
zalternate
join:2007-02-22
freedom land

1 edit

zalternate

Member

Phone?

Whatever happened to when the ISP detected your machine as being a virus-infested plague on their network and just shut you down. Then the ISP uses something called a 'Phone' and tells the customer why they won't have Internet for a while. But the customer may get their connection for a day (at least) to download a trusted, recommended anti-virus product. With a one-week trial of restoration of service, to see that they are indeed clean.

DNS redirection hacking breaks the Internet, and as mentioned above, Virus writers will make small scripts to mimic the warning message and then take you to FAKE anti-virus products.

NSM998
join:2009-02-12
Philadelphia, PA

NSM998

Member

said by zalternate:

Whatever happened to when the ISP detected your machine as being a virus-infested plague on their network and just shut you down. Then the ISP uses something called a 'Phone' and tells the customer why they won't have Internet for a while. But the customer may get their connection for a day (at least) to download a trusted, recommended anti-virus product. With a one-week trial of restoration of service, to see that they are indeed clean.

DNS redirection hacking breaks the Internet, and as mentioned above, Virus writers will make small scripts to mimic the warning message and then take you to FAKE anti-virus products.
Cutting off Internet access or blocking Internet access with a walled garden are approaches which have drawbacks... we discussed these in our Bot Mitigation IETF draft... it's available at (reference section 6): »tools.ietf.org/html/draf ··· ation-03

funchords
Hello
MVM
join:2001-03-11
Yarmouth Port, MA

funchords to zalternate

MVM

to zalternate
said by zalternate:

Whatever happened to when the ISP detected your machine as being a virus-infested plague on their network and just shut you down. Then the ISP uses something called a 'Phone' and tells the customer why they won't have Internet for a while. But the customer may get their connection for a day (at least) to download a trusted, recommended anti-virus product. With a one-week trial of restoration of service, to see that they are indeed clean.
Did that really ever exist? Probably for a while. But Bots spread too fast. ISPs are not able to take on the cost of staying on the phone and handholding customers through the cleaning process.

Plus, the Internet has grown from a nice-to-have to a need-to-have. If Comcast puts you in their "screened garden" you can still do most things on the Internet essential to keeping you employed or schooled, but you're still prompted to take care of the issue. Phone and mail don't work because people often don't take unexpected calls or read unexpected mail.

If users will respond to it, and if things don't tend to break, this may be a better way. It's a good experiment to conduct and Comcast is being open about their conducting it.
dfxmatt
join:2007-08-21
Crystal Lake, IL

dfxmatt

Member

I foresee additional difficulty in that if they are *only* blocking port 80 to the redirect that people who are gamers or for various reasons might not recognize the notice. Likewise do most bots operate on 80? I'd imagine not, so they would continue at the same time.

I still applaud the idea, it's a good start, but I think there are definitely kinks to iron out.

woody7
Premium Member
join:2000-10-13
Torrance, CA

woody7 to NSM998

Premium Member

to NSM998
At school we use Cisco Clean Access for wireless, and Norton Enterprise, and we haven't had a virus problem in years. What is a given is that when something is brought up, people bring all the negative things about it, but the underlying problem is the important part. This website has made me more aware, and when I can I steer people to it. I think that most people, if informed, want to do the right thing, but some are lazy and don't give a $hit. When a company tries for whatever reason, they should be commended as one step, not derided. For full disclosure I get a lot of Starbucks cards from the ones that for lack of a good reason, are lazy and don't give a $hit that their computer is spewing out crap. When it grinds to a halt, I get the call. Sometimes I can't think of a way to inform people short of disconnection.

funchords
Hello
MVM
join:2001-03-11
Yarmouth Port, MA

funchords to dfxmatt

MVM

to dfxmatt
said by dfxmatt:

I foresee additional difficulty in that if they are *only* blocking port 80 to the redirect that people who are gamers or for various reasons might not recognize the notice. Likewise do most bots operate on 80? I'd imagine not, so they would continue at the same time.
Absolutely. I know one guy who is probably infected today but won't get the notice until Comcast figures out how to inject the message into World-of-Warcraft, somehow.

jlivingood
Premium Member
join:2007-10-28
Philadelphia, PA

jlivingood to dfxmatt

Premium Member

to dfxmatt
said by dfxmatt:

I foresee additional difficulty in that if they are *only* blocking port 80 to the redirect that people who are gamers or for various reasons might not recognize the notice. Likewise do most bots operate on 80? I'd imagine not, so they would continue at the same time.

I still applaud the idea, it's a good start, but I think there are definitely kinks to iron out.
Still lots to learn for sure. But to be clear we are not blocking port 80 or putting users in a walled garden - for precisely the reason you state. To wit, the user may not notice since they are just using VoIP or doing gaming or something else non-web-based.

tmh
@qwest.net

tmh to zalternate

Anon

to zalternate
said by zalternate:

Whatever happened to when the ISP detected your machine as being a virus-infested plague on their network and just shut you down. Then the ISP uses something called a 'Phone' and tells the customer why they won't have Internet for a while. But the customer may get their connection for a d
Because the "Phone" is VOIP-based and went away right after you shut their connection down.
dfxmatt
join:2007-08-21
Crystal Lake, IL

4 edits

dfxmatt to jlivingood

Member

to jlivingood
you know what works well JL?

a phonecall.

