Comments on news posted 2010-10-01 11:31:29: In October of last year we wrote about a new bot detection and notification system Comcast was working on that would alert customers of possible infection and guide them through cleaning their systems. ..



jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
Reviews:
·Verizon FiOS

1 edit

Open can of worms

So comcast is utilizing technology that can intercept browser requests and spoof responses.

Brilliant.

If they couldn't use the technology to change the ads on web pages, they'll use it "for your own good".

Also, I would like to know how they associate BOTted IPs with the IP that you're actually using right now.


FFH5
Premium
join:2002-03-03
Tavistock NJ
kudos:5

Some interesting links for this service

The Constant Guard Center where the email will direct you if a problem is found:
»constantguard.comcast.net/

How do they determine if your system was taken over and turned into a bot system:
»constantguard.comcast.net/faqs/H···ast.html
How did Comcast determine that I may have a bot?

We identify infected computers in several ways. First, we get data from reputable Internet research groups that specialize in bot identification. The data we get includes a list of Internet Protocol (IP) addresses that are infected and those that belong to bot command and control channels. Second, we look for malicious behavior exhibited by bots such as spam, distributed denial of service attacks and repeated connections requests to known command and control channels. We then aggregate this data to confirm whether one or more of your computers has been infected.


jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

1 recommendation

reply to jjoshua

Re: Open can of worms

said by jjoshua:

So comcast is utilizing technology that can intercept browser requests and spoof responses.

Brilliant.

If they couldn't use the technology to change the ads on web pages, they'll use it "for your own good".
To get the browser alert you would have needed to ignore several emails. And compared to the alternatives of say, unwittingly having your banking login or credit card numbers stolen by a key logger, unwittingly sending spam, or unwittingly participating in a DDoS attack, my personal opinion is that a browser alert is an okay thing to do.

And it is important to note that the entire web notification system has been fully and openly documented at »tools.ietf.org/html/draft-living···ation-09, and that it leverages open source software and DOES NOT USE DPI. Other alternatives and the general approach have also been fully and openly documented at »tools.ietf.org/html/draft-oreird···ation-09.

Furthermore, for a good topical news story about the severity of the bot problem, check out the front page of the Wall Street Journal today at »online.wsj.com/article/SB1000142···ageone_0 -- which describes how the Zeus botnet was used to steal millions of dollars from banking accounts.

Lastly, you raised a question concerning ad insertion that I want to very directly address. Please refer to »tools.ietf.org/html/draft-living···ation-09 in Section 3.1.12 which says the following and should make clear our position on the matter:
Advertising Replacement or Insertion Must Not Be Performed Under ANY Circumstances
Additional Background: The system must not be used to
replace any advertising provided by a website, or to insert
advertising into websites. This therefore includes both
cases where a web page already has space for advertising, as
well as cases where a web page does not have any
advertising. This is a critical area of concern for end
users, privacy advocates, and other members of the Internet
community. Therefore it must be made abundantly clear that
this system will not be used for such purposes.
--
JL
Comcast


jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

1 recommendation

reply to jjoshua
said by jjoshua:

Also, I would like to know how they associate BOTted IPs with the IP that you're actually using right now.
Our DHCP servers hand out IP addresses and the proper DNS IPs when an account is authorized for service. Thus, a correlation exists between IP address and account. So, for example, if we saw your IP address associated with the bot 10 minutes ago, we'd be able to then send an email to the email address in your account informing you of this.
--
JL
Comcast
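The two mechanisms described above, the FAQ's aggregation of external feed data with observed command-and-control contacts and jlivingood's point that DHCP lease history ties an IP address to an account at a given time, can be illustrated together. The following is an added example written for this thread, not Comcast's code; the lease log, the sightings, the source labels and the confirmation threshold are all constructed assumptions.

```python
"""Attributing bot sightings to subscriber accounts through DHCP lease history.

Added illustration, not Comcast's system. Inputs are constructed: a lease log
(which account held which IP over which interval) and a list of sightings
(an IP named by an external feed, or observed contacting a known C&C address).
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Lease:
    ip: str
    account: str
    start: datetime
    end: datetime  # lease expiry; the IP may be handed to another account afterwards


@dataclass(frozen=True)
class Sighting:
    ip: str
    seen_at: datetime
    source: str  # assumed labels: "feed:<group>" (external list) or "c2:<C&C address>"


# Constructed lease log: 192.0.2.10 moves from account A-1001 to A-2002 at 09:00.
LEASES = [
    Lease("192.0.2.10", "A-1001", datetime(2010, 10, 1, 0, 0), datetime(2010, 10, 1, 9, 0)),
    Lease("192.0.2.10", "A-2002", datetime(2010, 10, 1, 9, 0), datetime(2010, 10, 2, 9, 0)),
    Lease("192.0.2.11", "A-3003", datetime(2010, 10, 1, 0, 0), datetime(2010, 10, 2, 0, 0)),
]

# Constructed sightings. 192.0.2.99 has no lease at all, so it cannot be attributed.
SIGHTINGS = [
    Sighting("192.0.2.10", datetime(2010, 10, 1, 8, 30), "feed:researchgroup"),
    Sighting("192.0.2.10", datetime(2010, 10, 1, 11, 15), "c2:203.0.113.7"),
    Sighting("192.0.2.10", datetime(2010, 10, 1, 11, 40), "c2:203.0.113.7"),
    Sighting("192.0.2.10", datetime(2010, 10, 1, 12, 5), "c2:203.0.113.7"),
    Sighting("192.0.2.11", datetime(2010, 10, 1, 3, 0), "feed:researchgroup"),
    Sighting("192.0.2.99", datetime(2010, 10, 1, 3, 0), "feed:researchgroup"),
]


def account_for(ip, when, leases=LEASES):
    """Return the account holding `ip` at instant `when`, or None if no lease covers it.

    The lookup is time-aware on purpose: asking "who has this IP now" instead of
    "who had it at the sighting time" misattributes anything seen before a reassignment.
    """
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.account
    return None


def assess(sightings=SIGHTINGS, leases=LEASES, min_c2_contacts=3):
    """Aggregate sightings per account and decide which accounts are confirmed.

    Confirmation rule (an assumption for this example, not Comcast's): flag an
    account when an external feed lists its IP AND we also saw C&C contacts from
    it, or when we saw at least `min_c2_contacts` repeated C&C contacts ourselves.
    Returns (per_account evidence, confirmed accounts, unattributed sightings).
    """
    per_account, unattributed = {}, []
    for s in sightings:
        acct = account_for(s.ip, s.seen_at, leases)
        if acct is None:
            unattributed.append(s)
            continue
        rec = per_account.setdefault(acct, {"feed": 0, "c2": 0, "ips": set()})
        rec["feed" if s.source.startswith("feed:") else "c2"] += 1
        rec["ips"].add(s.ip)
    confirmed = {
        acct: rec for acct, rec in per_account.items()
        if (rec["feed"] and rec["c2"]) or rec["c2"] >= min_c2_contacts
    }
    return per_account, confirmed, unattributed


if __name__ == "__main__":
    evidence, confirmed, unattributed = assess()
    for acct, rec in evidence.items():
        print(acct, rec, "CONFIRMED" if acct in confirmed else "insufficient")
    print("unattributed:", [(s.ip, s.source) for s in unattributed])
```

Note that the 08:30 feed sighting lands on A-1001 even though A-2002 holds the same address for the rest of the day; only A-2002, with three observed C&C contacts, crosses the confirmation threshold, while A-1001 and A-3003 each carry a single uncorroborated feed entry and would not be notified under this rule.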


FFH5
Premium
join:2002-03-03
Tavistock NJ
kudos:5

2 edits
reply to FFH5

Re: Some interesting links for this service

If you are on a Windows computer, Comcast also directs you to these 2 free products to help protect yourself and keep non-MS software up to date:

»www.immunet.com/free/comcast/index.html
»secunia.com/vulnerability_scanni···onal?cgc

I can't speak to the value of the Immunet product (review here: »www.pcmag.com/article2/0,2817,2365093,00.asp), but I have used the free Secunia PSI scanner for a long time to keep all my non-MS products up to date with the latest updates. That is a worthwhile product.


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
Reviews:
·Verizon FiOS

2 edits
reply to jlivingood

Re: Open can of worms

said by jlivingood:

And compared to the alternatives of say, unwittingly having your banking login or credit card numbers stolen by a key logger, unwittingly sending spam, or unwittingly participating in a DDoS attack, my personal opinion is that a browser alert is an okay thing to do.
My opinion is that it's not. Supply the pipe and stay out of the security business.

BTW, your own TOS say so.
In all cases, you are solely responsible for the security of any device you choose to
connect to the Service, including any data stored or shared on that device. Comcast
recommends against enabling file or printer sharing unless you do so in strict compliance with
all security recommendations and features provided by Comcast and the manufacturer of the
applicable file or printer sharing devices. Any files or devices you choose to make available for
shared access on a home LAN, for example, should be protected with a strong password or as
otherwise appropriate.

It is also your responsibility to secure the Customer Equipment and any other Premises
equipment or programs not provided by Comcast that connect to the Service from external
threats such as viruses, spam, bot nets, and other methods of intrusion.


BadNew

@tds.net

opt in

Something invasive like this should be opt in. Glad I don't have comcast if they are forcing this stuff on me.


jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

1 recommendation

reply to jjoshua

Re: Open can of worms

said by jjoshua:

My opinion is that it's not. Supply the pipe and stay out of the security business.
While I respect your opinion, one user's lack of security now can affect many, many other users.
--
JL
Comcast


FFH5
Premium
join:2002-03-03
Tavistock NJ
kudos:5
reply to BadNew

Re: opt in

said by BadNew :

Something invasive like this should be opt in. Glad I don't have comcast if they are forcing this stuff on me.
Would you prefer they just disconnect your service? For people with bots, that would be my preferred solution. That would get their attention.


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
Reviews:
·Verizon FiOS
reply to jlivingood

Re: Open can of worms

said by jlivingood:

said by jjoshua:

My opinion is that it's not. Supply the pipe and stay out of the security business.
While I respect your opinion, one user's lack of security now can affect many, many other users.
Next time, try to design your networks so it doesn't.


beck
Premium,MVM
join:2002-01-29
On The Road
kudos:1
Reviews:
·Stablehost.com

6 of one, half dozen of the other

While I think it is GOOD that people get rid of these things, I'm not sure on how to notify them of it.

Keep teaching people to NOT open email that is not expected (not just from people they don't know) and to run if some anti-virus stuff pops up because it's fake. I'm not sure how to resolve this. Because if we tell them "except Comcast" the scammers will be doing Comcast. The scammers are already doing Comcast emails to direct people to bad web sites or give them a trojan etc.

I don't know of a good way to notify customers other than shut them down so they finally call and then tell them. But that costs Comcast $$ for the tech and lots of being upset for the customer. Perhaps the notice has to go out in the US mail?
--
Some people are like slinkies - not really good for much.
But they bring a smile to your face when pushed down the stairs.


Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

Business accounts

Is this system being launched for business accounts along with residential?

When an alert is triggered, who will it affect on my network? The person with the potential botnet or everyone on my network?


vpoko
Premium
join:2003-07-03
Boston, MA
reply to jjoshua

Re: Open can of worms

said by jjoshua:

Next time, try to design your networks so it doesn't.
It's really not accurate to blame that on Comcast. As long as the internet allows TCP/IP endpoints to reach each other, one user's lack of security is going to have a potential impact on other users, especially if those other users aren't using precautions like firewalls.

chimera

join:2009-06-09
Washington, DC
reply to jjoshua
From what I can tell that's exactly what they are trying to do now. The alternative to this sort of message is just knocking the user offline for good and that doesn't actually help users resolve infection issues when they need tools from the internet to do so.

chimera

join:2009-06-09
Washington, DC
reply to Clever_Proxy

Re: Business accounts

It would have to since they are all using the same external IP address unless you have multiple gateways.


knightmb
Everybody Lies

join:2003-12-01
Franklin, TN

1 edit

1 recommendation

reply to jlivingood

Re: Open can of worms

said by jlivingood:

said by jjoshua:

So comcast is utilizing technology that can intercept browser requests and spoof responses.

Brilliant.

If they couldn't use the technology to change the ads on web pages, they'll use it "for your own good".
To get the browser alert you would have needed to ignore several emails. And compared to the alternatives of say, unwittingly having your banking login or credit card numbers stolen by a key logger, unwittingly sending spam, or unwittingly participating in a DDoS attack, my personal opinion is that a browser alert is an okay thing to do.

And it is important to note that the entire web notification system has been fully and openly documented at »tools.ietf.org/html/draft-living···ation-09, and that it leverages open source software and DOES NOT USE DPI. Other alternatives and the general approach have also been fully and openly documented at »tools.ietf.org/html/draft-oreird···ation-09.

Furthermore, for a good topical news story about the severity of the bot problem, check out the front page of the Wall Street Journal today at »online.wsj.com/article/SB1000142···ageone_0 -- which describes how the Zeus botnet was used to steal millions of dollars from banking accounts.

Lastly, you raised a question concerning ad insertion that I want to very directly address. Please refer to »tools.ietf.org/html/draft-living···ation-09 in Section 3.1.12 which says the following and should make clear our position on the matter:
Advertising Replacement or Insertion Must Not Be Performed Under ANY Circumstances
Additional Background: The system must not be used to
replace any advertising provided by a website, or to insert
advertising into websites. This therefore includes both
cases where a web page already has space for advertising, as
well as cases where a web page does not have any
advertising. This is a critical area of concern for end
users, privacy advocates, and other members of the Internet
community. Therefore it must be made abundantly clear that
this system will not be used for such purposes.
As someone who runs (2) separate ISPs, I can give some useful and expensive advice (for free no less) on this. First, after reading all the info I could find in your links, this won't work.

Mainly because most of the stuff you are doing is easy to block by bot operators, and the fact that it's all out there for anyone to read kind of defeats the purpose. It's great that you want to stop bot operators, actually wonderful, but this way to go about it as far as the final steps of trying to get the message to the user (if e-mail doesn't work) has been tried many times and unfortunately doesn't work as well as you would think.

First obstacle is the new IE that Microsoft released is going to mess up a lot of that because they put such paranoid protection features into it. IE 9 isn't going to be much better.

Second is once again, the message insertion. E-mails are one thing, but the first sue-happy troll that finds out you inserted any message on their website will just tie up Comcast in court. Comcast probably has a powerful legal team, but not an invincible legal team. Someone is going to injunction you to stop the service and thus kind of defeat the whole purpose of it. Mainly because now you will be assigning Trojan/Virus blame to the website that user was on. The non-technical user's first reaction is going to be "blame the site" because "I was at Google and I got a message that my system had a virus, it must have come from Google!!!"

The best advice I can give is the notification part. Try to contact the user in non-invasive ways and you'll get plenty of gold stars. Otherwise, as you've read, there is already resistance to this and it's not even through the wringer yet. I know this isn't directed at you, but pass the info up the chain and hopefully someone at the top will listen.
--
Fight Insight Ready (Was NebuAD) and the like:
Click Here to pollute their data


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

1 recommendation

reply to jjoshua
said by jjoshua:

said by jlivingood:

said by jjoshua:

My opinion is that it's not. Supply the pipe and stay out of the security business.
While I respect your opinion, one user's lack of security now can affect many, many other users.
Next time, try to design your networks so it doesn't.
i'd suggest you take this up with some of the largest carriers in the world then -- att, verizon, level(3), teliasonera, ntt, globalcrossing, etc. botnets affect everybody (in fact, there have been several times where dslr has been hit by a ddos from a botnet). these attacks are sourced from customer networks (i.e. your lec's and mso's) and attack financial, government, and commercial enterprise networks alike. no one wins from this -- from increased congestion at the node level, increased transit at the carrier end, heavy utilization on routing gear (depending on the type of attack and where its destination is), and the possible breach of security if the botnet is used to exploit holes within networks with personal information.

comcast is being open and honest regarding their policies, documenting everything with the ietf. of course -- the simple answer is -- if you don't want to see browser injection, don't get pwned in the first place. seems simple, eh?

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

dagg

join:2001-03-25
Galt, CA

1 edit
reply to jlivingood

ignore this comment


newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD
kudos:1
Reviews:
·DIRECTV
·Comcast

1 edit

I stopped checking Comcast email

I stopped checking my Comcast email a long time ago because Comcast keeps insisting on sending me spam about the latest, greatest "thing" they are trying to sell me on . . . even though my email preferences are set to NOT receive their marketing emails. Their Marketing Department labels EVERYTHING "service and account related" even when it's obviously an attempt to get you to BUY something.

Email Preferences:
quote:
I do not want to receive emails from Comcast or its partners containing offers or promotions related to Comcast and XFINITY TV, Internet and voice services. (Please note, you will continue to receive emails related to your services and account even if you opt-out of other emails.)
I have a feeling that a LOT of subscribers have done the exact same thing I have, since Comcast's Marketing Department seems to think your email account belongs to them, and they never check their Comcast email. I foresee a lot of subscribers' first clue about this new Constant Guard Bot Detection is going to be in the form of the Browser Alert.

Basically, Comcast has eroded the trust of their email recipients by constantly sending their spamvertisements to the point of subscribers ignoring any communication from Comcast. You reap what you sow.

Don't get me wrong, by and large I think this bot detection program is a "good thing" but Comcast is going to have to get the word out by different means other than email since they've destroyed that relationship for a lot of people.
--
The Rules of Spam


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to beck

Re: 6 of one, half dozen of the other

said by beck:

Keep teaching people to NOT open email that is not expected (not just from they don't know) and to run if some anti-virus stuff pops up because it's fake. I'm not sure how to resolve this. Because if we tell them "except Comcast" the scammers will be doing Comcast. The scammers are already doing Comcast emails to direct people to bad web sites or give them a trojan etc.
yes -- i'm sure there are contradictory messages that will confuse the sub. i'm assuming this is why the browser injection would happen. i would assume that this would come with an identification code and a phone number to call -- or even better -- with a note to just "call comcast customer service". the user would then use the known comcast customer service number and give them the message id to verify that this is indeed coming from comcast and action needs to be taken.

no system is perfect -- and education is most important. but, for the people who choose not to listen, this could be a good first step.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

dagg

join:2001-03-25
Galt, CA
reply to FFH5

Re: opt in

and as someone that spends my days cleaning up infected machines all day long, yes, i would prefer that identified bots get null routed.

ISurfTooMuch

join:2007-04-23
Tuscaloosa, AL

1 recommendation

reply to beck

Re: 6 of one, half dozen of the other

And, the thing is, you can give people good advice until you're blue in the face, and they still won't take it. How many worms have we seen since "I LOVE YOU" hit back in 2000? Yeah, that wasn't the first, but it was the one that hit the media in a big way, and, since then, there have been dozens and dozens that have made the mainstream media, yet people still stupidly do the same things that get them infected.

As for security, hell, I know people who won't even take the most basic precautions, like not running Windows in administrator mode all the time. Yeah, XP running in limited user mode broke too many things, but Vista and 7 improved greatly on that. And the thing is, these folks can't even articulate why they don't want their account set up as a standard user, even if they'll also have access to an admin account should they need it. They simply think it's too much trouble and won't have it.

Sorry to rant, but I couldn't help myself.


jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

1 recommendation

reply to jjoshua

Re: Open can of worms

said by jjoshua:

Next time, try to design your networks so it doesn't.
You may want to tell that to the folks who designed the Internet. The problem of bots does not apply only to the Comcast network - it is a massive, global problem.
--
JL
Comcast


jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2
reply to beck

Re: 6 of one, half dozen of the other

said by beck:

I don't know of a good way to notify customers other than shut them down so they finally call and then tell them. But that costs Comcast $$ for the tech and lots of being upset for the customer. Perhaps the notice has to go out in the US mail?
Both good suggestions. We have several different notification options identified at »tools.ietf.org/html/draft-oreird···ection-6 and may explore some of these other ones at some point.
--
JL
Comcast


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
Reviews:
·Verizon FiOS
reply to tubbynet

Re: Open can of worms

said by tubbynet:

botnets affect everybody (in fact, there have been several times where dslr has been hit by a ddos from a botnet). these attacks are sourced from customer networks (i.e. your lec's and mso's) and attack financial, government, and commercial enterprise networks alike.
I'm not an expert on botnets and ddos attacks. But from what I've read, I think that a very reasonable and relevant thing to do would be to detect and drop all malformed and/or forged packets at the customer's node. If a node with a specific IP is sending out packets with a forged IP, then there's no better place to stop it.

Why don't we see this type of filtering? Wouldn't this be a good solution to a very specific problem? Is there ever a case where a malformed or forged packet is good?


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
said by jjoshua:

I'm not an expert on botnets and ddos attacks. But from what I've read, I think that a very reasonable and relevant thing to do would be to detect and drop all malformed and/or forged packets at the customer's node. If a node with a specific IP is sending out packets with a forged IP, then there's no better place to stop it.
well -- you can't do anything at a "node". this is simply a device that turns the fiber connection into something that can run to the customer's house (i.e. coax). this is simply a passive device. anything that has to happen must occur once it hits a network layer device -- the cmts or some of the ingress routers after the cmts.

additionally -- where are you malforming the packets? who says that a ddos is a malformed anything? they can be as simple as a crafted icmp traceroute packet that expires on a router hop. nothing malformed about that. if you're talking about malformed at the upper layers (osi 5-7), then you're looking at inspecting application data for every single packet on ingress to comcast's network and analyzing them against a database of *everything* that could occur. i'm not sure you'd appreciate the performance hit. how jason is proposing to look at the packets can be performed at wire-speed (or very near it) and will not cause a significant performance hit on the ingress devices on their network.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
Reviews:
·Verizon FiOS
Node was possibly not the correct term. Perhaps the cable modem itself would be better.

Would it be hard to drop all packets with forged source addresses? It's clearly not going to stop all ddos attacks but it's going to do more than a notification system that doesn't do anything.


MalibuMaxx
Premium
join:2007-02-06
Chesterton, IN
reply to jlivingood
darn our government is to be blamed again EGAD batman!


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
Reviews:
·Verizon FiOS
reply to jlivingood
said by jlivingood:

You may want to tell that to the folks who designed the Internet. The problem of bots does not apply only to the Comcast network - it is a massive, global problem.
Al Gore?

Now I'm confused. You are trying to fix the entire internet?

My point was that a bad user on your network should not be affecting a good user on your network.

No user, knowingly or unknowingly, should be able to affect another user.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to jjoshua
said by jjoshua:

Node was possibly not the correct term. Perhaps the cable modem itself would be better.
cable modems are pretty stupid in that regard. to get any real intelligence -- you're going to need to have an ingress policy on the provider's kit.

said by jjoshua:

Would it be hard to drop all packets with forged source addresses? It's clearly not going to stop all ddos attacks but it's going to do more than a notification system that doesn't do anything.
the addresses may or may not be forged. that's the difficulty. in the earlier days, this may have been the case to give the providers a difficult time to mitigate the dos -- to make it look like it was coming from all over when it was really just a specific location/carrier/netblock/etc.
the leading "d" in "ddos" stands for distributed. the issue is that when you start creating policies as a provider that drop traffic from netblocks that are causing grief -- is that when you've got 10,000 different ip's in many different blocks, you start blackholing *all* traffic. obviously, the simple solution would seem to be to just block individual ip addresses, but this becomes cumbersome because they are (a) always fluctuating (b) access-lists on carrier gear have limits, especially if you expect any high-speed transmission. there are optimization techniques that can be used, but the box will take a *major* hit -- if not puke all over itself -- when you make it handle acl's that are 10k-20k lines long. it just won't work.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
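The exchange above between jjoshua (drop packets with forged source addresses at the customer's attachment point) and tubbynet (the policy has to live on the provider's ingress gear, and per-IP blocking of thousands of distributed sources does not scale on carrier access-lists) can be made concrete. The following is an added example for this thread, not any vendor's or Comcast's implementation; the port-to-prefix table, the packets and the attacker address lists are constructed, and the per-port check models the ingress source-address validation idea in pure Python rather than a router ACL.

```python
"""Ingress source-address validation per subscriber port versus per-IP blocklisting.

Added illustration, not any vendor's or Comcast's code. Two ingress policies an
edge device (e.g. the CMTS side of a cable plant) could apply are modelled:

  1. a per-port rule admitting only packets whose source lies in the prefix
     assigned to that port (the "drop forged sources" idea); its size is one
     entry per port, independent of how many hosts are attacking;
  2. a per-IP blocklist, whose size grows with the number of attacking hosts
     unless they happen to be contiguous.
"""
from ipaddress import ip_address, ip_network, collapse_addresses

# Constructed assignment table: each subscriber port is handed one small prefix.
PORT_PREFIXES = {
    "port-1": ip_network("198.51.100.0/30"),
    "port-2": ip_network("198.51.100.4/30"),
}

# Constructed packets as (ingress port, source IP, destination IP).
PACKETS = [
    ("port-1", "198.51.100.2", "203.0.113.5"),   # legitimate: source within port-1's prefix
    ("port-1", "198.51.100.6", "203.0.113.5"),   # forged: that source belongs to port-2
    ("port-1", "192.0.2.77", "203.0.113.5"),     # forged: source not assigned to this plant at all
    ("port-2", "198.51.100.5", "203.0.113.5"),   # legitimate
    ("port-9", "198.51.100.9", "203.0.113.5"),   # unknown port: default deny
]


def ingress_allowed(port, src_ip, table=PORT_PREFIXES):
    """Admit a packet only if its source address lies inside the prefix assigned to its port."""
    prefix = table.get(port)
    if prefix is None:
        return False  # no assignment on record for this port: drop rather than guess
    return ip_address(src_ip) in prefix


def filter_packets(packets=PACKETS, table=PORT_PREFIXES):
    """Split (port, src, dst) tuples into (accepted, dropped) under the per-port rule."""
    accepted, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (accepted if ingress_allowed(port, src, table) else dropped).append(pkt)
    return accepted, dropped


def blocklist_rules(attacker_ips):
    """Return the ACL entries needed to block each attacking host individually,
    after collapsing adjacent addresses into the smallest covering prefixes."""
    return list(collapse_addresses(ip_network(ip) for ip in attacker_ips))


# Constructed attacker populations of equal size (256 hosts each).
CONTIGUOUS_ATTACKERS = [f"10.0.0.{i}" for i in range(256)]   # one per address in a /24
SCATTERED_ATTACKERS = [f"10.0.{i}.1" for i in range(256)]    # one host in each of 256 /24s


if __name__ == "__main__":
    accepted, dropped = filter_packets()
    print("accepted:", accepted)
    print("dropped: ", dropped)
    print("per-port rules needed:", len(PORT_PREFIXES))
    print("ACL entries, contiguous attackers:", len(blocklist_rules(CONTIGUOUS_ATTACKERS)))
    print("ACL entries, scattered attackers: ", len(blocklist_rules(SCATTERED_ATTACKERS)))
```

The per-port rule needs two entries for two ports no matter how many packets arrive, and it drops both forged packets on port-1. The blocklist comparison shows tubbynet's scaling point: 256 contiguous attackers collapse into a single /24 entry, but 256 attackers spread one per /24 still need 256 entries, and a real distributed attack is closer to the second case. The per-port check also says nothing about a bot that sends from its genuinely assigned address, which is tubbynet's other point that the sources "may or may not be forged"; that case is what the notification system, not ingress filtering, is aimed at.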