Slashdot Mirror
Broadband Crackdown
MrPeach writes: "In a move unsurprising to those of us who have had interactions with their so-called customer support, AT&T Broadband and Excite@Home are indefinitely filtering all incoming traffic on http port 80 for residential customers. They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service. DSL anyone?" DSL won't save you. Verizon is apparently also blocking port 80 for their DSL customers, in addition to blocking outgoing port 25 and requiring use of Verizon's SMTP servers to send email. Verizon is also cheerfully paying fines for screwing over their competitors - the fines will be much less than the extra profit they can squeeze out once their competition is gone.
I work for a regional CLEC out of chicago. We have several thousand installed DSL lines. This is how we have been coping with the Code Red worm... (*as a buisness class of service, we can't be simply turning off all port 80.. many people do host off of our SDSL lines*)
We have a large number of 10.x.x.x addresses for our broadband subscribers. (This saves us the trouble of assigning public IP's to every single customer, because most don't want nor need a public IP). Our NAT server was getting so clogged up with TCP/IP sessions because code red was serching for hosts. (and once it got into the 10.x.x.x network, it has lots of addresses to check.
We simply got a free scanning utility (sorry... I am at home, don't have it here, nor the time to find it. ) After scanning all of our customers, we located around 30 infected computers.) We left messages stating that they were infected, and we were shutting off there connection until they would remove the offending computer..(we could discern the IP itself, and our users are statically assigned, not DHCP thank god..)
Several users were irate as all hell, but the good of the many outwieigh the good of the few correct? Many times the customer simply unplugged the computer and we put them back on. They are then responsible for patching it.. We have been running scans everyday, and have now gotten fewer and fewer code red worms in our user's DSL systems.
I think that this was the ideal approach. Why use a damn sledgehammer when all of about 30 minutes of work allows you to use a use a fly swatter to remove the offending computers.
Blah Blah Blah.
Telephone service is not a privilege. The telephone companies are regulated common carriers and are required by law to offer service to the public on a non-discriminatory basis. The conditions under which service can be refused or terminated are set by state and federal law and regulations, not the whim of some telco executive. The same can be said for other regulated common carriers, such as gas and electric companies.
Mea navis aericumbens anguillis abundat
I think that this is a perfectly reasonable response from @home. I work at a large ISP and I've seen how rapidly this code red garbage spreds. The little editorial comment that they can "simply block infected machines" is, quite frankly, garbage. Code Red 2 spreads faster than anyone could possibly keep up with blocking one machine at a time.
Code Red 2 is tearing up bandwidth at these cable companies. Its noticeably slowing down my speeds on my home internet connection. Something needs to be done in a hurry, and blocking port 80 is a fast solution that works.
Instead of blaming the broadband providers, why don't you blame the real culprit in this situation: Windows. Get angry at Microsoft; if it weren't for their lousy code and lousy security this problem would not have been possible in the first place.
> Granted I don't know how much one costs but I
> figure at around $40 a month a group of about
> 20-30 should be able to gets something way
> faster that DSL/Cable and without the bullshit.
We have an LADC line (which while only rated for 9600baud, but can do 768k unreliably via HDSL), that runs 4 blocks. It has a heavy distance limitation. It costs $80/mo. This does not include bandwidth charges. Distance matters. A lot. Too far away? Too bad, you'll either need to 56k lease line (haha), or frame relay, or ptp t1. None of these (well except 56k) are in your pricerange.
> around $40 a month a group of about 20-30
> should be able to gets something way faster
> that DSL/Cable and without the bullshit.
Ok, let's say 25 people @ 40bucks, not including the line charge. that's $1k. Call up qwest, or maybe sprint, or maybe a tier 2-N (because that's all you can afford), and if you live near a POP and you're lucky, maybe you can get a full T1.
Ok, now we have a shared T1, for 25 people (who i'm assuming will all be geeks, and will be downloading stuff late at night...) Assume a T1 can get maybe 160k/s throughput (you can't get 100% util on a T1 w/o severe latency problems), you get 6.4k/s. Congrats, you've gotten isdn speeds, for the cost of approximately $120/mo/person. This doesn't include startup costs. xDSL equipment costs a few hundred dollars on each end, and 802.11b accesspoints are a lot more expensive than the cards (no, airports don't count, their distance sucks) and the costs of outdoor antennas are horrendous, not to mention you'd have to find/hire someone to do the professional antenna install for you. You'd need a router for your shared T1, add another $600 in startup there.
> What happens when the network / connection goes
> down. Either we set up some sort of rotation
> but we need an admin to fix stuff and that can
> be expensive.
