Topic 'Multiple supported properties' in forum 'Qwest' - dslreports.com

Re: Multiple supported properties

Thu, 25 Aug 2011 10:48:35 EDT

DataRiker posted : For less than 15 dollars a month you can have an unlimited transfer VPN to Sweden.

Your traffic will have a little higher ping times, but I doubt most would even notice.

This would save a lot of headaches and BS. No more DMCA letters ever.

Re: Multiple supported properties

Thu, 25 Aug 2011 10:39:07 EDT

ConnieD posted : Huh?

"Bots" float around on the internet, and "stick" to a vulnerability.

Traced to you? Prove it. Traceroute. Ping. Finger. Ook, they did!

Port 2180 is for LAN. It "could" be on your LAN.

If it is your job, Make the flow chart: clean the data stream.

I was thinking more what I said: if you do write a proposal, I would suggest you present it as better than hiring an outside consultant, which costs more, and if they want to hire an outside consultant, then fine. But if they want you to do the same job as an outside consultant, then pay for the job and when, you have achieved it, return to your salary. Unless, of course, they feel you are worth more money! But the short-term in-house consultant fee is a better deal for them, if you can do the job. They have the written proposal, in handwriting is okay, and you say you think you can do the job.

If not, suggest an outside consultant: be a hero for the suggestion.

However, I really think you can do this.

BotHunter.
BotHunter, a free program from SRI International, works with Unix, Linux, Mac OS, Windows XP, and Vista. Though designed for networks, it can also run on stand-alone desktops and laptops.

Do not discount "disgruntled employees" doing this to the hotels.

"Bots" are good for "side money". It could be the guy working in the parking garage. Use the software to track it down, if it is an "inside job".

Re: Multiple supported properties

Thu, 25 Aug 2011 10:10:12 EDT

jjjacer posted : This is from one of our sites, they did not get blocked but got a warning.

-----Original Message-----
From: abuse-nonverbose@qwest.net [mailto:abuse-nonverbose@qwest.net]
Sent: Tuesday, August 23, 2011 8:45 AM
To: **********
Subject: [AB-M18797798O] Virus Infected Bot Traffic and Qwest's Acceptable
Use Policy

Customer ID: ***************************
Circuit ID:  ********

Qwest Security Services has received notification about malicious traffic
originating from this account. This means that this computer or another
computer on your network is trying to infect, attack, or gain unauthorized
access to other computers on the Internet.

This malicious traffic has been determined to be from some form of a "Bot"
instance.

Computers infected with bots are considered compromised hosts. They may be
used
to send spam (also called Unsolicited Bulk Email, or UBE), scan other
computers
for vulnerabilities, take advantage of security holes, perform identity
theft,
and/or be used as part of Distributed Denial of Service (DDoS) attacks.
These
programs also allow computers used by attackers or spammers to hide their
identity and location. These bots are often spread by viruses or worms.

Please see the Acceptable Use Policy at:
         »www.qwest.com/legal/usagePolicy.html

Please make sure that the system software is up to date, that antivirus
software is installed with current antivirus signatures, and that your hard
disk(s) have been scanned to detect and remove all viruses, worms, trojans,
or
other software which allow unauthorized remote control of your systems.

Qwest also recommends checking to be sure that you are not running an open
proxy or an open relay. More information on open relays can be found at:
         »www.mail-abuse.com/an_sec3rdparty.html

If you believe you have an open proxy, check the documentation for your
proxy
server or firewall for information on how best to secure it.

