Will alert customers via proxy system that they need a cleaning...
Comcast reached out to us today to note that they're employing a new strategy to help deal with customers they've identified as having trojan-infected PCs. According to Comcast, the company is going to start issuing alerts on subscriber PCs (see screenshot below) should the user be showing the telltale signs of botnet or spam relay infection. The alert can either be ignored by the customer, or they can click on a link that will take them to the Comcast security center, which offers cleanup guidance.
Comcast isn't alone in trying to automate the trojan identification and cleaning process. In 2006 we talked with Canadian cable operator Cogeco about the use of so-called "walled gardens," something Cox Communications also helped pioneer.
Walled garden systems take things one step further by modifying configuration files on the modems, and restricting user access to the Internet. Customers in those instances only see links to ISP help and virus cleaning tools, and full access isn't restored until support is convinced the PC's clean.
Comcast tells us they considered the full walled-garden approach, and explored the idea in a draft standard submitted to the IETF. Given the high volume of different devices that could be connected to the Internet at any one time (VoIP devices, game consoles), Comcast apparently decided against the idea:
While in many cases the user is almost guaranteed to view the notification message and take any appropriate remediation actions, this approach can pose other challenges. For example, it is not always the case that a user is actively using a computer that uses a web browser or which has a web browser actively running on it.... As a result, the ISP may feel the need to maintain a potentially lengthy white list of domains which are not subject to the typical restrictions of a walled garden, which could well prove to be an onerous task, from an operational perspective.
For those interested in how the alert system works, Comcast has stopped by our forums to discuss it in more detail and field any questions you might have (again, nice to see Comcast interacting with the community). Comcast says infected PCs are identified through a combination of independent security research that identifies compromised IPs (via groups like Spamhaus), and Comcast network analysis. Comcast says the proxy system they're using does not cache any information, and no usage data is tracked or stored in the process:
The notification platform utilizes a standards-based approach developed by the Internet Community known as Internet Content Adaptation Protocol (RFC3507). When a bot is detected and a customer needs to be notified, HTTP traffic (Port TCP 80 only) from the customer's computer is routed via a web proxy. The traffic is routed from the customer's computer to the final destination, a "web server", without modifying the request. When the traffic from the Web server arrives at the proxy the Service Notice is added to HTML content without modifying the original page and then the combined content is routed back to the customer's computer.
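To make the quoted description concrete, here is an added illustration (not Comcast's code, and not taken from the RFC) of the response-side half of an ICAP RESPMOD handler: the request is never touched, a constructed Service Notice is appended only to uncompressed text/html responses, Content-Length is recomputed, and the answer is framed per RFC 3507, returning 204 No Content when nothing was changed (which assumes the proxy advertised Allow: 204). The notice text, ISTag value and sample responses are all constructed for the example.

```python
import re

# Constructed sample notice; a real deployment would link to the ISP's own security center.
NOTICE = (b'<div id="isp-service-notice">Service Notice: this computer may be infected. '
          b'See your ISP security center for cleanup guidance.</div>')

def split_http_response(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.split(b"\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def inject_notice(raw: bytes, notice: bytes = NOTICE):
    """Return the HTML response with the notice inserted before </body>, or None to pass it through."""
    status, headers, body = split_http_response(raw)
    ctype = headers.get(b"content-type", b"")
    # Only plain, uncompressed, non-chunked HTML gets the notice; images, scripts, JSON,
    # downloads and anything gzip/chunk-encoded pass through byte-for-byte.
    if (not ctype.startswith(b"text/html") or b"content-encoding" in headers
            or b"transfer-encoding" in headers):
        return None
    m = re.search(rb"</body\s*>", body, re.IGNORECASE)
    cut = m.start() if m else len(body)          # no </body>: append at the end
    new_body = body[:cut] + notice + body[cut:]
    headers[b"content-length"] = str(len(new_body)).encode()
    head = b"\r\n".join([status] + [k + b": " + v for k, v in headers.items()])
    return head + b"\r\n\r\n" + new_body

def icap_respmod_reply(raw: bytes) -> bytes:
    """Frame the RESPMOD answer: ICAP 204 if untouched, else res-hdr plus a chunked res-body."""
    modified = inject_notice(raw)
    if modified is None:
        return b'ICAP/1.0 204 No Content\r\nISTag: "notice-v1"\r\n\r\n'
    head, _, body = modified.partition(b"\r\n\r\n")
    head += b"\r\n\r\n"
    chunked = b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"   # RFC 3507 bodies are chunked
    icap = (b'ICAP/1.0 200 OK\r\nISTag: "notice-v1"\r\n'
            b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(head))
    return icap + head + chunked

# Constructed sample origin-server responses for a flagged customer.
SAMPLE_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
               b"Content-Length: 28\r\n\r\n<html><body>hi</body></html>")
SAMPLE_PNG = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 4\r\n\r\n\x89PNG"
```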
Comcast's move is certainly a welcome one. While we imagine some security analysts will argue it doesn't go far enough, you'd have to think that any statistical erosion of botnet-infected machines has to be a good thing. As with their recent DNS Redirection push, Comcast also deserves credit for making the process entirely transparent via IETF filings. Still, you have to wonder how many infected customers will avoid the alert, given it looks a lot like the kind of phishing solicitations they're repeatedly told not to click on by the family computer nerd.
Again though, it's progress. Mega-ISP abuse departments have traditionally been slow to respond to the threat of botnets, which are used for spam, DDoS attacks, or as part of phishing operations. Over the years we've noticed a substantive disconnect between ISP executives and ISP engineers and the amount of resources each feels the problem warrants. With the continual increase in phishing scams, it's nice to see executives at the nation's largest cable company giving the problem some added funds and attention.