Expensive is right. You can get a crappy consultant for $75/hr. Say something significant happens once a month for two hours (that's not too unreasonable, given the current codered/sircam problems, and general maintainence, mailserver/dns crap).
Your cost is now $125/mo for slightlyhigherthan isdn speeds. See why this idea isn't that great?
I'm not a big fan of the quality of service of @home or Roadrunner. But at $40/mo, what can you really expect? Does your cable modem/dsl occasionally do over 200k/s? It does? Guess what, just that bandwidth capability alone, would cost you $1.5k/mo to do.
Actually, it is a feature of the DHCP protocol. By default, you attempt to renew your address lease after 50% of it is gone. If you do not have connectivity to the DHCP server, the client will keep trying to renew the lease until it is able to contact the server again. The client will attempt to renew a lease from the same server that gave it the initial lease. Even if the lease has been expired for some time, the server will still attempt to give the same address. This is default on most DHCP servers. Of course, you can change this and automatically assign a different address each time, but it gives better overall network stability to have clients keep their ip addresses.
Enigma
It also creates an artificial market-- why would I buy "business class" bandwidth or co-locate a server for a site that's adequately hosted on broadband for a fraction of the price? We're not talking "enterprise, mission-critical, ecommerce" web applications or anything... we're talking about noncommerical, nonprofit media forums.
I run a site that gets maybe 100 hits a day, is frequented by only a small group of 15 visitors. However, we have very complicated custom web applications the drive the sorts of things we do... free or paid shared hosting is not an option. Nor is it a real possibility to shell out money for co-location or "business class" bandwidth for this sort of thing -- that of course generates no profit. The idea that the home user should settle for less (yanno, the idea that a 5MB, add-riddled, censored, GeoCities account "is good enough") -- that only big corporations should have access to high quality server applications -- is disturbing. It reinforces the idea that the Internet is here for business-- not for culture, not for recreation, not for academia, not for the free exchange of ideas.
Access to the tools big business uses is a real possibility with broadband since a lot of hobbyists, enthusiasts or professionals working in their spare time can put together a lot of the same things that corporate and "ecommerce" sites can...
As I say, I'm not claiming that broadband needs to come tethered to the sorts of service levels that corporate folks are expecting-- nobody suggests such a thing... but there's no good reason to limit people to Geocities because... "pfah! if you're serious, you'd co-locate in an Exodus data center."
That argument is pretentious and elitist. I get no Darwinian thrill from seeing only the moneyed have access to technologies all of us could use, enjoy and share at minimal cost.
BRx.
Life after capitalism? The participatory economics project
In 2001,worm was happening.
Customer1: What happen?
Customer2: Somebody set up us the port filter.
Computer: We get mail. Customer1: What?
Customer2: Email client turn on.
Customer1: It's you !!!
Cable Provider: How are you, gentlemen ???
Cable Provider: All your TOS are belong to us !!!
Customer1: What you say???
Cable Provider: You have no chance to host, make your time.
Cable Provider: Ha ha ha !!!
Customer1: Move boxen.
Customer2: You know what you are doing?
Customer1: For great serving,
Custoemr1: Move every boxen.
Vintage computer games and RPG books available. Email me if you're interested.
[root@gamara log]# grep DPT=80 messages | wc -l
3722
code red hits, all from other @home users. All W2K/IIS 5.0 users. The ip's I've looked into all have the default pages up too. I've even tried running "dir" commands on a few through the "root.exe" backdoor code red installs, incredulous that it would work, and yes.. thousands of wide open NT boxen. This hasn't even seemed to slow down yet, despite the wide spread publicity which leads me to believe that a large percentage of those stricken are either totally clueless, don't realize they have IIS running (?), or flat out don't care which leaves the ISP little choice. And it may be my perception, or unrelated factors, but my net connection has certaintly seemed more sluggish over the last week, perhaps as a result of upstream saturation, something @home doesn't have much of.