The date, time (GMT), IP addresses, and Qwest Circuit-ID identified
in our investigation are as follows:

Date                IP              Circuit-ID               Additional Info
=================== =============== ========================
========================================
2011-08-21 13:51:18 72.164.191.114  13645521                 infection =>
'bots', subtype =>  'sinkhole', port =>  '2180', cc =>  74.208.164.166 ,
cc_port =>  '80', type =>  'tcp', count =>  '1', p0f_detail =>  '2000 SP4, XP
SP1+', sourceSummary =>  'Drone Report', p0f_genre =>  'Windows'
2011-08-21 13:51:18 72.164.191.114  13645521                 infection =>
'bots', subtype =>  'sinkhole', port =>  '2180', cc =>  74.208.164.166 ,
cc_port =>  '80', type =>  'tcp', count =>  '1', p0f_detail =>  '2000 SP4, XP
SP1+', sourceSummary =>  'Drone Report', p0f_genre =>  'Windows'

Regards,
-- 
Qwest Security Services    sysop@qwest.net, abuse@qwest.net

        Acceptable Use Policy
    »www.qwest.com/legal/usagePolicy.html

Re: Multiple supported properties

Thu, 25 Aug 2011 09:54:00 EDT

nonymous posted : Are these business accounts? How is Qwest determining the infected computers and why do they care? It is not cable and one infected computer should not affect anything else on the Qwest network. I mean they advertise your own private connection.
Are they going by ports used. if so maybe just blocking those ports if they are not normally needed by your hotel guests.

Re: Multiple supported properties

Thu, 25 Aug 2011 09:27:54 EDT

ConnieD posted : I do think is would be adviseable to find out the applicable laws for the hotels, rooms/suites, restaurants, shops, coffeeshops, lobby.

It doesn't require a law degree. Most law is written for third-grade readers, with a glossary of the meaning of the difficult words right there. There are also printed phamphlets of applicable laws in "business branch" libraries, law libraries, and the Small Business Administration. Hotel Associations sometimes have it available.

I also think it would be helpful to make a flow chart: labeled boxes (ISP, router, LAN, WiFI) and lines between the boxes with one-way or two-way arrows to see how the data has to flow.

I also think having a box of recycled hard drives, with software to correct any bad sectors, and maybe arrange so another hard drive comes up when the previous hard drive is 80% - all of it run as an external hard drive would be a good idea for his logs. You could pay retail for those storage towers for music at NewEgg or a discount house.

It would be good to see how far their WiFI reaches, and how vulnerable it is to "wardriving".

I think, if you are paid to do a job, then, do it.

If they are not paying enough, they should pay more.

I would write a proposal. It doesn't have to be fancy: here is what I will do for you. The list could include speak to the rep and negotiate better service, find out what other ISPs offer, integrate more of a backup system for logging, (use nice words like costing, rather than purchase), etc.

I know a "consultant" for city and county government who makes big bucks, to report what is available: hardware, software, and service providers.

I would add this: very little "techno-speak" is actually necessary.

If someone just wants to talk circles around you, then, talk to someone else who wants to communicate.

Re: Multiple supported properties

Thu, 25 Aug 2011 02:42:04 EDT

Vchat20 posted : I'm with DataRiker on this one. This should be considered a public network with little expectancy of filtering/'baddie prevention' (for lack of a better term off the top of my head) beyond bandwidth management. And as long as you have a commercial connection from Qwest (I will assume right away that you are), I'd bitch them out about their 'network management' and if they refuse to do anything about it, take your business elsewhere. Or rather it should be the other way around. Threaten to take your business elsewhere and if they still don't give in, actually follow through with it. That really is your best bet.

As has already been stated, it is going to be VERY difficult to do any proactive filtering to prevent this from happening again, the very least needing to be an upgrade of your firewall combined with tons of man hours to have it set up right and then regularly keeping it up to date on rules so nothing slips through. Once all that would be set and done you enter the slippery slope issue of filtering and potential guest complaints.
--
I swear, some people should have pace-makers installed to free up the resources. Breathing and heart beat taxes their whole system, all of their brain cells wasted on life support.-two bit brains, and the second bit is wasted on parity! ~head_spaz

Re: Multiple supported properties

Wed, 24 Aug 2011 15:22:20 EDT

DataRiker posted : Absolutely.

But they are actually not so different.

Our case was unique because most of our internet originated in our Library, which complicated the situation.

According to our law faculty, if it was physically located outside of our main library the same rules would not apply.

WTF...

Re: Multiple supported properties

Wed, 24 Aug 2011 15:20:18 EDT

ConnieD posted : The rules are different for a commercial business or a public institution, than for one individual on their own computer.