Yup, that's right. Get a two tier calling system in place.

tier 1: the person who calls and explains - make sure they have a damn good plan and not a script
tier 2: someone TECHNICALLY PROFICIENT who can explain what is going on and options available (suggesting free/open source is easy here - you're not asking the customer to spend money). Make sure it's someone who can tell people in layman's terms why using an antivirus program on an infected PC isn't going to detect anything, especially if they're using McAfee or Symantec.

Just make sure both are people who can speak understandable English, and you have yourself that good ole customer service thing.

Hell, I'll do it myself, and I'll do it in the *evenings* when people are actually home (take note of that), if Comcast wants to pay me to do so.

Part of Comcast's shoddy record is that things can only be done 9-5, be it tech support or otherwise. Put in second shifts. People like that kind of thing. Am I going to call Comcast or have an appointment when I'm on a 9-5 job? Hell no.

Eagles1221
join:2009-04-29
Vincentown, NJ

Eagles1221 to tmh

Member

to tmh
Because the "Phone" is VOIP-based and went away right after you shut their connection down.

++++

Not sure how Comcast does it but around here TWC uses another VLAN for the VoIP phone. I would think it's quite difficult to infect their Arris modem box so I can understand a 128Kb port with no filters on it for phone.

jlivingood
Premium Member
join:2007-10-28
Philadelphia, PA

jlivingood to tmh

Premium Member

to tmh
said by tmh :
said by zalternate:

Whatever happened to when the ISP detected your machine as being a virus-infested plague on their network and just shut you down. Then the ISP uses something called a 'Phone' and tells the customer why they won't have Internet for a while. But the customer may get their connection for a d
Because the "Phone" is VOIP-based and went away right after you shut their connection down.
Which is why we are not testing a walled garden that would do just that.
jlivingood

jlivingood to dfxmatt

Premium Member

to dfxmatt
said by dfxmatt:

you know what works well JL?

a phonecall.
We've been doing phone calls for a while and the problem is that it doesn't scale particularly well, especially in comparison to how rapidly malware is spreading. Phone calls do continue though, from our CSA team.
chimera4
join:2009-06-09
Washington, DC

chimera4 to dfxmatt

Member

to dfxmatt
Except phone calls cost a lot of money and having an engineer or technician on the other end instead of a script reader costs even more. A better solution would be to have the message say:

1. An infection has been detected on this network and may or may not be present on this computer.

2. That this message is from Comcast and users may experience fake alerts which are a result of malware on their system and as such they should not purchase or give their credit card information out to any popups that may appear including this one as these may be scams.

3. Provide a phone number to call for information about this problem and links to guides.

4. Tell users to scan their computer for malware or contact their support provider and if the user doesn't have one at this point it may make sense to provide phone numbers for local support companies which Comcast could partner with based on an IP / Geolocation check. This bit is a bit dubious since it provides the potential for advertising, but at the same time it also would allow Comcast to funnel users to a trusted outlet.

I for one applaud Comcast for taking this approach and I wish them the best of luck. I think walled gardens are a bad idea for all but the worst infections, so with luck Comcast can do this right and provide the rest of us with a basic working model.

tmh
@qwest.net

tmh to Eagles1221

Anon

to Eagles1221
said by Eagles1221:

Because the "Phone" is VOIP-based and went away right after you shut their connection down.

++++

Not sure how Comcast does it but around here TWC uses another VLAN for the VoIP phone. I would think it's quite difficult to infect their Arris modem box so I can understand a 128Kb port with no filters on it for phone.
True if the cable provider was also supplying your phone service. For 3rd party SIP-based VOIP, it goes out over IP just like the rest of your data.

If the connection gets cut and grandma croaks because her cardiac monitor couldn't phone home, there'd be a lawsuit in short order.
patcat88
join:2002-04-05
Jamaica, NY

patcat88 to jlivingood

Member

to jlivingood
Disable/wall garden only port 80. Another idea is to have an X-hour timer for reenabling internet access to get tools; after a couple times the reenable link is clicked (stop abuse by lazy), block the user until they call tech support.
jjeffeory
jjeffeory
join:2002-12-04
Bloomington, IN

jjeffeory to zalternate

Member

to zalternate
Uh, you cut me off, I don't pay all of the bill.
Also, most networks at home have more than one device connected. That could cause major problems!

I like that it looks like Comcast is trying to do some good though... Kudos!
jjeffeory

jjeffeory to Eagles1221

Member

to Eagles1221
People use 3rd party VoIP that isn't on that VLAN. They would be SOL.