So I would agree, blocking port 80 is the most practical way of defeating this and it should have happened earlier. It's that or ban all microsoft operating systems as a public hazard :)
99% of cable modem and DSL subscribers do NOT need to run servers of any kind. By leaving them open across the board you open the door for this kind of worm to propogate across misconfigured systems where people have gone and accidently installed IIS or even an unpatched UNIX box. Does that mean you shouldn't be allowed to run servers period? No! What should be required is for your to sign a consent statement that says you are responsible for any damage caused by attacks taking place from or to your machine and will pay any cleanup costs needed to deal with attacks against a server on your network. There should also be a formal risk assessment and penetration test conducted against your server setup to determine if it is indeed ready to be connected to the Internet. Too many people are putting these god damned buggy open machines on the Internet and then bitching about censorship when an ISP filters them. If people would take responsibility and make sure their systems are constantly updated it wouldn't be an issue, but most DON'T. And no, I'm not talking about the uber geek average Slashdot guy who upgrades their kernel every night to the latest version and has a cron job setup to do an apt-get update. I'm referring to Joe Average who installed his first Linux box to fiddle with or the guy who installs IIS during the Win2k install because it was there and he wants a full install of the OS. These people should not have full unfettered access to the Internet. You guys are starting to sound like the people I have to deal with who absolutely demand to have complete unfiltered access to the Internet so they can run whatever god awful program of the day they've come up with as a business requirement that is blocked by the firewall. Netmeeting anyone? Oh, you want to punch IPSec holes through the firewall? Uh huh.. no... FTP??? You want an FTP site on your desktop? Uhhh.. no.
I noticed this happened around 5 am yesterday morning (Tuesday, August 7th). Well I didn't notice it, I just tailed my apache logs and web requests seemed to stop coming in around that time. None the less, I got into work that day and noticed I couldn't access my personal web page... NOTE: Personal, not commercial. I put pretty pictures, that I've taken with my digital camera, on it. I was however able to ssh into it and ftp into it.
What was going on? I got scared for a second cause I thought perhaps they started enforcing some term of their service, but it wasn't until I got home and (not so thoroughly) skimmed through their TOS that I realized running a server was not against their TOS, as a matter of fact they worded it so JUST dialup users cannot run a "server of any kind", and it seemed to be fine for DSL users.
So I call up Verizon, talk to a couple different people, none of which knew a single thing about anything. One tried to accuse me of violating the TOS, and I told them it said I'm allowed to run a server in it. She shut up immediately.
Another told me that since I wasn't patched against code red, my internet service was being blocked. I told her I wasn't using a Microsoft operating system therefore I'm not affected by it, and even if I wanted to I wouldn't be able to apply the patch. She told me that because I didn't apply the patch, port 80 was being blocked. Again, I explained to her I wasn't running a Microsoft OS. In the end I think I explained it to her around 5 times... hopefully she knows a little more about computers now.
Finally I got to some guy who was somewhat intelligent, although he did call Linux, L-EYE-NUCKS, he seemed to have some understanding of how to press buttons. I asked him why port 80 was being filtered, and he told me because Microsoft had recommended they block the port. (BTW, I totally agree with someone else that commented on this, who said that because of Microsoft building insecure web servers, we are paying. That is fuct) I asked him if there was anything they could do to unblock the port for me, like put me on another subnet and give me a static IP (I'm a sneaky bastard), or put some kind of flag on my account. He told me that for the time being there was no work around, however he would post a memo and suggest to their tech team they find a way around the port blocking for users who are patched, or not running a Microsoft OS. I asked how long the filtering would stay in place ... he told me it would only last for another couple hours. Right there I told him I didn't think that was true, but he insisted it would only last another hour or two, MAX... port 80 is still blocked.
I just thought I'd contribute this tid bit. I have Verizon DSL in Northern New Jersey, in Essex County. Again, their TOS did not prohibit running a server, unless you are on a dial up. I would post it here, but there is also some clause in their TOS that prohibits reproducing it, so if some brave soul wants to post it below this, go right ahead =]
I need to get a higher paying job so I can get a T1 and then just have to deal with UUnet fiber-optic cuts because of train wrecks.
SuPz.orG
The hide behind clause will most likely be the one that says 'you may not run a server in connection with the @Home residential service'. http://home.com/support/aup/
Cave, wreck, and deep diver.
Actually, cable and DSL providers are already blocking port 80 (and most lower ports) for months. I am a Charter cable customer. When I first signed up, all ports below ~1500 where blocked. (With the expection of 53, 113, and a few of others) Customers where forced to use there proxy server. Even outbound port 80 was blocked.
After complaining for 4 months about it. and many phone calls to there head techs and managers. I finally won. I proved to them why blocking all of those ports was insaine. I simply wanted to run NTP on my machine. (Well, my entire LAN, but they didn't know anything about that :) Which requires 123/UDP.
As the months went on, more and more ports started opening. One thing that they have relized is that people will run servers regardless. People who abuse it (setting up high traffic sites) will be shutoff. Personally, I think its insaine. I should have the right to run a personal site, as long as it doesn't get out of hand. If it did get to that point, I wouldn't be hosting on cable.
