Slashdot Mirror


Broadband Crackdown

MrPeach writes: "In a move unsurprising to those of us who have had interactions with their so-called customer support, AT&T Broadband and Excite@Home are indefinitely filtering all incoming traffic on http port 80 for residential customers. They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service. DSL anyone?" DSL won't save you. Verizon is apparently also blocking port 80 for their DSL customers, in addition to blocking outgoing port 25 and requiring use of Verizon's SMTP servers to send email. Verizon is also cheerfully paying fines for screwing over their competitors - the fines will be much less than the extra profit they can squeeze out once their competition is gone.

206 of 790 comments

  1. Re:No blocking yet by Kenyaman · · Score: 2

    The problem on the cable modem networks isn't boneheaded admins. It's silly people who didn't realise they had IIS running on their NT system.

    Still seems draconian to me. "We're going to close the intersection of Pine and Elm because there are too many accidents there."

  2. Re:Move to Canada by stevew · · Score: 2, Insightful

    Actually - I didn't.

    I'm one of the earlier @home customers in Fremont, CA, which was a test city for the technology. The terms of service I signed didn't limit the things I could run on the system. I checked for that before I signed it.

    Unfortunately there is the "out" in the contract where they can unilaterally change the terms of service by simply publishing new ones at a given URL:

    So is that binding on me? Not sure - IANAL, but it isn't really fair either. On the other hand, it has been true for most of the time that I've been on the service that they "officially" have not allowed ANY kind of server on the home systems. For that matter, they even had one version of the dang TOS that let them prohibit me from doing any business over the internet - yeah, like going to amazon.com and ordering a book was prohibited. That part got dropped like a hot potato because of a ton of public criticism locally.

    I do think they are being heavy handed, and extremely short sighted. They are in many ways restricting freedom of speech by such filters. They are probably legal - but they suck!

    --
    Have you compiled your kernel today??
  3. Road Runner does more than turn a blind eye by moller · · Score: 2

    I convinced my parents to get Road Runner while I was home from school. We had three computers set up while I was home, two after I left. Both needed internet access. Road Runner charges an extra $6/month for another IP address. Their TOS specifically forbids running a router or DHCP server off of their line (it says so in black and white on the contract). I called up customer service to ask about this; they were clueless about what a DHCP server was, and forwarded me to tech support. Tech support was clueless about the contract, and finally I got piped through to some manager. The manager specifically told me to buy a router (you know, one of those little boxes with a DHCP server in it) and hook that up instead of paying for the extra IP address.

    So they don't just turn a blind eye, they actively encourage users to violate the contract signed when procuring the cable modem service.

    ~Moller

  4. Re:Servers were never allowed out on cable by Ed+Avis · · Score: 3, Insightful

    If the bandwidth is limited, then quota the bandwidth to each user! It's just as possible to eat up the limited upstream bandwidth by uploading large files to Hotmail, but they don't ban that.

    --
    -- Ed Avis ed@membled.com
  5. they've never allowed servers by BroadbandBradley · · Score: 2

    they've just never done anything about it before.

  6. Re:Verizon DSL is NOT THAT EVIL by Skapare · · Score: 2

    The EVIL that you describe is something that infects most large, and many medium, and even some small, corporations. It's a combination of bureaucracy and authority concentrated (generally it has to be) in people who don't care to deal with reality (or the customers who provide such clues).

    5% is enough to send a mailing for. 1% perhaps not. But that's subjective. Someone will be affected. What would be useful is for a signup list for such things to opt-in to get non-general announcements. Then they can justify sending them since they would only go to the people who want them. But they probably don't want to have their web developer(s) spending time (less than a day for a good developer, which I have doubts they have) putting something like that together.

    If you'd like to have some fun with them, call them back and raise the original point, again, that got that 5% excuse. Then say "but you keep sending out those crappy email ads to get people to sign up for more services, and less than 1% of the people care about those, so why not just stop annoying people and cancel that?" :-)

    --
    now we need to go OSS in diesel cars
  7. Re:You can thank IIS.. by geekoid · · Score: 2

    Ban port 80 only for people who are running the OS/program at risk until it has been patched.
    In this case it happens to be IIS, but they can do the same when the next Apache exploit shows up..

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  8. Re:We haven't done this yet.. by Altrag · · Score: 2, Insightful

    right after they hit www.mcafee.com:80.. err.. oops

  9. AT&T Port 80 Blocking Ineffective, Irresponsible by Brian+Ristuccia · · Score: 2, Informative

    The version of AT&T's Broadband Subscriber Agreement that subscribers in my area (Formerly MediaOne Express) have agreed to could only be vaguely construed to prohibit web servers via the following clause:

    (g) restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service, including, without limitation, posting or transmitting any information or software which contains a virus or other harmful feature; or generating levels of traffic sufficient to impede others' ability to send or retrieve information.

    Indeed, the service agreement even mentions things users should consider should they decide to run a personal HTTP/FTP server:

    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

    See http://help.broadband.att.com/subagreelease.jsp for the full text of the subscriber agreement.

    AT&T is trying to use the subscriber agreement as a shield against criticism about how they've failed to properly deal with their network's acute inability to handle widespread use of the codered software by subscribers and also their inability to selectively track and remove or restrict users of codered. Running a webserver like IIS+codered that by design, defect, or configuration tries repeatedly to install a software package on every other webserver on the network is surely a prohibited use of the service under the subscriber agreement. Running a web server that only implements RFC2068 and has none of these annoying codered misfeatures probably isn't.

    The most effective thing AT&T could do to stop the autoinstallation of codered on customer machines is to block port 80 right at the cable modem on hosts running versions of IIS that support codered. It's certainly within their technical reach, since AT&T does selective layer-3 filtering of ports 137-139 right at the cable per customer request. For hosts that both support and run codered, AT&T should treat the host like they would treat any other compromised host: disconnect it from the network until the owner has recovered control.

    Instead of using any of the more effective methods, they're just having routers discard packets bound for port 80. Not only does this solution fail to prevent autoinstallation within AT&T subnets (because that traffic never crosses a router) and from hosts inside AT&T's network to those hosts outside of AT&T's network, but it also inconveniences legitimate users of port 80.

  10. Re:Read your TOS! by the_tsi · · Score: 2

    Seriously.

    I'm both a customer of residential broadband and an employee at a DSL ISP -- and I'm not a customer of my own company. For my DSL line, I accept the fact that it's a consumer product and shouldn't be expected to have all the functionality of a product for which someone else (e.g. a business) is paying 4 to 10 times as much. It's ridiculous to assume that your $50/mo connection (which the company is probably losing money on, if not breaking even) can run a web server and a DNS server and what-have-you. If you think that you're entitled to everything and entitled to it for free, get over yourself, get a job and pay for what you use.

    On the other hand, where I work, I didn't hesitate to block inbound port 80. It's the first large-scale compulsory filtering of any kind we've done on dialup or broadband. It sort of hurt to do so, but with Code Red et al propagating like rabbits, it had to be done. If (business) users contact us and explain that they're running apache or a patched IIS server, I'll gladly set up an exception for them. But with something like Code Red, everyone has to do their part to stop it from spreading. Despite near-domination by commercial entities, it's still a community which requires upkeep by all participants.

    Just my $0.04.

    -Chris

  11. Re:Leased Line by dan_bethe · · Score: 2, Informative
    I wouldn't use specifically a leased line due to the fact that it's very expensive in most places, but I would consider SDSL. To connect the neighborhood to this outbound point, I would consider either 802.11b or try that homebrew DSL recipe. I might even string heavy duty cabling between houses, across a fence or something. :)

    You'd just need neighbors who are cooperative, long-term minded, trusting of the admin, and with startup equipment funding. Consider that everyone's paying $20-80 per month already and that some neighbors can't even get broadband. In my neighborhood, my neighbor had DSL but I couldn't for several months due to insufficient circuits, and our cable network had unstable power levels that fluctuate with environmental conditions.

    As for the homebrew DSL, try these links:

    As for the wireless, I'd test compatibility with the environment to make sure it works, and possibly put up signal extending antennae. I heard of someone taking apart an Apple Airport base station, adding a large antenna, and getting line of sight throughput all the way to their ISP. :)

    Has anyone tried homebrew DSL? Got any links to any personal experience? In my case, I'd like to hear from someone in the San Francisco Bay Area. Good luck!

  12. Re: default home pages by coyote-san · · Score: 2

    I can't speak for others, but I deliberately left my default Apache/Debian web page up. Anyone who has a need to see the real content can find it easily enough, and in the meanwhile I don't have to worry about some random visitor stumbling across sensitive information. (E.g., detailed information about the packages I have installed, which might tell people what attacks I'm vulnerable to, etc.)

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  13. AT&T in Eastern Mass is not blocking by Ececheira · · Score: 2, Informative

    I have AT&T Broadband (formerly MediaOne) in Eastern Massachusetts, and I'm still able to get to port 80 from outside AT&T's network.

    Given that they can control which ports are open on a per user basis (they can unblock SMB if you ask), I would suggest calling and talking to their tech support and explaining to them that your system is not affected and that you want port 80 reopened, assuming yours has been blocked. There's no harm in trying; ask first... you just might get it.

  14. Re:Verizon DSL is NOT THAT EVIL by jspaleta · · Score: 3, Insightful
    Okay so I replied to myself...deal. I just called Verizon tech support, and here's the scoop.

    Verizon IS blocking port 80 from outside Verizon's network, and the reason Verizon has been giving its tech support people is that this is a temporary port block because of Code Red.

    The block started yesterday, and affects inbound traffic into Verizon's network. I can get to my website from other Verizon addresses, but not from outside of Verizon's net. I couldn't get a specific time frame on how long the block is going to be up, but the tech support people have been told that it's not permanent.

    Does Verizon have a legitimate concern about Code Red infestation across its network? Maybe...but since I'm not running any MS products on my LAN and I take the time to secure my stuff, I'm pretty unhappy that my services get knocked off the net like I'm one of the clueless masses.

    The best solution to get Verizon to hurry up and unblock the port is for everyone who has a verizon DSL account to call them and tell them in a very nice calm manner that if the block stays in place, your business will go elsewhere. I was call 25 this morning. Let's see if the slashdot effect works over the phone as well....I want to see the number of complaint calls jump to 2000 in the next 30 minutes.

    Verizon Tech Support:
    1-800-567-6789

    -jef

  15. Re:I've read my TOS and it sucks. by janpod66 · · Score: 2
    How do you figure??? If your system is DOS'ing someone on the net it may be using the total bandwidth in your area.

    Current state:

    • Broadband provider may fail to deliver minimum bandwidth.
    • One misbehaved user can use up all available bandwidth.
    • Broadband provider fails to enforce correct IP addressing, facilitating DOS attacks.
    • Broadband provider attempts to control the content of packets.
    • Customers don't get a well-defined product and have to live with arbitrary restrictions as their broadband provider flounders.

    Desired state:

    • Broadband provider delivers minimum bandwidth (more is optional).
    • Broadband provider enforces upper limits on bandwidth.
    • Broadband provider enforces correct IP addressing.
    • Broadband provider is oblivious to content of packets.
    • Customers get a well-defined, predictable product at a well-defined, predictable price.

    Easy, isn't it?
  16. Re:Quite common already by einhverfr · · Score: 4, Insightful
    I will never use such a service that requires me to proxy. Simple reason. I support other people in my house and I do so through SSH. If I am not home, I ssh into the box and fix things. If my ISP won't allow it, I won't use them. This is going to play havoc with those that use XP when they call for support and drive up support costs for everyone because they can't allow incoming requests for remote desktop support!

    Not that I like XP. But I can see this causing lots of angry letters...

    --

    LedgerSMB: Open source Accounting/ERP
  17. Re:The problem is.... by CM39 · · Score: 2, Insightful

    Unfortunately that isn't all it is....as I said in a previous post.

    "Bundling server software with win2k was stupid, I know several people who weren't even aware they were running servers until just the last few days, I guess they were just playing around with add/remove windows components and ended up installing the software which then ran as a service without their ever being aware of it, I imagine quite a few people are in that situation right now. Microsoft could and should have made it a free download for those who knew they wanted it."

    I suppose the argument could be made that people were stupid for playing with "add/remove windows components", but Microsoft has in many ways gotten as big as they are by claiming their products are almost idiot proof. I guess this is proof they are the idiots.

    --

    "PMS is the time of the month when women act like men do all the time"
    Robert Heinlein
  18. I'm lucky by SCHecklerX · · Score: 2
    We are allowed to run anything we want, so long as we aren't harassing people or doing anything to breach netiquette. My ISP is really cool with their policies. I just wish they were smarter WRT their own administration (I was effectively not able to browse slashdot for two weeks b/c my IP didn't reverse-resolve!)

    Here is our TOS:

    http://www.planetcable.net/policies.asp

  19. Re:Servers were never allowed out on cable by einhverfr · · Score: 2
    The author suggests blocking port 80!

    There is always port 443! https is good for these things.... They would have to get really anal and make us use their proxies for all usable service ports to be reasonably blocked....

    --

    LedgerSMB: Open source Accounting/ERP
  20. As a CLEC, this is how we have been coping. by phoenix_orb · · Score: 5, Interesting

    I work for a regional CLEC out of Chicago. We have several thousand installed DSL lines. This is how we have been coping with the Code Red worm... (*as a business class of service, we can't be simply turning off all port 80.. many people do host off of our SDSL lines*)

    We have a large number of 10.x.x.x addresses for our broadband subscribers. (This saves us the trouble of assigning public IP's to every single customer, because most don't want nor need a public IP.) Our NAT server was getting so clogged up with TCP/IP sessions because code red was searching for hosts. (And once it got into the 10.x.x.x network, it has lots of addresses to check.)

    We simply got a free scanning utility (sorry... I am at home, don't have it here, nor the time to find it.) After scanning all of our customers, we located around 30 infected computers. We left messages stating that they were infected, and we were shutting off their connection until they would remove the offending computer.. (we could discern the IP itself, and our users are statically assigned, not DHCP thank god..)

    Several users were irate as all hell, but the good of the many outweigh the good of the few, correct? Many times the customer simply unplugged the computer and we put them back on. They are then responsible for patching it.. We have been running scans every day, and have now gotten fewer and fewer code red worms in our user's DSL systems.

    I think that this was the ideal approach. Why use a damn sledgehammer when all of about 30 minutes of work allows you to use a fly swatter to remove the offending computers.

    --
    Blah Blah Blah.
  21. Re:Why not force a download of the patch? by aoeuid · · Score: 2, Insightful

    Yes, that's nice in theory, but in reality, it's much easier to pay someone $75/hour to type in "access-list 101 deny any any eq 80" on each access router than it is to pay them to type in hundreds of such statements corresponding to each specific user's IP address on each of their subnets. And never mind the labour costs, the CPU costs to process that access list for each and every packet would be unreal. (Not to dwell on router configuration, but each line would have to be unique, ie. you couldn't group them together in subnets etc as is usually done, and remember, each and every line is processed until a matching one is found).

  22. Buy CLEC DSL by sulli · · Score: 2
    I work for a big ISP offering DSL from Covad (bankrupt but still operating) and we don't filter nuthin'. Individual users get a dynamic IP, so you have to buy a multi-user setup if you want to put up a permanent web server, but if you run personal web sharing (for example) there's no trouble.

    Maybe it's because we don't have as many subscribers as the big boyz, we keep things simple and user-friendly?

    --

    sulli
    RTFJ.
  23. Re:I've read my TOS and it sucks. by janpod66 · · Score: 3, Insightful
    Because 99.9% of security issues come from someone running an unpatched redhat box at home.

    Even if that were true, so what? I bought bandwidth from my ISP and I expect them to deliver that bandwidth. If my machine has a security problem and starts attacking other sites on the Internet, that should be my problem, not my broadband provider's problem. My broadband provider may choose to limit my outgoing and incoming bandwidth to a previously contractually agreed-upon minimum, but no further.

    By your reasoning, the telephone companies should listen in on our telephone conversations to make sure we don't do anything illegal and don't make prank calls. Wisely, we have chosen not to place that authority in them, and we should take a similar approach to security with broadband providers.

  24. Re:We haven't done this yet.. by geekoid · · Score: 2

    I would gladly go back to 1200 baud if the only people on the net had to know how and why it worked. Now I would never want to go back to 300 baud ;)

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  25. Re:No blocking yet by sracer9 · · Score: 2, Funny

    "We're going to close the intersection of Pine and Elm because there are too many accidents there."

    Exactly. How stupid. That's like grounding all flights of a certain aircraft because it crashed once. Oh wait....

    --

    No thanks. I don't smoke anymore.
  26. Not really that reasonable, more an act of panic by FreeUser · · Score: 2

    There are utilities which can identify what operating system and web server is listening on port 80. It would be relatively simple for a competent ISP to scan their customers and turn off access to port 80 solely on those systems running a Microsoft Operating System with IIS. It probably wouldn't be completely beyond the pale to write a little utility to test those foolish enough to be running a Microsoft operating system and IIS server, identify those who are vulnerable to Code Red, and shut those machines down, leaving those who have patched (nonforwarding) systems, as well as those wise enough to be using more secure, non-Microsoft systems, in place.

    Of course, competent ISP may be an oxymoron these days.

    --
    The Future of Human Evolution: Autonomy
  27. CodeRed scanner by sheldon · · Score: 3, Informative

    http://www.eeye.com/html/Research/Tools/codered.html

  28. Re:They should remain blocked by dasunt · · Score: 2

    An AC writes: 99% of cable modem and DSL subscribers do NOT need to run servers of any kind.

    Er, wait a second. Let's examine that statement. A server can be for more than ftp/http. For example, you are telling me that 99% of all DSL/Cable subscribers have never hosted a 'net game? I think that doesn't sound realistic.

    Think, then post.

    ~ Das

  29. Re:It would mean them having to do real work by Anonymous Coward · · Score: 3, Informative

    Ok folks..quick TCP lesson here. The goal is to stop the spread of the worm. What good is cutting off inbound port 80 to already infected servers? This will do absolutely NOTHING to stop those infected servers from outbound scanning for new hosts to infect. Apparently a lot of you were sick the day they taught IP and IP school.

  30. Time to change ports. by Kozz · · Score: 3, Insightful

    So if you must host something but Excite@Home is blocking port 80, change your Apache config to listen on a different port number.

    --
    I only post comments when someone on the internet is wrong.
  31. Re:Read your TOS! by meldroc · · Score: 2

    It may be in the TOS, but the "no servers allowed" clause in the agreement is totally unreasonable. Lots of residential customers have plenty of good reasons to have servers - small web servers for their own amusement, Freenet nodes, Quake servers for hosting games with neighbors, an email server that serves as a spam filter, etc. I can understand the need to limit bandwidth with rate caps so one person isn't hogging the network, but within those constraints, people should be able to run servers if they want.

    --

    Meldroc, Waster of Electrons
  32. Re:Necessary? by J'raxis · · Score: 2

    Don't be so paranoid; I didn't even mention IIS there. Even this thing I have on my Macintosh called "Personal Web Sharing" control panel lets you change the port.

  33. Well, it hasn't really helped much! by SCHecklerX · · Score: 2

    My web server is still getting a hit from 24.xx.xx.xx every few minutes. It'd be nice if those were hits on my resume from prospective employers :)

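The hits the poster above keeps seeing are the worm's propagation request, which is exactly what a provider can use to find infected hosts and filter only those, as the CLEC in comment 20 did, instead of blanket-blocking port 80. The script below is an added example written for this mirror, not code from any poster or provider: it picks Code Red probes out of constructed Apache-style access log lines, counts them per client, and emits per-host deny rules in Cisco IOS extended access-list syntax (the list number 101 is a placeholder, and the TEST-NET addresses are invented).

```python
"""Identify Code Red probe sources from an HTTP access log and turn them into
per-host filter rules (added example, not part of the original thread)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Apache/NCSA common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Code Red spreads with a GET for /default.ida whose query string is a long run
# of padding (N for the original worm, X for Code Red II) followed by %u-encoded
# payload. The stable prefix is enough to recognise the probe in a log.
CODE_RED_RE = re.compile(r'^/default\.ida\?[NX]{50,}')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one common-log-format line; None if it is not in that format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_code_red_probe(path: str) -> bool:
    """True if the request path looks like a Code Red infection attempt."""
    return CODE_RED_RE.match(path) is not None


def probe_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Number of Code Red probes seen from each client address."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_code_red_probe(rec["path"]):
            counts[rec["host"]] += 1
    return dict(counts)


def quarantine_candidates(counts: Dict[str, int], threshold: int = 2) -> List[str]:
    """Hosts that probed at least `threshold` times. A single hit could be a
    misattributed or spoofed packet; repeated probes mean a running worm."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def per_host_acl(ips: Iterable[str], acl_number: int = 101) -> List[str]:
    """Cisco IOS-style extended ACL entries that deny inbound HTTP from the
    listed hosts only, leaving every other subscriber's port 80 untouched.
    The ACL number is a placeholder, not taken from any real configuration."""
    return [f"access-list {acl_number} deny tcp host {ip} any eq 80" for ip in ips]


# Constructed sample log using TEST-NET addresses (RFC 5737), not real hosts.
# Two hosts probe repeatedly, one probes once, one is an ordinary visitor.
_PAYLOAD_I = "N" * 224 + "%u9090%u6858%ucbd3%u7801"   # Code Red I style
_PAYLOAD_II = "X" * 224 + "%u9090%u6858%ucbd3%u7801"  # Code Red II style
SAMPLE_LOG = [
    f'192.0.2.10 - - [05/Aug/2001:09:12:01 -0400] "GET /default.ida?{_PAYLOAD_I} HTTP/1.0" 404 275',
    '192.0.2.55 - - [05/Aug/2001:09:12:44 -0400] "GET /index.html HTTP/1.1" 200 3124',
    f'192.0.2.10 - - [05/Aug/2001:09:18:09 -0400] "GET /default.ida?{_PAYLOAD_I} HTTP/1.0" 404 275',
    f'192.0.2.77 - - [05/Aug/2001:09:20:30 -0400] "GET /default.ida?{_PAYLOAD_II} HTTP/1.0" 404 275',
    f'192.0.2.77 - - [05/Aug/2001:09:25:02 -0400] "GET /default.ida?{_PAYLOAD_II} HTTP/1.0" 404 275',
    f'192.0.2.77 - - [05/Aug/2001:09:31:15 -0400] "GET /default.ida?{_PAYLOAD_II} HTTP/1.0" 404 275',
    f'192.0.2.200 - - [05/Aug/2001:09:33:40 -0400] "GET /default.ida?{_PAYLOAD_I} HTTP/1.0" 404 275',
    'this line is not in common log format and is skipped',
]

if __name__ == "__main__":
    counts = probe_counts(SAMPLE_LOG)
    for ip, n in sorted(counts.items()):
        print(f"{ip:12} {n} probe(s)")
    for rule in per_host_acl(quarantine_candidates(counts)):
        print(rule)
```

Run against a real access log, the same functions give the short list of subscriber addresses worth disconnecting, which is the per-host work comment 21 says is too costly to type by hand.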
  34. Re:Clause? by dcavanaugh · · Score: 2
    "In most cases, simply having the firewall can be a violation of the contract, assuming that you are only allowed to have one computer connected at a time."

    I don't think so. I am an AT&T@Home customer, and my recollection of the AUP was something like "connecting multiple computers requires a home LAN" [duh]. Then it talks about purchasing additional IP addresses. It says absolutely nothing that forbids the use of one IP address for multiple computers. I think they want to pretend it can't be done.

    IMHO, their AUP begins and ends with the ONE computer that has a direct connection to the cable modem. Sure, they can block outside access to servers inside my LAN, under the "we can do anything just by issuing a new AUP" clause. If my ONE computer happens to be rewriting/forwarding packets on behalf of an internal class B network in my basement, good for me. I am buying bandwidth, and one IP address. Technically, my inside machines don't have an internet connection, they are connected to a machine that does that "Internet stuff" for them. Sure, the whole process looks transparent, but that's not my problem either.

    By the time you read this, the people who want to keep their webservers will have moved them to nonstandard ports.

  35. Re:imagine if other utilities did this by Detritus · · Score: 5, Insightful

    Telephone service is not a privilege. The telephone companies are regulated common carriers and are required by law to offer service to the public on a non-discriminatory basis. The conditions under which service can be refused or terminated are set by state and federal law and regulations, not the whim of some telco executive. The same can be said for other regulated common carriers, such as gas and electric companies.

    --
    Mea navis aericumbens anguillis abundat
  36. Same in Salem by Micah · · Score: 2

    My port 80 still works.

    I agree that *temporarily* blocking it may be a good idea for stopping Code Red. But for crying out loud, don't *permanently* block it, or I'm gonna look at DSL. (There are several DSL companies, so *one* of them should be good.)

  37. Re:Read your TOS! by The+Dev · · Score: 2

    Back in the day, Internet access meant completely unfiltered IP routing. Anything less and we called it "AOL". My how times have changed.

  38. Re:Read your TOS! by bacchusrx · · Score: 4, Insightful
    I don't know if it's just the prole in me talking or the heat, but it seems to me that the arrogance & pretentiousness of saying, "Get your own T1 or stop complaining," is just a bit mindboggling.

    From a social standpoint -- where our priorities are less about the "bottom line" and more about providing for a healthy, vibrant, diverse democracy -- there isn't an incredibly good reason why web servers or other content servers are prohibited on so-called "consumer" Internet service providers.

    In some cases the bandwidth isn't there -- I understand that; however, in general, the speeds are suitable for most people's private soapboxes... further, overall and in general, home servers do little harm to the network, Code Red notwithstanding.

    And in all seriousness, I doubt anyone expects strict uptime SLAs or performance guarantees from your local @Home franchise. I'm not suggesting that "consumer-grade" Internet access claims to offer such things or even really ought to... However, I tend to believe that the prohibition on servers is more an effort to control media content creation & affordable distribution more than it is an effort to ensure network stability.

    In effect, a ban on servers prevents citizens from competing affordably for so-called "mindshare" with big corporations and others who don't sweat the cost of dual redundant T3 connectivity.

    Broadband internet access has the potential to really revolutionize media distribution by empowering individuals to affordably control & create new and innovative media outlets.

    On the other hand, most home servers probably aren't even public servers but private servers used for, say, development purposes or sharing files between office & home. These uses are of course even less stressful on the network and certainly more benign.

    Meh... just some food for thought.

    BRx.

    --
    Life after capitalism? The participatory economics project
  39. Re:I've read my TOS and it sucks. by Skapare · · Score: 2

    Yeah! And it's called offering a lower class service to lower class people who want to pay lower amounts and only care to have the lower class service. Even business has to deal with this as T1 (lower class digital circuit) has less bandwidth and costs less than T3 ... duh!

    --
    now we need to go OSS in diesel cars
  40. Punishing Alice for Bob's bad acts by coyote-san · · Score: 2

    Nobody will complain if the ISPs punish users for their individual indifference to numerous warnings. In this case, that would be disabling the cable/DSL modem of any user sending out Code Red requests.

    But that's not what's happening. EVERY user, including the responsible IIS user who patched their system and all Apache, NCSA, et al users are being punished for the inactions of others.

    If the reason why this is so offensive isn't already clear, let me ask you a question: if I'm going to be punished for the actions of others anyway, why should I give a flying fuck about cleaning up my own act? If you don't hold people individually responsible, most behavior quickly falls to the lowest common denominator.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  41. Phone analogy by mwillems · · Score: 2
    I just don't get it. I too am on a provider (Cogeco in Canada) who explicitly prohibits running any server in their 5-page AUP.

    Imagine, if you will, Bell giving you a phone that can only be used outbound. No incoming phone calls. If you get one, you are disconnected. Preposterous.

    The thing that's missing is $$$. If we were charged for incoming connections by the byte, we'd be required, not allowed, to run servers.

    Michael

    --

    ---
    BDOS ERR ON A:>
  42. Perfectly Reasonable Response by gnugeekus · · Score: 5, Insightful
    I'll preface this by saying that I'm a @home customer, and I'm bummed out that I can't run a web server anymore.

    I think that this is a perfectly reasonable response from @home. I work at a large ISP and I've seen how rapidly this code red garbage spreads. The little editorial comment that they can "simply block infected machines" is, quite frankly, garbage. Code Red 2 spreads faster than anyone could possibly keep up with blocking one machine at a time.

    Code Red 2 is tearing up bandwidth at these cable companies. It's noticeably slowing down my speeds on my home internet connection. Something needs to be done in a hurry, and blocking port 80 is a fast solution that works.

    Instead of blaming the broadband providers, why don't you blame the real culprit in this situation: Windows. Get angry at Microsoft; if it weren't for their lousy code and lousy security this problem would not have been possible in the first place.

  43. The problem is.... by fataugie · · Score: 2, Insightful
    Fucking stupid people.

    End of story. If a few dumb assholes would patch their shit and keep current with it, then the majority wouldn't suffer. But no.......... This is military logic, one person screws up, and the whole unit pays the price. The problem is, we can't give a blanket party to the fucking dumbasses who refuse to keep current with security patches. This goes for Linux/Windows/Macintosh/Amiga/NeXT/BeOS/Solaris/CP/M/DOS/HP-UX/AIX/OS9/QNIX/FreeBSD/OpenBSD

    I don't care what you run, if you don't keep current on security patches, you are an asshole.

    "If it weren't for dickheads like you, there wouldn't be any thievery in this world Pyle"

    --

    WTF? Over?

  44. Road Runner's AUP varies by JiveDonut · · Score: 2
    Road Runner's AUP varies depending on where you have service. Here in Virginia, there is no restriction on running a server: Northern Virginia Road Runner AUP

    All they say is that you are responsible for securing your services:

    Customers are liable for having unsecured services, and would be held liable if unknown 3rd parties utilize these services at any time. It is the customer's responsibility to monitor these services. Examples of unsecured services would be use of SMTP relay, incorrect configuration of Proxy or SOCKS services or unsecured operating systems.
  45. thank you by twitter · · Score: 2
    thank you, bacchusrx, for a well thought out and well put thread.

    It's sad to see so many people believe that publication has to be expensive. As you point out, it could not be further from the truth technically. Someone downloading flash trash and commercially produced video consumes far more bandwidth than someone serving static web pages. Still, when I tell people at work that I want to host so much as my own email, they look at me like I have a hole in my head and want to provide Hotmail. What's driving this kind of nonsense? Where are all of these arrogant trolls with their "Enterprise missions" coming from?

    Keep up the good fight. The web must not end up like broadcast media.

    --

    Friends don't help friends install M$ junk.

  46. Re:Read your TOS! by tshak · · Score: 2

    If you want to run your own "mini NOC", then pony up the cash and get ISDN, a T1, or something faster put into your basement. But if you are subscribing to a consumer grade ISP's offerings, don't be surprised when this happens. And especially don't start with the geek indignation, because consumer broadband is not meant, nor sold, under the pretense of running home servers.

    If I pay $50/month for a 256k pipe, and if I want to do my own personal development and want to be able to show others my site from work, or setup a private FTP so that I can grab files offsite, they sure as hell better not stop me. These are totally legitimate uses of a consumer/home office level Internet connection. Plus, with most connections, you can't run a "mini NOC" due to the bandwidth restrictions (128k - 256k upstream).

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  47. Anyone permanently disconnected for running server by Frank+T.+Lofaro+Jr. · · Score: 2

    Anyone here been disconnected permanently/account cancelled/banned for running a server?

    --
    Just because it CAN be done, doesn't mean it should!
  48. Re:Leased Line by figment · · Score: 5, Insightful
    No offense, but this is quite possibly the worst idea i've ever heard. Hopefully i can convince you that this is the worst idea you've ever thought of.

    > Granted I don't know how much one costs but I
    > figure at around $40 a month a group of about
    > 20-30 should be able to gets something way
    > faster that DSL/Cable and without the bullshit.

    We have an LADC line (which, while only rated for 9600 baud, can do 768k unreliably via HDSL), that runs 4 blocks. It has a heavy distance limitation. It costs $80/mo. This does not include bandwidth charges. Distance matters. A lot. Too far away? Too bad, you'll either need a 56k leased line (haha), or frame relay, or ptp T1. None of these (well except 56k) are in your price range.

    > around $40 a month a group of about 20-30
    > should be able to gets something way faster
    > that DSL/Cable and without the bullshit.

    Ok, let's say 25 people @ 40bucks, not including the line charge. that's $1k. Call up qwest, or maybe sprint, or maybe a tier 2-N (because that's all you can afford), and if you live near a POP and you're lucky, maybe you can get a full T1.

    Ok, now we have a shared T1, for 25 people (who i'm assuming will all be geeks, and will be downloading stuff late at night...) Assume a T1 can get maybe 160k/s throughput (you can't get 100% util on a T1 w/o severe latency problems), you get 6.4k/s. Congrats, you've gotten isdn speeds, for the cost of approximately $120/mo/person. This doesn't include startup costs. xDSL equipment costs a few hundred dollars on each end, and 802.11b access points are a lot more expensive than the cards (no, airports don't count, their distance sucks) and the costs of outdoor antennas are horrendous, not to mention you'd have to find/hire someone to do the professional antenna install for you. You'd need a router for your shared T1, add another $600 in startup there.

    > What happens when the network / connection goes
    > down. Either we set up some sort of rotation
    > but we need an admin to fix stuff and that can
    > be expensive.

    Expensive is right. You can get a crappy consultant for $75/hr. Say something significant happens once a month for two hours (that's not too unreasonable, given the current codered/sircam problems, and general maintenance, mailserver/dns crap).

    Your cost is now $125/mo for slightly higher than isdn speeds. See why this idea isn't that great?

    I'm not a big fan of the quality of service of @home or Roadrunner. But at $40/mo, what can you really expect? Does your cable modem/dsl occasionally do over 200k/s? It does? Guess what, just that bandwidth capability alone, would cost you $1.5k/mo to do.

  49. Re:imagine if other utilities did this by Ronin+Developer · · Score: 2

    Like driving, telephone service is a privilege and not a right. I have never read in the Constitution or its amendments (ala the Bill of Rights) that I have the right to telephone service. If it isn't there, it is not a right but a privilege.

    We, the citizens of this country, seem to think that some things as common as telephone service or driving are rights. They are not. Simply because something is regulated or provided for by law does not imply it is a right. If you know what provision of the Constitution guarantees basic or data grade phone service, I'd be much interested in hearing about it.

    The United States is *NOT* a communist or socialist society. What you construe as a right may be in those societies. Not here. We may have our liberal factions, but we are a capitalist society driven by those rules. Yes, the gov't can establish regulations to provide minimal services such as publicly accessible phone. I don't think data grade service is one of them. Unless you are making an emergency call, you still have to put money in them or you get cut off. No?

    If you don't pay your bill, they CAN and WILL cut you off. Same thing goes for cell phone use. The exception is 911 or emergency calls. All public pay phones and cell phones will permit a 911 call at no cost (hence you should keep your cell phone even if you no longer have service).

    When I have moved and needed to set up phone service to my new domicile, the phone line at my old residence loses its dialtone. I can not make a phone call when the line has been disconnected DESPITE the fact that there is a phone line running into the old residence. This is because I have not paid for service in both locations.

    The service they must provide to you is, naturally, non-discriminatory as you pointed out. But, the rate at which you pay for your calls is based upon a legally binding contract. Go over your allocated minutes or call into a long distance area, and different charges apply. Am I not correct? Regulated or not, they are in the business to make money.

    Gas, electric and water companies can also cut off service. But, they may not do so when such action endangers life (that *IS* in the constitution...You have the right to *life*, liberty and the pursuit of happiness). That is why they won't cut off service in the dead of winter or to a nursing home during a heat wave. When the endangering condition no longer exists, they can and will cut off your service. And, they will temporarily restore it if the dangerous condition resumes.

  50. Re:Road Runner by Alioth · · Score: 2
    Hmmmm. That's not in my RoadRunner TOS - it doesn't even mention servers.

    My cable data light started flashing like crazy the other day (and is still doing so). Out of curiosity, I ran iptraf, and discovered the traffic was all ARP packets coming from the default router (and I didn't see any destined for my MAC).

  51. Re:Leased Line by figment · · Score: 2
    Correct. However the usage patterns are such that the time of activity is the same for all. They could be only using their connection 10% of the time, but everyone is doing it at the same time, so you still have those problems.

    I'm also assuming equality, which isn't the case. In the ISP world, 90% of the bandwidth is used by the top 10% of the people. One person could easily saturate the T1 and make it utterly miserable for anyone else (we have T1s into apt buildings and we see this exact thing). Again, now you have worse service than a 56k modem can provide.

  52. Who do you want to ofend? Re:so what by Forge · · Score: 2

    I am willing to bet that they have more customers with compromised servers than they have customers who care about running an actual website from the desktop.

    Either group will be offended enough to change providers if they take action. Business dictates that you should chase the 2 guys who complain about smoke to keep the 10 guys who pass around fat cigars all the time.

    --
    --= Isn't it surprising how badly I spell ?
  53. Re:Wrong about SMTP @ Verizon by TheSync · · Score: 2

    I also have no problems with connecting to outside hosts on the standard SMTP port through Verizon DSL, but others swear they can't.

  54. Re:I've read my TOS and it sucks. by TMB · · Score: 2
    If anyone can explain a good reason for banning servers rather than limiting data volumes, I'm all ears. I think it's either a combination of laziness and sloppy thinking on the part of the providers, or a desire to force the "users" to also be "content consumers" rather than "content providers". Hanlon's razor, I believe, favours the former explanation.

    No, the second is closer to the truth. It's the same reason why companies can't buy a residential phone line. The vast majority of people who want to run servers want to do it for commercial reasons. And therefore have money to pay for a more expensive connection than cheap broadband. By forbidding the use of servers on the residential cable/DSL service, they force all the companies to use the (more expensive) business services. Voila, more money for them, and the only people who get screwed are the relatively small number of us who are poor individuals but who want to run services on privileged ports on our home boxen.

    [TMB]

  55. Re:Move to Canada by Enigma2175 · · Score: 5, Informative
    DHCP servers must have a MAC address memory or something because it will assign me the same IP address all the time (and it's not a feature of my dhcp client)

    Actually, it is a feature of the DHCP protocol. By default, you attempt to renew your address lease after 50% of it is gone. If you do not have connectivity to the DHCP server, the client will keep trying to renew the lease until it is able to contact the server again. The client will attempt to renew a lease from the same server that gave it the initial lease. Even if the lease has been expired for some time, the server will still attempt to give the same address. This is default on most DHCP servers. Of course, you can change this and automatically assign a different address each time, but it gives better overall network stability to have clients keep their ip addresses.

    --

    Enigma
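
The lease behaviour Enigma describes, as an added example that is not part of any post on this page: a toy DHCP-style allocator (not the real wire protocol) that keys bindings on the client's MAC, re-offers the old address even after the lease has expired as long as no other active lease holds it, and hands new clients never-used addresses first. The client renews once half the lease (T1) has elapsed and keeps retrying while the server is unreachable. Pool addresses, MACs and timings are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Lease:
    ip: str
    expiry: int  # absolute time at which the lease runs out


class LeaseServer:
    """Toy server (assumption: one subnet, MAC used as the client identifier)."""

    def __init__(self, pool: List[str], lease_time: int):
        self.pool = pool
        self.lease_time = lease_time
        self.bindings: Dict[str, Lease] = {}  # MAC -> last lease, kept after expiry

    def _held_by_other(self, ip: str, mac: str, now: int) -> bool:
        # Only an unexpired lease belonging to a different client blocks reuse.
        return any(l.ip == ip and m != mac and l.expiry > now
                   for m, l in self.bindings.items())

    def _free_address(self, mac: str, now: int) -> str:
        # Prefer addresses nobody has ever held, then the longest-expired one,
        # so returning clients keep their old address for as long as the pool allows.
        never_used = [ip for ip in self.pool
                      if all(l.ip != ip for l in self.bindings.values())]
        if never_used:
            return never_used[0]
        expired = sorted((l.expiry, l.ip) for m, l in self.bindings.items()
                         if l.expiry <= now and m != mac)
        if not expired:
            raise RuntimeError("address pool exhausted")
        return expired[0][1]

    def request(self, mac: str, now: int) -> Lease:
        """Handle an initial request or a renewal from `mac` at time `now`."""
        prev = self.bindings.get(mac)
        if prev is not None and not self._held_by_other(prev.ip, mac, now):
            ip = prev.ip  # same address, even though the old lease may have expired
        else:
            ip = self._free_address(mac, now)
        lease = Lease(ip, now + self.lease_time)
        self.bindings[mac] = lease
        return lease


class LeaseClient:
    """Toy client: renew at T1 (half the lease), retrying every tick until the server answers."""

    def __init__(self, mac: str, server: LeaseServer):
        self.mac, self.server = mac, server
        self.lease: Optional[Lease] = None
        self.t1: Optional[int] = None

    def tick(self, now: int, server_reachable: bool) -> Optional[str]:
        want = self.lease is None or now >= self.t1
        if not want or not server_reachable:
            return None  # nothing to do yet, or keep retrying next tick
        self.lease = self.server.request(self.mac, now)
        self.t1 = now + self.server.lease_time // 2
        return self.lease.ip


def simulate() -> Tuple[str, int, str, str]:
    """Client A leases at t=0 (lease 100, T1=50), loses the server from t=40 to t=299 so its
    lease expires at t=100, client B arrives at t=150, and A reconnects at t=300."""
    server = LeaseServer(["192.0.2.10", "192.0.2.11", "192.0.2.12"], lease_time=100)
    a = LeaseClient("00:11:22:33:44:55", server)  # constructed MACs
    b = LeaseClient("66:77:88:99:aa:bb", server)
    first_ip = a.tick(0, server_reachable=True)
    renewed_at = None
    for t in range(1, 400):
        if a.tick(t, server_reachable=not (40 <= t < 300)) is not None and renewed_at is None:
            renewed_at = t
        if t >= 150:
            b.tick(t, server_reachable=True)
    return first_ip, renewed_at, a.lease.ip, b.lease.ip


if __name__ == "__main__":
    print(simulate())
```

Client A comes back 200 ticks after its lease expired and still gets 192.0.2.10, because B was offered the never-used 192.0.2.11 instead of A's stale binding; that is the server-side memory the post is describing.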

  56. Re:Verizon DSL is NOT THAT EVIL by TildeMan · · Score: 3, Interesting

    I'm a Verizon DSL user. My brother and I just got off the phone with tech support. First they tried to convince us that hosting a web server was illegal (after we convinced them that we had seen the ToS which says DSL users are exempt); after about ten minutes of arguing that was changed to "We don't support that." Then they told us that they would not open port 80 for specific machines, and that they would not even tell us ANY details about other ports (like the mysterious 25). I hope to call back later and speak to someone a bit more helpful...

    As for why we learned about the port closing from /. long before we heard about it from verizon in a vaguely worded, hidden post, they told us that they didn't send an email because it only affects about 5% of their customers. They also won't notify us when they reopen port 80, however distant that may be. Furthermore, they claim that the vast majority of users who would receive such an email would not care. Still, if I were the average user I certainly would rather hear service/security updates I can ignore than miss ones that might be relevant.

    Conclusion: Verizon is at least approaching Evil, if not already there... please let me know if you've had any better experiences with tech support since the start of the filtering!

    TildeMan

  57. Re:Clause? by geekoid · · Score: 2

    ROT13 my email address
    oh no, you're not going to get me that easy, G-Man. :)

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  58. Re:Verizon DSL is NOT THAT EVIL by Rasvar · · Score: 2

    My main suggestion would be to remap your server to look at port 8080 or something like that. Since it is personal use and you probably only give it to a few folks, adding :8080 at the end of the url should not be that big of a problem and it bypasses the port 80 block.

  59. Re:Servers were never allowed out on cable by roystgnr · · Score: 2

    So please, stop deflecting the blame when really you yourselves (or your friends who don't patch) are at fault.

    You have a 5-digit Slashdot user ID, and yet you seem to believe that someone here is "friends" with administrators of unpatched Microsoft webservers? Where have you been hiding? Half the people here wouldn't be friends with administrators of *patched* Microsoft webservers...

  60. Simply not true - for some AT&T's by TBone · · Score: 2

    Like Gregoyle said, those of us that ended up in AT&T as a result of them buying MediaOne RoadRunner have a different ToS/AUP than the rest of the Excite@Home people. For example, if you go to their help site (help.broadband.att.com) and enter 32202 (downtown Jacksonville), you will get the set of documents that reflect the MediaOne user agreements. Nowhere in those documents does it say we are not allowed to run servers, and in fact, it says that if we run servers, AT&T will not be held responsible. However, their level 1 tech support is stupid, and told me that if you enter Server in the search window, there's documentation that says "you may not run servers". The local Franchise Board is going to get a call from me next week - AT&T is already under investigation here in Jacksonville for crap Cable TV service and support, and if they are slamming my original ToS with a new one, and not giving me ample notification, then they are going to have more problems.

    --

    This space for rent. Call 1-800-STEAK4U

  61. Re:Taking business elsewhere - !@#$% by rreyelts · · Score: 2, Insightful
    If you don't like their actions or policies, then take your business elsewhere.

    This attitude makes me sick. The idea of capitalism seems great, but it just doesn't work. How can I take my dollars elsewhere, when there's nowhere else to go? Every saturated market ends up in the hands of an oligopoly - not much better than a monopoly. In the case of broadband access, it's even worse, because of the government sanctioned monopolies on cable. Go on, ask me what choices I have for broadband access. [sigh]

    One frustrated broadband user, -Toby
  62. My Temporary Work-Around by Anonymous Coward · · Score: 2, Interesting
    I was more than just a little pissed off about this. I was laid off just recently, and have been relying on contract admin and design work to make ends meet. It kinda sucks when all of the sudden, my demo site falls off the net, and my clients are unable to see the work that I am trying to sell them. I'm sure it makes them uncomfortable about buying my services when I can't even keep my own site online (through no fault of my own).

    My temporary fix was as follows:
    1. Moved all of my virtual hosts from domain.com:80 to temp.domain.com:82
    2. Created A and CNAME records for temp and www.temp, pointing to my server at home.
    3. Had a friend install a VirtualHost on his web server, with an index.cgi that redirects requests to my temporary virtual hosts (see below).
    4. Pointed @ and www at my friend's server.
    Here's what the redirector script looks like. Note that I originally tried a simple redirect, but found that meta refresh was more effective for this application:

    #!/usr/bin/perl
    use strict;
    use warnings;
    # Keep a leading "www." in front of "temp." so www.domain.com lands on www.temp.domain.com:82 (the A/CNAME records from step 2)
    my ($www, $host) = ($ENV{HTTP_HOST} || "") =~ /^(www\.)?(.*)$/;
    my $redirect = "http://" . ($www || "") . "temp.$host:82" . ($ENV{REQUEST_URI} || "/");
    print "Content-type: text/html\n\n";
    print qq{<meta http-equiv="Refresh" content="0;URL=$redirect">\n};
  63. Want to have some fun? by drix · · Score: 2
    Here's a question which I've put repeatedly to the monarchs and @Home over the past few years. Never once have I received a response. I think that's telling.

    What is your definition of "server"?

    Chew this over for a couple milliseconds and you realize that, by banning servers from their TOS, they are effectively forbidding the use of all instant messaging services, many online games, all peer-to-peer applications, IRC, and a host of others. One is left to infer that the only kosher activities on the @Home network are web browsing and checking e-mail. They would never be caught dead saying this, but you can't not get that idea from a strict reading of the contract. Even in a single e-mail to an inquisitive customer, they would of course never be caught dead admitting this. To do so would, of course, invite lots of fun sloganeering on behalf of the various DSL providers, who would like nothing more than to put the phrase "@Home bars you from using 90% of the Internet services that you want to; we don't" into @Home's pipe and watch them smoke it. So, if you're a little bored on this Wednesday night, fire off an e-mail to your friends at @Home and await the response. :)

    --

    I think there is a world market for maybe five personal web logs.
  64. @Home Carnivore by ergo98 · · Score: 2

    @Home would then basically be running a relative of Carnivore, and imagine if every time I tried to look at your post @Home suddenly clamped the connection shut.

    The logistics of something like that would be MASSIVE, as normal stateful firewalling is simply saying "who connected to who and has there been any data in the last X interval?" Actually keeping track of the content of each stream, while as mentioned guaranteed to incite outrage on sites such as this, would be a massive undertaking for millions of users with millions of connections. Although on the "bright" side, once they have that in place they can then turn it on for connection dropping for keywords like "linux", "warez", "crackz", "porn", "drugs", etc.

  65. @HOME by Anonymous Coward · · Score: 2, Informative

    So far, my server is still running. I turned it back on, after it was crashed by Code Red attempts, and received another Code Red attack the next second. Is the ban network wide? Is it not in place yet?

  66. I must be the only one... by Anonymous Coward · · Score: 3, Insightful

    I'm posting AC because it seems each time I post my opinion on this topic, I lose karma...

    I don't see any reason why providers shouldn't block port 80 incoming. The only reason to have that open is to run a webserver -- something most broadband providers explicitly disallow for residential customers. That's one of the reasons why a "business" account usually costs a lot more, even for the same speeds.

    Just because they let it ride up to now, doesn't mean they have any less a right to block it now. If they'd been doing this all along, I'm sure most people wouldn't be complaining now.

    Sure, it's nice to run a webserver at home, but residential service doesn't usually come with any kind of real uptime guarantees, etc. It just makes more sense to either get a business account, or get a real webserver (lease one, or use a shared provider, whatever).

    With the amount of port 80 requests in my firewall logs on my cable connection, I would welcome a block on port 80 personally. I've already gotten bored of looking at 'dir' listings and deleting files on these idiot Windows/IIS machines... but seriously, it's time to put this thing to rest and move on. And get a webserver.
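
The log noise this poster is looking at can be classified mechanically. The following is an added example, not code from any post on this page: it parses NCSA/Apache common-log lines and flags the worm's characteristic probe against the .ida ISAPI filter, a long run of 'N' characters (Code Red v1/v2) or 'X' characters (Code Red II) in the query string of /default.ida, and tallies probes per source host and per variant. The log lines are constructed samples with private and documentation addresses; the %u-encoded tail is shortened.

```python
import re
from collections import Counter

# NCSA common log format: host ident authuser [time] "method path proto" status bytes
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red v1/v2 padded the .ida query with 'N'; Code Red II used 'X'. A minimum run of 20
# keeps an ordinary request for /default.ida from being counted as a worm probe.
_IDA_RE = re.compile(r'^/default\.ida\?(?P<filler>N{20,}|X{20,})', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one common-log line as a dict, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path):
    """Return 'code_red' (N filler), 'code_red_ii' (X filler), or None for anything else."""
    m = _IDA_RE.match(path)
    if not m:
        return None
    return 'code_red_ii' if m.group('filler')[0].upper() == 'X' else 'code_red'


def scan_log(lines):
    """Count worm probes per source host and per variant; non-parsing lines are skipped."""
    per_host = Counter()
    per_variant = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_request(rec['path'])
        if kind:
            per_host[rec['host']] += 1
            per_variant[kind] += 1
    return per_host, per_variant


# Constructed sample log: two Code Red probes from one host, one Code Red II probe, one normal hit.
_PROBE_TAIL = '%u9090%u6858%ucbd3 HTTP/1.0" 404 207'
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Aug/2001:03:12:01 -0400] "GET /default.ida?' + 'N' * 40 + _PROBE_TAIL,
    '10.0.0.5 - - [07/Aug/2001:03:12:07 -0400] "GET /default.ida?' + 'N' * 40 + _PROBE_TAIL,
    '10.0.0.9 - - [07/Aug/2001:03:15:44 -0400] "GET /default.ida?' + 'X' * 40 + _PROBE_TAIL,
    '192.0.2.7 - - [07/Aug/2001:03:16:02 -0400] "GET /index.html HTTP/1.1" 200 1532',
    'this line is not a log entry',
]

if __name__ == '__main__':
    hosts, variants = scan_log(SAMPLE_LOG)
    for host, n in hosts.most_common():
        print(f'{host}: {n} probe(s)')
    print(dict(variants))
```

Feeding a real access log through scan_log gives the per-source counts an ISP would need to act on individual infected hosts rather than on a whole port; on a non-IIS server these requests return 404 and are harmless, which is exactly why they only ever show up as log noise there.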

  67. Re:Road Runner by shaper · · Score: 2

    Whoa! That's different from what I just read on my AUP. I note that the top of the page you link says Kansas City. The service that I use is "Road Runner of the Mid-South" and its AUP is at http://www.midsouth.rr.com/local/terms/tos.shtml

    It's different! Hmmm... Note the additional bullet point that disallows you "to host or operate any type of server including but not limited to web, ftp, gaming, mail, wingate, etc. Running such software/hardware is STRICTLY prohibited for residential and business service." The bold, all-caps emphasis on "strictly" is original to the page, I did not add it.

    I wonder if they would really insist that I not turn on Web Sharing on my Mac OSX box, especially since it is actually Apache!

  68. Re:Simply not true... by Pfhreakaz0id · · Score: 2

    >I don't even know if MS IIS supports this, but luckily I'm not running IIS .. You've GOT to be kidding. Do you really think IIS wouldn't support something as trivial as running on a different port?

  69. Re:People are becoming consumers, not content crea by gad_zuki! · · Score: 2

    all UNIX users on these cable modems suffer because Microsoft did not make a secure web server.

    So do NT and 95/98 customers. You know you can run Apache on those platforms don't you?

    While I think your over-the-top soma metaphor is somewhat representative of reality, I certainly don't see "web content" as the great creative force geeks and designers think it is. TV ratings haven't dropped because of the net; it's just adapted to more profitable shows like Survivor.

    Not to mention the web has created almost as many Web/IM "chair potatoes" as TV has done.

  70. Re:Read your TOS! by twitter · · Score: 2

    packets is packets. "I love lucy" eats more bandwidth than my mail server. In any case, the cable companies are defending their monopoly franchises by citing the "massive changes" to infrastructure they have already made.

    --

    Friends don't help friends install M$ junk.

  71. Re:Leased Line by regen · · Score: 2
    Ok, now we have a shared T1, for 25 people (who i'm assuming will all be geeks, and will be downloading stuff late at night...) Assume a T1 can get maybe 160k/s throughput (you can't get 100% util on a T1 w/o severe latency problems), you get 6.4k/s.

    You are assuming that every user will be using the system 100% of the time, which isn't typical. If on average a user has a duty cycle of 10% (10% active packet transmission, 90% idle), which is still high, you'll see average bandwidth of 64KB/s.

  72. Re:We haven't done this yet.. by fanatic · · Score: 2

    ideally you could just block the customers with infected IIS servers,

    Which accomplishes NOTHING for the current situation. Blocking inbound port 80 to the infected is worthless - they are ALREADY infected. Blocking outbound port 80, which WOULD do some good, will also stop them from using a web browser, which is bound to piss them off.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  73. Wrong about SMTP @ Verizon by Salamander · · Score: 2

    I'm a Verizon DSL customer, and I have no problems connecting to outside servers from inside Verizon's network to send mail. Yes, I just checked. My understanding is that it's only the converse that is banned - connecting to Verizon's servers from outside. This has been true ever since I got my DSL account (two years ago) and is a big pain in the ass, but it's not as bad as what people are claiming.

    Yes, I know the thing about SMTP was only an aside, and that most of the commotion is about HTTP. Nonetheless, it still bears correction.

    --
    Slashdot - News for Herds. Stuff that Splatters.
    1. Re:Wrong about SMTP @ Verizon by Salamander · · Score: 2

      It's entirely possible that they're applying different policies to different parts of their network, either intentionally or otherwise. I know that after Bell Atlantic bought Nynex the two halves of their network were not particularly well integrated and run by very different rules, so it's not a stretch to imagine that the former-GTE and former-BA parts (for example) exhibit different behaviors. I guess what I should have said is that from my house in Lexington MA - which was New England Telephone, then Nynex, etc. - I can get to outside SMTP servers just fine. Whether that applies to someone in, say, Delaware might be a whole different matter.

      --
      Slashdot - News for Herds. Stuff that Splatters.
  74. Re:We haven't done this yet.. by hearingaid · · Score: 2

    to install said T1s and so on, yes, you had to get approval hoops. but to gain access to them?

    no. :)

    zitface? that would be high school: the time before tcp/ip. (for me. I'm not an american.)

    usenet? yes. lurker? no. hah.

    .edu? never, wrong country. :) (and besides - who only had one address? jeez, even legally I usually had about four. :)

    FWIW, I only rarely telnetted into VAXen. most of the time I used SET HOST. :)

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  75. Re:Read your TOS! by bacchusrx · · Score: 5, Insightful
    Again, these aren't totally valid arguments. I've not seen any valid, technical reason to prohibit servers on broadband connections that cannot be satisfied by other means. As I've said before, the real push seems to be to restrict home users from being content producers.

    It also creates an artificial market-- why would I buy "business class" bandwidth or co-locate a server for a site that's adequately hosted on broadband for a fraction of the price? We're not talking "enterprise, mission-critical, ecommerce" web applications or anything... we're talking about noncommercial, nonprofit media forums.

    I run a site that gets maybe 100 hits a day, is frequented by only a small group of 15 visitors. However, we have very complicated custom web applications that drive the sorts of things we do... free or paid shared hosting is not an option. Nor is it a real possibility to shell out money for co-location or "business class" bandwidth for this sort of thing -- that of course generates no profit. The idea that the home user should settle for less (yanno, the idea that a 5MB, ad-riddled, censored, GeoCities account "is good enough") -- that only big corporations should have access to high quality server applications -- is disturbing. It reinforces the idea that the Internet is here for business-- not for culture, not for recreation, not for academia, not for the free exchange of ideas.

    Access to the tools big business uses is a real possibility with broadband since a lot of hobbyists, enthusiasts or professionals working in their spare time can put together a lot of the same things that corporate and "ecommerce" sites can...

    As I say, I'm not claiming that broadband needs to come tethered to the sorts of service levels that corporate folks are expecting-- nobody suggests such a thing... but there's no good reason to limit people to Geocities because... "pfah! if you're serious, you'd co-locate in an Exodus data center."

    That argument is pretentious and elitist. I get no Darwinian thrill from seeing only the moneyed have access to technologies all of us could use, enjoy and share at minimal cost.

    BRx.

    --
    Life after capitalism? The participatory economics project
  76. roadrunner is fine by Trepidity · · Score: 2

    I subscribe to RoadRunner, and my port 80 http server is still accessible to the outside world...

  77. Re:Read your TOS! by janpod66 · · Score: 4, Insightful
    Seriously people... Most, if not all, broadband providers prohibit running servers from home accounts

    And what exactly is a "server"? Is accessing your Pilot calendar remotely using a server? Is using an FTP client a server? What about identd? What about my PC vendor's remote Windows support system? Is running a client connection to establish a VPN to some other host on the Internet and poking out a server socket on that machine "running a server"? Let's be concrete please, because my TOS don't actually say. They are so vague that the provider can make up what they mean whenever they like.

    And especially don't start with the geek indignation, because consumer broadband is not meant, nor sold, under the pretense of running home servers.

    That would be true if broadband providers fully owned all the rights of way and infrastructure. They don't. They tear up public streets and use public spectrum only because the communities where they deliver service let them. They can be kicked out if they don't satisfy the needs of the community. And peer-to-peer and servers are crucially important in particular for non-commercial and non-profit uses.

    Furthermore, for broadband providers to try to control whether you may run a "server" is the beginning of content controls. The next thing you know, you'll only be able to connect to the commercial sites of your provider's choosing.

    Broadband providers should be legally required to provide universal Internet connectivity and set rates and limitations based on bandwidth and volume only. Possibly, there might be two rate structures, one for non-commercial and another for commercial customers. But providers should have no business deciding what content or packets travel over their networks, as long as the packets are properly addressed and their format is according to spec.

  78. Re:Servers were never allowed out on cable by figment · · Score: 4, Insightful
    As an ISP, we have a very similar and equally stupid "no servers" statement in our AUP. And I like it.

    @Home and others had the exact same philosophy that we did, "we really don't care, unless it starts to become a problem." We (as in the ISPs), were quite lenient (yes, i have a webserver running at home) because we believe in the exact same things you do, we're geeks too.

    But frankly, you guys failed. If everyone had just patched their servers regularly, and knew the least bit about their computer, and wtf it was doing, then this would never have been a problem, and we wouldn't have to take such ridiculous measures as this. Yes, i think this is a ridiculous measure, but so is leaving your computer unpatched for any decent amount of time. So please, stop deflecting the blame when really you yourselves (or your friends who don't patch) are at fault.

  79. Re:Not a huge surprise.. by loraksus · · Score: 2

    hmm. I've always fought to get the thing on. well, what can I say...

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  80. Re:Not a huge surprise.. by Detritus · · Score: 2

    IIS has the bad habit of getting installed by piggybacking on the installation of other software. I've seen this happen when a ftp server or Visual Studio is installed. Maybe you didn't want IIS, but you get it anyway.

    --
    Mea navis aericumbens anguillis abundat
  81. Re:Leased Line by RzUpAnmsCwrds · · Score: 2, Interesting

    That's already done in my area. It's called Colorado Wireless Cooperative. For about $60/month, you get a 5mbit downstream and 5mbit upstream connection. You can do anything you want with it. So yes, this is possible. CWC actually uses a 802.11b variant with special antennas. Works great!

  82. Re:Move to Canada by SCHecklerX · · Score: 2

    Actually, my ISP hardcodes our MAC addresses to our DHCP assigned IP Address, so it never changes anyway. No need to pay the extra money for a static IP that way, I guess :)

  83. Re:Verizon DSL is NOT THAT EVIL by heliocentric · · Score: 2

    Ahem... go here check the system status where you are. East coast it says:

    DSL Network

    Posted Date: 8/6/01 10:18:41 PM CST

    Status: Open

    In an effort to limit the propagation of the Code Red internet worm across the Verizon internet services network, Verizon has placed filters on the network to protect its end users from being infected with the Code Red Internet Worms. These filters will not impede users' ability to browse the internet but will prevent infected machines from scanning Verizon internet services network. Verizon is doing all we can to protect our end users from this internet worm. If you feel you may have been infected with this worm, please consult virus/network security websites to learn about the latest patches and/or symptoms of this internet worm.

    I'd also like to point out that if your machine really is so open... then why is it that I can ping you... yet no web pages load? Could it be that maybe verizon is filtering incoming port 80??

    I'm mad 'cause when I called to sign up and I told them I'd be running linux they said I couldn't and I did - so why am I being cut off when it is impossible for me to get infected with code red???

    --
    Wheeeee
  84. Re:Read your TOS! by ergo98 · · Score: 2, Insightful

    If I pay $50/month for a 256k pipe, and if I want to do my own personal development and want to be able to show others my site from work, or setup a private FTP so that I can grab files offsite, they sure as hell better not stop me.

    Or what? You'll beat them up? They can do whatever they want, and if you don't like it you can look at the competitors (which in this case would be one of the many teetering-on-the-edge-of-bankruptcy DSL providers). Let your dollars do the voting for you, but as the previous poster mentioned indignation is just sad: They don't owe you anything, and you know what the deal is every month that you pay the bill.

  85. Re:We haven't done this yet.. by hearingaid · · Score: 3, Insightful

    you know, t1s and t3s have been around for a while. it's just that in the old days you had to Know Things to get access to them.

    now, the idiots have broadband. is this better? I am not sure. I suppose in a way. I now have DSL whereas a few years ago I was running SLiRP on my university's sun box for free 'net access.

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  86. And what is your alternative? by mwillems · · Score: 2

    I run servers too where I am not allowed to. Because, like most, I have no alternative. Cable or dialup. No ISDN possible here, no ADSL no leased lines. Why do you think they can behave like nazis in the first place? Because we have no choice!

    --

    ---
    BDOS ERR ON A:>
  87. Re:No blocking yet by Velox_SwiftFox · · Score: 4, Insightful
    That's odd. There isn't any such clause in the subscriber agreement that the AT&T page linked in the Slashdot announcement points to.

    Could you provide a URL for what you are quoting?

    The explanation given and the clause given as an excuse are (quoting from the above links) an extremely long stretch IMO:

    Why Can't AT&T@Home Residential Customers Run Web Servers?

    The AT&T@Home residential service offering is a consumer product designed for your personal use of the Internet. Customers must ensure that their activity does not improperly restrict, inhibit, or degrade any other user's use of the Services, nor represent (in the sole judgment of AT&T Broadband) an unusually large burden on the network itself.

    The benefits and privileges available from the AT&T@Home, and the Internet in general, must be balanced with duties and responsibilities so that other customers can also have a productive experience.

    Under the terms of the AT&T Broadband Subscriber Agreement customers are not to restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service. See Prohibited Uses of Service (g) in the AT&T@Home Subscriber Agreement.

    The clause referred to:

    g) restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service, including, without limitation, posting or transmitting any information or software which contains a virus or other harmful feature; or generating levels of traffic sufficient to impede others' ability to send or retrieve information;

    So, where do they get off filtering a small, low-bandwidth server that doesn't do what "clause g" prohibits?

  88. It's obligatory. by SuiteSisterMary · · Score: 5, Funny

    In 2001,worm was happening.
    Customer1: What happen?
    Customer2: Somebody set up us the port filter.
    Computer: We get mail. Customer1: What?
    Customer2: Email client turn on.
    Customer1: It's you !!!
    Cable Provider: How are you, gentlemen ???
    Cable Provider: All your TOS are belong to us !!!
    Customer1: What you say???
    Cable Provider: You have no chance to host, make your time.
    Cable Provider: Ha ha ha !!!
    Customer1: Move boxen.
    Customer2: You know what you are doing?
    Customer1: For great serving,
    Custoemr1: Move every boxen.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  89. Re:They ought to filter on an http-server basis by JatTDB · · Score: 2

    Let's say you're a network admin at a large broadband ISP. Code Red is bringing the network to its knees. Despite media attention over the few weeks now that Code Red has been out there, thousands of machines on your network are still infected. Something has to be done to make the network stable again. Do you:

    A) Start scanning every IP on your network to look for servers running IIS, thus generating a huge list that you now have to put into a router as an access list, and keep updating it as those servers change IPs, not to mention deal with calls from users that have figured out that the blocking is not total and want their host unblocked, or

    B) Make one big general rule that kills all inbound traffic on port 80

    The first solution, while significantly more friendly to the users, is a recipe for a support nightmare.

    --
    "That's Tron. He fights for the Users."
  90. Re:I don't know anything about port blocking but.. by s390 · · Score: 2

    If you've got *proof* that @home servers were port-scanning you, maybe you've also got a great lawsuit. They attack your "home" - they pay! When you signed up with them, you didn't give them any rights to attempt to compromise your system. Class action time....

    Just my 2 qubits...

  91. And who determines this? by mwillems · · Score: 2
    Err.. so now we have you (whoever you are) determining who gets full access to the Internet? How do you think all of us here got our experience? If we only allow experienced users rather than people who have just installed Linux for the first time, who determines when they know enough? What, we introduce an exam? Who sets the syllabus? The government? Who takes the exam? MS? An MCSE required? Or knowledge of IPX? Or NetBIOS? Can we discriminate?

    I see plenty of trouble ahead if we go your way.

    Michael

    --

    ---
    BDOS ERR ON A:>
  92. Re:Leased Line by figment · · Score: 2
    You have a point. Sort of.

    There is a large large large difference between an office and a home. The problem is out of those 40 ppl in the office, 3 or 4 can do that internet radio thing w/o a problem.

    The problem is we're comparing apples and oranges. Consider who would pay $125/mo for internet access, it's not going to be your typical light user who checks their aol mail once a night, it's going to be the heavy users who are going to tax the connection.

    That's probably the largest problem with the do-it-yourself thing, if you do it like this, short of becoming an ISP, you don't have the ability to sell to the "light users" which will allow yourself to either a) be profitable if that's your goal, or b) keep your costs down.

    We have many offices that have 2ch isdn (that's a rocking 128kbit!) that have 50 people in it and do quite well, but if you went up to each one of them and asked if they'd pay $125/mo for an internet connection, you'd see some pretty funny facial expressions.

  93. Re:Read your TOS! by Stiletto · · Score: 2

    One point that isn't often brought up, is that while it may not be against the TOS to run a server, it _IS_ against the TOS to interfere with others' connections. The link to AT&T that slashdot provided above illustrates this.

    If you're hosing Code Red, you're interfering with my (and others') connection!

    I said it before, and I'll say it again: Find the people who are too stupid to admin their IIS servers and YANK their connections. Let the rest of us use our connections responsibly.

    Sure, it sucks that port 80 is blocked, but as long as they use this time to identify the people aiding and abetting the Code Red worm, I'm all for it.

  94. Recess: School's out by Graymalkin · · Score: 2, Interesting

    Since the advent of broadband in homes people have been wasting as much bandwidth as possible by downloading warez and MP3s and bootleg copies of feature films at all times of the day. You notice CD-Rs and large hard drives are often purchased by the same people with fat internet pipes. Hmmm.

    Now virus and worm writers are taking advantage of these people that have been screwing their networks up the ass for years now. I feel so so bad. Webservers that shouldn't have been running in the first place are being blocked. Man I'm heartbroken.

    I don't think broadband is a bad thing at all and nor am I against downloading large chunks of data. Freeware, patches, legal ISOs, music, etc is all cool and why you've got the fast pipe in the first place. The problem lies in the folks running their webservers and anon FTPs that are filling up the outgoing frames which normally don't get filled up on consumer oriented pipes. I wouldn't want to be the dude trying to manage the consumer network that was never intended for such traffic. If it were me I'd cap your monthly bandwidth and start charging like web hosts do. Whoever thought it was a good idea to leave broadband unthrottled and uncapped was a jackass. It works fine when you can feed a shitload of dialup users with a single T3 or OC line. Things break down when you apply that same model to people who have bandwidth rated at a significant portion of a T3 or OC line.

    --
    I'm a loner Dottie, a Rebel.
  95. You're violating our Double Secret AUP! by Velox_SwiftFox · · Score: 2
    I'll have to take your word for it, I guess. The link you supply seems to only be available to Excite@Home customers, so it is hard to tell if it would apply to other AT&T customers.

    My question is if with such a variety of AUPs, which one applies to a particular customer? I would presume only those ones presented to them.

    It appears some of AT&T's customers have an AUP that doesn't support the poster I was replying to's "Hello, read your contract" sarcasm, though, if they were only pointed at the same apparently official AT&T AUP document I quoted. If AT&T Broadband has such a clear statement elsewhere that would apply to all (noncommercial) customers, I can only wonder why they pointed at one that only makes a half-assed excuse for their actions...

  96. Re:Servers were never allowed out on cable by Skapare · · Score: 2

    I would suspect that each router into each segment has the access list to block it. That would explain why some places still don't have it blocked (haven't got it configured in all of them, yet). And yes, that could mean that within a segment, the traffic can still go through. Maybe this is why CR2 narrowed its scan range.

    --
    now we need to go OSS in diesel cars
  97. Re:Clause? by IronChef · · Score: 4, Funny

    I am an @Home subscriber in Seattle. Here is the truly hilarious service they provide.

    - As an @Home user you are not supposed to do anything business related, including something as simple as sending email to your office.

    - If you want to do business, you can easily upgrade your cable @Home connection to an "Excite@Work" DSL connection. Except that @Work simply isn't available over most of the @Home coverage area.

    So they tell you to upgrade to a product they can't sell you. Hilarious.

    I would happily pay more for @Home CABLE service if they would give me a fixed IP and not block servers. Not that they are at the moment, but I smell trouble on the horizon. That Qwest DSL with the month-to-month pricing is looking better all the time.

  98. Re:I've read my TOS and it sucks. by figment · · Score: 2
    wow i suck and can't type.

    What i really meant is that 99.9% of security problems from home are stuff i don't want to deal with. blah. sleep time for me.

  99. Re:The end of a state of denial by mgarraha · · Score: 2

    I had AT&T@Home in the fall of 1999. During that time, home.com got onto the MAPS RBL for failing to shut down open SMTP relays. That got their attention! To demonstrate good faith to MAPS, they conducted a campaign of probing customer machines on port 25 and sending nastygrams to people running servers. Their response to the present incident makes much more sense.

  100. Re:I've read my TOS and it sucks. by janpod66 · · Score: 2
    It's an interesting question you raise there: did you actually buy bandwidth?

    Yes, that is what my TOS say. If yours don't, they should.

    Unfortunately, it is their problem when they start receiving huge numbers of abuse calls because you left your box open.

    You are confusing what is with what should be. Of course, this is the way things are right now. I'm arguing that it shouldn't be. The access provider should be a carrier, with no responsibility for what travels over their wires, other than making sure that the IP headers are correct. What happens right now is that ISPs stick their fingers in all sorts of content controls, but the one thing they don't do and the one thing that they actually should control is that every packet is identified correctly.

  101. You can thank IIS.. by victwenty · · Score: 5, Interesting
    Blocking port 80 is the only practical way providers such as @home have to control code red. I'm on their network and in the last 48 hours, I've gotten:

    [root@gamara log]# grep DPT=80 messages | wc -l

    3722

    code red hits, all from other @home users. All W2K/IIS 5.0 users. The IPs I've looked into all have the default pages up too. I've even tried running "dir" commands on a few through the "root.exe" backdoor code red installs, incredulous that it would work, and yes.. thousands of wide open NT boxen. This hasn't even seemed to slow down yet, despite the widespread publicity which leads me to believe that a large percentage of those stricken are either totally clueless, don't realize they have IIS running (?), or flat out don't care which leaves the ISP little choice. And it may be my perception, or unrelated factors, but my net connection has certainly seemed more sluggish over the last week, perhaps as a result of upstream saturation, something @home doesn't have much of.

    So I would agree, blocking port 80 is the most practical way of defeating this and it should have happened earlier. It's that or ban all microsoft operating systems as a public hazard :)

    1. Re:You can thank IIS.. by Elias+Israel · · Score: 2, Interesting
      Blocking port 80 is the only practical way providers such as @home have to control code red. I'm on their network...

      Respectfully, that's a load of crap.

      I've got a Linux host connected to the AT&T network (they were better as MediaOne), and not only can I produce for you a log of the CodeRed infected customer machines that need to be dropped off the net until their owners get smart, but I also have a firewall in place and I routinely spend 2 hours each week reading the firewall logs and reporting on various l0sers who love to attack the ATT network.

      I pay ATT around $200 each month for various services, including cable, telephone, and internet.

      I'm policing their network for them because they apparently can't be bothered.

      You'd think they'd treat people like me as heroes, or at least good customers.

      I leave it to you to decide how we have really been treated.

      "We're the phone company. We don't care. We don't have to."

    2. Re:You can thank IIS.. by Todd+Knarr · · Score: 4, Interesting

      I can think of a more effective solution: every time a Code Red probe goes out, deprovision the modem belonging to the customer with that IP address. They've got a proven AUP violation and a proven security problem that's disrupting their network. That's more than enough justification for jerking the account entirely. This has the dual benefits of shutting down Code Red and forcing people to actually learn how to secure their systems which makes future problems slightly less likely, and doesn't impact those of us who aren't susceptible to Code Red at all.

    3. Re:You can thank IIS.. by victwenty · · Score: 2
      Personally, I would rather my ISP not institute a system to scan all valid http traffic for strings which might just happen to buffer overflow an IIS server. If ISP's started instituting this, how long do you think it would be until somebody started embedding such strings in innocent looking links (or via redirects) on pages such as slashdot? As if goatse.cx wasn't bad enough..
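
    The `grep DPT=80 messages | wc -l` count in post 101 only gives a total; the discussion in post 89 (a per-host access list versus one blanket rule) and Todd Knarr's reply above turn on knowing *which* sources are probing. The script below is an added example written for this thread, not code from any of the posters: it parses iptables LOG lines of the same shape as the post's `messages` file, counts port-80 hits per source address, flags sources over a threshold, and emits per-host rule strings for comparison with the blanket rule. The log lines and the 10.20.30.x addresses are constructed sample data, and `gamara` is reused as the hostname only because it appears in the post's prompt.

```python
"""Attribute inbound port-80 probes to source addresses in iptables LOG output.

Added example for the Slashdot thread above; not code from the posters.
It does what `grep DPT=80 messages | wc -l` does, but per source address,
so an operator sees which hosts are probing rather than only a total.
"""
import re
from collections import Counter

# iptables LOG lines are syslog lines carrying space-separated KEY=VALUE fields.
_FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def _syslog_line(src, proto, dpt, spt=4521):
    """Build one constructed iptables LOG line (sample data, not a real capture)."""
    return ("Aug  7 22:14:01 gamara kernel: IN=eth0 OUT= "
            f"MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC={src} DST=10.20.31.5 "
            f"LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=8851 DF PROTO={proto} "
            f"SPT={spt} DPT={dpt} WINDOW=8192 RES=0x00 SYN URGP=0")


# Constructed sample: private addresses standing in for cable-modem neighbours.
SAMPLE_LINES = [
    _syslog_line("10.20.30.40", "TCP", 80),
    _syslog_line("10.20.30.41", "TCP", 80),
    _syslog_line("10.20.30.40", "TCP", 80),
    _syslog_line("10.20.30.43", "TCP", 8080),      # grep DPT=80 matches this, but it is not port 80
    _syslog_line("10.20.30.40", "TCP", 80),
    "Aug  7 22:14:09 gamara kernel: eth0: link up",  # unrelated kernel message, no packet fields
    _syslog_line("10.20.30.42", "TCP", 443),
    _syslog_line("10.20.30.41", "TCP", 80),
    _syslog_line("10.20.30.40", "TCP", 80),
]


def naive_grep_count(lines, pattern="DPT=80"):
    """What `grep DPT=80 | wc -l` returns: a substring match, so DPT=8080 counts too."""
    return sum(1 for line in lines if pattern in line)


def parse_log_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of one LOG line, or None if absent."""
    fields = dict(_FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return fields


def count_hits_by_source(lines, port=80):
    """Count TCP packets whose destination port is exactly `port`, keyed by source."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields is None or fields.get("PROTO") != "TCP":
            continue
        try:
            if int(fields["DPT"]) != port:
                continue
        except ValueError:
            continue
        counts[fields["SRC"]] += 1
    return counts


def suspected_sources(counts, threshold=3):
    """Sources with at least `threshold` hits, most active first."""
    return [src for src, n in counts.most_common() if n >= threshold]


def per_host_rules(sources, port=80):
    """Per-host iptables rule strings: the 'option A' from post 89, one line per host."""
    return [f"-A FORWARD -s {src} -p tcp --dport {port} -j DROP" for src in sources]


BLANKET_RULE = "-A FORWARD -p tcp --dport 80 -j DROP"   # the 'option B' blanket block


if __name__ == "__main__":
    hits = count_hits_by_source(SAMPLE_LINES)
    print("grep-style count:", naive_grep_count(SAMPLE_LINES))
    print("real port-80 hits:", sum(hits.values()))
    for src, n in hits.most_common():
        print(f"  {src:15} {n}")
    print("suspected sources:", suspected_sources(hits))
    print("targeted rules:", *per_host_rules(suspected_sources(hits)), sep="\n  ")
    print("blanket rule:", BLANKET_RULE)
```

    Two things the one-liner hides: the substring match over-counts (a `DPT=8080` line is included), and the total says nothing about how concentrated the hits are. On the sample, four of the six real port-80 hits come from one address, which is the case where a per-host rule costs one line while the blanket rule cuts every subscriber off. The threshold is a constructed tuning knob; on a real feed it would be set from the normal rate of inbound port-80 connections to that host.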

  102. Re:Read your TOS! by bacchusrx · · Score: 3, Insightful
    I work for one such company, so I'm well aware ;)

    However, use of so-called "shared" or "virtual" web hosting services limits greatly the sorts of applications you can create and run. It also limits your ability to administer your machine and configure the applications you use the way you see fit.

    Some hosts are more forgiving than others, but, for highly specific development environments any shared host is less than ideal. Also, censorship considerations by [corporate] hosting providers may also be a concern...

    Further, shared web hosting says nothing of other content servers which may be unavailable completely or available in shared configurations only in highly restricted circumstances.

    BRx.

    --
    Life after capitalism? The participatory economics project
  103. Re:Not a huge surprise.. by loraksus · · Score: 2

    Yeah, iis installs itself in 2k right?
    If you're running iis, you know you are running iis. Not to say that you'll patch it, but neither do many sysadmins (who, btw, have faster internet connections)

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  104. do you think asymmetry fell from the sky??? by janpod66 · · Score: 2

    With many modern broadband technologies, there is no technical reason for any asymmetry. In fact, you could even change the allocation dynamically. The reason for the existing asymmetry is simply that companies decided on that. It's probably part marketing ("there is no demand for anything else") and part deliberate long-term strategy ("we don't want end-users to create and distribute much content").

  105. Re:Not a huge surprise.. by norton_I · · Score: 2

    I already have. But they aren't scanning for port 80 servers, they are just filtering it at their routers. On the other hand, the arp storm that had been going on for the past 4 days died this morning.

  106. MediaOne blocks in the Twin Cities... by HongPong · · Score: 2
    A couple days ago AT&T (formerly MediaOne) blocked port 80 here in Mpls./St Paul. I instant messaged with a tech guy last night and he was less than friendly about it.. considering how I was in such a good mood. Also, somewhere along the line they fsck'ed up and blocked http://www.roadrunner.com from me. Some URL port filtering message came up, which wasn't cool because I couldn't remember the tech support email address. Here's some choice transcripts:

    Tech: What sort of problems are you having?
    Me: well, i'm running a Linux/Apache server which I know is immune... and I read on slashdot that you guys blocked off all port 80 incoming connections, so my server can't be reached by anyone, which annoys me and I'm wondering if there's any way to get things open again. i was just wondering if i could get unblocked.
    tech: At this time AT&T will continue to block the port until they can find a more permanent solution to the problem.
    Me: also, you should know that a lot of official mediaone sites are blocked as well
    Tech: Which ones?
    Me: example: www.roadrunner.com and its related sub-domains
    Tech: I will escalate the issue about blocking the sites. But as for the port blocking, we cannot unblock them as of now.
    Me: ugh... there's nothing in my User Agreement about port blocking... i'd suspect someone in a worse mood than me would get in your face about that
    Tech: Try looking at Section 10.9.
    I didn't have the user agreement on hand so I gave up. Just now I dug it out and I feel misled. Me: oh darn

    So I dug out this 10.9 thing which he speaks of. (My user agreement is structured differently than the one they have online) In any case, the agreement explicitly permits non-commercial use of servers as long as they don't mess things up. Section 10.9: You agree that AT&T and ServiceCo shall have the right to take any action that either AT&T Broadband or ServiceCo deems appropriate to protect the Road Runner service, its facilities and equipment. Frankly blocking my server isn't an action which protects the Road Runner facilities, service or equipment. In fact since my connection is a 2-way modem, it is harming the service. I understand the problems they are having, but a blanket blocking isn't the way to go on this. I have taken all appropriate security measures on my web server, and my service is being penalized by other users' failure to do so.

  107. Re:A simple go-around: by Corgha · · Score: 2

    What is happening is that your server is prepending the server name to the URL

    Actually, that's not the case, and I figured out that the problem was a BASE tag in the HEAD. Time to do a recursive grep.

    In any case, the point of my post was that "just change the port" is not as easy as it sounds, and there are a bunch of ways that it can cause problems.

    Additionally, since running a server is not against the TOS or AUP for AT&T customers (like me), and that's one of the reasons why I chose Mediaone service so long ago, I had (I think) a reasonable expectation that they would not suddenly and arbitrarily block a port without first changing the AUP or TOS, and that I should now have to jump through these hoops because of lusers running IIS is just silly. I know, I was foolish for thinking that I could rely upon a service provider with whom I had a contractual agreement. Silly me.

    So now I have to get DSL from Speakeasy (until Verizon pushes them out of business), which means a lot more money and waiting a few months for Verizon to twiddle their thumbs before they can do an install to an apartment less than 100 yards from the CO. In the meantime I have to set up a redirect service, which is another pain in my ass.

  108. Re:If you're in Eastern Mass. AT&T's lying by bill.sheehan · · Score: 2
    I'm not on AT&T. I deliberately went with Verizon DSL because they didn't care what I was doing with my bandwidth. There are no prohibitions against httpd, etc. in the Verizon AUP.

    What disturbs me most is not so much that they did it, but that they gave absolutely NO notification. I was beating up my server and firewall yesterday trying to figure out why I couldn't access my webserver from outside of my home LAN. Finally I got the bright idea that I was being blocked, and started checking around. Verizon's website has an announcements section, but there's nothing there about filtering http. Finally found a rather oblique reference on their system status page.

    It's no way to run an airline...

    I thought I'd read The Power of Positive Thinking, but what's the use...

  109. They should remain blocked by Anonymous Coward · · Score: 5, Insightful

    99% of cable modem and DSL subscribers do NOT need to run servers of any kind. By leaving them open across the board you open the door for this kind of worm to propagate across misconfigured systems where people have gone and accidentally installed IIS or even an unpatched UNIX box. Does that mean you shouldn't be allowed to run servers period? No! What should be required is for you to sign a consent statement that says you are responsible for any damage caused by attacks taking place from or to your machine and will pay any cleanup costs needed to deal with attacks against a server on your network. There should also be a formal risk assessment and penetration test conducted against your server setup to determine if it is indeed ready to be connected to the Internet. Too many people are putting these god damned buggy open machines on the Internet and then bitching about censorship when an ISP filters them. If people would take responsibility and make sure their systems are constantly updated it wouldn't be an issue, but most DON'T. And no, I'm not talking about the uber geek average Slashdot guy who upgrades their kernel every night to the latest version and has a cron job setup to do an apt-get update. I'm referring to Joe Average who installed his first Linux box to fiddle with or the guy who installs IIS during the Win2k install because it was there and he wants a full install of the OS. These people should not have full unfettered access to the Internet. You guys are starting to sound like the people I have to deal with who absolutely demand to have complete unfiltered access to the Internet so they can run whatever god awful program of the day they've come up with as a business requirement that is blocked by the firewall. Netmeeting anyone? Oh, you want to punch IPSec holes through the firewall? Uh huh.. no... FTP??? You want an FTP site on your desktop? Uhhh.. no.

  110. Re:Even if you did run a Web server... by loraksus · · Score: 2

    you're not in the backwards usa. I know people in BC that get 1.5mb up and down and 3 static ips for $40 a month. We get analy raped down here in the states.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  111. virus protection by Proud+Geek · · Score: 3, Insightful
    All they are doing is trying to eliminate the two latest and nastiest network viruses, sircam and code red. Sircam starts sending stuff on port 25, and code red works by receiving stuff on port 80. I thought people WANTED those two worms squished!

    And for anyone complaining, read your TOS first. As several other people have pointed out, it specifically prohibits running servers, and allows this in other ways as well. You're not guaranteed an unbreakable or complete Internet connection for your $35 a month.

    --

    Even Slashdot wants to hide some things

  112. Re:We haven't done this yet.. by TMB · · Score: 4, Insightful
    Which accomplishes NOTHING for the current situation. Blocking inbound port 80 to the infected is worthless - they are ALREADY infected. Blocking outbound port 80, which WOULD do some good, will also stop them from using a web browser, which is bound to piss them off.

    Sure it pisses them off. So they call you up and say "Why can't I access the web?". And you look up their ISP and say "Because your computer is infected with a worm that is taking up significant bandwidth and trying to infect other computers to do the same. If you fix that, we'll let you surf the web again."

    At least if they're pissed off, they'll go and get the fix so they can surf to their pr0n again.

    [TMB]

  113. Re:Taking business elsewhere - !@#$% by Billly+Gates · · Score: 2
    ". The idea of capitalism seems great, but it just doesn't work"

    Remember watching the television footage of the old Soviet Union right before it fell apart where you had to wait in line six hours for a loaf of bread?

    I will take capitalism anytime now thank you. Keep in mind where a monopoly exists there is no true capitalism but rather a monarchy or a dictatorship. A sign of an oligarchy, where everything is ruled by a few, is also unhealthy because in true capitalism a competitor can come in. This is why I hate most American libertarians, or anarchists as they call themselves in Europe. They believe the market is the one true god and oppose all government interaction. I believe it's the American government's fault for listening to lobbyists from the communication industry that are blocking competition and creating this so-called oligarchy, and libertarianism encourages this. By the way, it's the businesses' playground and they have a right to not let you play.

    In New York City where I live there are those who are taking matters in their own hands and sharing or renting out their own bandwidth and giving the finger to Timewarner and verizon.

    How hard can it be to crack into the internet backbone and have enough geeks volunteer to setup fiber and splitters to people's homes. Perhaps what we should do is collect money and see how much it will cost to have UUnet to let us in. If we can wire ourselves with fiber for one centralized hub, it may be only $12 a month plus we can have our own servers. The reason why commercial dsl lines are expensive is because only businesses use them and do not want to hack around like this but rather pay a telco company through the roof instead.

  114. Fix if you have apache by hey! · · Score: 2
    If you have access to another server running Apache, try this.

    (1) On the blacked out server, add the following directive to httpd.conf:

    Port 81

    This sets the port to 81, which is not blocked. Your users can't find you yet unless you tell them, so we need access to another server and to make some DNS changes.

    Suppose your old server was really "blah.mediaone.net", but you've been calling it "foo.mydomain.com". You also have access to some other server "bar.mydomain.com" at IP address "123.456.789.123".

    (2) Change your DNS to have a CNAME from "foo.mydomain.com" to "123.456.789.123".

    This means that people will be directed to the "bar.mydomain.com". Next we have to tell the bar.mydomain.com server to redirect people to "blah.mediaone.net:81".

    (3) On foo.mydomain.com, go to the httpd.conf file for Apache. Enter the following


    NameVirtualHost 123.456.789.123
    #the next is for our existing foo.mydomain.com service
    <VirtualHost 123.456.789.123>
    ServerName foo.mydomain.com
    DocumentRoot /whatever-it-was-before
    </VirtualHost>

    #Next we fix up the bar.mydomain.com service
    <VirtualHost 123.456.789.123>
    ServerName bar.mydomain.com
    # redirect everything to corresponding blah URI
    RedirectMatch permanent ^(.*) http://blah.mediaone.net:81$1
    </VirtualHost>


    Now, anytime somebody goes to an old URL such as "http://bar.mydomain.com/blech.html" they are redirected to "http://blah.mediaone.net:81/blech.html".

    Most things should be working but you need to fix up some things involving cookies that may not be properly sent to your broadband service.

    (4) [advisable] Find all places on your broadband hosted service where "foo.mydomain.com" is hard coded and change them to "blah.mediaone.net:81".

    There you go. URLs look a bit ugly in the browser but everything now works like status quo ante.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
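
    Added example (mine, not code from the comment above): a stand-alone Python redirector that does the job of the bar.mydomain.com VirtualHost in step (3), answering every request with a 301 to the same path and query string on the broadband box's port 81. The names blah.mediaone.net and port 81 are the placeholders from the comment; the server binds an ephemeral port on 127.0.0.1 so the redirect can be exercised offline with fetch_redirect.

```python
"""Added example, not from the comment above: a minimal HTTP front end that
plays the role of bar.mydomain.com, redirecting every request to the same
path on the broadband host's unblocked port.  TARGET_HOST/TARGET_PORT are
the placeholders used in the comment."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TARGET_HOST = "blah.mediaone.net"   # placeholder hostname from the comment
TARGET_PORT = 81                    # the unblocked port chosen in step (1)


def redirect_target(request_target, host=TARGET_HOST, port=TARGET_PORT):
    """Build the Location value: same path and query string, new host:port.
    This is what 'RedirectMatch permanent ^(.*) http://host:81$1' yields."""
    if not request_target.startswith("/"):
        request_target = "/" + request_target
    return f"http://{host}:{port}{request_target}"


class Redirector(BaseHTTPRequestHandler):
    """Answer every GET/HEAD with a 301 pointing at the broadband host."""

    def _redirect(self):
        # self.path carries the full request-target, including ?query
        self.send_response(301)
        self.send_header("Location", redirect_target(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _redirect
    do_HEAD = _redirect

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_redirector(bind="127.0.0.1", port=0):
    """Start the redirector in a daemon thread; port 0 picks a free port."""
    srv = HTTPServer((bind, port), Redirector)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_redirect(port, path):
    """Request `path` from the local redirector; return (status, Location)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start_redirector()
    port = srv.server_address[1]
    print(fetch_redirect(port, "/blech.html"))
    print(fetch_redirect(port, "/pics/a.jpg?size=big"))
    srv.shutdown()
    srv.server_close()
```

    Two caveats a practitioner should weigh before doing this for real: a 301 is cached by browsers, so once the provider unblocks port 80 the old hostname will keep bouncing visitors to :81 until their caches expire (a 302 is safer while the block is temporary); and because the browser ends up talking to a different hostname, any cookies scoped to foo.mydomain.com are simply not sent to blah.mediaone.net:81, which is the breakage step (4) is working around.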
  115. Re:Give me a break by Dyolf+Knip · · Score: 2
    From Bellsouth's DSL TOS:

    Customer must maintain Fast Access Service for at least 12 months from the Professional Installation date and pay all charges in connection therewith in a timely fashion.

    Well, goodie. Not only did I have to shell out for installation fees (mostly waived), but I'm stuck with whatever inanity they decide to pull for a full year. I really do want to get this particular part of the Agreement nixed.

    --
    Dyolf Knip
  116. Re:I've read my TOS and it sucks. by cyberdonny · · Score: 2
    > If 99.9% of all security problems are redhat, then the Code Red II worm is only 0.1%. So, you multiply the code red worms by 1000, that is the number of unsecured redhat boxes, clearly a realistic number.

    Good for us. Let's also assume that half of the Red Hat installations have a security problem (which, given Linux' security, is clearly an exaggeration). This would mean that we have at least (assuming 140000 Code Red boxes at the peak, according to Caida):
    140000*1000*2 = 280000000 Linux boxes out there!
    And that's even taking an extra-ordinarily high ratio of vulnerability. If we take a more realistic ratio of 1% of RHAT boxes being vulnerable, we get:
    140000*1000*100 = 14000000000 Linux boxen!
    Now how's that for popularity? These are more than people on earth (including Third World countries where most cannot even afford a computer...), and some have the gall to claim that Linux' market penetration is negligible!

  117. Re:Move to Canada by Malc · · Score: 2

    "If you run a server, I can't fault them for wanting you to purchase a business account."

    Why? What's so special about a server that warrants having a business account? Let me tell you, 3 hours of playing Quake 3 will consume more of my ISPs bandwidth than 3 months of the small number of hits on my personal web site. I don't need nor care for what a business account offers me.

    It sounds to me like you've already given in and are happy to let the ISPs make up the rules. Sorry, but I'm not. As a customer, I have the right to make demands for change if I don't like the service. Thankfully there is a small amount of competition for DSL in my area, and I see several acceptable alternatives if my ISP limits its service any further. I want to run servers and host my own domain, and I don't see why I should have to pay through the nose for the privilege.

    If running a server requires a business account, does that also apply to peer-to-peer software, where everybody is a server?

  118. CLEC giving out bogus IPs by Frank+T.+Lofaro+Jr. · · Score: 2

    Dynamic IPs are bad enough, but at least you are on the Internet when you have one.

    A non-routable IP means you are not actually on the Internet, just connected to a device that is. You can not receive incoming connections at all, which affects more than servers (e.g. FTP clients not in passive mode).

    Putting people on NAT by default seems extreme.

    How much more do you charge for a REAL dynamic IP? For a real static IP?

    --
    Just because it CAN be done, doesn't mean it should!
  119. Re:Read your TOS! by sharkey · · Score: 2
    Yep. That seems to directly contradict this prior section of the agreement:
    RESELL THE SERVICE OR OTHERWISE CHARGE OTHERS TO USE THE SERVICE, IN WHOLE OR IN PART, DIRECTLY OR INDIRECTLY, OR ON A BUNDLED OR UNUNBUNDLED BASIS. THE SERVICE IS TO BE USED SOLELY IN A PRIVATE RESIDENCE; LIVING QUARTERS IN A HOTEL, HOSPITAL, DORM, SORORITY OR FRATERNITY HOUSE, OR BOARDING HOUSE; OR THE RESIDENTIAL PORTION OF A PREMISES WHICH IS USED FOR BOTH BUSINESS AND RESIDENTIAL PURPOSES. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, THE SERVICE IS FOR PERSONAL AND NON-COMMERCIAL USE ONLY AND CUSTOMER AGREES NOT TO USE THE SERVICE FOR OPERATION AS AN INTERNET SERVICE PROVIDER, A SERVER SITE FOR FTP, TELNET, RLOGIN, E-MAIL HOSTING, "WEB HOSTING" OR OTHER SIMILAR APPLICATIONS, FOR ANY BUSINESS ENTERPRISE, OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL
    Don't you love a provider that feels the need to scream at you, when they can't even find the states they do business in on the map?

    Of course, dig into the agreement deeper, and it appears that the "Service" consists solely of the software they installed on your Windows PC or Mac. You could argue that since you are not using that software, you are not using the "Service" to run said servers, end-points, etc., but merely connecting to their network without using the "Service."

    Of course, IANAL.
    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  120. Re:Verizon DSL is NOT THAT EVIL by supz · · Score: 5, Informative
    Please forgive me if I don't make entirely too much sense right now, as I just woke up. (Yes I'm on the East Coast, Yes it's 2:29 AM, Yes I have insomnia)

    I noticed this happened around 5 am yesterday morning (Tuesday, August 7th). Well, I didn't notice it, I just tailed my apache logs and web requests seemed to stop coming in around that time. Nonetheless, I got into work that day and noticed I couldn't access my personal web page... NOTE: Personal, not commercial. I put pretty pictures, that I've taken with my digital camera, on it. I was however able to ssh into it and ftp into it.

    What was going on? I got scared for a second cause I thought perhaps they started enforcing some term of their service, but it wasn't until I got home and (not so thoroughly) skimmed through their TOS that I realized running a server was not against their TOS, as a matter of fact they worded it so JUST dialup users cannot run a "server of any kind", and it seemed to be fine for DSL users.

    So I call up Verizon, talk to a couple different people, none of which knew a single thing about anything. One tried to accuse me of violating the TOS, and I told them it said I'm allowed to run a server in it. She shut up immediately.

    Another told me that since I wasn't patched against code red, my internet service was being blocked. I told her I wasn't using a Microsoft operating system therefore I'm not affected by it, and even if I wanted to I wouldn't be able to apply the patch. She told me that because I didn't apply the patch, port 80 was being blocked. Again, I explained to her I wasn't running a Microsoft OS. In the end I think I explained it to her around 5 times... hopefully she knows a little more about computers now.

    Finally I got to some guy who was somewhat intelligent, although he did call Linux, L-EYE-NUCKS, he seemed to have some understanding of how to press buttons. I asked him why port 80 was being filtered, and he told me because Microsoft had recommended they block the port. (BTW, I totally agree with someone else that commented on this, who said that because of Microsoft building insecure web servers, we are paying. That is fuct) I asked him if there was anything they could do to unblock the port for me, like put me on another subnet and give me a static IP (I'm a sneaky bastard), or put some kind of flag on my account. He told me that for the time being there was no work around, however he would post a memo and suggest to their tech team they find a way around the port blocking for users who are patched, or not running a Microsoft OS. I asked how long the filtering would stay in place ... he told me it would only last for another couple hours. Right there I told him I didn't think that was true, but he insisted it would only last another hour or two, MAX... port 80 is still blocked.

    I just thought I'd contribute this tid bit. I have Verizon DSL in Northern New Jersey, in Essex County. Again, their TOS did not prohibit running a server, unless you are on a dial up. I would post it here, but there is also some clause in their TOS that prohibits reproducing it, so if some brave soul wants to post it below this, go right ahead =]

    I need to get a higher paying job so I can get a T1 and then just have to deal with UUnet fiber-optic cuts because of train wrecks.
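
    Added example (mine, not from the comment above): the check behind "I tailed my apache logs and requests stopped", done properly. It tallies an Apache common-log file by hour, reports the last request seen (roughly when the filter went in, if the box was still reachable over ssh), and pulls out the clients that were sending Code Red probes. The log lines are constructed; the /default.ida request-target is the worm's well-known signature, from my own knowledge rather than anything quoted on this page.

```python
"""Added example, not from any comment here: hourly tally of an Apache
access log plus a Code Red probe filter.  SAMPLE_LOG is constructed."""
import re
from collections import Counter
from datetime import datetime

# Common/combined log prefix: client ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Code Red / Code Red II probed every host with GET /default.ida?NNNN... or XXXX...
# Apache answers 404, so on a non-IIS box this is purely a scanning indicator.
CODE_RED_RE = re.compile(r"^/default\.ida(\?|$)", re.IGNORECASE)

# Constructed sample: ordinary traffic, two worm probes, nothing after ~05:00.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2001:03:12:41 -0400] "GET /index.html HTTP/1.0" 200 1234
10.0.0.7 - - [07/Aug/2001:03:45:02 -0400] "GET /pics/dsc0001.jpg HTTP/1.1" 200 88231
192.0.2.9 - - [07/Aug/2001:04:03:17 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0" 404 287
10.0.0.5 - - [07/Aug/2001:04:30:55 -0400] "GET /index.html HTTP/1.0" 304 -
198.51.100.4 - - [07/Aug/2001:04:51:08 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3=a HTTP/1.0" 404 287
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse all well-formed lines; silently skip anything else."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def requests_per_hour(text):
    """{'YYYY-MM-DD HH': count}. A bucket that drops to zero while the box is
    still up and reachable over ssh is the symptom described in the comment."""
    return dict(Counter(r["time"].strftime("%Y-%m-%d %H") for r in parse_log(text)))


def last_request(text):
    """Timestamp of the newest request, i.e. the upper bound on when inbound 80 stopped."""
    recs = parse_log(text)
    if not recs:
        return None
    return max(r["time"] for r in recs).strftime("%Y-%m-%d %H:%M:%S %z")


def code_red_sources(text):
    """Distinct client IPs that sent worm probes (infected IIS hosts upstream)."""
    return sorted({r["ip"] for r in parse_log(text) if CODE_RED_RE.match(r["target"])})


if __name__ == "__main__":
    for hour, n in sorted(requests_per_hour(SAMPLE_LOG).items()):
        print(f"{hour}:00  {n} requests")
    print("last request:", last_request(SAMPLE_LOG))
    print("Code Red probes from:", ", ".join(code_red_sources(SAMPLE_LOG)))
```

    Run it against a real access_log by replacing SAMPLE_LOG with the file's contents; the hour in which the count falls to zero while ssh still works is the filter going in, and the probe sources are the addresses the provider could have blocked individually instead of the whole port.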

  121. Re:We haven't done this yet.. by krogoth · · Score: 2, Insightful

    Here's an idea: people who ask can get ports unblocked for free. That way you protect the idiots without restricting the people who want to run a real server.

    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.
  122. Re:I'm on @Home and I'm not blocked by AaronW · · Score: 2

    @Home blocked SMB a couple of years ago at my end. I used to be able to see all of my neighbor's computers, some of which had enabled full sharing. I reported this problem to @Home several times, but they didn't care about this major security breach. They finally fixed it after several articles appeared describing the huge hole. I think IIS is a much bigger hole. IIS should be banned.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  123. Re:I've read my TOS and it sucks. by ZxCv · · Score: 2, Insightful

    Bupkis.

    99.9% of security issues come from companies that don't believe they are at risk. There are those running unpatched linux boxes at home. But compare that number to the number of companies with admins who either don't know any better or just don't care and it pales in comparison.

    If you think the AUPs are that strict for any other reason than marketing, then you don't know corporate america well enough.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  124. Verizon blocking ports by mschaffer · · Score: 2, Informative

    I wonder if Verizon is only blocking ports in certain areas. Recently, Verizon has just pulled the plug on incoming port 80 in my area. They are also blocking incoming port 21 and a few others around here since I started DSL service with them.

  125. Re:Verizon DSL is NOT THAT EVIL by Micah · · Score: 2

    > Yeah that'd be swell, blocking outgoing port 80.

    Then what would you use it for.... gopher?

  126. Re:Leased Line by tshak · · Score: 2

    Ok, now we have a shared T1, for 25 people (who I'm assuming will all be geeks, and will be downloading stuff late at night...) Assume a T1 can get maybe 160k/s throughput (you can't get 100% util on a T1 w/o severe latency problems), you get 6.4k/s.

    Oh give me a break. We run a 40 person office on a 256k (small 'k', your 'k' should be a 'K') frame relay (768 burst... have yet to see it) with a tier 2-N provider (I swear we are about 10 hops away from any POP) and for the most part bandwidth is NOT a problem - even with people streaming "Internet radio" etc. all day long. 25 people sharing a T1 != 25 concurrent downloads of high-rez Natalie Portman pictures.

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  127. Re:I've read my TOS and it sucks. by figment · · Score: 3, Informative
    > If anyone can explain a good reason for banning
    > servers rather than limiting data volumes, I'm
    > all ears.

    Because 99.9% of security issues comes from someone running an unpatched redhat box at home.

    This is not something tier1 tech support can handle; a real sysadmin has to look at it, figure out where it's coming from, and figure out what is going on. That costs money. Say it took collectively 30 mins of people's time to figure it out; already that has cost more than what you've paid for this month's service.

    The AUP would not be this stupid or strict if these things weren't a real problem. But they are. Until people (not necessarily you), get the brains to keep their computer up to date and know what's going on, the ISPs will have to keep these stupid provisions just to protect their ass.

  128. Re:Servers were never allowed out on cable by Mike+Hicks · · Score: 2

    I do wonder, though.. Where exactly are they blocking access? At every single router in their networks? I somehow doubt that.. I suspect there'll still be plenty of internal traffic (but I could be wrong..)

  129. Re:We haven't done this yet.. by Cato · · Score: 2

    Unfortunately true - ideally you could just block the customers with infected IIS servers, but that might require router access control lists with a large set of IP addresses. It all depends on how many customers are infected, vs. how many run web servers (intentionally). Altogether, it might be best to mail all customers to notify them of port 80 blocking, and invite them to email you for unblocking if they need it unblocked - this will protect future customers who are clueless enough to have IIS running without realising (typically small businesses with Windows NT/2000 server).

  130. Re:SSL anyone? by Old+Wolf · · Score: 2

    Well, on their website they say that their certificates are only supported by Internet Explorer 5.01 and higher. I think this would explain your problem.

  131. Re:People are becoming consumers, not content crea by Sc00ter · · Score: 2
    You're a moron. This was totally for Code Red. I used to work for M1, I know people that still work for AT&T. It's temporary, it's not against their AUP, in fact in their cable modem leasing agreement they say it's okay to run a web server. But they won't support it.

    Go to slashduh, there's a big story on there about it with details and links to their policies.

  132. Re:Clause? by pongo000 · · Score: 2

    I've often wondered what, exactly, do the words "in connection with" mean? How far into your internal LAN do the tendrils of @Home extend? If I'm behind a firewall, and I'm simply shuttling packets across the firewall to a web server, can my web server, which isn't connected directly to @Home, be considered "connected with" the service?

  133. Re:Move to Canada by SirGeek · · Score: 2
    Because somewhere buried in your TOS (that you MUST have signed) you agreed NOT to run any servers...

    If you run a server, I can't fault them for wanting you to purchase a business account.

  134. Re:Verizon DSL is NOT THAT EVIL by jspaleta · · Score: 2

    That would be more work than just a straight port block. Hopefully Verizon is working on some type of filtering solution to replace across the board port block....hopefully. -jef

  135. Re:Read your TOS! by cyberdonny · · Score: 2
    > If you want to run your own "mini NOC", then pony up the cash and get ISDN,

    Hey, cable (and DSL) is way faster than ISDN. So do you mean I have to choose between fast connectivity and non-anal service, but can't have both?

    > T1, or something faster put into your basement.

    Yeah, pony up the cash, indeed.

  136. No blocking yet by Heem · · Score: 2, Interesting

    I'm on @home and as far as I can tell port 80 is not yet blocked... I wonder for how long they will block the port and what clause in their contract they will hide behind?

    --
    Don't Tread on Me
    1. Re:No blocking yet by natet · · Score: 4, Insightful
      Hello, read your contract. @home does not allow their residential customers to run webservers anyway.

      From their service agreement.

      AT&T Broadband does not allow servers to be connected to the cable modem. This means that no computer in a personal network can be used as a server.

      Hmmm, sounds like a pretty good clause to hide behind, eh?

      --
      IANAL... But I play one on /.
    2. Re:No blocking yet by icewalker · · Score: 2, Informative

      Too bad when Windows XP comes out, every PC running it will be a server! I guess @Home will just have to outlaw Windows XP as well.

      My nice apache server just keeps on hummin!

      Obtaining Perfection isn't Perfect!

      --
      The truth is usually just an excuse for lack of imagination.
  137. so what by FreakBoy · · Score: 2, Insightful

    what will this do?
    @home users can still infect other @home users, along with the rest of the net.

  138. We haven't done this yet.. by BiggestPOS · · Score: 3, Insightful
    But considering the average level of intelligence of our customers is close to NIL, I really think we should. We get a lot of emails, and calls from people who have detected attacks from our Customers, and we call the customers, and they are just like, "Wha?"

    It's great. So instead we just let the network FLOOD. But good thing we aren't blocking port 80, that would SCREW over like what, .1% of our customers?

    --
    What, me worry?
    1. Re:We haven't done this yet.. by Heem · · Score: 2, Interesting

      It comes down to.. The people that know how to use their computers get fucked over by those who don't. Add the word AGAIN to that phrase. And if we want to get on a network where we and our peers know what we are doing, we have to pay out the ass. I liked it better when it took some BRAINS to use a computer, it wasn't cool to be a geek, and everyone I know wasn't calling me every 10 minutes to fix their damn computer.

      --
      Don't Tread on Me
    2. Re:We haven't done this yet.. by Daffy+Duck · · Score: 4, Insightful
      Yeah, back when it was just geeks on the net, things were so much better. No AOLusers clogging up Usenet and we had all this broadband access to ourselves.

      Oh wait, there *was* no broadband access until all these losers showed up. Must just be a coincidence.

    3. Re:We haven't done this yet.. by eap · · Score: 2

      This is perhaps the best idea I've heard on /. all day. I guess the only problem would be that by agreeing to allow port 80 traffic to your machine, AT&T would be explicitly allowing you to run a web server, and this would cause them problems later if they wanted to deny port 80 traffic. It's a position they are not likely to put themselves in.

      However, I strongly encourage everyone affected by this to call and complain to AT&T. Threaten to switch to another provider, or even go back to dialup.

      Their number is: 1-888-824-8152

  139. Clause? by DiveX · · Score: 5, Insightful

    The hide behind clause will most likely be the one that says 'you may not run a server in connection with the @Home residential service'. http://home.com/support/aup/

    --
    Cave, wreck, and deep diver.
    1. Re:Clause? by The+Famous+Brett+Wat · · Score: 2
      The @Home service to which I subscribe does indeed have this restriction, but they never did define what a "server" is. In order to use the service, you need to have a DHCP client, and the DHCP client listens on UDP port 68 for DHCP server requests. If a server is defined as "software which listens on a TCP or UDP port for incoming connections or packets and generates responses to those requests", then both the DHCP client and the DHCP server are "servers".

      Perhaps they mean "servers" in a less formal sense, like "mail servers" and "web servers". That definition still allows various "peer to peer" software which is simultaneously client and server. On the other hand, maybe they do mean servers in a formal sense, but the DHCP client is implicitly excepted from this rule because they mandate its use.

      Whatever the case, it's a rule that pisses me off because my servers are always more reliable than their servers, and I hate being forced to pay for service that's worse than self service.

      --
      proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
  140. Quite common already by SnapperHead · · Score: 5, Insightful

    Actually, cable and DSL providers have already been blocking port 80 (and most lower ports) for months. I am a Charter cable customer. When I first signed up, all ports below ~1500 were blocked. (With the exception of 53, 113, and a few others) Customers were forced to use their proxy server. Even outbound port 80 was blocked.

    After complaining for 4 months about it, and many phone calls to their head techs and managers, I finally won. I proved to them why blocking all of those ports was insaine. I simply wanted to run NTP on my machine. (Well, my entire LAN, but they didn't know anything about that :) Which requires 123/UDP.

    As the months went on, more and more ports started opening. One thing that they have realized is that people will run servers regardless. People who abuse it (setting up high traffic sites) will be shut off. Personally, I think it's insaine. I should have the right to run a personal site, as long as it doesn't get out of hand. If it did get to that point, I wouldn't be hosting on cable.

    So, they blocked the ports. I wonder how long it will stay. I would be very careful, they may use this as an excuse to keep the ports blocked.

    Working with the large companies is difficult, trying to convince them that they should unblock them. I can kind of understand their position. But, then again, it kind of upsets me.

    --
    until (succeed) try { again(); }
    1. Re:Quite common already by calags · · Score: 2, Funny

      First time I read it I thought he meant to write asinine which in this context means the same thing :)

      --
      Never attribute to stupidity what can be construed as a monopoly preservation tactic.
  141. Verizon DSL is NOT THAT EVIL by Deadbolt · · Score: 4, Informative

    Verizon *DOES NOT BLOCK* outgoing port 25 *OR* port 80! I've been running my own mail server off the standard DSL offering, $40 a month, for almost a month now and never one hint of problems. I can send mail anywhere. I can telnet to port 25 on any Internet-accessible mail server.

    And correct me if I'm wrong, but if Verizon blocks outgoing port 80, wouldn't that put a bit of a dent in most popular web browsers?

    For the love of God, try to be a little accurate! There are plenty of real problems to bitch about!

    --
    "Honey, it's not working out; I think we should make our relationship open-source."
    1. Re:Verizon DSL is NOT THAT EVIL by Bullschmidt · · Score: 2

      Same experience here.. although I don't run the web server. I *JUST* tested my email server.. works fine!

      --
      "Of all days, the day on which one has not laughed is the most surely the one wasted." -Sebastian Roch Nicol
    2. Re:Verizon DSL is NOT THAT EVIL by Dutchie · · Score: 4, Funny

      He said 'incoming port 80'. Yeah that'd be swell, blocking outgoing port 80.

      --
      • Imagination is more important than knowledge.

        • -- Albert Einstein
    3. Re:Verizon DSL is NOT THAT EVIL by jspaleta · · Score: 3, Informative
      The top of this thread needs to be modded up to 5. I've had Verizon since last October, and I'm running a web server and smtp server just fine off my LAN. I've nmapped myself from outside Verizon and they don't seem to be blocking any ports.

      I just re-read the Verizon TOS. And in attachment B, there is a clause that explicitly states that DIAL-UP users can not run servers, and that DSL users are exempt. Attachment B-3q is the clause.

      My reading of the Verizon TOS, which covers Dial-up and DSL users, indicates that DSL users can do whatever they want with the bandwidth they have, as long as what they do doesn't interfere with network operations and is not illegal. So if you had a Code-Red infected server...they could shut off yer whole account to prevent network degradation.

      I think someone is confusing Verizon's statement restricting use of their mail servers to email that includes a valid verizon.net account in the From header to mean blocking smtp ports... Totally inaccurate.

      1) Verizon is not blocking web servers
      2) Verizon is not blocking smtp servers
      3) Verizon isn't blocking any ports as far as I can tell
      4) Verizon IS preventing spam from being generated from their mail servers by requiring every piece of mail sent from their smtp servers to have a valid userid@verizon.net.
      5) Verizon will shut down DSL accounts on a case by case basis if your computer account is being used to degrade overall network service (ie you are a spam or virus factory, and Verizon can trace the network congestion back to you)
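
      Added example (mine, not code from the comment above): the "nmap myself from outside" check as a small TCP probe you can run from a shell account or a friend's box on another provider. Its point is the verdict split: a port that answers with RST is "closed" (your packets reach the host, so nothing upstream is filtering), while a port that never answers is "filtered", which is what a provider ACL that drops inbound SYNs looks like from outside. The hostname in the __main__ block is a placeholder; the two local-listener helpers exist only so the probe can be exercised offline.

```python
"""Added example, not part of any comment on this page: classify a TCP port
as open / closed / filtered from the prober's point of view, to tell a
provider-side block apart from a server that is simply down."""
import socket


def probe(host, port, timeout=3.0):
    """Classify one TCP port as seen from this host.

    'open'        : handshake completed, something is listening.
    'closed'      : RST came back, so packets reach the host; no filter in the path.
    'filtered'    : no answer before the timeout, the signature of an ACL that
                    silently drops inbound SYNs (what a port 80 block looks like).
    'unreachable' : ICMP/route failure, not a port-level verdict.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def probe_ports(host, ports, timeout=3.0):
    """Probe several ports; a result like {22: 'open', 80: 'filtered', 81: 'open'}
    is the pattern of a provider blocking inbound 80 while the box itself is fine."""
    return {p: probe(host, p, timeout) for p in ports}


def open_listener():
    """Bind a throwaway listener on 127.0.0.1 (offline check). Returns (sock, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def free_port():
    """Pick a loopback port nothing is listening on right now (offline check)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    # Placeholder target; pass your own public hostname or IP as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "blah.mediaone.net"
    for port, verdict in probe_ports(host, [22, 80, 81]).items():
        print(f"{host}:{port:<5} {verdict}")
```

      Run it from outside your provider's network; from inside, the probe never crosses the filtering router and will report "open" for a port the rest of the Internet cannot reach.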

  142. Speakeasy! by Evil+MarNuke · · Score: 4, Informative
    If you want to host servers at home there is only one real choice out there, and that's SpeakEasy. Oh, don't take my word for it, read the Terms of Service. It says:
    Personal Web Page Restrictions:

    We believe in the right of the individual to publish information that they feel is important to the world via the Internet. Unlike many ISPs we do allow you to run a server (web, mail, etc.) over your DSL line.

    Enough said.

    --
    The journey is better than the end.
    1. Re:Speakeasy! by Velox_SwiftFox · · Score: 2
      Megapath - expensiveish, if you compare to the crap you get from others - issues static IPs - and will sell you extra ones - and doesn't hassle about servers. They assume you are connecting a LAN on your end, not just a Windows box.

      No complaints here about anything from them, except when they scared me at first by only promising a connection in 5 weeks - but put it in in six days instead. Since part of this involved waiting for PacBell to connect, I guess they didn't want to promise anything they couldn't be sure to supply because of the third party's involvement.

  143. Not a huge surprise.. by James_G · · Score: 3, Insightful
    To be fair, @Home have always said that their residential customers should not run servers of any kind - this has always been their policy and up until now, they've basically turned a blind eye (At least, they never complained when I ran servers on my cable modem connection).

    Now they're doing the sensible thing to contain potentially hundreds of thousands of machines running IIS (Mostly run by people who probably have no idea about worms and the like anyway - even if they knew they were running a web server in the first place).

    Seems pretty sensible to me, although my DSL ISP has no problems with me running servers, so I'm happy either way..

    1. Re:Not a huge surprise.. by norton_I · · Score: 2

      Given that Windows * is basically always a "server", I choose to interpret "servers" as "public servers". I use ssh, ftp, and HTTP for personal use only, and I am going to be really upset if/when they block my port. ATT@Home already has machines that routinely scan for news servers (authorized-scan1.security.home.net -- I love portsentry). They could easily scan for codered infected machines as well.

    2. Re:Not a huge surprise.. by Detritus · · Score: 2
      VisualStudio does not install IIS.

      I did a full installation of Visual Studio 6.0 on a Windows 2000 Workstation system and it did install IIS. I believe it was the installer for Visual InterDev 6.0 that installed a bunch of server-type software on the system.

      --
      Mea navis aericumbens anguillis abundat
  144. It would mean them having to do real work by Anonymous Coward · · Score: 3, Insightful

    It would mean them having to do real work shutting down accounts of those who are not smart enough to run a 1-month-old patch on their systems. It makes me angry, because if there was another option for a high speed connection, I would have done it a long time ago. All day I have received calls from clients wondering if my dev machine dropped off the web. I called ATT and what they actually said was "when we installed the service, we set up with NT Based systems because it was the fastest way to get it working, not because it was the most secure", then the tech followed with "all of our servers have viruses". I'm not sure but it sounded like she wasn't too happy with her job..

  145. This really appears to be... by Mhrmnhrm · · Score: 2

    Curing the disease by killing the patient. If I read their statement correctly, AT&T recognizes that the problem is unpatched IIS servers. But they've decided that because this is such a problem (Which I as a lowly dialup user haven't even noticed yet) that it merits shutting down all customer's ability to run webservers, even though they also recognize that most people run Win 9x. The legal basis is contained within their user agreement as a clause basically saying "you can't do anything that will mess up someone else's usage of the service", which really is pretty common.

    Their "virus removal" instructions also seem flawed... why would I want to reconnect to the internet *before* the final reboot? Granted, not being connected during the early boot phase makes things take longer, but it will also make sure you can't be reinfected before the patch is fully applied.

    --
    I suspect that one of these choices is incorrect. Correct.
  146. Read your TOS! by SClitheroe · · Score: 5, Insightful

    Seriously people... Most, if not all, broadband providers prohibit running servers from home accounts (it's definitely that way for @Home users, even if they do generally turn a blind eye to small time web servers). They generally also have some sort of clause which basically doesn't guarantee unlimited or uncontrolled inbound or outbound access. For that matter, most broadband (and thinband) providers provide a clause which basically exempts them from any sort of service level agreement.

    Signing on with a domestic oriented ISP means that you are essentially "users" on their network. Blocking inbound port 80 access is a good starting point for at least protecting their internal network segments. If you were running what is essentially a DHCP/DNS/proxy service for thousands of users, wouldn't you at least take this step to protect the integrity of your network?? (I admit it doesn't begin to solve all the problems, but...)

    If you want to run your own "mini NOC", then pony up the cash and get ISDN, a T1, or something faster put into your basement. But if you are subscribing to a consumer grade ISP's offerings, don't be surprised when this happens. And especially don't start with the geek indignation, because consumer broadband is not meant, nor sold, under the pretense of running home servers.

    1. Re:Read your TOS! by Atzanteol · · Score: 2, Interesting

      Not necessarily... When I originally signed up with MediaOne, I asked about running servers. They were fine with it, so long as I didn't interfere significantly with the other users.

      I think this is just a way ATT can claim to be 'proactive on security'...

      This sickens me..

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    2. Re:Read your TOS! by almeida · · Score: 5, Informative
    3. Re:Read your TOS! by StarTux · · Score: 5, Informative

      I'll test this "filtering" in a couple of days (DNS updates going on).

      If you read the link Slashdot kindly provided for you you will notice this:

      Looks as though they updated that part about servers, all I could find was this:

      " (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer. "

      So they do not mind you running the services, just that you are responsible for your security.

      For reference:
      http://help.broadband.att.com/faq.jsp?content_id=792&category_id=54

      http://help.broadband.att.com/subagreelease.jsp

      StarTux

    4. Re:Read your TOS! by meldroc · · Score: 2
      They can do whatever they want, and if you don't like it you can look at the competitors (which in this case would be one of the many teetering on the edge of bankruptcy DSL providers).

      What competitors? For myself and many others, @Home is the only game in town. I'm not in DSL range, and I only have one cable provider I can use, the local monopoly. I can't just tell them to fuck off and go do business elsewhere. There is no elsewhere. Thus, the monopoly has a special responsibility not to abuse their power, which they don't take seriously.

      --

      Meldroc, Waster of Electrons
    5. Re:Read your TOS! by singularity · · Score: 2

      What should happen is that any ISP that refuses to carry traffic on port 80 should then provide 5 or 10 megs of web hosting space.

      I think that there are several broadband carriers out there than do just that.

      --
      - (c) 2018 Hank Zimmerman
  147. Why not force a download of the patch? by Omerna · · Score: 2

    Make people download a patch to be able to run a server. Easy. Just make them go to a page that will let them say "Yes, I've downloaded the patch" with a copy of the patch next to the button so it's easy to do it.

    --


    No sig for you.
    1. Re:Why not force a download of the patch? by meldroc · · Score: 2

      C'mon, it's not that hard to write a script to detect Code Red packets and cut off their service. Cutting off their service is as simple as setting dhcpd (or whatever DHCP server they use) to refuse to lease an IP address to the infected customer's MAC address.

      --

      Meldroc, Waster of Electrons
  148. Not in Hampton VA. by QwkHyenA · · Score: 2, Informative
    Cox hasn't filtered port 80 here yet. Just ran port detective, and it's still open here... As well as port 25.

    --
    LFS. Have you built your system today?
    1. Re:Not in Hampton VA. by interiot · · Score: 2

      Same here. Not yet on Excite@Home. Code Red is still attacking once every four minutes, so it should be easy to passively tell almost exactly when port 80 service is cut off.

  149. Leased Line by trolebus · · Score: 2, Interesting
    This is getting out of hand. Does anyone know what a leased line costs?

    This is an idea I had:
    A group of people get together and purchase a leased line, run it into someone's home and then put everyone else on a little ethernet network. Granted I don't know how much one costs but I figure at around $40 a month a group of about 20-30 should be able to get something way faster than DSL/Cable and without the bullshit. I see three main problems.

    1. Security: Everyone has to protect their PC; a packet filtering router should do the trick but it's an added expense. Additionally the security on the leased line has to be good.

    2. People: Finding enough people that live such that we can lay all the cable we need without going on city land. This could be the real challenge. I suppose we could hop across holes in the network with 802.11b but that would be slower and less secure.

    3. Time: What happens when the network / connection goes down? Either we set up some sort of rotation or we need an admin to fix stuff, and that can be expensive.

    Other issues are things like getting IPs (we could use a DHCP server but it would be better to all have our own IP).

    Lots of challenges but it could be cool. Has anyone done something like this or has a suggestion on how it could be done better? I get closer and closer especially with crap like this.

  150. Servers were never allowed out on cable by isdnip · · Score: 5, Informative

    The @Home customer agreements never allowed servers, particularly web servers. There's a valid technical reason, too: Cable bandwidth is asymmetric. There's typically a downstream pool of about 27 Mbps (depending on settings) shared among all users, while the upstream pool is more often in the 2 Mbps or less range. This comes about because upstream has to fit into the narrow patches of usable spectrum below 40 MHz, while downstream just fits among the TV channels between 50 and 750 MHz.

    So stick a server out there, get Slashdotted (or even just get mildly popular), and the upstream bandwidth is wiped out for your whole neighborhood (technically, the area of your optical conversion node and CMTS channel). This is a big risk, so the cable companies don't take it. Instead, they do give you some free hosting space at their data centers.

    VeriZontal has no such excuse -- ADSL has little upstream bandwidth (they typically provision only 90 kbps) but it's your very own, and they end up with a huge surplus of upstream bandwidth at the back of the DSLAM, where all of the traffic is aggregated. It's downstream that can congest easily. They're just being shmucks as usual. But if their customer agreement doesn't allow servers, then that's the deal -- commercial-grade DSL services allow servers.

    The real problem they're addressing (even VZ) is Code Red II. Web servers that get infected will probe their own networks like crazy looking for others to infect. This creates congestion. So shutting off port 80 stops the worm. Crude but effective. See the recent LinuxPlanet column about Charter for how a cable company won't admit that its infected servers are causing huge congestion. The author suggests blocking port 80!

    1. Re:Servers were never allowed out on cable by almeida · · Score: 2, Informative

      From: http://help.broadband.att.com/subagreelease.jsp (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

  151. The end of a state of denial by Senor+Wences · · Score: 2, Interesting

    I'm surprised it has taken AT&T and Excite so long to block port 80. In the agreement each subscriber must sign when she or he enrolls for the service the cable cos. explicitly state that you are forbidden to run a web server on their lines. But from the number of cable carracho servers I have seen, as well as other web servers running from cable, it is clear that many users simply ignore this rule. Granted, many people running Win2K or NT and IIS might not realize the service is running, their computer is infected, they are part of the problem. So it makes sense that in an effort to contain this worm the providers would block port 80. It's just weird that, in light of their stated policy, they have thus far allowed for people to run web servers, etc., on port 80, ignoring the users' abuse of the service just as the users have ignored the rule. All it took was a few careless individuals running unpatched software that shouldn't have had such a nasty exploit in the first place to ruin this wonderful state of denial between the cable cos. and people who want to run a web server on their nice, zippy cable connections. I suppose that's what port 8080 is for....

    --
    End of Line
    1. Re:The end of a state of denial by Kazimira · · Score: 5, Informative

      Granted, many people running Win2K or NT and IIS might not realize the service is running, their computer is infected, they are part of the problem.

      This is what we've run into at my company.
      What our security team did was scan for infected IIS servers and shut down those specific customers.
      We then contacted them and informed them to patch immediately once we turned them back on. We also warned them that we would scan again that evening and would not hesitate at shutting them down a second time.
      About 50% of those contacted had no clue they even had IIS running. This made it very frustrating.
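Both the "script to detect Code Red packets and cut off their service" idea in comment 147.1 and the scan-and-shut-down routine described in this reply come down to the same two steps: spot the probes, then pull the customer's lease. The following is an added example, not code from either poster or from any ISP, written against constructed Apache-style log lines and a constructed IP-to-MAC lease table; it uses the `/default.ida?NNN…` (Code Red) and `/default.ida?XXX…` (Code Red II) request shape and emits ISC dhcpd `host` blocks with `deny booting`.

```python
"""Added example (not from the thread): flag Code Red probes in web-server logs,
then emit ISC dhcpd host entries that refuse a lease to the infected customers'
MAC addresses, the shutoff the posts above describe."""
import re
from collections import defaultdict

# Code Red v1/v2 request /default.ida? followed by a long run of 'N';
# Code Red II sends a run of 'X'.  Twenty or more of either is the marker here.
PROBE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"GET /default\.ida\?(?P<fill>N{20,}|X{20,})'
)

# Constructed combined-format log lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 1234
198.51.100.7 - - [05/Aug/2001:10:00:03 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 280
203.0.113.44 - - [05/Aug/2001:10:00:04 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 280
192.0.2.10 - - [05/Aug/2001:10:04:05 -0400] "GET /style.css HTTP/1.1" 200 512
198.51.100.7 - - [05/Aug/2001:10:04:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 280
"""

# Constructed IP-to-MAC lease table (an ISP would read this from dhcpd.leases).
SAMPLE_LEASES = {
    "192.0.2.10": "00:00:5e:00:53:01",
    "198.51.100.7": "00:00:5e:00:53:07",
    "203.0.113.44": "00:00:5e:00:53:2c",
}


def find_probes(log_text):
    """Return {ip: {"variant": name, "hits": count}} for every source that probed."""
    hits = defaultdict(lambda: {"variant": None, "hits": 0})
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if not m:
            continue
        entry = hits[m.group("ip")]
        entry["variant"] = "Code Red II" if m.group("fill")[0] == "X" else "Code Red"
        entry["hits"] += 1
    return dict(hits)


def deny_hosts(infected, leases):
    """Render one dhcpd host block per infected IP we can map to a MAC.
    'deny booting' inside a host declaration makes dhcpd ignore that client."""
    blocks = []
    for ip in sorted(infected):
        mac = leases.get(ip)
        if mac is None:
            continue  # no current lease: nothing to pin the block to
        info = infected[ip]
        blocks.append(
            f"host codered-{ip.replace('.', '-')} {{\n"
            f"    # {info['variant']}: {info['hits']} probe(s) seen\n"
            f"    hardware ethernet {mac};\n"
            f"    deny booting;\n"
            f"}}"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for ip, info in sorted(found.items()):
        print(f"{ip}: {info['variant']} ({info['hits']} probe(s))")
    print(deny_hosts(found, SAMPLE_LEASES))
```

The generated blocks are meant to be included from dhcpd.conf; once the customer patches, removing the block and restarting dhcpd restores the lease, which is the "turned them back on" step in the reply.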

  152. No sympathy by fremen · · Score: 2

    I really don't have the least bit of sympathy for anyone who has been hit with this. You agree to a contract that describes the terms of your service. That contract almost certainly says that running servers is prohibited, but up until now most ISPs were happy to look the other way for the occasional server that didn't waste their bandwidth. Now a massive bandwidth-hogging, server-infecting, people-irritating web worm has appeared, and it has been revealed that the average server operator has no clue about computer security. They have a choice: let their customers be potentially vulnerable to a backdoor insertion while a worm goes willy-nilly sucking down bandwidth, or ignore it and hope that nobody complains. Keep in mind, the majority of home internet users don't run servers. They just want fast access to the web and their e-mail. Disabling your virus-infested server is no sweat off their backs; it just improves their quality of service.

    They've had the authority to kill server access and now they've done it. They did it with what was probably a good reason, and anybody who has paid any attention realizes that they've had the power to do this for a long time. Count yourself lucky that you got a free server connection for this long.

    And, if it really bothers you, get a dedicated server connection with guaranteed connectivity. There's a reason that those connections cost more, and it's all about connection and service guarantees.

    Finally, please don't complain that you're running Apache and therefore you should be exempt. Show me one ISP that would bother checking HTTP headers and I'll show you one can of worms that you really don't want to touch with a ten foot pole.

  153. imagine if other utilities did this by Dr.+Awktagon · · Score: 5, Insightful

    Imagine if the phone company checked your lines for "business use" and shut you down unless you got a business contract.

    Or how about the power company, charging you differently depending on how you use the power, and limiting you to, say, 10 amps peak if you don't have a business contract.

    I wonder if it isn't appropriate to have a little (eek) government regulation when it comes to these things? Like not blocking any ports for any customer unless it is clearly marked in advertising or something?

    I always wonder when my ISP will decide, for the good of all customers, to shut down this or that port or filter or monitor traffic. They'll probably not even notify me, they'll just update the terms of service buried in their web page someplace.

    1. Re:imagine if other utilities did this by Ronin+Developer · · Score: 4, Insightful
      Imagine if the phone company checked your lines for "business use" and shut you down unless you got a business contract.

      They have done so for many years with regard to digital service. To residential customers, a phone line is sufficient if it passes voice. If you managed to get over a 300 baud connection, consider yourself lucky and don't complain if bandwidth sucks or you have drop offs.

      However, if you want higher bandwidth or guarantees, then you are supposed to order a data grade line (which is usually a business line). In fact, they tell you in their service agreement that if they detect business use of the line, they will charge you more for it.

      Telephone service is not a right but a privilege to those willing to pay for use of the network. Same thing goes for most residential services like @Home. It is their network. You agree to their terms of service prior to them turning the service on. If you want to go outside the bounds of that agreement, then you are expected to pony up and purchase the appropriate service.

      There is nothing wrong with them enforcing the terms of their agreement. If you don't like their actions or policies, then take your business elsewhere. However, these actions are being taken to protect their customers from others as well as themselves through their own incompetence and negligence.

      The warning signs were plastered everywhere, remedies were posted in accessible locations, and these people did nothing to protect themselves. Now, they complain because their systems have been compromised. Oops.

      Or how about the power company, charging you differently depending on how you use the power, and limiting you to, say, 10 amps peak if you don't have a business contract.

      They can and do. Power companies routinely offer reduced rates for certain customers willing to meet certain guidelines. An example might be reduced rates for home owners willing to curtail power consumption during peak hours. They provide power real cheap so you can run your refrigerator and other minimal services (like keeping your house at 60 degrees). If you use the added circuits outside the conditions imposed on the line, they will either charge you a fortune or cut you off from the special deal altogether. It's not rocket science.

  154. People are becoming consumers, not content creater by Kiwi · · Score: 5, Insightful
    I can understand the thinking behind this move. The sort of people who make a decision are thinking in terms of traditional big media thinking, which goes like this:

    The average American is a mere couch potato to which the corporations feed information, the same way the inhabitants of Huxley's Brave New World were fed soma. The average consumer has nothing to say unless what they have to say is under corporate control. While people running web servers were tolerated when what they did was not attracting the attention of the corporate suits, they are being cut off by those who feel that people really shouldn't be running personal web servers.

    I am also annoyed that, while Apache and other UNIX web servers are able to make a web server without countless remote root exploits, all UNIX users on these cable modems suffer because Microsoft did not make a secure web server.

    Thankfully, this is easy enough to work around. E.G:

    http://24.x.x.x:8080/whatever.html

    - Sam

    --

    The secret to enjoying Slashdot is to realize that it should not be taken too seriously.

  155. Necessary? by J'raxis · · Score: 2
    I don't know about this. Yes, it's going to piss off a lot of people; however, I think it was somewhat necessary. I have *.mediaone.net, and with the combination of port 80 scans and ARP broadcast packet storms, my modem was receiving between 10 and 30 packets per second nonstop for two days. I can't even imagine how much bandwidth that adds up to over the whole network.

    Oh, and: any halfway decent webserver allows you to run on another port; they're only blocking port 80, not HTTP traffic in general (is that even possible?). You already have a shitty-looking address: h1290736218736078216472164230187467.mediaone.net; what's wrong with adding an :81? ;)

    I also think the cable company was probably quite pissed off over the Code Red hit; their AUP specifically prohibits servers, and here are hundreds of machines all running IIS webservers and making themselves quite visible.

  156. Road Runner by chill · · Score: 4, Informative

    While Road Runner isn't blocking (my cable modem light is still going nuts even when my computer is off); it is part of their Terms of Agreement: no e-mail servers, no web servers, no port scans.

    If you want to run an e-mail or web server, get a business line ($295/month w/1 IP; $325/month w/5 IP).

    However, they have been turning a REAL BLIND EYE to all of the above. I get port scanned daily and it looks like 30%+ of the machines on my subnet are running a web or mail server. (According to my *cough* port scan *cough* of the subnet.)

    --
    Learning HOW to think is more important than learning WHAT to think.
  157. Even if you did run a Web server... by antdude · · Score: 2

    Why would anyone want to do with a 128k upload cap (assuming @Home cable modem service)? :)

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  158. What the hey? by Pollux · · Score: 2, Informative

    @Home is really jerking your chain. Their user agreement is so bogus:

    The benefits and privileges available from the AT&T@Home, and the Internet in general, must be balanced with duties and responsibilities so that other customers can also have a productive experience.

    Translation: we're so cheap that we're going to cram as many customers as possible onto a single T1 line, limiting your privileges and your productive experience. Due to the ignorance of the general population, their productive experience is more simplistic and therefore will not come into conflict with our blocking of port 80. Granted, we understand that quite a significant portion of the internet is made up of servers like yours, but our bottom line beats your small desires to contribute to the growing of the world wide web.

    Under the terms of the AT&T Broadband Subscriber Agreement customers are not to restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service.

    Translation: you cannot interfere with other subscribers' use or enjoyment of the internet. We can interfere all we want.

    I'm sorry, but it's very plain and simple. @Home subscribers did not purchase a "pay per consumption" plan. They paid a flat rate for service, no matter how much or little they planned to use it. If I subscribe to the daily newspaper, the newspaper company has no right to revoke the Tuesday edition from my house just because they found out that I don't have time Tuesdays to read it. I paid for it, so they are required to give it to me, no matter if I read it or not. Sure, they could come up with some bogus excuse, like "The wasting of paper on an edition of the paper which is not read by the customer is interfering with the paper supply being utilized for the enjoyment of the newspaper by other subscribers." I could then take them to court and let the judge have a good laugh over how stupid the case is.

    Unless they specifically say in their user agreement that you will be limited to a certain time, bandwidth, or other limitation of their service, for them to limit your access to the web without proper notice and change to the user agreement is a direct denial of service.

    1. Re:What the hey? by Markonen · · Score: 3, Insightful

      Or, alternatively, consider this translation: "It is a known fact that upstream bandwidth in a cable network is an extremely scarce resource. At the market's current price point, we are forced to have a modems-to-headend ratio that only permits a typical web surfing workload on the upstream. The decision to actually enforce the no-server policy was made only after empirical data was gathered, proving that even a single file-sharing server could severely disrupt the service level for hundreds of other customers."

      (Disclaimer: I have no association with @home)

      You might have a leg to stand on if @home was bringing in huge profits and denying you features just to bring in a cent more. But guess what, they aren't, and those downsides of cable modem service are precisely what's enabling them to offer it at the price you are paying now.

      Don't like it? Tough. Go out and buy some real Internet bandwidth. It will cost you at least $200 per Mbps per month, in addition to the circuit costs.

  159. Re:Move to Canada by Malc · · Score: 2

    I have Sympatico HSE. My router (Netgear RT314) hasn't had a problem since I installed it last October. I got a .ca domain through easydns.ca... nobody has had a problem accessing my web site or sending me email, all on my dynamic IP. You can also use free services like dyndns.org or Granite Canyon. It's easy. If you have further questions, go to news://sympatico.highspeed. There are lots of people there who do the same and can help.

  160. Re:A simple go-around: by Corgha · · Score: 3, Informative

    Not so simple, actually -- I tried this today because of the block, and it works fine in many cases, but there is a hitch.

    Let's say someone is looking at "http://foo.ne.mediaone.net:8080/bar/fred.html", and this html file contains a reference to another file, be it a CSS file, an image, an anchor -- whatever. There are three possibilities I want to consider.

    In the first, if this reference is of the form "http://foo.ne.mediaone.net/bar/ney.html", it's obviously not going to go to port 8080, but people rarely use absolute references like that, so let's move past that to the more interesting cases.

    In the second, the reference is of the form "ney.jpeg". Here, everything works fine and the client looks for "http://foo.ne.mediaone.net:8080/bar/ney.jpeg".

    In the third, with a reference like "/css/rubble.css", you'd like to think that, since the parent URL is in http://foo.ne.mediaone.net:8080, the client would go for "http://foo.ne.mediaone.net:8080/css/rubble.css", but no! It looks up "http://foo.ne.mediaone.net/css/rubble.css" (and spends a long time timing out because of the block).

    I have no idea why this is, but it seems to happen in both Netscape and IE. Haven't had time to investigate it thoroughly, so if anyone knows anything about this, I'd appreciate the info.
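The three reference forms in the post are exactly the cases a link audit should check before moving a site to an alternate port. The following is an added example, not code from the post or from either browser: it walks a constructed page body with Python's standard `html.parser`, resolves each href/src against the post's base URL with `urllib.parse.urljoin` (standard relative-reference resolution, which carries the base's port into root-relative paths), and reports the same-host references that would still go to port 80.

```python
"""Added example (not from the post): resolve every href/src in a page served on
an alternate port and report which references would still hit the blocked port."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page body, as if fetched from BASE_URL (the post's example host).
BASE_URL = "http://foo.ne.mediaone.net:8080/bar/fred.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/rubble.css">
</head><body>
<a href="http://foo.ne.mediaone.net/bar/ney.html">absolute link</a>
<img src="ney.jpeg">
<a href="http://www.example.org/">offsite</a>
</body></html>
"""


class RefCollector(HTMLParser):
    """Collect href/src attribute values from a, link, img and script tags."""
    ATTRS = {"a": "href", "link": "href", "img": "src", "script": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append(value)


def effective_port(url):
    """Port a client would connect to: explicit port, else the scheme default."""
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)


def audit(html, base_url):
    """Return (reference, resolved_url, port) for each reference in the page.
    Relative and root-relative references inherit the base's host and port;
    only an absolute URL names its own port (or falls back to the default)."""
    collector = RefCollector()
    collector.feed(html)
    rows = []
    for ref in collector.refs:
        resolved = urljoin(base_url, ref)
        rows.append((ref, resolved, effective_port(resolved)))
    return rows


def blocked_refs(html, base_url, blocked_port=80):
    """References back to our own host that resolve to the blocked port."""
    host = urlsplit(base_url).hostname
    return [ref for ref, url, port in audit(html, base_url)
            if urlsplit(url).hostname == host and port == blocked_port]


if __name__ == "__main__":
    for ref, url, port in audit(SAMPLE_HTML, BASE_URL):
        print(f"{ref!r:45} -> {url} (port {port})")
    print("would hit the blocked port:", blocked_refs(SAMPLE_HTML, BASE_URL))
```

Of the post's three forms only the absolute one comes out on port 80 here; if a browser fetches the root-relative stylesheet from port 80 anyway, the audit will not see it, which is why the resolved URL for that case is worth comparing against the browser's actual request.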

  161. The virtues of small ISPs by hillct · · Score: 2

    It's amazing the quality of service (or lack thereof) that people will tolerate from large companies. When I gave up my dialup account in favor of DSL (those many moons ago) I switched from Mindspring to a small local ISP for service and I've never regretted it. Unfortunately there are lots of users who don't investigate their DSL service options before signing up with their local phone company. Small ISPs as a rule will always value their customers more than large outfits just because each customer contributes a larger percentage to their revenues (I don't pay more, they just make less). They'll bend over backwards to provide good customer service, and retain their customers.

    Unfortunately the three largest ISPs continue to buy up the smaller regional players. One of the steps I've taken to guarantee my quality of service is to have an explicit QOS specific contract (in hopes of avoiding what's happening to the QWest.net users as they're transitioned to MSN Internet access). What other steps might customers be able to take to insure that their small regional ISPs retain their independence, in this climate of consolidation?

    --

    --Got Lists? | Top 95 Star Wars Line
    1. Re:The virtues of small ISPs by jchristopher · · Score: 2
      Small ISPs rule! If you're in Southern California, check out cinenet.net for an ISP, minus the "you can't do this and that" terms of service.

      They provide a pipe for a reasonable amount of money a month, and let me do what I want with it. Kudos to them.

  162. Just get a job! by dan_the_heretic · · Score: 2, Informative

    If you want a server running a web site, co-locate! I have yet to see an ISP let their customers run a web site without extra cost. What's the big deal! Whining 'cause you can't get it free? GROW UP! Access costs MONEY. Pay it. Then whine because you don't get the service you pay for!

    --
    I don't like big words..., does that make me anti-semantic?
  163. Re:Move to Canada by Malc · · Score: 2

    Bell happily imposes a port 25 filter. The coverage is patchy though as only people with Sympatico IPs and their own SMTP server are restricted from sending me email. Based on this experience and the level of activity (I've had 2,000 hits since Saturday, mainly from Sympatico IPs), I wouldn't be surprised if they start filtering port 80... although I'm sure they're too incompetent to roll it out quickly. You could say that they already have a port 80 filter... they have a translucent caching interception proxy on port 80 in some areas.

    If I lived in Ottawa, Toronto or Montreal (??), I would switch to Istop.

  164. Re:People are becoming consumers, not content crea by interiot · · Score: 2

    An alternate hypothesis: an emphasis on consuming could simply be the nature of an asymmetric connection.

  165. I've read my TOS and it sucks. by The+Famous+Brett+Wat · · Score: 5, Insightful
    I would definitely like to take issue with the idea that "users" means "client applications". It is my opinion that the ISP should not care one whit whether my applications use the Internet by initiating outbound TCP connections, or by accepting inbound TCP connections. The distinction with UDP is even less relevant. All of these schemes result in inbound and outbound traffic. If they wish to say something about traffic volumes, then let them do so, but I do not want them dictating how I use that volume (other than reasonable constraints on network abuse, and other legal matters).

    If anyone can explain a good reason for banning servers rather than limiting data volumes, I'm all ears. I think it's either a combination of laziness and sloppy thinking on the part of the providers, or a desire to force the "users" to also be "content consumers" rather than "content providers". Hanlon's razor, I believe, favours the former explanation.

    --
    proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
    1. Re:I've read my TOS and it sucks. by figment · · Score: 2
      Yah, I should rephrase.

      I like companies that have security problems. Then they hire me at an extraordinarily high consultant's rate, and pay me to fix it.

      What I really mean when I say that is that 99.9% of security issues are from people at home, who I really don't want to deal with, because they pay some incredibly small amount of money each month to leech extraordinarily more bandwidth than they should. And when I said Red Hat, I really shouldn't have; I'm not dissing Red Hat or Linux in particular, I get the exact same problems with IIS/W2K.

  166. Simply not true... by Gregoyle · · Score: 4, Informative
    Most, if not all, broadband providers prohibit running servers from home accounts

    Definitely not all. MediaOne (now AT&T Broadband) never prohibited it. I understand your reasoning, but if you check the TOS, many companies do not explicitly prohibit running your own server, and some even explicitly permit it.

    What AT&T (at least the Roadrunner service) prohibited was duplication of their services. You weren't allowed to run as an ISP, and they also reserved the right to shut you down if you used up too much bandwidth. You weren't allowed to run a commercial web-server, because they sold web hosting.

    I don't disagree with their decision, as inconvenient as it is for me. I can just have my webserver listen to a port that is not 80. I don't even know if MS IIS supports this, but luckily I'm not running IIS.

    Think about it this way: if the virus was actually eating enough bandwidth and resources to affect the general home user experience, they would get complaints from those users. Maybe they will open the ports back up. Ha. That kind of stuff never happens. Oh well... guess I have to look for a new ISP (maybe speakeasy.net, even though Covad is going belly up...)

    --

    "He's more machine now than man, twisted and evil."

  167. From A Business Perspective, It Makes Sense by Jucius+Maximus · · Score: 3, Informative

    [Rummaging in drawer for flamesuit...]

    "They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service."

    Honestly, if I was in the position of the ISP, I would just have cut off all port 80. It makes perfect sense, from a business perspective, that is.

    [donning flamesuit...]

    I mean, do you really expect them to sift through millions of accounts, determine which ones were compromised with CodeRed IIS servers and block them off? And this list would have to be dynamically maintained, of course, and more port 80s continually blocked because Code Red II is still on the loose. And the ISP couldn't discriminate. If they decided to block all compromised IIS, they'd have to keep up with each and every server running.

    It would simply be a logistical nightmare where thousands of hours of work are diverted from network administration, support, maintenance, etc. It wouldn't work. They'd probably have to start up a whole new management division to keep track of it. And then their support people would continually be taxed by calls from people who are getting blocked when their neighbor's Apache box is still serving up pages.

    And even if they did do this, how would they correct for human typos in the blocking tables and correcting for all of it, verifying that it was an error, etc?

    So which would you prefer? An ISP where you could just run a proxy and keep your server running, or one that throws all their support staff into keeping the IIS boxes under control and doesn't have the people to actually manage/administrate the network/support, so your site wouldn't be available half the time anyway?

    In an ideal world, they WOULD block only the people who didn't patch their IIS servers and got infected. But unfortunately for *everyone* it just doesn't work that way.

    [peeks out from flamesuit helmet... do I have any friends left on /.? ;-]

  168. Re:Linux is not a contender.. by (void*) · · Score: 2
    Why is this interesting?

    I don't agree that most people require 6 CDROM packs to keep their installations up to date.

    But let's pretend this is so. Make some comparative facts to commercial software offerings. Sounds more reasonable now, Mr Coward?

  169. Read the Acceptable Use Agreement by q-soe · · Score: 3, Redundant

    This has probably been said but I am an Optus@Home customer in Aust and it firmly states (about 6 times) in the user agreement, FAQ, member pages and help sections that you cannot run a server on the web; this is in breach of the AUP and you get immediate disconnection.

    So if this is the case then why the story? Why the complaints?

    Ignorance is no defense - when you sign up for any service or contract you read the terms and conditions - thus you don't have these problems.

    End of story - if it's not acceptable and you do it you get thrown off - I can't see anything fairer than that, and whingeing about it happening is like ignoring the warning on a chainsaw that says don't cut off your leg and doing just that !!

    (of course in the US you could sue the company as stupidity is no exclusion - get the right jury and get lucky)

    --
    I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
  170. Re:People are becoming consumers, not content crea by tswinzig · · Score: 2

    I am also annoyed that, while Apache and other UNIX web servers are able to make a web server without countless remote root exploits, all UNIX users on these cable modems suffer because Microsoft did not make a secure web server.

    If you really think that this worm is the reason these ports are getting blocked, you are naive.

    This worm is the perfect excuse to finally come in and enforce their unpopular TOS -- no servers should be running on cable/dsl connections (at least for the companies discussed here).

    On a side note, I'd like to say PLEASE, FOR THE LOVE OF GOD, DON'T LET TIME WARNER TAKE AWAY MY PORT 80!!

    Ahem.

    --

    "And like that ... he's gone."
  171. I don't know anything about port blocking but.... by poteet · · Score: 2, Interesting

    ...@Home has been port scanning me off and on for this past week. I've called tech support to ask why and all I get is a perfunctory "We don't use that kind of software, it must be a hacker or something...." Yeah, right.

    --
    "Sometimes nothin' is a pretty cool hand." - Cool Hand Luke
  172. Here's a nifty trick by thatdammplage · · Score: 2, Informative

    This is a bit off topic, but I've been sending notes to everyone whose infected machine is hitting my firewall. Note that it won't work if the machine is behind a NAT box or firewall, but about 80% of the messages are going through.

    From your Windoze box:

    net send xxx.xxx.xxx.xxx "Your computer is infected with Code Red. Please patch your server immediately!"

    Replace the xxx with the offending IP addresses (duh!)

    I'm pretty sure that net send uses port 137, so there's a good chance that it's blocked, but like I said, about 80% of the messages are getting through. It pops up a message box on the infected system.

    Now, if someone would just write a small app that listens to port 80 for the Code Red packets and attempts a reply with net send...

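    Something in the spirit of the "small app" the post asks for, as an added example that is not from the post or from any product named in this thread: it listens on a port, classifies the first request line, and logs the peer, and the same classifier can be run over a log of already-captured requests to list the hosts worth contacting. The probe pattern (a request for an .ida/.idq resource with a query string hundreds of bytes long) is public knowledge about Code Red rather than something this thread states; the sample log, the request bytes and the addresses are constructed.

```python
"""Added example (not from the thread): log port-80 requests and flag Code Red style probes."""
import re
import socketserver
from collections import Counter
from typing import Dict, Iterable, Tuple

# Code Red reached IIS through a request for an .ida resource carrying a query
# string hundreds of bytes long (public knowledge of the worm; the sample bytes
# below are abbreviated and constructed, not a captured probe).
IDA_PROBE_RE = re.compile(
    r"^GET\s+/\S*\.id[aq]\?(\S{200,})\s+HTTP/1\.[01]", re.IGNORECASE
)


def classify_request(request_line: str) -> str:
    """Return 'code-red-probe' for an oversized .ida/.idq query, otherwise 'other'."""
    return "code-red-probe" if IDA_PROBE_RE.match(request_line.strip()) else "other"


def offending_hosts(log: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count probes per source IP; hosts that sent no probe are left out."""
    counts: Counter = Counter()
    for src_ip, request_line in log:
        if classify_request(request_line) == "code-red-probe":
            counts[src_ip] += 1
    return dict(counts)


class ProbeLogger(socketserver.StreamRequestHandler):
    """Tiny listener: read one request line, classify it, log the peer, answer 404."""

    def handle(self) -> None:
        line = self.rfile.readline(8192).decode("latin-1", "replace")
        print(f"{self.client_address[0]}\t{classify_request(line)}")
        self.wfile.write(b"HTTP/1.0 404 Not Found\r\nConnection: close\r\n\r\n")


def serve(port: int = 8080) -> None:
    """Run the listener (port 80 needs privileges and must not already be in use)."""
    with socketserver.TCPServer(("", port), ProbeLogger) as server:
        server.serve_forever()


# Constructed sample: (source IP, request line) pairs as the listener would log them.
PROBE_LINE = "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090 HTTP/1.0"
SAMPLE_LOG = [
    ("192.0.2.10", PROBE_LINE),
    ("198.51.100.7", "GET /index.html HTTP/1.0"),
    ("192.0.2.10", PROBE_LINE),
    ("192.0.2.11", "GET /default.ida?abc HTTP/1.0"),  # short query: not the worm
    ("203.0.113.9", PROBE_LINE),
]

if __name__ == "__main__":
    # Offline demo over the constructed log; call serve() to listen for real.
    for ip, n in offending_hosts(SAMPLE_LOG).items():
        print(f"{n} probe(s) from {ip}: owner should patch IIS")
```

    The length threshold is what keeps an ordinary request for an .ida resource from being flagged; a listener like this only ever sees the request line, so it identifies the sending address and nothing more, which is all the notification in the post needs.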
  173. This needed to be done last week by AcidBath · · Score: 2, Informative

    The @Home call center has been getting thousands of calls a day because of the Code Red worm. People calling in for everything from wondering why their activity light is going nuts 24/7 to the poor saps who can no longer connect because the routers and nodes are overloading and going hard down. This port 80 block is needed. Sure, some users run servers on port 80. Aside from the fact that they signed a TOS saying they wouldn't, they shouldn't be so arrogant as to think that they (since they know how to run a server) deserve to not help everyone else (newbie or not) have a good internet experience.

  174. If you're in Eastern Mass. AT&T's lying by maggard · · Score: 3, Interesting
    AT&T "Customer Service" is claiming that their Acceptable Use Policy forbids servers. This is not true for all customers; I know it's not true at least for the former customers of MediaOne in Eastern Massachusetts.

    Partially quoted from:
    roadrunner.techtalk.general
    3B709BDA.3480@mediaone.net.invalid
    chelm@mediaone.net.invalid wrote:

    Posting to ATT/RR Home Page on transition to Excited@Home:
    New Service Subscriber Agreement

    Your AT&T Road Runner home page will automatically change to the new content provided by AT&T @Home on June 30, 2001. Effective with the elimination of the Road Runner content, the AT&T Road Runner Service Subscriber Agreement will be replaced with the AT&T@Home Subscriber Agreement. You can see the new agreement at http://help.broadband.att.com/support under the Policies section of Answers to Questions. Because you are not using @Home software, the @Home End User License Agreement attached to the end of your new agreement will not apply to you.

    "AT&T@Home Subscriber Agreement" links to:
    http://help.broadband.att.com/support/faq.jsp?content_id=584&category_id=34
    which leads to:
    http://help.broadband.att.com/subagreelease.jsp
    Which states:
    9. Service Characteristics

    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

    (c) File and Print Sharing. The Service functions as a Local Area Network (LAN) in that each Customer is a node on the network. As such, users outside the Customer's home may be able to access the Customer's computer. As well, some software includes capabilities that permit other users across a network such as the Service and the Internet to gain access to the Customer's computer and to the software, files and data stored on the computer. For example, operating systems such as Windows 95 and Apple Macintosh include file sharing and print sharing capabilities which, when enabled, will permit other users to gain access to the Customer's computer even if the Customer is not using the Service. AT&T therefore recommends that the Customer connect only a single computer to the Service and that the Customer disable file and print sharing and other capabilities that allow users to gain access to the Customer's computer. Any Customer who chooses to participate in the Service using other than a single computer or who chooses to enable capabilities such as file sharing, print sharing, or other capabilities that allow users to gain access to the Customer's computer, hereby acknowledges and agrees that the Customer does so at the Customer's own risk, and that neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings arising out of or otherwise relating to such use by the Customer.

    And furthermore from the same document:
    11. Miscellaneous

    (b) Amendment. AT&T may, in its sole discretion, change, modify, add or remove portions of this Agreement, and the Service provided thereunder, at any time. AT&T will notify Customer of any such changes by posting notice of such changes on the Service, or sending notice via e-mail, postal mail or other means. Customer's continued use of the Service following notice of such change shall be deemed to be Customer's acceptance of any such modification. If Customer does not agree to any such modification, Customer must immediately stop using the Service and notify AT&T that Customer is terminating this Agreement in accordance with Section 7(a) of this Agreement. Customer will then be entitled to a refund of any unused portion of any monthly Service fee that has been paid in advance.

    Did anyone else get notification before port 80 was blocked? The above policies certainly still seem to be in effect; they're still posted and they clearly imply customers may run HTTP & FTP servers at their own risk.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  175. My short reply... by Jace+of+Fuse! · · Score: 2, Insightful

    http://www.directvdsl.com

    Formerly Telocity.

    1.5 down. 256k up.

    They don't care what you do.

    They don't block any ports.

    Their terms of service even say they don't mind what you do. It's your bandwidth.

    They only have one rule. If you run something funky, don't go crying to their tech-help for support.

    That's MORE than fair.

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.
  176. how @home seems to be getting SLAMMED... by Polo · · Score: 2

    Since code red hit, my cable modem light has been on continuously. Dumping the packets my system sees finds that the bulk of the requests are ARP requests to find the destination machines that code red wants to connect to.

    A typical code red request is something like:

    "infected" broadcasts: ARP request: who is 24.1.2.3?
    24.1.2.3 machine replies: ARP reply: I am (here's my MAC address)
    "infected" sends connect packet to 24.1.2.3:80, etc...

    However, @home in my area seems to be one large broadcast domain. Although 24.1.2.3 is not on my subnet, I do see the ARP request from the infected machine. But there are LOTS of them. So the bulk of the packets are ARP requests and this is what is REALLY flooding the network. Of course, I also get connect requests to port 80, but there are numerically a lot fewer packets.

    This may only apply to my area though... YMMV.

    So filtering port 80 will help prevent infections, but I wonder how much traffic it will cut down on.
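    A way to put numbers on the observation above, as an added example that is not from the post: a small parser for tcpdump-style text that counts ARP requests against TCP SYNs to port 80, ranks the hosts sending the most ARP requests, and measures how many ARP requests are for addresses outside the local prefix, which is the evidence for the single broadcast domain the poster suspects. The capture lines are constructed in the format of tcpdump's text output (the "ARP, Request who-has ... tell ..." and "Flags [S]" forms), and the addresses are documentation ranges, not real @Home hosts.

```python
"""Added example (not from the thread): account for ARP vs port-80 SYN traffic in a capture."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Patterns for tcpdump's text output; the comma-free character classes keep
# trailing ", length 28" out of the captured addresses.
ARP_REQUEST_RE = re.compile(r"\bARP, Request who-has ([^\s,]+) tell ([^\s,]+)", re.IGNORECASE)
ARP_REPLY_RE = re.compile(r"\bARP, Reply ([^\s,]+) is-at ", re.IGNORECASE)
TCP_RE = re.compile(r"\bIP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def parse_line(line: str) -> Tuple[str, str, str]:
    """Classify one capture line as (kind, sender, target); unknown lines give ('other', '', '')."""
    m = ARP_REQUEST_RE.search(line)
    if m:
        return "arp_request", m.group(2), m.group(1)
    m = ARP_REPLY_RE.search(line)
    if m:
        return "arp_reply", m.group(1), ""
    m = TCP_RE.search(line)
    if m:
        src, _sport, dst, dport, flags = m.groups()
        if flags == "S" and dport == "80":  # a bare SYN: a new connect attempt to a web port
            return "syn_to_80", src, dst
        return "tcp_other", src, dst
    return "other", "", ""


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Packet counts by kind; the ARP-request to SYN ratio is the flood signal the post describes."""
    return dict(Counter(parse_line(line)[0] for line in lines if line.strip()))


def top_arp_requesters(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Hosts issuing the most ARP requests, busiest first; in a worm flood these are the infected boxes."""
    parsed = [parse_line(line) for line in lines]
    return Counter(sender for kind, sender, _ in parsed if kind == "arp_request").most_common()


def offsubnet_arp_targets(lines: Iterable[str], local_net: str) -> Tuple[int, int]:
    """(ARP requests for hosts outside local_net, all ARP requests); a large share means one big broadcast domain."""
    net = ipaddress.ip_network(local_net, strict=False)
    foreign = total = 0
    for kind, _sender, target in (parse_line(line) for line in lines):
        if kind != "arp_request":
            continue
        total += 1
        if ipaddress.ip_address(target) not in net:
            foreign += 1
    return foreign, total


# Constructed capture in tcpdump's text format: 192.0.2.0/24 plays the local subnet.
SAMPLE_CAPTURE = """\
10:00:00.000100 ARP, Request who-has 198.51.100.23 tell 192.0.2.77, length 28
10:00:00.000200 ARP, Request who-has 198.51.100.24 tell 192.0.2.77, length 28
10:00:00.000300 ARP, Request who-has 192.0.2.40 tell 192.0.2.77, length 28
10:00:00.000400 ARP, Reply 192.0.2.40 is-at 00:00:5e:00:53:01, length 28
10:00:00.000500 IP 192.0.2.77.1045 > 192.0.2.40.80: Flags [S], seq 1, win 8192, length 0
10:00:00.000600 ARP, Request who-has 203.0.113.5 tell 192.0.2.90, length 28
10:00:00.000700 IP 192.0.2.90.1046 > 203.0.113.5.80: Flags [S], seq 2, win 8192, length 0
10:00:00.000800 IP 192.0.2.90.1046 > 203.0.113.5.80: Flags [.], ack 1, win 8192, length 0
"""

if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    print(summarize(lines))
    print(top_arp_requesters(lines))
    print(offsubnet_arp_targets(lines, "192.0.2.0/24"))
```

    Run against a real dump (tcpdump -n -l piped in, one line per packet) the same three calls answer the question the post ends on: a port-80 filter removes the SYN rows, but the ARP requests, which are broadcast before any TCP packet is sent and never cross the filter point, stay on the segment.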