Comcast Warns Customers Suspected of Bot Infection
eldavojohn writes "Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
FTFA:
Douglas said the bot intelligence is coming from Damballa, an Atlanta-based security company that monitors botnet activity and identifies botnet control networks. If Damballa spots a Comcast Internet address that is phoning home to one of these botnet command centers, Comcast’s system flags that customer’s address for a service notice.
That's a good point, but the screenshot does look pretty reasonable. It could have been done a lot worse, but it looks like they're at least acknowledging the trust issue.
That being said, it's not difficult to figure out which ISP a certain IP belongs to and for someone to forge these things.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
They do send an e-mail, at first. If the traffic continues unabated, they redirect port 80 traffic (only) through a proxy which adds the notice to the server response (the web page you request). It doesn't break or tamper with anything else.
Personally, I don't see a problem with this, since, if you're allowing botnet traffic, you're already abusing the TOS (with or without your knowledge -- and after the notice, certainly ignorance isn't an excuse), and as such you're not really entitled to "unbroken" service, or any service at all for that matter. I think providing this notice is a good compromise.
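The port-80 rewriting step described in the post above, as an added example that is not Comcast's code and not from the article: a toy model of a proxy that splices a notice overlay into an HTTP response. It only touches responses whose Content-Type is text/html, leaves compressed or chunked bodies alone, and recomputes Content-Length so the browser still renders the page. The notice markup, the sample responses and the helper names are all assumptions constructed for this example.

```python
"""Added example, not the ISP's or the article's code: a minimal model of a
port-80 proxy that injects a service-notice overlay into plain HTML
responses and passes everything else through unchanged."""

import re

# Assumed overlay markup; the real notice text and styling are not on the page.
NOTICE_HTML = (
    b'<div id="isp-notice" style="position:fixed;top:0;left:0;width:100%;'
    b'opacity:0.9;background:#ffd;border-bottom:1px solid #cc0;padding:8px;'
    b'z-index:2147483647">Service notice: traffic consistent with a bot '
    b'infection was seen from your connection.</div>'
)

# Constructed sample responses (not captured traffic).
SAMPLE_HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"<html><body><h1>Hello</h1></body></html>"
)
SAMPLE_JSON_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b'{"ok": true}'
)


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, header_lines, body).

    Returns None if the blank line ending the headers is missing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    status_line, *header_lines = head.split(b"\r\n")
    return status_line, header_lines, body


def header_map(header_lines):
    """Lower-cased header name -> stripped value (last occurrence wins)."""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


def inject_notice(raw_response: bytes, notice: bytes = NOTICE_HTML) -> bytes:
    """Return the response with `notice` injected right after <body>, or the
    response unchanged when it is not rewritable plain HTML."""
    parts = split_response(raw_response)
    if parts is None:
        return raw_response  # malformed or incomplete: never rewrite
    status_line, header_lines, body = parts
    headers = header_map(header_lines)

    if not headers.get(b"content-type", b"").lower().startswith(b"text/html"):
        return raw_response  # JSON, images, scripts etc. pass through
    if b"content-encoding" in headers:
        return raw_response  # gzip/br body: would need decoding first
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return raw_response  # chunk framing not handled in this toy model

    # Place the overlay immediately after the opening <body> tag if present,
    # otherwise at the very start of the document.
    m = re.search(rb"<body[^>]*>", body, re.IGNORECASE)
    cut = m.end() if m else 0
    new_body = body[:cut] + notice + body[cut:]

    # Rebuild the head with a single, corrected Content-Length.
    out = [status_line]
    for line in header_lines:
        if line.partition(b":")[0].strip().lower() == b"content-length":
            continue
        out.append(line)
    out.append(b"Content-Length: " + str(len(new_body)).encode())
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    print(inject_notice(SAMPLE_HTML_RESPONSE).decode())
```

Because the rewrite happens on the cleartext response, it can only apply to plain HTTP; a TLS-protected page is opaque to the proxy, which is also why nothing stops anyone on the path from injecting a look-alike notice into unencrypted pages.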
Rather than making a separate post, I also want to address one of the points in TFS: "Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
This is rather missing the point -- realistically, if any machine inside your network has been compromised, you should assume that the entire network has been compromised, and you should be inspecting/sanitizing/protecting all of the machines accordingly. You should likewise assume that all of your online accounts have been compromised, change your passwords from a trusted location, and check for any unauthorized activity.
https://www.eff.org/https-everywhere
I used to have the same opinion on Norton. However, recently I was hired by a shop that uses/sells Norton exclusively. The 2010 and 2011 versions aren't that bad. They fix infected drivers pretty well, a quick scan only takes a few minutes max on a P4/512MB system, and have a detection rate on par with what I've seen from Vipre or MSE. I'm not saying it's the best, I'm just saying it's not the worst.
I didn't say they don't deserve service, I said they don't have a right to it. What people deserve is only rarely related to what they get. Moreover, their presence on the network is necessarily degrading the experience for everyone else who's being responsible with their activity. Do responsible users *deserve* to be inundated with attacks from the machines of people who, for whatever reason, aren't "advanced user interested in computers and all things technical?" What if we were discussing dogs instead of computers? Would the behavior of their animals be justified by ignorance, incompetence, or apathy?
As I said I think an adequate balance is struck in this case -- there's no disruption of service, *especially* as far as the non-technical user is concerned, and as for erring on the side of caution (false positives) if you think that's a mistake, then I hope you're not an admin.
https://www.eff.org/https-everywhere
I don't know about you, but as soon as I realize it is a call from an autodialer, I hang up.
If I were God, wouldn't I protect my churches from acts of me?
If they weren't "inspecting" traffic then the internet wouldn't work. How else would you route data from one computer to another without inspecting the traffic to see where the data needs to go? This same level of data can also tell you if the computer is a bot. For instance, if your computer is only sending data to port 25 on seemingly random hosts continuously for days, take a guess at what is happening; it's likely to be only one of two things. Same thing for suddenly getting a lot of 100% identical requests from 50 computers on your network at the same time going to the same destination, maxing out their own connection.
This is no different than the telephone company "inspecting" the line for a 2600Hz tone when the phone was placed off hook. A lot can be done without looking at the content of the data.
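The detection reasoning in the post above (flagging a host from flow metadata alone, without reading content) together with the Damballa description quoted from the article (an address phoning home to a known botnet controller), as an added example that is neither Damballa's nor Comcast's code: three heuristics run over constructed flow records of the kind a router or NetFlow collector exports (timestamp, source, destination, destination port). The C2 list, thresholds, window size and sample flows are all assumptions; the addresses are RFC 5737 documentation ranges standing in for customers and external hosts. Since the ISP sees only the customer's public address, every flag lands on the whole connection, which is exactly the multiple-machines-behind-NAT situation the summary raises.

```python
"""Added example, not Damballa's or Comcast's code: metadata-only bot
heuristics over constructed flow records.

  1. contact with an address on a known-C2 list (the Damballa case)
  2. one source fanning out on port 25 to many distinct hosts (spam bot)
  3. many sources hitting one destination in the same window (DDoS/botnet)
"""

from collections import defaultdict, namedtuple

# A flow record carries no payload: just who talked to whom, when, on what port.
Flow = namedtuple("Flow", "ts src dst dport")

# Assumptions for the example; real lists and thresholds are tuned per network.
KNOWN_C2 = {"198.51.100.7"}    # documentation address standing in for a C2 host
SMTP_FANOUT_THRESHOLD = 20     # distinct port-25 destinations from one source
SAME_TARGET_THRESHOLD = 5      # distinct sources on one dst:port in one window
WINDOW_SECONDS = 60

# Constructed sample flows (not captured traffic). 192.0.2.x = customers,
# 203.0.113.x = external hosts, timestamps in seconds.
SAMPLE_FLOWS = (
    # one customer phoning home to the listed C2 address over 443
    [Flow(10, "192.0.2.10", "198.51.100.7", 443)]
    # spam bot: one customer opening SMTP sessions to 25 different mail servers
    + [Flow(20 + i, "192.0.2.20", f"203.0.113.{i}", 25) for i in range(1, 26)]
    # legitimate mail client: repeated SMTP to a single relay, not flagged
    + [Flow(50 + i, "192.0.2.30", "203.0.113.1", 25) for i in range(3)]
    # six customers hitting the same web server within one minute
    + [Flow(100 + i, f"192.0.2.{31 + i}", "203.0.113.200", 80) for i in range(6)]
    # ordinary browsing
    + [Flow(200, "192.0.2.40", "203.0.113.50", 443),
       Flow(205, "192.0.2.41", "203.0.113.51", 80)]
)


def flag_c2_contact(flows, c2=KNOWN_C2):
    """Sources that talked to any address on the C2 list, regardless of port."""
    return {f.src for f in flows if f.dst in c2}


def flag_smtp_fanout(flows, threshold=SMTP_FANOUT_THRESHOLD):
    """Sources whose port-25 traffic reaches at least `threshold` distinct hosts.

    A real mail client talks to one or two relays; a spam bot delivers
    directly to many recipients' mail servers."""
    dests = defaultdict(set)
    for f in flows:
        if f.dport == 25:
            dests[f.src].add(f.dst)
    return {src for src, d in dests.items() if len(d) >= threshold}


def flag_same_target(flows, threshold=SAME_TARGET_THRESHOLD,
                     window=WINDOW_SECONDS):
    """Sources that, within one time window, joined at least `threshold`
    other sources in hitting the same destination and port."""
    buckets = defaultdict(set)
    for f in flows:
        buckets[(f.ts // window, f.dst, f.dport)].add(f.src)
    hits = set()
    for (_, _dst, _port), srcs in buckets.items():
        if len(srcs) >= threshold:
            hits |= srcs
    return hits


def suspect_hosts(flows):
    """Run all three heuristics and report which sources each one flagged."""
    return {
        "c2": flag_c2_contact(flows),
        "smtp_fanout": flag_smtp_fanout(flows),
        "same_target": flag_same_target(flows),
    }


if __name__ == "__main__":
    for reason, hosts in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{reason}: {sorted(hosts)}")
```

The first heuristic is the only one that needs outside intelligence (the C2 list); the other two work purely from counts that the routing layer already has. The legitimate mail client in the sample, repeatedly talking to one relay, is deliberately included to show where the fan-out threshold keeps a false positive out.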