So, they blocked the ports. I wonder how long it will stay. I would be very carefull, they may use this as an excuse to keep the ports blocked.
Working with the large companys his difficault, tring to convince them that they should unblock them. I can kinda of understand there postion. But, then again, it kinda upsets me.
until (succeed) try { again(); }
Seriously people... Most, if not all, broadband providers prohibit running servers from home accounts (it's definitely that way for @Home users, even if they do generally turn a blind eye to small time web servers). They generally also have some sort of clause which basically doesn't guarantee unlimited or uncontrolled inbound or outbound access. For that matter, most broadband (and thinband) providers provide a clause which basically exempts them from any sort of service level agreement.
Signing on with a domestic oriented ISP means that you are essentially "users" on their network. Blocking inbound port 80 access is a good starting point for at least protecting their internal network segments. If you were running what is essentially a DHCP/DNS/proxy service for thousands of users, wouldn't you at least take this step to protect the integrity of your network?? (I admit it doesn't begin to solve all the problems, but...)
If you want to run your own "mini NOC", then pony up the cash and get ISDN, a T1, or something faster put into your basement. But if you are subscribing to a consumer grade ISP's offerings, don't be suprised when this happens. And especially don't start with the geek indignation, because consumer broadband is not meant, nor sold, under the pretense of running home servers.
The @Home customer agreements never allowed servers, particularly web servers. There's a valid technical reason, too: Cable bandwidth is asymmetric. There's typically a downstream pool of about 27 Mbps (depending on settings) shared among all users, while the upstream pool is more often in the 2 Mbps or less range. This comes about because upstream has to fit into the narrow patches of usable spectrum below 40 MHz, while downstream just fits among the TV channels between 50 and 750 MHz.
So stick a server out there, get Slashdotted (or even just get mildly popular), and the upstream bandwidth is wiped out for your whole neighborhood (technically, the area of your optical conversion node and CMTS channel). This is a big risk, so the cable companies don't take it. Instead, they do give you some free hosting space at their data centers.
VeriZontal has no such excuse -- ADSL has little upstream bandwidth (they typically provision only 90 kbps) but it's your very own, and they end up with a huge surplus of upstream bandwidth at the back of the DSLAM, where all of the traffic is aggregated. It's downstream that can congest easily. They're just being shmucks as usual. But if their customer agreement doesn't allow servers, then that's the deal -- commercial-grade DSL services allow servers.
The real problem they're addressing (even VZ) is Code Red II. Web servers that get infected will probe their own networks like crazy looking for others to infect. This creates congestion. So shutting off port 80 stops the worm. Crude but effective. See the recent LinuxPlanet column about Charter for how a cable company won't admit that its infected servers are causing huge congestion. The author suggests blocking port 80!
Imagine if the phone company checked your lines for "business use" and shut you down unless you got a business contract.
Or how about the power company, charging you differently depending on how you use the power, and limiting you to, say, 10 amps peak if you don't have a business contract.
I wonder if it isn't appropriate to have a little (eek) government regulation when it comes to these things? Like not blocking any ports for any customer unless it is clearly marked in advertising or something?
I always wonder when my ISP will decide, for the good of all customers, to shut down this or that port or filter or monitor traffic. They'll probably not even notify me, they'll just update the terms of service buried in their web page someplace.
The average American is a mere couch potato which the corporations feed information to the unwashed masses the same way the inhabinents of Huxley's Brave New World were fed soma. The average consumer has nothing to say unless what they have to say is under corporate control. While people running web servers were tolerated when what they did was not attracting the attention of the corporate suits, they are being cut off by those who feel that people really shouldn't be running personal web servers.
I am also annoyed that, while Apache and other UNIX web servers are able make a web server without countless remote root exploits, all UNIX users on these cable modems suffer because Microsoft did not make a secure web server.
Thankfully, this is easy enough to work around. E.G:
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Granted, many people running Win2K or NT and IIS might not realize the service is running, their computer is infected, they are part of the problem.
This is what we've run into at my company.
What our security team did was scan for infected IIS servers and shut down those specific customers.
We then contacted them and informed them to patch immediately once we turned them back on. We also warned them that we would scan again that evening and would not hesitate at shutting them down a second time.
About 50% of those contacted had no clue they even had IIS running. This made it very frustrating.
If anyone can explain a good reason for banning servers rather than limiting data volumes, I'm all ears. I think it's either a combination of laziness and sloppy thinking on the part of the providers, or a desire to force the "users" to also be "content consumers" rather than "content providers". Hanlon's razor, I believe, favours the former explanation.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.