Slashdot Mirror


Broadband Crackdown

MrPeach writes: "In a move unsurprising to those of us who have had interactions with their so-called customer support, AT&T Broadband and Excite@Home are indefinitely filtering all incoming traffic on http port 80 for residential customers. They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service. DSL anyone?" DSL won't save you. Verizon is apparently also blocking port 80 for their DSL customers, in addition to blocking outgoing port 25 and requiring use of Verizon's SMTP servers to send email. Verizon is also cheerfully paying fines for screwing over their competitors - the fines will be much less than the extra profit they can squeeze out once their competition is gone.

30 of 790 comments

  1. AT&T Port 80 Blocking Ineffective, Irresponsible by Brian+Ristuccia · · Score: 2, Informative

    The version of AT&T's Broadband Subscriber Agreement that subscribers in my area (Formerly MediaOne Express) have agreed to could only be vaguely construed to prohibit web servers via the following clause:

    (g) restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service, including, without limitation, posting or transmitting any information or software which contains a virus or other harmful feature; or generating levels of traffic sufficient to impede others' ability to send or retrieve information.

    Indeed, the service agreement even mentions things users should consider should they decide to run a personal HTTP/FTP server:

    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

    See http://help.broadband.att.com/subagreelease.jsp for the full text of the subscriber agreement.

    AT&T is trying to use the subscriber agreement as a shield against criticism about how they've failed to properly deal with their network's acute inability to handle widespread use of the codered software by subscribers and also their inability to selectively track and remove or restrict users of codered. Running a webserver like IIS+codered that by design, defect, or configuration tries repeatedly to install a software package on every other webserver on the network is surely a prohibited use of the service under the subscriber agreement. Running a web server that only implements RFC2068 and has none of these annoying codered misfeatures probably isn't.

    The most effective thing AT&T could do to stop the autoinstallation of codered on customer machines is to block port 80 right at the cable modem on hosts running versions of IIS that support codered. It's certainly within their technical reach, since AT&T does selective layer-3 filtering of ports 137-139 right at the cable per customer request. For hosts that both support and run codered, AT&T should treat the host like they would treat any other compromised host: disconnect it from the network until the owner has recovered control.

    Instead of using any of the more effective methods, they're just having routers discard packets bound for port 80. Not only does this solution fail to prevent autoinstallation within AT&T subnets (because that traffic never crosses a router) and from hosts inside AT&T's network to those hosts outside of AT&T's network, but it also inconveniences legitimate users of port 80.

  2. Re:Leased Line by dan_bethe · · Score: 2, Informative
    I wouldn't use specifically a leased line due to the fact that it's very expensive in most places, but I would consider SDSL. To connect the neighborhood to this outbound point, I would consider either 802.11b or try that homebrew DSL recipe. I might even string heavy duty cabling between houses, across a fence or something. :)

    You'd just need neighbors who are cooperative, long-term minded, trusting of the admin, and with startup equipment funding. Consider that everyone's paying $20-80 per month already and that some neighbors can't even get broadband. In my neighborhood, my neighbor had DSL but I couldn't for several months due to insufficient circuits, and our cable network had unstable power levels that fluctuate with environmental conditions.

    As for the homebrew DSL, try these links:

    As for the wireless, I'd test compatibility with the environment to make sure it works, and possibly put up signal extending antennae. I heard of someone taking apart an Apple Airport base station, adding a large antenna, and getting line of sight throughput all the way to their ISP. :)

    Has anyone tried homebrew DSL? Got any links to any personal experience? In my case, I'd like to hear from someone in the San Francisco Bay Area. Good luck!

  3. AT&T in Eastern Mass is not blocking by Ececheira · · Score: 2, Informative

    I have AT&T Broadband (formerly MediaOne) in Eastern Massachusetts, and I'm still able to get to port 80 from outside AT&T's network.

    Given that they can control which ports are open on a per user basis (they can unblock SMB if you ask), I would suggest calling and talking to their tech support and explain to them that your system is not affected and that you want port 80 reopened, assuming yours has been blocked. There's no harm in trying to ask first... you just might get it.

  4. Re:Verizon DSL is NOT THAT EVIL by Anonymous Coward · · Score: 1, Informative
    1) Verizon is not blocking web servers
    2) Verizon is not blocking smtp servers
    3) Verizon isn't blocking any ports as far as I can tell
    4) Verizon IS preventing spam from being generated from their mail servers by requiring every piece of mail sent from their smtp servers to have a valid userid@verizon.net.
    5) Verizon will shut down DSL accounts on a case by case basis if your computer account is being used to degrade overall network service (ie you are a spam or virus factory, and Verizon can trace the network congestion back to you)
    Don't forget Verizon is a huge beast and just because you aren't experiencing the blocks doesn't mean they aren't blocking other parts of the Verizon Service area.

    More likely is that they haven't gotten to you _yet_. As a former contractor for them, I can attest they don't always move quickly, but if the order comes from high enough, it will happen. Well, ok, it will happen, but only after all those damn meetings wrap up. 8-)

  5. CodeRed scanner by sheldon · · Score: 3, Informative

    http://www.eeye.com/html/Research/Tools/codered.html

  6. Re:It would mean them having to do real work by Anonymous Coward · · Score: 3, Informative

    Ok folks..quick TCP lesson here. The goal is to stop the spread of the worm. What good is cutting off inbound port 80 to already infected servers? This will do absolutely NOTHING to stop those infected servers from outbound scanning for new hosts to infect. Apparently a lot of you were sick the day they taught IP and IP school.

  7. Re:Move to Canada by Enigma2175 · · Score: 5, Informative
    DHCP servers must have a MAC address memory or something because it will assign me the same IP address all the time (and it's not a feature of my dhcp client)

    Actually, it is a feature of the DHCP protocol. By default, you attempt to renew your address lease after 50% of it is gone. If you do not have connectivity to the DHCP server, the client will keep trying to renew the lease until it is able to contact the server again. The client will attempt to renew a lease from the same server that gave it the initial lease. Even if the lease has been expired for some time, the server will still attempt to give the same address. This is default on most DHCP servers. Of course, you can change this and automatically assign a different address each time, but it gives better overall network stability to have clients keep their ip addresses.

    --

    Enigma

  8. Re:Move to Canada and use no-ip by Anonymous Coward · · Score: 1, Informative

    To get around Dynamic DNS use no-ip (www.no-ip.com) they'll give you a www.?.no-ip.com for your server for free or they'll use your domain name for like $15US a year. All you have to do is run their program and it updates your IP address every time it changes. It works really well.

  9. @HOME by Anonymous Coward · · Score: 2, Informative

    So far, my server is still running. I turned it back on, after it was crashed by Code Red attempts, and received another Code Red attack the next second. Is the ban network wide? Is it not in place yet?

  10. Re:Verizon DSL is NOT THAT EVIL by supz · · Score: 5, Informative
    Please forgive me if I don't make entirely too much sense right now, as I just woke up. (Yes I'm on the East Coast, Yes it's 2:29 AM, Yes I have insomnia)

    I noticed this happened around 5 am yesterday morning (Tuesday, August 7th). Well I didn't notice it, I just tailed my apache logs and web requests seemed to stop coming in around that time. Nonetheless, I got into work that day and noticed I couldn't access my personal web page... NOTE: Personal, not commercial. I put pretty pictures, that I've taken with my digital camera, on it. I was however able to ssh into it and ftp into it.

    What was going on? I got scared for a second cause I thought perhaps they started enforcing some term of their service, but it wasn't until I got home and (not so thoroughly) skimmed through their TOS that I realized running a server was not against their TOS, as a matter of fact they worded it so JUST dialup users cannot run a "server of any kind", and it seemed to be fine for DSL users.

    So I call up Verizon, talk to a couple different people, none of which knew a single thing about anything. One tried to accuse me of violating the TOS, and I told them it said I'm allowed to run a server in it. She shut up immediately.

    Another told me that since I wasn't patched against code red, my internet service was being blocked. I told her I wasn't using a Microsoft operating system therefore I'm not affected by it, and even if I wanted to I wouldn't be able to apply the patch. She told me that because I didn't apply the patch, port 80 was being blocked. Again, I explained to her I wasn't running a Microsoft OS. In the end I think I explained it to her around 5 times... hopefully she knows a little more about computers now.

    Finally I got to some guy who was somewhat intelligent, although he did call Linux, L-EYE-NUCKS, he seemed to have some understanding of how to press buttons. I asked him why port 80 was being filtered, and he told me because Microsoft had recommended they block the port. (BTW, I totally agree with someone else that commented on this, who said that because of Microsoft building insecure web servers, we are paying. That is fuct) I asked him if there was anything they could do to unblock the port for me, like put me on another subnet and give me a static IP (I'm a sneaky bastard), or put some kind of flag on my account. He told me that for the time being there was no work around, however he would post a memo and suggest to their tech team they find a way around the port blocking for users who are patched, or not running a Microsoft OS. I asked how long the filtering would stay in place ... he told me it would only last for another couple hours. Right there I told him I didn't think that was true, but he insisted it would only last another hour or two, MAX... port 80 is still blocked.

    I just thought I'd contribute this tidbit. I have Verizon DSL in Northern New Jersey, in Essex County. Again, their TOS did not prohibit running a server, unless you are on a dial up. I would post it here, but there is also some clause in their TOS that prohibits reproducing it, so if some brave soul wants to post it below this, go right ahead =]

    I need to get a higher paying job so I can get a T1 and then just have to deal with UUnet fiber-optic cuts because of train wrecks.

  11. Verizon blocking ports by mschaffer · · Score: 2, Informative

    I wonder if Verizon is only blocking ports in certain areas. Recently, Verizon has just pulled the plug on incoming port 80 in my area. They are also blocking incoming port 21 and a few others around here since I started DSL service with them.

  12. Re:I've read my TOS and it sucks. by figment · · Score: 3, Informative
    > If anyone can explain a good reason for banning
    > servers rather than limiting data volumes, I'm
    > all ears.

    Because 99.9% of security issues come from someone running an unpatched redhat box at home.

    This is not something tier1 tech support can handle, a real sysadmin has to look at it, figure out where it's coming from, and figure out what is going on. That costs money. Say it took collectively 30 mins of people's time to figure it out, already that has cost more than what you've paid for this month's service.

    The AUP would not be this stupid or strict if these things weren't a real problem. But they are. Until people (not necessarily you), get the brains to keep their computer up to date and know what's going on, the ISPs will have to keep these stupid provisions just to protect their ass.

  13. Verizon DSL is NOT THAT EVIL by Deadbolt · · Score: 4, Informative

    Verizon *DOES NOT BLOCK* outgoing port 25 *OR* port 80! I've been running my own mail server off the standard DSL offering, $40 a month, for almost a month now and never one hint of problems. I can send mail anywhere. I can telnet to port 25 on any Internet-accessible mail server.

    And correct me if I'm wrong, but if Verizon blocks outgoing port 80, wouldn't that put a bit of a dent in most popular web browsers?

    For the love of God, try to be a little accurate! There are plenty of real problems to bitch about!

    --
    "Honey, it's not working out; I think we should make our relationship open-source."
    1. Re:Verizon DSL is NOT THAT EVIL by jspaleta · · Score: 3, Informative
      The top of this thread needs to be modded up to 5. I've had verizon since last October, and I'm running a web server and smtp server just fine off my LAN. I've nmaped myself from outside verizon and they don't seem to be blocking any ports.

      I just re-read the Verizon TOS. And in Attachment B, there is a clause that explicitly states that DIAL-UP users can not run servers, and that DSL users are exempt. Attachment B-3q is the clause.

      My reading of the Verizon TOS, which covers Dial-ups and DSL users, indicates that DSL users can do whatever they want with the bandwidth they have, as long as what they do doesn't interfere with network operations and is not illegal. So if you had a Code-Red infected server...they could shut off yer whole account to prevent network degradation.

      I think someone is confusing Verizon's statement to restrict use of their mail servers to email that includes a valid verizon.net account in the From header, to mean blocking smtp ports...Totally inaccurate.

      1) Verizon is not blocking web servers
      2) Verizon is not blocking smtp servers
      3) Verizon isn't blocking any ports as far as I can tell
      4) Verizon IS preventing spam from being generated from their mail servers by requiring every piece of mail sent from their smtp servers to have a valid userid@verizon.net.
      5) Verizon will shut down DSL accounts on a case by case basis if your computer account is being used to degrade overall network service (ie you are a spam or virus factory, and Verizon can trace the network congestion back to you)

  14. Speakeasy! by Evil+MarNuke · · Score: 4, Informative
    If you want to host servers at home there is only one real choice out there, and that's SpeakEasy. Oh, don't take my word for it, read the Terms of Service. It says:
    Personal Web Page Restrictions:

    We believe in the right of the individual to publish information that they feel is important to the world via the Internet. Unlike many ISP's we do allow you to run a server (web, mail, etc.) over your DSL line.

    Enough said.

    --
    The journey is better than the end.
  15. Not in Hampton VA. by QwkHyenA · · Score: 2, Informative
    Cox hasn't filtered port 80 here yet. Just ran port detective, and it's still open here... As well as port 25.

    --
    LFS. Have you built your system today?
  16. Servers were never allowed out on cable by isdnip · · Score: 5, Informative

    The @Home customer agreements never allowed servers, particularly web servers. There's a valid technical reason, too: Cable bandwidth is asymmetric. There's typically a downstream pool of about 27 Mbps (depending on settings) shared among all users, while the upstream pool is more often in the 2 Mbps or less range. This comes about because upstream has to fit into the narrow patches of usable spectrum below 40 MHz, while downstream just fits among the TV channels between 50 and 750 MHz.

    So stick a server out there, get Slashdotted (or even just get mildly popular), and the upstream bandwidth is wiped out for your whole neighborhood (technically, the area of your optical conversion node and CMTS channel). This is a big risk, so the cable companies don't take it. Instead, they do give you some free hosting space at their data centers.

    VeriZontal has no such excuse -- ADSL has little upstream bandwidth (they typically provision only 90 kbps) but it's your very own, and they end up with a huge surplus of upstream bandwidth at the back of the DSLAM, where all of the traffic is aggregated. It's downstream that can congest easily. They're just being shmucks as usual. But if their customer agreement doesn't allow servers, then that's the deal -- commercial-grade DSL services allow servers.

    The real problem they're addressing (even VZ) is Code Red II. Web servers that get infected will probe their own networks like crazy looking for others to infect. This creates congestion. So shutting off port 80 stops the worm. Crude but effective. See the recent LinuxPlanet column about Charter for how a cable company won't admit that its infected servers are causing huge congestion. The author suggests blocking port 80!

    1. Re:Servers were never allowed out on cable by almeida · · Score: 2, Informative

      From: http://help.broadband.att.com/subagreelease.jsp (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

  17. Re:Read your TOS! by almeida · · Score: 5, Informative
  18. Road Runner by chill · · Score: 4, Informative

    While Road Runner isn't blocking (my cable modem light is still going nuts even when my computer is off); it is part of their Terms of Agreement: no e-mail servers, no web servers, no port scans.

    If you want to run an e-mail or web server, get a business line ($295/month w/1 IP; $325/month w/5 IP).

    However, they have been turning a REAL BLIND EYE to all of the above. I get port scanned daily and it looks like 30%+ of the machines on my subnet are running a web or mail server. (According to my *cough* port scan *cough* of the subnet.)

    --
    Learning HOW to think is more important than learning WHAT to think.
  19. Re:No blocking yet by icewalker · · Score: 2, Informative

    Too bad when Windows XP comes out, every PC running it will be a server! I guess @Home will just have to outlaw Windows XP as well.

    My nice apache server just keeps on hummin!

    Obtaining Perfection isn't Perfect!

    --
    The truth is usually just an excuse for lack of imagination.
  20. What the hey? by Pollux · · Score: 2, Informative

    @Home is really jerking your chain. Their user agreement is so bogus:

    The benefits and privileges available from the AT&T@Home, and the Internet in general, must be balanced with duties and responsibilities so that other customers can also have a productive experience.

    Translation: we're so cheap that we're going to cram as many customers as possible onto a single T1 line, limiting your privileges and your productive experience. Due to the ignorance of the general population, their productive experience is more simplistic and therefore will not come into conflict with our blocking of port 80. Granted, we understand that quite a significant portion of the internet is made up of servers like yours, but our bottom line beats your small desires to contribute to the growing of the world wide web.

    Under the terms of the AT&T Broadband Subscriber Agreement customers are not to restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service.

    Translation: you cannot interfere with other subscribers' use or enjoyment of the internet. We can interfere all we want.

    I'm sorry, but it's very plain and simple. @Home subscribers did not purchase a "pay per consumption" plan. They paid a flat rate for service, no matter how much or little they planned to use it. If I subscribe to the daily newspaper, the newspaper company has no right to revoke the Tuesday edition from my house just because they found out that I don't have time Tuesdays to read it. I paid for it, so they are required to give it to me, no matter if I read it or not. Sure, they could come up with some bogus excuse, like "The wasting of paper on an edition of the paper which is not read by the customer is interfering with the paper supply being utilized for the enjoyment of the newspaper by other subscribers." I could then take them to court and let the judge have a good laugh over how stupid the case is.

    Unless they specifically say in their user agreement that you will be limited to a certain time, bandwidth, or other limitation of their service, for them to limit your access to the web without proper notice and change to the user agreement is a direct denial of service.

  21. Re:A simple go-around: by Corgha · · Score: 3, Informative

    Not so simple, actually -- I tried this today because of the block, and it works fine in many cases, but there is a hitch.

    Let's say someone is looking at "http://foo.ne.mediaone.net:8080/bar/fred.html", and this html file contains a reference to another file, be it a CSS file, an image, an anchor -- whatever. There are three possibilities I want to consider.

    In the first, if this reference is of the form "http://foo.ne.mediaone.net/bar/ney.html", it's obviously not going to go to port 8080, but people rarely use absolute references like that, so let's move past that to the more interesting cases.

    In the second, the reference is of the form "ney.jpeg". Here, everything works fine and the client looks for "http://foo.ne.mediaone.net:8080/bar/ney.jpeg".

    In the third, with a reference like "/css/rubble.css", you'd like to think that, since the parent URL is in http://foo.ne.mediaone.net:8080, the client would go for "http://foo.ne.mediaone.net:8080/css/rubble.css", but no! It looks up "http://foo.ne.mediaone.net/css/rubble.css" (and spends a long time timing out because of the block).

    I have no idea why this is, but it seems to happen in both Netscape and IE. Haven't had time to investigate it thoroughly, so if anyone knows anything about this, I'd appreciate the info.
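
Added example (not part of the original comment or of any code on this page): a Python audit that collects every `href`/`src`/`action` reference in a page, resolves it against the page URL as RFC 3986 specifies, and reports which references leave the page's own host:port and would therefore hit the filtered port 80. The HTML sample is constructed around the host name and paths used in the comment above; `audit_links`, `RefCollector`, `PAGE_URL` and `PAGE` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that carries a URL reference, per tag.
URL_ATTRS = {"a": "href", "link": "href", "img": "src", "script": "src",
             "iframe": "src", "form": "action"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


class RefCollector(HTMLParser):
    """Collect raw URL references and the first <base href>, if any."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base_href is None:
            self.base_href = attrs["href"]
        elif tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.refs.append(attrs[URL_ATTRS[tag]])


def audit_links(page_url, html):
    """Resolve each reference and flag those that leave page_url's origin."""
    collector = RefCollector()
    collector.feed(html)
    # A <base href> replaces the page URL as the base for resolution.
    base = urljoin(page_url, collector.base_href) if collector.base_href else page_url
    here = origin(page_url)
    report = []
    for ref in collector.refs:
        resolved = urljoin(base, ref)
        there = origin(resolved)
        if there[0] not in DEFAULT_PORTS:  # skip mailto:, javascript:, ...
            continue
        report.append({"ref": ref, "resolved": resolved,
                       "same_origin": there == here, "port": there[2]})
    return report


# Constructed sample: the three kinds of reference discussed in the comment.
PAGE_URL = "http://foo.ne.mediaone.net:8080/bar/fred.html"
PAGE = """
<html><head><link rel="stylesheet" href="/css/rubble.css"></head>
<body>
<img src="ney.jpeg">
<a href="http://foo.ne.mediaone.net/bar/ney.html">absolute link</a>
</body></html>
"""

if __name__ == "__main__":
    for entry in audit_links(PAGE_URL, PAGE):
        flag = "ok " if entry["same_origin"] else "OFF"
        print(flag, entry["port"], entry["ref"], "->", entry["resolved"])
```

With the constructed page, the first two references resolve to port 8080 and only the hard-coded absolute link lands on port 80; a `<base href>` that omits the port sends every relative reference to port 80 as well.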

  22. Just get a job! by dan_the_heretic · · Score: 2, Informative

    If you want a server running a web site, co-locate! I have yet to see an ISP let their customers run a web site without extra cost. What's the big deal! Whining 'cause you can't get it free? GROW UP! Access costs MONEY. Pay it. Then whine because you don't get the service you pay for!

    --
    I don't like big words..., does that make me anti-semantic?
  23. Re:The end of a state of denial by Kazimira · · Score: 5, Informative

    Granted, many people running Win2K or NT and IIS might not realize the service is running, their computer is infected, they are part of the problem.

    This is what we've run into at my company.
    What our security team did was scan for infected IIS servers and shut down those specific customers.
    We then contacted them and informed them to patch immediately once we turned them back on. We also warned them that we would scan again that evening and would not hesitate at shutting them down a second time.
    About 50% of those contacted had no clue they even had IIS running. This made it very frustrating.

  24. Simply not true... by Gregoyle · · Score: 4, Informative
    Most, if not all, broadband providers prohibit running servers from home accounts

    Definitely not all. MediaOne (now AT&T Broadband) never prohibited it. I understand your reasoning, but if you check the TOS, many companies do not explicitly prohibit running your own server, and some even explicitly permit it.

    What AT&T (at least the Roadrunner service) prohibited was duplication of their services. You weren't allowed to run as an ISP, and they also reserved the right to shut you down if you used up too much bandwidth. You weren't allowed to run a commercial web-server, because they sold web hosting.

    I don't disagree with their decision, as inconvenient as it is for me. I can just have my webserver listen to a port that is not 80. I don't even know if MS IIS supports this, but luckily I'm not running IIS.

    Think about it this way: if the virus was actually eating enough bandwidth and resources to affect the general home user experience, they would get complaints from those users. Maybe they will open the ports back up. Ha. that kind of stuff never happens. oh well... guess I have to look for a new ISP (maybe speakeasy.net, even though Covad is going belly up...)

    --

    "He's more machine now than man, twisted and evil."

  25. Re:Read your TOS! by StarTux · · Score: 5, Informative

    I'll test this "filtering" in a couple of days (DNS updates going on).

    If you read the link Slashdot kindly provided for you you will notice this:

    Looks as though they updated that part about servers, all I could find was this:

    " (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer. "

    So they do not mind you running the services, just that you are responsible for your security.

    For reference:
    http://help.broadband.att.com/faq.jsp?content_id=792&category_id=54

    http://help.broadband.att.com/subagreelease.jsp

    StarTux

  26. From A Business Perspective, It Makes Sense by Jucius+Maximus · · Score: 3, Informative

    [Rummaging in drawer for flamesuit...]

    "They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service."

    Honestly, if I was in the position of the ISP, I would just have cut off all port 80. It makes perfect sense, from a business perspective, that is.

    [donning flamesuit...]

    I mean, do you really expect them to sift through millions of accounts, determine which ones were compromised with CodeRed IIS servers and block them off? And this list would have to be dynamically maintained, of course, and more port 80s continually blocked because Code Red II is still on the loose. And the ISP couldn't discriminate. If they decided to block all compromised IIS, they'd have to keep up with each and every server running.

    It would simply be a logistical nightmare where thousands of hours of work are diverted from network administration, support, maintenance, etc. It wouldn't work. They'd probably have to start up a whole new management division to keep track of it. And then their support people would continually be taxed by calls from people who are getting blocked when their neighbor's Apache box is still serving up pages.

    And even if they did do this, how would they correct for human typos in the blocking tables and correcting for all of it, verifying that it was an error, etc?

    So which would you prefer? An ISP where you could just run a proxy and keep your server running, or one that throws all their support staff into keeping the IIS boxes under control and doesn't have the people to actually manage/administrate the network/support so your site wouldn't be available half the time anyway?

    In an ideal world, they WOULD block only the people who didn't patch their IIS servers and got infected. But unfortunately for *everyone* it just doesn't work that way.

    [peeks out from flamesuit helmet... do I have any friends left on /.? ;-]

  27. Here's a nifty trick by thatdammplage · · Score: 2, Informative

    This is a bit off topic, but I've been sending notes to everyone whose infected machine is hitting my firewall. Note that it won't work if the machine is behind a NAT box or firewall, but about 80% of the messages are going through.

    From your Windoze box:

    net send xxx.xxx.xxx.xxx "Your computer is infected with Code Red. Please patch your server immediately!"

    Replace the xxx with the offending IP addresses (duh!)

    I'm pretty sure that net send uses port 137, so there's a good chance that it's blocked, but like I said, about 80% of the messages are getting through. It pops up a message box on the infected system.

    Now, if someone would just write a small app that listens to port 80 for the Code Red packets and attempts a reply with net send
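
The detection half of that idea, as an added example (not from the original post): a Python pass over Apache-style access-log lines that picks out the Code Red request pattern (`GET /default.ida?` followed by a long run of `N`, or of `X` for Code Red II) and tallies hits per source address. The log lines are constructed, use documentation-range addresses and carry filler only; `classify`, `summarize` and the 20-character `MIN_RUN` threshold are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Common/combined log format: host ident user [time] "request" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+')

# The worm requests /default.ida with a long filler run: 'N' in the original
# Code Red, 'X' in Code Red II. MIN_RUN is an assumed threshold that keeps
# short, ordinary query strings from matching.
MIN_RUN = 20
PROBE = re.compile(r'^GET /default\.ida\?(?P<fill>[NX])(?P=fill){%d,}' % (MIN_RUN - 1))
VARIANT = {"N": "Code Red", "X": "Code Red II"}


def classify(line):
    """Return (source, variant, timestamp) for a probe line, else None."""
    entry = LOG_LINE.match(line)
    if entry is None:
        return None  # not a parsable access-log line
    probe = PROBE.match(entry.group("request"))
    if probe is None:
        return None  # ordinary request
    return entry.group("src"), VARIANT[probe.group("fill")], entry.group("when")


def summarize(lines):
    """Tally probes per source address, most active source first."""
    hits = Counter()
    variants = defaultdict(set)
    first_seen = {}
    for line in lines:
        found = classify(line)
        if found is None:
            continue
        src, variant, when = found
        hits[src] += 1
        variants[src].add(variant)
        first_seen.setdefault(src, when)
    return [{"src": src, "hits": count, "variants": sorted(variants[src]),
             "first_seen": first_seen[src]}
            for src, count in hits.most_common()]


# Constructed sample log: filler only, no worm payload.
FILL_N = "N" * 224
FILL_X = "X" * 224
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Aug/2001:05:01:12 -0400] "GET /default.ida?%s HTTP/1.0" 404 276' % FILL_N,
    '198.51.100.7 - - [07/Aug/2001:05:01:13 -0400] "GET /default.ida?%s HTTP/1.0" 404 276' % FILL_X,
    '192.0.2.10 - - [07/Aug/2001:05:03:40 -0400] "GET /default.ida?%s HTTP/1.0" 404 276' % FILL_N,
    '203.0.113.5 - - [07/Aug/2001:05:04:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.9 - - [07/Aug/2001:05:04:30 -0400] "GET /default.ida?NN HTTP/1.0" 404 276',
    'not an access log line',
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row["src"], row["hits"], ", ".join(row["variants"]), row["first_seen"])
```

The per-source summary is the list an abuse report or a block list would be built from; the short `?NN` request and the unparsable line are ignored.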

  28. This needed to be done last week by AcidBath · · Score: 2, Informative

    The @Home call center has been getting thousands of calls a day because of the Code Red worm. People calling in for everything from wondering why their activity light is going nuts 24/7 to the poor saps who can no longer connect because the routers and nodes are overloading and going hard down. This port 80 block is needed. Sure some users run servers on port 80. Aside from the fact that they signed a TOS saying they wouldn't, they shouldn't be so arrogant as to think that they (since they know how to run a server) deserve to not help everyone else (newbie or not) have a good internet experience.