc then setup a tripod or geocities site.

    --
    Mac OS X and Windows XP working side by side to fight back the night.
  109. Re:Move to Canada by Anonymous Coward · · Score: 0

    I have an exciting little anecdote about how this specific feature of DHCP helped me to discover SirCam on our network at work - I was doing a "netstat -M -n" on the NAT gateway and noticed a number of port 25 connections from an IP on our network which I did not recognise .. the only reason I looked into it at all was because I didn't recognise the IP address, as I know the 10.0.0.x IP addresses of all the usual internet users at my work (its a small company :), so I saw this unusual IP and decided to see which computer it was. The computer, it turned out, was not being used by anyone at that time, so I quickly did some "tcpdump"ing, saw the "in order to have your advice" crap in the packet dump file, and immediately powered off the machine. OK, so it wasn't such an exciting anecdote, sorry.

  110. Re:Why not make a PatchUp-Worm? by Anonymous Coward · · Score: 0

    while the "hack back" is a very good idea indeed, there is the problem with filtering. due to the fact that port 80 is being blocked, how will this hack back travel? you can't just call the isp and say "i think you need to unblock port 80 because i am going to perform a hackback on your entire network."

  111. AT&T / Mediaone is blocking ALL HTTP GET REQUESTS! by MikeFarrington · · Score: 1

    On Monday night they blocked port 80. On Tuesday night it looks like they've blocked all incoming HTTP GET requests. After they blocked port 80, I switched to 81 without problem. I also run a few administrative pages on varying ports. Now NONE of them work. I can telnet to them on their respective ports and issue some of the handshaking commands, but I cannot access them via a webbrowser. It looks like AT&T is now blocking all inbound HTTP GET requests. ARGH!!!!!!!

  112. This is no news to @home by pvera · · Score: 1

    This is a very old argument. My @home terms of service of over a year ago already prohibit me from hosting any kind of service from my @home connection. This is really annoying to us developers because it forces us to host outside of our home offices if we want to show running web code to a client.

    Funny thing is that the only thing they filter is web traffic. I can ftp to any of my machines just fine. P2P software used to work but that is in question. pcAnywhere and terminal services work fine too.

    --
    Pedro
    ----
    The Insomniac Coder
  113. Re:No blocking yet by sracer9 · · Score: 2, Funny

    "We're going to close the intersection of Pine and Elm because there are too many accidents there."

    Exactly. How stupid. That's like grounding all flights of a certain aircraft because it crashed once. Oh wait....

    --

    No thanks. I don't smoke anymore.
  114. Re:virus protection by HugeMidget · · Score: 0

    Well I could get a complete internet connection for $15 a month with a dial-up account. Unbreakable -> no one is complaining if their cable modem goes down for a while. So you would suggest everyone pays $20 or so more a month to have access blocked? I'm sure AT&T has the ability to block or shut off access to people who are infected with the worm - thus eliminating the outgoing code red from their network.

  115. Re:Read your TOS! by twitter · · Score: 1
    Remember that a cable modem has an upstream bandwidth that is only a fraction of the downstream bandwidth. If my neighbors start serving up streaming video content from their home systems and filling this relatively narrow pipe, I will definitely notice the effect and I won't be very happy.

    You have run into two ways, both artificial, that some companies have thought to keep you from being a content provider. The first is your cable box which has a limited upload speed. The second is that companies like Real Audio tag their packets as highest priority, so it shoves other content aside.

    Don't worry, they can't fight technology forever.

    --

    Friends don't help friends install M$ junk.

  116. The Quest for Perfection by agusus · · Score: 1
    "There are relatively isolated cases where performance has not measured up," said Jeffrey Ward, Verizon senior vice president for compliance. "I anticipate we'll be making payments to the U.S. Treasury for quite some time, because perfection is a hard standard to reach."

    <cough> <gag> Excuse me while I go roll over and die...
    Perfection?? Do they think they are even close to perfection? That's an insult to the word.
    That statement was just so funny... Good thing my boss wasn't around because he would have heard strange choking/laughing sounds.
  117. Re:From A Business Perspective, It Makes Sense by Anonymous Coward · · Score: 0

    Not that I could do it, but it seems a fairly clever tech could have written a shell script by now, that automatically checks for IIS servers, looks up the account and suspends it. This is what technology is for, to automate things.

  118. bandaid by Anonymous Coward · · Score: 0
    The problem is congestion due to a malicious program. This program spreads via port 80, so shutting down port 80 "fixes" it.

    I'm sure Code Red version xxx will show up someday and replicate thru javascript, email, etc. It will be able to consume as much or more bandwidth than the current Code Red. But how will they stop it?

  119. Not really that reasonable, more an act of panic by FreeUser · · Score: 2

    There are utilities which can identify what operating system and web server is listening on port 80. It would be relatively simple for a competent ISP to scan their customers and turn off access to port 80 solely on those systems running a Microsoft Operating System with IIS. It probably wouldn't be completely beyond the pale to write a little utility to test those foolish enough to be running a Microsoft operating system and IIS server, identify those who are vulnerable to Code Red, and shut those machines down, leaving those who have patched (nonforwarding) systems, as well as those wise enough to be using more secure, non-Microsoft systems, in place.

    Of course, competent ISP may be an oxymoron these days.

    --
    The Future of Human Evolution: Autonomy
  120. CodeRed scanner by sheldon · · Score: 3, Informative

    http://www.eeye.com/html/Research/Tools/codered.html

  121. Re:They should remain blocked by dasunt · · Score: 2

    An AC writes: 99% of cable modem and DSL subscribers do NOT need to run servers of any kind.

    Er, wait a second. Let's examine that statement. A server can be for more than ftp/http. For example, you are telling me that 99% of all DSL/Cable subscribers have never hosted a 'net game? I think that doesn't sound realistic.

    Think, then post.

    ~ Das

  122. Re:imagine if other utilities did this by mudshark · · Score: 1
    They do. Or did.

    About a dozen years ago, a partner and I were in the process of setting up a recording studio. We planned our "go live" horizon, and ordered a business phone line. In the meantime, since we had already publicized our existence, I began answering my home phone with the name of the studio.

    One night (I don't recall if it was dark and stormy) the phone rang, and I answered with the business name. I then was launched into a conversation with a US Worst droid who read me the riot act and informed me that by using a residential line for business purposes I was violating their tariffs. I told him that we had ordered a biz circuit, and it was to be turned up at such-and-such date. He basically gave us a verbal cease and desist, threatening Bad Things(tm).

    We modified our phone answering practice in the interim, always phrasing the business name in the hypothetical sense.

    --
    In other news, astrophysicists have announced that they now know what all that dark matter is: it's stupidity.
  123. Re:It would mean them having to do real work by Anonymous Coward · · Score: 3, Informative

    Ok folks..quick TCP lesson here. The goal is to stop the spread of the worm. What good is cutting off inbound port 80 to already infected servers? This will do absolutely NOTHING to stop those infected servers from outbound scanning for new hosts to infect. Apparently a lot of you were sick the day they taught IP and IP school.

  124. Re:Verizon DSL is NOT THAT EVIL by jpostel · · Score: 1

    Correct on port 25. Works fine for me. I actually called Verizon on this when the original email was sent about the whole SMTP address thingy. They told me it was sent out to thousands of people incorrectly. I was not one of them. I did not use my email address 'properly' in the header of the message.

    --
    Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
  125. Re:What the hey? by Anonymous Coward · · Score: 0

    Yes, of course. That is the one thing they SHOULD provide despite all else. Good service. In my area, the cable access is very good. Most people get 1-4Mbps downstream and about 1Mbps upstream. Downtime is very minimal around here.

    Of course, I hear stories of people with near 56Kbps speeds out of their cable modem and downtime measured in days or even weeks. There's no reason to tolerate that..

  126. Fairly decent Temp Fix for port 80 block by CM39 · · Score: 1


    This will get your server back up and running for the most part.

    This may be info everyone knows already but I haven't seen it posted.

    Change your server so it handles http requests through port 8080.

    Then configure your dns pointers so that @ uses your server address
    (more than likely you are already configured this way) ie:65.96.68.10 in my case.
    Now chatsearch.net points to me but won't connect on port 80, then configure www for URL forwarding to ie: http://chatsearch.net:8080/index1.html or whatever the page is since the Virtual Host manager doesn't work if you're redirecting. Now you're all set.

    Of course people won't be able to connect to you without the www. but the vast majority of hits will still get through.
    At least until the next worm goes after that port and mediaone/AT&T/verizon/@home/excite or whoever the hell they are blocks it as well.

    --

    "PMS is the time of the month when women act like men do all the time"
    Robert Heinlein
  127. Re:Clause? by jrp2 · · Score: 1

    In order to use the service, you need to have a DHCP client, and the DHCP client listens on UDP port 68 for DHCP server requests. If a server is defined as "software which listens on a TCP or UDP port for incoming connections or packets and generates responses to those requests", then both the DHCP client and the DHCP server are "servers".

    Actually (no offense intended) but since you are trying to get technical, DHCP does not work that way. It is a true client in every sense of the word. All DHCP operations I can think of are initiated by the CLIENT in your machine.

    When you boot up, your client sends out a DHCPDISCOVER (a broadcast initiated by your machine), the server responds, and a short negotiation takes place. The next most common operation is a renewal, also initiated by the client (when the lease is 50% of the way towards expiration).

    I guess you could argue that ARP responses and ping responses are "server" functions (and one or the other often is part of DHCP verification procedures), but that would really be stretching definitions. ;)

    Perhaps they mean "servers" in a less formal sense, like "mail servers" and "web servers". That definition still allows various "peer to peer" software which is simultaneously client and server.

    I know my contract (Sprint ION) that I just signed specifically lists several types (web, mail, etc.) then adds a catch-all for something like "any server providing services or content to other users".

    --
    The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
  128. Re:Servers were never allowed out on cable by i244 · · Score: 0

    This is blasphemy.

    where i live our cable download cap is limited to 10mbps and our upload cap is limited to 1mbps.

    So you're telling me that if i take 2 cable modems and start uploading at 1mbps each that i wipe out the connection to the whole neighborhood? that's just ludicrous.

    by the way i'm not joking my cable internet provider is optimum online and if you don't believe me just look in the optimum online forums in http://www.dslreports.com.

  129. Re:Leased Line by szomb · · Score: 1

    You're assuming some kind of spread. More likely, almost everyone will be trying to use it at 8pm, and it's going to be fucking painful. By 5am you should have the damn thing nearly to yourself.

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  130. Re:I've read my TOS and it sucks. by Anonymous Coward · · Score: 0

    > Because 99.9% of security issues comes from someone running an unpatched redhat box at home.

    ha ha ha ha ha ha ha ha ha ha that's a good one

  131. Re:virus protection by Anonymous Coward · · Score: 0
    If your neighbor used hydrogen bombs to get the cockroaches out of his apartment

    I bet that if your neighbor did that, you wouldn't complain! You wouldn't be able to complain!

  132. Re:Leased Line by jezmund · · Score: 1

    Possibly. It depends on where you are....in some places you can get a T1 for around $400/month (including channel mileage, assuming you're not too far away). NRCs will probably run you close to $1000, though. I worked for a company that made software that priced all kinds of lines and there are some pretty cheap deals to be had out there (Kentucky, maybe?). I also worked at another place where we had a frame-relay line shared among 30 or so people. I think we were paying what worked out to about $200/month for it (which included about 60 IPs), and it worked out pretty nice most of the time. The bandwidth always seemed to be fine, although we had some serious latency issues (that I blame on the very old CISCO router we were using). And right before I left, QWest was trying to sell us some sort of DSL line w/ 768k going both ways, although I can't remember how much they wanted for it.

    The point is, if you look around there are deals to be had. I think wiring a neighborhood is a little unwieldy, but I live in a nifty little apartment complex that would be a snap to wire with some cat5.

    Rather than going in "together" with a bunch of people, if you lived in the right kind of apartment complex you could lease as fat a line as you could, and sell ethernet connections to the people around you. You could be your own little ISP...get the domain Complex_Name.com, and sell people their own email addresses and web space on it. That takes care of the administrator problem because *you* are the administrator. You might even be able to make a tiny profit. Also, you could advertise the full speed of your line as the individual connection speed (which it would be, as long as no one else is hogging the bandwidth......if @home can do it, why can't you?).

    Wow, I wasn't intending to go on like that. Of course, you'll inevitably end up dealing with everyone in the apartments around you coming to you for help when they can't install the latest game because they've filled their hard drives with MP3s and pr0n, and their computer keeps crashing because they are running 500 apps in their system tray. Damn. Never mind, forget I said anything.

    --

    "fist in the air in the land of hypocrisy"
  133. Time to change ports. by Kozz · · Score: 3, Insightful

    So if you must host something but Excite@Home is blocking port 80, change your Apache config to listen on a different port number.

    --
    I only post comments when someone on the internet is wrong.
  134. Re:Quite common already by ethereal · · Score: 1

    That's what I'm looking for soon - I've actually requested my current ISP's AUP that I not run a server, even though I know that they probably would never check. But since they have the broadband monopoly at my apartment complex, I can't risk getting cut off of their system.

    Soon I'm planning to switch to DSL (after I move) and I hope to find a DSL provider that allows servers. Any recommendations? I had looked at Telocity before they were swallowed up by DirecTV; do they still allow servers?

    --

    Your right to not believe: Americans United for Separation of Church and

  135. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0
    In all fairness this was an out of the box test, which BSD sucks at.

    So, what's your point? Come back when you have a real argument.

    BTW: I mention FreeBSD only as an example of an OS that blows Linux out of the water easily, without having all the hype. I use other OS's than FreeBSD.

  136. Re:Read your TOS! by meldroc · · Score: 2

    It may be in the TOS, but the "no servers allowed" clause in the agreement is totally unreasonable. Lots of residential customers have plenty of good reasons to have servers - small web servers for their own amusement, Freenet nodes, Quake servers for hosting games with neighbors, an email server that serves as a spam filter, etc. I can understand the need to limit bandwidth with rate caps so one person isn't hogging the network, but within those constraints, people should be able to run servers if they want.

    --

    Meldroc, Waster of Electrons
  137. Re:Move to Canada by SirGeek · · Score: 1
    You have a right to demand ? No.. They offer a service, if you like it you stay.. if not you leave (after your contract is up)...

    The problem is bandwidth and the potential for idiots to run Windows NT/98 IIS servers (can you say 'Code Red' - I've already had 6000 hits by infected machines..)..

    And as to limiting port 25.. One word SPAM. They want to cut down on the potential for spamming using their dialup but someone else's mail relay.

  138. Don't forget SBC (Verizon)'s other crack down by ben_tarval · · Score: 1
    Lest anyone forget, SBC (a subsidiary of Verizon) is trying to get all non-business DSL customers to switch to PPPoE - in part to protect
    their T1 business (according to SBC's own statement).

    As reported on /.: here.

    I doubt we'd be seeing this kind of monopolistic behavior if we had some real competition in this area. The governments' slap-on-the-wrist
    hardly seems effective.

  139. how to get buy with their changes... by Lord_Apophis · · Score: 1

    ladies and gentlemen...
    here's how you do it...
    www.no-ip.com run the program... switch your webserver to another port. Use the no ip program to go to that port instead without any user having to type xxx.xxx.xxx.xxx:1111
    they type XXX.no-ip.com and nothing more...
    he he..

  140. Re:My Temporary Work-Around by CM39 · · Score: 1


    No offense but that seems more complicated than my work around which didn't require anyone else doing anything, also I don't know enough about any of this to know if your fix is only good for unix based servers, mine is windows based "Sambar" I'll repeat it for those who missed it :-)

    Change your server so it handles http requests through port 8080.

    Then configure your dns pointers so that @ uses your server address (more than likely you are already configured this way) ie: 65.96.68.10 in my case.

    Now chatsearch.net points to me but won't connect on port 80, then configure www for URL forwarding to ie: http://chatsearch.net:8080/index1.html or whatever the page is since the Virtual Host manager doesn't work if you're redirecting. Now you're all set, http://www.yourdomain.xxx goes where you want it.

    Of course people won't be able to connect to you without the www. but the vast majority of hits will still get through.

    --

    "PMS is the time of the month when women act like men do all the time"
    Robert Heinlein
  141. Re:Necessary? by J'raxis · · Score: 2

    Don't be so paranoid; I didn't even mention IIS there. Even this thing I have on my Macintosh called "Personal Web Sharing" control panel lets you change the port.

  142. Re:Quite common already by SnapperHead · · Score: 1

    Well, not everyone can do that. For example, I only have access to a single cable provider and dialup. No ISDN, no DSL, etc. I am only 500' from the CO, but they just don't offer it. ISDN is very much out of the question, it's slow, unreliable, costs WAY too much. Because, they would charge me to run special lines for it. Since, they normally don't provide it.

    If you're in an area that has many choices, then you're set. If company A can't provide x, y and z, then company B might be able to.

    --
    until (succeed) try { again(); }
  143. Thank God for Speakeasy..... by Anonymous Coward · · Score: 0
    ...that's all I've got to say...

    Imagine, a business in this day and age that is just willing to drop a line at your place and let you have at it rather than treat you like a child.

  144. Re:We haven't done this yet.. by Fat+Casper · · Score: 1
    g) restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service, including, without limitation, posting or transmitting any information or software which contains a virus or other harmful feature; or generating levels of traffic sufficient to impede others' ability to send or retrieve information;

    It looks like your customers with that low level of intelligence are the ones violating the policy. Not the ones actually bothering to use the puny bit of upload capacity you give them. I'm glad it all makes sense to you, though. That's more important than your customers.

    --
    I spent a year in Iraq looking for WMD and all I found was this lousy sig.
  145. Re:It would mean them having to do real work by spectral · · Score: 1, Interesting

    It's funny, it wouldn't be too hard to identify code red infectable machines. Anyone infectable is infected already I'm sure, and with code red 2, which acts in a very specific manner. Monitor and figure out which computers are generating local arp requests in the order of a couple every minute.. boom, suspected code red. Narrows down the list a bit, then a quick scan for /scripts/root.exe on the list, confirms it, and either an email, a phone call, or cut off their service COMPLETELY. Fuck the certain ports shit, cut it off completely. when they call up, talk them through removing it. if they can't (why the fuck are they running IIS then? oh well), then have them pay to have someone remove it FOR THEM, then activate the service again. In fact, charge them double labor fees for being retarded in the first place. Simple solution. Especially if it's in the TOS that they can't run servers anyway. Don't screw the people who knew what they were doing, set it up right, didn't get infected, and aren't transferring a ton (the real reason servers are banned. that and to push them to business accounts..)

  146. Re:Clause? by CerebusUS · · Score: 1

    By the time you read this, the people who want to keep their webservers will have moved them to nonstandard ports

    And in this case, it's a perfectly valid way to keep them from being the targets of the original problem (the Code Red worm, remember?)

  147. Re:No blocking yet by crusher-1 · · Score: 1

    Well, here in Madison WI the cable modem activity light has been pumping for 4 days solid. So they blocked the port? Ya right whatever they say. Shouldn't have happened in the 1st place if the peanut brained admins and so-called security officer would have had the 3 to 4 brain cells to dl the patch and install the silly thing. Oh, well. Maybe the CIOs will take a little heat and snap out of it. One can only hope!

    Cheers

  148. Re:Road Runner by vs · · Score: 1

    Then why don't they just filter all ports in the POPs?

  149. Re:911 by Anonymous Coward · · Score: 0

    I'd have to laugh in your face if you're trying to run a useful webserver over DSL.

    Again, we see someone whose attitude is that anything other than a corporate website can never be useful. My website might only get 20 hits a day, all from word of mouth, yet I'd like to think it was useful to the visitors.

    Fuck you.

  150. Re:Verizon DSL is NOT THAT EVIL by shogun · · Score: 1

    It's actually done in a few places already simply to force people to use the proxy without setting up a transproxy or the like..

  151. Well, it hasn't really helped much! by SCHecklerX · · Score: 2

    My web server is still getting a hit from 24.xx.xx.xx every few minutes. It'd be nice if those were hits on my resume from prospective employers :)

    1. Re:Well, it hasn't really helped much! by CM39 · · Score: 1

      I tried to make default.ida a redirect script forwarding it to someone I don't like but it didn't work. If it had it might have at least had some benefit :-)

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein
  152. Re:The problem is.... by CM39 · · Score: 1

    Well I got a hell of a deal then cause it came with my win2k pro :-)

    --

    "PMS is the time of the month when women act like men do all the time"
    Robert Heinlein
  153. Re:Clause? by GreyPoopon · · Score: 1
    I've often wondered what, exactly, do the words "in connection with" mean? How far into your internal LAN do the tendrils of @Home extend? If I'm behind a firewall, and I'm simply shuttling packets across the firewall to a web server, can my web server, which isn't connected directly to @Home, be considered "connected with" the service?

    I'm actually astounded at how many people with residential service want to try to get around their contract. For those few out there who subscribed before the "no server" language was added, you should have some rights to run a web server. For the rest of us, unless you have the legal resources for a really fun battle, don't try to push the envelope. In plain English, here's what their contract language is attempting to tell you:

    You cannot run any server application that is accessible to the outside world through your @Home residential connection. This would include through a firewall or any other combination of machines. In most cases, simply having the firewall can be a violation of the contract, assuming that you are only allowed to have one computer connected at a time. Now the truth of the matter is that they probably don't care if you run a web server, provided that you only use it yourself to access files from another place such as work. They probably also don't care if you have 50 machines connected to your residential connection, so long as you're only using one of them on the internet at a time. But what they want to avoid is someone bottlenecking their network through excessive use. The problem with computers is that defining excessive use is a little difficult.

    Anyway, if you really want to run a web server, and you want to give the URL away to the world to use, my suggestion is that you spring for one of the commercial connections instead -- either that, or have somebody else host your site.

    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  154. Re:No blocking yet by Nissyen · · Score: 1

    AT&T used to have a clause prohibiting servers, but they removed it in a later version of the service agreement. I do not know if it was on purpose, or just an oversight.

  155. Re:Clause? by dcavanaugh · · Score: 2
    "In most cases, simply having the firewall can be a violation of the contract, assuming that you are only allowed to have one computer connected at a time."

    I don't think so. I am an AT&T@Home customer, and my recollection of the AUP was something like "connecting multiple computers requires a home LAN" [duh]. Then it talks about purchasing additional IP addresses. It says absolutely nothing that forbids the use of one IP address for multiple computers. I think they want to pretend it can't be done.

    IMHO, their AUP begins and ends with the ONE computer that has a direct connection to the cable modem. Sure, they can block outside access to servers inside my LAN, under the "we can do anything just by issuing a new AUP" clause. If my ONE computer happens to be rewriting/forwarding packets on behalf of an internal class B network in my basement, good for me. I am buying bandwidth, and one IP address. Technically, my inside machines don't have an internet connection, they are connected to a machine that does that "Internet stuff" for them. Sure, the whole process looks transparent, but that's not my problem either.

    By the time you read this, the people who want to keep their webservers will have moved them to nonstandard ports.

  156. Please tell me why this is a bad thing? by Ryan+Amos · · Score: 1

    While I realize people like to run web servers off their cable modems, I think it is @Home's duty to help stop the spread of Code Red and its derivatives. While I realize it is the system admin's responsibility to secure his/her system, if these were competent admins, they a) wouldn't be running IIS and b) if they were, it would be patched.

    As we all know, this worm has gotten completely out of hand. A large number (about 1/3) of the DNS entries in my access logs trying to exploit Code Red are @Home. By cutting off these machines (which STILL aren't patched, even after a week of massive media coverage) AT&T is doing the rest of the internet a favor.

    I realize a lot of legitimate servers that are secured also get screwed by this, but no war is without its casualties. Affected? Use another port. If you're running a corporate site in high demand and can't move, you probably shouldn't be running it off a cable modem anyway.

    A lot of people also like to pipe up with "Well I'm paying $60 a month for it, I should be able to run a web server!" No, @Home sells these things with the intent of them being used for web browsing. The fact that you can run a homebrew webserver is merely an added bonus, not part of what @Home is selling the bandwidth for.

    The fact is, @Home owns the network and you pay them to let you use it. They really can do whatever they want unless there's such a huge consumer backlash (which there won't be.) So either take it or leave it.
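
    Added example (not any poster's code): a Python tally of the kind of access-log evidence comment 156 describes, counting Code Red requests per source and the share coming from one network. It assumes Common Log Format; the log lines, addresses (documentation ranges) and function names are constructed for illustration, and the padding is shortened with no exploit bytes included.

```python
"""Tally Code Red probes in a web server access log (added example)."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# The worm's request pads the default.ida query string with one repeated
# letter: N for the original Code Red, X for Code Red II.
PADDING = re.compile(r'([NX])\1{15,}')


def classify(target):
    """Return a label for a worm-related request target, or None."""
    path, _, query = target.partition("?")
    path = path.lower()
    if path.endswith("/default.ida"):
        m = PADDING.match(query)
        if m:
            return "codered" if m.group(1) == "N" else "codered2"
        return None  # an unpadded default.ida request is not the worm
    if path == "/scripts/root.exe":
        return "root.exe-probe"  # someone checking for the Code Red II backdoor
    return None


def summarize(lines, prefix_len=24):
    """Count probe requests, unique probing sources and sources per network."""
    hits, by_kind = Counter(), defaultdict(set)
    named, skipped = set(), 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            skipped += 1  # not a parseable log line
            continue
        kind = classify(m["target"])
        if kind is None:
            continue
        hits[kind] += 1
        try:
            by_kind[kind].add(ip_address(m["src"]))
        except ValueError:
            named.add(m["src"])  # server logged a resolved hostname instead
    sources = set().union(*by_kind.values())
    networks = Counter(
        ip_network(f"{h}/{prefix_len}", strict=False) for h in sources
    )
    return {"hits": hits, "hosts": {k: len(v) for k, v in by_kind.items()},
            "sources": sources, "networks": networks,
            "named": named, "skipped": skipped}


def network_share(report, cidr):
    """Fraction of unique probing addresses that fall inside cidr."""
    net, srcs = ip_network(cidr), report["sources"]
    return sum(h in net for h in srcs) / len(srcs) if srcs else 0.0


def _line(src, target, status=404):
    # Constructed log line; the timestamp is arbitrary.
    return (f'{src} - - [07/Aug/2001:10:00:00 -0400] '
            f'"GET {target} HTTP/1.0" {status} 205')


# Constructed sample input: padding only, no shellcode.
SAMPLE_LOG = [
    _line("192.0.2.10", "/default.ida?" + "N" * 224),
    _line("192.0.2.10", "/default.ida?" + "N" * 224),
    _line("192.0.2.77", "/default.ida?" + "X" * 224),
    _line("198.51.100.23", "/default.ida?" + "X" * 224),
    _line("203.0.113.50", "/default.ida?" + "X" * 224),
    _line("198.51.100.5", "/scripts/root.exe?/c+dir"),
    _line("203.0.113.9", "/index.html", 200),
    _line("203.0.113.9", "/default.ida?foo=bar"),
    _line("cust.example.net", "/default.ida?" + "X" * 224),
    "not a log line",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for kind, n in report["hits"].most_common():
        print(f"{kind:15} {n} requests, {report['hosts'].get(kind, 0)} addresses")
    for net, n in report["networks"].most_common():
        print(f"{net}: {n} probing addresses")
    print("share in 192.0.2.0/24:", network_share(report, "192.0.2.0/24"))
```

    Sources logged as hostnames are reported separately in `named`, because a per-network share can only be computed over addresses.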

    1. Re:Please tell me why this is a bad thing? by Anonymous Coward · · Score: 0

      The fact is...this is Microsoft's problem as they ship a product that, by default, starts daemons that you do not ask for, nor need. The same goes for Red Hat. People, please, put blame where it is due.

    2. Re:Please tell me why this is a bad thing? by Anonymous Coward · · Score: 0

      what do you mean they don't sell you the bandwidth for that? in my TOS it says that I may run a webserver, and goddammit, if I'm paying for service, it shouldn't be restricted, and yes there will be a huge backlash, I don't think you realize the amount of calls that are going into at home complaining about the blocking of this port. granted that they did this to protect the rest of the internet, they should put in a filter which you can have removed on your specific account like you can do with the netbios ports.

  157. Re:imagine if other utilities did this by Detritus · · Score: 5, Insightful

    Telephone service is not a privilege. The telephone companies are regulated common carriers and are required by law to offer service to the public on a non-discriminatory basis. The conditions under which service can be refused or terminated are set by state and federal law and regulations, not the whim of some telco executive. The same can be said for other regulated common carriers, such as gas and electric companies.

    --
    Mea navis aericumbens anguillis abundat
  158. Re:I don't know anything about port blocking but.. by Anonymous Coward · · Score: 0

    This port (119) is for newsgroup server I believe. I get scanned by them (@Home) several times a day. Now my logs are filled with all this code red junk as well.

  159. Re:Verizon DSL is NOT THAT EVIL by CerebusUS · · Score: 1

    I'm mad 'cause when I called to sign up and I told them I'd be running linux they said I couldn't and I did - so why I am being cut off when it is impossible for me to get infected with code red???

    Waitaminute... you're mad because you're using their service in a way they say not to, and they're filtering a bunch of traffic that, even while harmless to your machine, could cause degradation of that service you are using improperly. aha! I think the problem is on your end.

  160. Re:Move to Canada by CBravo · · Score: 1

    you are wrong. They are censoring information based on the content (namely it going to port 80). Blocking all stream REALLY does not make sense. There is more to the content of a TCP packet than just the payload. We know this right?

    I know it is a pretty dumb way of censoring because in your link you can always add a new port number.

    --
    nosig today
  161. Re:*BSD is dying by Anonymous Coward · · Score: 0

    You just use OpenBSD because it's trendy.

  162. I take it back... by E-Rock-23 · · Score: 1

    After all the phone calls to AT&T and Verizon, bitching about why I can't get broadband in my area, I'm actually glad I can't. Nah... F that. I'm still gonna call them daily. Any users in rural areas with the same problem, please join me in harassing the h-e-double hockey sticks out of them and get us the service we need.

    --
    Blog Prophyts - Right On, Man
  163. Just be happy you have cable modem by CrazyJim0 · · Score: 1

    Since the govt isn't doing shit, cable modem is only getting put in places that are rich. Screw people living anywhere but the city.

    1. Re:Just be happy you have cable modem by acceleriter · · Score: 1

      So you think the Rural Electrification Project was Communism? How else do you think there came to be universal access to the grid? The good hearts of power providers?

      --

      CEE5210S The signal SIGHUP was received.

    2. Re:Just be happy you have cable modem by Anonymous Coward · · Score: 0

      Since the govt isn't doing shit, cable modem is only getting put in places that are rich. Screw people living anywhere but the city.

      Cable companies are putting cable service where the money is. That's capitalism. You support state controlled utilities? (a.k.a. communism)
      BTW, I have cable service, but my area is certainly not rich, it's just because there is demand for it.

  164. Re:No blocking yet by NullPointer · · Score: 1

    AT&T is not terribly consistent in stating their policies across all their documents, the Acceptable Use Policy says:

    Examples of prohibited uses include, but are not limited to, running servers for mail, http, ftp, irc, and dhcp, and multi-user interactive forums.

    --
    NULL
  165. Same in Salem by Micah · · Score: 2

    my port 80 still works.

    I agree that *temporarily* blocking it may be a good idea for stopping Code Red. But for crying out loud, don't *permanently* block it, or I'm gonna look at DSL. (There are several DSL companies, so *one* of them should be good.)

  166. Re:Verizon sucks by Anonymous Coward · · Score: 0

    Yes, Verizon sucks. But so does Michael's FUD-factory.

  167. Help stop CodeRed infections with Vigilante by rs_nuke · · Score: 1

    I too am worried about broadband port 80 being blocked, so I'm running the Code Red Vigilante. The vigilante 'emulates' a vulnerable IIS webserver, and when it gets attacked by an infected machine, it reverses the attack and sends the owner a notification. I bet it's 'using' the IIS exploit to send "good" code to pop-up a window, with their warning. It requires Java RT2, and works with *nix & windows. just run the 'run.bat' or 'run.sh' script and help reduce the codered count. go to http://www.dynwebdev.com/codered

  168. Re:Read your TOS! by The+Dev · · Score: 2

    Back in the day, Internet access meant completely unfiltered ip routing. Anything less and we called it "AOL". My how times have changed.

  169. troll yea, though bite i will by Anonymous Coward · · Score: 0

    cost comparison? slackware linux from cheap bytes, $5... find me a legitimate copy of windows for that price. slackware 8.0, with all the tools you need, and a few you don't, to operate a server fits on a single cdrom. one server running slackware and neglecting security patches (which come as frequently as BSD variants, or almost never as compared to microsoft systems), i have at my company has been running without more than one 'maintenance' job in 4 years (upgrade of glibc to install a new version of apache). In those years, and including my home systems i have lost a single file to this 'rampant data loss' of yours. one inode trashed in 4 years makes me scared to have a fire at my house if the firemen can only deliver a single drop of water in 4 years to the blaze. Crashes? The ONLY crashes I have had in my time running linux, EVER has been due to loss of power. A regular thing? Hardly. I started with slackware at the age of 16, if a little kiddie can pick up linux then the learning curve ain't that sharp there buddy, especially now that they've come and added gui installers. I guess immediate POSIX compliance isn't quite there so we should give up and move to BSD... to hell with working on making it work, despite all the strengths in many areas which you seem to neglect including a thriving community (which one hardly hears trolled by linux is dead posters like yourself, usually they trumpet the fall of BSD users). My problem as a linux user, is that there are too many pretentious BSD and Windows users who have their heads stuck so far up their asses the only thing they see is brown. Unprofessional messages would be unfounded and confrontational propaganda which serves no purpose other than to annoy others and to prove your own stupidity, which if you had time, talent, or creativity you could find something better with which to use these gifts. apparently this hapless 14yo is a little autobiographical of you is it now?

    I too can go on indefinitely debunking the tripe and trash you spew. In this world people dislike the ignorant. In your world there is no place for linux, and then there is the real world where linux is a professional OS with high performance, scalability, stability, and movement towards standards compliance, etc. The best place for you would be at the wrong end of a gun, but even that would be flattering not to mention too kind.

    1. Re:troll yea, though bite i will by Anonymous Coward · · Score: 0
      The best place for you would be at the wrong end of a gun, but even that would be flattering not to mention too kind.


      If I tick someone off this much, I know there must have been more than one hard truth in my message. Otherwise, you wouldn't have to be this emotional. Well let me tell you, regardless what happens in your little made up fantasy world, in the real world Linux is still the piece of crap it always was. Period.


      Now get out of your couch, potato, and try to fix everything that is wrong with your beloved OS instead of what you do now. You are just TALKING.


      You Linux users think you've got it all, but believe me: you've only got it in your fantasy world. The real world is laughing at you.

  170. Re:Read your TOS! by bacchusrx · · Score: 4, Insightful
    I don't know if it's just the prole in me talking or the heat, but it seems to me that the arrogance & pretentiousness of saying, "Get your own T1 or stop complaining," is just a bit mindboggling.

    From a social standpoint -- where our priorities are less about the "bottom line" and more about providing for a healthy, vibrant, diverse democracy -- there isn't an incredibly good reason why web servers or other content servers are prohibited on so-called "consumer" Internet service providers.

    In some cases the bandwidth isn't there-- I understand that, however, in general, the speeds are suitable for most people's private soapboxes... further, overall and in general, home servers do little harm to the network, Code Red notwithstanding.

    And in all seriousness, I doubt anyone expects strict uptime SLAs or performance guarantees from your local @Home franchise. I'm not suggesting that "consumer-grade" Internet access claims to offer such things or even really ought to... However, I tend to believe that the prohibition on servers is more an effort to control media content creation & affordable distribution more than it is an effort to ensure network stability.

    In effect, a ban on servers prevents citizens from competing affordably for so-called "mindshare" with big corporations and others who don't sweat the cost of dual redundant T3 connectivity.

    Broadband internet access has the potential to really revolutionize media distribution by empowering individuals to affordably control & create new and innovative media outlets.

    On the other hand, most home servers probably aren't even public servers but private servers used for, say, development purposes or sharing files between office & home. These uses are of course even less stressful on the network and certainly more benign.

    Meh... just some food for thought.

    BRx.

    --
    Life after capitalism? The participatory economics project
  171. One solution to outgoing SMTP port blocks. by markbanang · · Score: 1

    For those who are interested, there are some providers who have SMTP AUTHenticated mail relays for their customers which work on ports other than port 25.
    My own (Gradwell.com, with their email forwarding account) email host has their SMTP server listening on port 225 as well as 25.
    I am sure that should port 225 be blocked, they would be happy to set up listeners on other ports too. Who knows, if the problem with such port blocking gets bad enough, there is no reason you couldn't build a server whose every port connected you to an SMTP server. *8')
    Take care,

    Mark..........

    --
    If the world were an oyster, it would be mine.......
  172. Re:I've read my TOS and it sucks. by Skapare · · Score: 2

    Yeah! And it's called offering a lower class service to lower class people who want to pay lower amounts and only care to have the lower class service. Even business has to deal with this as T1 (lower class digital circuit) has less bandwidth and costs less than T3 ... duh!

    --
    now we need to go OSS in diesel cars
  173. Terrorist Attack - persons to give up rights by Anonymous Coward · · Score: 0

    This is just the start of censorship by BIG BROTHER I.E. AT&T to stop the layperson from publishing their own personal (non-commercial) site. I strongly suggest that people using this service and persons interested in Internet censorship write AT&T and their congressman regarding this internet censorship attack. This is how people respond to terrorism by taking away the rights of the innocent. Code Red was a terrorist act that now all persons in the so-called free world will pay for.

    1. Re:Terrorist Attack - persons to give up rights by CM39 · · Score: 1


      Excellent point I hadn't really thought of it that way. AT&T has become a willing accomplice of whoever wrote code red, together they have managed to remove tens of thousands of pages from the Internet. Denying millions of Americans access to those pages.

      Now that they have shown themselves willing to buckle under to terrorist threats, how long will it be before someone targets AT&T for extortion whether for monetary or political reasons. Shame on you AT&T

      I wonder how long AT&T considered this very important decision before making it.
      They really should have viewed this as a major (and very poor in my opinion) policy decision rather than simply a technical one.

      AT&T always had the right to block port 80 since running servers was against their TOS, but doing it under these circumstances sets a very bad precedent.

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein
  174. Re:Even if you did run a Web server... by szomb · · Score: 1

    >you're not in the backwards usa. I know people in BC that get 1.5mb up and down and 3 static ips for $40 a month. We get analy raped down here in the states.

    My GOD, that hurt to read. I'm paying $215/mo for 1.5MB SDSL and a /28. I'm really paying for stuff like guaranteed uptime, but I would lose that in a second if I could get eq. bandwidth and IP space that cheap. Then again -- if they tried to filter incoming 80 on a commercial line, they would be in quite a fix. :-)

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  175. Re:Move to Canada by copec · · Score: 1

    sorry, didn't mean it as a personal attack whatsoever nor to degrade what he knows....just kinda a friendly poke at MCSE...I've probably read that about DHCP a hundred times, hell it's in the RFC. Then again most people probably wouldn't pay attention to pointless tidbits of information. I apologize

  176. Punishing Alice for Bob's bad acts by coyote-san · · Score: 2

    Nobody will complain if the ISPs punish users for their individual indifference to numerous warnings. In this case, that would be disabling the cable/DSL modem of any user sending out Code Red requests.

    But that's not what's happening. EVERY user, including the responsible IIS user who patched their system and all Apache, NCSA, et al users are being punished for the inactions of others.

    If the reason why this is so offensive isn't already clear, let me ask you a question: if I'm going to be punished for the actions of others anyway, why should I give a flying fuck about cleaning up my own act? If you don't hold people individually responsible, most behavior quickly falls to the lowest common denominator.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  177. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0
    re-install (crashed hard-drive)

    Cute. You try to claim linux is superior, but your arguments make it clear that it, in fact, is not.

    You get an A+ in trolling.

  178. Re:The problem is.... by fataugie · · Score: 1
    I don't disagree with your statement at all. What pisses me off is when people don't take the time to figure out what is happening on their machines before hooking up to the internet. The problem is dumb people are now more prevalent than ever. Microsoft doesn't help the situation like you said, but if you install redhat, or pick your favorite linux dist, you get a lot of services that shouldn't be run as-is out of the box.

    Then, the average user doesn't check for updates and is basically a sitting duck.

    And the thing is, if it didn't impact the community, what the hell do I care if some dink has his box taken over. When it impacts the community as a whole, then I get mad. I go out of my way to try to run a fully-patched box, with no known vulnerabilities, not only for my benefit, but so that the internet as a whole doesn't have to suffer from my ignorance when my box is used for a DDOS or what have you.

    I guess it all boils down to the fact that people need to be more aware of what is going on when they connect full time to the internet.

    Who knows, maybe I sound arrogant. I just think it should be common courtesy to make sure your shit is squared away.

    --

    WTF? Over?

  179. AT&T in southern NH is still blocking.. so what? by dave-fu · · Score: 1

    You know what? It doesn't bother me one bit, either. I run IIS and have my box all patched up with the latest and greatest; I also know how to relocate the port my server's bound to.
    Who is this really affecting? Users who don't know enough about their machines to keep them patched much less change their port's binding. Boo hoo for them, but I don't need their incompetence throwing any wrenches in the network's gears.
    I agree that it'd be better for AT&T to get in touch with every user who's been infected and warn them that they need to clean and patch their machine (better yet, reformat and reinstall) or be booted off the network as they present a clear and present danger to the other users, but blocking port 80 is a good start.

    --
    Easy does it!
  180. Re:Verizon DSL is NOT THAT EVIL by szomb · · Score: 1

    Why don't they just scan for the damn vulnerability and kill the access of everyone who turns up positive?

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  181. Phone analogy by mwillems · · Score: 2
    I just don't get it. I too am on a provider (Cogeco in Canada) who explicitly prohibits running any server in their 5-page AUP.

    Imagine, if you will, Bell giving you a phone that can only be used outbound. No incoming phone calls. If you get one, you are disconnected. Preposterous.

    The thing that's missing is $$$. If we were charged for incoming connections by the byte, we'd be required, not allowed, to run servers.

    Michael

    --

    ---
    BDOS ERR ON A:>
  182. verizon.... by GiMP · · Score: 1

    I hated verizon.. and now I hate them more.

    I just checked the TOS, and it says that users may have their accounts terminated for running servers.. UNLESS they are DSL customers.. this implies (or at least did when I ordered the service) that I may run services on whatever port(s) I wish.

    I am now losing my email and web traffic.. There is no reasonable reason for this treatment. In a month there should be cable here, but it will be @home.. f*cked if I do and f*cked if I don't!

    I guess I'll have to find a mom/pop isp around here reselling DSL. !@#!~

  183. Re:Speakeasy! by spectral · · Score: 0

    Notice they're also one of the most heavily hit by Code Red (1 and 2).

  184. Re:911 by AlphaWolf · · Score: 0
    Hosting for $10/Month? Where's that at? I think if you knew where, you wouldn't be hosted on Geocities.

    I've been running a web server on MediaOne for 3 years, and this is the first time I've had any problems with it. Their AUP specifically states that it's up to the user to secure their box and AT&TMediaOneRoadRunner@Home assumes no liability if their box gets cracked.

    If they need a list of infected IIS boxes, I'll send my Apache logs to them, then they can shut off the dorks with warez copies of Win2k and no clue on how to use it.

    Even funnier is their clauses stating that they want people to use 2K Pro, and not Server, even though Pro ships with a reduced-capability version of IIS that has the same vulnerabilities.

    --
    Ow! My eye! Which one? The one on the floor. ---Action Quake2 exchange, after catching 5 M4 rounds to the head.
  185. Is your webserver down? Use uptime. by bulb · · Score: 1

    I use @home, but haven't been affected yet. I know because I haven't received an email alert from my offsite server monitor (I also double checked by logging into a remote server via ssh and testing the server with lynx).

    Check out http://uptime.openacs.org/uptime/ for the free (and open source) monitoring service.

  186. Port Filtering - Censoring - Liability by mr.+fabulous · · Score: 1
    I always wonder when my ISP will decide, for the good of all customers, to shut down this or that port or filter or monitor traffic.

    One interesting tactic to bash these connectivity providers with might be: A provider that filters this-and-that port, has become an editor/censor of content of sorts. Therefore, the provider has voluntarily inserted itself into the fracas. IOW, hell if they can filter/block SMTP, HTTP, then by God they ought to be held responsible for all services that are against the wishes of XYZ, Inc.: CDs, DVDs, warez, pedophilia *ugh*, etc.

    It's the same logic as that of an ISP that doesn't censor its Usenet feed not being liable for MP3 trading by its users.

    --
    Me pican las bolas, man!
    Thanks
    Jaco
  187. Perfectly Reasonable Response by gnugeekus · · Score: 5, Insightful
    I'll preface this by saying that I'm a @home customer, and I'm bummed out that I can't run a web server anymore.

    I think that this is a perfectly reasonable response from @home. I work at a large ISP and I've seen how rapidly this code red garbage spreads. The little editorial comment that they can "simply block infected machines" is, quite frankly, garbage. Code Red 2 spreads faster than anyone could possibly keep up with blocking one machine at a time.

    Code Red 2 is tearing up bandwidth at these cable companies. It's noticeably slowing down my speeds on my home internet connection. Something needs to be done in a hurry, and blocking port 80 is a fast solution that works.

    Instead of blaming the broadband providers, why don't you blame the real culprit in this situation: Windows. Get angry at Microsoft; if it weren't for their lousy code and lousy security this problem would not have been possible in the first place.

    1. Re:Perfectly Reasonable Response by Mark+Bainter · · Score: 1
      [oops. Forgot I had more to say. ;-)]

      It's noticeably slowing down my speeds on my home internet connection. Something needs to be done in a hurry, and blocking port 80 is a fast solution that works.

      Ah yes, personal peace and affluence. It's causing you grief so who cares about what everyone else wants. It's ok to screw them as long as it doesn't negatively affect you? Perhaps an unfair characterization, I don't know you after all, but that's the kind of attitude that's prevalent in our culture today and is usually indicated by comments of this nature.

      Instead of blaming the broadband providers, why don't you blame the real culprit in this situation: Windows. Get angry at Microsoft; if it weren't for their lousy code and lousy security this problem would not have been possible in the first place.

      Hrm. Everyone has problems eventually. While MS certainly puts out poor quality software, and there is room to be upset with them about that, in this case the patch was out in plenty of time to avoid this mess. The real culprits here are the NT admins. I understand their reticence to apply a patch from MS before it's absolutely necessary, and so MS gains even more culpability from its habit of introducing more bugs while fixing others. But once the code red worm came out all of those servers should've been patched same day. No excuses.

      --
      "No nation could preserve its freedom in the midst of continual warfare."
      --James Madison
    2. Re:Perfectly Reasonable Response by Mark+Bainter · · Score: 1
      The little editorial comment that they can "simply block infected machines" is, quite frankly, garbage.

      Not really. Well, it might be a pain to try and keep up with infected machines, but a regular cron job scanning the network and automatically updating your access lists isn't that hard. But more realistically you'd scan your network for vulnerable machines instead and then block those as well, instead of closing the barn door after the horses are already out.

      --
      "No nation could preserve its freedom in the midst of continual warfare."
      --James Madison
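
Comments 184 and 187.2 above propose feeding web-server logs and a scheduled scan into per-customer blocking instead of a blanket port 80 filter. The following is an added example, not code from any poster or ISP: it pulls Code Red and Code Red II probe sources out of Apache access-log lines and separates on-network customers from outside hosts. The log lines, the addresses (documentation ranges) and the customer prefix are constructed for illustration.

```python
import ipaddress
import re

# Apache common/combined log line: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+')

# Code Red probes request /default.ida with a long filler run in the query
# string: 'N' for the original worm, 'X' for Code Red II.
PROBE_RE = re.compile(r'^GET /default\.ida\?(N{50,}|X{50,})')
VARIANT = {"N": "codered", "X": "codered2"}


def _line(host, request):
    """Build one constructed access-log line for the sample below."""
    return f'{host} - - [06/Aug/2001:10:00:01 -0400] "{request}" 404 205'


# Constructed sample input (not real traffic).
SAMPLE_LOG = [
    _line("192.0.2.10", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    _line("192.0.2.10", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    _line("192.0.2.77", "GET /default.ida?" + "X" * 224 + " HTTP/1.0"),
    _line("203.0.113.5", "GET /default.ida?" + "X" * 224 + " HTTP/1.0"),
    _line("198.51.100.9", "GET /index.html HTTP/1.0"),      # ordinary visitor
    _line("192.0.2.33", "GET /default.ida?NNN HTTP/1.0"),   # too short to be the worm
    _line("host.example.net", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    "truncated line without a request",
]


def classify(request):
    """Return 'codered', 'codered2' or None for one request line."""
    m = PROBE_RE.match(request)
    return VARIANT[m.group(1)[0]] if m else None


def probe_sources(lines):
    """Map source IP (string) -> {variant: hit count} for every probe seen."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # truncated or non-request line
        host, request = m.groups()
        variant = classify(request)
        if variant is None:
            continue
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            continue  # log holds a resolved name, not an address; skip it
        per_ip = hits.setdefault(ip, {})
        per_ip[variant] = per_ip.get(variant, 0) + 1
    return hits


def split_by_ownership(hits, customer_nets):
    """Split probing sources into (our customers, everyone else), sorted."""
    nets = [ipaddress.ip_network(n) for n in customer_nets]
    ours, theirs = [], []
    ordered = sorted((ipaddress.ip_address(ip) for ip in hits),
                     key=lambda a: (a.version, int(a)))
    for ip in ordered:
        (ours if any(ip in n for n in nets) else theirs).append(str(ip))
    return ours, theirs


if __name__ == "__main__":
    found = probe_sources(SAMPLE_LOG)
    # 192.0.2.0/24 stands in for the provider's own customer range (assumption).
    ours, theirs = split_by_ownership(found, ["192.0.2.0/24"])
    print("customers to contact or filter:", ours)
    print("outside sources to report upstream:", theirs)
```

The customer list is what a scheduled job would hand to whatever maintains the access lists; the outside list is the material for abuse reports to other networks.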
  188. Re:imagine if other utilities did this by Anonymous Coward · · Score: 0
    I have never read in the Constitution or its amendments (ala the Bill of Rights) that I have the right to telephone service. If it isn't there, it is not a right but a privilege.
    Ever READ the Bill of Rights? It specifically says that JUST BECAUSE IT ISN'T LISTED DOESN'T MEAN IT'S NOT A RIGHT. Amendment 9. Look it up.
  189. Re:I've read my TOS and it sucks. by fors · · Score: 1

    If you are creating a threat to other systems or helping contribute to the overload of their systems by not having a secure box they can and should block your account until such time as you have fixed the problem.

    --
    "If there is nothing you are willing to die for, then you are not really alive." Myself
  190. The problem is.... by fataugie · · Score: 2, Insightful
    Fucking stupid people.

    End of story. If a few dumb assholes would patch their shit and keep current with it, then the majority wouldn't suffer. But no.......... This is military logic, one person screws up, and the whole unit pays the price. The problem is, we can't give a blanket party to the fucking dumbasses who refuse to keep current with security patches. This goes for Linux/Windows/Macintosh/Amiga/NeXT/BeOS/Solaris/CP/M/DOS/HP-UX/AIX/OS9/QNIX/FreeBSD/OpenBSD

    I don't care what you run, if you don't keep current on security patches, you are an asshole.

    "If it weren't for dickheads like you, there wouldn't be any thievery in this world Pyle"

    --

    WTF? Over?

    1. Re:The problem is.... by haruharaharu · · Score: 1

      You do realize that IIS (the thing that allows Code Red to propagate) only comes with win2k server, right?

      --
      Reboot macht Frei.
    2. Re:The problem is.... by haruharaharu · · Score: 1

      Bundling server software with win2k was stupid

      How stupid do you have to be to buy Win2k server and not know that it had server software?

      --
      Reboot macht Frei.
    3. Re:The problem is.... by CM39 · · Score: 1

      How stupid do you have to be?

      I don't know, at least as stupid as buying win2k server for a lot more money (if you only need to run a small server) when win2k professional includes bundled server software, as I said in a previous post who would expect win2k pro to have server software bundled with it when they also have a version called win2k server

      Most people who got win2k got it for the multitasking or for the stability.

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein
  191. Re:Read your TOS! by Anonymous Coward · · Score: 0

    Dumbass, they have to decide what they are going to offer, before he signs up. Changing the rules in the middle of the game, and then failing to adequately warn him that they will be changing them sucks ass. I really don't care for your apologist attitude. The internet is turning into AOL, and I think people like you are cheering the process on.

    As far as doing the voting with my dollars, no one offers a decent connection like we actually want. They want to tell us what the internet is, and if we don't like that, if we're using a service they haven't heard of (anything besides web, email and ftp) that's some borderline suspicious activity, hacking even. There is no recourse.

  192. Re:I've read my TOS and it sucks. by MeNeXT · · Score: 1
    I bought bandwidth from my ISP and I expect them to deliver that bandwidth.

    No you did not buy bandwidth, you bought shared access. If you would have bought bandwidth you would be on a T1 to achieve the same results as a DSL connection, or an OC3 or such for your Cable modem.

    If my machine has a security problem and starts attacking other sites on the Internet, that should be my problem, not my broadband provider's problem.

    How do you figure??? If your system is DOS'ing someone on the net it may be using the total bandwidth in your area. How will some one contact you to advise you. Your ISP will be contacted, by other clients and such. Like it or not the ISP is involved.

    --
    DRM? No thanks, I'll just get it somewhere else...
  193. Road Runner's AUP varies by JiveDonut · · Score: 2
    Road Runner's AUP varies depending on where you have service. Here in Virginia, there is no restriction on running a server: Northern Virginia Road Runner AUP

    All they say is that you are responsible for securing your services:

    Customers are liable for having unsecured services, and would be held liable if unknown 3rd parties utilize these services at any time. It is the customer's responsibility to monitor these services. Examples of unsecured services would be use of SMTP relay, incorrect configuration of Proxy or SOCKS services or unsecured operating systems.
  194. Re:The end of a state of denial by ewilts · · Score: 1

    But that's the problem. The agreement we've signed - and which is available online - does NOT say that you cannot run webservers. AT&T has a different AUP than Excite which is different than @Home. AT&T is simply saying you can't run a webserver because it's not convenient at this time for you to do so. Although I'm not a lawyer, I'm sure that anyone fighting this in court will win and AT&T will be forced to restore access. However, they've got more money for lawyers than we do, so we'll be forced to roll over and concede. That's what monopolies give you (I have exactly one choice for cable provider, and DSL is not available where I live).

    --
    .../Ed
  195. thank you by twitter · · Score: 2
    thank you, bacchusrx, for a well thought out and well put thread.

    It's sad to see so many people believe that publication has to be expensive. As you point out, it could not be further from the truth technically. Someone downloading flash trash and commercially produced video consumes far more bandwidth than someone serving static web pages. Still, when I tell people at work that I want to host so much as my own email, they look at me like I have a hole in my head and want to provide Hotmail. What's driving this kind of nonsense? Where are all of these arrogant trolls with their "Enterprise missions" coming from?

    Keep up the good fight. The web must not end up like broadcast media.

    --

    Friends don't help friends install M$ junk.

    1. Re:thank you by Anonymous Coward · · Score: 0

      See, hosting your own email is bad. It's bad enough geeks like you insist on getting to choose half their email address, rather than accepting a username like smithj004AxB56. Now you want to choose the part that comes after the @ too?!?! No way. We oughtta send you back to the corporate re-education camp.

  196. Re:Speakeasy! by Gill+Bates · · Score: 1
    Yes, Speakeasy is available in the Detroit area. I looked at 'em a couple of years ago, but ended up going with Telocity because:
    1. they were less expensive
    2. they provided higher bandwidth
    3. they had similar 'server-friendly' TOS
    I've been happy w/ Telocity, but my DSL line is provided by Rythyms (who buys the line from ACI), so I'm a little worried it could go away.

    Hopefully, DirecTV won't fsck up a good thing.

  197. Re:Quite common already by SnapperHead · · Score: 1

    Here's the odd part about it. It's not 100% true with all ISPs. I have a few friends signed up for DSL and their TOS states that running servers is allowed, but you are responsible for your security, your server doesn't create security problems, (eg, code red worm :) and you are responsible for its content.

    --
    until (succeed) try { again(); }
  198. MODERATOR! by cyberdonny · · Score: 0, Troll
    You misclicked Insightful instead of Flamebait. Come on:
    Because 99.9% of security issues comes from someone running an unpatched redhat box at home.

    How can this possibly be anything other than flamebait or troll? Especially when posted to a story about a vulnerability/worm in a Micro$oft OS!

    Ok, I've got some karma to burn, so go ahead, and take me three points!

  199. All thanks to Bill Gates Army of Evil Monkeys !!! by spaten · · Score: 0, Troll

    Once again Bill Gates has contributed to the constricting grip of corporate hands around the neck of a hardly free internet. Because Microsoft produces an inferior web server product, just one in the family, that has difficulty holding up against virii of any sort. ISP's are "forced" to restrict access of individuals in order to "protect" the whole. Hell, with this logic it seems that it would make more sense to simply prohibit the use of Microsoft OS's on the ISP's network.

    - Gee, thanks @Home, but I thought you were gonna kiss me first!

  200. Re:AT&T / Mediaone is blocking ALL HTTP GET REQUES by MikeFarrington · · Score: 1

    Maybe I'm just incredibly unlucky. Or, maybe it's because I've called them twice to complain, and used their online tech rep twice as well. Is it possible for them to block HTTP GET just for me? Using my cable modem?

  201. Re:Read the Acceptabel Use Agreement by tester13 · · Score: 1

    Yes yes I know, markets will decide, competition, etc. The problem is I don't have a choice as to which DSL provider I want. Living in a underdeveloped part of Brooklyn Covad has no interest of money to install me.

    What am I supposed to do?

  202. Gnutella by Shadowin · · Score: 0

    I wonder how long it will be before they try blocking my Gnutella client? I transfer more with it than I could possibly do with a webserver. Of course, I'll just put Apache on a different port. I just use it so I can access certain files I need from wherever I'm at anyhow.

    The thing is, you'd think that the uplink limit was enough...

    -Shade

  203. Re:Not a huge surprise.. by CBravo · · Score: 1

    block *.security.home.net and run whatever.

    --
    nosig today
  204. Re:charter by Anonymous Coward · · Score: 0
    So why did you sign up?

    ~~~

  205. So don't buy DSL for a big company by Shishak · · Score: 1

    We offer DSL in western MA and don't filter port 80 access, we do filter port 25 but our mail server will allow you to send mail from your domains at no charge. All this for the same price as what Verizon charges for their residential DSL.

    --
    Now I hope and pray that I will But today I am still, just a bill
  206. My shorter reply by Alan+Shutko · · Score: 1

    Not available here.

  207. Re:Read your TOS! by tshak · · Score: 2

    If you want to run your own "mini NOC", then pony up the cash and get ISDN, a T1, or something faster put into your basement. But if you are subscribing to a consumer grade ISP's offerings, don't be surprised when this happens. And especially don't start with the geek indignation, because consumer broadband is not meant, nor sold, under the pretense of running home servers.

    If I pay $50/month for a 256k pipe, and if I want to do my own personal development and want to be able to show others my site from work, or setup a private FTP so that I can grab files offsite, they sure as hell better not stop me. These are totally legitimate uses of a consumer/home office level Internet connection. Plus, with most connections, you can't run a "mini NOC" due to the bandwidth restrictions (128k - 256k upstream).

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  208. Re:AT&T in southern NH is still blocking.. so what by Anonymous Coward · · Score: 0

    I'm sure many people have the knowledge to change their port base on which their server runs, but use this as an example. bob registers xxx.com .... it doesn't work... because port 80 is blocked... so the url must be entered in as xxx.com:xxxx it's an inconvenience.

  209. Re:As a CLEC, this is how we have been coping. by oldave · · Score: 1

    On July 31, before the expected new outbreak of CodeRed scans, I used the eEye CodeRed vulnerability scanner on all IPs on my network. I only found half a dozen IIS servers that weren't patched.

    I called each customer on the phone. I told each of them that I would scan again around 7pm EDT, and if they hadn't installed the patch from Microsoft by then, I would have no choice but to block port 80 access to their machine.

    I scanned again at 7pm EDT. Every machine had been patched.
    I never did need to block port 80 access to any customer.
    Of course, larger networks would have a hell of a time contacting each customer. I only have a couple of hundred DSL customers, so this wasn't a huge effort.

    On the other hand, it's not like we didn't have plenty of warning beforehand. Since July 19, we all should have realized a second round was possible. And frankly, anybody who didn't believe some enterprising soul would create a slightly different, and damaging, worm that exploits the same vulnerability, is burying their head in the sand.

    On a side note, there's an ISP in Vancouver whose customers are spewing 700 scans per minute - I called them on the phone, asking them to deal with those customers. I sent them email. They called me back, and assured me I'd see no more scans from their customers.

    I had to block port 80 requests from their subnets at my border... and they're still spewing.

  210. canadian DSL by Rev.+DeFiLEZ · · Score: 1
    not only am i not filtered in any way, i have
    • 800k/s upstream
    • my own email server
    • they do my mx20
    • they host my dns with unlimited changes
    • my ip reverses to MY domain name
    • not only do they allow linux/*BSD they recommend it
    • my Ip is static
    • they offered me 6 routed ipaddress
    • in the past 4 months i have been down less than 5 minutes
    the only problem is if you're stupid, they will only put up with you so long
    ie. don't send them a log of hack attempts against your PC originating from your ip.
  211. Don't be such a whiny fool by Anonymous Coward · · Score: 0

    And what exactly is a "server"? Is accessing your Pilot calendar remotely using a server?

    Yes.

    Is using an FTP client a server?

    Don't be such a fucking idiot

    What about identd?

    Yup, identd listens on a specific port for incoming requests and issues a response. That's a server.

    Really, stop whining. The TOS state that you should not be running servers. You know full well what a server is, so arguing arcane points and trying to be clever about it isn't going to change the definition of what a server is, or change your TOS. Want to run a server? Pay for a proper line with a fixed IP, or a co-lo. Your Cable provider owes you nothing, deal with it.

    1. Re:Don't be such a whiny fool by Anonymous Coward · · Score: 0
      [Is using an FTP client a server?] Don't be such a fucking idiot. [...] Yup, identd listens on a specific port for incoming requests and issues a response. That's a server.

      You seem somewhat unfamiliar with how FTP clients work...

    2. Re:Don't be such a whiny fool by Anonymous Coward · · Score: 0

      You're the fucking idiot. Read the FTP protocol spec. By default, FTP clients open a port that the server connects to and sends files that are downloaded.

  212. Anyone permanently disconnected for running server by Frank+T.+Lofaro+Jr. · · Score: 2

    Anyone here been disconnected permanently/account cancelled/banned for running a server?

    --
    Just because it CAN be done, doesn't mean it should!
  213. Re:Leased Line by figment · · Score: 5, Insightful
    No offense, but this is quite possibly the worst idea i've ever heard. Hopefully i can convince you that this is the worst idea you've ever thought of.

    > Granted I don't know how much one costs but I
    > figure at around $40 a month a group of about
    > 20-30 should be able to get something way
    > faster than DSL/Cable and without the bullshit.

    We have an LADC line (which while only rated for 9600baud, but can do 768k unreliably via HDSL), that runs 4 blocks. It has a heavy distance limitation. It costs $80/mo. This does not include bandwidth charges. Distance matters. A lot. Too far away? Too bad, you'll either need to 56k lease line (haha), or frame relay, or ptp t1. None of these (well except 56k) are in your pricerange.

    > around $40 a month a group of about 20-30
    > should be able to get something way faster
    > than DSL/Cable and without the bullshit.

    Ok, let's say 25 people @ 40 bucks, not including the line charge. That's $1k. Call up qwest, or maybe sprint, or maybe a tier 2-N (because that's all you can afford), and if you live near a POP and you're lucky, maybe you can get a full T1.

    Ok, now we have a shared T1, for 25 people (who I'm assuming will all be geeks, and will be downloading stuff late at night...) Assume a T1 can get maybe 160k/s throughput (you can't get 100% util on a T1 w/o severe latency problems), you get 6.4k/s. Congrats, you've gotten ISDN speeds, for the cost of approximately $120/mo/person. This doesn't include startup costs. xDSL equipment costs a few hundred dollars on each end, and 802.11b access points are a lot more expensive than the cards (no, airports don't count, their distance sucks) and the costs of outdoor antennas are horrendous, not to mention you'd have to find/hire someone to do the professional antenna install for you. You'd need a router for your shared T1, add another $600 in startup there.

    > What happens when the network / connection goes
    > down. Either we set up some sort of rotation
    > but we need an admin to fix stuff and that can
    > be expensive.

    Expensive is right. You can get a crappy consultant for $75/hr. Say something significant happens once a month for two hours (that's not too unreasonable, given the current codered/sircam problems, and general maintenance, mailserver/dns crap).

    Your cost is now $125/mo for slightly-higher-than-ISDN speeds. See why this idea isn't that great?

    I'm not a big fan of the quality of service of @home or Roadrunner. But at $40/mo, what can you really expect? Does your cable modem/dsl occasionally do over 200k/s? It does? Guess what, just that bandwidth capability alone, would cost you $1.5k/mo to do.

  214. Re:Move to Canada by cat5 · · Score: 1

    Funny. I am in the process of switching from Rogers@home to istop.com's 3Meg DSL. For the price of it, and the simple fact I do run a few websites, it's worth it. Rogers@home may soon be doing the port 80 thing, I just don't want it to sneak up on me at the last moment.

    I would definitely recommend istop.com to anyone serious enough to run their own servers, and can secure their box as well.

  215. Re:A simple go-around: by Software · · Score: 1
    In the third, with a reference like "/css/rubble.css", you'd like to think that, since the parent URL is in http://foo.ne.mediaone.net:8080, the client would go for "http://foo.ne.mediaone.net:8080/css/rubble.css", but no! It looks up "http://foo.ne.mediaone.net/css/rubble.css" (and spends a long time timing out because of the block).
    This is untrue for all of the browsers I've used (and I test web software for a living, so that's quite a lot). I often run webservers at ports higher than 80, and the browser always pulls in CSS stylesheets and everything else properly when using relative URLs. You might want to put a proxy server on your computer (like Muffin) to see for yourself.

    From the browser perspective, there is no real difference between requests for JPG and CSS. The RESPONSES (specifically, the Content-Type header) are different, though.

  216. Re:imagine if other utilities did this by Ronin+Developer · · Score: 2

    Like driving, telephone service is a privilege and not a right. I have never read in the Constitution or its amendments (ala the Bill of Rights) that I have the right to telephone service. If it isn't there, it is not a right but a privilege.

    We, the citizens of this country, seem to think that some things as common as telephone service or driving are rights. They are not. Simply because something is regulated or provided for by law does not imply it is a right. If you know what provision of the Constitution guarantees basic or data grade phone service, I'd be much interested in hearing about it.

    The United States is *NOT* a communist or socialist society. What you construe as a right may be in those societies. Not here. We may have our liberal factions, but we are a capitalist society driven by those rules. Yes, the gov't can establish regulations to provide minimal services such as publicly accessible phone. I don't think data grade service is one of them. Unless you are making an emergency call, you still have to put money in them or you get cut off. No?

    If you don't pay your bill, they CAN and WILL cut you off. Same thing goes for cell phone use. The exception is 911 or emergency calls. All public pay phones and cell phones will permit a 911 call at no cost (hence you should keep your cell phone even if you no longer have service).

    When I have moved and needed to set up phone service to my new domicile, the phone line at my old residence loses its dialtone. I can not make a phone call when the line has been disconnected DESPITE the fact that there is a phone line running into the old residence. This is because I have not paid for service in both locations.

    The service they must provide to you is, naturally, non-discriminatory as you pointed out. But, the rate at which you pay for your calls is based upon a legally binding contract. Go over your allocated minutes or call into a long distance area, and different charges apply. Am I not correct? Regulated or not, they are in the business to make money.

    Gas, electric and water companies can also cut off service. But, they may not do so when such action endangers life (that *IS* in the Constitution...You have the right to *life*, liberty and the pursuit of happiness). That is why they won't cut off service in the dead of winter or to a nursing home during a heat wave. When the endangering condition no longer exists, they can and will cut off your service. And, they will temporarily restore it if the dangerous condition resumes.

  217. Re:Road Runner by Alioth · · Score: 2
    Hmmmm. That's not in my RoadRunner TOS - it doesn't even mention servers.

    My cable data light started flashing like crazy the other day (and is still doing so). Out of curiosity, I ran iptraf, and discovered the traffic was all ARP packets coming from the default router (and I didn't see any destined for my MAC).

  218. Re:Read your TOS! by ergo98 · · Score: 1

    That's right: With DSL you have a direct peered T3 with every major network company. While it was rather expensive for the phone companies to drop a hundred or so T3s at every subscriber's line, it obviously paid off due to the unshared bandwidth.

  219. Re:Just get a job! My ISP is Nice and allows me by Anonymous Coward · · Score: 0

    to run any server I want. :-) Web, Mail, FTP, IRC, Telnet (Eww), anything I want. :-) Gotta Love Small ISPs they Rock :-)

  220. All in competition... by Uttles · · Score: 1

    Well it sucks that they block certain things but there's no law that says they have to offer subscribers a completely open connection to the internet. Maybe we need a law like that, but until then we can only look to competitors who will offer (at a slightly higher charge) a restriction-free connection. I hate it too, but what can you do?

    --

    ~ now you know
  221. Re:Leased Line by figment · · Score: 2
    Correct. However the usage patterns are such that the time of activity is the same for all. They could be only using their connection 10% of the time, but everyone is doing it at the same time, you still have those problems.

    I'm also assuming equality, which isn't the case. In the ISP world, 90% of the bandwidth is used by the top 10% of the people. One person could easily saturate the t1 and make it utterly miserable for anyone else (we have t1s into apt buildings and we see this exact thing). Again, now you have worse service than a 56k modem can provide.

  222. Who do you want to offend? Re:so what by Forge · · Score: 2

    I am willing to bet that they have more customers with compromised servers than they have customers who care about running an actual website from the desktop.

    Either group will be offended enough to change providers if they take action. Business dictates that you should chase 2 guys who complain about smoke to keep the 10 guys who pass around fat cigars all the time.

    --
    --= Isn't it surprising how badly I spell ?
  223. Re:Wrong about SMTP @ Verizon by TheSync · · Score: 2

    I also have no problems with connecting to outside hosts on the standard SMTP port through Verizon DSL, but others swear they can't.

  224. Re:I've read my TOS and it sucks. by TMB · · Score: 2
    If anyone can explain a good reason for banning servers rather than limiting data volumes, I'm all ears. I think it's either a combination of laziness and sloppy thinking on the part of the providers, or a desire to force the "users" to also be "content consumers" rather than "content providers". Hanlon's razor, I believe, favours the former explanation.

    No, the second is closer to the truth. It's the same reason why companies can't buy a residential phone line. The vast majority of people who want to run servers want to do it for commercial reasons. And therefore have money to pay for a more expensive connection than cheap broadband. By forbidding the use of servers on the residential cable/DSL service, they force all the companies to use the (more expensive) business services. Voila, more money for them, and the only people who get screwed are the relatively small number of us who are poor individuals but who want to run services on privileged ports on our home boxen.

    [TMB]

  225. Re:If you're in Eastern Mass. AT&T's lying by cvincent · · Score: 1

    I made the same observation this morning and I called AT&T about just this, I explained that my TOS states that I can run the software if I take the needed steps to ensure the security of my machine so that it does not interrupt the service of other customers. The lady was totally clueless about my TOS and said there was nothing that could be done, and no matter whom I talked to about getting 80 unblocked for me it would not happen. So I guess that I can't violate the TOS but they can do what they want to interrupt my service even if it's against the contract...

  226. Re:Move to Canada by Enigma2175 · · Score: 5, Informative
    DHCP servers must have a MAC address memory or something because it will assign me the same IP address all the time (and it's not a feature of my dhcp client)

    Actually, it is a feature of the DHCP protocol. By default, you attempt to renew your address lease after 50% of it is gone. If you do not have connectivity to the DHCP server, the client will keep trying to renew the lease until it is able to contact the server again. The client will attempt to renew a lease from the same server that gave it the initial lease. Even if the lease has been expired for some time, the server will still attempt to give the same address. This is default on most DHCP servers. Of course, you can change this and automatically assign a different address each time, but it gives better overall network stability to have clients keep their ip addresses.

    --

    Enigma

  227. Re:Give me a break by kurowski · · Score: 1
    Stop being so paranoid. There are other broadband providers in the world.

    Um, not for long. I'm watching Covad slowly die, which will take Speakeasy (my ISP) with it, leaving me with no choice but to use Verizon for DSL. So I'll be forced to switch from a nice SDSL connection with static IP addresses and freedom to do whatever the hell I want with it, to a crappy, filtered ADSL connection with all that associated DHCP and PPPoE nonsense.

  228. Re:No blocking yet by CerebusUS · · Score: 1

    Still seems draconian to me. "We're going to close the intersection of Pine and Elm because there are too many accidents there."

    I think of it more as "We're closing this road to commercial traffic because it causes too much congestion"

  229. Re:Move to Canada and use no-ip by Anonymous Coward · · Score: 1, Informative

    To get around Dynamic DNS, use no-ip (www.no-ip.com); they'll give you a www.?.no-ip.com for your server for free or they'll use your domain name for like $15US a year. All you have to do is run their program and it updates your IP address every time it changes. It works really well.

  230. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0
    As opposed to you? You obviously do know DICK. Quite intimately, it seems.

    Fucking CockGoblin

  231. Re:Verizon DSL is NOT THAT EVIL by Anonymous Coward · · Score: 0

    Have you ever heard of a filtering proxy? It's not that they shut off _all_ traffic, they just ensure certain traffic ends up in the bit bucket.

  232. Re:Verizon DSL is NOT THAT EVIL by TildeMan · · Score: 3, Interesting

    I'm a Verizon DSL user. My brother and I just got off the phone with tech support. First they tried to convince us that hosting a web server was illegal (after we convinced them that we had seen the ToS which says DSL users are exempt); after about ten minutes of arguing that was changed to "We don't support that." Then they told us that they would not open port 80 for specific machines, and that they would not even tell us ANY details about other ports (like the mysterious 25). I hope to call back later and speak to someone a bit more helpful...

    As for why we learned about the port closing from /. long before we heard about it from verizon in a vaguely worded, hidden post, they told us that they didn't send an email because it only affects about 5% of their customers. They also won't notify us when they reopen port 80, however distant that may be. Furthermore, they claim that the vast majority of users who would receive such an email would not care. Still, if I were the average user I certainly would rather hear service/security updates I can ignore than miss ones that might be relevant.

    Conclusion: Verizon is at least approaching Evil, if not already there... please let me know if you've had any better experiences with tech support since the start of the filtering!

    TildeMan

  233. Re:Clause? by geekoid · · Score: 2

    ROT13 my email address
    oh no, you're not going to get me that easy, G-Man. :)

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  234. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0

    "One million flies can't be wrong."

  235. Why didn't they pick the elegant solution? by igomaniac · · Score: 1

    They should just create a strain of Code Red that goes in and patches the hole - shouldn't be too difficult... They could call it Code Green or something -- There, I even did the hard part for them, coming up with the name ;)

    --

    The interactive way to Go -- http://www.playgo.to/iwtg/en/
  236. Re:Verizon DSL is NOT THAT EVIL by Rasvar · · Score: 2

    My main suggestion would be to remap your server to look at port 8080 or something like that. Since it is personal use and you probably only give it to a few folks, adding :8080 at the end of the url should not be that big of a problem and it bypasses the port 80 block.

  237. Re:Leased Line by Anonymous Coward · · Score: 0

    I want some of whatever you're smoking if you think they can stay in business at rates like that. I'll put up a pr0n site and eat all that 5mb up within 30 days :)

  238. Re:Servers were never allowed out on cable by roystgnr · · Score: 2

    So please, stop deflecting the blame when really you yourselves (or your friends who don't patch) are at fault.

    You have a 5-digit Slashdot user ID, and yet you seem to believe that someone here is "friends" with administrators of unpatched Microsoft webservers? Where have you been hiding? Half the people here wouldn't be friends with administrators of *patched* Microsoft webservers...

  239. Re:From A Business Perspective, It Makes Sense by Jucius+Maximus · · Score: 1
    "Or, gee, maybe they could write a script -- detect, block and send an email notification."

    If they wrote a script and sent notification, they'd be condoning something that's prohibited in their TOS. I've gotta agree with ergo98 on this one.

  240. Use alternate DSL ISPs by Anonymous Coward · · Score: 0

    I'm using an alternate DSL ISP which is much more friendly than your huge telecommunications conglomerates. No filtering, no hassle, just works. With cablemodems you don't get a choice, but with DSL, last time I checked the Oklahoma City area, there were about 15 different alternate providers of DSL.

  241. Contracts by jkmiecik · · Score: 1

    If the AT&T/Excite@Home users read their contracts, you're not supposed to be running any type of server, from web to Tribes servers.

  242. Re:Why don't ISP's provide firewall software? by Anonymous Coward · · Score: 0

    maybe it's because an ISP is just that, an INTERNET SERVICE PROVIDER... NOT your personal security consultant.
    Wouldn't it also seem that the root of this issue initially stemmed from a certain poorly-designed, yet widely used, http server app?

  243. Simply not true - for some AT&T's by TBone · · Score: 2

    Like Gregoyle said, those of us that ended up in AT&T as a result of them buying MediaOne RoadRunner have a different ToS/AUP than the rest of the Excite@Home people. For example, if you go to their help site (help.broadband.att.com) and enter 32202 (downtown Jacksonville), you will get the set of documents that reflect the MediaOne user agreements. Nowhere in those documents does it say we are not allowed to run servers, and in fact, says that if we run servers, AT&T will not be held responsible. However, their level 1 tech support is stupid, and told me that if you enter Server in the search window, there's documentation that says "you may not run servers". The local Franchise Board is going to get a call from me next week - AT&T is already under investigation here in Jacksonville for crap Cable TV service and support, if they are slamming my original ToS with a new one, and not giving me ample notification, then they are going to have more problems.

    --

    This space for rent. Call 1-800-STEAK4U

  244. Re:imagine if other utilities did this by Mark+Bainter · · Score: 1
    Like driving, telephone service is a privilege and not a right.

    Hrm. Partly correct. We do have a right to freedom of movement. Really, the only time you need to get a driver's license, or register your car, or whatever, is if you are doing it for commercial purposes. As a citizen you cannot be required to do those things. Unfortunately, they don't tell you that, and by getting those things you forfeit those rights. And of course, the hassle you'd get from the police all the time makes it very unappealing as well.

    We may have our liberal factions, but we are capitalist society driven by those rules.

    No. Capitalism is a Marxist creation. What we are /supposed/ to have is a Free Market. Unfortunately, we don't have that either. Part of it is still there, but because the government regulates the market it doesn't work like it should.

    And herein lies the main point of issue with the argument that we shouldn't complain, but rather should just take our business elsewhere if we don't like the TOS. That's a wonderful thought, and is exactly right, if you have a free market. But we don't. Instead, thanks to government involvement there really aren't many other choices for the consumer. If it wasn't for the government, just the desire for this type of service would have spawned a business to provide for it.

    A great example of this is the original surge of ISPs, even the continuing existence of smaller ISPs. Because of the nature of the dialup business pretty much anyone could go out and start up a company to provide that sort of access. So consumers had lots of choice. This brought about unlimited access, and cheaper prices. It forced ISPs to provide quality service to their customers (no busy signals/etc) or else really cheap prices depending on your target market. Competition, it's a wonderful thing. But here, I have three choices for broadband. Cable, provided only by AT&T @home, DSL, provided (in the end) only by SWBell, or an expensive line (T1+). Unless you count ISDN, which I don't really think meets the term "broadband". Without competition, and thus the power to take your money somewhere else there is no way to affect your service. All you are left with is complaining.

    The really sad thing is that complaining eventually tends to devolve into "there oughta be a law" comments. More regulation is not the answer to this problem. Less regulation and more competition is.

    What we need is another access method that's similar to dialup, though hopefully not dependent on the phone company, which was the one big problem with that part of the internet's growth. An access method that does not require a limited resource controlled by a single company.

    The only thing I know of is wireless/satellite. That's the one I'm waiting for. We have a company here locally that is making a strong go of providing (flash warning) wireless broadband internet access and I'm excited about it. It's not available where I am yet, but it's close. As this type of technology becomes more viable, not only will there be a way for the average business to get involved in the market to provide competition just in the wireless sphere of broadband, but the whole concept of the wireless providers will provide competition for the other broadband providers (DSL/Cable). I think we'll start seeing some major changes at that point.

    Stating that, you might ask if DSL and Cable don't count as competition. I'd say they do. However, there are only 2 companies selling the actual connection. And they do compete with each other, which is why it's affordable. But, that's the only real competition going on. Because both sides tend to slack on the service side, and both disallow servers generally there's no real competition in that sphere. A third single company doing wireless wouldn't be much better unless that company was out to specifically do those things. The point is that currently (afaik) wireless providers aren't regulated like phone/cable. Anyone who can put up the money to start the business can start providing wireless broadband access. So we'll have real choice.

    --
    "No nation could preserve its freedom in the midst of continual warfare."
    --James Madison
  245. Re:Taking business elsewhere - !@#$% by rreyelts · · Score: 2, Insightful
    If you don't like their actions or policies, then take your business elsewhere.

    This attitude makes me sick. The idea of capitalism seems great, but it just doesn't work. How can I take my dollars elsewhere, when there's nowhere else to go? Every saturated market ends up in the hands of an oligopoly - not much better than a monopoly. In the case of broadband access, it's even worse, because of the government sanctioned monopolies on cable. Go on, ask me what choices I have for broadband access. [sigh]

    One frustrated broadband user, -Toby
  246. Not blocking with cox@home by Anonymous Coward · · Score: 0

    The arp requests are still going at a blistering pace here with cox@home. Maybe they think that they will just wait until after the 20th. -- BTW, the fave cable service for gay men is cox@home.

  247. Re:Move to Canada by Penrif · · Score: 1

    Well, a DHCP server can be used for a direct MAC address to IP mapping. Your ISP is probably set up that way. So, you probably do have an IP assigned to you (test it by releasing your IP and unplugging your box from the net for a while (like a day)). This setup really simplifies the client setup (they don't need to do much of anything, just say "Use DHCP" in most cases). At the same time, this one to one mapping makes sure that the DHCP server will run really fast (no need to check for available addresses).

  248. Re:Move to Canada by Malc · · Score: 1
    No, Sympatico did try to implement a port 25 filter some months ago. It's also a policy restated many times by Sympatico's representative on news://sympatico.highspeed. You can also verify this filter, which is mentioned here: http://www1.sympatico.ca/help/local/bell/mailsettings.bell.html

    That said, the filter is patchy and doesn't seem so effective in my area. I too run a mail server with two small problems: 1) I configured a smarthost when they announced the filter, but that doesn't allow relaying of bounced messages (I stopped using it); 2) People with other Sympatico IPs cannot connect directly to my SMTP server (easily tested via dial-up).

    The following was Sympatico's email concerning the implementation of the port 25 filter:

    Subject: Important! Check your Sympatico Email Server Settings (Cell 3E)
    Date: Tue, 15 May 2001 09:35:57 -0400
    From: "Sympatico"
    To: <xxxxxxxx@sympatico.ca>

    As a valued Bell Sympatico(TM) member, we want to ensure that you are enjoying
    your online experience and are protected from any misuse of the Internet.

    To help protect you and other members from unwanted or unsolicited email messages,
    efforts are being put in place to restrict the use of non-Sympatico email servers. Sympatico
    members will now use the Sympatico email servers to send their email.

    As of May 21, 2001, please use the correct Sympatico email setting. If you have changed
    any of your email server settings to a non-Sympatico address, please correct your
    settings by May 21, 2001. Otherwise, you will not be able to send email until you have
    done so. The Bell Sympatico outgoing mail server address is:

    smtp1.sympatico.ca

    For instructions on how to confirm or change your email server settings with the email
    software you use, please visit:
    http://memberservices.sympatico.ca/cgi-bin/go.exe?Hit:x=504&y=412&z=8574286

    Thank you for your cooperation in this regard.

    The Sympatico Member Services Team

    Sympatico is a trade-mark of Bell ActiMedia Inc., used under license. The service is provided
    by Bell ActiMedia Inc.
  249. Re:I've read my TOS and it sucks. by spectral · · Score: 0

    They want to sell people to their business plans, which they offer for that specific reason. if you run a server besides for personal use, they want you to pay more so they can make more money on the business services. That's the argument when you mention you're already upload capped.

  250. Re:So why not change your port number? by macemoneta · · Score: 1

    Shortly after I posted this, Cablevision did the same thing, blocking port 80. It was extremely effective at stopping the Code Red activity. I thank them for returning stability to the network, even though I'm sure they will receive some negative feedback from a few customers. I got to try out my suggestion, and it worked as expected. My friends and family never saw the change in port number, and it took all of 5 minutes to reconfigure the web server and URL mapping. All in all, it was probably easier than applying the patch to IIS would have been (wouldn't know, never touch the stuff :-)

    --

    Can You Say Linux? I Knew That You Could.

  251. My Temporary Work-Around by Anonymous Coward · · Score: 2, Interesting
    I was more than just a little pissed off about this. I was laid off just recently, and have been relying on contract admin and design work to make ends meet. It kinda sucks when all of a sudden, my demo site falls off the net, and my clients are unable to see the work that I am trying to sell them. I'm sure it makes them uncomfortable about buying my services when I can't even keep my own site online (through no fault of my own).

    My temporary fix was as follows:
    1. Moved all of my virtual hosts from domain.com:80 to temp.domain.com:82
    2. Created A and CNAME records for temp and www.temp, pointing to my server at home.
    3. Had a friend install a VirtualHost on his web server, with an index.cgi that redirects requests to my temporary virtual hosts (see below).
    4. Pointed @ and www at my friend's server.
    Here's what the redirector script looks like. Note that I originally tried a simple redirect, but found that meta refresh was more effective for this application:

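    #!/usr/bin/perl
    use strict; use warnings;
    # Send the visitor to the same host and path on the temporary port-82 virtual host.
    my $redirect = "http://temp." . $ENV{HTTP_HOST} . ":82" . $ENV{REQUEST_URI};
    # Both values come from the client, so HTML-escape them before they go into the attribute.
    $redirect =~ s/([&<>"'])/sprintf('&#%d;', ord $1)/ge;
    print "Content-type: text/html\n\n";
    print "<meta http-equiv=\"Refresh\" content=\"0;URL=$redirect\">";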
    1. Re:My Temporary Work-Around by Anonymous Coward · · Score: 0

      I've got 14 zones and about 30 virtual hosts on my server. Your suggestion becomes much less elegant when you have any more than one address to redirect.

      Also, there are two versions of my resume circulating. One has www.myname.com as my URL, and the other has myname.com/professional. Right now, I'm set up so that either will work. Your method would break this.

      And finally: no offense, but Sambar is for losers. If you insist on running Win32, why not at least do it with a real web server?

    2. Re:My Temporary Work-Around by Anonymous Coward · · Score: 0

      Step 2 should read temp.www, not www.temp -- I actually made that mistake the first time around. Heh.
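
The redirector CGI in "My Temporary Work-Around" builds its target from the Host header and request URI, both of which the client controls. The following is an added example, not the poster's code, of the same meta-refresh redirector with the host checked against an allowlist and the output escaped; the host names and helper names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: the port-82 redirector with its client-supplied inputs checked.
# The host names below are constructed placeholders, not the poster's zones.
use strict;
use warnings;

my $TEMP_PORT = 82;

# Exact host names this redirector answers for; anything else is refused,
# so a forged Host header cannot steer visitors to an arbitrary domain.
my %ALLOWED_HOST = map { $_ => 1 }
    qw(example.com www.example.com example.org www.example.org);

# Normalise a Host header value and return it only if it is allowlisted.
sub allowed_host {
    my ($host) = @_;
    return undef unless defined $host;
    $host = lc $host;
    $host =~ s/:\d+\z//;    # drop an optional ":port"
    $host =~ s/\.\z//;      # drop a trailing root dot
    return $ALLOWED_HOST{$host} ? $host : undef;
}

# Accept only an origin-form path (leading "/", printable ASCII, no spaces);
# anything else falls back to the site root.
sub safe_request_uri {
    my ($uri) = @_;
    return '/' unless defined $uri && $uri =~ m{\A/[\x21-\x7e]*\z};
    return $uri;
}

# Encode the characters that could close the attribute or open a tag.
sub html_escape {
    my ($text) = @_;
    $text =~ s/([&<>"'])/sprintf('&#%d;', ord $1)/ge;
    return $text;
}

# Build the full CGI response for one request environment (hash reference).
sub build_response {
    my ($env) = @_;
    my $host = allowed_host($env->{HTTP_HOST});
    return "Status: 400 Bad Request\nContent-Type: text/plain\n\nUnknown host\n"
        unless defined $host;

    # Same target shape as the original script: temp.<host>:82<request URI>.
    my $target = "http://temp.${host}:${TEMP_PORT}"
               . safe_request_uri($env->{REQUEST_URI});

    return "Content-Type: text/html\n\n"
         . '<meta http-equiv="Refresh" content="0;URL='
         . html_escape($target) . '">' . "\n";
}

unless (caller) {
    if (@ARGV && $ARGV[0] eq '--demo') {
        # Constructed requests: legitimate, forged Host header, markup in the URI.
        my @requests = (
            { HTTP_HOST => 'www.example.com',  REQUEST_URI => '/professional' },
            { HTTP_HOST => 'attacker.invalid', REQUEST_URI => '/' },
            { HTTP_HOST => 'example.org:80',   REQUEST_URI => '/a?x="><script>' },
        );
        print build_response($_), "----\n" for @requests;
    }
    else {
        print build_response(\%ENV);    # normal CGI operation
    }
}
```

Run with `--demo` to print the three responses; with no arguments it reads the CGI environment as the original script does.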

  252. Re:Even if you did run a Web server... by mshiltonj · · Score: 0
    Why would anyone want to do with a 128k upload cap (assuming @Home cable modem service)? :)

    1. So I can share an online photo gallery of my 1 year old daughter with friends and relatives who are spread far and wide. This site has maybe 25 people as a user base, with 1-5 user sessions a day. Fuck Geocities, et al. I've got a dedicated server with root access right here and more than enough bandwidth to serve this, with no ads.

    2. So I can test web applications I'm developing in my development environment and have two or three external users do some debugging before I deploy. Performance and speed are not critical. I've got root access and mysql and postgresql and apache w/ mod_perl mod_php. I don't want to have to pay for *two* rackspace servers -- one for production and one for development, when I've *got* a fucking development environment sitting next to my left foot, that I have complete control over. All I need is to have a few external users do some testing. I can load test from my internal network.

    Response to this post: blah blah blah tough shit blah blah blah terms of service blah blah no sympathy blah blah blah deal with it blah blah blah

  253. Re:The end of a state of denial by SiliconJesus · · Score: 1

    The fun here for me is that I had IIS running on 2k. I installed the patch, and voilà! Bluescreen. It won't boot, it won't boot in "Safe Mode," "VGA Mode" or "Last Known Good." I can't get to the hard drive (DOS 6.22 disks are no good for FAT32 (80 GB hard drive) and 6.22 is the only bootdisk image I had on my UNIX box). Basically, my IT Dept said they can re-ghost the system, but that'd be data destructive. I'll have to go buy a 98 CD at lunch to get my system up and running after. Thank god for metaframe.

    BTW - if you *have* a windows box, check out http://www.bootdisks.com for disk images that write to floppies, but little love for UNIX.

    --
    Clinton made me a Republican. Bush made me a Libertarian. Trump is making me question reality.
  254. Re:Servers were never allowed out on cable by Moose4 · · Score: 1
    Unfortunately, Road Runner here in South Carolina is the same way. Check out this little piece of draconian legalese from http://www.sc.rr.com/userterms.htm:

    5. Subscriber Conduct
    d) Subscriber will not resell the Road Runner Service, or any portion thereof, or otherwise charge others to use Road Runner, or any portion thereof. Further, Subscriber will not redistribute the Road Runner Service, or any portion thereof, whether or not Subscriber receives compensation for such redistribution. The Road Runner Service as offered under this Agreement is a residential service offered for personal, noncommercial use only. Subscriber agrees not to use the Road Runner Service for operation as an Internet service provider, for the hosting of websites or for any business enterprise. Subscriber further agrees not to connect the cable modem to any computer other than the Computer(s) or to any server (or any computer running server applications that provide similar protocol services over the Road Runner Service), including without limitation any servers for mail, HTTP, FTP, RTP, IRC, DHCP, or multi-user interactive forums (e.g. gaming).

    (added emphasis is mine)

    So, technically, I'm in violation of the terms of service because I've got a Netgear router hooking three PCs (two running ME, one running RH 7.1) to the cable modem. If I want to hook three computers up to their cable, according to them, I have to pay them $9.95/month each for two extra IPs...oh, but sorry, you can't hook the third box up, we don't support Linux, it doesn't exist!

    This, despite the fact the installer told me I should get a router when he saw my half-disassembled RH box sitting next to my main computer. The installer, though, didn't work for TWC, he was a contractor they pay to do the digital cable and RR installs.

    I haven't heard of them blocking port 80 down here yet, but I'm sure they will soon. I hate giving these guys $40 a month for this, but given the horror stories I've heard with Bellsouth (aka Bellsuck) DSL installs, and given that South Carolina's somewhere behind, oh, say, Yemen in the technology area, I don't know what other alternatives I have.

    --
    "Settle down, Beavis. We've got an experiment to do."
  255. Re:Move to Australia, but don't use Telstra by lazybeam · · Score: 1

    Yeah, but in my city Optus aren't available, and according to a response on Whirlpool, it's not coming. (Unless they can get XYZed ADSL going)

    --
    --
    no sig for you. come back one year.
  256. Want to have some fun? by drix · · Score: 2
    Here's a question which I've put repeatedly to the monarchs and @Home over the past few years. Never once have I received a response. I think that's telling.

    What is your definition of "server"?

    Chew this over for a couple milliseconds and you realize that, by banning servers from their TOS, they are effectively forbidding the use of all instant messaging services, many online games, all peer-to-peer applications, IRC, and a host of others. One is left to infer that the only kosher activities on the @Home network are web browsing and checking e-mail. They would never be caught dead saying this, but you can't not get that idea from a strict reading of the contract. Even in a single e-mail to an inquisitive customer, they would of course never be caught dead admitting this. To do so would, of course, invite lots of fun sloganeering on behalf of the various DSL providers, who would like nothing more than to put the phrase "@Home bars you from using 90% of the Internet services that you want to; we don't" into @Home's pipe and watch them smoke it. So, if you're a little bored on this Wednesday night, fire off an e-mail to your friends at @Home and await the response. :)

    --

    I think there is a world market for maybe five personal web logs.
  257. Blocking ports should be fought in court by SlashDread · · Score: 1

    For the longest time ISPs have been doing stuff like this. Blocking port 80 is standard practice on just about all cable, and most DSL providers aiming at the home user market.

    Quite often I think this is done purely to offer a "commercial" rate connection (at like triple the price tag) where the ports ARE NOT blocked.

    Now the devil is always in the details: if the ISP offers the low-grade home-user-targeted connection as something like this "Unlimited Internet access for a fixed fee!" as they often do, they are misleading you, the average Joe Consumer.

    Now the small-print terms and conditions usually explain something like: Running servers is not allowed. Using more than one machine to connect is not allowed. If you cross some vague "fair use" magical number of MB you might get an extra invoice.

    That's grounds to sue on two accounts IMHO:
    1. It's not "unlimited"
    2. It's not "internet"

    1. It's not unlimited, they limit HOW, HOW MUCH and even WHAT (by not allowing "servers" (can someone define "server"?))
    2. It's not internet, as *I* define "Internet" as a 2-way *interactive* medium, meaning running say a two-way video conference, where *I* act as a host for incoming requests, should be possible. Always. Running a quake server, same deal.

    Sue. GDDMMT Gr /Dread

  258. Re:Speakeasy! by mgarraha · · Score: 1

    I signed on to Megapath when Northpoint was still alive. Fortunately, only 11 days after the Northpoint shutdown, they had me back online with Covad. Unfortunately, my latency increased by 100ms because they had to route my traffic through California. I asked about getting better routing. They answered: we've already ordered it, no idea when it'll be ready, ask again later. Now with Rhythms bankrupt and Covad planning to file, it seems Megapath will have their hands full again. Does Speakeasy have an IP gateway near Detroit? Oops, I should be asking this on dslreports.com.

  259. Re:They should remain blocked by gregopad39 · · Score: 1

    The anon-coward who thinks he's better than every one else is one of the reasons why tech support and over IT competence is lagging these days. I suffered under ATT for almost two years. Besides the tech support personnel who do not have a clue - their network was very unreliable. My ip address would arbitrarily be allocated to someone else. The network would be down for no reason - and when I called their tech support - their guys wanted me to remove my ethernet card and then re-install. ( This happened to my dentist 6 days ago.) To add insult to injury I received a call from some arrogant bitch who informed me I had 24 hours to shutdown my "server". There were times the service would be down for 6 days at a time - and they still did not have a clue. I had to fight to receive a $6 credit. After the third "offense" and receiving notification of their rate increase - I gladly ripped that piece of crap out of my network and turned it in. I switched to slower but far more reliable DSL - and I'm glad I did. As we can all see - the Titanic vessel of ATT Broadband is sinking quickly - and hoping for buyer of all the infrastructure they have installed. ATT has cut costs by hiring non-qualified managers and technical personnel - then they wonder why their customers complain and leave. Good luck Mr. Armstrong - you and your team continue to play the game of circle jerk with the board - one day you will wake up and realize how you have alienated your customers - from credit card - to phone service - to wireless - to long distance - cable tv - and now internet service. Wow - you have hit for the cycle !!!

  260. @Home Carnivore by ergo98 · · Score: 2

    @Home would then basically be running a relative of Carnivore, and imagine if every time I tried to look at your post @Home suddenly clamped the connection shut.

    The logistics of something like that would be MASSIVE, as normal stateful firewalling is simply saying "who connected to who and has there been any data in the last X interval?" Actually keeping track of the content of each stream, while as mentioned guaranteed to incite outrage on sites such as this, would be a massive undertaking for millions of users with millions of connections. Although on the "bright" side, once they have that in place they can then turn it on for connection dropping for keywords like "linux", "warez", "crackz", "porn", "drugs", etc.

  261. Re:Verizon DSL is NOT THAT EVIL by Decimal · · Score: 1

    Finally I got to some guy who was somewhat intelligent, although he did call Linux, L-EYE-NUCKS

    I'm quite computer literate (I hope I'm considered intelligent), and I pronounce Linux with a long I. Why? Because LIH-NUCKS is simply ugly. And I point out to anyone who gets on my case about it that Linus T. pronounces Linux as "Lee-nooks". (Hypocrites.)

    I believe that the laws of English vowel pronunciation are on my side, too.

    --

    Remember "Bring 'em on"? *sigh
  262. @HOME by Anonymous Coward · · Score: 2, Informative

    So far, my server is still running. I turned it back on, after it was crashed by Code Red attempts, and received another Code Red attack the next second. Is the ban network wide? Is it not in place yet?

  263. Re:Speakeasy! by Gill+Bates · · Score: 1
    Telocity's DNS hosting is a little misleading. What they'll do is set up their DNS to point your domain at their webserver (you get 10MB of webspace as part of the service).

    So, www.yourdomain.com ends up pointing to a virtual web server under Telocity's control.

    Not exactly the same as hosting DNS for you.

  264. I must be the only one... by Anonymous Coward · · Score: 3, Insightful

    I'm posting AC because it seems each time I post my opinion on this topic, I lose karma...

    I don't see any reason why providers shouldn't block port 80 incoming. The only reason to have that open is to run a webserver -- something most broadband providers explicitly disallow for residential customers. That's one of the reasons why a "business" account usually costs a lot more, even for the same speeds.

    Just because they let it ride up to now, doesn't mean they have any less a right to block it now. If they'd been doing this all along, I'm sure most people wouldn't be complaining now.

    Sure, it's nice to run a webserver at home, but residential service doesn't usually come with any kind of real uptime guarantees, etc. It just makes more sense to either get a business account, or get a real webserver (lease one, or use a shared provider, whatever).

    With the amount of port 80 requests in my firewall logs on my cable connection, I would welcome a block on port 80 personally. I've already bored of looking at 'dir' listings and deleting files on these idiot Windows/IIS machines... but seriously, it's time to put this thing to rest and move on. And get a webserver.

    1. Re:I must be the only one... by Anonymous Coward · · Score: 0

      LOL -- I should have figured I'd get modded up if I posted AC... Anyway, I wouldn't mind being a dog, but a telemarketer? NO!!!

    2. Re:I must be the only one... by JackiePatti · · Score: 1

      > I don't see any reason why providers shouldn't block port 80 incoming. The only reason to have that open is to run a webserver -- something most broadband providers explicitly disallow for residential customers. That's one of the reasons why a "business" account usually costs a lot more, even for the same speeds.

      You seem to assume there is no non-business use for a web server.

      Or are all of us supposed to get Geocity sites and let Yahoo copyright our work?

    3. Re:I must be the only one... by Anonymous Coward · · Score: 0

      I'm posting AC because it seems each time I post my opinion on this topic, I lose karma...

      You fool. You just don't get it, do you?

      Posting as AC might save you Slashdot karma but if you save that kind of karma, then you waste an equal amount of "real" karma. So way to go, numbskull.

      When you die, you'll have 50 points on Slashdot, but you'll be reincarnated as a dog or telemarketer. If you were smart, you'd die with -10 karma but thanks to conservation of karma principle, you would be reincarnated as a god.

      Become enlightened. Reconsider your strategy.

  265. Re:Road Runner by shaper · · Score: 2

    Whoa! That's different from what I just read on my AUP. I note that the top of the page you link says Kansas City. The service that I use is "Road Runner of the Mid-South" and its AUP is at http://www.midsouth.rr.com/local/terms/tos.shtml

    It's different! Hmmm... Note the additional bullet point that disallows you "to host or operate any type of server including but not limited to web, ftp, gaming, mail, wingate, etc. Running such software/hardware is STRICTLY prohibited for residential and business service." The bold, all-caps emphasis on "strictly" is original to the page, I did not add it.

    I wonder if they would really insist that I not turn on Web Sharing on my Mac OSX box, especially since it is actually Apache!

  266. charter by Anonymous Coward · · Score: 0

    Charter has been filtering ports 21, 25, 80, 110, 139 and others ever since I've signed up with them.
    And get this: according to their AUP, if you use too much bandwidth, they can add an additional charge to your cable bill.

  267. Re:Servers were never allowed out on cable by Anonymous Coward · · Score: 0

    You can't quota b/w on a cable system. It's shared among all users on your segment.

  268. Re:If you're in Eastern Mass. AT&T's lying by drayath · · Score: 1

    But they haven't stopped you running the servers, they have just stopped other people accessing them! (-;

  269. Verizon sucks by smz420 · · Score: 1

    Verizon DSL gives such limited upstream bandwidth, that it's not ideal to host a web server - unless you're paying for one of their more expensive packages.

  270. Re:People are becoming consumers, not content crea by pompomtom · · Score: 0

    Or vice versa?

    --

    Buckets,

    pompomtom

    "There's an exception to every rule. Except for some rules"
  271. Re:Road Runner by Anonymous Coward · · Score: 0

    (According to my *cough* port scan *cough* of the subnet.)

    Seems to me like the Slashdot editors passed on their cold to the Slashdot readers.

  272. Re:Quite common already by balls001 · · Score: 1

    Well really, these companies have the right to block incoming ports.. No one bothers reading the AUP's before signing up.. All AUP's for broadband services will say, in one form or another, that running servers is prohibited. In most cases, it's not enforced, but when it is, all of a sudden people start coming out of the woodwork and complaining about it.

    It's nice to run a server on the home broadband, I'm sure you can argue that it's a matter of principle or some other bs, but there's no denying that it's a violation of the AUP, and that the ISP has every right to restrict this.

    If all broadband providers restricted it, then all of a sudden all the people running web servers on their connections would need to go find real hosting providers, and inevitably a small percentage of them would turn to the business services of their broadband provider. So in a small way they are losing money by letting you run that web server. It's probably almost insignificant, but it's there.

  273. The Seduction is Over by Anonymous Coward · · Score: 0

    (I know according to GW Bush, that's a serious crime, like treason). But we are getting raped. Qwest is turning down the bandwidth on dial-up and recommending that we buy DSL. Can't dial in better than 16k or 19k anymore.

  274. Re:Mailservers? by skilm · · Score: 1

    I am right with you brother! I'm on @home myself, and if they really do block port 80, I'm going to go nuts. I mean at least I'll still be able to run my other stuff like mail, which I would be INCREDIBLY pissed to lose, but IMHO, 80 is the main stuff.

  275. Re:Move to Canada by CerebusUS · · Score: 1

    Personally, I think it's my god given right to use allocated bandwidth however I choose. It's one thing to limit bandwidth, quite another to censor what bytes are allowed in my incoming or outgoing tcp segments

    You have very few "God-given rights" and bandwidth is certainly not one of them.

  276. Re:Verizon DSL is NOT THAT EVIL by Anonymous Coward · · Score: 0

    Translation: Verizon is a big huge corporation so they must be doing something wrong.

  277. Run it on a diffrent port by tvon · · Score: 1

    Can't you just set your webserver to listen on a different port? I think the general Net users are smart enough to toss in a :81 to access a personal web page if you tell them to.

  278. Re:Simply not true... by Pfhreakaz0id · · Score: 2

    > I don't even know if MS IIS supports this, but luckily I'm not running IIS ..

    You've GOT to be kidding. Do you really think IIS wouldn't support something as trivial as running on a different port?

  279. DirectTV by nullhero · · Score: 1

    I was looking at an ad for DirectTV DSL and they stated that on their DSL service you can run a web server and/or mail server and they support Linux. And for the service you don't even need a satellite dish.

    Just thought I'd let you guys know.

    --
    Save Pangaea!! Stop Continental Drift!!
  280. Re:imagine if other utilities did this by jpellino · · Score: 1
    1. The phone company can and does - here it's $13 home , $32 biz for POTS.

    2. The power company does charge different kWh rates for biz - and would YOU cut off a customer other than for supply or credit reasons? I didn't THINK so.

    3. You weren't supposed to be using this port, and you signed the TOS / AUP, and they do (@Home at least) send email notifications of changes - price, TOS, etc.

    I don't give a rat's ass about using a living-room based server, but I do mind all these people whining about someone making it hard to do something they were told not to do. Obey the rules or get them changed. This never-never-land attitude of people who want to get away with something as long as they can by any means and then complain when caught is getting old fast. Right up there with kiddies at the food court claiming to be world-saving white hats... you like making things go *bleenk* and poking your nose in places. I can deal with that, just lose the sanctimony.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  281. Re:Speakeasy! by Anonymous Coward · · Score: 0

    hey smartguy, covad is a reseller. they just colocate at the central office. which in turn is operated by one of the bells or verizon.

  282. Re:From A Business Perspective, It Makes Sense by Anonymous Coward · · Score: 0

    I can write a script in 5 minutes that at least determines if it's IIS; that will take all of 15 minutes or so to comb their network. That would save lots of headaches for people who don't use MS products (like me).

  283. Verizon and port 25 by [Zappo] · · Score: 1, Redundant
    Verizon is apparently also blocking port 80 for their DSL customers, in addition to blocking outgoing port 25 and requiring use of Verizon's SMTP servers to send email.

    Actually, isn't this exactly what Verizon ought to do to provide a proper audit trail for email? Actually, shouldn't external MTAs be configured to reject those requests even if Verizon let them through, because Verizon's is not one of the domains they serve?

    That is, an MTA in the foo.com domain should handle only requests from IPs in the foo.com domain, and additionally should check the envelope (MAIL FROM) to ensure that the purported originating user is known to it, right? These measures aren't perfect by any stretch of the imagination, yet they do impose obstacles to spammers and spreaders of email viruses.

    In a nutshell, what's so bad about being forced to use your ISP's MTA? It seems like Verizon is being a good corporate citizen of the 'net, here.
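
The relay policy discussed in the comment above, written out as an added example (not part of the original post and not any ISP's actual configuration). It goes one step beyond the comment by separating relaying from inbound delivery, since an MTA must still accept outside mail addressed to its own domain; the networks, domains and user names are constructed, and the rule that local users submit only from local networks is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    # All values are constructed for illustration (RFC 5737 documentation ranges).
    local_networks: list = field(
        default_factory=lambda: [ipaddress.ip_network("192.0.2.0/24")])
    local_domains: set = field(default_factory=lambda: {"foo.com"})
    known_senders: set = field(
        default_factory=lambda: {"alice@foo.com", "bob@foo.com"})


def _normalise(addr):
    """Strip angle brackets and whitespace; '<>' (null sender) becomes ''."""
    return addr.strip().strip("<>").strip().lower()


def _domain(addr):
    """Domain part of an envelope address, or '' if there is none."""
    addr = _normalise(addr)
    return addr.rpartition("@")[2] if "@" in addr else ""


def relay_decision(client_ip, mail_from, rcpt_to, policy):
    """Return (smtp_code, reason) for one MAIL FROM / RCPT TO pair.

    client_ip is the address of the connecting host, which the MTA sees
    directly; mail_from and rcpt_to are envelope values, which the client
    chooses and can therefore forge.
    """
    ip = ipaddress.ip_address(client_ip)
    is_local_client = any(ip in net for net in policy.local_networks)
    sender = _normalise(mail_from)
    sender_claims_local = _domain(mail_from) in policy.local_domains
    rcpt_is_local = _domain(rcpt_to) in policy.local_domains

    if is_local_client:
        # Submission from our own address space: relay anywhere, but only
        # for an envelope sender we actually know (the audit-trail point).
        if sender not in policy.known_senders:
            return (550, "5.7.1 sender not recognised for this network")
        return (250, "accepted: submission from own network")

    # Outside client. Assumption: local users never submit from outside,
    # so a local-domain sender arriving from outside is treated as forged.
    if sender_claims_local:
        return (550, "5.7.1 local sender address used from outside network")
    if rcpt_is_local:
        # Ordinary inbound mail, including bounces with the null sender.
        return (250, "accepted: inbound delivery to local domain")
    # Neither the client nor the recipient is ours: this would be an open relay.
    return (550, "5.7.1 relaying denied")


if __name__ == "__main__":
    policy = RelayPolicy()
    samples = [  # constructed sessions
        ("192.0.2.10", "<alice@foo.com>", "<friend@example.org>"),
        ("192.0.2.10", "<mallory@foo.com>", "<friend@example.org>"),
        ("198.51.100.7", "<someone@example.org>", "<alice@foo.com>"),
        ("198.51.100.7", "<someone@example.org>", "<victim@example.net>"),
        ("198.51.100.7", "<alice@foo.com>", "<bob@foo.com>"),
    ]
    for s in samples:
        print(s, "->", relay_decision(*s, policy))
```

The decision keys on the connecting IP first because it is the only input the client cannot simply type in; the envelope sender check narrows what an already-trusted client may claim.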

  284. so run apache with mod-ssl or pipe it over ssh... by Anonymous Coward · · Score: 0

    jeez what is it with people and port 80... you could also have someone host the port 80 address and re-direct to any port inside your broadband connection you want. Or not, l-who-za-hers...

  285. Re:Move to Canada by mks113 · · Score: 1
    NB Tel's terms of service are pretty clear that running personal servers is perfectly acceptable. I wouldn't want to run a commercial web site though.

    When they installed web caching they screwed up a bunch of us running dynamic DNS services. They were helpful in allowing us the tools to find our real external IPs to continue to do so.

    We don't even have a bandwidth cap anymore!

    I haven't been following the support newsgroup recently, but they do tend to be fairly on the ball about these things. My web server is still running, so they haven't cut off port 80 yet. Michael

  286. Re:Servers were never allowed out on cable by $pacemold · · Score: 1

    Cable bandwidth is asymmetric. There's typically a downstream pool of about 27 Mbps (depending on settings) shared among all users, while the upstream pool is more often in the 2 Mbps or less range. This comes about because upstream has to fit into the narrow patches of usable spectrum below 40 MHz, while downstream just fits among the TV channels between 50 and 750 MHz. So stick a server out there, get Slashdotted (or even just get mildly popular), and the upstream bandwidth is wiped out for your whole neighborhood (technically, the area of your optical conversion node and CMTS channel). This is a big risk, so the cable companies don't take it. Instead, they do give you some free hosting space at their data centers.

    The US cable modems run DOCSIS MAC. DOCSIS MAC is designed to prevent bandwidth hogging by a single user.

    DOCSIS upstream works on time grants. If CMTS (Cable Modem Termination System, the box at the other end of the cable) doesn't give you the grant, you don't get the bandwidth. Upstream can be limited individually for each CM.

    AT&T Broadband in my area sends a lot of snail mail with "upstream limited to 128 Kbps" in tiny print. I don't know if it is really true (I have DSL, thank you), but technically it's no problem to set up a cap like that.

  287. Just spoke to Verizon DSL Support by yohaas · · Score: 1

    I was assured that this is only temporary and they have no intention of closing incoming 110 to stop those nasty outlook viruses (after all, it's reasonable to protect everyone else).

  288. Roadrunner in Austin by YardgnomeUT · · Score: 1

    I have always been happy with RR qos here in Austin, and it seems that the local RR reaction to code red (II) is appropriate. Even though it's against the tos agreement to run a server, rr is just going to shut off the cable modems of infected users, and not block port 80 for everyone (according to their network status website). Happy day for me, since I run my domain on a linuxbox under my desk :)

    --
    Negative, I am a meat popsicle.
  289. Re:People are becoming consumers, not content crea by gad_zuki! · · Score: 2

    , all UNIX users on these cable modems suffer because Microsoft did not make a secure web server.


    So do NT and 95/98 customers. You know you can run Apache on those platforms don't you?

    While I think your over the top soma metaphor is somewhat representative of reality, I certainly don't see "web content" as the great creative force geeks and designers think it is. TV ratings haven't dropped because of the net, it's just adapted to more profitable shows like Survivor.

    Not to mention the web has created almost as many Web/IM "chair potatoes" as TV has done.

  290. Re:Read your TOS! by twitter · · Score: 2

    packets is packets. "I love lucy" eats more bandwidth than my mail server. In any case, the cable companies are defending their monopoly franchises by citing the "massive changes" to infrastructure they have already made.

    --

    Friends don't help friends install M$ junk.

  291. Re:Leased Line by regen · · Score: 2
    Ok, now we have a shared T1, for 25 people (who i'm assuming will all be geeks, and will be downloading stuff late at night...) Assume a T1 can get maybe 160k/s throughput (you can't get 100% util on a T1 w/o severe latency problems), you get 6.4k/s.

    You are assuming that every user will be using the system 100% of the time, which isn't typical. If on average a user has a duty cycle of 10% (10% active packet transmission, 90% idle), which is still high, you'll see average bandwidth of 64KB/s.

  292. Re:imagine if other utilities did this by Anonymous Coward · · Score: 0

    So run your webserver on some other port. What's the big deal? So you have to re-register your page with the search engines? So what? At least you won't be being scanned by "Code Red" or some script kiddies looking to hack port 80, because they're too dumb to realize you could run a webserver on something else.

    And if you can't run your webserver on some other port, then you should become a victim of hackers or worms, and have your website taken down, because you obviously are too unintelligent and ignorant to avoid taking up bandwidth that the rest of us can use productively.

    BTW, I wouldn't be an anonymous coward, except I'm too lazy to register. Feel free to flame me at zamsden@nospam.noreallynospam.yahoo.com

  293. Re:Why not force a download of the patch? by Anonymous Coward · · Score: 0

    or ... run apache from windows if you must use windows. It works just fine for me. C.

  294. What's the deal. by Anonymous Coward · · Score: 0

    I have not done a lot of research on this yet, but as a DSL user that is currently running a webserver it bothers me. Reading between the lines in the posts I gather (please correct me if I'm wrong), that there is some security loophole in running IIS servers that are configured by default on some windows platforms and instead of fixing the problem the DSL providers intend to block all web servers. Personally I suspect this is an excuse to shut down all home web-sites and make us pay an arm and a leg for the ISPs to host the sites for us.

  295. Re:Servers were never allowed out on cable by Cirvam · · Score: 1

    So it's my Solaris 8 web server and all my friends' linksys router/switches spreading code red? Perhaps you should come off your high and mighty stance and realize that most users don't give a shit about it. If @home had sent out an email to all their users saying 'click here to run a program that will secure your program' and have the program close/patch these holes they could solve the problem in no time. But they took the lazy way out and just added a line of configuration to their routers. Why the fuck don't they just give us all non routable ips, that will prevent the spread of anything like code red and keep people from using servers. (Note there is a cable ISP in the southwest who does do this, it takes 3-6 months to get a real ip from them)

  296. Re:Servers were never allowed out on cable by Ed+Avis · · Score: 1

    If each user gets his own IP address (whether a real address or some 192.168.x.y masqueraded thing), then it's possible to limit the number of packets or total traffic flow to/from each address. Yes, the physical cable itself is shared, like Ethernet, but someone has to route the packets to the Internet and at that place you can do whatever quotaing you wish.

    --
    -- Ed Avis ed@membled.com
  297. Re:We haven't done this yet.. by fanatic · · Score: 2

    ideally you could just block the customers with infected IIS servers,

    Which accomplishes NOTHING for the current situation. Blocking inbound port 80 to the infected is worthless - they are ALREADY infected. Blocking outbound port 80, which WOULD do some good, will also stop them from using a web browser, which is bound to piss them off.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  298. Help... by Amyloid · · Score: 1

    Can someone tell me what port 80 is, or its friend port 25? I am starting up a webserver at home. I don't know if it's going to be Linux or MS yet. I suspect that Code Red doesn't affect Linux...but you tell me... BTW, does anyone have an opinion about the DSL providers in the Chicago area? Sprint and Ameritech are hitting me with their plans and I am weary. Both are waiving the installation fees.

  299. Re:We haven't done this yet.. by Anonymous Coward · · Score: 0

    Well, while 1% of your customers (are you sure about this number?) may be running IIS, what about customers running Apache? And still, let's not forget that by blocking webpages, you are not only pissing off that customer that ran the page, but also those people that access the page. There are pages on the @home network that I would really like to read! I've already written a letter of complaint to AT&T. I suggest everyone does the same. My cable company has recently been bought by AT&T and ever since the service has been absolutely terrible. I wish I could go back to the old company. :( You (AT&T) shouldn't be blindly blocking port 80 across the board because it's unfair to the customers that have been responsible. I use Linux therefore I am not spreading code red. If I run a web server, it's apache, therefore, I do not spread code red. It says on their announcement that they know which of their customers are infected and are sending them letters. Therefore, if they know who is affected, BLOCK PORT 80 ONLY TO THEM. At least only block to those customers that are running IIS. When you consider that this is not an issue for Linux and Windows 9.x/Me customers it is really distasteful to take such a lazy and irresponsible approach to this problem. This is just another in a long list of ways AT&T has been screwin' me lately. I'm with the writer of this post. I'm seriously thinking about the Earthlink DSL office a few blocks away and maybe switching to satellite television won't be so bad. People need to complain about stuff like this. The big corporations have so much money these days that they really don't care about the individual customers anymore. Just look at this guy from AT&T. The fact that he could care less about the "1%" his company will screw over only illustrates my point. Customer service is almost completely gone these days and unless mass amounts of people make an effort to fight it, we'll just keep getting screwed over and over again like this.

    I already run hardware and software firewalls. I don't need AT&T deciding for me what ports should be allowed traffic. I in no way inhibit their network and this is an insult to me. I take special efforts to remain responsible and a courteous user to the other users that share the network with me. But as my reward, AT&T screws me.

  300. From an AT&T Broadband user... by Alakaboo · · Score: 1

    On the downside, my play Linux webserver is reduced to worthlessness (not really, but my friend whose sites I host will not be happy when he reads this article) because it can no longer serve websites on port 80. I suppose we could play around with ports and serve pages...

    On the upside, I am now downloading (on average) at between 300-500MB/sec from a wide variety of sites as opposed to 50-120 before the filtering. That's insane.

  301. Wrong about SMTP @ Verizon by Salamander · · Score: 2

    I'm a Verizon DSL customer, and I have no problems connecting to outside servers from inside Verizon's network to send mail. Yes, I just checked. My understanding is that it's only the converse that is banned - connecting to Verizon's servers from outside. This has been true ever since I got my DSL account (two years ago) and is a big pain in the ass, but it's not as bad as what people are claiming.

    Yes, I know the thing about SMTP was only an aside, and that most of the commotion is about HTTP. Nonetheless, it still bears correction.

    --
    Slashdot - News for Herds. Stuff that Splatters.
    1. Re:Wrong about SMTP @ Verizon by Salamander · · Score: 2

      It's entirely possible that they're applying different policies to different parts of their network, either intentionally or otherwise. I know that after Bell Atlantic bought Nynex the two halves of their network were not particularly well integrated and ran by very different rules, so it's not a stretch to imagine that the former-GTE and former-BA parts (for example) exhibit different behaviors. I guess what I should have said is that from my house in Lexington MA - which was New England Telephone, then Nynex, etc. - I can get to outside SMTP servers just fine. Whether that applies to someone in, say, Delaware might be a whole different matter.

      --
      Slashdot - News for Herds. Stuff that Splatters.
  302. At&t broadband filtering in New England. by Anonymous Coward · · Score: 0

    I can confirm that incoming packets for port 80 are blocked. After 6 years I no longer have a website. I am going to see if speakeasy is in my area. How depressing. Windows is dumbing everything down. It's allowed your average joe user to become a danger to themselves and everyone else, making educated people suffer. Install the patch from MS and reboot dammit.

  303. Re:Necessary? by don.g · · Score: 1

    Yes, but that doesn't help if you gave out URLs pointing at your box before your ISP started filtering incoming HTTP traffic.

    --
    Pretend that something especially witty is here. Thanks.
  304. http://3geeks.ath.cx:1000/port1000/ by Anonymous Coward · · Score: 0

    http://3geeks.ath.cx:1000/port1000/ Port 1000!!!

  305. Re:Move to Canada by DeputySpade · · Score: 1

    Dnyup.net provides this service for free.

    --


    This space intentionally left blank
  306. So? by orblee · · Score: 1
    Mean but reasonable. When I can get a cable modem in my area in sunny Stoke-on-Trent, UK, the local cable firm say that they do not allow various popular Internet connections - essentially banning me from using servers. However, web addresses are easily solved, they will provide a home page for me, so I can just stick a redirect to the address (perhaps via a DHS name) on a different port number.

    Other services like DNS are best handled by external providers anyway, and I don't mind having to connect to different ports for LDAP, etc. They probably won't block ssh as they won't know what it is.

    It's reasonable to stop people hosting servers as bandwidth is limited over such connections (hence why we get an asymmetric connection) and so they need to stop people hosting popular sites especially on there. I for one don't want to be charged by the bit rate, do you?

  307. Re:We haven't done this yet.. by hearingaid · · Score: 2

    to install said T1s and so on, yes, you had to get approval hoops. but to gain access to them?

    no. :)

    zitface? that would be high school: the time before tcp/ip. (for me. I'm not an american.)

    usenet? yes. lurker? no. hah.

    .edu? never, wrong country. :) (and besides - who only had one address? jeez, even legally I usually had about four. :)

    FWIW, I only rarely telnetted into VAXen. most of the time I used SET HOST. :)

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  308. My quasi-AT&T server's still alive. by ediron2 · · Score: 1
    I live in one of AT&T's backwater markets (think potatoes), so I panicked when I read this newsbit. But, I've just checked my server's CodeRed hammering and I'm still seeing it climb, so port 80 seemed to be fine. To confirm further, I ssh'ed out to a very remote site, then did a telnet back on port 80, and was able to grab my own base page just fine using 'GET / HTTP/1.0'

    The hits I'm getting are largely within 24.16.*.*, which I believe is AT&T cablemodem-land. This could mean one of two things:

    1. The only traffic I'm getting is outward from pre-filter infections.
    2. There are sizeable chunks of unfiltered cable-modems beyond mine.

    Before anyone calls me a damn fool or a liar, we're in the midst of ownership slowly being transitioned over from AT&T to CableOne. The transition so far is in month 8, and all the service vehicles say CableOne, etc., but each month I get a bill from AT&T or Excite @ Home or whatever, not from CableOne. Off-hours support gets routed to AT&T, too. Maybe that's why my mileage is different than is being reported.

    And, if it helps anyone in making the marketdroids understand the harm they're inflicting on their company, I'm one customer that will drop cable in favor of any competing technology the moment they fry my port 80. My little webserver gets a couple hundred hits per month (mostly family and friends), but I make a living writing web-oriented code and I *will* maintain my own server so I can play/learn and demo what I do for a living. Otherwise, everything I do is stuck in intranets, and who the heck's going to let me demo that when I'm chasing work?!

  309. Re:Read your TOS! by bacchusrx · · Score: 5, Insightful
    Again, these aren't totally valid arguments. I've not seen any valid, technical reason to prohibit servers on broadband connections that cannot be satisfied by other means. As I've said before, the real push seems to be to restrict home users from being content producers.

    It also creates an artificial market-- why would I buy "business class" bandwidth or co-locate a server for a site that's adequately hosted on broadband for a fraction of the price? We're not talking "enterprise, mission-critical, ecommerce" web applications or anything... we're talking about noncommercial, nonprofit media forums.

    I run a site that gets maybe 100 hits a day, is frequented by only a small group of 15 visitors. However, we have very complicated custom web applications that drive the sorts of things we do... free or paid shared hosting is not an option. Nor is it a real possibility to shell out money for co-location or "business class" bandwidth for this sort of thing -- that of course generates no profit. The idea that the home user should settle for less (yanno, the idea that a 5MB, ad-riddled, censored, GeoCities account "is good enough") -- that only big corporations should have access to high quality server applications -- is disturbing. It reinforces the idea that the Internet is here for business-- not for culture, not for recreation, not for academia, not for the free exchange of ideas.

    Access to the tools big business uses is a real possibility with broadband since a lot of hobbyists, enthusiasts or professionals working in their spare time can put together a lot of the same things that corporate and "ecommerce" sites can...

    As I say, I'm not claiming that broadband needs to come tethered to the sorts of service levels that corporate folks are expecting-- nobody suggests such a thing... but there's no good reason to limit people to Geocities because... "pfah! if you're serious, you'd co-locate in an Exodus data center."

    That argument is pretentious and elitist. I get no Darwinian thrill from seeing only the moneyed have access to technologies all of us could use, enjoy and share at minimal cost.

    BRx.

    --
    Life after capitalism? The participatory economics project
  310. Re:Read your TOS! by marmoset · · Score: 1
    @Home isn't a government service and you can't pound your fists and express moral outrage because they don't do things the way you want: Again they don't owe you, but rather they offer you a given service at a given price.


    Here's where it gets sticky: local cable services are quite often monopolies in a given region. If the only internet service available over these lines is controlled by a single corporate entity (which is the usual case, at least in the US), then your "if you don't like it go somewhere else" solution doesn't work.
  311. roadrunner is fine by Trepidity · · Score: 2

    I subscribe to RoadRunner, and my port 80 http server is still accessible to the outside world...

  312. Re:Even if you did run a Web server... by loraksus · · Score: 1

    remember that those $40 are canadian dollars too.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  313. BT Openworld by Bamyazi · · Score: 1

    BT Openworld's web site specifically mentions the ability to run servers as a feature of their DSL Business 500 package. The Home 500 package simply states that it is not suitable for doing so because of the dynamic IP address allocation, but using a dynamic DNS service it is simple to overcome this.

  314. Re:I've read my TOS and it sucks. by Anonymous Coward · · Score: 1, Insightful

    Yeh, do the math.

    If 99.9% of all security problems are redhat, then the Code Red II worm is only 0.1%. So, you multiply the code red worms by 1000, that is the number of unsecured redhat boxes, clearly a realistic number.

    Lord knows, linux is very insecure, switch to NT/2000 today!

  315. Re:No blocking yet by majestyk2000 · · Score: 0

    That's so wrong. I'm running WinXP on the laptop I'm sitting at, and I had to jump through hoops to just get IIS installed, much less running. Your first sentence is just FUD, and it should stop. IIS IS NOT a default part of the WinXP setup, and even if it is running you have to explicitly allow the webserver to penetrate the built-in firewall.

  316. Re:Read the Acceptabel Use Agreement by Anonymous Coward · · Score: 0

    and this applies to Australia and @home generally how ?

    the poster doesn't say a thing about AT@T

    So fuck off and stop trolling

  317. Re:Read your TOS! by janpod66 · · Score: 4, Insightful
    Seriously people... Most, if not all, broadband providers prohibit running servers from home accounts

    And what exactly is a "server"? Is accessing your Pilot calendar remotely using a server? Is using an FTP client a server? What about identd? What about my PC vendor's remote Windows support system? Is running a client connection to establish a VPN to some other host on the Internet and poking out a server socket on that machine "running a server"? Let's be concrete please, because my TOS don't actually say. They are so vague that the provider can make up what they mean whenever they like.

    And especially don't start with the geek indignation, because consumer broadband is not meant, nor sold, under the pretense of running home servers.

    That would be true if broadband providers fully owned all the rights of way and infrastructure. They don't. They tear up public streets and use public spectrum only because the communities where they deliver service let them. They can be kicked out if they don't satisfy the needs of the community. And peer-to-peer and servers are crucially important in particular for non-commercial and non-profit uses.

    Furthermore, for broadband providers to try to control whether you may run a "server" is the beginning of content controls. The next thing you know, you'll only be able to connect to the commercial sites of your provider's choosing.

    Broadband providers should be legally required to provide universal Internet connectivity and set rates and limitations based on bandwidth and volume only. Possibly, there might be two rate structures, one for non-commercial and another for commercial customers. But providers should have no business deciding what content or packets travel over their networks, as long as the packets are properly addressed and their format is according to spec.

  318. Re:Speakeasy! by spectral · · Score: 0

    I never said you should block, it's very good that you haven't. Most places I'm sure would have, and in fact i wouldn't mind paying more to get a cool provider like you. I was just pointing it out. You're also handling code red the proper way, which just raises my opinion of you even more, keep it up :)

  319. Re:Road Runner by Anonymous Coward · · Score: 0

    That's the RR AUP, you need to look at the T&C (terms and conditions): http://www.austin.rr.com/twaustin/termsandcond.html the T&C varies from location to location, but this one is pretty typical. Check out 5.D., about half way down.

  320. Re:His army of H-1b monkeys to be precise! by Anonymous Coward · · Score: 0

    Hire cheap labor, get cheap results.

  321. Re:No blocking yet by copec · · Score: 1

    The service contract that at&t@home made me sign when they installed my cable modem states that I am not allowed to run any servers...(actually listing them)

  322. Re:Servers were never allowed out on cable by figment · · Score: 4, Insightful
    As an ISP, we have a very similar and equally stupid "no servers" statement in our AUP. And I like it.

    @Home and others had the exact same philosophy that we did, "we really don't care, unless it starts to become a problem." We (as in the ISPs), were quite lenient (yes, i have a webserver running at home) because we believe in the exact same things you do, we're geeks too.

    But frankly, you guys failed. If everyone had just patched their servers regularly, and knew the least bit about their computer, and wtf it was doing, then this would never have been a problem, and we wouldn't have to do such ridiculous measures such as this. Yes, i think this is a ridiculous measure, but so is leaving your computer unpatched for any decent amount of time. So please, stop deflecting the blame when really you yourselves (or your friends who don't patch) are at fault.

  323. Re:Ass clowns by Anonymous Coward · · Score: 0

    Just an FYI. My service is extremely fast tonight and I welcome this move. Problem solved.

  324. Verizon isn't blocking SMTP by JackiePatti · · Score: 1

    They shut their own servers down, to prevent us from using it except with one of their addresses, but we set up an SMTP server on one of our own boxes and it works fine. I haven't tried to set up a web server yet, so can't comment on port 80 blocking.

  325. Re:Cablevision in NJ blocking inbound port 80 by zerofoo · · Score: 1

    Yeah, i'm running my web server on 8080 now. -ted

  326. Re:Has anyone tried tzo.com? by Anonymous Coward · · Score: 0

    I purchased a subdomain from tzo.com two years ago, and I found it so convenient and reliable that I renewed my account the next year. The only reason I no longer use their service is because a friend of mine was nice enough to donate an entry in his domain to me. TZO's small DNS update script works for Unix. As I recall, it's just a small shell script that reads your IP address from ifconfig and launches lynx to open some CGI at TZO's web server that adds your current IP to their DNS server. I never had any problems with them and would gladly do business again.

  327. Re:Add the different port to the DNS Name.... by don.g · · Score: 1

    *beep* Wrong. Next please.

    IN A records cannot have port numbers in them. Methinks your registrar is doing some sort of HTTP redirection.

    --
    Pretend that something especially witty is here. Thanks.
  328. At least you can get some form of broadband by donalbain · · Score: 1

    Here in the emerald isle our recently deregulated national telco, eircom, has spent the last year installing Alcatel DSL gear at switch sites, then when they got wind that they might have to share this equipment with other smaller telcos, ripping it all back out again. They then learned that unbundling rules were only connected to voice on the local loop so have begun installing the DSL kit again - but still no sign of it hitting the streets.. Chin up lads, losing port 80 is better than having SFA.

  329. Re:Move to Canada by Kwikymart · · Score: 1

    Well, it's not that I am not a nerd, it's that I haven't read up at all about DHCP

    --

    Buying a Dell computer is equivalent to dropping the soap in a prison shower.
  330. Re:Linux is not a contender.. by spectral · · Score: 0

    cheap bytes. friends with internet connections. Cost of ownership of linux shouldn't be compared. you don't need all 6 cd's, mandrake has everything most people need in a server (and much much more that shouldn't be there) on 2 cds. Let's see.. cheap bytes, 98, 3 years, what was it.. $60 for the upgrade? $90? i can't remember) .. you'd have to upgrade linux every 3 month for it to cost more. and pay for the cds at $5 each time.

    And certainly you can't claim windows 9x is for a serious environment. It crashes much more often than NT does, so let's compare NT prices.. Just the operating system (no Office software, which most linux distros come with) costs, to upgrade ... i think $180 from NT4 -> 2000? NT4 came between 95 and 98, so let's say it came out in 96. I'm too lazy to look it up. 4 years.. you'd have to upgrade linux every 4 years is 48 months, 180/5 = 36 upgrades, so you'd have to upgrade more than once every 1 and 1/3rd months. No distro comes out that often, and there's certainly no need to upgrade that often. upgrade when you have to, not when the newest is out.

    There goes one of your arguments.

    As much as this mentality is that which caused code red in the first place, most distros come with an easy update feature. Easy setup of packages and settings. Etc. Plus, updates can be SCHEDULED. So if code red v10 comes out and it infects apache, linux would automatically download it during its monthly upgrade course. Bye bye code red v10, no need for an anti-virus, just smart planning. Yes, some people wouldn't want this, and they'd turn it off (it should be on by default just for clueless people). Of course, they'd be the ones who are smart enough to upgrade manually, and they're the select few you speak of. Best of both worlds.

    Linux supports other file systems. As the root filesystem. Enough said.

    Any time linux has crashed on me, it's been my fault, and i've known why. If you run a stable kernel with stable packages supporting it and stable servers, it's rock solid, and I've never had a problem that wasn't caused by my own stupidity.

    The learning curve required is going down at a phenomenal rate. It used to be bad. With Mandrake (I only keep mentioning it cuz it's the one I use.) it's insanely easy to never see a command prompt, and to configure everything quickly and easily. The setup has been compared to windows, and been found to be easier and more intuitive. Get up to date.

    Let's see.. I guess IBM, Dreamworks (or was it Pixar, I don't remember), many, many servers, etc. out there are wrong, and you're right? Linux can't scale, tell that to IBM and Dreamworks. Linux isn't stable, tell that to the servers with year long uptimes. Linux doesn't adhere to standards. Ok, maybe you got me there on some things. But wasn't linux the first to have a fully compliant tcp/ip network stack? That's a standard. It's not POSIX certified (At least last I knew) because that costs money to get, but it's adherent I believe. What standards does it not adhere to?

    Please come up with more arguments, this is fun. I'm not even a linux guru, in fact, i'm quite a newbie. I just play around w/ it occasionally. Nice trolling tho.

  331. Re:so what by Anonymous Coward · · Score: 0

    But @Home doesn't do this (at least nowhere in the general area of Bremerton, WA). Instead, they simply filter traffic when it passes outside of the subnet. @Home users in the same subnet can still have unfiltered access to each other until @Home decides to change this.

  332. Re:Not a huge surprise.. by loraksus · · Score: 2

    hmm. I've always fought to get the thing on. well, what can I say...

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  333. Sure IIS supports port relocation. by dave-fu · · Score: 1

    Not sure whether it's a good thing or not, but you can run any server on any of the "well known" ports (think 1024) as opposed to having to find a high port. Which can be a handy thing if, for example, you're behind a firewall that has FTP open and you need to run a web server on port 21...

    --
    Easy does it!
  334. Re:My TOS was written by a lawyer... by Sarah+Thustra · · Score: 1

    ...not a computer-literate individual.

    LAWYERS write these TOSes and they don't care if it makes sense as long as it limits liability.

    Closing port 80 is obviously a stupid thing to do to an entire customer base to stop a worm that only propagates on MS IIS (I use Apache -- what danger am I? But the guy on the other end of the phone had never heard of Apache...) but the guys writing the rules don't know or care about that. They probably looked in some dusty law tome and found an old maritime law that said "companies can not be liable for damage if they closed the affected ports as soon as the storm came in".

    BTW, I don't know what it says after all the corporate merging going on, but my @home TOS used to say that I could lose my account for "accessing a port on another machine without prior written permission." Every time I type "www.yahoo.com" I wonder if they're going to nix me. (Especially since they tried to use that clause to kick my buddy for TCP/IP SYN scanning, which of course doesn't even *involve* accessing anything!)

    "It is one of the triumphs of man that he can know a thing and still not believe it." -J. Steinbeck

  335. Re:No sympathy by JackiePatti · · Score: 1

    > I really don't have the least bit of sympathy for anyone who has been hit with this. You agree to a contract that describes the terms of your service. That contract almost certainly says that running servers is prohibited, but up until now most ISPs were happy to look the other way for the occasional server that didn't waste their bandwidth.

    *I* agreed to a TOS that said I could use their SMTP server. And I also agreed to keep the service for one year or pay them for their crappy DSL modem. *They* chose to change the TOS after I joined.

  336. Re:Not a huge surprise.. by Detritus · · Score: 2

    IIS has the bad habit of getting installed by piggybacking on the installation of other software. I've seen this happen when a ftp server or Visual Studio is installed. Maybe you didn't want IIS, but you get it anyway.

    --
    Mea navis aericumbens anguillis abundat
  337. Telocity Allows SErvers by wolf- · · Score: 1

    Telocity, now DirectTVDSL, openly allows the use of servers on its adsl connections. I'm just hoping that all the lame Win2k users with open IIS on telocity don't make the admins/powers that be change their minds on the policy.

    --
    ----- LoboSoft specializes in Digital Language Lab
  338. Cable Companies in the US are Locally Regulated by Anonymous Coward · · Score: 0

    AT&T Broadband will have to come to your town board soon enough to renew their licence to sell cable TV service to the people in your town. Get the word out with the other geeks in your town and build a case with the town regulatory guys that restrictions on personal use web and mail servers are unacceptable. When AT&T comes for a licence renewal, force an exception to the standard terms of use for anyone living in your town as a precondition of them being able to continue to provide cable service. ccb

  339. Re:People are becoming consumers, not content crea by ClosedSource · · Score: 1

    "I am also annoyed that, while Apache and other UNIX web servers are able make a web server without countless remote root exploits, all UNIX users on these cable modems suffer because Microsoft did not make a secure web server."

    It's funny how on slashdot people blame MS for Code Red but don't condemn the individual that created it.

    For those (not necessarily Kiwi) who were secretly cheering Code Red because it hurts MS, having their port 80 blocked is poetic justice.

  340. Re:Quite common already by ethereal · · Score: 1

    Great, thanks for the info! I'm in the process of closing on a house, but I'm so unwilling to live without broadband immediately after the move that I'm trying to figure out a way to get the line test done while the current owners are still there. They don't have cable TV, though, so I'm not sure that my chances are so good...

    --

    Your right to not believe: Americans United for Separation of Church and

  341. Re:Speakeasy! by festers · · Score: 1

    The point is this:
    If cable is available in my area, then I have only 1 choice of cable providers.

    If DSL is available in my area, then I can have several choices of DSL providers.

    For example, I can choose from Ameritech, XO, Speakeasy or Verizon DSL, but I only have 1 choice for cable: @home. There needs to be competition introduced into the cable arena.

    --


    -------
    "Every artist is a cannibal, every poet is a thief."
  342. Re:Road Runner by xjosh · · Score: 1

    Road Runner in my neck of the woods (Cincinnati OH) will periodically do open relay checks on mail servers sitting on a residential connection. They obviously don't mind servers.

  343. Re:Leased Line by RzUpAnmsCwrds · · Score: 2, Interesting

    That's already done in my area. It's called Colorado Wireless Cooperative. For about $60/month, you get a 5mbit downstream and 5mbit upstream connection. You can do anything you want with it. So yes, this is possible. CWC actually uses a 802.11b variant with special antennas. Works great!

  344. Re:No blocking yet by datapt · · Score: 1

    I tried to find out when they would let up and the tech from AT&T said they plan on leveraging this to block other services. Here's an excerpt from a chat session w/ one of their techs:

    You say, The contract states the use should not affect other's use of the network
    You say, or degrade the network performance
    w-David P says, 10.9 You agree that AT&T and ServiceCo shall each have the right to take any action that either AT&T or ServiceCo deems to protect the Road Runner Service, its facilities and equipment.
    You say, Any action is a broad sword and is completely ineffective
    You say, for the masses. Something more precise and targeted would be a better solution
    You say, Because of the email viruses would you cut 110 so people couldn't get their POP3 mail from work/elsewhere?
    w-David P says, You are entitled to your opinion.
    You say, A good customer service... nothing against you.
    You say, And good customer service
    w-David P says, That is completely different. Email is used universally, web servers are not.
    You say, I would be curious how Cerf would respond to that
    You say, Thank you for your time
    w-David P says, What is CERF?

  345. Re:Move to Canada by SCHecklerX · · Score: 2

    Actually, my ISP hardcodes our MAC addresses to our DHCP assigned IP Address, so it never changes anyway. No need to pay the extra money for a static IP that way, I guess :)

  346. Re:AT&T and Excite@Home by Anonymous Coward · · Score: 0

    what are you smoking, it's blocked already, no one can get to my website unless they use xxx.com:8080

  347. Re:Move to Canada by AnimeFreak · · Score: 1

    Telus.net hasn't cracked down yet either.

  348. Re:Not a huge surprise.. by Anonymous Coward · · Score: 0

    No, they didn't always disallow servers. My original TOS says that if I *choose* to run a server, mentioning http and ftp specifically, that security is my responsibility, and they accept no responsibility for "damages resulting from others accessing Customer's computer."

    I can quote the whole section, if you want.

    I disagree with this being the sensible solution. The sensible solution is to log all of the originating IP's for CR2 on their network, send the owners email informing them that they've been hacked and giving them 24 hours to fix the situation (apply the update) or they will terminate their service. The port 80 block is reasonable as an interim solution, but not long term.

  349. Re:Verizon DSL is NOT THAT EVIL by heliocentric · · Score: 2

    Ahem... go here check the system status where you are. East coast it says:

    DSL Network

    Posted Date: 8/6/01 10:18:41 PM CST

    Status: Open

    In an effort to limit the propagation of the Code Red internet worm across the Verizon internet services network, Verizon has placed filters on the network to protect its end users from being infected with the Code Red Internet Worms. These filters will not impede users ability to browse the internet but will prevent infected machines from scanning Verizon internet services network. Verizon is doing all we can to protect our end users from this internet worm. If you feel you may have been infected with this worm, please contact a virus/network security websites to learn about the latest patches and/or symptoms of this internet worm.

    I'd also like to point out that if your machine really is really so open... then why is it that I can ping you... yet no web pages load? Could it be that maybe verizon is filtering incoming port 80??

    I'm mad 'cause when I called to sign up and I told them I'd be running linux they said I couldn't and I did - so why I am being cut off when it is impossible for me to get infected with code red???

    --
    Wheeeee
  350. Verizon not blocking outbound 25 by alien · · Score: 1

    I just wanted to let everyone know that we (Verizon) are *not* blocking outbound port 25. I suggest the facts are gotten straight before making assumptions like this.

  351. SMTP Service & Spammers by xrayspx · · Score: 1

    It's actually a VERY good idea to block outbound port 25. It makes it a little harder on people like me who jump from network to network (have to reset smtp host), but who CARES? It is a very good spam-preventative, and a good security measure. If you have to relay off your home box, have it relay through theirs, how hard is that? This is a price I'm more than willing to pay if it stops one spammer.

  352. forced to use SMTP servers by Anonymous Coward · · Score: 0

    This isn't new. Earthlink, as well as many other DSL providers, have been doing this for over a year. Who really cares. The mail goes out. Blocking 80 tho, that's just not right.

  353. Re:Clause? by Anonymous Coward · · Score: 0
    And in this case, it's a perfectly valid way to keep them from being the targets of the original problem (the Code Red worm, remember?)

    Nope. It would be trivial for them to tell what web server you are running; Apache is the most common web server and it is not vulnerable to Code Red. They are harming the majority to protect the minority from their own stupidity. It's about control.

  354. stateful packet filtering by Anonymous Coward · · Score: 0

    'nuff said. I'd think an isp as large as @Home could put a few people to work on clamping connections once that "GET /default.ida" string is detected...
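Comment 348 above proposes logging the source addresses of Code Red probes and notifying their owners, and comment 354 keys on the "GET /default.ida" request string. As an added example (not code from any poster or ISP in this thread), the following does both over web server access log lines; it assumes Common Log Format and the widely reported N-versus-X query padding of the two Code Red variants, and the sample lines, addresses and the notify threshold are constructed.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?" (?P<status>\d{3}) \S+$'
)

# Constructed sample input (documentation address ranges, padding shortened).
_TS = "[06/Aug/2001:22:10:01 -0400]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {_TS} "GET /default.ida?{"N" * 32}=a HTTP/1.0" 404 283',
    f'198.51.100.7 - - {_TS} "GET /default.ida?{"X" * 32}=a HTTP/1.0" 404 283',
    f'198.51.100.9 - - {_TS} "GET /default.ida?{"X" * 32}=a HTTP/1.0" 404 283',
    f'203.0.113.20 - - {_TS} "GET /index.html HTTP/1.0" 200 5120',
    # Mentions the string in a query only: an ordinary request, not a probe.
    f'203.0.113.20 - - {_TS} "GET /search?q=/default.ida HTTP/1.0" 200 811',
    # IIS paths are case-insensitive, so the match has to be as well.
    f'192.0.2.44 - - {_TS} "GET /DEFAULT.IDA?{"X" * 32}=a HTTP/1.0" 404 283',
    "truncated or corrupt line",
    f'198.51.100.7 - - {_TS} "GET /default.ida?{"X" * 32}=a HTTP/1.0" 404 283',
]


def classify(target):
    """Label a request target that probes /default.ida, else return None."""
    path, _, query = target.partition("?")
    if path.lower() != "/default.ida":   # compare the path only, never the query
        return None
    pad = re.match(r"(N+|X+)", query)
    if pad and len(pad.group(1)) >= 16:  # long single-letter run = worm padding
        return "pad-N" if query[0] == "N" else "pad-X"
    return "other"                       # hit on the path without the padding


def net16(host):
    """Collapse an IPv4 address to its /16, to spot infected neighbourhoods."""
    return ".".join(host.split(".")[:2]) + ".0.0/16"


def summarize(lines, threshold=2):
    """Count probes per source host, per /16 and per variant.

    Hosts with at least `threshold` probes go on the notify list (the
    threshold is an assumption of this example, not a recommendation).
    """
    per_host, per_net, variants = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            skipped += 1                 # keep a count; do not guess at bad lines
            continue
        label = classify(m["target"])
        if label is None:
            continue
        per_host[m["host"]] += 1
        per_net[net16(m["host"])] += 1
        variants[label] += 1
    return {
        "per_host": dict(per_host),
        "per_net16": dict(per_net),
        "variants": dict(variants),
        "skipped": skipped,
        "notify": sorted(h for h, n in per_host.items() if n >= threshold),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```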

  355. Re:Read your TOS! by ergo98 · · Score: 2, Insightful

    If I pay $50/month for a 256k pipe, and if I want to do my own personal development and want to be able to show others my site from work, or setup a private FTP so that I can grab files offsite, they sure as hell better not stop me.

    Or what? You'll beat them up? They can do whatever they want, and if you don't like it you can look at the competitors (which in this case would be one of the many teetering on the edge of bankruptcy DSL providers). Let your dollars do the voting for you, but as the previous poster mentioned indignation is just sad: They don't owe you anything, and you know what the deal is every month that you pay the bill.

  356. Re:Leased Line by szomb · · Score: 1

    fist in the air in the land of hypocrisy

    Watch out for Verizon's assassins if you plan on doing this.

    He turned the power to the have-nots...
    and then came the shot

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  357. Re:Speakeasy! by Anonymous Coward · · Score: 0

    Notice they're also one of the most heavily hit by Code Red (1 and 2).

    Very true! I've seen tons of attack attempts coming from Speakeasy. I think it is time they re-evaluate that exemption for web services and block them. That's what central patched and well maintained web servers are for guys. Tell speakeasy to setup a decent web server that gives you more than 10 megs of space for your pages and just use that! Everyone seems to want their own domain these days and run a web server on it... why not just go back to the old days of having your site at geocities or off of the ISP like http://world.std.com/~user? Is that somehow less cool?

  358. Re:Linux is not a contender.. by jarek · · Score: 0, Offtopic

    If you put Linux next to some other operating systems out there for a cost comparison, the conclusions are devastating for Linux.

    Wrong!

    Linux costs not only more because of the frequent updates which require new cdrom's to be bought.

    Wrong. Patches can be downloaded from the internet.

    Another factor in Linux cost is its maintenance. Linux requires a *lot* of maintenance, work doable only by the relatively few high-paid Linux administrators that put themselves - of course willingly - at a great place in the market. Linux seems to need maintenance continuously.

    Wrong! I'm not a high paid Linux administrator and I can maintain my linux computer easily.

    Add to this the cost of loss of data. Linux' native file system, EXT2FS, is known to lose data like a firehose loses water, when the file system isn't unmounted properly. Other unix file systems are much more tolerant towards unexpected crashes. An example is the FreeBSD file system, which with soft updates enabled, performance-wise blows EXT2FS out of the water, and doesn't have the negative drawback of extreme data loss in case of a system breakdown.

    Wrong. I have used EXT2FS since 97 and still not lost any data. Although I have to say that crashes have been so infrequent that the recovering features of ext2fs have not been put to the test very frequently. If you want higher file system integrity, you can use several available journaling file systems, some of which offer better performance even compared to freebsd.

    Factor in also the fact that crashes happen much more often on Linux than on other unices. On other unices, crashes usually are caused by external sources like power outages. Crashes in Linux are a regular thing, and nobody seems to know what causes them, internally.

    Wrong. Linux has a reputation of stability

    The steep learning curve compared to about any other operating system out there is a major factor in Linux' cost. The system is a mix of features from all kinds of unices, but not one of them is implemented right. A Linux user has to live with badly coave low performance, mangle data seemingly at random and are not in line with their specification. On top of that a lot of them spit out the most childish and unprofessional messages, indicating that they were created by 14-year olds with too much time, no talent and a bad attitude.

    Wrong. Linux is very much comparable to other Unices in terms of learning curve. Most distributions have extensive howto's and man pages. Learning curve is highly individual, your mileage may vary.

    I can go on and on and on, but the message is clear. In this world, there is no place for Linux. It's not an option for any one who seeks a professional OS with high performance, scalability, stability, adherence to standards, etc. The best place it should ever reach is the toy store, and even that would be flattering

    Right, you can go on and on but, from what I can read here, you will be wrong all of the time.

    Have a nice day!

    Jarek

  359. Re:Verizon DSL is NOT THAT EVIL by haruharaharu · · Score: 1

    How are they to know who's vulnerable and who's not? Anyway, servers are probably not supported, though they are allowed, so they're not inconveniencing anyone who actually needs the webserver (because they'd be hosted somewhere if they did). Give it a week or two, see what happens

    --
    Reboot macht Frei.
  360. Re:Servers were never allowed out on cable by Anonymous Coward · · Score: 0
    OK, when you're done masturbating over user IDs...

    You're still a moron.

  361. Re:Thanks Micheal, but by Anonymous Coward · · Score: 0
    Flamebait ?

    Yup, just like I figgered. Everyone who corrects Michael gets marked down.

    Maybe some inverted astro-turfing ? Let's hope not !

  362. Re:Verizon DSL is NOT THAT EVIL by Anonymous Coward · · Score: 0
    ...Finally I got to some guy who was somewhat intelligent, although he did call Linux, L-EYE-NUCKS...

    Funny, isn't that how Linus pronounces it?

  363. Re:Thanks Micheal, but by loraksus · · Score: 1

    box was down for a few reboots and removal of zonealarm, now back on.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  364. Re:Necessary? by don.g · · Score: 1

    Erm... I imagine all the people who normally access websites hosted on your cable connection will just *guess* that because they can't access the site, they should add an :81?

    --
    Pretend that something especially witty is here. Thanks.
  365. Re:Servers were never allowed out on cable by Mark+Bainter · · Score: 1
    But frankly, you guys failed. If everyone had just patched their servers regularly, and knew the least bit about their computer, and wtf it was doing, then this would never have been a problem, and we wouldn't have to do such ridiculous measures such as this. Yes, I think this is a ridiculous measure, but so is leaving your computer unpatched for any decent amount of time. So please, stop deflecting the blame when really you yourselves (or your friends who don't patch) are at fault.

    Hrm. You're painting with an awfully wide brush there don't you think? The people who care about this stuff (by and large) are not the same people who run IIS servers. Particularly insecure/vulnerable IIS servers.

    (Assuming there is another kind.)

    --
    "No nation could preserve its freedom in the midst of continual warfare."
    --James Madison
  366. Re:We haven't done this yet.. by hearingaid · · Score: 3, Insightful

    you know, t1s and t3s have been around for a while. it's just that in the old days you had to Know Things to get access to them.

    now, the idiots have broadband. is this better? I am not sure. I suppose in a way. I now have DSL whereas a few years ago I was running SLiRP on my university's sun box for free 'net access.

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  367. And what is your alternative? by mwillems · · Score: 2

    I run servers too where I am not allowed to. Because, like most, I have no alternative. Cable or dialup. No ISDN possible here, no ADSL no leased lines. Why do you think they can behave like nazis in the first place? Because we have no choice!

    --

    ---
    BDOS ERR ON A:>
  368. Re:No blocking yet by Velox_SwiftFox · · Score: 4, Insightful
    That's odd. There isn't any such clause in the subscriber agreement that the AT&T page listed in the Slashdot announcement links to.

    Could you provide a URL for what you are quoting?

    The explanation given and the clause given as an excuse are (quoting from the above links) an extremely long stretch IMO:

    Why Can't AT&T@Home Residential Customers Run Web Servers?

    The AT&T@Home residential service offering is a consumer product designed for your personal use of the Internet. Customers must ensure that their activity does not improperly restrict, inhibit, or degrade any other user's use of the Services, nor represent (in the sole judgment of AT&T Broadband) an unusually large burden on the network itself.

    The benefits and privileges available from the AT&T@Home, and the Internet in general, must be balanced with duties and responsibilities so that other customers can also have a productive experience.

    Under the terms of the AT&T Broadband Subscriber Agreement customers are not to restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service. See Prohibited Uses of Service (g) in the AT&T@Home Subscriber Agreement.

    The clause referred to:

    g) restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service, including, without limitation, posting or transmitting any information or software which contains a virus or other harmful feature; or generating levels of traffic sufficient to impede others' ability to send or retrieve information;

    So, where do they get off filtering a small, low-bandwidth server that doesn't do what "clause g" prohibits?

  369. It's obligatory. by SuiteSisterMary · · Score: 5, Funny

    In 2001, worm was happening.
    Customer1: What happen?
    Customer2: Somebody set up us the port filter.
    Computer: We get mail.
    Customer1: What?
    Customer2: Email client turn on.
    Customer1: It's you !!!
    Cable Provider: How are you, gentlemen ???
    Cable Provider: All your TOS are belong to us !!!
    Customer1: What you say???
    Cable Provider: You have no chance to host, make your time.
    Cable Provider: Ha ha ha !!!
    Customer1: Move boxen.
    Customer2: You know what you are doing?
    Customer1: For great serving,
    Customer1: Move every boxen.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  370. Re:They ought to filter on an http-server basis by JatTDB · · Score: 2

    Let's say you're a network admin at a large broadband ISP. Code Red is bringing the network to its knees. Despite media attention over the few weeks now that Code Red has been out there, thousands of machines on your network are still infected. Something has to be done to make the network stable again. Do you:

    A) Start scanning every IP on your network to look for servers running IIS, thus generating a huge list that you now have to put into a router as an access list, and keep updating as those servers change IPs, not to mention deal with calls from users that have figured out that the blocking is not total and want their host unblocked, or

    B) Make one big general rule that kills all inbound traffic on port 80

    The first solution, while significantly more friendly to the users, is a recipe for a support nightmare.

    --
    "That's Tron. He fights for the Users."
  371. Re:I don't know anything about port blocking but.. by s390 · · Score: 2

    If you've got *proof* that @home servers were port-scanning you, maybe you've also got a great lawsuit. They attack your "home" - they pay! When you signed up with them, you didn't give them any rights to attempt to compromise your system. Class action time....

    Just my 2 qubits...

  372. And who determines this? by mwillems · · Score: 2
    Err.. so now we have you (whoever you are) determining who gets full access to the Internet? How do you think all of us here got our experience? If we only allow experienced users rather than people who have just installed Linux for the first time, who determines when they know enough? What, we introduce an exam? Who sets the syllabus? The government? Who takes the exam? MS? An MSCE required? Or knowledge of IPX? Or NetBIOS? Can we discriminate?

    I see plenty of trouble ahead if we go your way.

    Michael

    --

    ---
    BDOS ERR ON A:>
  373. Re:No sympathy by Anonymous Coward · · Score: 0

    I belong to AT&T cable but I was originally a customer of Mediaone before they were bought. My TOS is different because of my location than other AT&T customers. In my TOS it says that I can run servers if I understand that other people have access to my computer and if I take the needed security precautions. Well, I have done so and they blocked port 80 all across the cable network, that's against my TOS so I have a right to complain. Posting an "I toldja so!" or "Sucks to be you!" message is not only stupid and childish but inaccurate.

  374. Re:Read your TOS! by Anonymous Coward · · Score: 0

    Technically they do OWE him. That's the whole point. He wouldn't have to pay them, if they owe him nothing.

  375. Re:Leased Line by figment · · Score: 2
    You have a point. Sort of.

    There is a large large large difference between an office and a home. The problem is out of those 40 ppl in the office, 3 or 4 can do that internet radio thing w/o a problem.

    The problem is we're comparing apples and oranges. Consider who would pay $125/mo for internet access, it's not going to be your typical light user who checks their aol mail once a night, it's going to be the heavy users who are going to tax the connection.

    That's probably the largest problem with the do-it-yourself thing, if you do it like this, short of becoming an ISP, you don't have the ability to sell to the "light users" which will allow yourself to either a) be profitable if that's your goal, or b) keep your costs down.

    We have many offices that have 2ch isdn (that's a rocking 128kbit!) that have 50 people in it and do quite well, but if you went up to each one of them and asked if they'd pay $125/mo for an internet connection, you'd see some pretty funny facial expressions.

  376. Re:Verizon, SMTP and the universe by Anonymous Coward · · Score: 0
    What fucking asshole marked this down overrated ? Michael scares the hell out of users with a bunch of FUD, and a user responds with the truth. And someone moderates him down ?

    Let's hope this isn't some form of reverse astro-turfing, but rather some ass-kissing by some lamer.

  377. Re:We haven't done this yet.. by BiggestPOS · · Score: 1
    Administration and technical NIGHTMARE. Have you dealt with tech support with most companies these days? The average monkey doesn't know what a port IS.

    --
    What, me worry?
  378. Re:Move to Canada by copec · · Score: 1

    yup, this one is probably certified....(MCSE)

  379. Re:A simple go-around: by Fujisawa+Sensei · · Score: 1

    What is happening is that your server is prepending the server name to the URL

    Set the option
    UseCanonicalName No
    Or was that
    UseCanonicalName off
    Anyway It should be obvious after looking at your httpd.conf file.

    --
    If someone is passing you on the right, you are an asshole for driving in the wrong lane.
  380. Re:Read your TOS! by ergo98 · · Score: 1

    In effect, a ban on servers prevents citizens from competing affordably for so-called "mindshare" with big corporations and others who don't sweat the cost of dual redundant T3 connectivity.

    You can get a webhosting account on any number of major services, each with multiple T3s/ OC3s/ SuperQuadMondoplexes, for

  381. Re:Read your TOS! by Stiletto · · Score: 2

    One point that isn't often brought up, is that while it may not be against the TOS to run a server, it _IS_ against the TOS to interfere with other's connections. The link to AT&T that slashdot provided above illustrates this.

    If you're hosting Code Red, you're interfering with my (and others') connection!

    I said it before, and I'll say it again: Find the people who are too stupid to admin their IIS servers and YANK their connections. Let the rest of us use our connections responsibly.

    Sure, it sucks that port 80 is blocked, but as long as they use this time to identify the people aiding and abetting the Code Red worm, I'm all for it.

  382. Re:911 by Anonymous Coward · · Score: 0

    i'll go along with you on your first point (i have had over 800 connection attempts from infected hosts on my dsl subnet), but what that has to do with shotgun wounds i will never know. from there on you digress into a pure moron. every web server which is infected is sending out tons of requests with a simple finger print. set up a server with a CGI named default.ida which auto reports the connection to a database of accounts to drop. it's not that hard. and DON'T YOU FUCKING OPEN YOUR MOUTH about hosting you worthless piece of shit when you're hosting your page with yahoo/geocities. i'd have to laugh in your face if you ever actually seemed to know what you were talking about. what are you? 12 and feel big because you can spell bandwidth? $10 a month, wow, i bet you can get quality service for that. why don't we all mail bruthasj@yahoo.com (spambots, have fun) to inquire as to where this miracle host is? eat shit and die

  383. Recess: School's out by Graymalkin · · Score: 2, Interesting

    Since the advent of broadband in homes people have been wasting as much bandwidth as possible by downloading warez and MP3s and bootleg copies of feature films at all times of the day. You notice CD-Rs and large hard drives are often purchased by the same people with fat internet pipes. Hmmm.
    Now virus and worm writers are taking advantage of these people that have been screwing their networks up the ass for years now. I feel so so bad. Webservers that shouldn't have been running in the first place are being blocked. Man I'm heartbroken.
    I don't think broadband is a bad thing at all and nor am I against downloading large chunks of data. Freeware, patches, legal ISOs, music, etc. is all cool and why you've got the fast pipe in the first place. The problem lies in the folks running their webservers and anon FTPs that are filling up the outgoing frames which normally don't get filled up on consumer oriented pipes. I wouldn't want to be the dude trying to manage the consumer network that was never intended for such traffic. If it were me I'd cap your monthly bandwidth and start charging like web hosts do. Whoever thought it was a good idea to leave broadband unthrottled and uncapped was a jackass. It works fine when you can feed a shitload of dialup users with a single T3 or OC line. Things break down when you apply that same model to people who have bandwidth rated at a significant portion of a T3 or OC line.

    --
    I'm a loner Dottie, a Rebel.
    1. Re:Recess: School's out by haruharaharu · · Score: 1

      I dunno, if you axe the bandwidth hogs (of which there are but a few), you would probably see profits go up. Revenue will, of course, go down, but not as much as cost.

      --
      Reboot macht Frei.
    2. Re:Recess: School's out by Anonymous Coward · · Score: 0
      If it were me I'd cap your monthly bandwidth and start charging like web hosts do.

      Causing an immediate and precipitous loss of revenue to the broadband provider you work for, and making the food service industry your only viable employment. I like it.

      ~~~

    3. Re:Recess: School's out by Anonymous Coward · · Score: 0
      Except that there are lots of people who don't "abuse" (i.e. use what they paid for) the system who still don't like the idea of metered billing. A telephone service analogy comes to mind: most people would be better off in the U.S. under measured local service plans, but don't want to have to use an egg timer when they pick up the phone to call across town. Thus flat rate is insanely popular. Heavy users are the cost of being able to advertise a flat rate.

      ~~~

  384. Re:911 by invictus · · Score: 1

    dude, what do you need 20gb for?

    --
    --Ks9
  385. Re:Speakeasy! by nestler · · Score: 1
    This is why DSL *will* save you (us). With DSL you have choice, and you can pick a great ISP like Speakeasy. With cable, you're stuck with whoever is serving your area.

    No. You're stuck with whoever is serving your area, regardless of whether it is cable or DSL. It's not like DSL goes everywhere and Speakeasy serves everyone. If you're lucky enough to be near a central office, then yes, you can pick Speakeasy.

  386. You're violating our Double Secret AUP! by Velox_SwiftFox · · Score: 2
    I'll have to take your word for it, I guess. The link you supply seems to only be available to Excite@Home customers, so it is hard to tell if it would apply to other AT&T customers.

    My question is if with such a variety of AUPs, which one applies to a particular customer? I would presume only those ones presented to them.

    It appears some of AT&T's customers have an AUP that doesn't support the poster I was replying to's "Hello, read your contract" sarcasm, though, if they were only pointed at the same apparently official AT&T AUP document I quoted. If AT&T Broadband has such a clear statement elsewhere that would apply to all (noncommercial) customers, I can only wonder why they pointed at one that only makes a half-assed excuse for their actions...

    1. Re:You're violating our Double Secret AUP! by NullPointer · · Score: 1

      Yep, I agree completely. The original poster's reference comes from this little item. But in their publicly available documents I've not been able to find where they define "server". I also find it odd that they have different service requirements and policies depending on your location. Obviously some of that is dependent on the equipment installed in a particular area and any contractual things that a local franchising agency might require. I know that many AT&T@Home customers are required to use DHCP for example. Where I'm located, we can request static IPs at no extra charge even though the printed contract I was given says otherwise.

      --
      NULL
  387. Re:We haven't done this yet.. by Jetson · · Score: 1

    The proper solution to "stupid customers" is not to penalize the "smart customers" but to either educate or penalize the "stupid customers". If I am running Apache and not contributing to the Code Red mess then why disable access to my machine simply because a Microsoft user can't be bothered to patch his machine? The proper solution is to watch your network for unusual traffic and unplug the violators. Your customer will fix his machine much faster when the viruses and worms cause him to get disconnected.
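
Several comments above (370, 382, 387) argue for fingerprinting infected hosts instead of blocking port 80 for everyone. The following is an added example, not part of the original thread: it scans web-server access logs for the `default.ida` request signature and lists on-network sources with repeat hits. The Common Log Format input, the customer prefix, both thresholds and the shortened sample padding are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Assumption: the provider's customer address space (RFC 5737 documentation prefix).
CUSTOMER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
MIN_PAD = 16   # assumed minimum padding run; the constructed samples use 24
MIN_HITS = 2   # assumed threshold: repeat hits before acting on a source

# Common Log Format: host ident user [timestamp] "METHOD path proto" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" \d{3} \S+$')
# Worm requests target /default.ida with a long run of one padding character.
SIG_RE = re.compile(r"^/default\.ida\?(N{%d,}|X{%d,})" % (MIN_PAD, MIN_PAD), re.IGNORECASE)


def classify(path):
    """Return the variant name for a request path, or None if it does not match."""
    m = SIG_RE.match(path)
    if not m:
        return None
    # Widely reported: the first Code Red padded with 'N', Code Red II with 'X'.
    return "CodeRed" if m.group(1)[0].upper() == "N" else "CodeRedII"


def scan(log_text):
    """Aggregate matching requests per source IP; count unparseable lines."""
    sources, skipped = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        host, stamp, path = m.groups()
        try:
            ip = ipaddress.ip_address(host)  # logs may hold hostnames instead
            seen = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            skipped += 1
            continue
        variant = classify(path)
        if variant is None:
            continue
        rec = sources.setdefault(
            str(ip), {"hits": 0, "variants": set(), "first": seen, "last": seen})
        rec["hits"] += 1
        rec["variants"].add(variant)
        rec["first"] = min(rec["first"], seen)
        rec["last"] = max(rec["last"], seen)
    return sources, skipped


def on_net(ip_text):
    """True when the address belongs to one of the customer prefixes."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in CUSTOMER_NETS)


def quarantine_candidates(sources):
    """On-network sources with repeat hits, sorted by address."""
    picked = [(ip, rec["hits"], sorted(rec["variants"]))
              for ip, rec in sources.items()
              if on_net(ip) and rec["hits"] >= MIN_HITS]
    return sorted(picked, key=lambda row: ipaddress.ip_address(row[0]))


def _line(ip, clock, path):
    # Builds one constructed Common Log Format line for the sample below.
    return f'{ip} - - [06/Aug/2001:{clock} -0400] "GET {path} HTTP/1.0" 404 276'


N_REQ = "/default.ida?" + "N" * 24 + "=a"   # constructed, padding shortened
X_REQ = "/default.ida?" + "X" * 24 + "=a"   # constructed, padding shortened
SAMPLE_LOG = "\n".join([
    _line("198.51.100.7", "09:14:02", N_REQ),
    _line("198.51.100.7", "09:14:41", N_REQ),
    _line("198.51.100.23", "09:15:10", X_REQ),
    _line("198.51.100.23", "09:17:55", X_REQ.replace("default.ida", "Default.IDA")),
    _line("198.51.100.50", "09:18:03", "/index.html"),
    _line("198.51.100.61", "09:18:30", N_REQ),              # single hit, below threshold
    _line("203.0.113.9", "09:19:12", X_REQ),                 # off-network source
    _line("203.0.113.9", "09:19:40", X_REQ),
    _line("198.51.100.50", "09:20:00", "/default.ida?page=NN"),  # no padding run
    "this line is truncated garbage",
])

if __name__ == "__main__":
    found, bad_lines = scan(SAMPLE_LOG)
    for ip, hits, variants in quarantine_candidates(found):
        rec = found[ip]
        print(f"{ip} hits={hits} variants={','.join(variants)} "
              f"first={rec['first']:%H:%M:%S} last={rec['last']:%H:%M:%S}")
    print(f"unparsed lines: {bad_lines}")
```

The output is a per-customer list rather than a blanket rule, so the access list only has to cover sources that have actually matched.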

  388. Re:Why don't ISP's provide firewall software? by Anonymous Coward · · Score: 0

    suck my ass

  389. Re:Clause? by yerktoader · · Score: 1
    I work for an @Home provider and our clause says that you can't run any kind of server at all, including P2P.

    I don't agree with disallowing servers, but only because I want to use them. The service is designed for residential home use. If you didn't read the agreement then in a court of law you don't have much say. It's unfortunate but just the way that it is. These companies need to keep the infrastructure stable, and having thousands of people running servers, big or small, tends to diminish network bandwidth.

    My knowledge of networks is limited as I don't handle network operations. In my area, the service is stable, and fast. Some other areas it's crap. It seems to depend on the provider and how much the local area cares about stability. One area of AT&T, ComCast, Cox, or whomever might be great. Another just a county or two away might be terrible. I've seen this with all the providers. With the money these companies make, I don't really see how they couldn't have great stability and speed in all areas.

    But I'm not privy to the real amount of profits these companies make, and hence I can't really judge them. Neither can anyone else who hasn't been behind the scenes.

    One person in this discussion griped about how @Home providers tell customers if you want to run a business get @work, and then gripes about it not being available. I fail to see why this person doesn't band together with other folks who want these services from home and show that there is profit in having it available. It still comes down to what each company has in its Acceptable Use Policy. These companies run a business, and if you don't like what they do, then shouldn't you get another provider? What about Starband or any other service? It doesn't make any sense to me to accuse these companies of trying to limit what you do, when they are merely following the policy you signed to begin with.

    Now if you were to gripe that you're merely emailing to a server just like any other server, and that it shouldn't matter where you mail to....That I would agree with. The service should just work, end of discussion.

    Recently, the Wall Street Journal wrote a report that highlighted a statement by Intermail, the company that provides the mail software that @Home uses. They said that they were amazed at how @Home had managed to stretch the software further than what they had planned for it. I had that confirmed by a corporate employee, who told me that Intermail had in fact said that. That to me is stupid. But then again, the people who run @Home used to work with AOL. What do you expect?

  390. Re:Servers were never allowed out on cable by Skapare · · Score: 2

    I would suspect that each router into each segment has the access list to block it. That would explain why some places still don't have it blocked (haven't got it configured in all of them, yet). And yes, that could mean that within a segment, the traffic can still go through. Maybe this is why CR2 narrowed its scan range.

    --
    now we need to go OSS in diesel cars
  391. Recipe for avoiding the Broadband Blues... by sandgroper · · Score: 1

    ...or at least being able to control your own destiny.

    Find a bandwidth wholesaler, who can get more bits than you'll ever need to your residence, without untenable restrictions.

    Stick an "airhead" from rooftop/Nokia on your roof.

    Run around to your neighbors, and convince them that you can provide better reliability, policies, and general service that sucks less than whomever they are using today. (This is probably the hard part). Charge them a fair price. Don't forget to cost out your own time in deciding your pricing structure.

    Light it up, and enjoy the surplus bandwidth that is present at your airhead from your wholesaler.

    Don't forget to seek your lawyer's and tax accountant's advice. You'll probably be utterly surprised at the tax games that are legal when you are the business, trying to make a profit.

    Congratulations, you've just become your own ISP, and have built a Network Area Network (NAN).

    There, that was easy, wasn't it? ;-)

  392. Re:Simply not true... by thejake316 · · Score: 1

    AT&T's position seems to be "if you do things that show up on our radar and piss us off we're pulling your plug." They need to tread lightly, as they're working towards an "all your bits are belong to us" strategy (phone, digital cable and ip all over their cable, one big bill) and if they piss anybody off it increases the likelihood of showing up on the gubbernmint's radar, which is something they don't want.

    --
    AC's cheerfully ignored
  393. Quit Complaining by doc_brown · · Score: 1

    On these _extremely_ large networks, it's next to impossible to cut port 80 on just the infected computers.

    Just how are the admins going to know which machine is compromised? Look at their firewall logs? Wait....they don't have firewalls between users on their network. Then what?

    If they do ID everybody who has it, how are they then to shut down only those Port 80's. Again you are talking about a lot of people _and_ a lot of different hardware that will need the rules implemented.

    Then you run into hardware problems if you can do that. For example, a Cisco 6500 switch can firewall, but the firewall rule should not grow too large. If it gets too big it has to run in software instead of hardware (smaller sets fit into hardware). Software will just kill performance on the switch which would affect all customers on that one.

    How about thinking once before bashing big companies?

    All that said....the whole problem could have been avoided if people didn't use M$ to begin with.

  394. Re:Clause? by IronChef · · Score: 4, Funny

    I am an @Home subscriber in Seattle. Here is the truly hilarious service they provide.

    - As an @Home user you are not supposed to do anything business related, including something as simple as sending email to your office.

    - If you want to do business, you can easily upgrade your cable @Home connection to an "Excite@Work" DSL connection. Except that @Work simply isn't available over most of the @Home coverage area.

    So they tell you to upgrade to a product they can't sell you. Hilarious.

    I would happily pay more for @Home CABLE service if they would give me a fixed IP and not block servers. Not that they are at the moment, but I smell trouble on the horizon. That Qwest DSL with the month-to-month pricing is looking better all the time.

  395. Re:I've read my TOS and it sucks. by figment · · Score: 2
    wow i suck and can't type.

    What i really meant is that 99.9% of security problems from home are stuff i don't want to deal with. blah. sleep time for me.

  396. Re:The end of a state of denial by mgarraha · · Score: 2

    I had AT&T@Home in the fall of 1999. During that time, home.com got onto the MAPS RBL for failing to shut down open SMTP relays. That got their attention! To demonstrate good faith to MAPS, they conducted a campaign of probing customer machines on port 25 and sending nastygrams to people running servers. Their response to the present incident makes much more sense.

  397. IMHO the upstreams should be paying webmasters by cdn-programmer · · Score: 1

    Blocking the transmissions, eh?

    Ok - consider this. In order for a telecommunications carrier to be able to supply content to their ISP divisions, as well as the ISP's they support, they need to connect to the backbone - and this means they need to PAY the backbone operator for connection bandwidth.

    But webmasters who run small (and sometimes not so small) servers ALSO provide content. However, this group is NOT paid for the services they provide.

    Now it gets worse apparently with port 80 being blocked.

    Consider this: In order to reduce the bandwidth charges, caching proxies are used. This allows a company like AOL to serve 20 million customers from cached web pages. This is a pretty large saving.

    I don't think copyright law gives them this right, any more than a newspaper stand has the right to reprint a newspaper. And by doing this the backbone operators are being deprived of revenues. In turn webmasters are also deprived of revenues.

    It is clear that internet content has value. It has a great deal of value just as radio and TV signals have value. Internet content also costs money to create.

    Now, for a really small website - the amount we are talking about here likely is chicken feed. But getting this issue resolved about who really owes who for what will go a long way towards at least ensuring that port 80 is not blocked!

    Here is a case in point: SlashDot does a wonderful job and they serve 30 million pages a day or so. I am quite happy as a customer of my ISP to pay for their delivery service of SlashDot pages. In order for my ISP to do this they pay the local telecommunications carrier and this company in turn pays their backbone supplier. Now, if instead of the telecommunications carrier obtaining slashDot pages from the backbone operator, suppose they called up the SlashDot people and asked for a direct connection? In this case their bills to the backbone operator would be reduced because presumably a LOT of people read SlashDot. This would mean that at zero additional cost, the same telecommunications carrier can pay something toward the operation of the SlashDot website.

    Somehow webmasters in their eagerness to get connected failed to realise that rather than paying for bandwidth to distribute their content, instead they should be paid for the bandwidth the surfing public demands from their servers. Everyone else gets paid when the public accesses content. Protecting the rights of the copyright owner is what the DMCA is all about. Bad law mind you. But the intent to protect copyright is not bad.

    The purpose of copyright law is to protect the rights of those who create intellectual property and ensure that they receive compensation in a manner that is fair and consistent with the public's right to use it. Webmasters in general also create intellectual property and in general their works are also copyrighted.

    Just as the owner of a movie has the right to decide if it shall be distributed on a for pay basis, such as in a theater, a video, on pay TV; or if it is distributed on a broadcast basis by the networks, IMHO webmasters should ALSO enjoy this choice. This would mean that the ISP side of the business should pay a tariff to the webmasters if the website is made generally available. If the webmaster chooses to make it a for pay site, well - just like pay TV - so be it.

    IMHO this would create a healthy dot.com sector. Everyone will win. Webmasters would NOT receive any income unless people actually chose to surf to their websites. And the carriers would make more money from this as well. Probably we would suddenly find high bandwidth websites that are really entertaining start to develop and this would fuel the adoption of DSL and broadband. The telephone carriers and ISP's would make a lot more money - not less.

    Besides, the ISP side of the business is already paying for connection bandwidth. It is just that somewhere in the food chain the money that should presently be flowing into the dot.com sector is being diverted. But - it is not being diverted in all cases because there are some websites that are receiving revenues for what they pump into the net.

  398. Re:so what by Foamy · · Score: 1

    Yup, I'm still getting at least one scan every minute of every day, so within the @home network the infected machines are still running wild.

    Other than dealing with their completely incompetent tech support one time, the service has been great... it's like having my personal T3@home.

  399. I read my TOS! by Cowculator · · Score: 1

    Direct quotes from the Verizon TOS:

    Section 12, Limitations on Use and Warranties:
    12.3 You agree that your use of the Service and the Internet, without limitation, is your sole responsibility, is solely at your own risk and is subject to all applicable local, state, national and international laws and regulations.
    Attachment B, part 3:
    You may not use the Service as follows: ... (q) to use your VIS account for the purpose of operating a server of any type, unless you are an DSL customer; ...

    I am a Verizon DSL customer. Therefore I can operate a server if I want. And 12.3 says that my use of the Internet is "without limitation" and "solely at my own risk". The way I see it, this means I should be able to run my own server on port 80 without Verizon being able to block it; I'm more than willing to take the risk of getting Apache infected with Code Red. And if I find I'm getting hammered by infected machines on the Verizon network, I'll get the IPs of the offending users and tell them to stop playing Solitaire and install the fscking patch.

    I already sent Verizon tech support a message asking why they didn't announce this (at best I found a vague message on their site that didn't mention specific services being blocked) and asking if they can get me around it. They say they'll respond within 24 hours to any messages; I sent it at about noon EST yesterday, and it's 9 AM now, so they've only got about three hours left...

  400. Re:I've read my TOS and it sucks. by janpod66 · · Score: 2
    It's an interesting question you raise there: did you actually buy bandwidth?

    Yes, that is what my TOS say. If yours don't, they should.

    Unfortunately, it is their problem when they start receiving huge numbers of abuse calls because you left your box open.

    You are confusing what is with what should be. Of course, this is the way things are right now. I'm arguing that it shouldn't be. The access provider should be a carrier, with no responsibility for what travels over their wires, other than making sure that the IP headers are correct. What happens right now is that ISPs stick their fingers in all sorts of content controls, but the one thing they don't do and the one thing that they actually should control is that every packet is identified correctly.

  401. You can thank IIS.. by victwenty · · Score: 5, Interesting
    Blocking port 80 is the only practical way providers such as @home have to control code red. I'm on their network and in the last 48 hours, I've gotten:

    [root@gamara log]# grep DPT=80 messages | wc -l

    3722

    code red hits, all from other @home users. All W2K/IIS 5.0 users. The ip's I've looked into all have the default pages up too. I've even tried running "dir" commands on a few through the "root.exe" backdoor code red installs, incredulous that it would work, and yes.. thousands of wide open NT boxen. This hasn't even seemed to slow down yet, despite the widespread publicity which leads me to believe that a large percentage of those stricken are either totally clueless, don't realize they have IIS running (?), or flat out don't care which leaves the ISP little choice. And it may be my perception, or unrelated factors, but my net connection has certainly seemed more sluggish over the last week, perhaps as a result of upstream saturation, something @home doesn't have much of.

    So I would agree, blocking port 80 is the most practical way of defeating this and it should have happened earlier. It's that or ban all microsoft operating systems as a public hazard :)

    1. Re:You can thank IIS.. by Elias+Israel · · Score: 2, Interesting
      Blocking port 80 is the only practical way providers such as @home have to control code red. I'm on their network...

      Respectfully, that's a load of crap.

      I've got a Linux host connected to the AT&T network (they were better as MediaOne), and not only can I produce for you a log of the CodeRed infected customer machines that need to be dropped off the net until their owners get smart, but I also have a firewall in place and I routinely spend 2 hours each week reading the firewall logs and reporting on various l0sers who love to attack the ATT network.

      I pay ATT around $200 each month for various services, including cable, telephone, and internet.

      I'm policing their network for them because they apparently can't be bothered.

      You'd think they'd treat people like me as heroes, or at least good customers.

      I leave it to you to decide how we have really been treated.

      "We're the phone company. We don't care. We don't have to."

    2. Re:You can thank IIS.. by Todd+Knarr · · Score: 4, Interesting

      I can think of a more effective solution: every time a Code Red probe goes out, deprovision the modem belonging to the customer with that IP address. They've got a proven AUP violation and a proven security problem that's disrupting their network. That's more than enough justification for jerking the account entirely. This has the dual benefits of shutting down Code Red and forcing people to actually learn how to secure their systems which makes future problems slightly less likely, and doesn't impact those of us who aren't susceptible to Code Red at all.

    3. Re:You can thank IIS.. by victwenty · · Score: 2
      Personally, I would rather my ISP not institute a system to scan all valid http traffic for strings which might just happen to buffer overflow an IIS server. If ISP's started instituting this, how long do you think it would be until somebody started embedding such strings in innocent looking links (or via redirects) on pages such as slashdot? As if goatse.cx wasn't bad enough..

    4. Re:You can thank IIS.. by Mark+Bainter · · Score: 1
      I agree. I too do not mind this so much. The upstream bandwidth is shared and in short supply. This is pretty much a necessary move for @Home. As long as they open them back up when the threat is gone I'm alright with that. I think they are going above and beyond by calling those who are vulnerable and helping them patch their servers. I don't run a webserver myself, but I don't want to see this become a trend.

      That said, if they know the people who are infected/vulnerable (which the link in the article claims) then I wish they'd use that data to feed their access lists instead of just blocking port 80 for everyone. To be honest, if it was me, I'd use that data to feed an access list that entirely blocked infected/vulnerable customers. Then you wouldn't even have to call them, they'd call you. Then your support people can check their name against the list of blocked-for-code-red users and explain the situation, remove them from the list when it's patched, and they are back on. It gets the customer motivated to take care of it at the same time.

      --
      "No nation could preserve its freedom in the midst of continual warfare."
      --James Madison
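
An added example, not part of the original thread: it parses netfilter `LOG` lines like those behind the `grep DPT=80 messages | wc -l` count above, tallies new port-80 connection attempts per source, and lists the sources inside the provider's own range that could feed a per-customer access list as suggested in the last reply. The sample log, the `198.51.100.0/24` customer range and the threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in netfilter LOG format (not taken from the thread).
# Addresses are documentation ranges; 198.51.100.0/24 stands in for the
# provider's customer block, which is an assumption of this example.
SAMPLE_LOG = """\
Aug  9 08:01:12 gamara kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.77 LEN=48 TTL=116 PROTO=TCP SPT=3456 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  9 08:01:13 gamara kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.77 LEN=48 TTL=110 PROTO=TCP SPT=1207 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  9 08:01:40 gamara kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.77 LEN=48 TTL=116 PROTO=TCP SPT=3460 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  9 08:02:02 gamara kernel: IN=eth0 OUT= SRC=198.51.100.45 DST=198.51.100.77 LEN=48 TTL=117 PROTO=TCP SPT=4100 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  9 08:02:05 gamara kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.77 LEN=48 TTL=116 PROTO=TCP SPT=3461 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  9 08:02:30 gamara kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.77 LEN=48 TTL=110 PROTO=TCP SPT=1211 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  9 08:02:31 gamara kernel: IN=eth0 OUT= SRC=198.51.100.60 DST=198.51.100.77 LEN=52 TTL=120 PROTO=TCP SPT=2200 DPT=80 WINDOW=8760 RES=0x00 ACK PSH URGP=0
Aug  9 08:02:40 gamara syslogd: restart
Aug  9 08:03:01 gamara kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.77 LEN=48 TTL=116 PROTO=TCP SPT=3470 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  9 08:03:15 gamara kernel: IN=eth0 OUT= SRC=198.51.100.45 DST=198.51.100.77 LEN=48 TTL=117 PROTO=TCP SPT=4105 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  9 08:03:20 gamara kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.77 LEN=48 TTL=110 PROTO=TCP SPT=1215 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")            # KEY=value pairs
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")  # bare TCP flag words


def parse_line(line):
    """Return the KEY=value fields plus TCP flags of one LOG line, or None."""
    if "SRC=" not in line or "DPT=" not in line:
        return None  # not a packet log line (other syslog noise)
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = set(FLAG_RE.findall(line))
    return fields


def count_port80_syns(lines, port="80"):
    """Count new inbound TCP connection attempts to `port`, per source IP.

    A plain `grep DPT=80 | wc -l` counts every logged packet; here only bare
    SYNs are counted, so packets of established sessions do not inflate the
    tally. A SYN to port 80 is a probe, not proof of a Code Red infection.
    """
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != port:
            continue
        if fields["FLAGS"] != {"SYN"}:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except ValueError:
            continue  # malformed or truncated line
        counts[str(src)] += 1
    return counts


def access_list_candidates(counts, customer_net, threshold):
    """Sources inside the provider's own range with at least `threshold` hits.

    Sources outside `customer_net` are left out: the provider cannot
    disconnect them, it can only filter them at its border.
    """
    net = ipaddress.ip_network(customer_net)
    inside = [
        ipaddress.ip_address(src)
        for src, hits in counts.items()
        if hits >= threshold and ipaddress.ip_address(src) in net
    ]
    return [str(ip) for ip in sorted(inside)]


if __name__ == "__main__":
    tally = count_port80_syns(SAMPLE_LOG.splitlines())
    for src, hits in tally.most_common():
        print(f"{hits:5d}  {src}")
    print("candidates:", access_list_candidates(tally, "198.51.100.0/24", 3))
```

A threshold and a review step before any address reaches a block list matter here, because a single logged SYN can come from an ordinary visitor to a legitimately hosted page.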
  402. Legality by lanner · · Score: 1

    What is the legality of this?

    What is "The internet"? If they filter ports, can they advertise their service as being "the internet"?

  403. Re:Verizon DSL is NOT THAT EVIL by loraksus · · Score: 1

    Verizon is fucking evil, but it's a MICHAEL story. He's full of shit. My smtp and http is still accessible to the outside world.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  404. Verizon, SMTP and the universe by beanerspace · · Score: 1
    On July 17, Verizon sent out the following e-mail to its customers regarding the use of SMTP. Basically, if you own a domain and run a website, you can use that POP3 and SMTP for e-mail addresses that don't end in verizon.net, bellatlantic.net, gte.net, banet.net.

    - - - - -

    Date: Tuesday, July 17, 2001 1:42 PM
    Subject: Please check your email settings

    Dear Verizon Online Customer:

    If you are sending email using an email address other than one provided by Verizon Online, this message affects you. Effective, August 8, 2001, you will no longer be able to send email from any email address other than the one provided by Verizon Online (this includes privately branded domains and secondary ISP accounts).

    We are taking this action as a result of our continuing efforts to improve the quality and reliability of Verizon's mail system and is one of several steps to help reduce spam. The effect of this change is that Verizon Online email will no longer support sending email from other ISP accounts or privately branded domains that are not hosted by Verizon Online.

    WHO IS AFFECTED BY THIS CHANGE? This change to Verizon Online's email will not affect you as long as you use your username or alias, and one of the following domains (the part after the "@") is included in the "From" address of each email you send (ex: john.smith@verizon.net):

    • verizon.net
    • bellatlantic.net
    • gte.net
    • banet.net

    If you are a customer who has changed your domain name to something other than those listed above (ex: betty@mycompany.com), you will be affected by the change and your email will not be routed after August 8, 2001 unless you change your "From:" field to a valid address using one of the above domains.

    For information on how to check and change your email domain, visit our Online Help. https://support.bellatlantic.net/index.cgi

    WHY ARE WE MAKING THIS CHANGE? To improve our email services for all Verizon Online users. Reserving the use of the mail system for only authorized users is a critical component to ensuring a quality, reliable service and one that is less susceptible to spam.

    WHAT DO I DO IF I AM AFFECTED BY THIS CHANGE? The following are suggested alternatives for customers impacted by this change:

    • Use the messaging (email) services (both for receiving and for sending email) that are provided by the company that hosts your email domain. Enter that company's outgoing (SMTP) mail server name rather than Verizon's SMTP server name (smtp.verizon.net for @verizon.net addresses or smtpout.bellatlantic.net for @bellatlantic.net addresses) in your email settings. Some hosting companies have affiliated Web-based email services from which you can send mail using the domain provided by that company. Please contact your hosting company for assistance in using their SMTP service.
    • Change the "Reply To:" field in your email program to your private domain address; keep your "Verizon" email address in the "From:" field. (Example: Reply To: username@privatedomain.com and From: username@verizon.net).
    • Consider one of Verizon Online's business products such as Managed Messaging, Outsourced Email, or Web hosting solutions; all of these solutions will accommodate the sending and receiving of non-Verizon domain emails. For additional information, visit http://www2.verizon.net/pands/business/outsourced.html or http://www2.verizon.net/pands/business/hosting/webhosting.html

    We apologize for any inconvenience this change may cause.

    Sincerely,
    Verizon Online

    - - - - -

    Notice that last suggestion. One wonders if anti-spam is the sole motivation here.

  405. PERFECT SOLN!!! by Anonymous Coward · · Score: 0

    Ok, when I got DSL last year, I found out that I could use Verizon for DSL connection and another ISP for my service provider. As a result it took about a month to get connected correctly and I pay maybe about $10 more per month, but as a result I have free rein from my ISP to run whatever I want. Works excellent now, but required a bit of probing and prodding to get it all fixed up.

  406. Re:Read your TOS! by morgue-ann · · Score: 1

    Hey, cable (and DSL) is way faster than ISDN.

    ISDN isn't a technology, but a tariff structure.

    You're probably thinking of ISDN BRI, the Basic Rate Interface consisting of 2 B (bearer) channels of 56kbps or 64kbps and one 16kbps D channel (signalling).

    ISDN PRI or Primary Rate Interface is 23 B channels and one 64kbps D channel. 24 * 64 = 1.5mbps. Hmmm... T1!

    I know it's common to call BRI simply ISDN, particularly in the residential context of this discussion, but people are trying to claim they know more than the broadband ISPs about how to achieve security, so using the proper terms might help.

    http://www.bell-labs.com/technology/access/ISDN-BRI.html

  407. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0

    No, but it keeps popping up when i search for "bleak future."

  408. Re:Read your TOS! by ergo98 · · Score: 1

    The thing is this: They decide what they're going to offer, and the price at which they'll offer it, and then you decide if you'll pay it or not (or alternately continue to pay it), doing the voting with your dollars if need be. @Home isn't a government service and you can't pound your fists and express moral outrage because they don't do things the way you want: Again they don't owe you, but rather they offer you a given service at a given price.

  409. Don't Move to Australia by lazybeam · · Score: 1
    At least you guys can run servers off your line. Telstra ADSL in Australia all ports appear to be blocked. Try this or even this! Apache is listening on both of those ports.

    Add to that the 3G transfer limit, it is not very good. Telstra are monopolistic, since they are the only ones who can provide "broadband internet" for much of the population.

    --
    no sig for you. come back one year.
  410. Re:They should remain blocked -- NOT FOR ME, DUMBA by powerlifter · · Score: 1
    I used the web server when I was outside my home LAN to keep up with my family. I could manage my site on my Linux (read: laughing at Code Red) system behind my firewall (yes, I am intelligent enough to have one!).

    Now, no connections in. I started listening at port 88 as well, but it's just too stupid. Let me get to my system. There's no technical reason why. Finger my connection and see why.

    Hell, they used to hit it all the time with pcAnywhere queries.

    Powerlifter
    bench 365 -- squat 595 -- deadlift 605
    (and a brain to boot!)

  411. Re:Move to Canada by cheezedawg · · Score: 1

    Dynamic DNS. I use tzo. Its only $25/year (but I'm still in the year's free subscription that came with my router). The standard service gives you a whatever.tzo.com domain, so I just set up a CNAME on my domain that points to the dynamic dns domain. Works great.

    --
    "The defense of freedom requires the advance of freedom" - George W Bush
  412. Thanks Michael, but by loraksus · · Score: 1, Flamebait

    as usual, you're full of shit. Let's try to verify some info before pasting bullshit on this site. OK? Cool.
    I don't bitch at the story editors much, but this kind of shit pisses me off.

    -------
    Verizon hasn't blocked _anything_ yet.
    -------

    Don't like this post? Fuck you, mod me down. I'm still right, visit my webpage, the link is above, I'm a verizon subscriber, running apache (used to be IIS until 2 days ago) and an email server on a 2k box.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  413. Re:No blocking yet by natet · · Score: 1
    --
    IANAL... But I play one on /.
  414. Re:Read your TOS! by bacchusrx · · Score: 3, Insightful
    I work for one such company, so I'm well aware ;)

    However, use of so-called "shared" or "virtual" web hosting services limits greatly the sorts of applications you can create and run. It also limits your ability to administer your machine and configure the applications you use the way you see fit.

    Some hosts are more forgiving than others, but, for highly specific development environments any shared host is less than ideal. Also, censorship considerations by [corporate] hosting providers may also be a concern...

    Further, shared web hosting says nothing of other content servers which may be unavailable completely or available in shared configurations only in highly restricted circumstances.

    BRx.

    --
    Life after capitalism? The participatory economics project
  415. Re:If you're in Eastern Mass. AT&T's lying by moophish · · Score: 1

    i live in eastern mass, and boy do they lie. i had multiple technical support people first tell me that the filter was on their whole network across the country, then later say i could put in a request to have my filter removed and told me it was successful and to powercycle the cable modem. i knew he was full of it, but i did anyway. no luck, but look, i'm out of the chat with that guy now. i enter again, this time with a different person. they cannot seem to tell me why the 24.128.176.x ip block is not filtered, even though it's one of theirs. i dealt with most of my problem by having apache listen on another port and having my 'www' subdomain point to that port instead of 80, but not all of us have this convenience. well i guess all we can do is wait.

    b-rad

    The path of the righteous man is beset on all sides by the inequities of the selfish and the tyranny of evil men. Blessed is he who in the name of charity and good will shepherds the weak through the valley of darkness for his is truly his brothers' keeper and the finder of lost children. And I will strike down upon thee with great vengeance and furious anger those who attempt to poison and destroy my brothers. And you will know my name is the Lord when I lay my vengeance upon thee. Ezekiel 25:17

  416. Re:Has affected some games as well by Anonymous Coward · · Score: 0

    the servers you want to play on probably have http redirected downloads. to reduce load on the server, if you need packages to play, the server redirects you to a website to download them... maybe that has something to do with it. just play on servers without all that crap, or download the stuff you need prior to playing.

  417. code red by Anonymous Coward · · Score: 0

    surprisingly, this seems to have been relatively ignored. AT&T's phones have been swamped all week long with people calling about code red. They finally resorted to this when the average call time zipped up and zoomed over 24 hours with no end in sight. They're trying to save a perfectly adequate service while everyone here chooses to complain that they're cheap and should buy more bandwidth so they can do stuff they should never be able to do. AtHome has been scanning their network all week. Are they doing it to shut down web servers? Yes. Specifically ones with code red. People have been reporting their cable lines cut off. Why? Because AtHome detected code red on their line and asks them to remove it before re-enabling the line. These companies are doing all they can to combat the stupid virus and they're clearly going all out to save their networks, yet all you can think about are the classic lazy admins and class-action lawsuits theory because all of the sudden everyone started blocking everything this week. Can you take a *wild* guess why?? Sheesh!!

  418. Re:Not a huge surprise.. by loraksus · · Score: 2

    Yeah, iis installs itself in 2k right?
    If you're running iis, you know you are running iis. Not to say that you'll patch it, but neither do many sysadmins (who, btw, have faster internet connections)

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  419. do you think asymmetry fell from the sky??? by janpod66 · · Score: 2

    With many modern broadband technologies, there is no technical reason for any asymmetry. In fact, you could even change the allocation dynamically. The reason for the existing asymmetry is simply that companies decided on that. It's probably part marketing ("there is no demand for anything else") and part deliberate long-term strategy ("we don't want end-users to create and distribute much content").

  420. cynicism by Anonymous Coward · · Score: 0

    Along with the posting in a previous thread about code red and TCP/MS, one might wonder if the CodeRed virus was not introduced by TPTB (the powers that be) in order to justify blocking all the interesting ports, turning us all into meek content consumers (we geeks were getting too uppity :-)

  421. Re:Not a huge surprise.. by norton_I · · Score: 2

    I already have. But they aren't scanning for port 80 servers, they are just filtering it at their routers. On the other hand, the arp storm that had been going on for the past 4 days died this morning.

  422. MediaOne blocks in the Twin Cities... by HongPong · · Score: 2
    A couple days ago AT&T (formerly MediaOne) blocked port 80 here in Mpls./St Paul. I instant messaged with a tech guy last night and he was less than friendly about it.. considering how I was in such a good mood. Also, somewhere along the line they fsck'ed up and blocked http://www.roadrunner.com from me. Some URL port filtering message came up, which wasn't cool because I couldn't remember the tech support email address. Here's some choice transcripts:

    Tech: What sort of problems are you having?
    Me: well, i'm running a Linux/Apache server which I know is immune... and I read on slashdot that you guys blocked off all port 80 incoming connections, so my server can't be reached by anyone, which annoys me and I'm wondering if there's any way to get things open again. i was just wondering if i could get unblocked.
    Tech: At this time AT&T will continue to block the port until they can find a more permanent solution to the problem.
    Me: also, you should know that a lot of official mediaone sites are blocked as well
    Tech: Which ones?
    Me: example: www.roadrunner.com and its related sub-domains
    Tech: I will escalate the issue about blocking the sites. But as for the port blocking, we cannot unblock them as of now.
    Me: ugh... there's nothing in my User Agreement about port blocking... i'd suspect someone in a worse mood than me would get in your face about that
    Tech: Try looking at Section 10.9.
    Me: oh darn

    I didn't have the user agreement on hand so I gave up. Just now I dug it out and I feel misled.

    So I dug out this 10.9 thing which he speaks of. (My user agreement is structured differently than the one they have online) In any case, the agreement explicitly permits non-commercial use of servers as long as they don't mess things up. Section 10.9: You agree that AT&T and ServiceCo shall have the right to take any action that either AT&T Broadband or ServiceCo deems appropriate to protect the Road Runner service, its facilities and equipment. Frankly blocking my server isn't an action which protects the Road Runner facilities, service or equipment. In fact since my connection is a 2-way modem, it is harming the service. I understand the problems they are having, but a blanket blocking isn't the way to go on this. I have taken all appropriate security measures on my web server, and my service is being penalized by other users' failure to do so.

  423. Thats nothing.... by AlXtreme · · Score: 1
    My old ISP, sonera disables all ports under 1024 on their cablemodem service. Bye bye HTTP, FTP, SMTP, DNS, SSH etc etc etc. It's a horror, really.

    Yep, DSL is the way to go. At least you can choose your provider...

    --
    This sig is intentionally left blank
  424. Re:I don't know anything about port blocking but.. by Anonymous Coward · · Score: 0

    Proof:

    cat /var/log/portsentry.blocked.stcp | grep security
    994137796 - 07/03/2001 00:23:16 Host: authorized-scan1.security.home.net/24.0.0.203 Port: 119 TCP Blocked

  425. @home support by Anonymous Coward · · Score: 0

    when i first got my @home cable modem they didn't have it capped in upload speed, and suddenly one day i can only send out at 15K max - of course i didn't read any of the shit they sent me, but i called them anyway and complained about a cap and i got some Tier 2 tech support guy bsing me about how "they don't use a cap and that the speeds on FTP programs are often incorrect" that was the biggest bullshit i've ever heard :) ICQ: 73789120

    1. Re:@home support by CM39 · · Score: 1


      Their tech support people don't know shit.

      When I upgraded my parents machine to win2k the cable modem stopped working (cable modem supplied by them). I contacted them and was told to reinstall the software for it, which I did, still nothing.
      The next time I called they moved my call to tier 2 and the guy told me the same thing and I explained that I had done it, so he walked me through searching the CD for the win2k version of the software which wasn't there. I asked him if the software was available online and he told me it wasn't. If it were I could have gone home and downloaded it and then installed it.
      By now I was getting a little frustrated and asked the guy what he was going to do about it, his initial reply was that they may do nothing because I had upgraded myself when I should have had a professional install the software for me lol

      At that point my father who is a city councilor and president of the local cable review board got on the phone and told the guy that it would be a shame if mediaone lost its contract (in a city of 100,000 people) because they weren't able to help one customer.

      The guy got his supervisor on the line and I took the phone back. She told me they would mail us the software we needed and it would be there within a week, since this was a Friday afternoon and they wouldn't be able to send it till Monday at the latest, that was the end of the conversation.

      Needless to say my parents weren't terribly pleased that they would be without service for a week so I threw a free AOL disk in their machine to get them online, I then searched for the company name that made the cable modem, and to make an already long story shorter, found it, downloaded the software I needed, and had the machine back online in 15 minutes.

      Oh by the way we still haven't received the software from mediaone 6 months later. :-)

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein
  426. Re:Read your TOS! by Anonymous Coward · · Score: 0

    Why is the first of these two ways "artificial"? Cable systems were designed from the outset to deliver television content to homes, long before anyone thought of using them to provide computer connectivity. The infrastructure would have required massive changes to provide symmetric bandwidth.

  427. Re:Read your TOS! by Anonymous Coward · · Score: 0

    I was running a web server on MediaOne that maybe got 5000 hits a day, until two days ago when they started blocking port 80. The funny thing is that my little web server generated maybe 10-20 megs of traffic a day. If I set up a open napster server or gnutella server, that will generate 1000x that bandwidth. Web servers are the least of their worries in terms of bandwidth.

    Now I'm co-located which I should have done in the first place. My server is in a fault-tolerant, air-conditioned server room connected to an OC-12 pipe and it costs me very little more than my @home connection.

    http://www.casinowatch.net - the online casino search engine

  428. Re:A simple go-around: by Corgha · · Score: 2

    What is happening is that your server is prepending the server name to the URL

    Actually, that's not the case, and I figured out that the problem was a BASE tag in the HEAD. Time to do a recursive grep.

    In any case, the point of my post was that "just change the port" is not as easy as it sounds, and there are a bunch of ways that it can cause problems.

    Additionally, since running a server is not against the TOS or AUP for AT&T customers (like me), and that's one of the reasons why I chose Mediaone service so long ago, I had (I think) a reasonable expectation that they would not suddenly and arbitrarily block a port without first changing the AUP or TOS, and that I should now have to jump through these hoops because of lusers running IIS is just silly. I know, I was foolish for thinking that I could rely upon a service provider with whom I had a contractual agreement. Silly me.

    So now I have to get DSL from Speakeasy (until Verizon pushes them out of business), which means a lot more money and waiting a few months for Verizon to twiddle their thumbs before they can do an install to an apartment less than 100 yards from the CO. In the meantime I have to set up a redirect service, which is another pain in my ass.

  429. Big deal.. by Anonymous Coward · · Score: 0

    What's the big deal with this? This is actually a very good move and will ease the pain of smaller ISPs who are struggling with failing routers for days now. Blocking incoming port 80 will be a problem for less than 1 percent of your residential customers. If you really want a webserver, run it on port 81, no big deal. 25 (for blocking open-relay) and 1080 (misconfigured proxy service reachable from outside) should be blocked as well. Nobody believes all their customers are all security conscious, right? Trust no one.

  430. Re:If you're in Eastern Mass. AT&T's lying by bill.sheehan · · Score: 2
    I'm not on AT&T. I deliberately went with Verizon DSL because they didn't care what I was doing with my bandwidth. There are no prohibitions against httpd, etc. in the Verizon AUP.

    What disturbs me most is not so much that they did it, but that they gave absolutely NO notification. I was beating up my server and firewall yesterday trying to figure out why I couldn't access my webserver from outside of my home LAN. Finally I got the bright idea that I was being blocked, and started checking around. Verizon's website has an announcements section, but there's nothing there about filtering http. Finally found a rather oblique reference on their system status page.

    It's no way to run an airline...

    I thought I'd read The Power of Positive Thinking, but what's the use...

  431. blocking port 25 does not hurt too bad by Anonymous Coward · · Score: 0

    I just run a sendmail daemon on another port as well, then I can still get to my smtp server from any isp.

  432. Only port 80? by vrt3 · · Score: 1
    In Flanders, Belgium, the (almost) only cable internet provider is Pandora, and they block ALL incoming ports under 1024. You're not allowed to run servers on their network anyway, but that doesn't mean I have to like it.

    They also block outgoing port 80, so you HAVE to use their proxy.

    --
    This sig under construction. Please check back later.
  433. Re:SSL anyone? by Maditude · · Score: 1

    Thanks for that link... I'm a bit worried by this,
    however (gotten by clicking on the "Demo" link at freessl.com):

    "www.freessl.com" is a web site that uses a security certificate to identify itself. However, Mozilla does not recognize the Certificate Authority that issued this certificate.
    Anyone else use them? Sounds promising, but a bit painful to explain the security implications to my rather non-computer-literate family who live far away.

  434. They should remain blocked by Anonymous Coward · · Score: 5, Insightful

    99% of cable modem and DSL subscribers do NOT need to run servers of any kind. By leaving them open across the board you open the door for this kind of worm to propagate across misconfigured systems where people have gone and accidentally installed IIS or even an unpatched UNIX box. Does that mean you shouldn't be allowed to run servers period? No! What should be required is for you to sign a consent statement that says you are responsible for any damage caused by attacks taking place from or to your machine and will pay any cleanup costs needed to deal with attacks against a server on your network. There should also be a formal risk assessment and penetration test conducted against your server setup to determine if it is indeed ready to be connected to the Internet. Too many people are putting these god damned buggy open machines on the Internet and then bitching about censorship when an ISP filters them. If people would take responsibility and make sure their systems are constantly updated it wouldn't be an issue, but most DON'T. And no, I'm not talking about the uber geek average Slashdot guy who upgrades their kernel every night to the latest version and has a cron job setup to do an apt-get update. I'm referring to Joe Average who installed his first Linux box to fiddle with or the guy who installs IIS during the Win2k install because it was there and he wants a full install of the OS. These people should not have full unfettered access to the Internet. You guys are starting to sound like the people I have to deal with who absolutely demand to have complete unfiltered access to the Internet so they can run whatever god awful program of the day they've come up with as a business requirement that is blocked by the firewall. Netmeeting anyone? Oh, you want to punch IPSec holes through the firewall? Uh huh.. no... FTP??? You want an FTP site on your desktop? Uhhh.. no.

  435. Re: Even if you did run a Web server... by elemental23 · · Score: 1

    128k isn't that bad if you're just serving up a few pages. I've been running a low traffic web server off my DSL line for over two years with only 128k upstream. I used to think I'd have to upgrade to 384k SDSL or some such but the need hasn't come up yet.

    But then, I keep individual pages < 80k including images (anything bigger is too slow for dial-up connections). And "low traffic" is key, I can handle a few simultaneous readers with no slow-down, but I wouldn't want my URL posted to the front page of /., for example.

    --
    I like my women like my coffee... pale and bitter.
  436. Re:Hum... by Mooset · · Score: 1

    If they run a small business at home, hopefully they have the business service and not the residential service. This only affects the residential customers.

  437. Re:Even if you did run a Web server... by loraksus · · Score: 2

    you're not in the backwards usa. I know people in BC that get 1.5mb up and down and 3 static ips for $40 a month. We get anally raped down here in the states.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  438. Re:Read your TOS! by Anonymous Coward · · Score: 0

    "Again, these aren't totally valid arguments. I've not seen any valid, technical reason to prohibit servers on broadband connections that cannot be satisfied by other means. As I've said before, the real push seems to be to restrict home users from being content producers."

    Remember that a cable modem has an upstream bandwidth that is only a fraction of the downstream bandwidth. If my neighbors start serving up streaming video content from their home systems and filling this relatively narrow pipe, I will definitely notice the effect and I won't be very happy.

  439. Re:Move to Canada by aoeuid · · Score: 1

    Note, I said I've heard they like to censor, not that I have experienced it first hand. Please, I would never sign up for a service that dictated terms such as that (well, as long as there are alternatives).

  440. Re:I've read my TOS and it sucks. by Anonymous+Brave+Guy · · Score: 1
    I bought bandwidth from my ISP and I expect them to deliver that bandwidth.

    It's an interesting question you raise there: did you actually buy bandwidth? I bet most service agreements out there don't say this; many certainly are very careful to avoid committing to any quantified level of service.

    If my machine has a security problem and starts attacking other sites on the Internet, that should be my problem, not my broadband provider's problem.

    Unfortunately, it is their problem when they start receiving huge numbers of abuse calls because you left your box open.

    Now, if only a small handful of subscribers were suffering from these problems, that wouldn't be so bad. The odd abuse call can be dealt with easily enough. Unfortunately, it's not just a small handful of people who leave their boxes open, it's thousands of them. Those people are each generating abuse traffic to the ISP, and the ISP has to pay their people to clean up the mess. That money has to come from their profits, and ultimately from the money their subscribers pay them.

    So, they have a simple commercial decision. Do they...

    1. cut off the abused service, probably eliminating a small amount of their subscriber revenue but the vast majority of complaints;
    2. leave it running, put up the costs for all of their subscribers to cover the extra expenses and pray that large numbers of subscribers don't take their business elsewhere as a result;
    3. take a hit to their profits?

    You can bet it's not going to be the third option. The practicality of the second is highly debatable. That leaves number one as the only commercially viable solution. While I dislike the result, I don't think we can reasonably blame a business for doing the only thing that makes business sense. Instead, blame the significant fraction of idiot subscribers who've forced them into it.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  441. Couldn't Linux Users Sue Microsoft? by Anonymous Coward · · Score: 0

    As a Linux user, it seems clear to me that Microsoft *IS* responsible for this crap. The reason that ISP will shut off port 80, is because they want to make more money and this is a convenient excuse to force users to buy commercial accounts. Microsoft is such a fucking piece of shit. BTW - XP is Vaporware MUahahahahaha

  442. Re: TOS restrictions - Solution by psycho_tinman · · Score: 1

    Got a cable connection from @home and yes, it says "any type of server" is forbidden. They explicitly mention webservers and ftp servers in this. The cable connection is intended for "typical home internet use" only..

    Now, when I installed linux, this caused me some amusement because I had to run an X-server (heh, which when interpreted narrowly, is a violation of the TOS). Also, I use a webserver at home for testing out Perl scripts and stuff.. so both those put me in violation of the TOS.. I also left sshd running so I could check on things while at work. No one warned me for infringement, and anyway, I could argue that this constituted typical internet use for me...

    Why don't people start running their webservers on ports other than 80 ? the ISP can't block everything, surely.. and if you really want to share files, run your webserver on an alternate port and you're good to go...

    I agree though, if you're running a high traffic site, get something else

  443. virus protection by Proud+Geek · · Score: 3, Insightful
    All they are doing is trying to eliminate the two latest and nastiest network viruses, sircam and code red. Sircam starts sending stuff on port 25, and code red works by receiving stuff on port 80. I thought people WANTED those two worms squished!

    And for anyone complaining, read your TOS first. As several other people have pointed out, it specifically prohibits running servers, and allows this in other ways as well. You're not guaranteed an unbreakable or complete Internet connection for your $35 a month.

    --

    Even Slashdot wants to hide some things

    1. Re:virus protection by Anonymous Coward · · Score: 0, Funny

      I thought people WANTED those two worms squished!

      There's more than one way to squish a worm.

      If your neighbor used hydrogen bombs to get the cockroaches out of his apartment (and guess what -- it would get 'em out of yours too), I bet you would complain about it, instead of saying "Thanks for killing my cockroaches."

    2. Re:virus protection by GiMP · · Score: 1

      Verizon allows for running servers on all DSL services in their current TOS.

  444. Re:Servers were never allowed out on cable by Jeffster98 · · Score: 1
    The @Home customer agreements never allowed servers, particularly web servers.
    Not true. I subscribed to @Home on February 8, 1997. The subscriber agreement I was issued stated the following under "Service Characteristics":
    b)FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither TCI nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.
    Subsequent calls to customer service revealed that such servers were allowed, but were not "supported" as in they would not answer technical questions relating to the operation of servers. The rest of your points are certainly valid, but it's interesting to note that @Home did allow servers once upon a time.
  445. Re:Verizon by SpaceLifeForm · · Score: 1
    All you base are belong to us!

    No, no! It should be:
    All your ports are belong to us!

    Damn, that sounds like we're getting in the rear.

    Hmmm, we are, aren't we?

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  446. Re:The end of a state of denial by James+Willard · · Score: 1

    That's incorrect. My AT&T subscriber agreement explicitly states that users -are- permitted to run servers although it's discouraged due to security threats against the individual's PC. Look for yourself, it's at http://broadband.att.com

  447. Re:We haven't done this yet.. by TMB · · Score: 4, Insightful
    Which accomplishes NOTHING for the current situation. Blocking inbound port 80 to the infected is worthless - they are ALREADY infected. Blocking outbound port 80, which WOULD do some good, will also stop them from using a web browser, which is bound to piss them off.

    Sure it pisses them off. So they call you up and say "Why can't I access the web?". And you look up their ISP and say "Because your computer is infected with a worm that is taking up significant bandwidth and trying to infect other computers to do the same. If you fix that, we'll let you surf the web again."

    At least if they're pissed off, they'll go and get the fix so they can surf to their pr0n again.

    [TMB]

  448. Re:SSL anyone? by LinuxHam · · Score: 1

    Mozilla does not recognize the Certificate Authority that issued this certificate.

    When you run any SSL server and sign your own certificates, you will always pop up the security warning stating that the server is issuing a certificate signed by an untrusted authority.

    That behavior is normal when rolling your own SSL. You can learn how to generate a CA Certificate and teach your users how to import the CA Certificate.

    --
    Intelligent Life on Earth
  449. Re:Read your TOS! by Thatman311 · · Score: 0

    My current ISP only said that as long as any network activities cause interference with their other customers (and that the activity wasn't illegal, which included running a smtp that just sends spam ). Hell SpeakEasy.net ENCOURAGES people to run their own game servers and web servers. They actually advertise that they WANT people to run their servers and get the most out of your DSL. They will even POST your game server's IP on their public gaming web sites so all can get to it. So...do you think SpeakEasy.net doesn't want you to run your own servers? Ah...they advertise it as one of the things you can do to get the most out of your DSL.

    --
    Silly Rabbit...Sig's are for kids.
  450. Re:Taking business elsewhere - !@#$% by Billly+Gates · · Score: 2
    ". The idea of capitalism seems great, but it just doesn't work"

    Remember watching the television footage of the old Soviet Union right before it fell apart where you had to wait in line six hours for a loaf of bread?

    I will take capitalism anytime now thank you. Keep in mind where a monopoly exists there is no true capitalism but rather a monarchy or a dictatorship. A sign of an oligarchy where everything is ruled by a few is also unhealthy because in true capitalism a competitor can come in. This is why I hate most American libertarians, or anarchists as they call themselves in Europe. They believe the market is the one true god and oppose all government interaction. I believe it's the American government's fault for listening to lobbyists from the communication industry that are blocking competition and creating this so-called oligarchy, and libertarianism encourages this. By the way, it's the businesses' playground and they have a right to not let you play.

    In New York City where I live there are those who are taking matters in their own hands and sharing or renting out their own bandwidth and giving the finger to Time Warner and Verizon.

    How hard can it be to crack into the internet backbone and have enough geeks volunteer to set up fiber and splitters to people's homes? Perhaps what we should do is collect money and see how much it will cost to have UUnet let us in. If we can wire ourselves with fiber for one centralized hub, it may be only $12 a month plus we can have our own servers. The reason why commercial DSL lines are expensive is because only businesses use them and do not want to hack around like this but rather pay a telco company through the roof instead.

  451. Re:Try again by reezle · · Score: 1

    Infected Servers are literally screaming out their presence. My little firewall is logging 3-4 hits per second from infected machines on nearby subnets. I've used a web browser on a few of them and discovered that /../scripts/root.exe exists quite often.... All the ISP has to do is look at a firewall log to see who's got it. Knock that IP off their routers, and wait for the doofus to call tech support.

  452. Move to Australia, but don't use Telstra by The+Original+Yama · · Score: 1

    I've been using Optus@Home for about a year now and I can say it is really good. They don't have a set transfer limit like Telstra do. By the looks of it, they aren't filtering any ports, and I have not noticed much of a difference in network speed at all. They appear to be using Solaris with Apache or Netscape Enterprise (depending on the server) on their servers.

  453. Fix if you have apache by hey! · · Score: 2
    If you have access to another server running Apache, try this.

    (1) On the blacked out server, add the following directive to httpd.conf:
    Port 81

    This sets the port to 81, which is not blocked. Your users can't find you yet unless you tell them, so we need access to another server and to make some DNS changes.

    Suppose your old server was really "blah.mediaone.net", but you've been calling it "foo.mydomain.com". You also have access to some other server "bar.mydomain.com" at IP address "123.456.789.123".

    (2) Change your DNS to have a CNAME from "foo.mydomain.com" to "123.456.789.123".

    This means that people will be directed to the "bar.mydomain.com". Next we have to tell the bar.mydomain.com server to redirect people to "blah.mediaone.net:81".

    (3) On foo.mydomain.com, go to the httpd.conf file for Apache. Enter the following:

    NameVirtualHost 123.456.789.123
    #the next is for our existing foo.mydomain.com service
    <VirtualHost 123.456.789.123>
    ServerName foo.mydomain.com
    DocumentRoot /whatever-it-was-before
    </VirtualHost>

    #Next we fix up the bar.mydomain.com service
    <VirtualHost 123.456.789.123>
    ServerName bar.mydomain.com
    # redirect everything to corresponding blah URI
    RedirectMatch permanent ^(.*) http://blah.mediaone.net:81$1
    </VirtualHost>

    Now, anytime somebody goes to an old url such as "http://bar.mydomain.com/blech.html" they are redirected to "http://blah.mediaone.net:81/blech.html".

    Most things should be working but you need to fix up some things involving cookies that may not be properly sent to your broadband service.

    (4) [advisable] Find all places on your broadband hosted service where "foo.mydomain.com" is hard coded and change them to "blah.mediaone.net:81".

    There you go. URLS look a bit ugly in the browser but everything now works like status quo ante.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  454. Re:imagine if other utilities did this by enocim · · Score: 1

    blocking port 80 incoming is not such a big issue for Joe User because who the hell would run a webserver using win9x? The more serious injustice to the client is the port 25 outgoing, which is as someone posted in an earlier thread a way to confuse Joe User and convince him that he needs to pay more money for a would-be standard service at any other provider. I work for a web hosting outfit and we have set up our SMTP servers to accept requests on port 30 as well. I don't see the big need to run a webserver from home anyways... and if you are and you want to foot around and test, again like many others have posted, use 8080, or 31338 or 9673.

  455. Survivor by Anonymous Coward · · Score: 0

    Let's vote Windows off the 'net.

  456. Re:Give me a break by Dyolf+Knip · · Score: 2
    From Bellsouth's DSL TOS:

    Customer must maintain Fast Access Service for at least 12 months from the Professional Installation date and pay all charges in connection therewith in a timely fashion.

    Well, goodie. Not only did I have to shell out for installation fees (mostly waived), but I'm stuck with whatever inanity they decide to pull for a full year. I really do want to get this particular part of the Agreement nixed.

    --
    Dyolf Knip
  457. Re:I've read my TOS and it sucks. by cyberdonny · · Score: 2
    > If 99.9% of all security problems are redhat, then the Code Red II worm is only 0.1%. So, you multiply the code red worms by 1000, that is the number of unsecured redhat boxes, clearly a realistic number.

    Good for us. Let's also assume that half of the Red Hat installations have a security problem (which, given Linux' security is clearly an exaggeration). This would mean that we have at least (assuming 140000 Code Red boxes at the peak, according to Caida):
    140000*1000*2 = 280000000 Linux boxes out there!
    And that's even taking an extra-ordinarily high ratio of vulnerability. If we take a more realistic ratio of 1% of RHAT boxes being vulnerable, we get:
    140000*1000*100 = 14000000000 Linux boxen!
    Now how's that for popularity? These are more than people on earth (including Third World countries where most cannot even afford a computer...), and some have the gall to claim that Linux' market penetration is negligible!

  458. Re:I've read my TOS and it sucks. by Anonymous Coward · · Score: 0

    It's called metaphor, jackass.

  459. organize a class-action by Anonymous Coward · · Score: 0

    I think this is just an excuse for pushing their customers into buying their more expensive business services. All I want is to let my family look at vacation pictures. I shouldn't have to buy some business package I'll never use. The sad part is that they have a monopoly in most areas and I can't go to a different provider because there is none in my area.

  460. Re:Move to Canada by Malc · · Score: 2

    "If you run a server, I can't fault them for wanting you to purchase a business account."

    Why? What's so special about a server that warrants having a business account? Let me tell you, 3 hours of playing Quake 3 will consume more of my ISPs bandwidth than 3 months of the small number of hits on my personal web site. I don't need nor care for what a business account offers me.

    It sounds to me like you've already given in and are happy to let the ISPs make up the rules. Sorry, but I'm not. As a customer, I have the right to make demands for change if I don't like the service. Thankfully there is a small amount of competition for DSL in my area, and I see several acceptable alternatives if my ISP limits its service any further. I want to run servers and host my own domain, and I don't see why I should have to pay through the nose for the privilege.

    If running a server requires a business account, does that also apply to peer-to-peer software, where everybody is a server?

  461. Re:No sympathy by Anonymous Coward · · Score: 0

    How about my personal ssh server that I use to connect to my home machine from work? I usually (though not always... sometimes I'm a bad, bad boy) give permission to myself to access my own machine.

  462. Re:911 by Anonymous Coward · · Score: 0

    PR0N, duh!!!

  463. Re:No sympathy by James+Willard · · Score: 1

    AT&T permits its users to run servers. From the service agreement at http://broadband.att.com:


    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

  464. Re:imagine if other utilities did this by Sideways+The+Dog · · Score: 1

    Actually, in California at least, the power company does charge differently. But in this case, residential users pay less for power than businesses. Business contracts are also juicier for the phone company than residential, especially rural service. Basically, it is the business users who subsidize the highly unprofitable rural users. And as far as not advertising, if you are smart enough to need certain ports to not be blocked, you are smart enough to read the TOS. Really, you shouldn't invoke government regulation unless there is a natural monopoly. As long as you have choice, DSL or cable modem, regulation is just wrong. What is needed is better enforcement of the government regulation, that the phone company should open up DSL and support the DSL providers, rather than delay setting up a start-up DSL company's connection (or blaming faulty connections on them) until the start-up runs out of money. Even DSL could be competitive with other DSL providers. Free market works!

    --
    "Love is never saying you're too proud." -Tonic
  465. CLEC giving out bogus IPs by Frank+T.+Lofaro+Jr. · · Score: 2

    Dynamic IPs are bad enough, but at least you are on the Internet when you have one.

    A non-routable IP means you are not actually on the Internet, just connected to a device that is. You can not receive incoming connections at all, which affects more than servers (e.g. FTP clients not in passive mode).

    Putting people on NAT by default seems extreme.

    How much more do you charge for a REAL dynamic IP? For a real static IP?

    --
    Just because it CAN be done, doesn't mean it should!
  466. So why not change your port number? by macemoneta · · Score: 1

    It's not that hard, and it can be made transparent to your users by mapping the URL with an intermediate service. If that's the only port Code Red is looking at, it seems easy enough. Or just install Apache. I count myself in the cadre of fscking newbies, but if this is too difficult for you, you probably shouldn't be running a server anyway. Code Red will be the least of your problems over time...

    --

    Can You Say Linux? I Knew That You Could.

  467. Why not make a PatchUp-Worm? by FlyveHest · · Score: 1
    My guess is that this has been done to avoid further spreading of the Code Red I/II worm, but I was thinking, why hasn't anyone made a PatchUp worm yet?
    With CR2, you wouldn't even need to make it a worm, couldn't you just make some sort of script that uses the cmd.exe file to patch the server, and remove the remnants of the worm?
    I know that this could possibly be considered a hostile move, and deemed not much different from the worm itself, but, it could be a good move to stop the worm, and do all the "#% lazy sysadmins a great big favour.

  468. Re:As a CLEC, this is how we have been coping. by NutscrapeSucks · · Score: 1

    One thing to consider is that if you have a large DHCP or PPPoE network, just associating an IP address to a customer is probably a minor undertaking. Especially if you throw a legacy system to track customer accounts into the mix.

    So, yeah, an automated scan/notify/block system could be put in place, but at a big cable/dsl ISP, it would take some work. It might be easier to block everyone and just enable those who complain and scan clean.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.
  469. Re:Read your TOS! by sharkey · · Score: 2
    Yep. That seems to directly contradict this prior section of the agreement:
    RESELL THE SERVICE OR OTHERWISE CHARGE OTHERS TO USE THE SERVICE, IN WHOLE OR IN PART, DIRECTLY OR INDIRECTLY, OR ON A BUNDLED OR UNBUNDLED BASIS. THE SERVICE IS TO BE USED SOLELY IN A PRIVATE RESIDENCE; LIVING QUARTERS IN A HOTEL, HOSPITAL, DORM, SORORITY OR FRATERNITY HOUSE, OR BOARDING HOUSE; OR THE RESIDENTIAL PORTION OF A PREMISES WHICH IS USED FOR BOTH BUSINESS AND RESIDENTIAL PURPOSES. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, THE SERVICE IS FOR PERSONAL AND NON-COMMERCIAL USE ONLY AND CUSTOMER AGREES NOT TO USE THE SERVICE FOR OPERATION AS AN INTERNET SERVICE PROVIDER, A SERVER SITE FOR FTP, TELNET, RLOGIN, E-MAIL HOSTING, "WEB HOSTING" OR OTHER SIMILAR APPLICATIONS, FOR ANY BUSINESS ENTERPRISE, OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL
    Don't you love a provider that feels the need to scream at you, when they can't even find the states they do business in on the map?

    Of course, dig into the agreement deeper, and it appears that the "Service" consists solely of the software they installed on your Windows PC or Mac. You could argue that since you are not using that software, you are not using the "Service" to run said servers, end-points, etc., but merely connecting to their network without using the "Service."

    Of course, IANAL.
    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  470. Re:Cablevision in NJ blocking inbound port 80 by Prolixium · · Score: 1

    same for me in central NJ. and I was running apache... :-( 2 weeks until back to school...I'll tunnel a port or something when I get there...

  471. Re:No blocking yet by krogoth · · Score: 1

    I use sympatico, which doesn't block anything, but the funny thing is that I've gotten more code red 1 attacks than code red 2 attacks (1 out of ~7) in the last few days.

    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.
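
Comments 451 and 471 both read worm traffic straight out of server or firewall logs. The sketch below is an added example, not code from any poster: it tallies /default.ida probes in Common Log Format, separating the original Code Red (N padding) from Code Red II (X padding), and lists sources that probe repeatedly. The sample log, function names and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Common Log Format. Addresses are from the RFC 5737
# documentation ranges and the padding runs are shortened to 32 characters.
_N, _X = "N" * 32, "X" * 32
SAMPLE_LOG = f"""\
192.0.2.10 - - [08/Aug/2001:02:11:45 -0400] "GET /default.ida?{_N} HTTP/1.0" 404 276
192.0.2.10 - - [08/Aug/2001:02:19:02 -0400] "GET /default.ida?{_N} HTTP/1.0" 404 276
198.51.100.7 - - [08/Aug/2001:02:12:03 -0400] "GET /default.ida?{_X} HTTP/1.0" 404 276
198.51.100.7 - - [08/Aug/2001:02:12:09 -0400] "GET /DEFAULT.IDA?{_X} HTTP/1.0" 404 276
198.51.100.7 - - [08/Aug/2001:02:13:40 -0400] "GET /default.ida?{_X} HTTP/1.0" 404 276
203.0.113.5 - - [08/Aug/2001:02:14:40 -0400] "GET /scripts/root.exe HTTP/1.0" 404 270
203.0.113.77 - - [08/Aug/2001:02:15:00 -0400] "GET /photos/vacation.html HTTP/1.1" 200 5120
203.0.113.77 - - [08/Aug/2001:02:15:30 -0400] "GET /default.ida?N=1 HTTP/1.1" 404 270
this line is not in common log format
"""

# host ident user [timestamp] "METHOD target protocol" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The path is matched case-insensitively because IIS treats it that way.
# A long run of one padding character is required so that an ordinary
# query such as /default.ida?N=1 is not counted as a worm probe.
IDA_PROBE = re.compile(r'^(?i:/default\.ida)\?(?P<pad>N{16,}|X{16,})')

# Request for the cmd.exe copy mentioned in comment 451. A person with a
# browser produces the same line, so it is counted but never treated as
# proof that the requesting host is infected.
ROOT_EXE = re.compile(r'(?i)/scripts/root\.exe(?:\?|$)')

WORM_KINDS = ("code-red", "code-red-ii")


def classify(target):
    """Return a label for a request target, or None for ordinary traffic."""
    m = IDA_PROBE.match(target)
    if m:
        return "code-red" if m.group("pad")[0] == "N" else "code-red-ii"
    if ROOT_EXE.search(target):
        return "root-exe-probe"
    return None


def summarize(log_text):
    """Tally probes per kind and per source; count lines that fail to parse."""
    counts = Counter()
    by_source = defaultdict(Counter)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = CLF.match(line)
        if not m:
            unparsed += 1
            continue
        kind = classify(m.group("target"))
        if kind:
            counts[kind] += 1
            by_source[m.group("ip")][kind] += 1
    return counts, dict(by_source), unparsed


def infected_sources(by_source, min_hits=2):
    """Sources with at least min_hits worm-signature requests, busiest first."""
    hits = ((ip, sum(kinds[k] for k in WORM_KINDS)) for ip, kinds in by_source.items())
    return sorted((h for h in hits if h[1] >= min_hits), key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    counts, by_source, unparsed = summarize(SAMPLE_LOG)
    for kind, n in counts.most_common():
        print(f"{kind:15} {n}")
    print("unparsed lines:", unparsed)
    for ip, n in infected_sources(by_source):
        print(f"notify {ip}: {n} worm requests")
```

Requiring repeated worm-signature hits before a source is listed keeps a single stray request from putting a subscriber on a notification list.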
  472. Re:Read your TOS! by Fred+Ferrigno · · Score: 1

    I've not seen any valid, technical reason to prohibit servers on broadband connections that cannot be satisfied by other means.

    Other than patching thousands of websites run by people who largely don't even know they're running them and don't care to install the patch, I haven't seen a better technological resolution to problems like Code Red. Additionally, though the sites might get patched for Code Red after much effort, I've no doubt that more vulnerabilities will develop, which will also go unpatched.

    As I've said before, the real push seems to be to restrict home users from being content producers.

    As a matter of fact, I agree 100%. I don't doubt that this move is intended to force users to upgrade. However, as purely a matter of security, I have no problem with it. As a user, I also have no problem with it. Do you really think I'm trying to deny the free flow of technology? I don't think I'm being elitist, and I would hope you might understand that I'm not.

    I have a theory that nearly all arguments more or less boil down to differing opinions on a single value judgement. Here, it seems to be the benefit of reducing the risk of Code Red and other vulnerabilities related to unpatched websites vs. the benefit of running an uncensored webserver with total control.

    I'd love for everyone to be able to publish any content online for free, which is why I run a Freenet node on my DSL. Despite that, I feel that the number of users in such a situation is very small, and as unfortunate as it is that they might have to move to a pay service or switch to a non-standard port, I feel that this is justified given the risk. Obviously, you do not.

  473. Re:Read your TOS! by Artemis · · Score: 1

    Yeah, because god forbid somebody not have cable/dsl/broadband access, why would they ever want to keep on living? geezus.

  474. Re:This really appears to be... by copec · · Score: 1

    You could theoretically do transparent proxying in both directions?

    can squid filter out the requests that exploit the security hole?

  475. Re:Here's a nifty trick by reezle · · Score: 1

    Why not write the app to just drop a .txt note on the 'all users' desktop? Just about as easy, once they've been hit with code red 2... Publicly accessible cmd is an interesting thing.

  476. Re:Read your TOS! by rabidcow · · Score: 1

    Don't be so arrogant. The @Home "Subscriber Agreement" (effective 9/15/99) includes the clause you linked to, however in section 7 of the "Getting Started Guide", "@Home's Acceptable Use Policy", it says:

    You may not run a server in connection with the @Home residential service, nor may you provide network services to others via the @Home residential service. The @Home residential service includes personal Webspace accounts for publishing personal Web pages. Examples of prohibited uses include, but are not limited to, running servers for mail, http, ftp, irc, and dhcp, and multi-user interactive forums. For information about @Work products for commercial or network services purposes, including commercial-grade remote LAN access, please see http://work.home.net.
  477. Re:Move to Canada by lhand · · Score: 1

    Personally, I think it's my god given right to use allocated bandwidth however I choose. It's one thing to limit bandwidth, quite another to censor what bytes are allowed in my incoming or outgoing tcp segments.
    Of course, you may want to check your agreement with your provider. You may have signed away your god given right on the dotted line when you signed up for service.

  478. Re:Verizon DSL is NOT THAT EVIL by supz · · Score: 5, Informative
    Please forgive me if I don't make entirely too much sense right now, as I just woke up. (Yes I'm on the East Coast, Yes it's 2:29 AM, Yes I have insomnia)

    I noticed this happened around 5 am yesterday morning (Tuesday, August 7th). Well I didn't notice it, I just tailed my apache logs and web requests seemed to stop coming in around that time. None the less, I got into work that day and noticed I couldn't access my personal web page... NOTE: Personal, not commercial. I put pretty pictures, that I've taken with my digital camera, on it. I was however able to ssh into it and ftp into it.

    What was going on? I got scared for a second cause I thought perhaps they started enforcing some term of their service, but it wasn't until I got home and (not so thoroughly) skimmed through their TOS that I realized running a server was not against their TOS, as a matter of fact they worded it so JUST dialup users cannot run a "server of any kind", and it seemed to be fine for DSL users.

    So I call up Verizon, talk to a couple different people, none of which knew a single thing about anything. One tried to accuse me of violating the TOS, and I told them it said I'm allowed to run a server in it. She shut up immediately.

    Another told me that since I wasn't patched against code red, my internet service was being blocked. I told her I wasn't using a Microsoft operating system therefore I'm not affected by it, and even if I wanted to I wouldn't be able to apply the patch. She told me that because I didn't apply the patch, port 80 was being blocked. Again, I explained to her I wasn't running a Microsoft OS. In the end I think I explained it to her around 5 times... hopefully she knows a little more about computers now.

    Finally I got to some guy who was somewhat intelligent, although he did call Linux, L-EYE-NUCKS, he seemed to have some understanding of how to press buttons. I asked him why port 80 was being filtered, and he told me because Microsoft had recommended they block the port. (BTW, I totally agree with someone else that commented on this, who said that because of Microsoft building insecure web servers, we are paying. That is fuct) I asked him if there was anything they could do to unblock the port for me, like put me on another subnet and give me a static IP (I'm a sneaky bastard), or put some kind of flag on my account. He told me that for the time being there was no workaround, however he would post a memo and suggest to their tech team they find a way around the port blocking for users who are patched, or not running a Microsoft OS. I asked how long the filtering would stay in place ... he told me it would only last for another couple hours. Right there I told him I didn't think that was true, but he insisted it would only last another hour or two, MAX... port 80 is still blocked.

    I just thought I'd contribute this tidbit. I have Verizon DSL in Northern New Jersey, in Essex County. Again, their TOS did not prohibit running a server, unless you are on a dial up. I would post it here, but there is also some clause in their TOS that prohibits reproducing it, so if some brave soul wants to post it below this, go right ahead =]

    I need to get a higher paying job so I can get a T1 and then just have to deal with UUnet fiber-optic cuts because of train wrecks.

  479. Re:AT&T / Mediaone is blocking ALL HTTP GET REQUES by CM39 · · Score: 1


    Still working for me on port 8080

    --

    "PMS is the time of the month when women act like men do all the time"
    Robert Heinlein
  480. Re:Leased Line by Anonymous Coward · · Score: 0

    Amen Brother!
    I work for an ISP doing 2-3 lvl tech support for cable modems and DSL. I get people all the time that say something along the lines of the following:

    "I am paying $40 per month, which is twice as much as dialup, so I expect 100% uptime with a 2 hour turnaround for signal related issues".

    I just want to tell them how much a dedicated service would cost, but I'm too nice for that. Then you get the people who are breaking our TOS by using the connection for profit, and they say:

    "I'm losing $1000.00 per day because I can't get on the internet!!!"

    That's great sir, let me cancel your account for breaking our TOS!!!

  481. Re:We haven't done this yet.. by krogoth · · Score: 2, Insightful

    Here's an idea: people who ask can get ports unblocked for free. That way you protect the idiots without restricting the people who want to run a real server.

    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.
  482. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  483. Re:Hum... by Anonymous Coward · · Score: 0

    damn you one smart mofo how you get so smart smart pills? where you get dem smart pills the smart pill store bet you iz a whiz at them compterz you rock go on with your bad self girlfriend

  484. Cablevision in NJ blocking inbound port 80 by zerofoo · · Score: 1

    Cablevision in NJ is blocking inbound connections on port 80. This sucks! I get penalized for all the dumb-asses that can't patch their IIS boxes! AAARRRGH!
    -ted

  485. Re:Servers were never allowed out on cable by Anonymous Coward · · Score: 0
    It's just as possible to eat up the limited upstream bandwidth by uploading large files to Hotmail, but they don't ban that.

    Do you know anybody who actually would do this 24/7, as a web server potentially would?

  486. Only If... by Jebediah21 · · Score: 1

    Only if your service agreement allows you to run servers should you be griping about this. PacBell states this and makes it pretty clear. I had no intention of running a web server for outside use anyhow. If you're looking for somebody to bitch about Microsoft fits the position.

    Anybody interested in starting a pool on when the next major MS virus will come?

    --

    Everytime you look at porn a devil gets their horns.
  487. Actually... by Anonymous Coward · · Score: 0

    Their TOS has a clause that explicitly says you can run FTP/HTTP servers (section 9.b):

    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

    Of course, they still have the "right" to block port 80, but users can still set up web servers.

  488. And you're a dreamer by ergo98 · · Score: 1

    The whole point of the previous poster is quite simply that there is a HUGE swath of bullshit that @Home would have to put up with to try to act as the guardians of morons (morons who are doing something that is prohibited in the TOS to begin with (the whole not allowed to run servers thing that has been hashed over on here countless times, each time with the standard "time for DSL!" crap). If you want to host servers get @Work or a business line): Imagine every half-wit, full-of-themselves wanker setting up a funny honeypot causing false-positives running to Slashdot to decry the horrors of @Home: Damnit didn't they notice that it's Apache running a false-positive script? Imagine the human requirements when Jimbo the Wanker's port 80 port gets blocked because he's vulnerable (and how, pray tell, does one check this with a script? Incite a buffer overflow? Technically @Home would be breaking the law. The existence of the .ada ISAPI extension in no way indicates the existence of the fault), so he installs the patch and calls up @Home begging to be put back on. That's one huge, thoroughly unnecessary, bunch of nonsense. Oh wait: Perhaps they should run their "script" every second flooding every box?

    Previously I ran a little private webserver and enjoyed that I could, but honestly in this situation @Home is doing what they have to do: Watching my firewall I am seeing the infected count of morons who installed IIS (but still have the "Under Construction" page) increasing at a staggering pace, and knowing that every one of those machines has a system account exploit is staggering.

  489. Put your web server on ANOTHER port! by ggravier · · Score: 1

    They filter port 80... big deal... use port 81... or 88... or 8000 or 8080... or anything. Be creative !

  490. Re:imagine if other utilities did this by Anonymous Coward · · Score: 0

    You totally missed the point of the parent post. Here's a clue:

    Because the phone network is a federally regulated service, it is not a "privilege"; the phone co. cannot make rules and pull the plug on a whim, they must follow federal mandates and guidelines.

  491. Re:Read your TOS! by Anonymous Coward · · Score: 0

    While I agree with you about the bandwidth, when water is a limited commodity (during a drought) they do restrict what you can do with your water so that everyone gets access to water. Bandwidth is a limited commodity as well and the ISPs will want to restrict you to provide to customers

  492. I read my TOS too! It's not the same! by Mr.Mustard · · Score: 1
    Not everyone has the same TOS/AUP.

    Since @home is basically a bunch of little cable ISP's that have been merged, different users have different TOS/AUP agreements.

    Where I live, version 3 of the Comcast@Home Subscriber Agreement says the following:

    6. Prohibited Uses of the Service.
    [...]
    b. In addition, Customer agrees not to:
    [...]
    viii. ...THE SERVICE IS FOR PERSONAL AND NON-COMMERCIAL USE ONLY AND CUSTOMER AGREES NOT TO USE THE SERVICE FOR OPERATION AS AN INTERNET SERVICE PROVIDER, A SERVER SITE FOR FTP, TELNET, RLOGIN, E-MAIL HOSTING, "WEB HOSTING" OR OTHER SIMILAR APPLICATIONS, FOR ANY BUSINESS ENTERPRISE, OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL...

    I got away with running a web server and an FTP server for about a year before I got an email from them saying that they would cut off my service if I didn't turn off my servers.

    --
    fnord
  493. Re:imagine if other utilities did this by Anonymous Coward · · Score: 0

    Having spent $69 on an "access appliance" that provides rudimentary firewall capabilities, I don't worry about the code red worm. I can understand why cable operators are upset, though: The back-channel bandwidth they use when customers put defective (i.e. Microsoft) servers on a connection leaves a lot less available for people who are using the service for the purpose it is intended; browsing the web, downloading things, and doing work. I'm probably the most tech-savvy guy in the neighborhood, I have three computers running all the time, and I use SSH and a VPN to connect to my office. Trying to write an AUP that covers every possible stupid, rude, malicious, or foolish act a customer might engage in would be extremely restrictive and require extensive monitoring and higher fees. Instead, carriers try to react to problems when they see them in ways that are as invisible as possible; if it means you can't run a server that they've been turning a blind eye to for a while, say thanks, and do like the rest of us: pony up $20 for El Cheapo web hosting.

  494. Re:Read your TOS! by Versa · · Score: 1

    I don't care about my TOS. I pay for access to the internet, not for "access to the internet that is at&t approved". I have a measly 16KB upload cap. I should be able to do whatever I want with that bandwidth, even if it means running a small server. I would like to make an analogy of the water department. Does the water department prohibit you from owning a pool that you fill up with their water? What if they started prohibiting just that. I would imagine it would cause quite an uproar. I don't see any difference between the water company doing that and @home doing this.

  495. Re:Simply not true... by Placido · · Score: 1

    I don't even know if MS IIS supports this, but luckily I'm not running IIS.

    FYI - it does.

    --

    Pinky: "What are we going to do tomorrow night Brain?"
    Brain: "I would tell you Pinky but this 120 char limi
  496. Adelphia owns everything you post now! by Anonymous Coward · · Score: 0

    Adelphia just revised their terms of service without notifying the customers! It now claims they have rights to all your public posts. http://powerlink.adelphia.net/

  497. Re:Umm by Anonymous Coward · · Score: 0

    Ok people, let's pull our collective heads out of our asses and talk about the realities of managing a national network.

    Fact 1: there are hundreds of thousands of infected machines and they are trying to do a DDOS to certain ip addresses (207.26.131.137 et al.).

    Fact 2: the netblock owners of said ip addresses had to null-route them to avoid their networks imploding. This is not resulting in BILLIONS of ICMP Unreachables flowing back to the infected nets.

    Fact 3: said ICMP Unreachables and general Code Red traffic are overloading the ICMP subsystems of the routers and causing them to slow down or lock up completely.

    Fact 4: most ISPs (the one I work for included) are already running the biggest routers Cisco makes (12000 series). We couldn't upgrade if we wanted to.

    Fact 5: a one-way, one entry ACL (access control-list) entry takes up about .8% of CPU on an OC-12 (622Mbps) feed. I'm talking about an entry of the form:

    access-list 100 deny tcp host xxx.xxx.xxx.xxx any eq www

    What most people fail to realize is that the amount of traffic that the ACL is filtering is not primarily what drives up the CPU utilization, it's the number of entries in the ACL. At .8%, even the guy above should be able to see that listing individual computers would rapidly lead to CPU exhaustion.

    Fact 6: an ACL of the form:

    access-list 100 deny tcp any any eq 80

    takes up the same amount of CPU as the ACL above. Thus, it's a hell of a lot more efficient to do everyone at once as a stopgap measure.


    This leads to the follow-on question: what the hell is being done about the infected machines? Software is being written on the second head as I type that will de-provision the modems of infected customers.

    Understand that in the cable/DSL world, everything revolves around the modem. So when #clueless is infected and I have his ip, I really don't have jack. I need to take that ip and pull up the modem associated with it from the CMTS or DSLAM. Then I take that modem MAC address into the provisioning system and find out the subscriber, which is usually a proprietary application on an internal corporate network. Then, I need to generate a problem ticket in yet another "enterprise" VB-crapware application so when the subscriber calls we can say "Fix your shit, moron" and then, FINALLY, are we able to de-provision the modem.

    As you can see from the above steps this process is neither seamless nor hospitable for automation. But trust me, it IS happening. In Python, of course ;-).
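The lookup chain described in the comment above (worm source IP, then modem MAC from the CMTS or DSLAM, then subscriber, then ticket and de-provisioning), together with its per-entry ACL cost argument, as an added example that is not part of the original comment or any ISP's tooling. The log lines, lease and subscriber tables, addresses, account ids and function names are all constructed or hypothetical; only the 0.8% per-entry figure comes from the comment.

```python
import re

# --- Constructed sample data (hypothetical stand-ins for real ISP systems) ---
# Web sensor log in Common Log Format. 192.0.2.11 is an ordinary visitor.
SENSOR_LOG = """\
192.0.2.10 - - [08/Aug/2001:03:11:02 -0400] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 205
192.0.2.10 - - [08/Aug/2001:03:11:09 -0400] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 205
192.0.2.11 - - [08/Aug/2001:03:12:40 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.12 - - [08/Aug/2001:03:13:00 -0400] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 205
192.0.2.13 - - [08/Aug/2001:03:13:30 -0400] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 205
192.0.2.14 - - [08/Aug/2001:03:13:55 -0400] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [08/Aug/2001:03:14:00 -0400] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 205
"""

# CMTS/DSLAM view: customer IP -> modem MAC. Two IPs sit behind one modem.
CMTS_LEASES = {
    "192.0.2.10": "00:00:5e:00:53:01",
    "192.0.2.11": "00:00:5e:00:53:02",
    "192.0.2.12": "00:00:5e:00:53:03",
    "192.0.2.13": "00:00:5e:00:53:03",
    "192.0.2.14": "00:00:5e:00:53:04",
}

# Provisioning system view: modem MAC -> subscriber account (modem :04 missing).
SUBSCRIBERS = {
    "00:00:5e:00:53:01": "ACCT-1001",
    "00:00:5e:00:53:02": "ACCT-1002",
    "00:00:5e:00:53:03": "ACCT-1003",
}

# Code Red probes request /default.ida followed by a long run of N padding
# (X for Code Red II); match that request in a Common Log Format line.
PROBE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /default\.ida\?[NX]{8,}')

# 0.8% router CPU per ACL entry (the figure quoted in the comment), kept in
# tenths of a percent so the arithmetic stays in integers.
ACL_ENTRY_COST_TENTHS = 8


def infected_sources(log_text):
    """Return the set of source IPs that sent at least one worm probe."""
    sources = set()
    for line in log_text.splitlines():
        match = PROBE.match(line)
        if match:
            sources.add(match.group(1))
    return sources


def resolve(ips, leases, subscribers):
    """Walk IP -> modem MAC -> subscriber, grouping by modem (one ticket each)."""
    tickets, unresolved = {}, []
    for ip in sorted(ips):
        mac = leases.get(ip)
        if mac is None:
            unresolved.append((ip, "no modem lease (off-net or expired)"))
            continue
        account = subscribers.get(mac)
        if account is None:
            unresolved.append((ip, "modem %s has no subscriber record" % mac))
            continue
        ticket = tickets.setdefault(
            mac, {"account": account, "ips": [], "action": "deprovision"})
        ticket["ips"].append(ip)
    return tickets, unresolved


def acl_plan(host_count, cpu_budget_pct):
    """Use per-host ACL entries only if they fit the CPU budget, else one blanket entry."""
    per_host_cost = host_count * ACL_ENTRY_COST_TENTHS
    if per_host_cost <= cpu_budget_pct * 10:
        return "per-host", per_host_cost / 10
    return "blanket", ACL_ENTRY_COST_TENTHS / 10


def run():
    """Run the whole chain over the constructed data."""
    ips = infected_sources(SENSOR_LOG)
    tickets, unresolved = resolve(ips, CMTS_LEASES, SUBSCRIBERS)
    return tickets, unresolved, acl_plan(len(ips), cpu_budget_pct=20)


if __name__ == "__main__":
    tickets, unresolved, plan = run()
    for mac, ticket in tickets.items():
        print(mac, ticket)
    for ip, reason in unresolved:
        print("manual review:", ip, reason)
    print("ACL plan:", plan)
```

With five sources the per-host list fits a 20% budget; at a few hundred infected hosts `acl_plan` falls back to the single blanket entry, which is the trade-off the comment argues for.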

  498. Re:Road Runner by cvincent · · Score: 1

    In my area the section of the TOS says:

    "Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer."

    I've taken the security measures, I always have and always will so I want my 80 unblocked...

  499. Re:Road Runner by P.+Legba · · Score: 1
    While Road Runner isn't blocking (my cable modem light is still going nuts even when my computer is off); it is part of their Terms of Agreement: no e-mail servers, no web servers, no port scans.

    I did a tcpdump this morning to see what the hell was going on with my modem's data light...it's been blinking like mad even when the computer is off for almost a week now. Check of the website indicates that they're going through and detecting customers with open ports 80 and who are "infected" (with IIS, I presume :-) and will be shutting off those customers for a 12 hour period Aug 9, I guess so they can make sure everyone applies the patch to their crapware.

    Anyway, here's the relevant bit from Time Warner in Columbia, SC.

    P.

  500. Re:I've read my TOS and it sucks. by ZxCv · · Score: 2, Insightful

    Bupkis.

    99.9% of security issues comes from companies that don't believe they are at risk. There are those running unpatched linux boxes at home. But compare that number to the number of companies with admins who either don't know any better or just don't care and it pales in comparison.

    If you think the AUPs are that strict for any other reason than marketing, then you don't know corporate america well enough.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  501. Verizon blocking ports by mschaffer · · Score: 2, Informative

    I wonder if Verizon is only blocking ports in certain areas. Recently, Verizon has just pulled the plug on incoming port 80 in my area. They are also blocking incoming port 21 and a few others around here since I started DSL service with them.

  502. Re:Verizon DSL is NOT THAT EVIL by Micah · · Score: 2

    > Yeah that'd be swell, blocking outgoing port 80.

    Then what would you use it for.... gopher?

  503. Re:Leased Line by tshak · · Score: 2

    Ok, now we have a shared T1, for 25 people (who i'm assuming will all be geeks, and will be downloading stuff late at night...) Assume a T1 can get maybe 160k/s throughput (you can't get 100% util on a T1 w/o severe latency problems), you get 6.4k/s.

    Oh give me a break. We run a 40 person office on a 256k (small 'k', your 'k' should be a 'K') frame relay (768 burst... have yet to see it) with a tier 2-N provider (I swear we are about 10 hops away from any POP) and for the most part bandwidth is NOT a problem - even with people streaming "Internet radio" etc. all day long. 25 people sharing a T1 != 25 concurrent downloads of high-rez Natalie Portman pictures.

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  504. Re:I've read my TOS and it sucks. by figment · · Score: 3, Informative
    > If anyone can explain a good reason for banning
    > servers rather than limiting data volumes, I'm
    > all ears.

    Because 99.9% of security issues comes from someone running an unpatched redhat box at home.

    This is not something tier1 tech support can handle, a real sysadmin has to look at it, figure out where it's coming from, and figure out what is going on. That costs money. Say it took collectively 30mins of people's time to figure it out, already that has cost more than what you've paid for this month's service.

    The AUP would not be this stupid or strict if these things weren't a real problem. But they are. Until people (not necessarily you), get the brains to keep their computer up to date and know what's going on, the ISPs will have to keep these stupid provisions just to protect their ass.

  505. Bastards. by bl1st3r · · Score: 1

    What the hell are they trying to do? Kill any small people who have dreams? Can everyone afford commercial grade bandwidth when they are just starting out with their own .com?

    Come on, we need to stop being greedy little bitches and start providing quality service that is cheap and cost effective to our goals. Why pay 1 thousand a month for a T1 when a 560K DSL line will suffice.

    Sometimes, companies piss me off, and this is one of them.

    --
    hrrm.
  506. Re:Apache Servers? by Anonymous Coward · · Score: 0

    Gee, do you get callerID, three way calling, two lines, etc... for free from your local telco? I think not. you have to pay extra. so your contract says you are allowed to have DSL access for only certain services THATS THE WAY IT WORKS!

  507. Learn to read by NDPTAL85 · · Score: 1

    What part of your residential AUP can you not understand?

    --
    Mac OS X and Windows XP working side by side to fight back the night.
  508. Re:Servers were never allowed out on cable by Mike+Hicks · · Score: 2

    I do wonder, though.. Where exactly are they blocking access? At every single router in their networks? I somehow doubt that.. I suspect there'll still be plenty of internal traffic (but I could be wrong..)

  509. Re:Leased Line by Anonymous Coward · · Score: 0

    If you can't get a full T1 for around $1K per month you're not trying.

  510. Re:What the hey? by treke · · Score: 1

    You assume they are providing good service. My experience has been that you pay 50 bucks a month for mediocre services, unless you count having service down for days at a time on a pretty regular basis good service.

  511. Re:We haven't done this yet.. by Cato · · Score: 2

    Unfortunately true - ideally you could just block the customers with infected IIS servers, but that might require router access control lists with a large set of IP addresses. It all depends on how many customers are infected, vs. how many run web servers (intentionally). Altogether, it might be best to mail all customers to notify them of port 80 blocking, and invite them to email you for unblocking if they need it unblocked - this will protect future customers who are clueless enough to have IIS running without realising (typically small businesses with Windows NT/2000 server).

  512. Re:SSL anyone? by Old+Wolf · · Score: 2

    Well, on their website they say that their certificates are only supported by Internet Explorer 5.01 and higher. I think this would explain your problem.

  513. Verizon by Anonymous Coward · · Score: 0


    All you base are belong to us!

  514. Re:People are becoming consumers, not content crea by Sc00ter · · Score: 2
    You're a moron. This was totally for Code Red. I used to work for M1, I know people that still work for AT&T. It's temporary, it's not against their AUP, in fact in their cable modem leasing agreement they say it's okay to run a web server. But they won't support it.

    Go to slashduh, there's a big story on there about it with details and links to their policies.

  515. Re:No sympathy by thogard · · Score: 1

    no X servers?

    X sort of messes up the which is the client and which is the server issue.

    I figure if their advertising says "Internet Access" then they should provide it even of their TOS disagrees. Web access (which lots are providing) is not internet access.

  516. Re:Clause? by pongo000 · · Score: 2

    I've often wondered what, exactly, do the words "in connection with" mean? How far into your internal LAN do the tendrils of @Home extend? If I'm behind a firewall, and I'm simply shuttling packets across the firewall to a web server, can my web server, which isn't connected directly to @Home, be considered "connected with" the service?

  517. Re:This really appears to be... by Anonymous Coward · · Score: 0

    Code Red resides in RAM only, so doing one reboot will get rid of it... until you are reinfected...

  518. Re:Move to Canada by SirGeek · · Score: 2
    Because somewhere buried in your TOS (that you MUST have signed) you agreed NOT to run any servers...

    If you run a server, I can't fault them for wanting you to purchase a business account.

  519. Re:Speakeasy! by andreass · · Score: 1

    Right, like we are going to block port 80 to all our customers. Sheesh, have you not read the posts! We have a decent customer base because we let people run whatever they want, unless it gets so flamed that half the work launches a DOS attack towards us.

    Since we are 100% UNIX based (well one IIS server for customer who just need Front Page and asp -- chili-soft doesn't cut it, unless you don't mind running apache with 777 directories all over the place) and we turn off the web interface on all our routers, we have been totally unaffected by Code Red. Well, you say attacks are coming from our network, we've been shutting down IIS users left and right, but we will NEVER globally shut down port 80. Such a move would abandon half our customer base.

    Actually our cheapest web hosting package now offers 100MB of disk space and unlimited bandwidth. The servers sit right on an OC-12, not too shabby for $35/month. Ok, residential hosting only gives out 10 megs, but space is cheap, and that starts at $15. For old-schoolers, you can still run www.speakeasy.org/~username and that doesn't cost a thing (and it's Linux, so no worries)

  520. Re:Speakeasy! by Evil+MarNuke · · Score: 1

    Well, let's see here. Earthlink uses Covad. Earthlink is owned by Sprint. Earthlink won't go under, neither will Sprint. Both of them have tons and tons of money. If Covad goes under who do you think will step in and buy Covad? If not Earthlink or Sprint, then a partnership of the ISP's. And if no one buys covad, the government will step in and give covad to somebody for pocket change.

    --
    The journey is better then the end.
  521. Re:Speakeasy! by MagPulse · · Score: 1

    This is why DSL *will* save you (us). With DSL you have choice, and you can pick a great ISP like Speakeasy. With cable, you're stuck with whoever is serving your area.

  522. Re:Verizon DSL is NOT THAT EVIL by jspaleta · · Score: 2

    That would be more work than just a straight port block. Hopefully Verizon is working on some type of filtering solution to replace across the board port block....hopefully. -jef

  523. verizon - ex GTE. by ben_tarval · · Score: 1
    My mistake; that's what I get for posting late. SBC is hardly a subsidiary of Verizon.

    It's SBC who's trying to force PPoE on everyone.

  524. Re:We haven't done this yet.. by festers · · Score: 1

    man, SLiRP brings back some fond memories. It was 1995 and net access wasn't in the dorms yet. But that didn't stop a few of us from using slirp on our shell accounts. Of course, the school eventually caught on and told us to cease and desist with the "porn access." Whatever...

    --


    -------
    "Every artist is a cannibal, every poet is a thief."
  525. Re:I've read my TOS and it sucks. by Anonymous+Brave+Guy · · Score: 1
    It's an interesting question you raise there: did you actually buy bandwidth?
    Yes, that is what my TOS say. If yours don't, they should.

    Unfortunately, I don't pay them enough for that. Perhaps it's different in the US, but on this side of the Atlantic I don't know of any major ISP that offers guaranteed bandwidth on a typical home user package. (Business packages are a different ballgame, of course, but cost more to match.)

    You are confusing what is with what should be.

    Not at all; I'm just pointing out what is. Under the circumstances (the real ones, not the ideal ones), what these ISPs have done is reasonable. Right now, today, if someone using their service causes grief, they will get that complaint call, so they'd better plan accordingly.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  526. Re:Read your TOS! by cyberdonny · · Score: 2
    > If you want to run your own "mini NOC", then pony up the cash and get ISDN,

    Hey, cable (and DSL) is way faster than ISDN. So do you mean I have to chose between fast connectivity, and non-anal service, but can't have both?

    > T1, or something faster put into your basement.

    Yeah, pony up the cash, indeed.

  527. Hmmm I am glad I have a small DSL ISP for once in by Anonymous Coward · · Score: 0

    my life. They are still being nice, and allowing my Web Server to continue, and don't care if I use sendmail on my linux box. Best part is they were happy that someone had a linux box and was using it. Granted their network has been down a few more times than with USWest, but they are nice people. :-)

  528. Re:As a CLEC, this is how we have been coping. by psychalgia · · Score: 1

    your company did the right thing, I, personally, would have been thankful if someone had alerted me of my issues. I patched my servers with Code Red 1, I rebooted, I was infected in the 4 hours between CR1, and patching/rebooting my server. Do you all remember that first nasty day of CR1? That's also the day I got CRII -- so, on behalf of your STUPID customers, I will instead, thank you, you have done what I expect of my ISP, and more. I just wish there was someone like you to provide for my Rhythms ass right now!

    --

    ________________________________________________

  529. Re:Linux is not a contender.. by StarTux · · Score: 1

    Not so long ago a group of System Admins did a test that happened to prove your assumptions were totally wrong and fabricated with regards to the other free OS out there.

    Do you remember that they tested these OS's out of the box?

    1. Linux
    2. Win2k
    3. FreeBSD.

    Guess which one came last? Yep FreeBSD.

    In all fairness this was an out of the box test, which BSD sucks at. This does add to TCO if you have tweak just to get this going. Anyway, where is your proof about your statements? Ahhhh you have none.

    Here is the link to an interesting article that did the comparison, hopefully you can comprehend it:

    http://www.sysadminmag.com/articles/2001/0108/01 08 q/0108q.htm

    You know this is aimed at you, someone who cannot understand that the computing world benefits from more than one OS. Luckily most FreeBSD users I know do not carry the same chip on their shoulder as you so eloquently do, that is all you managed to prove.

    StarTux

  530. Move to Canada by DickPhallus · · Score: 1

    Bell hasn't cracked down on me yet... I run a small webserver... I mean what harm does a 16 KB upstream cost the bastages anyway?

    --

    --
    Some weasel took the cork out of my lunch.
    1. Re:Move to Canada by jmcneill · · Score: 1

      Ditto for NBTel.. although with all of the crap going on here lately, I wouldn't be surprised if they followed suit. And the only other option (that isn't even an option yet) is Rogers@Home, and I doubt that would be much better.

    2. Re:Move to Canada by Swaffs · · Score: 1

      Shaw here in Winnipeg hasn't cut me off yet either.

      --

      --
      "Karma can only be portioned out by the cosmos." - Homer Simpson [1F10]

    3. Re:Move to Canada by Anonymous Coward · · Score: 0
      I'm with Bell in Canada, too, and I'm being swamped with other Bell users scanning my port 80

      I scan their box, and if I find smtp up and running, I send them an email telling them to clean their machine.

    4. Re:Move to Canada by aoeuid · · Score: 1, Insightful

      Officially Rogers@home does not allow web servers, but that URL beside my name is hosted on Rogers in Ottawa, and has been for quite some time. Yet here in London, I've heard it's a different story. So I guess maybe they are selective about it.

      Personally, I think it's my god given right to use allocated bandwidth however I choose. It's one thing to limit bandwidth, quite another to censor what bytes are allowed in my incoming or outgoing tcp segments.

    5. Re:Move to Canada by trolebus · · Score: 1

      How do you get around the dynamically assigned IP's if you have a webserver. I mean, even my router needs to be rebooted from time to time (I think it may be Bell Canada disconnecting me because they needed the IP and I was idle but I'm not sure)

    6. Re:Move to Canada by Kwikymart · · Score: 1

      My ISP (DCCNET, Delta BC, Canada), uses dynamic IPs. However, the DHCP servers must have a MAC address memory or something because it will assign me the same IP address all the time (and it's not a feature of my dhcp client). However, if I take too long to run the dhclient it will assign that IP to someone else. It's still dynamic, but not completely. No filtering of anything as well. It's metered but they actually never charge you when you go over your limits.

      --

      Buying a Dell computer is equivalent to dropping the soap in a prison shower.
    7. Re:Move to Canada by Anonymous Coward · · Score: 0
      How do you get around the dynamically assigned IP's if you have a webserver. I mean, even my router needs to be rebooted from time to time (I think it may be Bell Canada disconnecting me because they needed the IP and I was idle but I'm not sure)

      try dyndns.org

    8. Re:Move to Canada by Malc · · Score: 2

      I have Sympatico HSE. My router (Netgear RT314) hasn't had a problem since I installed it last October. I got a .ca domain through easydns.ca... nobody has had a problem accessing my web site or sending me email, all on my dynamic IP. You can also use free services like dyndns.org or Granite Canyon. It's easy. If you have further questions, go to news://sympatico.highspeed. There are lots of people there who do the same and can help.

    9. Re:Move to Canada by Malc · · Score: 2

      Bell happily imposes a port 25 filter. The coverage is patchy though as only people with Sympatico IPs and their own SMTP server are restricted from sending me email. Based on this experience and the level of activity (I've had 2,000 hits since Saturday, mainly from Sympatico IPs), I wouldn't be surprised if they start filtering port 80... although I'm sure they're too incompetent to roll it out quickly. You could say that they already have a port 80 filter... they have a translucent caching interception proxy on port 80 in some areas.

      If I lived in Ottawa, Toronto or Montreal (??), I would switch to Istop.

    10. Re:Move to Canada by Thatman311 · · Score: 0

      Ah..I thought everyone here was a nerd? DHCP has it specced out so that it will try to give you the same IP so long as you are around during the time your IP expires or when the DHCP server tries to do some scavenging. I would recommend a good TCP/IP book for you.

      --
      Silly Rabbit...Sig's are for kids.
    11. Re:Move to Canada by plague3106 · · Score: 1

      Well, not true really. If their DHCP server goes down, or has a hiccup, you'll get a different IP. I had cable, and never rebooted my Linux router, yet I've had 3 IPs. Of course, that was over the course of 9 months, so it didn't change that much.

  531. No blocking yet by Heem · · Score: 2, Interesting

    I'm on @home and as far as I can tell port 80 is not yet blocked... I wonder for how long they will block the port and what clause in their contract they will hide behind?

    --
    Don't Tread on Me
    1. Re:No blocking yet by natet · · Score: 4, Insightful
      Hello, read your contract. @home does not allow their residential customers to run webservers anyway.

      From their service agreement.

      AT&T Broadband does not allow servers to be connected to the cable modem. This means that no computer in a personal network can be used as a server.

      Hmmm, sounds like a pretty good clause to hide behind, eh?

      --
      IANAL... But I play one on /.
    2. Re:No blocking yet by icewalker · · Score: 2, Informative

      Too bad when Windows XP comes out, every PC running it will be a server! I guess @Home will just have to outlaw Windows XP as well.

      My nice apache server just keeps on hummin!

      Obtaining Perfection isn't Perfect!

      --
      The truth is usually just an excuse for lack of imagination.
    3. Re:No blocking yet by X-Dopple · · Score: 1

      Strange. Port 80 here in Salt Lake City isn't filtered yet, but it could be only a matter of time.

      How else do you stop a Code Red worm, however? I think this is one of those situations that, in order to stop, you have to throw the baby out with the bathwater.

      It was fun running a webserver while it lasted..

    4. Re:No blocking yet by NullPointer · · Score: 1

      No blocking in Boise either, I'm still seeing SYNs from all across the country. But the frequency has decreased significantly since yesterday afternoon. I suspect they're only blocking in certain high-density service areas.

      --
      NULL
    5. Re:No blocking yet by plague3106 · · Score: 1

      > AT&T Broadband does not allow servers to be connected to the cable modem. This means that no computer in a personal network can be used as a server.

      Hmm...so I can't run an SMB server on my own network no matter what? Doesn't seem to make sense to me.

    6. Re:No blocking yet by Anonymous Coward · · Score: 0

      Actually I checked the AT&T Broadband agreement here in Mass. And it doesn't exclude servers, it even has a clause that disclaims AT&T from any responsibility should a server on my machine allow access to my machine that hurts my machine. However it looks like the clause they are using to justify the blocking is the one about not doing things that affect the performance of other subscribers. Anyway, my fix, move to port 8085 and use a forwarding service like TZO, and/or Namezero. -Steve

  532. so what by FreakBoy · · Score: 2, Insightful

    what will this do?
    @home users can still infect other @home users, along with the rest of the net.

    1. Re:so what by superpeach · · Score: 1

      Actually, @home users can still infect anyone else anywhere if only incoming port 80 connections are blocked. I don't know how Code Red decides who to do next, but from looking at my logs it isn't just "attacks" from people on the local network (as I am getting connections from USA, France, China...). To completely stop the spread of the worm over the @home network incoming and outgoing port 80 connections would need to be blocked.

    2. Re:so what by Anonymous Coward · · Score: 0

      DOCSIS cable modems have built-in firewalls (configurable via SNMP), which would be able to stop @Home users from infecting each other.

  533. Hum... by Anonymous Coward · · Score: 0

    Just an excuse to shut down people trying to run a small business at home? Or does that kind of thing go on?

  534. We haven't done this yet.. by BiggestPOS · · Score: 3, Insightful
    But considering the average level of intelligence of our customers is close to NIL, I really think we should. We get a lot of emails, and calls from people who have detected attacks from our Customers, and we call the customers, and they are just like, "Wha?"

    It's great. So instead we just let the network FLOOD. But good thing we aren't blocking port 80, that would SCREW over like what, .1% of our customers?

    --
    What, me worry?
    1. Re:We haven't done this yet.. by ogre2112 · · Score: 1

      It comes down to.. The people that know how to use their computers get fucked over by those who don't.

    2. Re:We haven't done this yet.. by Heem · · Score: 2, Interesting

      > It comes down to.. The people that know how to use their computers get fucked over by those who don't.

      Add the word AGAIN to that phrase. And if we want to get on a network where we and our peers know what they are doing, we have to pay out the ass. I liked it better when it took some BRAINS to use a computer, it wasn't cool to be a geek, and everyone I know isn't calling me every 10 minutes to fix their damn computer.

      --
      Don't Tread on Me
    3. Re:We haven't done this yet.. by Daffy+Duck · · Score: 4, Insightful
      Yeah, back when it was just geeks on the net, things were so much better. No AOL users clogging up Usenet and we had all this broadband access to ourselves.

      Oh wait, there *was* no broadband access until all these losers showed up. Must just be a coincidence.

    4. Re:We haven't done this yet.. by eap · · Score: 2

      This is perhaps the best idea I've heard on /. all day. I guess the only problem would be that by agreeing to allow port 80 traffic to your machine, AT&T would be explicitly allowing you to run a web server, and this would cause them problems later if they wanted to deny port 80 traffic. It's a position they are not likely to put themselves in.

      However, I strongly encourage everyone affected by this to call and complain to AT&T. Threaten to switch to another provider, or even go back to dialup.

      Their number is: 1-888-824-8152

  535. Too bad we *ALL* have to suffer... by spam368 · · Score: 0

    It's too bad we all have to suffer, just because some (okay..most) people use Microsoft products....those of us that choose to run Linux (and yes...we usually have webservers) are being blocked when we aren't even perpetuating the virus...

    1. Re:Too bad we *ALL* have to suffer... by Anonymous Coward · · Score: 0

      Anyone in the redmond area care to leave a flaming bag of shit at the entrance to the microsoft compound?

  536. filtering by Anonymous Coward · · Score: 0

    can't you just change the port # your web server is running on? That sux but it would be better than nothing.

    1. Re:filtering by SnapperHead · · Score: 1

      Sure, your best bet is to run your server on port 443 only. SSL :)

      This more or less prevents quite a few similar attacks.

      --
      until (succeed) try { again(); }
    2. Re:filtering by Heem · · Score: 1

      > can't you just change the port # your web server is running on? That sux but it would be better than nothing

      Sure, you could change the port, but try telling your mother-in-law, that when she wants to look at the recent pictures of her grandson, to connect to port 8080. She'd say something along the lines of.. 'WHAT'S THAT NOW?' 'COME AGAIN?' And going back and getting links changed around the net to include the :8080..

      --
      Don't Tread on Me
    3. Re:filtering by mike13down · · Score: 1

      I actually did switch to port 8080, seems they are not allowing DNS queries to the network

  537. Clause? by DiveX · · Score: 5, Insightful

    The hide behind clause will most likely be the one that says 'you may not run a server in connection with the @Home residential service'. http://home.com/support/aup/

    --
    Cave, wreck, and deep diver.
    1. Re:Clause? by The+Famous+Brett+Wat · · Score: 2
      The @Home service to which I subscribe does indeed have this restriction, but they never did define what a "server" is. In order to use the service, you need to have a DHCP client, and the DHCP client listens on UDP port 68 for DHCP server requests. If a server is defined as "software which listens on a TCP or UDP port for incoming connections or packets and generates responses to those requests", then both the DHCP client and the DHCP server are "servers".

      Perhaps they mean "servers" in a less formal sense, like "mail servers" and "web servers". That definition still allows various "peer to peer" software which is simultaneously client and server. On the other hand, maybe they do mean servers in a formal sense, but the DHCP client is implicitly excepted from this rule because they mandate its use.

      Whatever the case, it's a rule that pisses me off because my servers are always more reliable than their servers, and I hate being forced to pay for service that's worse than self service.

      --
      proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
  538. Quite common already by SnapperHead · · Score: 5, Insightful

    Actually, cable and DSL providers have already been blocking port 80 (and most lower ports) for months. I am a Charter cable customer. When I first signed up, all ports below ~1500 were blocked. (With the exception of 53, 113, and a few others.) Customers were forced to use their proxy server. Even outbound port 80 was blocked.

    After complaining for 4 months about it, and many phone calls to their head techs and managers, I finally won. I proved to them why blocking all of those ports was insaine. I simply wanted to run NTP on my machine. (Well, my entire LAN, but they didn't know anything about that :) Which requires 123/UDP.

    As the months went on, more and more ports started opening. One thing that they have realized is that people will run servers regardless. People who abuse it (setting up high traffic sites) will be shut off. Personally, I think it's insaine. I should have the right to run a personal site, as long as it doesn't get out of hand. If it did get to that point, I wouldn't be hosting on cable.

    So, they blocked the ports. I wonder how long it will stay. I would be very careful, they may use this as an excuse to keep the ports blocked.

    Working with the large companies is difficult, trying to convince them that they should unblock them. I can kind of understand their position. But, then again, it kind of upsets me.

    --
    until (succeed) try { again(); }
    1. Re:Quite common already by Anonymous Coward · · Score: 0

      insane is spelled like this:

      i-n-s-a-n-e.

    2. Re:Quite common already by calags · · Score: 2, Funny

      First time I read it I thought he meant to write asinine which in this context means the same thing :)

      --
      Never attribute to stupidity what can be construed as a monopoly preservation tactic.
  539. Verizon DSL is NOT THAT EVIL by Deadbolt · · Score: 4, Informative

    Verizon *DOES NOT BLOCK* outgoing port 25 *OR* port 80! I've been running my own mail server off the standard DSL offering, $40 a month, for almost a month now and never one hint of problems. I can send mail anywhere. I can telnet to port 25 on any Internet-accessible mail server.

    And correct me if I'm wrong, but if Verizon blocks outgoing port 80, wouldn't that put a bit of a dent in most popular web browsers?

    For the love of God, try to be a little accurate! There are plenty of real problems to bitch about!

    --
    "Honey, it's not working out; I think we should make our relationship open-source."
    1. Re:Verizon DSL is NOT THAT EVIL by Bullschmidt · · Score: 2

      Same experience here.. although I don't run the web server. I *JUST* tested my email server.. works fine!

      --
      "Of all days, the day on which one has not laughed is the most surely the one wasted." -Sebastian Roch Nicol
    2. Re:Verizon DSL is NOT THAT EVIL by Dutchie · · Score: 4, Funny

      He said 'incoming port 80'. Yeah that'd be swell, blocking outgoing port 80.

      --
      • Imagination is more important than knowledge.

        • -- Albert Einstein
    3. Re:Verizon DSL is NOT THAT EVIL by Anonymous Coward · · Score: 0

      This is just classic FUD. Verizon isn't that bad. They aren't great, but they're not the big evil bogeyman either.

    4. Re:Verizon DSL is NOT THAT EVIL by Anonymous Coward · · Score: 0

      No shit, I was scared there for a second. Verizon has its bad sides, but leaving their DSL customers more or less alone to run whatever they want is not one of them.

    5. Re:Verizon DSL is NOT THAT EVIL by Deadbolt · · Score: 1

      Actually he just said "port 80" -- I inferred outgoing from context. But you're right. That would be rather dumb, wouldn't it? :) Cheerfully withdrawn.

      --
      "Honey, it's not working out; I think we should make our relationship open-source."
    6. Re:Verizon DSL is NOT THAT EVIL by jspaleta · · Score: 3, Informative
      The top of this thread needs to be modded up to 5. I've had Verizon since last October, and I'm running a web server and SMTP server just fine off my LAN. I've nmapped myself from outside Verizon and they don't seem to be blocking any ports.

      I just re-read the Verizon TOS. And in attachment B, there is a clause that explicitly states that DIAL-UP users can not run servers, and that DSL users are exempt. Attachment B-3q is the clause.

      My reading of the Verizon TOS, which covers dial-up and DSL users, indicates that DSL users can do whatever they want with the bandwidth they have, as long as what they do doesn't interfere with network operations and is not illegal. So if you had a Code-Red infected server...they could shut off yer whole account to prevent network degradation.

      I think someone is confusing Verizon's statement to restrict use of their mail servers to email that includes a valid verizon.net account in the From header, to mean blocking SMTP ports...Totally inaccurate.

      1) Verizon is not blocking web servers
      2) Verizon is not blocking smtp servers
      3) Verizon isn't blocking any ports as far as I can tell
      4) Verizon IS preventing spam from being generated from their mail servers by requiring every piece of mail sent from their smtp servers to have a valid userid@verizon.net.
      5) Verizon will shutdown DSL accounts on a case by case basis if your computer account is being used to degrade overall network service (ie you are a spam or virus factory, and Verizon can trace the network congestion back to you)

    7. Re:Verizon DSL is NOT THAT EVIL by Xthlc · · Score: 1

      > 1) Verizon is not blocking web servers

      My Verizon DSL in Pittsburgh has been blocking incoming port 80 for about a week now. I haven't heard back yet from tech support. I haven't heard anything via email.

      > 2) Verizon is not blocking smtp servers

      Verizon here in Pittsburgh was blocking incoming 25 as of last summer.

      > 3) Verizon isn't blocking any ports as far as I can tell

      What city are you in?

      > 4) Verizon IS preventing spam from being generated from their mail servers by requiring every piece of mail sent from their smtp servers to have a valid userid@verizon.net.

      And, conveniently, railroading their users into either paying more for an outside smtp server or paying more for verizon's expensive vhosting.

      There are other, less intrusive ways to prevent spam.

      > 5) Verizon will shutdown DSL accounts on a case by case basis if your computer account is being used to degrade overall network service (ie you are a spam or virus factory, and Verizon can trace the network congestion back to you)

      One thing I will say for Verizon / Bell Atlantic DSL -- they have had fairly reliable service since I started with them (about a year ago).

      However, this has proved to be the breaking point. I have no wish to deal with them any longer. I'm switching to a local DSL provider (telerama, for you yinzers in the audience).
      When corporations start fucking you and complaining that you're ungrateful for it, it's time to vote with your wallet.

  540. A simple go-around: by Travoltus · · Score: 1

    Put your web server on port 8080 or something, although it would be fun getting to everyone the message that it's on port 8080...

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
    1. Re:A simple go-around: by Corgha · · Score: 3, Informative

      Not so simple, actually -- I tried this today because of the block, and it works fine in many cases, but there is a hitch.

      Let's say someone is looking at "http://foo.ne.mediaone.net:8080/bar/fred.html", and this html file contains a reference to another file, be it a CSS file, an image, an anchor -- whatever. There are three possibilities I want to consider.

      In the first, if this reference is of the form "http://foo.ne.mediaone.net/bar/ney.html", it's obviously not going to go to port 8080, but people rarely use absolute references like that, so let's move past that to the more interesting cases.

      In the second, if the reference is of the form "ney.jpeg". Here, everything works fine and the client looks for "http://foo.ne.mediaone.net:8080/bar/ney.jpeg".

      In the third, with a reference like "/css/rubble.css", you'd like to think that, since the parent URL is in http://foo.ne.mediaone.net:8080, the client would go for "http://foo.ne.mediaone.net:8080/css/rubble.css", but no! It looks up "http://foo.ne.mediaone.net/css/rubble.css" (and spends a long time timing out because of the block).

      I have no idea why this is, but it seems to happen in both Netscape and IE. Haven't had time to investigate it thoroughly, so if anyone knows anything about this, I'd appreciate the info.

    2. Re:A simple go-around: by Anonymous Coward · · Score: 0

      Yes, anybody that really wants to run a 'webserver' off their computer can always just change the port (assuming they wanted to do real damage -- most people just run a test webserver at most for friends to download pictures and things and wouldn't miss port 80 too much). This move is all because of some ass's virus and yet another M$ bug -- thank you microshit fucks.

    3. Re:A simple go-around: by Anonymous Coward · · Score: 0

      i guess the only way we'll ever be rid of code red is to move the entire web over to another port :)

    4. Re:A simple go-around: by spectral · · Score: 0

      Check your server setup. I believe for the second form the browser uses its own information to make up the URL to pull on the server. For the ones that are referenced from root, it uses the hostname the server provides. i.e. people connect to my server as ****.cjb.net, and it appears that way until they're sent to a page referenced as a / .. then it appears as ****.nycap.rr.com (the reverse DNS of my IP, so they might have gotten it from that, but I believe it's because that's what my hostname is in Linux, and therefore that's what Apache uses as its server host name variable.)
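
The three reference forms from the port-8080 comment above, resolved as the URL standard specifies, plus a check for server redirects whose Location header drops the port or swaps the host name, which is what the reply suggests looking at. This is an added example, not part of the thread; the host names are the ones quoted in the comment, and the redirect samples and function names are constructed.

```javascript
// Added example (not from the thread). Redirect samples and all function
// names are constructed for illustration.

const PAGE = "http://foo.ne.mediaone.net:8080/bar/fred.html";

// Resolve a reference against the page URL the way the URL standard
// (WHATWG URL, RFC 3986 section 5) specifies.
function resolve(ref, base = PAGE) {
  return new URL(ref, base).href;
}

// Port a URL actually connects to: the explicit port, else the scheme default.
function effectivePort(url) {
  if (url.port !== "") return Number(url.port);
  return url.protocol === "https:" ? 443 : 80;
}

// Compare where a reference (or redirect target) lands with where the
// request went: "same-origin", "port-changed" or "host-changed".
function classify(ref, base = PAGE) {
  const from = new URL(base);
  const to = new URL(ref, base);
  if (to.hostname !== from.hostname) return "host-changed";
  if (effectivePort(to) !== effectivePort(from)) return "port-changed";
  return "same-origin";
}

// Constructed sample: request URL, status and Location header, as collected
// by a header-only fetch of each path on a site moved to port 8080.
const SAMPLE_RESPONSES = [
  { requested: "http://foo.ne.mediaone.net:8080/bar/fred.html", status: 200, location: null },
  // Relative Location: the client keeps host and port.
  { requested: "http://foo.ne.mediaone.net:8080/bar", status: 301, location: "/bar/" },
  // Absolute Location built without the port: lands on the filtered port 80.
  { requested: "http://foo.ne.mediaone.net:8080/css", status: 301, location: "http://foo.ne.mediaone.net/css/" },
  // Absolute Location built from the machine's own host name.
  { requested: "http://foo.ne.mediaone.net:8080/pics", status: 301, location: "http://internal-name.example:8080/pics/" },
];

// Return only the redirects that would take a visitor off the host:port
// they originally connected to.
function auditRedirects(responses) {
  return responses
    .filter((r) => r.status >= 300 && r.status < 400 && r.location)
    .map((r) => ({
      requested: r.requested,
      location: r.location,
      verdict: classify(r.location, r.requested),
    }))
    .filter((r) => r.verdict !== "same-origin");
}

// Show the three reference forms discussed in the comment.
for (const ref of [
  "http://foo.ne.mediaone.net/bar/ney.html", // absolute, no port
  "ney.jpeg",                                // path-relative
  "/css/rubble.css",                         // root-relative
]) {
  console.log(`${ref} -> ${resolve(ref)} [${classify(ref)}]`);
}

// Show which sample redirects leave the original host:port.
for (const finding of auditRedirects(SAMPLE_RESPONSES)) {
  console.log(`${finding.requested} redirects to ${finding.location} [${finding.verdict}]`);
}
```

A root-relative reference keeps the port under the standard, so when a request still goes to port 80 the first things to inspect are absolute URLs in the markup and the Location headers the server generates.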

  541. Mailservers? by Anonymous Coward · · Score: 0

    Day they shut off my mail port is the day I cancel.

  542. Speakeasy! by Evil+MarNuke · · Score: 4, Informative
    If you want to host servers at home there is only one real choice out there, and that's SpeakEasy. Oh, don't take my word for it, read the Terms of Service. It says:
    Personal Web Page Restrictions:

    We believe in the right of the individual to publish information that they feel is important to the world via the Internet. Unlike many ISP's we do allow you to run a server (web, mail, etc.) over your DSL line.

    Enough said.

    --
    The journey is better then the end.
    1. Re:Speakeasy! by nbvb · · Score: 1

      Amen to that brother!!

      Bless those Speakeasy folks... they kick ass and take names.

      There's a reason I spend $91/month on a DSL line...

      Now you know why.

      --dmjATspeakeasyDOTorg

    2. Re:Speakeasy! by 1Oman · · Score: 1

      Telocity has no problem with users running servers either. They even have a help page to aid users who don't know how and you just call them up to get and they set up the DNS for you too.

    3. Re:Speakeasy! by Velox_SwiftFox · · Score: 2
      Megapath - expensiveish, if you compare to the crap you get from others - issues static IPs - and will sell you extra ones - and doesn't hassle about servers. They assume you are connecting a LAN on your end, not just a Windows box.

      No complaints here about anything from them, except when they scared me at first by only promising a connection in 5 weeks - but put it in in six days instead. Since part of this involved waiting for PacBell to connect, I guess they didn't want to promise anything they couldn't be sure to supply because of the third party's involvement.

  543. Apache Servers? by Anonymous Coward · · Score: 0

    You know, I always love this attitude by the cable and DSL providers towards residential users that seems to come out roughly meaning "even though you're paying forty dollars a month and subscribing to our service, YOU OWE US!" Filtering out specific ports isn't the solution. Good product testing is. What happens when the next exploit comes out? Are we going to firewall ourselves onto our own secluded networks? Revisit the AOL days again anyone? The problem isn't people running webservers off their PCs, the problem isn't the exploit. The problem is the poorly written software that was allowed to get out without proper testing in the first place.

  544. Not a huge surprise.. by James_G · · Score: 3, Insightful
    To be fair, @Home have always said that their residential customers should not run servers of any kind - this has always been their policy and up until now, they've basically turned a blind eye (At least, they never complained when I ran servers on my cable modem connection).

    Now they're doing the sensible thing to contain potentially hundreds of thousands of machines running IIS (Mostly run by people who probably have no idea about worms and the like anyway - even if they knew they were running a web server in the first place).

    Seems pretty sensible to me, although my DSL ISP has no problems with me running servers, so I'm happy either way..

    1. Re:Not a huge surprise.. by norton_I · · Score: 2

      Given that Windows * is basically always a "server", I choose to interpret "servers" as "public servers". I use ssh, ftp, and HTTP for personal use only, and I am going to be really upset if/when they block my port. ATT@Home already has machines that routinely scan for news servers (authorized-scan1.security.home.net -- I love portsentry). They could easily scan for Code Red infected machines as well.

    2. Re:Not a huge surprise.. by Detritus · · Score: 2
      VisualStudio does not install IIS.

      I did a full installation of Visual Studio 6.0 on a Windows 2000 Workstation system and it did install IIS. I believe it was the installer for Visual InterDev 6.0 that installed a bunch of server-type software on the system.

      --
      Mea navis aericumbens anguillis abundat
  545. It would mean them having to do real work by Anonymous Coward · · Score: 3, Insightful

    It would mean them having to do real work shutting down accounts of those who are not smart enough to run a 1mo old patch on their systems. It makes me angry, because if there was another option for a high speed connection, I would have done it a long time ago. All day I have received calls from clients wondering if my dev machine dropped off the web. I called att and what they actually said was "when we installed the service, we set up with NT Based systems because it was the fastest way to get it working, not because it was the most secure", then the tech followed with "all of our servers have viruses". I'm not sure but it sounded like she wasn't too happy with her job..

  546. This really appears to be... by Mhrmnhrm · · Score: 2

    Curing the disease by killing the patient. If I read their statement correctly, AT&T recognizes that the problem is unpatched IIS servers. But they've decided that because this is such a problem (which I as a lowly dialup user haven't even noticed yet) that it merits shutting down all customers' ability to run webservers, even though they also recognize that most people run Win 9x. The legal basis is contained within their user agreement as a clause basically saying "you can't do anything that will mess up someone else's usage of the service", which really is pretty common.

    Their "virus removal" instructions also seem flawed... why would I want to reconnect to the internet *before* the final reboot? Granted, not being connected during the early boot phase makes things take longer, but it will also make sure you can't be reinfected before the patch is fully applied.

    --
    I suspect that one of these choices is incorrect. Correct.
  547. SSL anyone? by DanEsparza · · Score: 1
    Why not use FreeSSL and port 443 (https)?

    Just a thought.

  548. Read your TOS! by SClitheroe · · Score: 5, Insightful

    Seriously people... Most, if not all, broadband providers prohibit running servers from home accounts (it's definitely that way for @Home users, even if they do generally turn a blind eye to small time web servers). They generally also have some sort of clause which basically doesn't guarantee unlimited or uncontrolled inbound or outbound access. For that matter, most broadband (and thinband) providers provide a clause which basically exempts them from any sort of service level agreement.

    Signing on with a domestic oriented ISP means that you are essentially "users" on their network. Blocking inbound port 80 access is a good starting point for at least protecting their internal network segments. If you were running what is essentially a DHCP/DNS/proxy service for thousands of users, wouldn't you at least take this step to protect the integrity of your network?? (I admit it doesn't begin to solve all the problems, but...)

    If you want to run your own "mini NOC", then pony up the cash and get ISDN, a T1, or something faster put into your basement. But if you are subscribing to a consumer grade ISP's offerings, don't be surprised when this happens. And especially don't start with the geek indignation, because consumer broadband is not meant, nor sold, under the pretense of running home servers.

    1. Re:Read your TOS! by Anonymous Coward · · Score: 0

      Actually, many broadband services allow you to serve your own web sites now--I know mine, DirecTV (formerly Telocity), lets you. I think most Covad-based services do, too, and I'm fairly sure Earthlink DSL changed their policy not too long ago to allow this. Of course, it seems Rhythms (provides DSL for DirecTV) and Covad are dying off now (both recently declared bankruptcy) . . .

    2. Re:Read your TOS! by Atzanteol · · Score: 2, Interesting

      Not necessarily... When I originally signed up with MediaOne, I asked about running servers. They were fine with it, so long as I didn't interfere significantly with the other users.

      I think this is just a way ATT can claim to be 'proactive on security'...

      This sickens me..

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    3. Re:Read your TOS! by almeida · · Score: 5, Informative
    4. Re:Read your TOS! by almeida · · Score: 1

      P.S. Personal link is now broken, thanks to a lot of stupid Windows users.

    5. Re:Read your TOS! by Monkeyman334 · · Score: 1

      With @home their upstream is restricted to 15K. So it's not a bandwidth concern, and they never check to see if you have a server running. They just don't want to be liable if you want to sue for an outage, or anything else that may come up.

    6. Re:Read your TOS! by abe+ferlman · · Score: 1

      Yeah, I agree. People should definitely read their TOS. You're lucky companies are willing to sell you products at all you snivelling worms. And all those people who don't consult their lawyer to discover the true meaning of the click-wrap licenses they open. Stupid consumers! Let's review:

      1. if a company offers a service and limits it arbitrarily, you have no right to complain. You are lower than the excrement of a dung beetle.
      2. if you think the "Inter" in "Internet" implies that two way communication ought to occur, you should be locked up with all those free software loons in the nearest insane asylum post-haste.
      3. Being a "user" means never having to set up a webserver. Corporations own all media, and don't you forget it, "user".

      bah, I'm feeling especially cranky now. I'm going to eat a dung beetle as soon as possible.

      --
      microsoftword.mp3 - it doesn't care that they're not words...
    7. Re:Read your TOS! by StarTux · · Score: 5, Informative

      I'll test this "filtering" in a couple of days (DNS updates going on).

      If you read the link Slashdot kindly provided for you you will notice this:

      Looks as though they updated that part about servers, all I could find was this:

      " (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer. "

      So they do not mind you running the services, just that you are responsible for your security.

      For reference:
      http://help.broadband.att.com/faq.jsp?content_id=792&category_id=54

      http://help.broadband.att.com/subagreelease.jsp

      StarTux

    8. Re:Read your TOS! by StarTux · · Score: 1

      Ack,

      Confusing, but if you look here:

      http://help.broadband.att.com/faq.jsp?content_id=416

      What defines a Linux server (bearing in mind that the upcoming IDC estimates will make a distinction between a server that is also being used as a workstation, versus a dedicated server)?

      I can understand AT&T's position on this, you share the network resources with others. If my memory is correct DSL is quite different.

      StarTux

    9. Re:Read your TOS! by meldroc · · Score: 2
      They can do whatever they want, and if you don't like it you can look at the competitors (which in this case would be one of the many teetering on the edge of bankruptcy DSL providers).

      What competitors? For myself and many others, @Home is the only game in town. I'm not in DSL range, and I only have one cable provider I can use, the local monopoly. I can't just tell them to fuck off and go do business elsewhere. There is no elsewhere. Thus, the monopoly has a special responsibility not to abuse their power, which they don't take seriously.

      --

      Meldroc, Waster of Electrons
    10. Re:Read your TOS! by singularity · · Score: 2

      What should happen is that any ISP that refuses to carry traffic on port 80 should then provide 5 or 10 megs of web hosting space.

      I think that there are several broadband carriers out there that do just that.

      --
      - (c) 2018 Hank Zimmerman
  549. Red thingie by X.25 · · Score: 1

    Amazing how everyone is bleating, but no one tried to make a connection to Code Red worm...

    Yes, port 80 is being blocked just about anywhere - wanna guess why?

    1. Re:Red thingie by Anonymous Coward · · Score: 0

      Answer: Fucking Microsoft.

    2. Re:Red thingie by gfhilton · · Score: 1

      Why do you think everyone has been talking about Windoz users, etc. all this time? We ARE talking about the stupid Code Red virus! It's a given that that's what's started this whole thing.

      Correct me if I'm wrong, but I don't recall that IIS is installed by default in Win2000. Is it in NT (I don't remember)? If it's not, then why is this worm such a problem? Most people who would be intelligent enough to find the option and install a web server SHOULD be intelligent enough to download a patch for it a month after it has come out, right? Or do we just have a bunch of dumb OEM's out there who installed IIS on all these computers they sold to dumb users? Seems fishy...

      --
      "Do what you wish in your madness, but first let me down off this horse. I wish to see no eyes!"
  550. Give me a break by Moonwick · · Score: 1

    Cut access to people with infected servers? Considering that the only way to detect this is by actually taking advantage of the hole itself, somehow I'm not surprised that @home didn't want to make that decision.

    Stop being so paranoid. There are other broadband providers in the world.

    --
    Only on slashdot can a posting be rated "Score -1, Insightful".
    1. Re:Give me a break by Anonymous Coward · · Score: 0

      Actually, that's not true, they could sniff for awhile and block those machines that are infected. Unpleasant, but true.

      FYI, @Home has already started de-provisioning infected customers in California.

  551. hmm by mlong · · Score: 0, Flamebait

    I've noticed something here. A sure fire way to get a story posted is to simply mention how company x (big bad business) is screwing group Y over (victim)...throw in a few smart-ass remarks (bait), and maybe a few exaggerations (scare tactics) and wham...it's frontpage news.

    --
    //m
  552. Why not force a download of the patch? by Omerna · · Score: 2

    Make people download a patch to be able to run a server. Easy. Just make them go to a page that will let them say "Yes, I've downloaded the patch" with a copy of the patch next to the button so it's easy to do it.

    --


    No sig for you.
    1. Re:Why not force a download of the patch? by linzeal · · Score: 1
      What happens the next time and the next time and the next time . . . ? ? ?

      huh ?

    2. Re:Why not force a download of the patch? by Anonymous Coward · · Score: 0

      Boy that's a stupid comment (the reply to the 1st one, not the 1st one) Totally blocking port 80 isn't a better solution at all.

    3. Re:Why not force a download of the patch? by kilrogg · · Score: 1
      Sounds good, but, blocking port 80 will only stop the spread of this disease. There are still hundreds of thousands of sick machines out there which will still be generating traffic that can continue to bog down the outgoing direction (I'm sure 90% of these servers are running on people's machines without them even knowing).

      They'll continue to do so until, A) the user re-installs (which may take months). B) the ISPs scan each one of their clients and warns/threatens them of the worm's presence.

    4. Re:Why not force a download of the patch? by meldroc · · Score: 2

      C'mon, it's not that hard to write a script to detect Code Red packets and cut off their service. Cutting off their service is as simple as setting dhcpd (or whatever DHCP server they use) to refuse to lease an IP address to the infected customer's MAC address.

      --

      Meldroc, Waster of Electrons
  553. Not in Hampton VA. by QwkHyenA · · Score: 2, Informative
    Cox hasn't filtered port 80 here yet. Just ran port detective, and it's still open here...As well as port 25.

    --
    LFS. Have you built your system today?
    1. Re:Not in Hampton VA. by interiot · · Score: 2

      Same here. Not yet on Excite@Home. Code Red is still attacking once every four minutes, so it should be easy to passively tell almost exactly when port 80 service is cut off.
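
Added example, not part of the thread or any poster's code: the passive detection that meldroc's and interiot's comments above describe, run over a web server's own access log. The log lines, the 192.0.2.0/24 "customer" netblock and the 5x-median silence threshold are constructed assumptions; the only worm-specific fact used is that Code Red requests `/default.ida` with a long run of `N` (original) or `X` (Code Red II) filler characters.

```python
"""Passive Code Red probe detection from web-server access logs (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# NCSA/Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
# Code Red asks for /default.ida followed by a long filler run: 'N' for the
# original worm, 'X' for Code Red II. The length floor avoids matching short,
# ordinary query strings.
PROBE_RE = re.compile(r"^GET /default\.ida\?(?P<fill>N{100,}|X{100,})")


def parse_probes(lines):
    """Yield (timestamp, source_ip, variant) for every Code Red style request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        p = PROBE_RE.match(m.group("req"))
        if not p:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of an address, or an unparseable time
        variant = "CodeRed" if p.group("fill")[0] == "N" else "CodeRedII"
        yield ts, ip, variant


def infected_customers(probes, customer_nets):
    """Group probes by source, keeping only sources inside our own netblocks."""
    nets = [ipaddress.ip_network(n) for n in customer_nets]
    hits = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "variants": set()}
    )
    for ts, ip, variant in probes:
        if not any(ip in net for net in nets):
            continue  # someone else's customer: report upstream, not our problem
        h = hits[str(ip)]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["variants"].add(variant)
    return dict(hits)


def filter_cutoff(probe_times, now, factor=5):
    """Return the time of the last probe if the silence since then exceeds
    `factor` times the median gap between probes (inbound port 80 was probably
    filtered around then); otherwise return None."""
    times = sorted(probe_times)
    if len(times) < 3:
        return None  # too few probes to know what a normal gap looks like
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    silence = (now - times[-1]).total_seconds()
    return times[-1] if silence > factor * max(median(gaps), 1.0) else None


def _line(ip, hhmmss, request, status=404):
    # Builds one constructed common-log-format line for the sample below.
    return f'{ip} - - [05/Aug/2001:{hhmmss} -0400] "{request}" {status} 283'


# Constructed sample log. Filler length is arbitrary and no payload is included.
_N = "GET /default.ida?" + "N" * 224 + " HTTP/1.0"
_X = "GET /default.ida?" + "X" * 224 + " HTTP/1.0"
SAMPLE_LOG = [
    _line("192.0.2.17", "14:00:05", _N),
    _line("198.51.100.9", "14:04:10", _X),
    _line("203.0.113.50", "14:05:00", "GET /index.html HTTP/1.0", 200),
    _line("192.0.2.17", "14:08:02", _N),
    _line("192.0.2.80", "14:12:01", _X),
    _line("203.0.113.50", "14:13:30", "GET /default.ida?NNNN HTTP/1.0"),  # too short
    "truncated garbage line",
    _line("198.51.100.9", "14:16:00", _X),
]

if __name__ == "__main__":
    probes = list(parse_probes(SAMPLE_LOG))
    for ip, h in sorted(infected_customers(probes, ["192.0.2.0/24"]).items()):
        print(ip, h["count"], sorted(h["variants"]), h["first"], h["last"])
    now = datetime.strptime("05/Aug/2001:15:00:00 -0400", "%d/%b/%Y:%H:%M:%S %z")
    print("probable filter start:", filter_cutoff([p[0] for p in probes], now))
```

Matching on the request line needs no interaction with the infected host, and the per-address first/last timestamps are what a provisioning team would need to tie a dynamic address back to a subscriber.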

  554. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0

    Not too bad a troll, but lose the one liner reference to buying new cd's. It's a dead giveaway. Still, I grade you a B+ for effort.

  555. Leased Line by trolebus · · Score: 2, Interesting
    This is getting out of hand. Does anyone know what a leased line costs?

    This is an idea I had:
    A group of people get together and purchase a leased line, run it into someone's home and then put everyone else on a little ethernet network. Granted I don't know how much one costs but I figure at around $40 a month a group of about 20-30 should be able to get something way faster than DSL/Cable and without the bullshit. I see three main problems.

    1. Security: Everyone has to protect their PC; a packet filtering router should do the trick but it's an added expense. Additionally the security on the leased line has to be good.

    2. People: Finding enough people that live such that we can lay all the cable we need without going on city land. This could be the real challenge. I suppose we could hop across holes in the network with 802.11b but that would be slower and less secure.

    3. Time: What happens when the network / connection goes down. Either we set up some sort of rotation but we need an admin to fix stuff and that can be expensive.

    Other issues are things like getting IP's (we could use a DHCP server but it would be better to all have our own IP)

    Lots of challenges but it could be cool. Has anyone done something like this or has a suggestion on how it could be done better? I get closer and closer especially with crap like this.

    1. Re:Leased Line by visualight · · Score: 1

      Wireless?

      I've been thinking along the same lines but I'm not up on what equipment to use etc. I just started yesterday trying to find out what kind of frequencies/watts are required vs. what's available for regular people.

      --
      Samsung took back my unlocked bootloader because Google wants me to rent movies. They're both evil.
    2. Re:Leased Line by CommanderTaco · · Score: 1

      A t1 will run you AT LEAST $1000/mo, more like $2000/mo from a decent provider. So at 30 people * 40/mo, you might be able to afford a cheapo line. However, t1 split among 30 people will definitely not provide faster speeds than your average cable/dsl line... maybe faster outbound speeds, but not inbound. If you don't have any bandwidth hogs in your group, though, speeds might be acceptable, and, like you say, you wouldn't have to put up with an ISP's whims.

    3. Re:Leased Line by zinger · · Score: 1

      don't know where you are, but here on the east coast you can get a circuit from THE premium provider for under $1k a month, including loop fee.

  556. Servers were never allowed out on cable by isdnip · · Score: 5, Informative

    The @Home customer agreements never allowed servers, particularly web servers. There's a valid technical reason, too: Cable bandwidth is asymmetric. There's typically a downstream pool of about 27 Mbps (depending on settings) shared among all users, while the upstream pool is more often in the 2 Mbps or less range. This comes about because upstream has to fit into the narrow patches of usable spectrum below 40 MHz, while downstream just fits among the TV channels between 50 and 750 MHz.

    So stick a server out there, get Slashdotted (or even just get mildly popular), and the upstream bandwidth is wiped out for your whole neighborhood (technically, the area of your optical conversion node and CMTS channel). This is a big risk, so the cable companies don't take it. Instead, they do give you some free hosting space at their data centers.

    VeriZontal has no such excuse -- ADSL has little upstream bandwidth (they typically provision only 90 kbps) but it's your very own, and they end up with a huge surplus of upstream bandwidth at the back of the DSLAM, where all of the traffic is aggregated. It's downstream that can congest easily. They're just being shmucks as usual. But if their customer agreement doesn't allow servers, then that's the deal -- commercial-grade DSL services allow servers.

    The real problem they're addressing (even VZ) is Code Red II. Web servers that get infected will probe their own networks like crazy looking for others to infect. This creates congestion. So shutting off port 80 stops the worm. Crude but effective. See the recent LinuxPlanet column about Charter for how a cable company won't admit that its infected servers are causing huge congestion. The author suggests blocking port 80!

    1. Re:Servers were never allowed out on cable by almeida · · Score: 2, Informative

      From: http://help.broadband.att.com/subagreelease.jsp (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

    2. Re:Servers were never allowed out on cable by Cirvam · · Score: 1

      um, so why don't they kick off all the people running windows without firewalls? Last I checked, all versions of windows defaultly have servers running. You know port 139? SMB?

  557. Re:*BSD is dying by Evil+MarNuke · · Score: 0

    fuck it. I'll still run OpenBSD as my firewalls, name, and ftp server.

    --
    The journey is better then the end.
  558. 911 by bruthasj · · Score: 1

    Hell, there are so many people on these DSL networks running compromised servers, it's like a shotgun wound. You don't care where the bullets went in or where they came out. You wrap the thing until it stops bleeding.

    Or, guess what, you're dead. Right now they have a few limited resources, 1) Bandwidth and 2) Time. If they want to fix the problem fast they cut port 80. They let the bleeding stop and then they open up.

    If you want to write a program that helps them signature each freaking IP on their network and then filter which one is okay or not, go start your project: SF

    These guys want to keep most of their customers. When 100% of users are having bandwidth problems because of a virus they drop like flies. When 1% that are running Linux get port 80 blocked drop, they don't give a @#$!.

    Quit your whining. And go get webhosting for 10$/month at an offsite provider instead of trying to create a web server from crappy components. You're not losing money are you?!!? I'd have to laugh in your face if you're trying to run a useful webserver over DSL.

    -out-

    1. Re:911 by Cirvam · · Score: 1

      Really, you know of a host that will give me 20gb of space and a server with php extensions compiled with image-lib support for $10/month? Where might this awesome place be?

  559. The end of a state of denial by Senor+Wences · · Score: 2, Interesting

    I'm surprised it has taken AT&T and Excite so long to block port 80. In the agreement each subscriber must sign when she or he enrolls for the service the cable cos. explicitly state that you are forbidden to run a web server on their lines. But from the number of cable carracho servers I have seen, as well as other web servers running from cable, it is clear that many users simply ignore this rule. Granted, many people running Win2K or NT and IIS might not realize the service is running, their computer is infected, they are part of the problem. So it makes sense that in an effort to contain this worm the providers would block port 80. It's just weird that, in light of their stated policy, they have thus far allowed for people to run web servers, etc., on port 80, ignoring the users' abuse of the service just as the users have ignored the rule. All it took was a few careless individuals running unpatched software that shouldn't have had such a nasty exploit in the first place to ruin this wonderful state of denial between the cable cos. and people who want to run a web server on their nice, zippy cable connections. I suppose that's what port 8080 is for....

    --
    End of Line
    1. Re:The end of a state of denial by Kazimira · · Score: 5, Informative

      Granted, many people running Win2K or NT and IIS might not realize the service is running, their computer is infected, they are part of the problem.

      This is what we've run into at my company.
      What our security team did was scan for infected IIS servers and shut down those specific customers.
      We then contacted them and informed them to patch immediately once we turned them back on. We also warned them that we would scan again that evening and would not hesitate at shutting them down a second time.
      About 50% of those contacted had no clue they even had IIS running. This made it very frustrating.

  560. No sympathy by fremen · · Score: 2

    I really don't have the least bit of sympathy for anyone who has been hit with this. You agree to a contract that describes the terms of your service. That contract almost certainly says that running servers is prohibited, but up until now most ISPs were happy to look the other way for the occasional server that didn't waste their bandwidth. Now that a massive bandwidth hogging, server infecting, people irritating web worm has appeared, and it has been revealed that the average server operator has no clue about computer security. They have a choice, let their customers be potentially vulnerable to a backdoor insertion while a worm goes willy nilly sucking down bandwidth or ignore it and hope that nobody complains. Keep in mind, the majority of home internet users don't run servers. They just want fast access to the web and their e-mail. Disabling your virus infested server is no sweat off their backs, it just improves their quality of service.

    They've had the authority to kill server access and now they've done it. They did it with what was probably a good reason, and anybody who has paid any attention realizes that they've had the power to do this for a long time. Count yourself lucky that you got a free server connection for this long.

    And, if it really bothers you, get a dedicated server connection with guaranteed connectivity. There's a reason that those connections cost more, and it's all about connection and service guarantees.

    Finally, please don't complain that you're running Apache and therefore you should be exempt. Show me one ISP that would bother checking HTTP headers and I'll show you one can of worms that you really don't want to touch with a ten foot pole.

    1. Re:No sympathy by icewalker · · Score: 1

      I hate to say it, but I tend to agree. Unfortunately, Microsoft made it too easy for people to run webservers and I bet half of them didn't even know it. I guess that is what happens when you have an OS that tries to be everything for everybody all at the same time.

      Here comes the really big kicker though. What happens when XP hits the streets? I mean, that will be a server waiting to happen and I wouldn't be surprised to see the bandwidth go through the floor when it comes out and the ignorant start upgrading. Maybe @HOME should ban XP on its network? NOT! But it would be a nice thought.

      Why do I run linux? At least I know it has a web server because I installed it. Long Live Debian and apt-get!

      Obtaining Perfection isn't Perfect!

      --
      The truth is usually just an excuse for lack of imagination.
    2. Re:No sympathy by Anonymous Coward · · Score: 0

      Gah... yes, indeed.. the contract says "no servers".
      No servers of what ?
      No network servers (i.e. You're not allowed to have Your own little lan hooked up to the internet, not even through a separate network card + sygate or whatever) ?
      No webservers (on port 80 - are other ports allowed ?) ?
      No ftp servers ?

      No... DCC servers ?

      No fileservers ?

      No Napster clients (which are pretty much servers of their own) ?

      Basically... -any- service which allows users to get files from You without You giving Your explicit consent for each request ?

      They better start blocking a lot of ports, nullifying a lot of products and losing a lot of customers then.

    3. Re:No sympathy by purplemonkeydan · · Score: 1

      Uhh, you have to explicitly install IIS on 2k and XP Professional, and it doesn't even come with XP Home.

  561. Why don't ISP's provide firewall software? by Jimhotep · · Score: 1

    ISP's like to get all the software you need to use the internet, why don't they include a firewall? I've been using ZoneAlarm for a year now, no problems. In fact, it's fun to run traceroutes on the bastages that try to break in.

  562. RTFA by jpellino · · Score: 1

    And the A stands for AUP... The prohib against servers on your side is old news. Deal. Switch. Go pro. No crybabies.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  563. imagine if other utilities did this by Dr.+Awktagon · · Score: 5, Insightful

    Imagine if the phone company checked your lines for "business use" and shut you down unless you got a business contract.

    Or how about the power company, charging you differently depending on how you use the power, and limiting you to, say, 10 amps peak if you don't have a business contract.

    I wonder if it isn't appropriate to have a little (eek) government regulation when it comes to these things? Like not blocking any ports for any customer unless it is clearly marked in advertising or something?

    I always wonder when my ISP will decide, for the good of all customers, to shut down this or that port or filter or monitor traffic. They'll probably not even notify me, they'll just update the terms of service buried in their web page someplace.

    1. Re:imagine if other utilities did this by Anonymous Coward · · Score: 0

      Ironically enough, didn't AT&T used to be a government-owned operation a few decades ago?

    2. Re:imagine if other utilities did this by davie · · Score: 1

      Speaking from personal experience, I can assure you that some phone companies will require you to pay for a business line if they find out you're using a personal line for business. The reason for this is probably something to do with allocation of resources, but I'll leave it for the telecomheads to fill in the blanks.

      --
      slashdot broke my sig
    3. Re:imagine if other utilities did this by Anonymous Coward · · Score: 0


      But we have competition in these markets so you can simply select another service for broadband access to the internet.

    4. Re:imagine if other utilities did this by Ronin+Developer · · Score: 4, Insightful
      Imagine if the phone company checked your lines for "business use" and shut you down unless you got a business contract.

      They have done so for many years with regard to digital service. To residential customers, a phone line is sufficient if it passed voice. If you managed to get over a 300 baud connection, consider yourself lucky and don't complain if bandwidth sucks or you have drop offs.

      However, if you want higher bandwidth or guarantees, then you are supposed to order a data grade line (which is usually a business line). In fact, they tell you in their service agreement that if they detect business use of the line, they will charge you more for it.

      Telephone service is not a right but a privilege to those willing to pay for use of the network. Same thing goes for most residential services like @Home. It is their network. You agree to their terms of service prior to them turning the service on. If you want to go outside the bounds of that agreement, then you are expected to pony up and purchase the appropriate service.

      There is nothing wrong with them enforcing the terms of their agreement. If you don't like their actions or policies, then take your business elsewhere. However, these actions are being taken to protect their customers from others as well as themselves through their own incompetence and negligence.

      The warning signs were plastered everywhere, remedies were posted in accessible locations, and these people did nothing to protect themselves. Now, they complain because their systems have been compromised. Oops.

      Or how about the power company, charging you differently depending on how you use the power, and limiting you to, say, 10 amps peak if you don't have a business contract.

      They can and do. Power companies routinely offer reduced rates for certain customers willing to meet certain guidelines. Example might be reduced rates for home owners willing to curtail power consumption during peak hours. They provide power real cheap so you can run your refrigerator and other minimal services (like keeping your house at 60 degrees). If you use the added circuits outside the conditions imposed on the line, they will either charge you a fortune or cut you off from the special deal altogether. It's not rocket science.

  564. Re:Linux is not a contender.. by ogre2112 · · Score: 0, Offtopic

    Argument 1: Linux costs not only more because of the frequent updates which require new cdrom's to be bought.

    Ok, I'll stop right there, because obviously YOU DON'T KNOW DICK.

    Fucking Troll

  565. Just change the port by Vicegrip · · Score: 1

    Sure, it's a bit more of a pain http://www.something.something.something:1111 .. but it works.

    --
    Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
  566. My port 80 is not blocked... by Gunark · · Score: 1

    I'm on Rogers@Home here in Toronto (part of the Excite@Home network, I assume) and they are definitely not blocking port 80. They are however blocking the SAMBA port (471 or something?) which is extremely annoying.

    1. Re:My port 80 is not blocked... by Anonymous Coward · · Score: 0

      Hey Bozo, it's port 139 and there's a fucking good reason it's blocked, winnukehead.

  567. Running Services has never really been allowed by Anonymous Coward · · Score: 0
    I've had cable modems from Charter and ATT. In both cases there was a statement in the user agreement that you were not supposed to run any incoming services. They never really had a reason to crack down on it so they never did, until now.

    I'm not trying to defend the cable companies, but maybe you guys should read the agreement you made with the service provider before you complain about the current situation.

  568. People are becoming consumers, not content creater by Kiwi · · Score: 5, Insightful
    I can understand the thinking behind this move. The sort of people who make a decision are thinking in terms of traditional big media thinking, which goes like this:

    The average American is a mere couch potato which the corporations feed information to the unwashed masses the same way the inhabitants of Huxley's Brave New World were fed soma. The average consumer has nothing to say unless what they have to say is under corporate control. While people running web servers were tolerated when what they did was not attracting the attention of the corporate suits, they are being cut off by those who feel that people really shouldn't be running personal web servers.

    I am also annoyed that, while Apache and other UNIX web servers are able to make a web server without countless remote root exploits, all UNIX users on these cable modems suffer because Microsoft did not make a secure web server.

    Thankfully, this is easy enough to work around. E.G:

    http://24.x.x.x:8080/whatever.html

    - Sam

    --

    The secret to enjoying Slashdot is to realize that it should not be taken too seriously.

  569. They ought to filter on an http-server basis by Anonymous Coward · · Score: 0


    If one is running Apache, Code Red is not an issue. They should block port 80 for those machines running IIS. Once again, MS's "innovation" brings things to their lowest common denominator.

  570. Necessary? by J'raxis · · Score: 2
    I don't know about this. Yes, it's going to piss off a lot of people, however I think it was somewhat necessary. I have *.mediaone.net, and with the combination of port 80 scans and ARP broadcast packet storms, my modem was receiving between 10 and 30 packets per second nonstop for two days. I can't even imagine how much bandwidth that adds up to over the whole network.

    Oh, and: Any halfway decent webserver allows you to run on another port -- they're only blocking port 80, not HTTP traffic in general (is that even possible?). You already have a shitty-looking address: h1290736218736078216472164230187467.mediaone.net -- what's wrong with adding an :81? ;)

    I also think the cable company was probably quite pissed off over the Code Red hit -- their AUP specifically prohibits servers and here are hundreds of machines all running IIS webservers and making themselves quite visible.

    1. Re:Necessary? by Spackler · · Score: 1

      Oh, and: Any halfway decent webserver allows you to run on another port -- they're only blocking port 80

      Actually, I'm kind of irritated that you are making me defend Microsoft after all the bandwidth that has been chewed up over the last 5 days. I guess, by your rating, IIS is a "halfway decent webserver".

      Microsoft IIS 4.0 to 5.0
      1. Open Internet Service Manager.
      2. Right-click the Web site that you want to change.
      3. Click Properties.
      4. Click the Web Site tab.
      5. Change the TCP Port Number in the TCP Port edit box (or click Advanced for multiple Port settings).
      6. Click OK to save the changes.


      Moderators: I'm sorry for defending MS. I throw myself at your mercy.
      use SD::Karma;$karma--;die("WTF");

    2. Re:Necessary? by J'raxis · · Score: 1

      Well... yes. Damn you. :)

  571. Has anyone tried tzo.com? by Anonymous Coward · · Score: 0

    I am one of the victims of AT&T. I understand that TZO.com has a service that lets you put your server on another port, like port 8080, and they do some sort of forwarding to it so that it appears to be on port 80. Has anyone used this? it is $99 dollars for the year, but I am considering it.

  572. Road Runner by chill · · Score: 4, Informative

    While Road Runner isn't blocking (my cable modem light is still going nuts even when my computer is off); it is part of their Terms of Agreement: no e-mail servers, no web servers, no port scans.

    If you want to run an e-mail or web server, get a business line ($295/month w/1 IP; $325/month w/5 IP).

    However, they have been turning a REAL BLIND EYE to all of the above. I get port scanned daily and it looks like 30%+ of the machines on my subnet are running a web or mail server. (According to my *cough* port scan *cough* of the subnet.)

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Road Runner by bear_phillips · · Score: 1

      I believe this is the road runner "acceptable use" policy. It doesn't say anything about not being able to run a web server.
      Is there some other "terms of service" agreement that disallows personal web servers?

      --
      http://www.windmeadow.com/
  573. Even if you did run a Web server... by antdude · · Score: 2

    Why would anyone want to do with a 128k upload cap (assuming @Home cable modem service)? :)

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    1. Re:Even if you did run a Web server... by jrcamp · · Score: 1

      I have @home service and I'm wondering that too. Remember, that's 128 kilobits/second which equals 16 kilobytes/sec. That's not even enough to do decent P2P sharing.

    2. Re:Even if you did run a Web server... by MaxQuordlepleen · · Score: 1

      I have @home in Windsor, Ontario and I get ~500kbps upstream, steady.

  574. it would mean they had to do "real" work by mike13down · · Score: 1

    It would mean they had to do real work if they shut down accounts of offending machines. I spent a good part of last night talking to tech support, they actually said "When we set up the att system we wanted quick and fast setup, not secure, but fast, so we went with NT", she went on to say "all of our servers are infected with the virus". She didn't say which one, but she didn't sound happy with her job last night. And in response to the people who said, "running a server is against TOS", the answer is Yes and no. When I signed the contract with "mediaone" (the last contract I signed) the tos said "servers are not supported on the network", The new ATT one says that ... this is from the att tos "b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer. "

  575. Reality check by Anonymous Coward · · Score: 0

    Given that the Code Red worm and its variants have infected hundreds of thousands of machines, most on services like @home, there really isn't much else they can do. The logistics of trying to find and deal with that many servers means that the blanket blocking wins, particularly given that running servers is against the agreement everybody signed anyway.

  576. What the hey? by Pollux · · Score: 2, Informative

    @Home is really jerking your chain. Their user agreement is so bogus:

    The benefits and privileges available from the AT&T@Home, and the Internet in general, must be balanced with duties and responsibilities so that other customers can also have a productive experience.

    Translation: we're so cheap that we're going to cram as many customers as possible onto a single T1 line, limiting your privileges and your productive experience. Due to the ignorance of the general population, their productive experience is more simplistic and therefore will not come into conflict with our blocking of port 80. Granted, we understand that quite a significant portion of the internet is made up of servers like yours, but our bottom line beats your small desires to contribute to the growing of the world wide web.

    Under the terms of the AT&T Broadband Subscriber Agreement customers are not to restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service.

    Translation: you cannot interfere with other subscribers' use or enjoyment of the internet. We can interfere all we want.

    I'm sorry, but it's very plain and simple. @Home subscribers did not purchase a "pay per consumption" plan. They paid a flat rate for service, no matter how much or little they planned to use it. If I subscribe to the daily newspaper, the newspaper company has no right to revoke the Tuesday edition from my house just because they found out that I don't have time Tuesdays to read it. I paid for it, so they are required to give it to me, no matter if I read it or not. Sure, they could come up with some bogus excuse, like "The wasting of paper on an edition of the paper which is not read by the customer is interfering with the paper supply being utilized for the enjoyment of the newspaper by other subscribers." I could then take them to court and let the judge have a good laugh over how stupid the case is.

    Unless they specifically say in their user agreement that you will be limited to a certain time, bandwidth, or other limitation of their service, for them to limit your access to the web without proper notice and change to the user agreement is a direct denial of service.

    1. Re:What the hey? by Markonen · · Score: 3, Insightful

      Or, alternatively, consider this translation: "It is a known fact that upstream bandwidth in a cable network is an extremely scarce resource. At the market's current price point, we are forced to have a modems-to-headend ratio that only permits a typical web surfing workload on the upstream. The decision to actually enforce the no-server policy was made only after empirical data was gathered, proving that even a single file-sharing server could severely disrupt the service level for hundreds of other customers."

      (Disclaimer: I have no association with @home)

      You might have a leg to stand on if @home was bringing in huge profits and denying you features just to bring in a cent more. But guess what, they aren't, and those downsides of cable modem service are precisely what's enabling them to offer it at the price you are paying now.

      Don't like it? Tough. Go out and buy some real Internet bandwidth. It will cost you at least $200 per Mbps per month, in addition to the circuit costs.

    2. Re:What the hey? by Anonymous Coward · · Score: 0

      I completely disagree. This act is in the best interests of the majority of their consumers. There's really no good way around this problem other than what they are currently doing. You can't honestly expect them to compile a list of EVERY infected IP and block port 80 to only those ones at the routers, do you? Do you have any idea how large this list would be? And if they missed anyone, the problem still continues.

      Just because I pay taxes that cover the costs of roads in my city doesn't mean I can do whatever I want. If I saw somebody driving down the street in a 20 tonne vehicle with lugs on it, tearing up the road, I'd have something to say about it. Same goes for the Internet. Right now there are too many people with insecure systems and it's affecting everyone. You're already limited in the fact that your bandwidth has restrictions and you are only given 1 IP (in most areas). Just because they took away incoming port 80 doesn't mean you're being screwed. That's a very selfish attitude.

      Bottom line is: you're paying minimum dollar for a very good service otherwise. You deserve to be thrown back to dial-up if you can't see how good you have it right now.

  577. Sprint BroadBand Wireless by reverius · · Score: 0

    I get SprintBroadBand Wireless.

    It's about $40 a month, available throughout the U.S. (although limited to certain areas).

    I get about 1 - 3 megabits reliably during the day, and at night, it's up to 4 or 5. I'm amazed at how fast the download speeds are.

    They've never once done anything bad to me, like blocking ports or anything. Although their terms of service suck, they don't seem to enforce them. :)

    Only problem is, b/c it's wireless, ping times suck (lots of latency) and the upload speed is limited to about 30k. :(

  578. Oh goodness gracious! by Anonymous Coward · · Score: 0

    who let dehli on the net

  579. Verizon has *not* blocked port 80 here... by jlrowe · · Score: 1

    I just tested it, and it is working using a server running Linux and Apache.

  580. The virtues of small ISPs by hillct · · Score: 2

    It's amazing the quality of service (or lack thereof) that people will tolerate from large companies. When I gave up my dialup account in favor of DSL (those many moons ago) I switched from Mindspring to a small local ISP for service and I've never regretted it. Unfortunately there are lots of users who don't investigate their DSL service options before signing up with their local phone company. Small ISPs as a rule will always value their customers more than large outfits just because each customer contributes a larger percentage to their revenues (I don't pay more, they just make less). They'll bend over backwards to provide good customer service, and retain their customers.

    Unfortunately the three largest ISPs continue to buy up the smaller regional players. One of the steps I've taken to guarantee my quality of service is to have an explicit QOS specific contract (in hopes of avoiding what's happening to the QWest.net users as they're transitioned to MSN Internet access). What other steps might customers be able to take to ensure that their small regional ISPs retain their independence, in this climate of consolidation?

    --

    --Got Lists? | Top 95 Star Wars Line
    1. Re:The virtues of small ISPs by jchristopher · · Score: 2
      Small ISPs rule! If you're in Southern California, check out cinenet.net for an ISP, minus the "you can't do this and that" terms of service.

      They provide a pipe for a reasonable amount of money a month, and let me do what I want with it. Kudos to them.

  581. just move the port to something else by MrBId · · Score: 0

    Just like a few others have said, move the port to something other than 80, like 8080. Shit, I don't care as long as they don't block 21 and 6667.

  582. Just get a job! by dan_the_heretic · · Score: 2, Informative

    If you want a server running a web site, co-locate! I have yet to see an ISP let their customers run a web site without extra cost. What's the big deal! Whining 'cause you can't get it free? GROW UP! Access costs MONEY. Pay it. Then whine because you don't get the service you pay for!

    --
    I don't like big words..., does that make me anti-semantic?
  583. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0
    Actually, it's an above-average troll. Yeah, the reference to buying new CDs makes the troll lose points, but he's right about ext2 eating itself and ufs+softupdates blowing ext2 out of the water.

    It contained facts and ticked off Slashdot readers -- that's a good troll in my book. (And it sure beats the goatse.cx links...)

  584. How is this going to help? by Anonymous Coward · · Score: 1, Interesting

    Even if they block off incoming port 80 from the rest of the world, that won't help much. I'm on Roadrunner. Looking at my logfiles, 1340 of the 2038 Code Red attacks I've gotten since Sunday are from other Roadrunner customers. Are they going to block incoming port 80 from each machine internal to their network to every other machine internal to their network?
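
The tally described in comment 584, as an added example (editor's code, not part of any poster's comment): it counts Code Red probes in a web server access log and splits them by whether the source sits inside the ISP's own address space. The log lines are constructed, the `24.0.0.0/8` range is an assumption standing in for the ISP's customer ranges, and the `/default.ida?` request with a long run of `N` (Code Red) or `X` (Code Red II) filler is the worms' publicly documented probe, not something stated on this page.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log format: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<req>[^"]*)"')

# Probe signature: GET /default.ida? followed by a long run of one filler
# character. 'N' filler = Code Red, 'X' filler = Code Red II.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<fill>[NX])(?P=fill){20,}')
VARIANT = {"N": "Code Red", "X": "Code Red II"}


def classify(request):
    """Return the worm variant name for a request line, or None."""
    m = PROBE_RE.match(request)
    return VARIANT[m.group("fill")] if m else None


def summarize(lines, isp_networks):
    """Count worm probes and split them into same-ISP and outside sources.

    isp_networks: CIDR strings for the ISP's customer ranges (assumed input;
    take the real ranges from the ISP's whois/route records).
    """
    nets = [ipaddress.ip_network(n) for n in isp_networks]
    by_variant = Counter()
    internal_hits = Counter()   # source IP -> probes, sources inside the ISP
    external_hits = Counter()   # source IP -> probes, sources outside it

    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed or truncated line
        variant = classify(m.group("req"))
        if variant is None:
            continue                      # ordinary traffic
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue                      # hostname logged instead of an IP
        by_variant[variant] += 1
        bucket = internal_hits if any(ip in n for n in nets) else external_hits
        bucket[str(ip)] += 1

    internal = sum(internal_hits.values())
    external = sum(external_hits.values())
    return {
        "total": internal + external,
        "internal": internal,             # not stopped by an edge filter
        "external": external,             # stopped by an edge filter
        "internal_sources": len(internal_hits),
        "external_sources": len(external_hits),
        "by_variant": dict(by_variant),
        "top_internal": internal_hits.most_common(5),
    }


def _probe(ip, fill):
    """Build one constructed log line carrying a worm-style request."""
    req = "GET /default.ida?" + fill * 224 + "%u9090=a HTTP/1.0"
    return f'{ip} - - [07/Aug/2001:02:11:09 -0400] "{req}" 404 276'


# Constructed sample log (addresses are made up for the example).
SAMPLE_LINES = [
    _probe("24.10.1.5", "N"),
    _probe("24.10.1.5", "N"),             # same host probing again
    _probe("24.200.7.9", "X"),
    _probe("65.1.2.3", "N"),              # source outside the ISP range
    '24.10.1.5 - - [07/Aug/2001:02:12:00 -0400] "GET /index.html HTTP/1.0" 200 512',
    '200.5.6.7 - - [07/Aug/2001:02:13:00 -0400] "GET /default.ida?foo HTTP/1.0" 404 276',
    "garbage line without the expected fields",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES, ["24.0.0.0/8"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Counting distinct sources alongside raw hits matters here, because a single infected neighbour that keeps re-probing inflates the hit count without adding hosts to clean up.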

  585. Has affected some games as well by Anemophilous+Coward · · Score: 1

    At least here in Colorado. Actually, I want to know if anyone else is experiencing this problem. It just happened to coincide with the code red insurgence, but then again, it could be on my end.

    In Unreal Tournament (yah yah, windows...so I have a gaming partition) there is an internal browser of sorts. The 'news' page displays a web page with the latest news. You click another tab and find servers to play on. Etc.

    Well the problem that has surfaced is that when I click on the 'news' page tab, it just keeps querying the server. Running it through a proxy filter, I can see that it is sending out the proper HTTP GET request. It just appears that the return data packet never makes it back to my computer. Now, the game listings work just fine and I can go into and play games. However, there is a feature which will auto-download skins, maps, mods, etc. if you enter a server and do not have a particular item installed on your drive. This feature has also mysteriously stopped working and I am not sure why, since I believe it operates on the same port as the game server (ie: usually a quite high port).

    All other web browsing through IE, Mozilla, etc. works fine. Although I've just noticed that I can't seem to download Norton AV updates now either...that's not a good sign. The service here is ATTcrapHome (ATT@home), so if anyone else is having a similar problem, let me know and any workarounds you might have found. After that, I'll probably try and re-install the game to see if that corrects the problem.

    - A non-productive mind is with absolutely zero balance.
    - AC

  586. Re:People are becoming consumers, not content crea by interiot · · Score: 2

    An alternate hypothesis: an emphasis on consuming could simply be the nature of an asymmetric connection.

  587. AT&T and Excite@Home by Baloo+Ursidae · · Score: 1
    OK, from the inside of Excite@home, port 80 is not blocked nor are there plans to. (But I've heard rumors of a crackdown of people calling in about problems with the Code Red worm...serves them right though)

    Just tried an AT&T customer I know has a webserver on it...it isn't blocked.

    It's possible this is a MediaOne thing and not all of AT&T. I haven't heard anything about any of the local cable companies blocking any ports, and the phones have been nearly silent at my level of support all week (we were all expecting a long, painful week after seeing the Slashdot headline on Saturday...)

    --
    Help us build a better map!
  588. Southwestern Bell aDSL? by AKA+da+JET · · Score: 1

    I'm not sure, but I read the agreement just now and didn't see anything regarding the use of their service to host web servers. Anybody know anything more about their policy on using your account with them to run a server?

  589. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0, Interesting

    Of course I know about downloading Linux instead of buying cdroms. I've been installing FreeBSD over FTP for quite some years now, you know. The FreeBSD installer could do that before any Linux distribution even had a network install option.

    But that doesn't take away the fact that not everyone has a high speed internet connection and therefore costly 6+ cdrom packs are needed for most people every few months..

    So, my point still stands. Each and every one of my arguments is right to the point, and more important, TRUE.

    The conclusion remains: Linux is not an option for any serious computing job out there. Try to attack the FACTS given in my 'troll' with some good arguments.

    Oh, you can't? I thought so..

  590. I have @home and this is my experience with it. by Anonymous Coward · · Score: 0

    I run programs that log all types of packets to my system. Lately, I have been receiving a connection to port 80 TCP from 24.* IPs every 5 minutes. It seems from what I read about this is that people are disgruntled. I'm glad they are filtering out port 80. I examine a few machines from my logs every once in a while. Just two days ago, I telneted to a machine that I saw attempting to connect to port 23 on my machine and I was dropped to a # prompt with a uid of 0 on a FreeBSD router with over 30 pppd sessions running. Some changes are necessary, and this is a good thing. I wish @home would drop SYN packets to my computer. I don't even want a packet hitting my cable modem, unless I initiate the TCP/IP sequence.

  591. Changing port numbers. by McDoobie · · Score: 1

    For those of us who run small personal webservers, just for friends, family, associates and such, it's easy to change the webserver to run on port 1120 or some other such oddball port and mail the port address to those whom you want to have access.

    It still sucks though, that you gotta pay up the ass for the privilege of having a general public website.

    I really hope @Home doesn't start "cracking-down" on people who use VPNs over their network.

    McDoobie

    ---------------
    This is my .sig. Yes, it really is!

    1. Re:Changing port numbers. by nuxx · · Score: 1

      I really hope @Home doesn't start "cracking-down" on people who use VPNs over their network.

      Now THAT would cause problems. I really like being able to connect into work via VPN at 2:30 in the morning (from wherever I'm sleeping that night) when the Problem Management Room pages me wanting access to my experimental IDS to see if any more Code Red II machines have popped up. Imagine doing that on a normal modem to some corporate modem pool? Uggh. What if I'm someplace without a POTS line? I don't even want to think about it...

      -Steve

  592. I've read my TOS and it sucks. by The+Famous+Brett+Wat · · Score: 5, Insightful
    I would definitely like to take issue with the idea that "users" means "client applications". It is my opinion that the ISP should not care one whit whether my applications use the Internet by initiating outbound TCP connections, or by accepting inbound TCP connections. The distinction with UDP is even less relevant. All of these schemes result in inbound and outbound traffic. If they wish to say something about traffic volumes, then let them do so, but I do not want them dictating how I use that volume (other than reasonable constraints on network abuse, and other legal matters).

    If anyone can explain a good reason for banning servers rather than limiting data volumes, I'm all ears. I think it's either a combination of laziness and sloppy thinking on the part of the providers, or a desire to force the "users" to also be "content consumers" rather than "content providers". Hanlon's razor, I believe, favours the former explanation.

    --
    proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
    1. Re:I've read my TOS and it sucks. by figment · · Score: 2
      Yah, I should rephrase.

      I like companies that have security problems. Then they hire me at an extraordinarily high consultant's rate, and pay me to fix it.

      What I really mean when I say that, is that 99.9% of security issues are from people at home, who I really don't want to deal with, because they pay some incredibly small amount of money each month to leech extraordinarily more bandwidth than they should. And when I said redhat, I really shouldn't have; I'm not dissing redhat or linux in particular, I get the exact same problems with IIS/W2K.

    2. Re:I've read my TOS and it sucks. by Anonymous Coward · · Score: 0

      I can tell you the business rationale behind this, but I do not think that you will consider it a "good reason". The ISPs' desire to limit web servers and the serving of content is a sign of their desire to price discriminate. Price discrimination is a rational goal for a business that is seeking to maximize their profit. If permitted, and it is in the US, it allows a business to extract excess profits that theoretically surpass the profits that a monopoly provider can extract. It is quite common and the theory behind it is that you try to extract the maximum amount of money that the customer would be willing to pay for the good or service. Airlines are the most familiar practice of price discrimination. So the reality is that you might only be willing to spend $50.00 a month on a connection that supports web servers, but you will not drop the connection if you lose the perk. The real concern is that the business that is buying the $900.00 a month T-1 would consider replacing it with a multi homed DSL and Cable modem connection. The business sees this as leaving $850.00 a month on the table.

  593. Simply not true... by Gregoyle · · Score: 4, Informative
    Most, if not all, broadband providers prohibit running servers from home accounts

    Definitely not all. MediaOne (now AT&T Broadband) never prohibited it. I understand your reasoning, but if you check the TOS, many companies do not explicitly prohibit running your own server, and some even explicitly permit it.

    What AT&T (at least the Roadrunner service) prohibited was duplication of their services. You weren't allowed to run as an ISP, and they also reserved the right to shut you down if you used up too much bandwidth. You weren't allowed to run a commercial web-server, because they sold web hosting.

    I don't disagree with their decision, as inconvenient as it is for me. I can just have my webserver listen to a port that is not 80. I don't even know if MS IIS supports this, but luckily I'm not running IIS.

    Think about it this way: if the virus was actually eating enough bandwidth and resources to affect the general home user experience, they would get complaints from those users. Maybe they will open the ports back up. Ha. That kind of stuff never happens. Oh well... guess I have to look for a new ISP (maybe speakeasy.net, even though Covad is going belly up...)

    --

    "He's more machine now than man, twisted and evil."

    1. Re:Simply not true... by Zog · · Score: 0

      Read your contract - it's in there; they just never truly enforced it.

  594. Fine with me... by nuxx · · Score: 1

    I don't have a problem with this at all. Code Red II has been a SERIOUS problem around here (want to see 40MB of logs of random arp requests from Saturday night while I was sleeping?). Most people who can afford cable should also be able to afford the $15/mo or so for decent hosting services. If you need to do anything more custom than a reasonably priced host can offer then you are probably capable of running your site on a non-standard port. (Remember finding all sorts of :8080, :8008, etc servers way back when?) Sure, I'd like it if they (@Home) eventually turn back on all ports, but it's not really that big of a deal. I don't want to host off of my cable modem anyway, it's 128k upstream. When someone else on a nice connection starts hitting me everything slows here.

    Maybe @Home will try some sort of filtering on their transparent proxies to stop any worm-related strings as they are sent to keep @Home users from sending the worm to outside networks? You'll still have the problem of internal machines infecting each other, but judiciously monitoring logs and turning off the port of infected machines should take care of that.

  595. Pretty simple by pbur · · Score: 1

    Ok, @Home and most DSL providers state in your agreement that you won't run any servers at all. This has been stated before in the previous responses and I completely agree with them.

    When I had DSL, my ISP knew I was running servers and even gave me appropriate reverse lookups.

    But now that I am on cable, I just went ahead and put a machine in a co-location facility and hooked it up to a T3 line. A friend of mine split the bill and it is basically what I was paying for my DSL access.

    Most people sitting at home don't need to be running servers, and those that feel that they have to should look at dedicated DSL with a provider that understands you are running servers or go with a hosting company.

    Just my .02

  596. Add the different port to the DNS Name.... by Dwaine+Garden · · Score: 1

    I just went to the site where I purchase my domain. Change the IP address to include the new port. 24.65.345.34:8080 So when I type in www.emuit.com it redirects me to my site. What's the big deal. The DNS name does not change.

  597. my light is still !#@! blinking by Anonymous Coward · · Score: 0

    it's still blinking. Network traffic still seems at the same level as yesterday. Fortunately, my porn downloads at the same speed as it always has. Overreaction is typical of 85% of the world, and it inevitably gets them in trouble.

  598. Umm by savrinor · · Score: 1
    They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service.

    Running such a server is against their TOS anyway, unless you upgrade to a more expensive service.

    At any rate, I do disagree with this action. I (and some others I know on @home) have been logging the code red attempts using programs like websnarf, and sending the logs to DShield and SecurityFocus. This, I believe, is important to monitoring the spread of Code Red, and of course now that can't happen. @Home users were the hardest hit and the most infected, judging from my logs.

    @Home could've simply blocked the port on machines that were infected. They routinely scan their users throughout the day for security holes, it wouldn't be difficult at all to adapt that to a code red scan. But no, let's take the easy way out, and block potentially useful information from being gathered.

    Feh.

  599. TiVoWEB by creep · · Score: 1

    Maybe a little off-topic, but I'll digress for the fun of it..

    I can always move my website to other places--I have plenty of friends who have business service who can give me free space for a website. Long as they don't block the port that I've got my TiVoWEB setup on, I'm happy..:)

  600. From A Business Perspective, It Makes Sense by Jucius+Maximus · · Score: 3, Informative

    [Rummaging in drawer for flamesuit...]

    "They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service."

    Honestly, if I was in the position of the ISP, I would just have cut off all port 80. It makes perfect sense, from a business perspective, that is.

    [donning flamesuit...]

    I mean, do you really expect them to sift through millions of accounts, determine which ones were compromised with CodeRed IIS servers and block them off? And this list would have to be dynamically maintained, of course, and more port 80s continually blocked because Code Red II is still on the loose. And the ISP couldn't discriminate. If they decided to block all compromised IIS, they'd have to keep up with each and every server running.

    It would simply be a logistical nightmare where thousands of hours of work are diverted from network administration, support, maintenance, etc. It wouldn't work. They'd probably have to start up a whole new management division to keep track of it. And then their support people would continually be taxed by calls from people who are getting blocked when their neighbor's Apache box is still serving up pages.

    And even if they did do this, how would they correct for human typos in the blocking tables and correcting for all of it, verifying that it was an error, etc?

    So which would you prefer? An ISP where you could just run a proxy and keep your server running, or one that throws all their support staff into keeping the IIS boxes under control and doesn't have the people to actually manage/administrate the network/support so your site wouldn't be available half the time anyway?

    In an ideal world, they WOULD block only the people who didn't patch their IIS servers and got infected. But unfortunately for *everyone* it just doesn't work that way.

    [peeks out from flamesuit helmet... do I have any friends left on /.? ;-]

  601. Re:Linux is not a contender.. by (void*) · · Score: 2
    Why is this interesting?

    I don't agree that most people require 6 CDROM packs to keep their installations up to date.

    But let's pretend this is so. Make some comparative facts to commercial software offerings. Sounds more reasonable now, Mr Coward?

  602. Not surprising by ioman1 · · Score: 1

    I am not surprised that companies are doing this. Give people power and they will abuse it. Take away their power and people whine. If you want to host a server, buy the hosting or appropriate bandwidth.

  603. Read the Acceptable Use Agreement by q-soe · · Score: 3, Redundant

    This has probably been said, but I am an Optus@Home customer in Aust and it firmly states (about 6 times) in the user agreement, FAQ, member pages and help sections that you cannot run a server on the web; this is in breach of the AUP and you get immediate disconnection.

    So if this is the case then why the story? Why the complaints?

    Ignorance is no defense - when you sign up for any service or contract you read the terms and conditions - thus you don't have these problems.

    End of story - if it's not acceptable and you do it you get thrown off - I can't see anything fairer than that, and whingeing about it happening is like ignoring the warning on a chainsaw that says don't cut off your leg and doing just that!!

    (of course in the US you could sue the company as stupidity is no exclusion - get the right jury and get lucky)

    --
    I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
    1. Re:Read the Acceptable Use Agreement by Sadfsdaf · · Score: 1
      http://help.broadband.att.com/faq.jsp?content_id=584&category_id=34

      Choose either one, whether you leased your modem or purchased, either or there's a clause that allows you to host both an FTP server and an HTTP server.

  604. 802.11b is wireless by CTboy · · Score: 1

    Which he mentioned as an option, but as he said, it's slower and has security issues.

    As for your question, if you're looking to set up a small wireless network for your home, fed from DSL or cable, I hear Linksys has some pretty good products for home based systems at good prices.

  605. Re:People are becoming consumers, not content crea by tswinzig · · Score: 2

    I am also annoyed that, while Apache and other UNIX web servers are able to make a web server without countless remote root exploits, all UNIX users on these cable modems suffer because Microsoft did not make a secure web server.

    If you really think that this worm is the reason these ports are getting blocked, you are naive.

    This worm is the perfect excuse to finally come in and enforce their unpopular TOS -- no servers should be running on cable/dsl connections (at least for the companies discussed here).

    On a side note, I'd like to say PLEASE, FOR THE LOVE OF GOD, DON'T LET TIME WARNER TAKE AWAY MY PORT 80!!

    Ahem.

    --

    "And like that ... he's gone."
  606. I don't know anything about port blocking but.... by poteet · · Score: 2, Interesting

    ...@Home has been port scanning me off and on for this past week. I've called tech support to ask why and all I get is a perfunctory "We don't use that kind of software, it must be a hacker or something...." Yeah, right.

    --
    "Sometimes nothin' is a pretty cool hand." - Cool Hand Luke
  607. Here's a nifty trick by thatdammplage · · Score: 2, Informative

    This is a bit off topic, but I've been sending notes to everyone whose infected machine is hitting my firewall. Note that it won't work if the machine is behind a NAT box or firewall, but about 80% of the messages are going through.

    From your Windoze box:

    net send xxx.xxx.xxx.xxx "Your computer is infected with Code Red. Please patch your server immediately!"

    Replace the xxx with the offending IP addresses (duh!)

    I'm pretty sure that net send uses port 137, so there's a good chance that it's blocked, but like I said, about 80% of the messages are getting through. It pops up a message box on the infected system.

    Now, if someone would just write a small app that listens to port 80 for the Code Red packets and attempts a reply with net send

  608. I think I witnessed it. by Anonymous Coward · · Score: 0

    Here I am reading how @home is blocking port 80. I look over at my cable modem that is blinking non stop, and I have to wonder when they will implement this change. Not 2 minutes later, I look back at the modem, and it's silent. After 5 minutes of down time, it's back up and only has a few blinks every couple of seconds. So, I guess the answer to my question was 12:00 am EST, Thursday, August 9, 2001.

  609. No News is Good News. by Anonymous Coward · · Score: 0

    I am getting tired of the tone of the typical Slashdot story.

    The world is full of enough of this bullshit to make life miserable for a really long time.

    I realize it is difficult to be so objective as not to be perceived as a biased news source, but it couldn't hurt to try just a little bit.

    Could we please get back to some real news before I stop reading Slashdot altogether? After four years, it just might happen folks.

  610. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0

    But most businesses *do* have a highspeed connection, and that's the segment we're most concerned with. And I've been updating Suse7.1 daily for the last several months. It doesn't take much bandwidth. The biggest was several meg after a re-install (crashed hard-drive) and that could easily be done on a 56 K at night. Oh, and crashes? I've had exactly two unexplained crashes on four machines in three years. What does that average to? One crash every six years. Oh, yeah, I'm sweating that one.

  611. NEVERMIND by Anonymous Coward · · Score: 0

    If I had waited another 5 minutes, I would have realized that the IIS boxen in my neighborhood were just slow to play again after the downtime.

  612. Missing the forest for the trees. by Anonymous Coward · · Score: 0

    We're the elite 10% of the internet. The other 90% are llamas who turn their computer off (when they aren't browsing porn) running windows out of the box (what security).

    The original Code Red was mostly harmless. The latest Code Red leaves the computer root (well Administrator) compromised with a (yes, you guessed it!) HTTP://llama.athome.net/?shell.exe/whatever entry point.

    Try to imagine the Absolute Hell that you'll be going through for the foreseeable future from all those machines.

    Try to imagine talking a bazillion grandmothers through fixing the IIS they didn't even know they had, and patching up their compromised computer.

    Or, we can block port 80 *to* the customers. hmmmm.

    Start thinking like you have to support a /8 network of grandmas.

  613. Speakeasy Rocks by Schmerd · · Score: 1

    I've had Speakeasy as my ISP for about 18 months now, and I've been absolutely delighted with them. Not only do they not mind if I run servers off of my DSL line, but the connection has been extremely reliable. The line has been down just a few hours (one day) in the last 18 months.

  614. Not Really Bugging me by will12 · · Score: 1

    I may not run IIS, but even if @home blocks port 80 when I do have my servers up it doesn't affect me, seeing as I mostly use it for a shell to grab my e-mail and occasionally work on some programming or build in my MUD. Personally I don't have a problem with the solution, assuming it's temporary anyway; it stops the problem somewhat effectively, but I would rather see some mass e-mailing from the tech department with links to the patch and some easy instructions that even a 4 year old can understand. I am not sure if this will work, but how about just telling everyone to go get the patch and run it, then reboot; if the computer doesn't have the hole, i.e. 95, 3.1 and the others, the patch will most likely fail. However, I do agree that this hole should have never existed in the first place, but oh well, it does, and we're going to have to live with it for a while. A side note: my bandwidth has been affected, but that's OK with me because I know there are times when I have used more than my fair share; now when there's something that eats it up I will just sit back and wait longer to get my pages, knowing that even though it's a worm it could be other users too.

    sorry about the spelling.

    --
    Peace, Freedom and Linux for all
  615. Counter Virus by Nima · · Score: 0, Redundant

    From the looks of my logs it's just small residences that are attacking me; all that needs to be done in my opinion is a release of a counter virus, because let's face it, the people that are running the machines that are attacking me are not gonna know they are running IIS, let alone that they are infected with Code Red 1 or 2.

  616. This needed to be done last week by AcidBath · · Score: 2, Informative

    The @Home call center has been getting thousands of calls a day because of the Code Red worm. People calling in for everything from wondering why their activity light is going nuts 24/7 to the poor saps who can no longer connect because the routers and nodes are overloading and going hard down. This port 80 block is needed. Sure some users run servers on port 80. Aside from the fact that they signed a TOS saying they wouldn't, they shouldn't be so arrogant as to think that they (since they know how to run a server) deserve to not help everyone else (newbie or not) have a good internet experience.

  617. Re:Linux is not a contender.. by Anonymous Coward · · Score: 0
    Well now, Mr. Void*, it seems you have a reading comprehension problem.

    Which part of attack the facts with arguments did you not understand?

    I made my statement, and even cleared it up for simple creatures like you, who are apparently not the sharpest knives but aim at the most irrelevant subjects.

    Right now it's your turn to do something with my information, not ask me for more. But as I thought, people like you don't really have a counter argument, you're just pissed because I proved your OS - with which you obviously have a love affair - a piece of crap compared to other software products (that's free products, not commercial, another example of your low comprehension skills).

  618. Moderators..... by Wntrmute · · Score: 1

    We have all these people saying "screw you, you worthless little peon consumer, your AUP says you can't run a server" and here's someone who quotes AT&T's AUP, where it explicitly states that you can.

    The above post should so be modded up to 5 by now, so all these know-it-alls yelling "Read your AUP" can actually take their own damn advice.

    Needless to say, if I was an AT&T customer, I'd be on the phone quoting their own AUP to them, and canceling my service.

  619. If you're in Eastern Mass. AT&T's lying by maggard · · Score: 3, Interesting
    AT&T "Customer Service" is claiming that their Acceptable Use Policy forbids servers. This is not true for all customers; I know it's not true at least for the former customers of MediaOne in Eastern Massachusetts.

    Partially quoted from:
    roadrunner.techtalk.general
    3B709BDA.3480@mediaone.net.invalid
    chelm@mediaone.net.invalid wrote:

    Posting to ATT/RR Home Page on transition to Excited@Home:
    New Service Subscriber Agreement

    Your AT&T Road Runner home page will automatically change to the new content provided by AT&T @Home on June 30, 2001. Effective with the elimination of the Road Runner content, the AT&T Road Runner Service Subscriber Agreement will be replaced with the AT&T@Home Subscriber Agreement. You can see the new agreement at http://help.broadband.att.com/support under the Policies section of Answers to Questions. Because you are not using @Home software, the @Home End User License Agreement attached to the end of your new agreement will not apply to you.

    "AT&T@Home Subscriber Agreement" links to:
    http://help.broadband.att.com/support/faq.jsp?content_id=584&category_id=34
    which leads to:
    http://help.broadband.att.com/subagreelease.jsp
    Which states:
    9. Service Characteristics

    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

    (c) File and Print Sharing. The Service functions as a Local Area Network (LAN) in that each Customer is a node on the network. As such, users outside the Customer's home may be able to access the Customer's computer. As well, some software includes capabilities that permit other users across a network such as the Service and the Internet to gain access to the Customer's computer and to the software, files and data stored on the computer. For example, operating systems such as Windows 95 and Apple Macintosh include file sharing and print sharing capabilities which, when enabled, will permit other users to gain access to the Customer's computer even if the Customer is not using the Service. AT&T therefore recommends that the Customer connect only a single computer to the Service and that the Customer disable file and print sharing and other capabilities that allow users to gain access to the Customer's computer. Any Customer who chooses to participate in the Service using other than a single computer or who chooses to enable capabilities such as file sharing, print sharing, or other capabilities that allow users to gain access to the Customer's computer, hereby acknowledges and agrees that the Customer does so at the Customer's own risk, and that neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings arising out of or otherwise relating to such use by the Customer.

    And furthermore from the same document:
    11. Miscellaneous

    (b) Amendment. AT&T may, in its sole discretion, change, modify, add or remove portions of this Agreement, and the Service provided thereunder, at any time. AT&T will notify Customer of any such changes by posting notice of such changes on the Service, or sending notice via e-mail, postal mail or other means. Customer's continued use of the Service following notice of such change shall be deemed to be Customer's acceptance of any such modification. If Customer does not agree to any such modification, Customer must immediately stop using the Service and notify AT&T that Customer is terminating this Agreement in accordance with Section 7(a) of this Agreement. Customer will then be entitled to a refund of any unused portion of any monthly Service fee that has been paid in advance.

    Did anyone else get notification before port 80 was blocked? The above policies certainly still seem to be in effect; they're still posted and they clearly imply customers may run HTTP & FTP servers at their own risk.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  620. Verizon is NOT blocking port 25 by Anonymous Coward · · Score: 0

    There is no egress port 25 filtering for Verizon DSL customers in Virginia at least. I've been running my own mailserver for quite a while now w/o problems. (which is necessary, since a) I'm unemployed, and b) the Verizon provided email account is nothing but spam...30+ a week on average and climbing. And that from an address that was used for NOTHING except registration for Verizon (or bellatlantic at the time) grrrr).

  621. Verizon hasn't blocked me... by zinger · · Score: 1

    I've got their business account (which costs me $40 more for the same service, but gives me a static IP address) and my service is unaffected. Good thing too, I run my own IDS for a reason...

  622. slashdot needs... by Anonymous Coward · · Score: 0

    a more configurable threshold setting..

    I want to be able to view ONLY all of the -1 comments, or ONLY all of the 0 comments, or ONLY all of the +1 comments, etc.

    Sometimes I like to read threads just for the trolls.

    I demand that these changes be implemented immediately for the pleasing of myself and other slashdot trolls.

  623. My short reply... by Jace+of+Fuse! · · Score: 2, Insightful

    http://www.directvdsl.com

    Formerly Telocity.

    1.5 down. 256k up.

    They don't care what you do.

    They don't block any ports.

    Their terms of service even say they don't mind what you do. It's your bandwidth.

    They only have one rule. If you run something funky, don't go crying to their tech-help for support.

    That's MORE than fair.

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.
  624. how @home seems to be getting SLAMMED... by Polo · · Score: 2

    Since code red hit, my cable modem light has been on continuously. Dumping the packets my system sees finds that the bulk of the requests are ARP requests to find the destination machines that code red wants to connect to.

    A typical code red request is something like:

    "infected" broadcasts: ARP request: who is 24.1.2.3?
    24.1.2.3 machine replies: ARP reply: I am (here's my MAC address)
    "infected" sends connect packet to 24.1.2.3:80, etc...

    However, @home in my area seems to be one large broadcast domain. Although 24.1.2.3 is not on my subnet, I do see the ARP request from the infected machine. But there are LOTS of them. So the bulk of the packets are ARP requests and this is what is REALLY flooding the network. Of course, I also get connect requests to port 80, but there are numerically a lot fewer packets.

    This may only apply to my area though... ymmvw.

    so filtering port 80 will help prevent infections, but I wonder how much traffic it will cut down on.
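
Added example, not part of the comment above or of the original page: a small tally of the traffic mix that comment describes, broadcast ARP requests seen from neighbours versus TCP SYNs actually aimed at the local host's port 80. The tcpdump-style lines, all addresses, the local address 24.1.5.5 and the `min_targets` threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style sample (not captured traffic; addresses are made up).
SAMPLE = """\
12:00:01.000101 ARP, Request who-has 24.1.2.3 tell 24.1.9.9, length 46
12:00:01.000350 ARP, Request who-has 24.1.77.10 tell 24.1.9.9, length 46
12:00:01.001020 ARP, Request who-has 24.1.30.4 tell 24.1.7.7, length 46
12:00:01.002200 IP 24.1.9.9.1045 > 24.1.5.5.80: Flags [S], seq 1, win 8192, length 0
12:00:01.002900 ARP, Request who-has 24.1.200.8 tell 24.1.9.9, length 46
12:00:01.003400 ARP, Request who-has 24.1.31.9 tell 24.1.7.7, length 46
12:00:01.004000 ARP, Request who-has 24.1.5.5 tell 24.1.0.1, length 46
12:00:01.004800 ARP, Request who-has 24.1.64.2 tell 24.1.9.9, length 46
12:00:01.005100 ARP, Request who-has 24.1.90.1 tell 24.1.7.7, length 46
12:00:01.006000 IP 24.1.5.5.3310 > 198.51.100.7.80: Flags [S], seq 9, win 8192, length 0
"""

ARP_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
# Pure SYN (not SYN-ACK) addressed to TCP port 80.
SYN80_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.80: Flags \[S\]")

def summarize(text, local_ip):
    """Return (distinct ARP targets per asker, inbound port-80 SYNs per source)."""
    arp_targets = defaultdict(set)
    syn80_in = Counter()
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            target, asker = m.groups()
            arp_targets[asker].add(target)
            continue
        m = SYN80_RE.search(line)
        if m and m.group(2) == local_ip:      # ignore our own outbound browsing
            syn80_in[m.group(1)] += 1
    return arp_targets, syn80_in

def traffic_mix(text, local_ip):
    """(ARP requests seen, port-80 SYNs aimed at us): broadcast vs. unicast load."""
    arp_targets, syn80_in = summarize(text, local_ip)
    arp_total = len(ARP_RE.findall(text))
    return arp_total, sum(syn80_in.values())

def likely_scanners(text, local_ip, min_targets=3):
    """Hosts ARPing for many distinct addresses, the pattern the comment reports."""
    arp_targets, _ = summarize(text, local_ip)
    return sorted(a for a, t in arp_targets.items() if len(t) >= min_targets)

if __name__ == "__main__":
    print(traffic_mix(SAMPLE, "24.1.5.5"), likely_scanners(SAMPLE, "24.1.5.5"))
```

A port-80 filter at the provider edge removes only the second number; the ARP count depends on how the broadcast domain is segmented.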

  625. ONLY SOME ARE BEING BLOCKED by DigitalGlass · · Score: 1

    @home has been exactly truthful. There are still many webservers alive, sweep 24.128.176.xxx for port 80, there is a large number in there, my friend's site is in there and he is right down the street. His webserver still works! Them saying they can't unblock on a user basis is also a load of BS. How would these sites be working, also, how would any of their sites work at all? Everyone needs to call and complain about the port 80 blocking, or this might not ever go away. If they can unblock 137-139 on individual accounts, they can do it with 80 too. It is not against my TOS to run a webserver, it states you can run one, but ATT is not responsible for any damages resulting from it. Keep pestering them, eventually, this might be over with. The Code Red worm isn't just going to go away by blocking port 80, they NEED to send out a mass email with a link to the patch!

  626. Verizon DSL filtering has started here (VA) by brachism · · Score: 1

    I just confirmed with Verizon TechSupport (or at least that's what they like to call themselves) that they just began filtering port 80 inbound. I wish I knew this a couple days ago before I wasted 4 hours trying to figure out why my web server stopped working. I never would have chosen Verizon's ADSL except for the fact that no other provider could add new customers in my area. Apparently the space allocated to other providers in the central office wasn't large enough to handle the flood of customers wanting to leave Verizon's grip. Anyway I signed one of those 1-year agreements with them. When I signed up they told me they do not filter ports. Now that they are, I wonder if this change in service gives me the right to contest the contract and avoid early termination penalty.

    Unhappy Verizon customer in Virginia

  627. Re:Not in Hampton VA...but in CT. by arubis · · Score: 1

    Lucky one you are...Cox@Home users in Connecticut are just as fscked as all the complainers. Isn't complete lack of competition fun?

  628. Any ISP who blocks ports is not an ISP by Anonymous Coward · · Score: 0
    Any service provider which blocks Internet traffic is not an ISP. The Internet is more than TCP/IP on port 80! Advertising @Home as an ISP is like advertising Windows as a powerful, stable, and virus resistant multitasking operating system. It's a bold-faced lie and definitely false advertising.

    Welcome to the United Corporations of America...

  629. Port 80 workaround by Mark+Pitman · · Score: 1

    Here's what I did to get around @Home blocking port 80. I used register.com to get my domain name and they offer a service to host 3 web pages for you for free. So I set my Apache server to listen on port 81 and added some javascript on the page on the hosting service to redirect to my machine on port 81. Works like a charm.

    1. Re:Port 80 workaround by CM39 · · Score: 1


      That will work if the index.html is the only page people enter your site through but I have 150 pages and my hits are distributed among them.

      If someone is looking for http://www.yoursite.com/whatever.html they will either end up nowhere or a 404 page, if the 404 page has a click here to go to the yoursite.com homepage that's a little better but in my experience if the person looking doesn't find the page they are looking for right away they won't search for it.

      So once again I will repost my fix.

      Change your server so it handles http requests through port 8080 (or whatever port you wish).

      Then configure your dns pointers so that @ uses your server address (more than likely you are already configured this way) ie: 65.96.68.10 in my case.

      Now chatsearch.net points to me but won't connect on port 80, then configure www for URL forwarding to ie: http://chatsearch.net:8080/index1.html or whatever the page is since the Virtual Host manager doesn't work if you're redirecting. Now you're all set, http://www.yourdomain.xxx goes where you want it.

      Of course people won't be able to connect to you without the www. but the vast majority of hits will still get through.

      --

      "PMS is the time of the month when women act like men do all the time"
      Robert Heinlein