Comcast Cuts Infected PCs' Network Connections
fidget42 writes "I just noticed this article over at Infoworld. It seems that Comcast is finally doing something about the machines on their network that are being used by spammers. They are now cutting off service to those customers who have computers that have been hijacked by spammers. Now, if only other broadband ISPs would start policing their user base ..."
ATTBI (back in 2002) was disabling people's accounts for being infected with worms... People's modem CFG file would be set to disabled.cfg and they would have block sync but wouldn't be permitted onto the network.
If Comcast took over from ATTBI and is using parts of their existing network, I just can't understand why modems were not being disabled recently for infection by worms.
Because we all know Corporations policing is a VERY GOOD THING!tm
You'd be first in line to moan about them 'infringing' on your interweb rights!
Which side of the fence are we on? We don't like bandwidth limits, but we do like automatically triggered cutoffs, because we all know there is no such thing as a false positive.
Also, say grandma gets infected. She is best off downloading updated definitions for her old version of Symantec, and letting AV take care of it. How do you do that with no intarweb?
Doesn't this force those users to go out to CompUSA and buy a copy of McAfee or Norton antivirus?
Blocking web access also means that those users aren't able to download good, free virus scanners like Grisoft's AVG.
I have been pwned because my
For example, I administer a mail server, and occasionally have to mail a virus or spam to myself to check that the filters are operating correctly. It would be very inconvenient if I got my connection pulled each time that happened.
I know anecdotal evidence is pretty much worthless, but my friend got infected with all sorts of nasty ad/malwares, along with Blaster and a couple other worms. Cox deactivated his cable modem, he had to call them and go through phone hell to get his service back. So I'm not really sure it's only Comcast doing this.
I'm on top of my game like I'm standin' on Xbox.
Although a lot of the spammers are not spammers but people with infected computers. But they won't do anything unless they have to. Cutting net access to them will force them to fix the problem one way or another. Most people who are hacked will go "well, it is not affecting me so I won't fix it." But with their connection gone, then it is affecting them. Now they can fix it themselves or hire someone to do it. But this is a good first step.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I applaud this decision. Even though it will possibly cost them customers or cost them additional tech support time, they will be cutting off people's owned Windows boxes.
Let's hope they hold to this once the calls start coming in from people who have everything from Bagle to Netsky (along with probably a heavy dose of spyware too).
... would be to put the network connection onto a quarantined sub-net where all the necessary virus removal tools were available. Once the machine was cleaned up, it would be allowed general network access again.
Fine, stop the infected machines from DDoS'ing. But hey, can the SERVICE be a little more SERVICE friendly? Like this: DHCP message comes up: "Dear Comca$t customer. Your computer seems to be infected with a computer virus. We will only allow you access to our FREE antivirus tools site until you have resolved this problem. Please contact us at blah, blah, blah". Then let 'em into a site that they control with standard tools to detect and blow away those worms. Might make the customers happy instead of ticked off.
That explains why I haven't been spammed by a Comcast box for ... 36 minutes :(
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
I for one welcome our new connection blocking ISP overlords?
First time for me...
I agree that this should be done in extreme cases where the customer is CONTACTED before so that information and education can be PROVIDED. Simply clipping the wire does not fix the issue for anyone but the ISP.
Second, Backroads.net implemented the policy above with much success. I was happy as a customer of theirs.
It is unfortunate that this has to be done, but wouldn't a more effective solution be to block all ports but 80 or maybe even force all their traffic to a URL with an explanation of the virus and let them know that they cannot do anything on the web until it is fixed?
This reminds me of the idea of putting people in jail for debt. Bankruptcy amounts to a life sentence, since there was no possible way a person could make up the sum of money while in jail, away from the work force.
How can these people fix the problem without access to up-to-date patches and virus scans?
To me, this sounds like an OK idea, because I bet this will be the ONLY way that many users FIND OUT that their computers have become zombie spambots.
There is a certain responsibility that comes with being a part of the internet, one that has become greatly understated since the commoditization and commercialization of the 'net as a whole: do not become a danger or a malfeasance to the rest of the machines that are also connected.
Unfortunately, this is something that seems to be lost on the clients of broadband always-on connections, especially those that are used by folks with little or no proficiency. While they have no intention of becoming spam-hosts, or DDOS platforms, by not keeping their machines protected against the various evils that lie in waiting out there, they unwittingly become part of the problem.
This does not reduce the hassles and costs to other sysadmins and users of the 'net as a whole. That said, it seems only fair for an ISP to mitigate the problem by pulling the connection of a user whose systems(s) are spewing out malware.
There are reasonable precautions one should take, that is, having a good firewall, keeping the machine patched and having good virus protection. No, this does not come without some effort and not always without cost. But, to be connected to the internet full-time, it is a cost of doing business, not unlike having insurance for your car in case you cause an accident. Liability insurance is to protect the public, and you from losing everything should you do harm to others. Keeping worms, trojans and viruses off of your machine also protects not only you but others as well.
So, it is really a matter of responsibility.
It's about the easiest thing in the world for the ISP to do and it's _very_ effective. Another option would be for ISPs to force all SMTP traffic through their own mailserver and virus scan it. They could easily spot a home user sending a couple of thousand messages in an hour or one spreading infected email everywhere.
If you want unfettered access you can pay for a co-lo box and take the responsibility too. People can't keep hiding behind their ISP and dynamic IPs. I'm all for personal freedoms on the net, but with freedom comes responsibility. Deal with it.
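As an added illustration of the volume check the poster describes (example code, not anything Comcast or the poster runs): a per-source sliding one-hour window over a relay's accept log, flagging any customer IP that exceeds a message threshold. The log line format, the threshold and the sample IPs are all constructed assumptions.

```python
"""Flag customer IPs whose outbound SMTP volume through the ISP relay
looks like a spam zombie (constructed example, assumed log format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed relay log line: "<ISO timestamp> accept from=<ip> to=<recipient>"
LINE_RE = re.compile(r"^(\S+) accept from=(\d+\.\d+\.\d+\.\d+) to=(\S+)$")

WINDOW = timedelta(hours=1)
THRESHOLD = 1000  # messages per hour; far below "a couple of thousand"


def parse_line(line):
    """Return (timestamp, source_ip, recipient) or None for a line we can't read."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, rcpt = m.groups()
    return datetime.fromisoformat(ts), src, rcpt


def find_zombies(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each source IP that exceeds `threshold` messages within any
    `window` to the timestamp at which it first crossed the line.
    Assumes each source's lines appear in time order."""
    recent = defaultdict(deque)  # src_ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        ts, src, _ = rec
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def constructed_log():
    """Constructed sample: one normal sender (5 mails in 40 minutes) and one
    zombie (1200 mails, one per second)."""
    base = datetime(2004, 6, 1, 3, 0, 0)
    lines = [f"{(base + timedelta(minutes=10 * i)).isoformat()} accept "
             f"from=10.0.0.5 to=friend{i}@example.net" for i in range(5)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} accept "
              f"from=10.0.0.77 to=victim{i}@example.org" for i in range(1200)]
    return lines


if __name__ == "__main__":
    for ip, when in find_zombies(constructed_log()).items():
        print(f"{ip} crossed {THRESHOLD}/hour at {when.isoformat()}")
```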
You obviously have never worked as tech support.
You could send out that email every day, with detailed instructions, and it would have very, VERY little effect on the number of infected/hijacked machines.
Most users just won't do that stuff. Especially if it involves anything more complicated than "Click here". Multi-step instructions are not going to be followed. Unless, of course, it's going to win them a free trip to Disneyland.
As far as "don't install spyware"...well, spyware is hard to classify, and a lot of it installs pretty silently. Expecting users to be able to distinguish between "bad" pop-up dialogs asking to install Gator and "good" pop-up windows asking to install Flash (or whatever) is asking too much.
Attachments in emails are just going to be opened, period. No one ever learns their lesson in that regard.
You can't send a message with DHCP; that's a network assignment protocol. As in, you get your IP from them with that.
It would be even better to send them a "Net Send" but that's been disabled due to viruses and spam.
Frankly those users have ignored all the obvious aspects of being infected (100% cable light flashing) and have probably consumed more bandwidth than an army of teenagers downloading MP3s. That cable *should* be cut and I stand by my comments about desiring cable access being denied to them UNTIL they remove their virus.
Frankly, they AREN'T running a virus scanner because... obviously... the logs go on for days. Weeks. A few for months. So how exactly do you want to make them call in for more information? Why, you cut out their access. Very quickly they call in. If they don't, well, they weren't using the service and they will call in when they want to... at which point a qualified technician can 'walk them thru' downloading a virus scanner and installing it.
Because let's face it: if they are spamming the net with a virus that's been on their machine for months, a little DHCP message (hah) ain't gonna do nothing to stop them.
That's all well and good, but . . .
I work for one of the largest meta-ISPs. To put things simply, my employer operates the back-end of a few hundred internet services. Said employer shall remain nameless, and no, my email address does not reflect said employer.
Anyway. I'm a graveyard shift network operator. There isn't a whole lot to do on the graveyard shift except make sure nothing bursts into flames. So I'm pretty bored until about 5am when our authentication logs get rolled into the database.
And this is when I can go through all the complaints about spam, viruses, port scans, and whatever else our teeming masses of end users have perpetrated, and figure out exactly whose computer is doing what. And then shut 'em off.
I agree completely that it would be great if there were some way I could efficiently get the end user to disinfect or secure their systems without having to resort to strong-arm tactics, but the truth is that, for 99.99999% of home users, disabling their supply of email and porn is the only way we can get them to sit up and pay attention.
Think about it. If you got some popup on your screen that said you have a virus and your internet connection is at risk, you'd just close it and go about your business. Unless your connection didn't work, and then you'd call customer service and try and get it 'fixed'.
Heck, most people get popups that tell them that sort of thing all the time.
Would a smart person trust that the 'free' antivirus tools are indeed what they claim to be without some way of independently verifying that? I sure wouldn't.
Would an average end user be able to use them effectively? That joke isn't even funny. I did my time in tech support - the sheer number of people who have asked me what a comma is while I'm trying to help them disable call waiting on their phone line are shadowed only by the monumental stupidity of the woman who was overheard - on several calls - shouting at her husband - over and over - "IT'S THE A IN THE CIRCLE! THE *A* IN THE *CIRCLE*!!!". It would be funnier if it didn't make one lose all faith in the future of humanity.
Furthermore, have you considered the liability issues here? You want a corporation to tell a user to run a program that purports to remove a virus from their system? A FREE program? What happens when it runs across some new variant of some virus, thinks it's the old variant, does the wrong thing to remove it, and ends up rendering the whole system inoperable? I'll tell you what, some arm-chair attorney is going to threaten legal action. You have no idea how frequently this really happens. Even if you so much as recommend third party software.
So we cut 'em off. Just to force them to call us. And then we tell them, essentially, "Look, buddy. Your computer has this problem. And your computer's problem is our problem. And that makes it your problem. We don't care what you do to solve this problem, but you better do it. We suggest antivirus software as a first step. We hear that you can get a free version of something called AVG."
And then, if they seem to understand, we turn their connection back on, so that they can update their Norton or download AVG or whatever.
And every week, there's two or three end users who get their accounts totally closed because we've been over this with them three times already and they haven't managed to get the picture.
I wish there were a kinder, gentler way to do it. So far, I don't think there is.
This is just like television, only you can see much further.
I'm one of the sysadmins for a company with a large number of remote employees. Recently, one called me saying Comcast told them they had a trojan. Well, I couldn't fly out to look at the laptop and the employee couldn't exactly just send the computer and work from nothing. I had this person seek local help, and after several attempts Comcast still shut down internet service.
I understand that techies across the world think this is super-fantabulous, but this is horrendous for the average end-user. Comcast doesn't (I will refrain from saying can't or won't) say what a user's system is infected with, or what exactly it's doing...just that there's some "illicit traffic" coming from that IP. That's great, now how am I supposed to diagnose the problem? It wouldn't be that difficult if the machine were in front of me, but how do I walk Mary End User through complicated tasks over the phone while she's already frustrated? If Comcast were doing more - i.e. they told you what the problem was and the steps you can take to remedy it - I would be more supportive of this. As it stands, it's just going to make a lot of end-users get cheated by shady local PC repair places while they get the run-around from fifteen different vendors. Make jokes about virus scans all you want, but nothing is fool-proof...and since any fool is equipped with a computer these days, infections will happen and malicious attacks will succeed. So +1 to Comcast for taking some initiative, and -2 for crappy execution and not giving half as much of a flying foo as they'd leave their customers to believe.
This is a very bad idea! The best source for antivirus and spyware-removal software is on the internet. To me, it looks like they're burying the problem instead of fixing it.
Now, here's my humble suggestion for a better solution. If a PC is identified as a compromised machine, it's added to a pool of machines that all get a special IP and special DNS servers (I assume they run DHCP - if they don't they should). Now, the new DNS servers resolve all addresses to a special page dedicated to downloading anti-spyware and virus checkers. Maybe even an online scanner like housecall. So, when Joe Luser fires up his web browser, he reaches this page no matter what he types. Once his machine is cleaned, he will be removed from the compromised pool.
I have a suggestion.
Write up a small business plan based around these knocked-off-the-network infected PCs.
You can charge "$50 + travel fees. Usually under $100" to clean their computer, and get them back online. Yeah. It's a fee, and many people won't be happy about paying it. But, at the same time, it'll teach them a lesson about security on their PC. If they don't want to pay it again, they'll have to do their own security stuff.
You see politics, I see opportunity.
The only real trick to this would be streamlining with Comcast, which is next to impossible.
no
"I couldn't fly out to look at the laptop and the employee couldn't exactly just send the computer and work from nothing. I had this person seek local help, and after several attempts Comcast still shut down internet service....this is horrendous for the average end-user." What's horrendous for the end user you speak of is not that Comcast acted responsibly by cutting off a spam zombie's access, but that your IT department has not provided adequate support for remote users.
My other machine is a lever.
The problem here is that Comcast is shutting down people's connections with no recourse to find out why or to re-enable it.
I received an email and an automated phone call from Comcast stating that I had an infected computer and I must clean it up. I was immediately pleased that they noticed, but frustrated that I could be infected. 5 PCs with varying OSs, all with firewalls and/or antivirus software, so I thought it was unlikely but possible. After doing a full scan I found no viruses.
So I called Comcast's 800 number. They said I need to call a different long-distance number. That number is an automated system with nothing but dead ends. If I select the option about "Viruses and spam emails" then it tells me to email abuse at comcast.net if I get a bad email. But I don't want to report a spam, I received a report. All the options did approximately the same thing: Told me something I already know then hung up. Several calls later, I used the "leave a message" option. A week goes by and I received no call back. I replied to the email but received no response. Nobody on the service number would talk to me about it.
So I receive another email telling me that my service may be disabled if I don't fix the problem. So what do I do now?
To top it off, this isn't the first time. About 8 months ago, Comcast called and told me I was reported for sending spam. When they read me part of the SpamCop report (which they refused to do many times) it turned out to be a SpamCop report that my roommate made! We _reported_ the spam, we didn't _send_ it! After much arguing, the guy finally got it and left us alone. Mistakes happen, but what irks me the most is that they wanted to tell me I sent a spam, and make sure I corrected my behavior, but refused to tell me the source of the report, or what the email was, or when it was sent, or anything!
Below is the email Comcast sent me. It looks like a form email, with no specific statement about what went wrong.
But, users are dumb, and I'll agree with that. Last summer when the Blaster worm came out, we emailed our customers ahead of time telling them they need to download the Microsoft patch.
On top of that, the Microsoft Windows Update popup that comes up by default, once a week, users still continue to ignore it because they don't know what it does.
Personally, I'd like to see more of this type of internet policing by ISPs. They should also be blocking people who have open SMB shares on their Windows networks. I can't count the number of times I've purposely gone into someone's SMB share and dropped a text file telling them how to fix it.
I, however, disagree with the Government policing of the internet. I believe the internet should be policed by the people who pay for it to be there. That would be us and the ISPs.
It's a reference to the Blues Brothers, one of the greatest movies ever made. If you haven't seen it then you just don't understand the blues.
Jake: "Hey what's goin' on?"
Cop: "Oh those bums won their court case so they're marching today"
Jake: "What bums?"
Cop: "The fucking Nazi party!"
Jake: "Illinois Nazis"
Elwood: "I hate Illinois Nazis!"
Maybe we DID take the blue pill. You wouldn't remember anyway.
A few minutes before I found this thread today I received an automated message from lafn.org. In that message it stated very clearly that it was an automated process that was blacklisting a /24 around a machine on one of our dialup netblocks that was caught sending mail to one of their spamtraps. That user is of course infected as are probably 50% IF NOT MORE of our customers. Our customers, no matter how big they are, no matter how big a customer they *think* they are, no matter what service they pay for have the right to cause 252 other customers at any given moment to be blacklisted. If they think they are that important then we sure as hell don't need them as a customer.