Slashdot Mirror


Broadband Crackdown

MrPeach writes: "In a move unsurprising to those of us who have had interactions with their so-called customer support, AT&T Broadband and Excite@Home are indefinitely filtering all incoming traffic on http port 80 for residential customers. They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service. DSL anyone?" DSL won't save you. Verizon is apparently also blocking port 80 for their DSL customers, in addition to blocking outgoing port 25 and requiring use of Verizon's SMTP servers to send email. Verizon is also cheerfully paying fines for screwing over their competitors - the fines will be much less than the extra profit they can squeeze out once their competition is gone.

5 of 790 comments

  1. As a CLEC, this is how we have been coping. by phoenix_orb · · Score: 5, Interesting

    I work for a regional CLEC out of Chicago. We have several thousand installed DSL lines. This is how we have been coping with the Code Red worm... (*as a business class of service, we can't be simply turning off all port 80.. many people do host off of our SDSL lines*)

    We have a large number of 10.x.x.x addresses for our broadband subscribers. (This saves us the trouble of assigning public IPs to every single customer, because most don't want nor need a public IP). Our NAT server was getting so clogged up with TCP/IP sessions because code red was searching for hosts. (and once it got into the 10.x.x.x network, it has lots of addresses to check.)

    We simply got a free scanning utility (sorry... I am at home, don't have it here, nor the time to find it.) After scanning all of our customers, we located around 30 infected computers. We left messages stating that they were infected, and we were shutting off their connection until they would remove the offending computer.. (we could discern the IP itself, and our users are statically assigned, not DHCP thank god..)

    Several users were irate as all hell, but the good of the many outweigh the good of the few correct? Many times the customer simply unplugged the computer and we put them back on. They are then responsible for patching it.. We have been running scans every day, and have now gotten fewer and fewer code red worms in our user's DSL systems.

    I think that this was the ideal approach. Why use a damn sledgehammer when all of about 30 minutes of work allows you to use a fly swatter to remove the offending computers.

    --
    Blah Blah Blah.
  2. Re:Verizon DSL is NOT THAT EVIL by TildeMan · · Score: 3, Interesting

    I'm a Verizon DSL user. My brother and I just got off the phone with tech support. First they tried to convince us that hosting a web server was illegal (after we convinced them that we had seen the ToS which says DSL users are exempt); after about ten minutes of arguing that was changed to "We don't support that." Then they told us that they would not open port 80 for specific machines, and that they would not even tell us ANY details about other ports (like the mysterious 25). I hope to call back later and speak to someone a bit more helpful...

    As for why we learned about the port closing from /. long before we heard about it from verizon in a vaguely worded, hidden post, they told us that they didn't send an email because it only affects about 5% of their customers. They also won't notify us when they reopen port 80, however distant that may be. Furthermore, they claim that the vast majority of users who would receive such an email would not care. Still, if I were the average user I certainly would rather hear service/security updates I can ignore than miss ones that might be relevant.

    Conclusion: Verizon is at least approaching Evil, if not already there... please let me know if you've had any better experiences with tech support since the start of the filtering!

    TildeMan

  3. You can thank IIS.. by victwenty · · Score: 5, Interesting
    Blocking port 80 is the only practical way providers such as @home have to control code red. I'm on their network and in the last 48 hours, I've gotten:

    [root@gamara log]# grep DPT=80 messages | wc -l

    3722

    code red hits, all from other @home users. All W2K/IIS 5.0 users. The IPs I've looked into all have the default pages up too. I've even tried running "dir" commands on a few through the "root.exe" backdoor code red installs, incredulous that it would work, and yes.. thousands of wide open NT boxen. This hasn't even seemed to slow down yet, despite the widespread publicity which leads me to believe that a large percentage of those stricken are either totally clueless, don't realize they have IIS running (?), or flat out don't care which leaves the ISP little choice. And it may be my perception, or unrelated factors, but my net connection has certainly seemed more sluggish over the last week, perhaps as a result of upstream saturation, something @home doesn't have much of.

    So I would agree, blocking port 80 is the most practical way of defeating this and it should have happened earlier. It's that or ban all Microsoft operating systems as a public hazard :)

    1. Re:You can thank IIS.. by Todd+Knarr · · Score: 4, Interesting

      I can think of a more effective solution: every time a Code Red probe goes out, deprovision the modem belonging to the customer with that IP address. They've got a proven AUP violation and a proven security problem that's disrupting their network. That's more than enough justification for jerking the account entirely. This has the dual benefits of shutting down Code Red and forcing people to actually learn how to secure their systems which makes future problems slightly less likely, and doesn't impact those of us who aren't susceptible to Code Red at all.
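Added example, not part of any comment in this thread: the `grep DPT=80 ... | wc -l` count above gives one total, while the targeted responses discussed here (contacting or disconnecting individual subscribers) need a per-source breakdown. This sketch parses netfilter LOG lines, counts inbound TCP SYNs to exactly port 80 per source, and separates repeat sources inside the provider's own netblock. The log lines, the addresses (documentation ranges), the netblock and the threshold are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed netfilter LOG lines using documentation address ranges (not real traffic).
TEMPLATE = ("Aug  8 03:12:01 gw kernel: IN=eth0 OUT= SRC={src} DST=198.51.100.77 "
            "LEN=48 TTL=112 PROTO=TCP SPT=3345 DPT={dpt} WINDOW=16384 SYN URGP=0")
SAMPLE = [TEMPLATE.format(src=s, dpt=d) for s, d in [
    ("198.51.100.23", 80), ("198.51.100.23", 80), ("198.51.100.23", 80),
    ("198.51.100.40", 80), ("198.51.100.40", 80),
    ("203.0.113.9", 80), ("203.0.113.9", 80),
    ("203.0.113.50", 8080),   # contains the text "DPT=80" but is not port 80
    ("198.51.100.61", 80),    # a single hit, below the reporting threshold
]]

FIELD = re.compile(r"(\w+)=(\S*)")
FLAG = re.compile(r"\b(SYN|ACK|RST|FIN)\b")

def parse(line):
    """Return the KEY=value fields of one LOG line plus its bare TCP flags."""
    fields = dict(FIELD.findall(line))
    fields["flags"] = set(FLAG.findall(line))
    return fields

def web_probes(lines):
    """Count new inbound TCP connections (SYN without ACK) to port 80 per source."""
    hits = Counter()
    for line in lines:
        f = parse(line)
        new_conn = "SYN" in f["flags"] and "ACK" not in f["flags"]
        if f.get("PROTO") == "TCP" and f.get("DPT") == "80" and new_conn:
            hits[f["SRC"]] += 1
    return hits

def split_by_network(hits, provider_net, threshold=2):
    """Split sources at or above threshold into inside/outside the provider netblock."""
    net = ipaddress.ip_network(provider_net)
    inside, outside = {}, {}
    for src, count in hits.items():
        if count >= threshold:
            bucket = inside if ipaddress.ip_address(src) in net else outside
            bucket[src] = count
    return inside, outside

if __name__ == "__main__":
    hits = web_probes(SAMPLE)
    inside, outside = split_by_network(hits, "198.51.100.0/24")
    print("total port-80 SYNs:", sum(hits.values()))
    print("repeat sources on the local netblock:", inside)
    print("repeat sources elsewhere:", outside)
```

Matching the `DPT` field exactly keeps ports such as 8080 out of the count, which a plain substring match on `DPT=80` would include.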

  4. If you're in Eastern Mass. AT&T's lying by maggard · · Score: 3, Interesting
    AT&T "Customer Service" is claiming that their Acceptable Use Policy forbids servers. This is not true for all customers; I know it's not true at least for the former customers of MediaOne in Eastern Massachusetts.

    Partially quoted from:
    roadrunner.techtalk.general
    3B709BDA.3480@mediaone.net.invalid
    chelm@mediaone.net.invalid wrote:

    Posting to ATT/RR Home Page on transition to Excited@Home:
    New Service Subscriber Agreement

    Your AT&T Road Runner home page will automatically change to the new content provided by AT&T @Home on June 30, 2001. Effective with the elimination of the Road Runner content, the AT&T Road Runner Service Subscriber Agreement will be replaced with the AT&T@Home Subscriber Agreement. You can see the new agreement at http://help.broadband.att.com/support under the Policies section of Answers to Questions. Because you are not using @Home software, the @Home End User License Agreement attached to the end of your new agreement will not apply to you.

    "AT&T@Home Subscriber Agreement" links to:
    http://help.broadband.att.com/support/faq.jsp?content_id=584&category_id=34
    which leads to:
    http://help.broadband.att.com/subagreelease.jsp
    Which states:
    9. Service Characteristics

    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

    (c) File and Print Sharing. The Service functions as a Local Area Network (LAN) in that each Customer is a node on the network. As such, users outside the Customer's home may be able to access the Customer's computer. As well, some software includes capabilities that permit other users across a network such as the Service and the Internet to gain access to the Customer's computer and to the software, files and data stored on the computer. For example, operating systems such as Windows 95 and Apple Macintosh include file sharing and print sharing capabilities which, when enabled, will permit other users to gain access to the Customer's computer even if the Customer is not using the Service. AT&T therefore recommends that the Customer connect only a single computer to the Service and that the Customer disable file and print sharing and other capabilities that allow users to gain access to the Customer's computer. Any Customer who chooses to participate in the Service using other than a single computer or who chooses to enable capabilities such as file sharing, print sharing, or other capabilities that allow users to gain access to the Customer's computer, hereby acknowledges and agrees that the Customer does so at the Customer's own risk, and that neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings arising out of or otherwise relating to such use by the Customer.

    And furthermore from the same document:
    11. Miscellaneous

    (b) Amendment. AT&T may, in it sole discretion, change, modify, add or remove portions of this Agreement, and the Service provided thereunder, at any time. AT&T will notify Customer of any such changes by posting notice of such changes on the Service, or sending notice via e-mail, postal mail or other means. Customer's continued use of the Service following notice of such change shall be deemed to be Customer's acceptance of any such modification. If Customer does not agree to any such modification, Customer must immediately stop using the Service and notify AT&T that Customer is terminating this Agreement in accordance with Section 7(a) of this Agreement. Customer will then be entitled to a refund of any unused portion of any monthly Service fee that has been paid in advance.

    Did anyone else get notification before port 80 was blocked? The above policies certainly still seem to be in effect; they're still posted and they clearly imply customers may run HTTP & FTP servers at their own risk.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.