That is why I really do not mind if there are "rules" at a motel, campground, restaurant or coffeeshop. It is no longer, just my computer.

Re: Multiple supported properties

Wed, 24 Aug 2011 15:18:02 EDT

ConnieD posted : port 2812...

I would think a port sniffer, that attacks an open port or uses an "exploit" would have come from the internet, not in-house.

Re: Multiple supported properties

Wed, 24 Aug 2011 15:17:16 EDT

DataRiker posted : I was under the impression it was the total bandwidth usage per location.

Interestingly, before a few years ago we routinely blocked explicit sites until a student brought to our former bosses attention that we may be violating the law.

A few consultations to our law school confirmed indeed we were. ( of course none of the law professors totally agreed, but we erred on the side of caution.)

Re: Multiple supported properties

Wed, 24 Aug 2011 15:14:47 EDT

ConnieD posted : Does the "bandwidth monitoring system" include "packet sniffing"?

or total bandwidth useage from one location?

Re: Multiple supported properties

Wed, 24 Aug 2011 15:14:36 EDT

jjjacer posted : problem is its not always preventable, especialy on open networks, where you only control your devices, not what guests bring in. and i wouldnt mind them blocking during the attack or sending the warning when it happens, then we can block the user doing the abuse, however sending us the notice, or blocking days later will do no good at helping us.

if there was a list of known bottnet ports/ip's that we could add our firewall rules, i would its not hard, but alot of it is not well documented. in the latest email the device came from port 2812, and attacked port 80. at least thats what the isp saw. but there was no one on the network putting out this traffic. so we have no way of figuring out what was causing it.

biggest issue, these devices have limited resources for logging, so if someone was doing something it is usually not logged, or if it is a reboot will erase all logs as they are in ramdisk and not saved to flash

Re: Multiple supported properties

Wed, 24 Aug 2011 15:10:26 EDT

DataRiker posted : Actually, I am not allowed to block traffic for adults unless I have notification from the proper authorities. Our public network falls under the same laws that our public libraries do.

Furthermore, our bandwidth monitoring system would prevent any type of coordinated attack from becoming even remotely an issue.

Re: Multiple supported properties

Wed, 24 Aug 2011 15:04:25 EDT

Bink posted : If your network is being used to attack other networks, it is your responsibility to rectify the situation—or you should be cut off from the rest of the Internet. If you lack the capacity to manage your own network, you shouldn’t be in the business of providing network access.

Re: Multiple supported properties

Wed, 24 Aug 2011 14:53:32 EDT

DataRiker posted : Not entirely open. We do have bandwidth management, but our users are free to use the network how they feel.

As for what our ISP does after our network I don't much care as long as it doesn't block traffic. ISP's are apparently not very good at distinguishing automated research software with zombie bots.

Re: Multiple supported properties

Wed, 24 Aug 2011 14:46:26 EDT

ConnieD posted : "Open-internet"? Really?

I know organizations that have their IT Professionals use "packet-sniffers" to keep their systems runing clean. The "packets" are "packets" in the data stream.

I would think an ISP would be doing that at their internet backbone or trunk.

Re: Multiple supported properties

Wed, 24 Aug 2011 14:29:38 EDT

DataRiker posted :

said by ConnieD:

If you have a different ISP, your problem will not "just go away".

For the most part I bet it would. Get a provider that understands the nature of the business.

When our provider tried this shit, we told them we don't want any network management or we are finding another provider. Can't afford to have our internet down on a state university.

Our rep looked like he just shat his pants and said ok! I guess the thought of losing a 25,000 user network didn't sit well.

Being a university we have an open information policy, and don't restrict our internet unless we are given ample reason too.

Their stupid "network management" got so bad, faculty were buying private connection for their offices in our buildings because some of their distributed computation software would get random resets. We spent untold hours trying to locate the problem on our end, only to find out it was our ISP's "managment"

Policing every connection that comes through your building is going to be impossible, and a management nightmare. And, in my state we are not required to do so. We have a few guidelines to follow which we do. Illegal activity is handled by the proper authorities, of which I am not one of.

