Comcast Cuts Infected PCs' Network Connections 592
fidget42 writes "I just noticed this article over at Infoworld. It seems that Comcast is finally doing something about the machines on their network that are being used by spammers. They are now cutting off service to those customers who have computers that have been hijacked by spammers. Now, if only other broadband ISPs would start policing their user base ..."
Cox does this... (Score:5, Informative)
Happened to me. (Score:3, Informative)
Anyhow, my friends at AT&T Broadband (the ones that never answered their phone) sent me a nastygram telling me that I was doing a bit too much port scanning for their liking (duh...)
So I ripped the machine off the network and poked around. Yep, it turned out that my machine was infected a few hours after I installed the OS, and it was doing its bad thing for WEEKS.
At the time, AT&T just "informed me" that I should stop doing bad things. I think it would have been prudent for them to kill my service until I took corrective action.
Of course, this was 3 years ago or so... a more innocent time...
Re:Is this right? (Score:2, Informative)
Comcast Terms Of Service / Acceptable Use Policy (Score:3, Informative)
From the AUP:
Note: Comcast reserves the right to immediately terminate the Service and the Subscriber Agreement if you engage in any of the prohibited activities listed in this AUP or if you use the Comcast Equipment or Service in a way which is contrary to any Comcast policies or any of Comcast's suppliers' policies. You must strictly adhere to any policy set forth by another service provider accessed through the Service.
So they can terminate service, based on violation of the subarticles:
(vii) restrict, inhibit, or otherwise interfere with the ability of any other person, regardless of intent, purpose or knowledge, to use or enjoy the Service, including, without limitation, posting or transmitting any information or software which contains a worm, virus, or other harmful feature, or generating levels of traffic sufficient to impede others' ability to send or retrieve information;
And transmitting a virus is definitely a violation. Still, it would be nice if there was more information on what will cause them to pull the plug.
Re:Other ISPs start to do this? (Score:5, Informative)
Doesn't just apply to viruses... (Score:2, Informative)
As much as I love OS X (sitting on it right now), it is not "infection-proof".
BSD/OS X is just as vulnerable to hacking as any other Unix system if left unpatched and unmaintained.
Just because there hasn't been a working worm written for BSD/OS X doesn't mean there won't be one.
PLUS, -just- having an updated AntiVirus doesn't solve the problem! It's the patch level too, it's the non-configured software or hardware firewalls, it's the complete dearth of knowledge of the basics of computer security! Everyone has to learn to drive, so everyone has to learn to keep things at a baseline level of security.
Why don't you do your part and instead of calling people stupid, educate those you know, and tell them to educate others?
Re:Nice but... (Score:3, Informative)
Re:Nice but... (Score:4, Informative)
you know, where you see stuff like this recurring in your web server's logs...offending ip removed...
the people they are cutting off are sending out daily attacks to multiple machines, not just once or twice sending out crap here and there. I think you'll be ok.
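The distinction the comment draws, a host that probes you day after day versus one that sweeps past once, is easy to check from a web server log. The following is an added example, not code from the thread or from any ISP: it parses Apache combined-format lines, matches the well-known Code Red and Nimda probe strings, and keeps only sources seen on at least two distinct days. The log lines are constructed and use documentation addresses, since the poster had removed the real offending IP.

```python
"""Flag hosts whose worm probes recur day after day in a web server log.

Added example, not from the original thread.  Signatures are the familiar
Code Red / Nimda request strings; the sample log is constructed with
addresses from the 192.0.2.0/24 documentation range.
"""
import re
from collections import defaultdict

# Apache combined format, just enough of it to get source, day and request path.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d\d/[A-Za-z]{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request paths no legitimate client sends.  Coarse on purpose: "cmd.exe" and
# "root.exe" match wherever they appear in the path.
PROBE_SIGNATURES = (
    "/default.ida",   # Code Red
    "root.exe",       # Nimda via the backdoor Code Red II left behind
    "cmd.exe",        # Nimda directory-traversal variants
    "%255c",          # Nimda's double-encoded backslash traversal
    "%c0%af",         # Nimda's overlong-UTF-8 slash traversal
)

def is_probe(path):
    p = path.lower()
    return any(sig in p for sig in PROBE_SIGNATURES)

def probe_hits(lines):
    """Yield (ip, day, path) for every request matching a probe signature."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_probe(m["path"]):
            yield m["ip"], m["day"], m["path"]

def persistent_offenders(lines, min_days=2):
    """Sources that probed on at least `min_days` distinct days.

    One-off hits are left out; returns {ip: {"days": n, "hits": n}}.
    """
    days = defaultdict(set)
    hits = defaultdict(int)
    for ip, day, _ in probe_hits(lines):
        days[ip].add(day)
        hits[ip] += 1
    return {ip: {"days": len(d), "hits": hits[ip]}
            for ip, d in days.items() if len(d) >= min_days}

def _line(ip, day, path, status):
    return (f'{ip} - - [{day}:03:15:02 -0600] "GET {path} HTTP/1.0" '
            f'{status} 287 "-" "-"')

# Constructed sample: one host probing on three consecutive days, one host
# seen once, and one host doing nothing but normal browsing.
SAMPLE_LOG = [
    _line("192.0.2.10", "05/Mar/2004", "/default.ida?XXXXXXXXXXXXXXXX%u9090%u6858", 404),
    _line("192.0.2.10", "06/Mar/2004", "/scripts/root.exe?/c+dir", 404),
    _line("192.0.2.10", "06/Mar/2004", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", 404),
    _line("192.0.2.10", "07/Mar/2004", "/c/winnt/system32/cmd.exe?/c+dir", 404),
    _line("192.0.2.44", "06/Mar/2004", "/default.ida?XXXX", 404),
    _line("192.0.2.99", "05/Mar/2004", "/index.html", 200),
    _line("192.0.2.99", "06/Mar/2004", "/images/logo.gif", 200),
    "garbage line that is not a log entry",
]

if __name__ == "__main__":
    for ip, info in sorted(persistent_offenders(SAMPLE_LOG).items()):
        print(f"{ip}: {info['hits']} probes over {info['days']} days")
```

Run against a real access log, `persistent_offenders(open("access.log"))` gives the list an abuse desk would act on; lowering `min_days` to 1 shows the one-off sweeps as well.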
Re:Or maybe... (Score:3, Informative)
I use my university's network for internet access, paying UK60 a year for access in my room. At the start of the year there were a lot of virus-related problems, mostly people bringing machines in from home and plugging them in without a firewall or AV software.
Network Services don't insist on this. They don't insist on a virus scan first. What they DO do is cut you off if your PC is causing a nuisance to the network, because they're only three men taking care of the main servers and staff terminals (public terminals are someone else's responsibility).
A lot of people whine about it, but IMHO it's fair policy. They're busy enough without having to help the blissfully clueless. That said, it wouldn't kill them if your 60 included a CD with, say, ZoneAlarm and AVG on... (I distributed similar CDs to friends, with Mozilla Firebird, just so they didn't pick up anything nasty.)
The moral of the story: well, there are two. The first is "You're paying us for the service, not for us to hold your hand and show you how to use your computer." The second is that some people really need to be beaten around the head with a clue-by-four.
Adelphia (Score:3, Informative)
-First, the customer is identified, then placed into a 'walled zone'.
-This walled zone will route/allow the cable modem to go only to one specific location, a certain web page in this case.
-Said web page will include downloads for virus fixes and such. Customer goes there, downloads, and cleans up his computer.
-When it has been verified that the customer has gone there and cleaned up, they check his system, then reactivate his account.
To me it seems like a pretty nifty way of stopping virus spreading while keeping the customer informed of what's going on.
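The walled-zone flow above is essentially a per-subscriber policy with two states and a gated release. The model below is an added example, not Adelphia's or any ISP's code: a quarantined subscriber can reach only the remediation page (plus DNS to resolve it), other HTTP is redirected there, everything else is dropped, and reactivation is refused until a clean-up has been recorded. The portal host name and resolver address are assumptions.

```python
"""Model of the 'walled zone' quarantine described in the post.

Added example, not any ISP's implementation.  PORTAL_HOST and RESOLVER are
assumed values; the subscriber identifiers in the usage are made up.
"""
from enum import Enum

class State(Enum):
    ACTIVE = "active"
    QUARANTINED = "quarantined"

class Verdict(Enum):
    ALLOW = "allow"
    REDIRECT = "redirect"   # HTTP steered to the fix-it page
    DROP = "drop"

PORTAL_HOST = "fixme.isp.example"   # assumed remediation web page
RESOLVER = "198.51.100.53"          # assumed ISP resolver (TEST-NET-2)

class WalledGarden:
    def __init__(self):
        self.state = {}        # subscriber -> State (absent means ACTIVE)
        self.cleaned = set()   # subscribers whose clean-up was verified
        self.audit = []        # (subscriber, event) trail

    def quarantine(self, sub, reason):
        self.state[sub] = State.QUARANTINED
        self.cleaned.discard(sub)        # an earlier clean-up no longer counts
        self.audit.append((sub, f"quarantined: {reason}"))

    def decide(self, sub, dst_host, dst_port, proto="tcp"):
        """Forwarding decision for one flow from `sub`."""
        if self.state.get(sub, State.ACTIVE) is State.ACTIVE:
            return Verdict.ALLOW
        if proto == "udp" and dst_port == 53 and dst_host == RESOLVER:
            return Verdict.ALLOW          # needed to find the portal at all
        if dst_host == PORTAL_HOST and dst_port in (80, 443):
            return Verdict.ALLOW
        if dst_port == 80:
            return Verdict.REDIRECT       # browser lands on the fix-it page
        return Verdict.DROP               # SMTP, worm ports, everything else

    def record_cleanup(self, sub, scan_clean):
        """Called once the subscriber's system has been checked."""
        if scan_clean:
            self.cleaned.add(sub)
            self.audit.append((sub, "cleanup verified"))

    def reactivate(self, sub):
        """Release only a subscriber whose clean-up was verified."""
        if sub not in self.cleaned:
            return False
        self.state[sub] = State.ACTIVE
        self.audit.append((sub, "reactivated"))
        return True

if __name__ == "__main__":
    g = WalledGarden()
    g.quarantine("cm-0001", "outbound SMTP flood")
    print(g.decide("cm-0001", "www.example.net", 80))   # Verdict.REDIRECT
    g.record_cleanup("cm-0001", scan_clean=True)
    print(g.reactivate("cm-0001"))                      # True
```

The point of `cleaned.discard()` in `quarantine()` is that a second infection must not be releasable on the strength of the first clean-up; `reactivate()` without a fresh `record_cleanup()` keeps returning False.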
We do this (Score:3, Informative)
Re:DHCP message? Since when? (Score:4, Informative)
My cable light has been flashing intermittently ever since the latest Windows worm. It's not because my (Fedora Linux) computer is infected, it's because every other infected computer on the net is periodically scanning my entire block of IP addresses. Every time they try to infect an unused address in that block, our helpful routers send an ARP packet to every cable modem user. I've seen more than a hundred per second during bad periods.
Maybe DSL users (who don't have to share the same bandwidth with everyone in their neighborhood) or users at smarter cable modem companies (who could be caching these things a bit longer, not sending out ARP requests for the same IP address every few seconds) would see a difference if they were infected by a virus, but at least Road Runner Austin users are probably all used to constantly flickering cable modem lights by now.
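The symptom described in this comment, a head-end router broadcasting ARP requests for unused addresses every few seconds and reaching over a hundred per second, can be measured from a capture on any modem on the segment. The script below is an added example, not from the thread: it parses tcpdump-style ARP request lines, reports the peak requests per second, and lists the targets that were re-queried inside a short window, which is exactly the "not caching a bit longer" behaviour the comment complains about. The line format and the sample capture are constructed.

```python
"""Estimate ARP-request broadcast load on a shared cable segment.

Added example, not from the original thread.  Input is tcpdump -n style
ARP request lines; the sample capture below is constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed format, e.g.:
# 14:02:11.000512 ARP, Request who-has 10.0.5.77 tell 10.0.5.1, length 46
ARP_REQ = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) ARP, Request who-has "
    r"(?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)

def parse_arp_requests(lines):
    """Yield (timestamp_seconds, target_ip, sender_ip) per ARP request."""
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:
            continue  # replies, non-ARP traffic, noise
        ts = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
              + int(m["us"]) / 1e6)
        yield ts, m["target"], m["sender"]

def peak_requests_per_second(records):
    """Most ARP requests that landed in any one wall-clock second."""
    per_second = Counter(int(ts) for ts, _, _ in records)
    return max(per_second.values(), default=0)

def requery_targets(records, window=5.0):
    """Targets asked for again within `window` seconds of a prior request.

    On a shared segment that is the router retrying an address nobody
    answered for (an unused IP being scanned) instead of caching the miss.
    Returns {target: number_of_requeries}.
    """
    last_seen = {}
    requeries = defaultdict(int)
    for ts, target, _ in records:
        prev = last_seen.get(target)
        if prev is not None and ts - prev <= window:
            requeries[target] += 1
        last_seen[target] = ts
    return dict(requeries)

def storm_report(lines, rps_threshold=100, window=5.0):
    records = list(parse_arp_requests(lines))
    peak = peak_requests_per_second(records)
    return {
        "requests": len(records),
        "peak_rps": peak,
        "storm": peak >= rps_threshold,
        "requeried": requery_targets(records, window),
    }

def _line(h, m, s, us, target, sender="10.0.5.1"):
    return (f"{h:02d}:{m:02d}:{s:02d}.{us:06d} ARP, Request who-has "
            f"{target} tell {sender}, length 46")

# Constructed sample: a quiet second, then the head-end (10.0.5.1) asking for
# twenty unused addresses six times each inside one second, then a reply and
# a legitimate re-query of a real host well outside the window.
SAMPLE_CAPTURE = (
    [_line(14, 2, 10, 1000 * i, f"10.0.5.{50 + i}") for i in range(3)]
    + [_line(14, 2, 11, 8000 * i, f"10.0.5.{200 + (i % 20)}") for i in range(120)]
    + ["14:02:12.000100 ARP, Reply 10.0.5.50 is-at 00:11:22:33:44:55, length 28",
       _line(14, 2, 20, 500000, "10.0.5.50")]
)

if __name__ == "__main__":
    r = storm_report(SAMPLE_CAPTURE)
    print(f"{r['requests']} requests, peak {r['peak_rps']}/s, storm={r['storm']}")
    print(f"{len(r['requeried'])} targets re-queried within the window")
```

Feed it `tcpdump -n -l arp` output from the modem's Ethernet side; a high peak with many re-queried targets points at scanning of the segment's unused addresses, while a high peak with no re-queries is just a busy segment.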
Re:Other ISPs start to do this? (Score:2, Informative)
They had no hesitation reconnecting him once he'd fixed the problem, but the fact is that they noticed and acted.
The ISP in question is Eclipse Networking (UK) who are a really good ADSL supplier. (I've got 8 public IPs and reverse-DNS)
It would be good if more ISPs took the time to sort this stuff out, often it's people who don't even know their machine has been hijacked.
Re:Other ISPs start to do this? (Score:5, Informative)
Now, most cable modems have solder pads for a diagnostic connector, which is usually a 3 wire RS-232 serial connection. Sometimes it uses an unusual voltage, and you need a little box to change the levels. If you got access to the diagnostic connector, and your modem had the proper flash image in it, then you could program it through the diagnostic interface.
I can imagine that some modems you purchase from Fry's or what have you will look for config on ethernet, though I doubt many of them do.
For more insight on why this typically won't work, the default route on the device typically points to the cable interface, or does not exist if the cable interface is not hot, and the device has two modes of operation with regard to IP addresses on the internal interface; either it sets itself to 192.168.100.1, or it sets itself to whatever the config file tells it, and it starts proxying DHCP requests. Either way it is not going to be able to find your bogus TFTP server on the network unless it is badly misconfigured to begin with.
Re:Plot by virus scan companies? (Score:3, Informative)
My experience with this (Score:5, Informative)
The problem here is that Comcast is shutting down people's connections with no recourse to find out why or to re-enable it.
I received an email and an automated phone call from Comcast stating that I had an infected computer and I must clean it up. I was immediately pleased that they noticed, but frustrated that I could be infected. 5 PCs with varying OSs, all with firewalls and/or antivirus software, so I thought it was unlikely but possible. After doing a full scan I found no viruses.
So I called Comcast's 800 number. They said I need to call a different long-distance number. That number is an automated system with nothing but dead ends. If I select the option about "Viruses and spam emails" then it tells me to email abuse at comcast.net if I get a bad email. But I don't want to report a spam, I received a report. All the options did approximately the same thing: Told me something I already know then hung up. Several calls later, I used the "leave a message" option. A week goes by and I received no call back. I replied to the email but received no response. Nobody on the service number would talk to me about it.
So I receive another email telling me that my service may be disabled if I don't fix the problem. So what do I do now?
To top it off, this isn't the first time. About 8 months ago, Comcast called and told me I was reported for sending spam. When they read me part of the SpamCop report (which they refused to do many times) it turned out to be a SpamCop report that my roommate made! We _reported_ the spam, we didn't _send_ it! After much arguing, the guy finally got it and left us alone. Mistakes happen, but what irks me the most is that they wanted to tell me I sent a spam, and make sure I corrected my behavior, but refused to tell me the source of the report, or what the email was, or when it was sent, or anything!
Below is the email Comcast sent me. It looks like a form email, with no specific statement about what went wrong.
I work for Comcast (Score:4, Informative)
But, users are dumb, and I'll agree with that. Last summer when the Blaster worm came out, we emailed our customers ahead of time telling them they needed to download the Microsoft patch.
On top of that, the Microsoft Windows Update popup that comes up by default, once a week, users still continue to ignore it because they don't know what it does.
Personally, I'd like to see more of this type of internet policing by ISPs. They should also be blocking people who have open SMB shares on their Windows networks. I can't count the number of times I've purposely gone into someone's SMB share and dropped a text file telling them how to fix it.
I, however, disagree with government policing of the internet. I believe the internet should be policed by the people who pay for it to be there. That would be us and the ISPs.
Re:Yes Yes! (Score:5, Informative)
We as the People-Who-Know need to be spending time helping those who don't to become self-reliant, rather than telling them 'Sorry. You can't access the net until you clean up your system. Sorry, I can't really help you do it. Call someone else.'
Comcast is already doing this. From the article:
So, they block their access to trigger the support call, and then help them secure their machine. I think this is the right approach.
Re:Nice but... (Score:4, Informative)
Re:Bad Idea (Score:1, Informative)
Blues Brothers (Score:5, Informative)
Jake: "Hey what's goin' on?"
Cop: "Oh those bums won their court case so they're marching today"
Jake: "What bums?"
Cop: "The fucking Nazi party!"
Jake: "Illinois Nazis"
Elwood: "I hate Illinois Nazis!"
the list of Comcast offenders (Score:2, Informative)
Magnitude 6 = 1 million emails/day
Re:Other ISPs start to do this? (Score:2, Informative)
Getting to the topic, it would be possible for me to write a program to do that all automatically, but it would be extremely ornate, and probably not worth the trouble.
Re:Other ISPs start to do this? (Score:3, Informative)
I verified this myself. Set up a TFTP server on an interface with the same IP address as the headend. Then as you reboot the modem, be constantly pinging the modem's HFC IP address through the spoofed interface you created. The cable modem, when it comes up, will then try to TFTP its config file from YOUR machine and not the headend, because you have injected your MAC address into its ARP table for that IP address.
The encryption on the configuration file wasn't a big deal either, because you could get most of the needed information via SNMP IIRC. Most ISPs now disable SNMP and have bots scanning for connections where the actual speed doesn't match the account information.
Re:Yes Yes! (Score:1, Informative)
Other Companies (Score:1, Informative)
It's time people start taking responsibility for their actions when using a computer. Computers need to be patched frequently with Windows Update [microsoft.com]. AntiVirus programs such as Norton Antivirus [symantec.com], McAfee VirusScan [mcafee.com], or Trend Micro PC-cillin [trendmicro.com] (my personal favorite) are needed, with updates and scans run, at the very least, weekly. Computers also need anti-trojan programs such as The Cleaner [moosoft.com] and anti-spyware programs such as Spybot Search & Destroy [safer-networking.org] and Ad-aware [lavasoft.de]. Even go as far as not using the default Internet programs, Internet Explorer [microsoft.com] and Outlook Express [microsoft.com]. Instead, use free, open source programs such as Mozilla Firefox (browser) [mozilla.org] and Thunderbird (e-mail) [mozilla.org].
Naturally, the majority of people on
Re:Cox does this... (Score:2, Informative)
Yahoo gets the prize (Score:2, Informative)
However, SenderBase says Yahoo's 6 MTAs are all in the top 10 senders of e-mail. Only XO Communications and thehdhd.com out-send them. thehdhd.com (at #6) seems to be openly dedicated to producing spam.
So, when will Yahoo clean up its act? Is it even possible for them to take the same kind of stance that Comcast is?
I wish more ISP's would... (Score:2, Informative)