Broadband Crackdown
MrPeach writes: "In a move unsurprising to those of us who have had interactions with their so-called customer support, AT&T Broadband and Excite@Home are indefinitely filtering all incoming traffic on http port 80 for residential customers. They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service. DSL anyone?" DSL won't save you. Verizon is apparently also blocking port 80 for their DSL customers, in addition to blocking outgoing port 25 and requiring use of Verizon's SMTP servers to send email. Verizon is also cheerfully paying fines for screwing over their competitors - the fines will be much less than the extra profit they can squeeze out once their competition is gone.
Actually, it is a feature of the DHCP protocol. By default, you attempt to renew your address lease after 50% of it is gone. If you do not have connectivity to the DHCP server, the client will keep trying to renew the lease until it is able to contact the server again. The client will attempt to renew a lease from the same server that gave it the initial lease. Even if the lease has been expired for some time, the server will still attempt to give the same address. This is default on most DHCP servers. Of course, you can change this and automatically assign a different address each time, but it gives better overall network stability to have clients keep their IP addresses.
Enigma
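Added example, not part of the original thread: a sketch of the renewal schedule a DHCP client follows when its server stays unreachable, using the default timers and retransmission rule from RFC 2131 section 4.4.5 (T1 at 50% of the lease, T2 at 87.5%, retry after half the remaining interval, never sooner than 60 seconds). The function name `renewal_timeline` and the one-hour lease are assumptions made for illustration.

```python
"""DHCP client renewal timeline with an unreachable server (RFC 2131, 4.4.5)."""

MIN_RETRY = 60  # seconds; RFC 2131 floor on the retransmission interval


def renewal_timeline(lease_seconds, t1_frac=0.5, t2_frac=0.875):
    """Return [(time, state, destination)] for every DHCPREQUEST the client
    sends when no server ever answers, ending with the lease-expiry event."""
    t1 = lease_seconds * t1_frac   # start of RENEWING
    t2 = lease_seconds * t2_frac   # start of REBINDING
    events = []

    # RENEWING: unicast to the server that granted the lease.
    now = t1
    while now < t2:
        events.append((now, "RENEWING", "unicast to leasing server"))
        now += max((t2 - now) / 2, MIN_RETRY)

    # REBINDING: the T2 timer fires regardless of pending retries,
    # and the client now broadcasts to any DHCP server.
    now = t2
    while now < lease_seconds:
        events.append((now, "REBINDING", "broadcast to any server"))
        now += max((lease_seconds - now) / 2, MIN_RETRY)

    # Lease expiry: the client must stop using the address and restart
    # in INIT; it may ask for its old address again in the new request.
    events.append((lease_seconds, "INIT", "lease expired, restart discovery"))
    return events


if __name__ == "__main__":
    # Constructed sample: a one-hour lease.
    for when, state, dest in renewal_timeline(3600):
        print(f"t={when:8.1f}s  {state:<9}  {dest}")
```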
I noticed this happened around 5 am yesterday morning (Tuesday, August 7th). Well, I didn't notice it, I just tailed my apache logs and web requests seemed to stop coming in around that time. Nonetheless, I got into work that day and noticed I couldn't access my personal web page... NOTE: Personal, not commercial. I put pretty pictures, that I've taken with my digital camera, on it. I was however able to ssh into it and ftp into it.
What was going on? I got scared for a second cause I thought perhaps they started enforcing some term of their service, but it wasn't until I got home and (not so thoroughly) skimmed through their TOS that I realized running a server was not against their TOS, as a matter of fact they worded it so JUST dialup users cannot run a "server of any kind", and it seemed to be fine for DSL users.
So I call up Verizon, talk to a couple different people, none of whom knew a single thing about anything. One tried to accuse me of violating the TOS, and I told them it said I'm allowed to run a server in it. She shut up immediately.
Another told me that since I wasn't patched against code red, my internet service was being blocked. I told her I wasn't using a Microsoft operating system therefore I'm not affected by it, and even if I wanted to I wouldn't be able to apply the patch. She told me that because I didn't apply the patch, port 80 was being blocked. Again, I explained to her I wasn't running a Microsoft OS. In the end I think I explained it to her around 5 times... hopefully she knows a little more about computers now.
Finally I got to some guy who was somewhat intelligent, although he did call Linux, L-EYE-NUCKS, he seemed to have some understanding of how to press buttons. I asked him why port 80 was being filtered, and he told me because Microsoft had recommended they block the port. (BTW, I totally agree with someone else that commented on this, who said that because of Microsoft building insecure web servers, we are paying. That is fuct) I asked him if there was anything they could do to unblock the port for me, like put me on another subnet and give me a static IP (I'm a sneaky bastard), or put some kind of flag on my account. He told me that for the time being there was no workaround, however he would post a memo and suggest to their tech team they find a way around the port blocking for users who are patched, or not running a Microsoft OS. I asked how long the filtering would stay in place ... he told me it would only last for another couple hours. Right there I told him I didn't think that was true, but he insisted it would only last another hour or two, MAX... port 80 is still blocked.
I just thought I'd contribute this tidbit. I have Verizon DSL in Northern New Jersey, in Essex County. Again, their TOS did not prohibit running a server, unless you are on a dial-up. I would post it here, but there is also some clause in their TOS that prohibits reproducing it, so if some brave soul wants to post it below this, go right ahead =]
I need to get a higher paying job so I can get a T1 and then just have to deal with UUnet fiber-optic cuts because of train wrecks.
SuPz.orG
Verizon *DOES NOT BLOCK* outgoing port 25 *OR* port 80! I've been running my own mail server off the standard DSL offering, $40 a month, for almost a month now and never one hint of problems. I can send mail anywhere. I can telnet to port 25 on any Internet-accessible mail server.
And correct me if I'm wrong, but if Verizon blocks outgoing port 80, wouldn't that put a bit of a dent in most popular web browsers?
For the love of God, try to be a little accurate! There are plenty of real problems to bitch about!
"Honey, it's not working out; I think we should make our relationship open-source."
The journey is better than the end.
The @Home customer agreements never allowed servers, particularly web servers. There's a valid technical reason, too: Cable bandwidth is asymmetric. There's typically a downstream pool of about 27 Mbps (depending on settings) shared among all users, while the upstream pool is more often in the 2 Mbps or less range. This comes about because upstream has to fit into the narrow patches of usable spectrum below 40 MHz, while downstream just fits among the TV channels between 50 and 750 MHz.
So stick a server out there, get Slashdotted (or even just get mildly popular), and the upstream bandwidth is wiped out for your whole neighborhood (technically, the area of your optical conversion node and CMTS channel). This is a big risk, so the cable companies don't take it. Instead, they do give you some free hosting space at their data centers.
VeriZontal has no such excuse -- ADSL has little upstream bandwidth (they typically provision only 90 kbps) but it's your very own, and they end up with a huge surplus of upstream bandwidth at the back of the DSLAM, where all of the traffic is aggregated. It's downstream that can congest easily. They're just being shmucks as usual. But if their customer agreement doesn't allow servers, then that's the deal -- commercial-grade DSL services allow servers.
The real problem they're addressing (even VZ) is Code Red II. Web servers that get infected will probe their own networks like crazy looking for others to infect. This creates congestion. So shutting off port 80 stops the worm. Crude but effective. See the recent LinuxPlanet column about Charter for how a cable company won't admit that its infected servers are causing huge congestion. The author suggests blocking port 80!
http://slashdot.org/comments.pl?sid=01/08/07/1926212&cid=301. I read my TOS, you obviously didn't.
While Road Runner isn't blocking (my cable modem light is still going nuts even when my computer is off); it is part of their Terms of Agreement: no e-mail servers, no web servers, no port scans.
If you want to run an e-mail or web server, get a business line ($295/month w/1 IP; $325/month w/5 IP).
However, they have been turning a REAL BLIND EYE to all of the above. I get port scanned daily and it looks like 30%+ of the machines on my subnet are running a web or mail server. (According to my *cough* port scan *cough* of the subnet.)
Learning HOW to think is more important than learning WHAT to think.
Granted, many people running Win2K or NT and IIS might not realize the service is running, their computer is infected, they are part of the problem.
This is what we've run into at my company.
What our security team did was scan for infected IIS servers and shut down those specific customers.
We then contacted them and informed them to patch immediately once we turned them back on. We also warned them that we would scan again that evening and would not hesitate at shutting them down a second time.
About 50% of those contacted had no clue they even had IIS running. This made it very frustrating.
Definitely not all. MediaOne (now AT&T Broadband) never prohibited it. I understand your reasoning, but if you check the TOS, many companies do not explicitly prohibit running your own server, and some even explicitly permit it.
What AT&T (at least the Roadrunner service) prohibited was duplication of their services. You weren't allowed to run as an ISP, and they also reserved the right to shut you down if you used up too much bandwidth. You weren't allowed to run a commercial web-server, because they sold web hosting.
I don't disagree with their decision, as inconvenient as it is for me. I can just have my webserver listen to a port that is not 80. I don't even know if MS IIS supports this, but luckily I'm not running IIS.
Think about it this way: if the virus was actually eating enough bandwidth and resources to affect the general home user experience, they would get complaints from those users. Maybe they will open the ports back up. Ha. That kind of stuff never happens. Oh well... guess I have to look for a new ISP (maybe speakeasy.net, even though Covad is going belly up...)
"He's more machine now than man, twisted and evil."
I'll test this "filtering" in a couple of days (DNS updates going on).
If you read the link Slashdot kindly provided for you, you will notice this:
Looks as though they updated that part about servers, all I could find was this:
" (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer. "
So they do not mind you running the services, just that you are responsible for your security.
For reference:
http://help.broadband.att.com/faq.jsp?content_i
http://help.broadband.att.com/subagreelease.jsp
StarTux