Re: Multiple supported properties

Wed, 24 Aug 2011 14:22:42 EDT

ConnieD posted : I know the frustration.

I just ordered Bresnan/Optimum. Why? I couldn't take more "run-around" abuse.

Their "Sales Professional" answered straight questions with straight answers, and, didn't say go to the website after your account starts whenever. I have an appointment to install the service in a "half-day window". I like Direct Pay. She set up "Direct Pay". No hassles.

But.

If you have a different ISP, your problem will not "just go away".

I say "ban" IRC. yes. Most "script-kiddies" use IRC.

I think a nice printed card handed at sign-in is acceptable.

I have had a laminated card presented before signing in.

I think savvy-travelers know there is internet abuse.

I would say, it is important to have it all be pleasant:

"Do you want internet?

We have had to make rules (handing the laminated card).

If you have no objection, you may have a password.

(adding, as appropriate) You will, likely, find there is nothing objectionable (smile pleasantly)."

That should keep your patrons/customers from engaging your personnel in a conversation about the "issues".

If someone tries to "discuss the issues", be courteous but firm.

"That is a Management (better: Owner) decision, sorry".

If they go across the street to a different hotel, you may have saved yourself from getting blocked" by your ISP.

The fact you have ethernet is a big plus for business-class travelers.

The business-class travelers, after all, are very likely your "bread-and-butter". Keep ethernet, if only for their rooms and suites.

Make room/suite assignments appropriately.

Re: Multiple supported properties

Wed, 24 Aug 2011 14:15:54 EDT

DataRiker posted :

said by Bink:

This is your problem, not Qwest's, even though Qwest is taking due diligence and preventing their network from being used as a vehicle to spread viruses.

Totally disagree. Quest shouldn't be blocking any traffic, especially on a commercial account with large public access points.

Our universities provider gets tons of these bot notifications, but we have never had our connection shut off.

We have hundreds of public access points, our provider understands the nature of our network.

Find a different provider.

Re: Multiple supported properties

Wed, 24 Aug 2011 12:31:54 EDT

jjjacer posted : the problem with antivirus, they will only protect our router, and nothing else as there is no way to scan computers that we do not have access or rights too.

We do ban some services, and im thinking we should ban IRC, as that is what most bots use to initiate attacks. the problem with blocks , even with notices in the terms page is guests believe that the internet is supposed to be 100 open and that we do not have the right to block access, heck even terms pages piss guests off.

its a tough subject, you want things secure and workable, but you dont want guests to call in every 5min because they dont know how to click accept, or that our page asking to accept is blocking there yahoo and that they will sue us if we dont remove it. (we here it all!!)

sorry if i sounded a bit of an ahole but ive been in a bad mood as being tech support means everyone blames you for problems. im thinking of setting up opendns on our qwest sites and blocking using p2p and a few other sources of bad stuff

Re: Multiple supported properties

Wed, 24 Aug 2011 11:37:47 EDT

ConnieD posted : If you can go to Pandasoft Active Scan with your system, I would think they can scan it. Maybe javascript is a requirement.

The terms can be anything you like.

I was at a campground that Welcome screen said "This is a family-friendly place. For that reason, we allow no adult sites".

Another way to get attacks, I forgot to mention, is Live Chat.

You could ban Live Chat: Every public place I have been bans Live Chat.

I am not a professional. I am just a somewhat tech-savvy person who uses internet and "helps out" when I can.

I really only know "machine language". I wrote "new syntax" that created the GUI, well, more than printed fan-folds of Snoopy and Merry Christmas and flat-art on the old amber-screen displays. It created the C++ language. I should be rich and famous.

All the things I said are always "good information".

I do not know how to implement any of that on your system.

For one thing, I don't know if you have VPN, or what. I do know an "IT Professional" can make software run silently in the background. However, finding that "IT Professional" is not easy.

But a firewall and an antivirus is always "a good thing".

There must be a small-footprint low-resources firewall that runs on Linux. Look to a legacy-Linux part of a Linux forum?

I do know Frisk has F-Prot Antivirus for Linux.

