 neoee
join:2006-04-09 Kent, WA
1 edit | Annoyed with Comcast abuse dept.
This is my first post here but I just had to share my recent experience with the Comcast abuse department.
First a tidbit about me. I work in a network operations center for a company with over 150,000 employees. If it matters, I am also CCNP certified (as well as MCSE), studying towards my CCIE.
So one morning early last month I notice my Comcast service is down. Reboot the cable modem and also check my Cisco router behind it. The interface connected to Comcast is being assigned a 192.168.x.x address. I call Comcast support and they refer me to the Abuse department. Now for those who haven't had the pleasure of calling, you dial a number in NJ and leave a message which indicates you will get a call back in 24 hours "excluding weekends and holidays". Fortunately for me they were already in the process of calling me. So I speak with one of their analysts and am told that something originating from my network is attacking their systems, hence the reason I was cut off. "For security reasons" I am not told what port they are being attacked on. So I made the assumption that the only vulnerable app I have running is Azureus (since it has the IRC plug-in installed). Told Comcast I would take care of it and they turned my service back up.
A couple of days later I am out of state on vacation and get a voice message saying now my service is shut down for a week and if it happens again they will cut me off indefinitely. I call their Abuse dept. again and leave my call back number; over a week later I still hadn't heard back. When I return home I call again and also send an email, still nothing. After calling 800-Comcast I get one of their analysts to pass on a message to the Abuse dept. to call me. Finally, after another 3+ days of playing phone tag (they never gave me a direct number), I speak with one of their abuse analysts.
Now let me interject that my company mainly uses two companies to provide HSI for people working from home, AT&T DSL and Comcast (in some regions we use Cox and others though). All this time I've been recommending Comcast to our users- that's gonna change.
Also of note, when I returned from vacation I placed an access-list on my router outbound to block and log everything except TCP 80 & 443 going out. My VOIP service won't work, my p2p apps won't work, I can't access my PVR to schedule shows remotely, can't access my computer remotely, IPSEC connections fail, etc. As I'm going along I manage to loosen the restrictions to get *some* of the stuff working again.
Anyways back to my story. So I was on the phone with the abuse person (the word 'analyst' is a waste for these people), and was asking for either an IP address or a port, or a combination of the two, so I can create an access list to block traffic destined to the matching criteria. With the access list I could also log which device on my network was causing the trouble and resolve the issue. I have 7 computers, a VOIP adapter, 14 routers (lab devices), 2 switches and a terminal server, and trying to guess which one might be infected or compromised is not reasonable.
So after what felt like having my teeth pulled, I'm still not getting anywhere. Instead of giving me the information I need to correct the problem they tell me that I have open ports! No SH*T! Some applications require it (Soulseek, bittorrent, VOIP adapter etc.). This continues on and on, getting nowhere, since they claim I am in violation of policy by having my ports open, until I finally say fine, I'll shut down the ports. Finally they give me a port number, which doesn't even show up in my logs.
But here's what really amazes me- a couple hours later I get another voicemail from another abuse **** saying that they can't give me ip addresses or port numbers because it is proprietary and they recommend discontinuing use of any applications which scan ports etc. DO YOU THINK I WOULD BE TRYING TO PUT AN ACCESS LIST IN PLACE IF ALL I HAD TO DO WAS STOP USING AN APPLICATION? DO YOU THINK THE ATTEMPTS MADE TOWARDS COMCAST WERE DELIBERATE ON MY PART?
These people (at least the ones I spoke with) have no clue. On their own web page for reporting activity it says to have IP addresses and port numbers available, else they can't do anything for you... ummm, HOW AM I SUPPOSED TO DO ANYTHING WITHOUT THE SAME INFORMATION?
So I'm going to loosen up my access list even more and do my best to prevent any malicious traffic from going out but in the meanwhile I'm also going to look for another provider. The funniest part is that when I switch to the new provider and remove my ACL completely Comcast will still be getting attacked, since they never did anything to help me resolve the problem, and this time they won't be able to shut me down.  |
|
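The outbound deny-and-log ACL described in the post above is the right instrument for the question being asked; what it produces is syslog lines, and the work is in summarising them per LAN host. The following is an added example written for this thread, not code from any poster or from Comcast: a Python script that parses Cisco IOS %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP messages and reports which internal host is sending to a given destination port and how many distinct outside addresses each host contacts. The access-list 101 in the docstring, the log lines, the LAN addresses and the port 5555 are all constructed and hypothetical.

```python
"""
Added example (not from the thread): summarise Cisco IOS access-list "log"
hits so an outbound deny/log rule points at the internal host, not the packet.

Assumed router setup (hypothetical, mirrors what the poster describes):
    access-list 101 permit tcp any any eq 80
    access-list 101 permit tcp any any eq 443
    access-list 101 deny   ip  any any log
    interface FastEthernet0/0
     ip access-group 101 out
"""
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (documentation-range destinations, not real traffic).
SAMPLE_LOG = """\
Apr 10 08:05:12.001: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.10.12(31337) -> 192.0.2.10(5555), 1 packet
Apr 10 08:05:13.002: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.10.12(31337) -> 192.0.2.11(5555), 1 packet
Apr 10 08:05:14.003: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.10.5(5060) -> 198.51.100.9(5060), 4 packets
Apr 10 08:05:15.004: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.10.12(31337) -> 192.0.2.12(5555), 1 packet
Apr 10 08:05:16.005: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.10.7(2048) -> 203.0.113.4(6881), 12 packets
Apr 10 08:05:17.006: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.10.7 -> 203.0.113.4 (8/0), 2 packets
Apr 10 08:05:18.007: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
"""

# Matches the body of IPACCESSLOGP (tcp/udp, with ports) and IPACCESSLOGDP
# (icmp, no ports but a trailing "(type/code)") messages.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r".*?, (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per access-list log line; unrelated syslog lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        hits.append(rec)
    return hits


def hosts_for_port(hits, proto, dport):
    """Packets per internal source host that tried to reach proto/dport."""
    per_host = Counter()
    for h in hits:
        if h["proto"] == proto and h["dport"] == dport:
            per_host[h["src"]] += h["count"]
    return per_host


def destination_fanout(hits):
    """Distinct destination IPs contacted per source host.
    One LAN host touching many outside addresses is the pattern an ISP
    abuse desk usually reports as scanning."""
    dests = defaultdict(set)
    for h in hits:
        dests[h["src"]].add(h["dst"])
    return {src: len(d) for src, d in dests.items()}


if __name__ == "__main__":
    hits = parse_acl_log(SAMPLE_LOG)
    print("LAN hosts sending to udp/5555:", dict(hosts_for_port(hits, "udp", 5555)))
    print("distinct destinations per host:", destination_fanout(hits))
```

Two things to keep in mind when reading the counts: IOS logs the first matching packet and then a summary every five minutes, so the packet totals are approximate rather than exact, and a host showing up only for the port the abuse desk named is enough to know which machine to pull off the network, even when the packets themselves carry no recognisable signature.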
 jakoe420
join:2003-09-05 Knoxville, TN clubs:
| said by neoee: Anyways back to my story. So I was on the phone with the abuse person (the word 'analyst' is a waste for these people), and was asking for either an IP address or a port, or a combination of the two, so I can create an access list to block traffic destined to the matching criteria. With the access list I could also log which device on my network was causing the trouble and resolve the issue. I have 7 computers, a VOIP adapter, 14 routers (lab devices), 2 switches and a terminal server, and trying to guess which one might be infected or compromised is not reasonable.
Seems reasonable to me that you're responsible for what's happening in your LAN. How is that comcast's responsibility to tell you which one of YOUR machines has a problem?
said by neoee: So I'm going to loosen up my access list even more and do my best to prevent any malicious traffic from going out but in the meanwhile I'm also going to look for another provider. The funniest part is that when I switch to the new provider and remove my ACL completely Comcast will still be getting attacked, since they never did anything to help me resolve the problem, and this time they won't be able to shut me down.
So you have malicious traffic originating from YOUR network and you think it's comcast's fault because they wouldn't give you an IP address? You have 7 computers, it shouldn't take that long to find the problem and fix it. I must have missed something because your post makes no sense to me, sorry. |
|
  CajunTek Insane Cajun Premium,MVM join:2003-08-08 Arlington, TX
·RoadRunner Cable
| reply to neoee Hmmm.. I was going to ask the same questions as jakoe420 but now I don't have to..
I will add one thing.. If that machine is still spewing, whoever you choose as a replacement for comcast, will be no happier with you than comcast.. -- da Cajun Darn I hate Malware |
|
  Combat Chuck Too Many Cannibals Premium join:2001-11-29 Erie, PA | reply to neoee you may want to go to: »www.mynetwatchman.com/
and look to see if they have any incidents originating from your IP. It'll tell you the ports the attacks originated from. |
|
rody_44 Premium join:2004-02-20 Quakertown, PA | reply to neoee You get upset with comcast. But they shut you down and you said you would fix it. Then you didn't and you get madder when they shut you down again. I wonder how mad you will be on the third offense. I believe that's when they shut you off for good. |
|
 BillOSX33
join:2006-04-03 Chicago, IL
| reply to neoee What about the Comcast Executive Complaint center?
Take the connection out of the ethernet port of the modem one weekend, then if they call back with more BS say "I'm sorry but I had the plug out of the ethernet port which proves you are just making this up" |
|
  CajunTek Insane Cajun Premium,MVM join:2003-08-08 Arlington, TX
·RoadRunner Cable
| I've helped clean up several machines on the comcast.net network that got the abuse shutdown.. I have yet to find an error on comcast's part in this.. There's always a first time.. I suspect this isn't it.. -- da Cajun Darn I hate Malware |
|
 neoee
join:2006-04-09 Kent, WA
| reply to neoee My problem is that all they tell you is something is attacking their network, fix it. It's like telling you to go find a needle in a haystack, except the needle looks like all the other hay. Contacting them results in less than intelligent answers. They shift the issue to something else saying I'm violating policy by having my ports open (nowhere in their abuse policy is it stated as such). Am I the only one forwarding ports?
This is from Comcast's website, when reporting abuse:
quote: Network Abuse Submission Guidelines
1. Provide a brief, general description of the network abuse incident.
2. Include all logs or information relevant to the incident; ensure the logs you're submitting contain:
 a. Date of incident
 b. Time of incident and time zone
 c. Source Internet protocol (IP) address or host name
 d. Destination IP address or host name
 e. Destination port
...
In closing, Comcast cannot investigate an incident of network abuse without the information requested above.
...
Now if Comcast cannot investigate without that information, what makes you think I can? I'm told their server IP and port on which they are being attacked is "proprietary information", fair enough, but if I was intentionally attacking them wouldn't I already know what it was? They are already being hit on them so what more harm could be done? |
|
 neoee
join:2006-04-09 Kent, WA
| reply to BillOSX33 BillOSX33, thanks for the suggestion but I don't think they are making it up. I do believe that their concern was real (though I haven't seen it in the logs). But them shifting the issue and not providing me the information to correct it doesn't help.
I haven't heard more complaining from them since I've placed the ACL but it's also making the use of the service impossible with some applications. |
|
  CajunTek Insane Cajun Premium,MVM join:2003-08-08 Arlington, TX
·RoadRunner Cable
| reply to neoee You may not.. But there have been suggestions on how to find out.. and then since this very forum (as well as comcast.net's own forums) has a security section.. and a security clean up section.. All with tools to help you find out why you might have a port open that is spewing..
I suggest you see these rules: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
and then post for more help here: »Security Cleanup -- da Cajun Darn I hate Malware |
|
 BillOSX33
join:2006-04-03 Chicago, IL
| reply to neoee If they told me the server IP and port was "proprietary information," I would have said "fine, cancel my account, the reason I want to cancel is proprietary" and called up the local telco or someone who could provide service. Just make sure you have an alternative before you do that.
I don't know why the server IP and port is "proprietary".
Try opening port 5060 (SIP authentication for VoIP) to see if they are bitching that you are attacking via VoIP. -- Thank you in advance,
Bill |
|
 neoee
join:2006-04-09 Kent, WA
| reply to CajunTek CajunTek, I just looked at the post and am already doing as suggested. All my devices are running McAfee VirusScan Enterprise edition (provided by my company), DATs updated nightly. Spybot also running on every restart, though I'm running FF on all my computers and haven't had a single issue, etc.
As someone who commonly has to deal with large scale problems caused as a result of people not taking the steps you mentioned, believe me I do my best to prevent these. But I thank you for the suggestions.
said by "jakoe420": Seems reasonable to me that you're responsible for what's happening in your LAN. How is that comcast's responsibility to tell you which one of YOUR machines has a problem?
You're right, it is my responsibility, I never said it wasn't.
said by "jakoe420": So you have malicious traffic originating from YOUR network and you think it's comcast's fault because they wouldn't give you an IP address? You have 7 computers, it shouldn't take that long to find the problem and fix it. I must have missed something because your post makes no sense to me, sorry.
I cleared counters on the interface heading to Comcast last night after placing a new ACL on it. Here's the current stats:
Last clearing of "show interface" counters 08:05:10
Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
   Conversations 0/2/256 (active/max active/max total)
   Reserved Conversations 0/0 (allocated/max allocated)
   Available Bandwidth 75000 kilobits/sec
5 minute input rate 18000 bits/sec, 33 packets/sec
5 minute output rate 131000 bits/sec, 16 packets/sec
   1384161 packets input, 111937504 bytes
   Received 930779 broadcasts, 0 runts, 0 giants, 0 throttles
   0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
   0 watchdog
   0 input packets with dribble condition detected
   510690 packets output, 479319684 bytes, 0 underruns
   0 output errors, 0 collisions, 0 interface resets
   0 babbles, 0 late collision, 0 deferred
   0 lost carrier, 0 no carrier
   0 output buffer failures, 0 output buffers swapped out
Now of the 510690 packets that went outbound in the last 8 hours, tell me which packet is malicious. That's essentially what Comcast is telling me to do. |
|
 jakoe420
join:2003-09-05 Knoxville, TN clubs:
| said by neoee: Now of the 510690 packets that went outbound in the last 8 hours, tell me which packet is malicious. That's essentially what Comcast is telling me to do.
It doesn't matter which PACKET is malicious. You said you have 7 computers on your network. The problem is coming from one of those. Find the problem, clean it, and the malicious packets stop going out. You don't need to know what the packets are, just that it's coming from one of those 7 PCs. If you know your equipment and how it's used, you shouldn't have too much trouble finding the one that's doing it. |
|
 BillOSX33
join:2006-04-03 Chicago, IL | reply to neoee Maybe you could turn off the computers one-by-one. Turn off computer 1 one night, if you get a call from them say you are working on finding the problem computer, then turn computer 2 off...
Works well for eliminating the problem computer |
|
  99664227 Heavily MODerated Premium join:2002-11-21 USA
1 edit | reply to neoee Your certs aren't worth the toilet paper they're written on if you can't determine what is going on on your own LAN. Lastly, tell us how dial up is when Comcast terms your account. -- Market go up. Market go down. |
|
  phattieg
join:2001-04-29 Winter Park, FL
·Verizon Wireless B..
·Sprint Mobile Broa..
1 edit | reply to neoee said by neoee: My problem is that all they tell you is something is attacking their network, fix it. It's like telling you to go find a needle in a haystack, except the needle looks like all the other hay. Contacting them results in less than intelligent answers. They shift the issue to something else saying I'm violating policy by having my ports open (nowhere in their abuse policy is it stated as such). Am I the only one forwarding ports? This is from Comcast's website, when reporting abuse:
quote: Network Abuse Submission Guidelines
1. Provide a brief, general description of the network abuse incident.
2. Include all logs or information relevant to the incident; ensure the logs you're submitting contain:
 a. Date of incident
 b. Time of incident and time zone
 c. Source Internet protocol (IP) address or host name
 d. Destination IP address or host name
 e. Destination port
...
In closing, Comcast cannot investigate an incident of network abuse without the information requested above.
...
Now if Comcast cannot investigate without that information, what makes you think I can? I'm told their server IP and port on which they are being attacked is "proprietary information", fair enough, but if I was intentionally attacking them wouldn't I already know what it was? They are already being hit on them so what more harm could be done?
And in this case, Comcast was either notified by e-mail from another ISP, or your modem was flagged in the CMTS for something. In either case, you are less than 0.01% of their overall network. The true definition of "needle in a haystack" is by far the best reason NOT to tell you what is getting you kicked. To put it better, you probably told the rep that you had multiple computers; at that point, it's not Comcast's problem, because their terms of service state we support a PC or MAC with a specific operating system, and no routers. If you want the answer to what's causing it, install a packet sniffer yourself and do your own digging. You are paying Comcast to provide you with internet, not manage YOUR network. As a result, Comcast IS managing their network, and blocked your access accordingly with their AUP (Acceptable Use Policy). Comcast does not configure personal routers, or troubleshoot anything that was not put on your computer by the OEM/OS vendor. Sorry my friend, but you're gonna need to remove the network, or do like another poster said, and simply leave ethernet unhooked for a while and see if you get anything else, otherwise, assume it's a compromised PC, and move on. Have you considered ANY PC WITH INTERNET EXPLORER, USING SCRIPTING, IS A CULPRIT DUE TO THE RECENT VULNERABILITY NOTICE MICROSOFT RELEASED!!! Now STOP ARGUING and START UNPLUGGING, lol, you would have the same problem with any other ISP; the fact that Comcast is actually BLOCKING this crap from hitting my PC is wonderful to me. |
|
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage
1 edit | reply to neoee To all of the "experts" who have posted in this thread slamming neoee, here is a sample of a bogus abuse letter I received from Covad:
said by Covad Abuse Department: Dear Covad Customer,
It appears that a computer on your network is infected with a virus, worm, or trojan. Your computer is now attempting to infect other computers on the Internet and this violates Covad's Acceptable Use Policy (AUP). It is imperative that this issue is resolved immediately to avoid an interruption in your service.
After locating the computer with the virus:
* Install anti-virus software
* Update your virus definitions
* Run your virus scan to find and remove this virus
Here are some links to look up and explain the type of virus you may have:
»vil.nai.com/vil/default.asp »www.symantec.com/avcenter/vinfodb.html »ciac.llnl.gov/ciac/CIACVirusDatabase.html
Please review our AUP for more detailed information. Failure to find and remove this virus may lead to a service interruption or possibly the termination of Covad service.
»www.covad.com/onlinesupportcente···s/legal/
Please notify Covad once this issue is resolved by responding to this email.
Due to the severity of this issue, and to avoid any further proliferation of this virus, we will have to temporarily lock your account if we do not hear from you within 48 hours.
If you have an IT administrator or consultant for your network, please forward this email to them.
Thank You, Covad Technical Support Abuse Department
It took numerous emails, telephone calls, and threats of legal action (against Covad, by me) to finally get them to admit that what prompted the abuse letter was actually some jerk who found my Test your firewall page via a Google search, clicked on the portscan link, and then fired off an email to Covad complaining that I was port scanning his network.
I do not know what kind of applications neoee is running, or whether or not one or more of his/her computers is doing something malicious, but I do understand the frustration of dealing with a know-it-all ISP abuse dept that refuses to explain the nature of the alleged abuse. It took several days for me to get Covad to tell me that what I was being accused of was port scanning a specific IP address, and less than a minute of searching my router and web server logs to produce the actual sequence of events.
If Comcast could/would supply similar information to neoee , then possibly his/her problem could be easily corrected as well. -- Outsourcing is not the same thing as Offshoring!!. Test your firewall. Smell the flowers. |
|
 neoee
join:2006-04-09 Kent, WA
1 edit | reply to jakoe420 said by "jakoe420": It doesn't matter which PACKET is malicious. You said you have 7 computers on your network. The problem is coming from one of those. Find the problem, clean it, and the malicious packets stop going out. You don't need to know what the packets are, just that it's coming from one of those 7 PCs. If you know your equipment and how it's used, you shouldn't have too much trouble finding the one that's doing it.
I should have mentioned only 4 computers were ever on during the time reported by Comcast (I don't think I've even turned the others on in the last 6 months). Of those 4, as I stated before, all the computers scan clean using a virus scanner; they also check out with the adware/malware detection programs. So what other tools do I have? I've also looked up the port given to me and there is NO information on it. IANA doesn't even show a standard use for it. I won't tell you which port it is, out of courtesy to Comcast, but I can tell you it was UDP-based. So again, I've blocked everything outbound and logged it for a week; nothing with that as a destination port ever attempted to go out.
said by "tradewiz50": Your certs aren't worth the toilet paper they're written on if you can't determine what is going on on your own LAN. Lastly, tell us how dial up is when Comcast terms your account.
What are you? Like 13? Did you expect me to be offended with an intelligent response like that? |
|
 neoee
join:2006-04-09 Kent, WA | reply to NetFixer NetFixer, thanks for the sympathetic response. I was starting to lose hope here. Not that I would want anyone else to have to go through something like this, but it's somewhat refreshing to know I'm not the only one that's experienced this. |
|
  EnasYorl Thieves World
join:2001-12-02 West | reply to neoee I'd start by capturing packets on the 7 computers.
D/L for free »www.ethereal.com/ |
|
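Capturing on the LAN side, as EnasYorl suggests, answers the question the ACL logs can only approximate: which host actually put the packets on the wire. The following is an added example written for this thread, not code from EnasYorl or any other poster: a standard-library Python reader for the classic pcap format that Ethereal (now Wireshark) and tcpdump write, which attributes every outbound UDP packet to its LAN source, grouped by destination port. The capture is constructed inside the script; the LAN prefix 192.168.10. and the port 5555 are hypothetical stand-ins for the poster's network and for the UDP port Comcast named.

```python
"""
Added example (not from the thread): read a classic pcap file and report
which LAN host sent UDP to each destination port, using only the standard
library. The capture is constructed below; the 192.168.10. prefix and
port 5555 are hypothetical stand-ins for the poster's LAN and Comcast's port.
"""
import socket
import struct
from collections import Counter, defaultdict

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def build_udp_frame(src_ip, dst_ip, sport, dport, payload=b"x"):
    """Build an Ethernet/IPv4/UDP frame (constructed test data, checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (24-byte global header, 16-byte records)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1144656000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_pcap_frames(data):
    """Yield raw link-layer frames from classic pcap bytes (either byte order)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_udp(frame):
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/UDP frame, else None."""
    if len(frame) < 34:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ver_ihl = frame[14]
    ihl = (ver_ihl & 0x0F) * 4  # header length honours IP options
    if ver_ihl >> 4 != 4 or frame[14 + 9] != IPPROTO_UDP:
        return None
    udp_off = 14 + ihl
    if len(frame) < udp_off + 8:
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, udp_off)
    return src, dst, sport, dport


def udp_senders_by_port(pcap_bytes, lan_prefix="192.168.10."):
    """Map UDP destination port -> Counter of LAN source hosts that sent to it.
    Frames from outside sources (replies) are ignored so they do not pollute the count."""
    by_port = defaultdict(Counter)
    for frame in iter_pcap_frames(pcap_bytes):
        decoded = decode_udp(frame)
        if decoded is None:
            continue
        src, _dst, _sport, dport = decoded
        if src.startswith(lan_prefix):
            by_port[dport][src] += 1
    return by_port


# Constructed capture: one host sending udp/5555 to three outside addresses,
# a SIP phone talking to its provider, an inbound SIP reply, and an ARP frame.
SAMPLE_PCAP = build_pcap([
    build_udp_frame("192.168.10.12", "198.51.100.1", 31337, 5555),
    build_udp_frame("192.168.10.12", "198.51.100.2", 31337, 5555),
    build_udp_frame("192.168.10.12", "198.51.100.3", 31337, 5555),
    build_udp_frame("192.168.10.5", "203.0.113.9", 5060, 5060),
    build_udp_frame("192.168.10.5", "203.0.113.9", 5060, 5060),
    build_udp_frame("203.0.113.9", "192.168.10.5", 5060, 5060),
    bytes.fromhex("001122334455" "66778899aabb" "0806") + b"\x00" * 28,
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for port, hosts in sorted(udp_senders_by_port(data).items()):
        print(f"udp/{port}: {dict(hosts)}")
```

Run it with a capture file as the first argument to analyse real traffic; the capture must be taken where all LAN hosts are visible (a hub or a switch mirror port on the router's inside interface) and saved in classic pcap format, since the reader deliberately does not handle pcapng. Filtering on the destination port the abuse desk supplied turns the "needle in a haystack" into a single source address.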