US Cable Support > Comcast HSI > Comcast Announces Constant Guard Program

Comcast Announces Constant Guard Program

CNet picked this up at »news.cnet.com/8301-27080_3-10370···ogArea.0
--
JL
Comcast

reply to NSM998
Very nice.

Thank you, JL !

reply to NSM998
In a Dr. Evil voice... Very interesting Mr. Powers.

I am interested in seeing how well this works and if there are any ill effects that arise from it. I am sure that removing some bots from the lines will certainly improve performance for everyone.

reply to NSM998
Writing something up about this now, thanks!

Any insight on why Comcast isn't employing a walled garden solution like Cox or Cogeco that essentially locks consumers in a room until they call support and clean their PC?

»Talking Botnets

Not saying one's better than the other, just curious if Comcast considered this as an option?

6.1 Walled Garden Notification
Placing a user in a walled garden is another approach that ISPs may take to notify users. A walled garden refers to an environment that controls the information and services that a subscriber is allowed to utilize and what network access permissions are granted. This is an effective technique because it could be able to block all communication between the bot and the command and control channel, which may impair the ability of a bot to disrupt or block attempts to notify the user.

While in many cases the user is almost guaranteed to view the notification message and take any appropriate remediation actions, this approach poses can pose other challenges. For example, it is not always the case that a user is actively using a computer that uses a web browser or which has a web browser actively running on it. In one example, a user could be playing a game online, via the use of a dedicated, Internet-connected game console. In another example, the user may not be using a computer with a web browser when they are placed in the walled garden and may instead be in the course of a telephone conversation, or may be expecting to receive a call, using a Voice Over IP (VoIP) device of some type. As a result, the ISP may feel the need to maintain a potentially lengthy white list of domains which are not subject to the typical restrictions of a walled garden, which could well prove to be an onerous task, from an operational perspective.

The ISP has several options to determine when to let the user out of the walled garden. One approach may be to let the user determine when to exit. This option is suggested when the purpose of the walled garden is to notify users and provide information on remediation only, particularly since notification is not a guarantee of successful remediation. It could also be the case that, for whatever reason, the user makes the judgment that they cannot then take the time to remediate their computer and that other online activities which they would like to resume are more important. Exit from the walled garden may also involve a process to verify that it is indeed the user who is requesting exit from the walled garden and not the bot.

Once the user acknowledges the notification, then the user decides to either remediate and then exit the walled garden, or exit the walled garden without addressing the issue. Another approach may be to enforce a stricter policy and require the user to clean the computer prior to permitting the user to exit the walled garden, though this may not be technically feasible depending upon the type of bot, obfuscation techniques employed by a bot, and/or a range of other factors. Thus, the ISP may also need to support tools to scan the infected computer and determine whether it is still infected or rely on user judgment that the bot has been disabled or removed. One challenge with this approach is that if the user has multiple computers sharing a single IP address, such as via a common home gateway device which performs Network Address Translation (NAT). In such a case, the ISP may need to determine from user feedback, or other means, that all affected computers have been remediated, which may or may not be technically feasible.

Finally, when a walled garden is used, a list of well-known addresses for both operating system vendors and security vendors should be created and maintained in a white list which permits access to these sites. This can be important for allowing access from the walled garden by end users in search of operating system and application patches.

reply to NSM998
So out of curiosity, how do you keep track of this between the time your research firms provide you with the IP and you entering it into the system to capture the customers attention.

What happens if in the lag time the ip is allocated to someone else who's machine isn't infected. The only way I see to mitigate this is timestamps from the research company and you correlating this with stored info about what customer had that IP during that time period.

If this is the case, how long are you keeping these records so you can hand them over to the feds anytime they want them??

reply to NSM998
Sounds good, Nirmal & Jason. I'm doubtful but a Denver trial sounds like a way to find out for sure. I think the problem will be with user behavior, but maybe I'm jaded by my friend who turns off his AV everytime he tries to install software or play games because he believes it gets in the way.

My recommendation will be to make a panel out of people who were in a state to get the notice and learn:
1. Did they notice it and how long did it take?
2. Did they respond to it and when, how?
3. Did any applications fail to work?

It's important that you don't rely on Customer Support complaints. My expectation is that these folks won't call.

We have to compare these answers against the reality that these bots are not only harming the network but scamming folks. (I do know you guys intercept that junk from compromised hosts and assume you still will.)

This is a technicality in your FAQ above: How is DPI not involved in getting the proxy inserted in the flow? How are you getting HTTP traffic to pass through a proxy without DPI? (I did read Jason's 6A but I don't understand how DiffServ does anything with TCP port 80, that doesn't sound like DiffServ, that sounds like packet inspection, perhaps what some call Shallow Packet Inspection, but then you need DPI to do some forgery and redirection, right?.) If it turns out that it is technically DPI that makes this work, I think it's probably something okay since the alternative is a 100% walled-garden block and this clearly is a network management activity.
--
Robb Topolski -= funchords.com =- District of Columbia -- KJ7RL
Test your Broadband connection today! -- »measurementlab.net/

reply to NSM998
What if a person never ventures to the Comcast home page?
--
Bowling: It's cleaner than baseball.

reply to funchords

Thanks for the focus group info. (Just curious, can you share what percent of Denver you think will see this notice at some point during a day?)

reply to hep cat

reply to NSM998
I think this is a step in the right direction. I always pondered as to when CC would let these people know that their PC's are bots and causing lots of network traffic be it spam and whatnot. I just hope all the CAE's will be ready to handle this when it's nationwide and not make unnecessary truck rolls. I could see it now, "sub complains of service banner".

What happens after the PC is cleaned or replaced. What happens then to the banner?? Let's say they are behind a router but they replaced the PC but since they are on a router the IP doesn't change. When or how will that IP be cleared? Who will verify the info? What happens if the infected PC's IP changes to another IP that is clean, how will it be tracked. I can see people just changing the IP to get a new un-bannered IP and still be infected and the circle continues! Unless CC will also be tracking by MAC addresses but that can be spoofed also...
--
Ultimate Malware Protection!!

Free Windows Cleaning!!

reply to NSM998
Sounds real good, and I hope it works as described, but Comcast doesn't have a great record when it comes to telling the truth about it's network practices, or supporting it's customers. Gotta wonder what the investors get out of this.

reply to NSM998
Nice job, long overdue (not a comcast dig, an ISP dig ) and hopefully it will help the folks who otherwise aren't savvy enough to keep themselves safe.
--
My place : »www.schettino.us

you figure the malware will get smart enough to block the warning message.
--
standard disclaimers apply.