Malwarebytes may run on Linux.

The "Cloud" antivirus will even work on embedded systems on a chip.

I recommended an enterprise-level firewall once to a small government. Their tribal government, actually, said their ISP was taking care of it for them. Not.

Re: Multiple supported properties

Wed, 24 Aug 2011 11:14:02 EDT

jjjacer posted : does Pandasoft Active Scan run from a linksys router, or a devices with only 4-5mb of free space and very little ram.

The issue is, with the limited resources we have, 233mhz router with a few megs of ram, running an old version of linux that has been not supported for years, it is hard to change anything to detect and stop virus/malware/bots on computer we dont own.

secondly, who would let someone else scan there computer, when you goto a motel or hotel do you hand your laptop over to staff so they can scan it before going online, or do you just connect to wifi or ethernet and accept the terms and go online.

Now yes you can catch virus from wifi, but we have client isolation, no devices on our network should be able to communicate to each other, only the gateway/our router.

If the attacker is a guest and is doing on it purpose, we usually notice due to the high bw usage. Spam is usaually stopped as we use redirection of email on port 25. small bots that dont cause much network traffic are very hard to detect, especially since sometimes they work on port 80.

The issue we are having, we get a guest that shows up to the hotel, has some virus/bot that does bad things on the internet and then leaves the next day, then the internet is blocked 7 days later when the guest is already gone making everyone at the hotel pissed.

and what i meant by we cant block people if we offer free wifi, i mean we cant just turn wifi off forever because if we turn it on the internet gets blocked by qwest when a guest with infected computer joins.

so essentially we can either not have wifi, or have wifi and get blocked once a week.

Re: Multiple supported properties

Wed, 24 Aug 2011 10:49:53 EDT

ConnieD posted : Are you allowing patrons/customers to plug directly into ethernet?

I am mystified, you can "catch a virus" from WiFI.

It is possible to have a deliberate attack.

"malware" websites made deliberate attacks.

Hostile "patrons/customers" make deliberate attacks.

"Angry neighbors" make deliberate attacks.

Internet "bots" attack Windows-systems. Internet "bots" attack commercial sites with "exploits" to find credit cards.

I would not have the "referrer string" have the name of the hotel.

Maybe you are having deliberate attacks?

. . .

"we cannot advertise offering free wifi if we have to block people"

When travelling, I stay at motels and at campgrounds. I go to coffeeshops and restaurants.

Their WiFI "front page" at the "login" has "the rules" usually in the context of "Welcome to the"...

Their WiFI is free. I don't see why you cannot.

. . .

I have used Pandasoft Active Scan to clean local county government computers of very nasty "trojans".

I have even cleaned a worm out of a MAC once.

Do you have something nasty, that replicates, like a worm?

I recommend a Pandasoft Active Scan to start.

. . .

It might be helpful for you to get Commodo, even Commodo-free has Geek Buddy and a forum.

Re: Multiple supported properties

Wed, 24 Aug 2011 09:28:17 EDT

jjjacer posted : We do use password control, with random generated passwords that the FD hands out, however the router to the hotel is a embedded linux system that is very limited on what we can add to it. Most of all the firewall rules are done in iptables, we do block some p2p but havent found a way to eliminate it. The best way to think of our router is a very powerful linksys running a stripped down version of debian 4.0.

Beyond that we have no control on whats on the guest computers, if they come from there home with a virus or bot, there is nothing we can really do to detect or block them. However usually they are unable to effect other computers at the hotel due to client isolation.

as far as ports opened, our routers have 80 (for our portal system), 22 (remote management only available from our office), and 1111 for VPN.

The biggest issue is not computers at the hotel, but laptops that guest bring in from elsewhere, we cannot advertise offering free wifi if we have to block people from using their devices because we cant be sure they have a clean computer.

The problem is im not finding anything online really that gives me known ports and firewall rules that i can apply to our systems. and without these it is next to impossible to prevent a user with an infected laptop from causing problems with quest.

so basically i can.

