Slashdot Mirror


Comcast Cuts Infected PCs' Network Connections

fidget42 writes "I just noticed this article over at Infoworld. It seems that Comcast is finally doing something about the machines on their network that are being used by spammers. They are now cutting off service to those customers who have computers that have been hijacked by spammers. Now, if only other broadband ISPs would start policing their user base ..."

49 of 592 comments

  1. Other ISPs start to do this? by garcia · · Score: 5, Interesting

    Now, if only other broadband ISPs would start policing their user base ...

    ATTBI (back in 2002) was disabling people's account for being infected with worms... People's modem CFG file would be set to disabled.cfg and they would have block sync but wouldn't be permitted onto the network.

    If Comcast took over from ATTBI and is using parts of their existing network, I just can't understand why modems were not being disabled recently for infection by worms.

    1. Re:Other ISPs start to do this? by mikeophile · · Score: 3, Interesting
      It seems like it would be pretty trivial for a virus to re-write the modem CFG file to get back on the network.


      Hell, it might as well uncap the modem while it's at it too.

    2. Re:Other ISPs start to do this? by interiot · · Score: 2, Interesting

      For one, aren't there enough ISP- and cable-modem-specific issues with updating the CFG file (eg. different community strings and cable-modem IPs) that one virus is unlikely to work for a majority of cable modem connections?

      For two, it'd be pretty trivial for the cable company to detect the change and cut off that connection at the CO, limiting the damage to just the users on the same physical cable connection, no?

    3. Re:Other ISPs start to do this? by Short+Circuit · · Score: 2, Interesting

      That would require a show of skill beyond what a lot of virus writers have been showing. Of course, once one example exists, there will be knockoffs.

    4. Re:Other ISPs start to do this? by TykeClone · · Score: 5, Interesting

      But that's a bummer to get disconnected if you were to need to download stuff like updated antivirus signatures or fixit tools to get the machine back into shape.

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    5. Re:Other ISPs start to do this? by EvilAlien · · Score: 2, Interesting
      "Back in 2002"... that's funny. Modems were being disabled for abuse before AT&T got into the broadband business when they did a chestburster to @Home.

      I don't recall having ever actually shut off someone's DSL modem back in 1997/1998 when we deployed it at ISP Employer At The Time, but back then we were just happy when the shit worked for any length of time.

      Suspending modems for abuse is nothing new... what is new is the level of worm activity that makes it really difficult to scale for any ISP of a respectable size. Don't blame the ISP's abuse departments, blame the marketing people who refuse to educate customers and prospective customers about security basics.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    6. Re:Other ISPs start to do this? by The-Perl-CD-Bookshel · · Score: 2, Interesting

      I work at Circuit City and people come in all the time and ask me for Norton or McAfee. They say that their ISP told them to get it or they can't turn their internet connection back on. Most of the people in my area are Patriot Media or Comcast (both cable modem). I know for a fact that Patriot will shut your service off if they detect that you have a virus that could harm the network, or others.

      --
      I don't keep a lid on my coffee so when I walk around I look busy -me
    7. Re:Other ISPs start to do this? by Chutzpah · · Score: 2, Interesting

      Theoretically, if you are willing to mess with your diagnostic connector, you could use it to get the firmware off the modem, edit the binary and make the modem get 2 config files, one off the ethernet, and one off the cable. Then use the one off the ethernet for the actual config, and if the cable company requests the config file, send them the one from cable connection.

      It wouldn't be the first time someone modified hardware by editing binary firmware.

  2. Is this right? by Millbuddah · · Score: 3, Interesting

    Are these guys even allowed to do this based on the user agreement they get their subscribers to sign? I'm sure most of these computers that get hijacked are used by Joe Somebody who probably has no idea that his computer has been hijacked. If Comcast and other ISPs are so keen on cutting off access to spammers, why not provide a firewall and antivirus programs along with their subscriptions? I'm sure it'd cost them a piddly amount and wouldn't really be all that hard to work out a deal with these software vendors to bundle them into the deal. Maybe I'm way off base here but it just doesn't sound right to just cut off access.

  3. A better solution... by SmackCrackandPot · · Score: 5, Interesting

    ... would be to put the network connection onto a quarantined sub-net where all the necessary virus removal tools were available. Once the machine was cleaned up, it would be allowed general network access again.

    1. Re:A better solution... by daveewart · · Score: 4, Interesting

      quarantined sub-net

      My ISP, NTL, did this during the Blaster epidemic. They used some kind of portscan to determine which machines were infected and then put their connections in a 'walled garden'. All web traffic that went through this 'walled garden' resulted in a page describing what the problem was and included lots of pretty pictures explaining how to fix the problem.

      The portscanning caused some alarm to those of us with firewalls, until it became clear what they were doing.

      I believe their patching instructions were:

      • Download debian-3.0r2-woody.iso
      • Burn to CD
      • Reboot ...
      :-)
      --
      "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
  4. Re:Thank you! Next, please take out the virus-infe by cbelt3 · · Score: 4, Interesting

    Fine, stop the infected machines from DDoS'ing. But hey, can the SERVICE be a little more SERVICE friendly? Like this: DHCP Message comes up: "Dear Comca$t customer. Your computer seems to be infected with a computer virus. We will only allow you access to our FREE antivirus tools site until you have resolved this problem. Please contact us at blah, blah, blah". Then let 'em into a site that they control with standard tools to detect and blow away those worms. Might make the customers happy instead of ticked off.

  5. Re:Plot by virus scan companies? by akintayo · · Score: 2, Interesting

    It also means that those users cannot download the latest anti virus definitions, if they use VirusScan or NAV. On the other hand, the argument can be made that they should've taken steps sooner, before their machine became part of the problem.

    --
    Woe be on to them, all who rise against poor people, shall perish in a the end. Buju Banton
  6. Re:Yes Yes! by Anonymous Coward · · Score: 5, Interesting

    Because we all know Corporations policing is a VERY GOOD THING!™

    It's presumably a terms-of-service violation so technically you're in breach of contract and they can do what the hell they want.

  7. I for one... by Sentosus · · Score: 4, Interesting

    I for one welcome our new connection blocking ISP overlords?

    First time for me...

    I agree that this should be done in extreme cases where the customer is CONTACTED before so that information and education can be PROVIDED. Simply clipping the wire does not fix the issue for anyone but the ISP.

    Second, Backroads.net implemented the policy above with much success. I was happy as a customer of theirs.

    It is unfortunate that this has to be done, but wouldn't a more effective solution be to block all ports but 80 or maybe even force all their traffic to a URL with an explanation of the virus and let them know that they can not do anything on the web until it is fixed?

    SP

  8. Re:Yes Yes! by OECD · · Score: 5, Interesting

    Because we all know Corporations policing is a VERY GOOD THING!™

    Well, a coworker brought in his virus-ridden computer for me to take a look at, precisely because Comcast threatened to turn off his pipe. The interesting thing is that he knew he had a problem, but because he could work with a slower computer he didn't take care of it. So at least one zombie box that would have been 'put up with' by its owner is now off the net.

    OTOH, I'm worried about the precedent this sets. Who knows what other things will bring the 'death penalty' from the ISPs? What ports will be shut down because 'you don't need them'?

    --
    One man's -1 Flamebait is another man's +5 Funny.
  9. Re:Plot by virus scan companies? by rebeka+thomas · · Score: 5, Interesting

    I think so.

    My sister's university would not allow her PC back on the school network after they cut ALL student network access in the wake of MyDoom, until it could be verified by a tech at the school that she was running Norton AV.

    Her PC runs Debian and only Debian. It took more than a month for her to find a sane enough tech in admin to realise that it was pointless trying to do so. All of the rest tried the different bullshit techniques telling her why all PCs are a problem regardless of OS.

    The most classic was one of the last techs, a supposedly bright 35 year old guy who came around with a warezed copy of NAV to attempt installing on her PC. He not only knew what Linux was when he recognised it, but told her to make her PC secure she'd have to install Windows and THEN put NAV on.

    --
    RST
  10. Code Red Lives! by ChrisKnight · · Score: 3, Interesting

    Code Red showed up in August of 2001. Anti-virus vendors, and even Microsoft, released detection and cleaning tools. To this day, two and a half years later, I am still getting Code Red hits from infected machines.

    It is about bloody time that a large provider has become willing to proactively cut off infected machines. Now if only UUNet would do the same, as most of the Code Red hits I receive come from within my own NSP's network.

    -Chris

    --
    -- This sig is only a test. If this were a real sig it would say something witty. --
  11. How To Take Care of Comcast by jchawk · · Score: 2, Interesting

    Mail Admins do yourself a favor.

    Just nuke the following -

    client.comcast.net

    and

    client2.comcast.net

    And for good measure - client.attbi.com

    That should take care of most of the zombie / virus / idiot mail. None of their residential customers should be sending email directly from a dynamic IP address. This will seriously cut a good bite of the spam / viruses you are receiving, and you don't have to worry about missing email because they should be relaying through central mail servers.

  12. Re:Yes Yes! by thales · · Score: 2, Interesting

    As a matter of fact yes, having the owners of Networks policing them from abuse that affects other people on the Network as well as third parties is a very good thing, even if they are Corporations. Much better than having a knee jerk reaction of "a business did it so it's evil".

    --
    Quemadmodum gladius neminem occidit, occidentis telum est
  13. block egress 25, enable smtp auth by Anonymous Coward · · Score: 1, Interesting

    Wouldn't this be better served by simply blocking egress port 25 (eg, users can't send email out on port 25 to anything other than the ISP's own email server) and also enable SMTP auth on the ISP's server?

    That way, any SMTP engine isn't going to be able to connect at random to various mail servers, and if they try to connect to the user's ISP mail server, it will have to know the username/password. And if it happens to get that info (or uses the user's own mail client) the ISP should be able to log large scale email traffic based on username.
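The per-username logging suggested in the comment above, sketched as an added example that is not part of the original post: it sums recipients per authenticated user over a sliding window and flags accounts whose peak exceeds a limit. The log format, user names, window and limit are all constructed assumptions, not any real mail server's output or policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed observation window
LIMIT = 200                      # assumed recipients allowed per window


def constructed_log():
    """Build constructed sample lines: 'timestamp user=... client=... rcpts=N'."""
    start = datetime(2004, 3, 9, 10, 0, 0)
    events = []
    # alice: ordinary user, three small messages over an hour.
    for minutes, rcpts in ((1, 1), (30, 2), (75, 1)):
        events.append((start + timedelta(minutes=minutes), "alice", "10.1.4.20", rcpts))
    # bob: hijacked account, 50 recipients every 10 seconds for 5 minutes.
    for i in range(30):
        events.append((start + timedelta(seconds=10 * i), "bob", "10.1.7.99", 50))
    # carol: 240 recipients in total, but spread out as 40 every half hour.
    for i in range(6):
        events.append((start + timedelta(minutes=30 * i), "carol", "10.1.2.3", 40))
    events.sort(key=lambda e: e[0])  # the detector expects time-ordered input
    return [f"{ts.isoformat()} user={u} client={c} rcpts={n}" for ts, u, c, n in events]


def parse_line(line):
    """Split one constructed log line into (timestamp, user, client, rcpts)."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["client"], int(kv["rcpts"])


def peak_recipients(lines, window=WINDOW):
    """Return {user: highest recipient count seen inside any single window}."""
    recent = defaultdict(deque)   # user -> (timestamp, rcpts) still inside the window
    running = defaultdict(int)    # user -> recipients currently inside the window
    peak = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, user, _client, rcpts = parse_line(line)
        queue = recent[user]
        queue.append((ts, rcpts))
        running[user] += rcpts
        # Drop messages that have aged out of the window.
        while queue and ts - queue[0][0] > window:
            running[user] -= queue.popleft()[1]
        peak[user] = max(peak[user], running[user])
    return dict(peak)


def flag_bulk_senders(lines, window=WINDOW, limit=LIMIT):
    """Users whose recipients-per-window peak exceeds the limit."""
    peaks = peak_recipients(lines, window)
    return sorted(user for user, value in peaks.items() if value > limit)


if __name__ == "__main__":
    log = constructed_log()
    print("peaks:", peak_recipients(log))
    print("flagged:", flag_bulk_senders(log))
```

The windowing is what separates carol, who sends 240 recipients in total but never more than 40 at once, from bob's burst.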

  14. DHCP message? Since when? by purduephotog · · Score: 4, Interesting

    You can't send a message with DHCP - that's a network assignment protocol. As in, you get your IP from them with that.

    It would be even better to send them a "Net Send" but that's been disabled due to viruses and spam.

    Frankly those users have ignored all the obvious aspects of being infected (100% cable light flashing) and have probably consumed more bandwidth than an army of teenagers downloading MP3s. That cable *should* be cut and I stand by my comments about desiring cable access being denied to them UNTIL they remove their virus.

    Frankly, they AREN'T running a virus scanner because... obviously... the logs go on for days. Weeks. A few for months. So how exactly do you want to make them call in for more information? Why, you cut out their access. Very quickly they call in. If they don't, well, they weren't using the service and they will call in when they want to... at which point a qualified technician can 'walk them thru' downloading a virus scanner and installing it.

    Because let's face it - if they are spamming the net with a virus that's been on their machine for months, a little DHCP message (hah) ain't gonna do nothing to stop them.

    1. Re:DHCP message? Since when? by cristofer8 · · Score: 3, Interesting

      I think he's talking about sending them a different gateway and DNS server. This way, the gateway ensures they can ONLY get to the virusscan page, and DNS helps by only returning its IP, no matter what webpage they asked for. So when they open IE to msn.com, they actually get the "Hey! You have a virus! Here's how to fix it!" page.
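The DNS half of the walled garden described in the reply above, as an added example that is not part of the original thread: a resolver for quarantined subscribers that answers every A query with the address of the cleanup page. The portal address (an RFC 5737 documentation address), the TTL and all function names are assumptions made for this sketch.

```python
import socket
import struct

PORTAL_IP = "192.0.2.10"  # assumption: stands in for the ISP's cleanup site
TTL = 30                  # short, so the portal address is not cached after release
TYPE_A, CLASS_IN = 1, 1


def parse_question(packet):
    """Return (name, qtype, qclass, end_offset) for the single question, or None."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        # Labels are at most 63 bytes; reject compression pointers and overruns.
        if length & 0xC0 or pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 4


def walled_garden_answer(query, portal_ip=PORTAL_IP, ttl=TTL):
    """Build a reply that points any A query at the portal; None if malformed."""
    parsed = parse_question(query)
    if parsed is None:
        return None
    _name, qtype, qclass, end = parsed
    ident, qflags = struct.unpack("!HH", query[:4])
    if qflags & 0x8000:  # already a response, not a query
        return None
    # QR=1, copy opcode and RD, set AA and RA, RCODE=0 (no error).
    flags = 0x8000 | (qflags & 0x7800) | 0x0400 | (qflags & 0x0100) | 0x0080
    answer = b""
    if qtype == TYPE_A and qclass == CLASS_IN:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4)
        answer += socket.inet_aton(portal_ip)
    # Other record types (e.g. AAAA) get an empty no-error reply.
    header = struct.pack("!HHHHHH", ident, flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:end] + answer


def build_query(name, qtype=TYPE_A, ident=0x1234):
    """Constructed client query, used to exercise the responder offline."""
    qname = b"".join(bytes([len(part)]) + part.encode("ascii") for part in name.split("."))
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def answer_ip(response):
    """Address in the reply's A record, or None when it carries no answer."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None


def serve(bind=("127.0.0.1", 5353)):
    """UDP loop for the quarantine resolver (bind address is an assumption)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        reply = walled_garden_answer(data)
        if reply:
            sock.sendto(reply, peer)


if __name__ == "__main__":
    for host in ("www.msn.com", "example.org"):
        print(host, "->", answer_ip(walled_garden_answer(build_query(host))))
```

DNS alone does not confine a machine that connects by IP address, which is why the reply pairs it with a gateway that only forwards traffic to the cleanup page.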

  15. Finally! by Anonymous Coward · · Score: 1, Interesting

    I used to kick users off of the dial-up ISP I managed when I'd catch them running the Back Orifice client. I made a few kids cry. One of them said his mom was going to beat the crap out of him when she found out why their Internet service didn't work anymore.

    If you're running Windows without a firewall or antivirus software on Comcast's network, getting the plug pulled on your access should be the least of your concerns. What you really deserve is a serious flogging.

  16. Re:Cox does this... by AbbyNormal · · Score: 2, Interesting

    go through phone hell

    I am also a Cox subscriber and I believe that their phone "service" should be labeled cruel and unusual punishment.

    Also, have any other Cox users noticed a decent amount of Port Scanning from Cox? Is this part of their scanning for Viruses/worms? After one weekend where I was scanned twice in a matter of hours, I sent my logs to their "abuse" address. I have yet to hear back from them. Coincidentally, I have yet to be scanned since then.

    --
    Sig it.
  17. False alarms by Anonymous Coward · · Score: 1, Interesting

    Tell me about it. During the NIMDA virus hysteria, my ISP cut off my internet connection because it said I had the NIMDA virus. Since I was running Linux, that was impossible but it took weeks to settle the issue.

    The real irony was that one of the support agents suggested that this whole mixup wouldn't have happened if I was just using a "normal" operating system like Windows or the Mac!

  18. Policing and illegal application and VISA/MC by lsw · · Score: 1, Interesting



    A problem is that spammers are nasty and if you're a geek you would do anything to stop them and so on. But what about people who trade copyrighted material? If you're an IP lawyer for the MPAA your position would be to ask Comcast to block internet access to those PCs (because morals aside, it's illegal in the US).

    A major issue in spam is the credit card processing facilities. Actually Visa and MC have an immense power to stop spammers. They could simply block the processing of credit cards of companies engaging in spam. Amex did it for porn and no-one complained.

    --
    Ironclad Security only exists when you have Chuck Norris on the shift. Do we really have to discuss this? (Plutonite)
  19. Re:Yes Yes! by 47PHA60 · · Score: 4, Interesting

    I agree with you on your second point. I am a Comcast customer because they let me connect out to any port and leave all inbound ports open, which I need to test things as part of my job.

    My dream ISP service agreement would be one that guarantees full access to all ports and protocols, but the ISP reserves the right to shut off my connection if it is hijacked.

  20. Someone cares... by CFBMoo1 · · Score: 2, Interesting

    Nice to see some companies caring about their customers by notifying them there's a problem. I wish Sprint/Earthlink was as good as Comcast in the customer service, hell the one tech guy who came out to work on our line even recommended Comcast over his company. oO

    Here's a little story about Sprint/Earthlink you may all enjoy. Last year at around February. They got a hold of my home and said that DSL was available. We signed up and they called a month later saying the 1.5 DSL was available so we signed up for that.

    Well for 7 months we had no problems. Everything worked perfectly. Then they decided that individual computers at a home must now go through a router and switched the system over to that. This caused regular disconnects at my house because they neglected to send us any notification of the service change.

    After the router was installed and we went through it, we still got regular disconnects from the service. After about 3 months, 3 Sprint technicians, and 1 Earthlink technician.

    Finally the conclusion was reached that the 1.5 DSL was the problem cause we were about 24,000 feet from the office or just outside the bubble. And we could only get the lower speed. Which doesn't explain why it worked for 7 months w/out a hitch before their connection policy change.

    We asked if it was possible to be switched to a closer office, they said there was one closer but it wasn't ready to handle connections. We asked if they could notify us of when it will be ready so we can switch and have better service. The technician said they wouldn't and no reason was given.

    At this point you're probably wondering why we didn't switch to Comcast. Well they neglected to send us a bill for about 3 months and repeated calls were getting nowhere so switching was on hold. A carrier pigeon would have been more of an option.

    Finally in February another Sprint technician came out. This guy knew exactly what he was doing and said that the office closer to us was ready to take connections after he heard our story. He hooked us right up to the closer office that's only 10,000ft away and we've been picture perfect since. I'd like to thank that fellow, but I didn't get his name cause I was at work when he stopped out.

    Anyway, it's fellows like that and the ones that take the time to call people about problems that should get the good pay checks. Not the idiots who could care less and leave you hanging.

    Sorry for the long winded story. But seeing this article made me think of what happened to me and especially of that one tech guy recommending Comcast over their company.

    --
    ~~ Behold the flying cow with a rail gun! ~~
  21. Re:Yes Yes! by DroopyStonx · · Score: 4, Interesting

    Because we all know Corporations policing is a VERY GOOD THING!™

    Wow, you make it sound like a conspiracy theory as if your rights are being taken away. What they're doing is right. It's THEIR network, they can do whatever you want. It's not like you have a right to use the internet.

    If I owned an ISP and some computer illiterate moron failed to keep up with patches, I would dump them too. People need to start getting with it and taking responsibility for their own actions. How many years now have all kinds of viruses and worms been glorified in the media? Far back as I can remember.. so saying, "Well, I didn't know" no longer cuts it.

    If you're gonna go on someone's network, the least you could do is be kind enough to educate yourself about how to update/protect your own PC.

    --
    We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
  22. Re:Yes Yes! by KC7GR · · Score: 4, Interesting

    You're obviously not a SysAdmin, or someone else who runs mail servers. Otherwise, you'd be cheering very loudly (and a lot less sarcastically) in response to this (as I am!)

    I've lost count of the number of times a virus-infested "spammer zombie" Comcast box has tried to hit our mail servers, and the problem's been going on for at least the last six months. In fact, it has gotten bad enough that I have two entire domains (client.comcast.net and client2.comcast.net) blocked out of our servers altogether.

    If Comcast's cable broadband customers are too ignorant or too stupid to take even the most basic of computing security precautions, why should the rest of the 'net have to suffer for their utter lack of responsibility for their systems? If they lose their connection until they TAKE RESPONSIBILITY for cleaning up their system, they have only themselves to blame.

    I, for one, am stunned that Comcrap actually DID something useful! Their abuse-handling unit has, in times past, shown all the responsiveness of a sun-warmed snail on Valium.

    --

    Bruce Lane, KC7GR,

    Blue Feather Technologies

  23. Lay the burden by the one causing the trouble by Raindeer · · Score: 2, Interesting

    You ask why we don't like bandwidth limits and like automatically triggered cut offs, like the two are equal. I don't mind bandwidth limits as long as they are clear, since you pay for your usage, if you use more, you pay. You're generally not pestering other people when you use more and the burden falls on you as well.

    With cut offs it is different. An infected machine is a pain to the entire internet community except (often) the person whose machine got infected. If such a machine gets blocked from the internet, the community benefits and the burden is returned to the owner of the machine. It is all about who carries the burden of the unprotected machine.

    Now I do have some experience in working with cut offs, since I helped run a campus network when I was a student. Abusers of the network, be they bandwidth hoggers or unprotected systems could get kicked off the network if they didn't update their behaviour. It had in general a good effect on the behaviour of people.

    When you do a cut off I would love to see a proper implementation of it. That would mean that a person's connection is not cut off outright, but that only certain services will be available for instance on a private, non-routable subnet. In this way the luser can get the updates necessary, will be automagically guided through the right steps and then once a scan is done of the system released onto the wild internet again. This doesn't require much human assistance.

    As a side note I would also like to mention that I wouldn't mind filtering of users' connections for instance on port 25 as long as the user him/herself can disable that feature too... It would be like the speedlimiter on cars which limit them to 250km/h. You can remove it and go faster, but for most people 250 is good enough.

  24. Business Plan by bludstone · · Score: 5, Interesting

    I have a suggestion.

    Write up a small business plan based around these knocked-off-the-network infected PCs.

    You can charge "$50 + travel fees. Usually under $100" to clean their computer, and get them back online. Yeah. It's a fee, and many people won't be happy about paying it. But, at the same time, it'll teach them a lesson about security on their PC. If they don't want to pay it again, they'll have to do their own security stuff.

    You see politics, I see opportunity.

    The only real trick to this would be streamlining with comcast, which is next to impossible.

    --

    no .sig
  25. Excellent by Luminous+Coward · · Score: 2, Interesting

    Comcast is, hands down, the largest spam source of the Internet with approximately 640 million messages every day. Personally, 25% of the spam I receive comes from the Comcast network. Of course, users are unaware that the latest virus has turned their computer into an open proxy sending millions of messages every day. I hope other major ISPs such as Road Runner (180 million), AT&T (150 million), and AOL (140 million) follow suit, and disconnect open proxies and zombies when they are found.

  26. Re:Yes Yes! (I have to dissent) by SillyNickName4me · · Score: 2, Interesting

    > Recently, one called me saying Comcast told them they had a trojan. ... and a bit further on ...

    > Comcast doesn't (I will refrain from saying can't or won't) say what a user's system is infected with, or what exactly it's doing...just that there's some "illicit traffic" coming from that IP.

    It might be me but it seems you are contradicting yourself here.

    Maybe they are not saying what trojan it is infected with, could be.

    Matter of fact is however that if Comcast's cutting off the connection affected your business in this specific case, you have a huge problem. Why? Because you were obviously intending to let this user work with a trojaned PC. Have you any clue whatsoever what that means?

    No, if you had a business user there on the other end, Comcast may actually have saved you from breach of security and integrity of your company, and possible liability for damage done by this infected PC.

    That said, of course it is possible to do this a lot better than Comcast do.

  27. It's not as easy as you think... by The_Systech · · Score: 2, Interesting

    I work in the Network Operations Center for an ISP in the midwest. Trying to police these types of things isn't near as easy as you would think. We are considered a "mid-sized" ISP with around 15,000 customers. Unless we happen to notice an increase in traffic from one of the customers, it's not easy to catch when a user's PC is infected with one of these worms. With the increasing amount of Spam out there, and the fact that the average internet user can't figure out how to dig through the headers to find out for sure where an email originated, we just don't hear about our users "spamming". When a case is brought to our attention, either through a complaint or by us noticing the increased mail traffic from a user, we immediately take action to get the problem resolved. However even with a properly documented abuse address, we just don't get feedback. There have been at least three different occasions when the first feedback we had that one of our users was "spamming" was when another ISP blocked mail coming from our IP's. We can't track the infected users down if we don't know about them...

    --
    To err is human, but to really foul things up requires a computer
  28. Re:Yes Yes! by loftis · · Score: 2, Interesting

    I have to interject here that we have a major lack of education problem.

    It's hard enough for us as techno-people to keep up with configuring and patching our systems, and keeping the virus defs updated, and the firewall secure. Now we expect John and Jane User to do it while they still think that the E-icon on the desktop 'IS THE INTERNET.'

    While it is good that Comcast is doing something about the problem, this is a bad solution to the problem.

    We as the People-Who-Know need to be spending time helping those who don't to become self-reliant, rather than telling them 'Sorry. You can't access the net until you clean up your system. Sorry, I can't really help you do it. Call someone else.'

    Anyone agree with this?

    --
    Developing Retail Point-of-Sale Software
  29. Re:Cox does this... by nfsilkey · · Score: 2, Interesting

    I have heard as much. And I have experienced Time Warner Cable / Roadrunner in Austin, TX doing the same to their customers infected with MyDoom, Blaster, and other nasty remote exploits and trojans. Apparently their engineers pulled the plug on everyone in the area (Buda, Georgetown, Round Rock, Lake Austin, etc.) at once after they'd completed scanning for the exploited.

    I know because in that 'pulling of the plug', certain blocks went down completely. Their tech support center was frickin slammed by incoming voice calls. A tech commented that upwards of 95% of his calls were people who complained they'd been cut off, and upon his inspection of the blacklist, were disabled due to vulnerabilities or exploits.

  30. Re:Cox does this... by LoudMusic · · Score: 2, Interesting

    Agreed. My roommate worked for a large broadband ISP in Arkansas which was regularly shutting off connections for usage abuse. Though they didn't have tools to help them. For the most part they just watched the load, checked the logs, and updated router configs manually.

    But it worked. And they blacklisted addresses and names of repeat spammer offenders and refused service to them in the future. He said they had the same people buying ISDN lines under different names all the time. Or the same name at a neighbor's house - presumably as an agreement, "I'll provide you with internet if you let me keep a computer in your house". Or maybe the dude just lived on a country road and could set up all the addresses he wanted (:

    --
    No sig for you. YOU GET NO SIG!
  31. Re:Plot by virus scan companies? by Zak3056 · · Score: 4, Interesting

    The most classic was one of the last techs, a supposedly bright 35 year old guy who came around with a warezed copy of NAV to attempt installing on her PC. He not only knew what Linux was when he recognised it, but told her to make her PC secure she'd have to install Windows and THEN put NAV on.

    If the school was insisting that all user PCs had to be running NAV, it's possible they bought a site license, so it wasn't necessarily a warezed copy of the software, just something on a CD-R. Also, Symantec does make a Linux version of their command line scanner, so it's not absurd that they require she install "NAV" on her machine.

    That said, the guy mentioned above is a dumbass on par with a tech at Adelphia cable I once spoke to when my modem lost sync. "We don't support Linux. You need to get a REAL operating system before I can help you."

    --
    What part of "shall not be infringed" is so hard to understand?
  32. Re:Why not... by CrankyFool · · Score: 2, Interesting

    Why not require a personal firewall? How about prior restraint (the concept, not the legal definition)?

    If I'm putting a Solaris box on their network, I don't want to have to install ZoneAlarm on it. I know how to secure Solaris boxes, thankyouverymuch. If they see a problem coming from my IP, they have my permission to nuke it, but until then, leave me alone.

    In other words, presume innocent and assume the user will deal with it until proven otherwise -- and then respond with extreme prejudice.

  33. Re:Bad Idea by Anonymous Coward · · Score: 2, Interesting

    You cannot reasonably force people to a specific set of anti-viral tools. That *is* censorship, it's monopolistic, and it's extremely anti-competitive.

    Look, they use DHCP. But have you ever *TRIED* to build a custom routing and firewall table to deal with local exceptions? Or manipulated DNS tables on anything approaching this sort of scale? It's even more impossible because some of the biggest patch and virus sites (such as support.microsoft.com) are using Akamai, and their DNS information is dynamically published by that company to point to the web cache nearest them. Try putting *that* in the routing tables for this little subnet.

    A solution that might work in a single office does *NOT* scale well to this size, believe me!

  34. Re:Yes Yes! by BlankTim · · Score: 2, Interesting

    Nope.

    I've spent the last 6 years "educating" computer/internet users.
    With very few exceptions, the vast majority of them still "don't get it".
    I'm more than happy to help people with this stuff, but I won't do it for free any longer. Better to be a well-paid whore, than just a whore.

    As an ISP, Yes, I expect my customers to keep their machines patched, their AV up to date, and their firewall configured properly.
    If their system becomes compromised, it is THEIR responsibility to clean it up. Not mine.

    All that spam grandma's compromised emachine is spewing may lead to my mail servers being blacklisted. At the very least it increases my workload. Sorry. Not going to put up with it.

    Once they've cleaned their mess up (and yes, it IS THEIR mess), I'll let them back on the network.
    Hell, I dropped a customer entirely a few weeks ago because they kept getting pwned. 10 incidents in 3 months. Sorry, but your $20.00 a month isn't worth *that* much work.

    --
    Just once, I'd like it if someone called me "Sir".
    Without adding, "You're creating a scene."
  35. Re:Yes Yes! by leob · · Score: 2, Interesting
    Freedom demands eternal vigilance, and you just gotta do it for yourself. That doesn't mean you can demand others apply that vigilance to their own lives; their concept of Freedom might just be different than yours.

    There are valid reasons why I shouldn't run a spambot. But are there any valid reasons why I shouldn't be allowed to run a spambot?

    There are none. Make yourself an intranet and run spambots there to your heart's content. Your freedom to run spambots ends at my incoming port 25.

  36. Re:Yes Yes! by Ryan+Amos · · Score: 2, Interesting

    Obvious troll, but I'll bite. They're not Nazis, they're in business to make money. They have AUPs that probably explicitly state that they're able to cut your service if it's deemed abusive. You also seem to have a warped concept of freedom here. You're paying to use a service, and that service comes with certain rules designed to protect both you and the provider of that service. These terms are agreed upon before you ever pay anything (it's up to you to read them or not, but by signing a contract you agree to follow them,) and if you don't want to abide by the rules, you're free not to have a cable modem. Spambots are destructive; they eat bandwidth and are a pain in the ass to other people. They're also often against the AUP of most broadband providers.

    Contracts exist for this very reason; to make sure that the terms of the agreement are fair for both sides. If you don't think they're fair, don't sign the contract. It's that simple. But you probably won't get broadband either.

  37. Re:No No! by Secrity · · Score: 2, Interesting

    No, Earthlink will not unblock your port 25 if you call and threaten to drop -- and this is a Good thing. Allowing open port 25 on consumer (and most other classes of users too) is a BAD thing. I believe that if all dialup and broadband consumer users had port 25 blocked that it would stop almost all viruses that are spread via email. Tough titties if somebody doesn't want to use their ISP's mail server -- I don't want to drive 55 either.

  38. This is Right by PonyHome · · Score: 2, Interesting

    Back when I was a clueless newbie, years ago, I set up a server, innocently leaving it as an open relay (this was the base configuration for Sendmail at that time). Within a few weeks, I got irate messages from people being spammed, some of whom, fortunately, included an informative snippet from one of the blackhole servers that told me what the problem was. I secured my servers, and I have learned to periodically check the open relay testers when I do reconfiguration (to make sure I didn't miss anything).

    What most cable modem people don't realize when they connect to a broadband line is that every one of them is potentially a server, capable of spewing all kinds of crap. They see a machine on their desk, not really grokking its connectedness to the rest of the world, and that that connectedness is a two-way street.

    As for rights, it's no different from using the public highways, except that the possible consequence to the public of ignorance is only monetary, not fatal. If they won't take the responsibility to educate themselves, then somebody else has to do it for them, or "take them off the road."

    While cleaning up my spam traps this morning, about 1/3 of it was from attbi.com and comcast.com. They need to climb down the ladder a ways, and start looking seriously at those who are only sending out maybe 10,000 emails a day. It should be easy to identify and whitelist those who are legitimately running very busy mailing lists, and detect which are unwitting spam fountains.

  39. Internet policing by KMSelf · · Score: 2, Interesting

    You omitted an option. 2.5: peer policing. Other networks deciding they're not going to put up with your sh*t and drop your packets. Viz: SPEWS, SpamCop, Spamhaus, etc.

    SPEWS listed over 9 million Comcast IP addresses a few weeks ago due to ongoing mishandling of network abuse (the entry reads "Poster child of how not to run a broadband network company"). This may have had some impact.

    I've been going rounds myself with an individual manning a /16 for which no postmaster or abuse record exists, and IP WHOIS contacts fail. He still doesn't seem to understand just why this is a problem. However several of the issues were cleared up after customer mail started being blocked by sites referencing RFC-Ignorant.

    --

    What part of "gestalt" don't you understand?

  40. Spammers know this, and are adapting by seppy · · Score: 2, Interesting

    Comcast certainly isn't the only ISP doing this and newer viruses/spam trojans are starting to show a trend that spammers are aware that they will be disconnected if they are obvious in their spamming behaviour. So instead of a lot of messages from a lot of machines all at once, it's a lot of machines sending a bit of mail at a constant steady rate but low enough to stay under the radar.

    --

    Brian Seppanen

    Minister of Information and Propaganda
    Area 54 The Secret Government Disco Labs Provo
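
The two detection ideas raised in comments 38 and 40 (a daily volume threshold with an exemption for legitimate list operators, and the steady low-rate pattern that stays under it), as an added example that is not part of the original thread. The flow records, the documentation-range IP addresses, the allowlist entry and the steadiness thresholds are all constructed assumptions; only the 10,000-a-day figure comes from the comment.

```python
from collections import defaultdict
from statistics import mean, pstdev

DAILY_LIMIT = 10_000        # "10,000 emails a day", the figure from comment 38
ALLOWLIST = {"192.0.2.10"}  # assumed: a known, legitimate mailing-list host

def build_sample():
    """Constructed records: (src_ip, hour_of_day, outbound SMTP messages)."""
    rows = []
    for h in range(24):
        rows.append(("192.0.2.10", h, 600))         # busy list server
        rows.append(("192.0.2.20", h, 500))         # obvious spam fountain
        rows.append(("192.0.2.30", h, 40 + h % 3))  # steady trickle, day and night
    for h, n in [(8, 3), (9, 12), (13, 1), (20, 7)]:
        rows.append(("192.0.2.40", h, n))           # ordinary bursty user
    return rows

def classify(rows, min_active_hours=20, max_cv=0.25, min_daily=200):
    """Return {ip: verdict}; the three thresholds are illustrative assumptions."""
    per_host = defaultdict(lambda: [0] * 24)
    for ip, hour, n in rows:
        per_host[ip][hour] += n
    verdicts = {}
    for ip, hours in per_host.items():
        total = sum(hours)
        active = [n for n in hours if n > 0]
        # Coefficient of variation: near 0 means a machine-like constant rate.
        cv = pstdev(active) / mean(active) if active else 0.0
        if ip in ALLOWLIST:
            verdicts[ip] = "allowlisted"
        elif total >= DAILY_LIMIT:
            verdicts[ip] = "volume"
        elif len(active) >= min_active_hours and cv <= max_cv and total >= min_daily:
            verdicts[ip] = "low-and-slow"
        else:
            verdicts[ip] = "ok"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify(build_sample()).items()):
        print(ip, verdict)
```

The host at 192.0.2.30 sends under 1,000 messages a day and would pass a volume-only check; it is caught because it sends at a near-constant rate in all 24 hours, which ordinary customer mail does not.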