1. Block internet for guests, tough luck, we offer free wifi but you cant use it because we cant trust you

2. Force guests to install software and call tech support to get online causing larger call volumes and more headaches for support

3. deal with qwest blocking internet access to the hotel once a week and hope an account holder can call when this happens and get them unblocked.

4. plead with our hotels that have qwest to drop them and find a better ISP that treats business better than home users.

This is why i wish there is a way for qwest not to do blocking of internet on hotels as it is very hard to control whats coming into the hotel, even with firewalls on our equipment, it wont stop dirty guest PC's and then if we dont allow guests to use there wireless devices, well we cant advertise free wireless internet and most guests demand that hotels have this.

Re: Multiple supported properties

Wed, 24 Aug 2011 08:51:52 EDT

ConnieD posted : I do not have a commercial interest, however gratuities accepted?

Maybe you can cut-and-paste from existing software's "host files"?

On my own computer,

I have a router with NAT and "stateful packet inspection".

In the router,
I manually "authorize" the MAC ID of the computers and devices in my control.
If I notice a "slow down" I check my internet speed with SpeedTest.net and I change the 104-bit randomly generated password in the router. I have free software to randomly generate passwords: use case sensitive letters and numbers, plus random symbols on the keyboard. For ease of use, use cut-and-paste.

In the computer,
I have Panda Cloud antivirus - free (I change, if something is better).
I have PC Tools Firewall Plus - free (I change, if something is better) "stealth" enabled.
I check to see all ports are closed and "stealth" with GRC.com
Note: The Antivirus-Firewall "do-it-all" Suites are not better!

I take all security updates for Windows, for Javascript, for Adobe Flash. I take all security updates for Firefox.

In Firefox, I have Ad blocker and AdBlock Plus: I have all the host files in English and from "eastern european countries" and asian. Take all of the host files, if you have an international hotel.

If you like, you can selectively block p)rn sites, warez, and Limewire, free music and other "malware" website's URL's.

This can be done a number a different ways: in the router, in the browser, or by purchasing "nanny" software designed for families.

However, "nanny" software does not have to BLOCK all "adult sites" if you so choose. You make the selections. That said, I would BLOCK uTP ports and eMule to avoid "excessive use policy" enforcement from your internet provider.

In addition, I have recommended our local public library computers have no USB ports, no SD slot, and no floppy drive on their public computers, because this is how most "malware" is introduced by patrons.

I also recommend their public computers have only access to internet and that on the desktop, no Start or My Computer.

I would have email disabled, requiring use of the patron/customer's own "online email" like gmail, for example.

I would put that statement with the welcome to-the-hotel rules.

If I had a hotel, I would have PC "drones" with no accessible ports whatsoever in the rooms, with everything networked into an on location server, that or WiFI I control.

In fact, the motels I stay-at have only WiFI.

If they are smart, they change their randomly generated password "daily" to be picked up with your room key at the desk.

Re: Multiple supported properties

Tue, 23 Aug 2011 12:53:29 EDT

jjjacer posted : any place i can get a list to block these in our iptable firewall rules

Re: Multiple supported properties

Tue, 23 Aug 2011 11:55:26 EDT

Bink posted : Configure your systems/firewalls appropriately so that when an infected client joins your network, they are prevented from attempting to infect other systems on the Internet.

This is your problem, not Qwest's, even though Qwest is taking due diligence and preventing their network from being used as a vehicle to spread viruses.

Multiple supported properties

Tue, 23 Aug 2011 11:25:01 EDT

jjjacer posted : I work for a HSIA provider for hotels, we have multiple hotels that use qwest, it seams a couple times a month we have issues were qwest blocks the internet and puts up a page about possible virus/bots.

The problem is when this happens guests cant get online, which can cost the hotel alot of money on walkouts.

The biggest issue is these are open networks were hundreds of computers come and go on a daily bases and there is no way of stopping a guest computer with a virus or bot or spammer from joining the network and causing issues. Then by the time we get a notice about it, usually the guest had left the hotel. Is there any way to get qwest to set it up to not block internet access at these sites as all they are doing is making their customers mad because something that was uncontrollable happened and there is nothing that can be done to prevent or stop days after the event.