jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Open can of worms
So comcast is utilizing technology that can intercept browser requests and spoof responses.
Brilliant.
If they couldn't use the technology to change the ads on web pages, they'll use it "for your own good".
Also, I would like to know how they associate BOTted IPs with the IP that you're actually using right now.
jlivingood (Premium, VIP, joined 2007-10-28, Philadelphia, PA) | Re: Open can of worms
said by jjoshua: So comcast is utilizing technology that can intercept browser requests and spoof responses. Brilliant. If they couldn't use the technology to change the ads on web pages, they'll use it "for your own good".
To get the browser alert you would have needed to ignore several emails. And compared to the alternatives of say, unwittingly having your banking login or credit card numbers stolen by a key logger, unwittingly sending spam, or unwittingly participating in a DDoS attack, my personal opinion is that a browser alert is an okay thing to do.
And it is important to note that the entire web notification system has been fully and openly documented at tools.ietf.org/html/draft-living···ation-09, and that it leverages open source software and DOES NOT USE DPI. Other alternatives and the general approach have also been fully and openly documented at tools.ietf.org/html/draft-oreird···ation-09.
Furthermore, for a good topical news story about the severity of the bot problem, check out the front page of the Wall Street Journal today at online.wsj.com/article/SB1000142···ageone_0 -- which describes how the Zeus botnet was used to steal millions of dollars from banking accounts.
Lastly, you raised a question concerning ad insertion that I want to very directly address. Please refer to tools.ietf.org/html/draft-living···ation-09 in Section 3.1.12 which says the following and should make clear our position on the matter:
Advertising Replacement or Insertion Must Not Be Performed Under ANY Circumstances
Additional Background: The system must not be used to replace any advertising provided by a website, or to insert advertising into websites. This therefore includes both cases where a web page already has space for advertising, as well as cases where a web page does not have any advertising. This is a critical area of concern for end users, privacy advocates, and other members of the Internet community. Therefore it must be made abundantly clear that this system will not be used for such purposes.
-- JL Comcast
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Re: Open can of worms
said by jlivingood: And compared to the alternatives of say, unwittingly having your banking login or credit card numbers stolen by a key logger, unwittingly sending spam, or unwittingly participating in a DDoS attack, my personal opinion is that a browser alert is an okay thing to do.
My opinion is that it's not. Supply the pipe and stay out of the security business.
BTW, your own TOS say so.
In all cases, you are solely responsible for the security of any device you choose to connect to the Service, including any data stored or shared on that device. Comcast recommends against enabling file or printer sharing unless you do so in strict compliance with all security recommendations and features provided by Comcast and the manufacturer of the applicable file or printer sharing devices. Any files or devices you choose to make available for shared access on a home LAN, for example, should be protected with a strong password or as otherwise appropriate.
It is also your responsibility to secure the Customer Equipment and any other Premises equipment or programs not provided by Comcast that connect to the Service from external threats such as viruses, spam, bot nets, and other methods of intrusion.
jlivingood (Premium, VIP, joined 2007-10-28, Philadelphia, PA) | Re: Open can of worms
said by jjoshua: My opinion is that it's not. Supply the pipe and stay out of the security business.
While I respect your opinion, one user's lack of security now can affect many, many other users.
-- JL Comcast
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Re: Open can of worms
said by jlivingood: said by jjoshua: My opinion is that it's not. Supply the pipe and stay out of the security business. While I respect your opinion, one user's lack of security now can affect many, many other users.
Next time, try to design your networks so it doesn't.
vpoko (Premium, joined 2003-07-03, Boston, MA) | Re: Open can of worms
said by jjoshua: Next time, try to design your networks so it doesn't.
It's really not accurate to blame that on Comcast. As long as the internet allows TCP/IP endpoints to reach each other, one user's lack of security is going to have a potential impact on other users, especially if those other users aren't using precautions like firewalls.
chimera (joined 2009-06-09, Washington, DC)
From what I can tell that's exactly what they are trying to do now. The alternative to this sort of message is just knocking the user offline for good and that doesn't actually help users resolve infection issues when they need tools from the internet to do so.
patcat88 (joined 2002-04-05, Jamaica, NY) | Re: Open can of worms
said by chimera: From what I can tell that's exactly what they are trying to do now. The alternative to this sort of message is just knocking the user offline for good and that doesn't actually help users resolve infection issues when they need tools from the internet to do so.
You get blocked and are told to dial your ISP's CS 800 number or something similar and then through the IVR after listening to a script you can unblock your internet connection. If you don't fix it you get more emails until again you're blocked and you have to unlock your connection through the IVR.
[poster name not captured] | Re: Open can of worms
As a Comcast user, I would personally prefer a telephone call or restriction to a walled garden until I call in vs intercepting my web traffic and doing any kind of insertion into it.
You'll never get me by email as I don't use Comcast as an email service provider.
What we're saying here is 'responsible network management' allows us to intercept and inject into traffic. I wonder what the next 'responsible network management' leveraging this established practice would entail.
I support Comcast trying to do something about the bots on its network, but to resort to hacking the data stream isn't the right way to go about it when there are better solutions available. It doesn't matter if you use Open Source methods to perform the hack, it's still a hack into a private data stream.
Just how does this affect web updates via http port 80 using WGET requests?
If moving to production, shouldn't the documents move out of draft status?
tubbynet (reminds me of the danse russe; Premium, MVM, joined 2008-01-16, Chandler, AZ) | Re: Open can of worms
said by jjoshua: said by jlivingood: said by jjoshua: My opinion is that it's not. Supply the pipe and stay out of the security business. While I respect your opinion, one user's lack of security now can affect many, many other users. Next time, try to design your networks so it doesn't.
i'd suggest you take this up with some of the largest carriers in the world then -- att, verizon, level(3), teliasonera, ntt, globalcrossing, etc. botnets affect everybody (in fact, there have been several times where dslr has been hit by a ddos from a botnet). these attacks are sourced from customer networks (i.e. your lec's and mso's) and attack financial, government, and commercial enterprise networks alike. no one wins from this -- from increased congestion at the node level, increased transit at the carrier end, heavy utilization on routing gear (depending on the type of attack and where its destination is), and the possible breach of security if the botnet is used to exploit holes within networks with personal information.
comcast is being open and honest regarding their policies, documenting everything with the ietf. of course -- the simple answer is -- if you don't want to see browser injection, don't get pwned in the first place. seems simple, eh?
q. -- "...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Re: Open can of worms
said by tubbynet: botnets affect everybody (in fact, there have been several times where dslr has been hit by a ddos from a botnet). these attacks are sourced from customer networks (i.e. your lec's and mso's) and attack financial, government, and commercial enterprise networks alike.
I'm not an expert on botnets and ddos attacks. But from what I've read, I think that a very reasonable and relevant thing to do would be to detect and drop all malformed and/or forged packets at the customer's node. If a node with a specific IP is sending out packets with a forged IP, then there's no better place to stop it.
Why don't we see this type of filtering? Wouldn't this be a good solution to a very specific problem? Is there ever a case where a malformed or forged packet is good?
tubbynet (reminds me of the danse russe; Premium, MVM, joined 2008-01-16, Chandler, AZ) | Re: Open can of worms
said by jjoshua: I'm not an expert on botnets and ddos attacks. But from what I've read, I think that a very reasonable and relevant thing to do would be to detect and drop all malformed and/or forged packets at the customer's node. If a node with a specific IP is sending out packets with a forged IP, then there's no better place to stop it.
well -- you can't do anything at a "node". this is simply a device that turns the fiber connection into something that can run to the customer's house (i.e. coax). this is simply a passive device. anything that has to happen must occur once it hits a network layer device -- the cmts or some of the ingress routers after the cmts.
additionally -- where are you malforming the packets? who says that a ddos is a malformed anything? they can be as simple as a crafted icmp traceroute packet that expires on a router hop. nothing malformed about that. if you're talking about malformed at the upper layers (osi 5-7), then you're looking at inspecting application data for every single packet on ingress to comcast's network and analyzing them against a database of *everything* that could occur. i'm not sure you'd appreciate the performance hit. how jason is proposing to look at the packets can be performed at wire-speed (or very near it) and will not cause a significant performance hit on the ingress devices on their network.
q.
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Re: Open can of worms
Node was possibly not the correct term. Perhaps the cable modem itself would be better.
Would it be hard to drop all packets with forged source addresses? It's clearly not going to stop all ddos attacks but it's going to do more than a notification system that doesn't do anything.
tubbynet (reminds me of the danse russe; Premium, MVM, joined 2008-01-16, Chandler, AZ) | Re: Open can of worms
said by jjoshua: Node was possibly not the correct term. Perhaps the cable modem itself would be better.
cable modems are pretty stupid in that regard. to get any real intelligence -- you're going to need to have an ingress policy on the provider's kit.
said by jjoshua: Would it be hard to drop all packets with forged source addresses? It's clearly not going to stop all ddos attacks but it's going to do more than a notification system that doesn't do anything.
the addresses may or may not be forged. that's the difficulty. in the earlier days, this may have been the case to give the providers a difficult time to mitigate the dos -- to make it look like it was coming from all over when it was really just a specific location/carrier/netblock/etc. the leading "d" in "ddos" stands for distributed. the issue is that when you start creating policies as a provider that drop traffic from netblocks that are causing grief -- is that when you've got 10,000 different ip's in many different blocks, you start blackholing *all* traffic. obviously, the simple solution would seem to be to just block individual ip addresses, but this becomes cumbersome because they are (a) always fluctuating (b) access-lists on carrier gear have limits, especially if you expect any high-speed transmission. there are optimization techniques that can be used, but the box will take a *major* hit -- if not puke all over itself -- when you make it handle acl's that are 10k-20k lines long. it just won't work.
q.
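A constructed illustration of the trade-off tubbynet describes above (added here; it is not code from anyone in this thread): it starts from individual offending addresses, merges them into covering prefixes only as far as needed to fit a fixed ACL entry budget, and counts how many non-offending addresses the shortened list would also blackhole. The offender list, the budgets and the prefixes are made-up values.

```python
"""Collateral damage from squeezing a per-address blocklist into a fixed ACL budget.

Added example, not from anyone in the thread. The offender list and the entry
budgets below are constructed values (documentation ranges only).
"""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def _common_supernet(a: Net, b: Net) -> Net:
    """Smallest prefix that contains both a and b (a and b are sorted neighbours)."""
    s = a
    while not b.subnet_of(s):
        s = s.supernet(prefixlen_diff=1)
    return s


def summarise_blocklist(offenders: Iterable[str], max_entries: int) -> Tuple[List[Net], int]:
    """Merge individual addresses into prefixes until at most max_entries remain.

    Each round picks the merge of two neighbouring entries whose covering prefix
    pulls in the fewest innocent addresses, so the list shrinks as gently as
    possible. Returns (prefix_list, collateral), where collateral is the number
    of addresses in the final list that were never on the offender list.
    """
    unique = {ipaddress.ip_network(ip) for ip in offenders}   # /32 per address
    nets = sorted(ipaddress.collapse_addresses(unique))       # adjacent /32s merge for free
    while len(nets) > max_entries and len(nets) > 1:
        best = None
        for a, b in zip(nets, nets[1:]):
            s = _common_supernet(a, b)
            inside = [n for n in nets if n.subnet_of(s)]
            cost = s.num_addresses - sum(n.num_addresses for n in inside)
            if best is None or cost < best[0]:
                best = (cost, s, inside)
        _, s, inside = best
        nets = sorted(ipaddress.collapse_addresses([n for n in nets if n not in inside] + [s]))
    covered = sum(n.num_addresses for n in nets)
    return nets, covered - len(unique)


# Constructed: 16 consecutive bot addresses in one /24 and 4 scattered ones in another.
OFFENDERS = [f"198.51.100.{i}" for i in range(16)] + \
            [f"203.0.113.{i}" for i in (0, 64, 128, 192)]


def demo() -> None:
    for budget in (10, 3, 1):
        nets, collateral = summarise_blocklist(OFFENDERS, budget)
        print(f"budget {budget:2}: {len(nets)} entries, {collateral} innocent addresses "
              f"also blocked: {', '.join(str(n) for n in nets)}")


if __name__ == "__main__":
    demo()
```

With a budget of one entry the only prefix that still covers both /24s is 192.0.0.0/4, which is the "blackholing all traffic" outcome the post describes.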
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Re: Open can of worms
said by tubbynet: the issue is that when you start creating policies as a provider that drop traffic from netblocks that are causing grief -- is that when you've got 10,000 different ip's in many different blocks, you start blackholing *all* traffic.
I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.
tubbynet (reminds me of the danse russe; Premium, MVM, joined 2008-01-16, Chandler, AZ) | Re: Open can of worms
said by jjoshua: I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.
i do. hence this post above -- Re: Open can of worms
cable modems are pretty stupid in that regard. to get any real intelligence -- you're going to need to have an ingress policy on the provider's kit.
it's not easy to do.
q.
vpoko (Premium, joined 2003-07-03, Boston, MA)
said by jjoshua: I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.
And which type of malicious traffic is that?
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Re: Open can of worms
said by vpoko: said by jjoshua: I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination. And which type of malicious traffic is that?
I was thinking about ICMP flood.
tubbynet (reminds me of the danse russe; Premium, MVM, joined 2008-01-16, Chandler, AZ) | Re: Open can of worms
said by jjoshua: I was thinking about ICMP flood.
what about tcp syn flooding? crafted sql, rpc, etc. attacks? a botnet isn't just icmp flooding. that is one fraction of *all* botnet attacks that are out there.
q.
vpoko (Premium, joined 2003-07-03, Boston, MA) | Re: Open can of worms
said by tubbynet: said by jjoshua: I was thinking about ICMP flood. what about tcp syn flooding? crafted sql, rpc, etc. attacks? a botnet isn't just icmp flooding. that is one fraction of *all* botnet attacks that are out there.
Not to mention, how do you decide what's a ping flood? Repeated pings become a DoS attack when the bandwidth of the target is less than the aggregate bandwidth of the source(s) of the attack. I've had occasion to need to run continuous pings on known endpoints (say, Google) while testing for intermittent connection issues. Even though I may have sent thousands of ICMP packets in a short time, it was not an attack.
Ping floods are generally only effective when they're distributed, and if they're distributed then you can't tell just by looking at a single source, whether it's an attack.
jjoshua, I suggest you hit the books and learn about networking instead of trying to debate something you don't know much about.
tubbynet (reminds me of the danse russe; Premium, MVM, joined 2008-01-16, Chandler, AZ) | Re: Open can of worms
said by vpoko: Ping floods are generally only effective when they're distributed, and if they're distributed then you can't tell just by looking at a single source, whether it's an attack.
yes. this is true. however, ping attacks are generally considered "old school". they still occur, but there are much better icmp attacks that affect the route processor much more effectively. these attacks not only cause the processor utilization to spike, but will effectively break control-plane processing (a) limiting the access that a network operations center has to the device and (b) break the control plane of the router such that igp and bgp sessions could be broken and may have to wait in queue until the processor can process the neighbor adjacency packets again.
of course -- this whole argument has been network centric. different issues apply when dealing with end-host protection of servers and applications clusters.
q.
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ)
Is it not the case that these packets all have forged source IPs?
tubbynet (reminds me of the danse russe; Premium, MVM, joined 2008-01-16, Chandler, AZ) | Re: Open can of worms
said by jjoshua: Is it not the case that these packets all have forged source IPs?
no. what would make them be forged? that's the point of a *distributed* attack. the ips are not forged -- they are the actual source ip address of the computer being pwned (or the address of the nat'ing router). nothing about a botnet or ddos stipulates that the packets have a forged or spoofed source address. the sheer problem with a distributed attack is that there is no *clean* way to ensure all evil traffic is blocked while all good traffic is passed -- the sheer numbers of ip addresses and netblocks makes it impossible to do so. there are knobs that are provided by major manufacturers of network gear to minimize the collateral damage -- but nothing is perfect (as can be referenced by the major carrier mailing lists, such as nanog, c-nsp, and j-nsp).
q.
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Re: Open can of worms
I guess that even wikipedia is wrong: en.wikipedia.org/wiki/Denial-of-···e_attack
If you're telling me that my ideas suck, then what do you propose?
Firewalls keep out intruders but what can we do to enhance them to detect when we are sending out malicious traffic?
Think big. Could firewalls all work with each other to identify similar malicious traffic and then filter the offenders?
tubbynet (reminds me of the danse russe; Premium, MVM, joined 2008-01-16, Chandler, AZ) | Re: Open can of worms
it's not wrong -- there are multiple variations of a ddos attack. sure -- the addresses can be spoofed, but there are a lot of knobs available that allow a provider to drop this weird traffic (i.e. inbound to your own autonomous system, sourced with your own netblock address; as_path lists not correlating; etc.). these knobs prevent a good share of this traffic on a properly configured edge ingress router.
said by jjoshua: If you're telling me that my ideas suck, then what do you propose?
they don't *suck*. they lack information on what is out there and what is being done to prevent ddos and botnets now. if cable modems become more intelligent -- your idea could work. however, there will always be the tinfoil hat crowd that wants all traffic unfiltered -- ignoring the fact that with personal freedom comes personal responsibility. it is the job of the provider/carrier to manage traffic in the best way possible to enhance the experience of all customers. i am for intelligent and transparent network management, whether that be placed on the customer or the carrier.
said by jjoshua: Firewalls keep out intruders but what can we do to enhance them to detect when we are sending out malicious traffic?
they can -- and many do. my personal web gateway device is a cisco 2821 isr. it's running a sizeable chunk of ips/ids definitions that inspect traffic inbound and outbound. i've put similar appliances in customer networks (ips 4200-series from cisco) and have also done a smaller "ips card" for a cisco asa5500-series firewall in smaller customer sites. these devices update definitions and allow granular selection of exploits to be tracked and the actions taken on each definition. the issue is that these devices are (a) often complex to set up (b) require the customer to understand the exploits and what is needed or not (or pay a contractor to manage this device for them) and (c) balance the security requirements with the performance hit (only a worry in high-speed networks). additionally, this is not something that is always going to "drop in" to a customer network -- especially due to the cost and care needed in configuration. sure -- something like this could be dropped into a cable modem, but would you want to pay upwards of $800+ for your previously $50 motorola cable modem?
said by jjoshua: Could firewalls all work with each other to identify similar malicious traffic and then filter the offenders?
yes -- but then you have to establish policy and trust zones between customers, providers, and transit carriers. while many of the aforementioned entities have similar goals when it comes to internet access -- the specifics on policy may not line up. additionally, if you have fractured trust zones, you open the door for traffic to slip through the cracks. it comes down to a "gentleman's" agreement that everyone does what they need or deem appropriate and if those policies are not followed, mitigation in the best way possible must be done. this is why it often takes time for the interwebs to calm down in a given sector after some sort of ddos/botnet attack.
it's not a clear cut problem to solve. this is why i applaud comcast in providing a transparent solution to an issue that affects us all in some way or another; they are trying to take a step in the right direction.
q.
[edit] having trouble typing today. apparently.
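An added example (not Comcast's code and not from the IETF drafts linked earlier in the thread) of the edge-ingress knobs tubbynet mentions: a simulated provider router that drops a packet arriving on a customer port whose source lies outside that port's assigned prefixes, and drops a packet arriving from transit that claims a source inside the provider's own netblocks. Interface names, prefixes and the sample packets are constructed; the "forward" case for a bot sending with its real address is left in on purpose, since that is the limitation the rest of the thread is about.

```python
"""Simulated edge-router source-address validation (BCP38 / strict uRPF style).

Added example, not code from Comcast or from the drafts cited in the thread.
Topology, interface names and packets below are constructed for illustration
and use documentation address ranges only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # claimed source address
    dst: str          # destination address


# Constructed: customer-facing interfaces and the prefixes assigned behind each.
CUSTOMER_PREFIXES = {
    "cmts0/1": [ipaddress.ip_network("203.0.113.0/26")],
    "cmts0/2": [ipaddress.ip_network("203.0.113.64/26")],
}
TRANSIT_IF = "xe-0/0/0"   # constructed: link towards an upstream carrier
# Everything this provider announces; it must never appear as a source from transit.
OWN_SPACE = [p for plist in CUSTOMER_PREFIXES.values() for p in plist]


def _in_any(addr: ipaddress.IPv4Address, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def ingress_verdict(pkt: Packet) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one packet at the ingress edge."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress_if in CUSTOMER_PREFIXES:
        # Customer port: only that port's own prefixes are acceptable sources.
        # A bot that sends with its real assigned address passes this check;
        # the filter stops spoofing, not the infection itself.
        if _in_any(src, CUSTOMER_PREFIXES[pkt.ingress_if]):
            return "forward", "source within customer prefix"
        return "drop", "spoofed source on customer port"
    if pkt.ingress_if == TRANSIT_IF:
        # Transit port: our own address space cannot legitimately arrive from outside.
        if _in_any(src, OWN_SPACE):
            return "drop", "own netblock sourced from transit"
        return "forward", "external source on transit port"
    return "drop", "unknown ingress interface"


def filter_packets(pkts: List[Packet]) -> List[Tuple[Packet, str, str]]:
    return [(p, *ingress_verdict(p)) for p in pkts]


# Constructed sample traffic.
SAMPLE = [
    Packet("cmts0/1", "203.0.113.10", "198.51.100.5"),   # legitimate customer source
    Packet("cmts0/1", "203.0.113.70", "198.51.100.5"),   # another port's address, spoofed
    Packet("cmts0/1", "192.0.2.9", "198.51.100.5"),      # external address, spoofed
    Packet("xe-0/0/0", "192.0.2.9", "203.0.113.10"),     # normal inbound from transit
    Packet("xe-0/0/0", "203.0.113.70", "203.0.113.10"),  # our own space arriving from outside
]

if __name__ == "__main__":
    for pkt, action, why in filter_packets(SAMPLE):
        print(f"{pkt.ingress_if:9} {pkt.src:>14} -> {pkt.dst:<14} {action:7} ({why})")
```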
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Re: Open can of worms
This part of the discussion got a little bit off topic. However, I think that I was correct when I suggested that comcast COULD build a network where one user's lack of security wouldn't affect other users.
It might require additional technology and resources but it could be done. Thanks for helping me to make my point.
tubbynet (reminds me of the danse russe; Premium, MVM, joined 2008-01-16, Chandler, AZ) | Re: Open can of worms
said by jjoshua: This part of the discussion got a little bit off topic. However, I think that I was correct when I suggested that comcast COULD build a network where one user's lack of security wouldn't affect other users.
you seem to think that comcast operates in a vacuum. this is not the case. what you are suggesting would take a huge cooperative effort between a large number of carriers and providers. even then -- it would not be foolproof and there are many other issues that plague a carrier that would cause something like this to be an issue. in my mind -- you are making a huge deal over something comcast is trying to handle with this system. however, if every problem begins to look like a nail....
q.
patcat88 (joined 2002-04-05, Jamaica, NY)
said by jjoshua: I'm not an expert on botnets and ddos attacks. But from what I've read, I think that a very reasonable and relevant thing to do would be to detect and drop all malformed and/or forged packets at the customer's node. If a node with a specific IP is sending out packets with a forged IP, then there's no better place to stop it. Why don't we see this type of filtering? Wouldn't this be a good solution to a very specific problem? Is there ever a case where a malformed or forged packet is good?
Key words, "not an expert", not all traffic can be defined as malicious by any algorithm. A slow normal amount of activity from 1 node towards a website, times 100000 can bring a small to medium site offline instantly. Also algorithmic weaknesses in PHP/ASP/dynamic page generation based website (nearly all sites today) can grind a server to a halt by doing DB heavy things over and over in a loop.
jlivingood (Premium, VIP, joined 2007-10-28, Philadelphia, PA)
said by jjoshua: Next time, try to design your networks so it doesn't.
You may want to tell that to the folks who designed the Internet. The problem of bots does not apply only to the Comcast network - it is a massive, global problem.
-- JL Comcast
[poster name not captured] | Re: Open can of worms
darn our government is to be blamed again EGAD batman!
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ)
said by jlivingood: You may want to tell that to the folks who designed the Internet. The problem of bots does not apply only to the Comcast network - it is a massive, global problem.
Al Gore?
Now I'm confused. You are trying to fix the entire internet?
My point was that a bad user on your network should not be affecting a good user on your network.
No user, knowingly or unknowingly, should be able to affect another user.
tubbynet (reminds me of the danse russe; Premium, MVM, joined 2008-01-16, Chandler, AZ) | Re: Open can of worms
said by jjoshua: My point was that a bad user on your network should not be affecting a good user on your network.
this is why they're going through the mitigation process and why they are trying to stop all botnet traffic from subscribers through the process outlined in the links provided by jason.
q.
vpoko (Premium, joined 2003-07-03, Boston, MA)
said by jjoshua: My point was that a bad user on your network should not be affecting a good user on your network. No user, knowingly or unknowingly, should be able to affect another user.
What the heck are you talking about? If a user can send packets to another user, then they can affect that user. Depending on what software is on the receiving end of those packets, it can be something pretty nasty. It doesn't even matter if both users are on the same ISP's network, the vector here is TCP/IP.
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Re: Open can of worms
said by vpoko: If a user can send packets to another user, then they can affect that user.
Obviously. I'm talking about the case where "A"'s service should not be affected if "B" is attacking "C".
vpoko (Premium, joined 2003-07-03, Boston, MA) | Re: Open can of worms
said by jjoshua: said by vpoko: If a user can send packets to another user, then they can affect that user. Obviously. I'm talking about the case where "A"'s service should not be affected if "B" is attacking "C".
Yes, then shared vs. dedicated capacity makes a difference, but the real focus here is protecting "C", who is being attacked by "B", who doesn't even know that he's attacking anyone because his computer is infected.
jjoshua (Premium, joined 2001-06-01, Scotch Plains, NJ) | Re: Open can of worms
said by vpoko: Yes, then shared vs. dedicated capacity makes a difference, but the real focus here is protecting "C", who is being attacked by "B", who doesn't even know that he's attacking anyone because his computer is infected.
I think that you hit the nail on the head with the first part of your statement.
[poster name not captured]
said by jjoshua: said by jlivingood: said by jjoshua: My opinion is that it's not. Supply the pipe and stay out of the security business. While I respect your opinion, one user's lack of security now can affect many, many other users. Next time, try to design your networks so it doesn't.
Yes, make it so it doesn't. Just block all traffic if a bot is detected.
fiberguy (My views are my own.; Premium, joined 2005-05-20)
said by jjoshua: said by jlivingood: said by jjoshua: My opinion is that it's not. Supply the pipe and stay out of the security business. While I respect your opinion, one user's lack of security now can affect many, many other users. Next time, try to design your networks so it doesn't.
HOLY CRAP! Are you serious? "Stay out of packets..." now "design your network so it doesn't"...
You speak a lot, and a lot comes out, but you want to put some meat behind your statements?
Just remember, you, and every user, is a GUEST on the network that IS the ISP's..
I'm 110% behind Comcast on this one. And any other ISP that would take efforts, that quite honestly, the end user should be doing, and not enough of actually do.
Fluker (joined 2005-04-07, West Lafayette, IN)
You can't design a network that simply by design, is able to mitigate bandwidth-sopping DOS and spambots.
I mean, if the network gets congested because 20% of people are unwittingly contributing towards spam mail, is comcast supposed to spend money upgrading the network to facilitate more spam?
I say do it the way Qwest does. Users with bots on their computer will cause the connection to get sandboxed until the problem is cleaned up.
zed2608 (Premium, joined 2007-09-30, Cleveland, TN) | Re: Open can of worms
another thing i just thought of is bots will probably just adapt; someone will come up with one to hide the browser alert and delete the emails before they are even read
dfxmatt (name taken from jjoshua's reply below; profile line not captured)
where do you come up with this?
just because they can make sure you can't see what's being transmitted across the internet doesn't mean it's their job, nor are they trying to, secure your own pc. You are the kind of person who's essentially telling folks that are trying to help you, that they're doing a bad job. way to go.
If you do something stupid (and I guarantee you do, given how you troll the forums), and get infected, how is it comcast's fault? You're the one that chose to allow your system to get infected. They don't just magically get infected randomly. Linux, Windows, Android, IOS, no operating system is created already infected.
also the "try to design your networks so it doesn't"? They already do this in two forms. 1 is called: they watch for situations where people are spamming or botting, and 2 is called: what they are rolling out now with a browser warning. With PC's fast enough (and without a trillion toolbars), it's entirely possible that people's systems will be completely pwned without them realizing it.
Do you know how many people don't even know about netstat -b? That alone is huge, but people don't even know to go to the command line first.
TLDR: users are stupid and comcast is providing a reasonable solution without doing anything crazy.
JLivingood, good job on this. I know you guys are doing what you can. Personally I think you should do browser notification first and if not fixed within 3-4 times they get a call instead. That would be good customer service. Most people don't read the email address they gave to comcast or even want to give them one. Why would I want a @comcast email address? I gave you one so that I don't have to read it.
|
jjoshua Premium join:2001-06-01 Scotch Plains, NJ kudos:3 | Re: Open can of worms said by dfxmatt: You are the kind of person who's essentially telling folks that are trying to help you that they're doing a bad job. way to go. Trying to help by using HTML injection? No thanks.
The issue is trust factor with Comcast. What they are doing here is deciding what traffic they deem is harmful or suspect at the packet destination IP, making an assumption of what's installed on your machine, then performing an injection attack against your machine's web traffic from sites that have no connection to the issue at all.
Once this practice is established and accepted, when does the IP address list start coming from the MPAA or any other faux consortium?
Perhaps that's just too tin-foil-hat, but I don't feel it's outside the realm of seeing the slippery slope that it is.
I do believe it's good to try to get rid of the bots. I don't like their implementation and feel it should be opt-in or at the very least.. opt-out.
I am going to have to say I agree with him.
Comcast should concentrate on being what they really are: a dumb pipe. Just provide the DHCP service and route packets as fast as you possibly can. The rest isn't your business.
fiberguy (My views are my own.) Premium join:2005-05-20 kudos:3 | You guys all crack me up... and BBR really needs to get its collective minds together...
At some points in history, it's the ISP's responsibility to stop virus attacks and stop being the conduits that spread them... many people have LONG said that the ISP should disconnect those people spreading worms, etc... now that there is an ISP stepping up to INFORM people that their computers are in fact compromised, it's "hands off my computer"..
Sorry, and to be honest, I'm all for an ISP actually BLOCKING and BOOTING users who have infected, compromised, or otherwise healthy computers from THEIR network.
The lack of ability for some people to keep their computers protected should not be my problem in defending myself FROM them.
bsoft join:2004-03-28 Boulder, CO | Re: Open can of worms Actually, my one complaint with Comcast's new approach is that it doesn't go far enough.
Set docsDevResetNow on your CM and then push a walled garden config once it reboots. The walled garden can tell you why you were disconnected and provide Comcast's AV software for download.
I know that this is "inconvenient", but if you are a part of a botnet your connection needs to be disconnected NOW, not allowed to continue DDOSing/spamming/etc.
fiberguy (My views are my own.) Premium join:2005-05-20 kudos:3 | Re: Open can of worms said by bsoft: I know that this is "inconvenient", but if you are a part of a botnet your connection needs to be disconnected NOW, not allowed to continue DDOSing/spamming/etc. BING-O!
knightmb (Everybody Lies) join:2003-12-01 Franklin, TN 1 edit | said by jlivingood: said by jjoshua: So comcast is utilizing technology that can intercept browser requests and spoof responses. Brilliant. If they couldn't use the technology to change the ads on web pages, they'll use it "for your own good". To get the browser alert you would have needed to ignore several emails. And compared to the alternatives of say, unwittingly having your banking login or credit card numbers stolen by a key logger, unwittingly sending spam, or unwittingly participating in a DDoS attack, my personal opinion is that a browser alert is an okay thing to do. And it is important to note that the entire web notification system has been fully and openly documented at »tools.ietf.org/html/draft-living···ation-09, and that it leverages open source software and DOES NOT USE DPI. Other alternatives and the general approach have also been fully and openly documented at »tools.ietf.org/html/draft-oreird···ation-09. Furthermore, for a good topical news story about the severity of the bot problem, check out the front page of the Wall Street Journal today at »online.wsj.com/article/SB1000142···ageone_0 -- which describes how the Zeus botnet was used to steal millions of dollars from banking accounts. Lastly, you raised a question concerning ad insertion that I want to very directly address. Please refer to »tools.ietf.org/html/draft-living···ation-09 in Section 3.1.12 which says the following and should make clear our position on the matter: Advertising Replacement or Insertion Must Not Be Performed Under ANY Circumstances Additional Background: The system must not be used to replace any advertising provided by a website, or to insert advertising into websites. This therefore includes both cases where a web page already has space for advertising, as well as cases where a web page does not have any advertising.
This is a critical area of concern for end users, privacy advocates, and other members of the Internet community. Therefore it must be made abundantly clear that this system will not be used for such purposes.
As someone who runs two separate ISPs, I can give some useful and expensive advice (for free no less) on this. First, after reading all the info I could find in your links, this won't work.
Mainly because most of the stuff you are doing is easy to block by bot operators, and the fact that it's all out there for anyone to read kind of defeats the purpose. It's great that you want to stop bot operators, actually wonderful, but this way to go about it, as far as the final steps of trying to get the message to the user (if e-mail doesn't work), has been tried many times and unfortunately doesn't work as well as you would think.
First obstacle is the new IE that Microsoft released is going to mess up a lot of that because they put such paranoid protection features into it. IE 9 isn't going to be much better.
Second is, once again, the message insertion. E-mails are one thing, but the first sue-happy troll that finds out you inserted any message on their website will just tie up Comcast in court. Comcast probably has a powerful legal team, but not an invincible legal team. Someone is going to injunction you to stop the service and thus kind of defeat the whole purpose of it. Mainly because now you will be assigning Trojan/virus blame to the website that user was on. The non-technical user's first reaction is going to be "blame the site" because "I was at Google and I got a message that my system had a virus, it must have come from Google!!!"
The best advice I can give is the notification part. Try to contact the user in non-invasive ways and you'll get plenty of gold stars. Otherwise, as you've read, there is already resistance to this and it's not even through the wringer yet. I know this isn't directed at you, but pass the info up the chain and hopefully someone at the top will listen. -- Fight Insight Ready (Was NebuAD) and the like: Click Here to pollute their data
Can I ask why not just call if there is a problem?
vpoko Premium join:2003-07-03 Boston, MA | Re: Open can of worms I assume cost is part of the equation, though if they did it with auto-dialers it might be more reasonable (though still more expensive than a pop-up). I'm not sure which I'd find more intrusive, though; I almost prefer the pop-up.
Re: Open can of worms I guess I understand the cost. I would rather get a call or letter from Comcast.. stamps and/or a few minutes of a rep's time can't cost that much considering what we all pay for service every month, but I don't know.
Messing with web pages has a disadvantage in that it may be a potential magnet for phishers to emulate the Comcast guard behavior that everyone now knows exists and use it as an excuse to obtain customer data.
I'd rather get a letter from Comcast due to my hearing impairment. Besides, this will not work for the people who are deaf. -- Wirelessly controlling my lights and appliances with Z-Wave, C#, and the Mono Project in Ubuntu Server 10.04!
joshub | So if I document the steps to tamper with the HTML that passes through my network, it's perfectly OK to do so because I've openly documented it first?
jlivingood Premium,VIP join:2007-10-28 Philadelphia, PA kudos:1 | Re: Open can of worms said by joshub: So if I document the steps to tamper with the HTML that passes through my network, it's perfectly OK to do so because I've openly documented it first? You do realize that ICAP is already an RFC? We're only leveraging something (ICAP) that is already documented and we're explaining clearly how we're doing that. A good way to avoid getting the notice is to (1) not get infected with malware and (2) if you have been and received emails from us, not ignore the emails. -- JL Comcast
Re: Open can of worms So in your logic, spammers are perfectly OK because they are leveraging RFC 821?
How do you know the person is infected?
What you're using is a standard, and would be perfectly acceptable for, say, a business to use internally, but you're injecting Java into a user's private data stream from another company that you may not have anything to do with. And we're assuming that your detection methods are so sure a false positive would never occur.
Good thing for Firefox and NoScript (not that I believe I have anything to worry about). But it's nice to know Comcast is monitoring my traffic as much as they are.
zed2608 Premium join:2007-09-30 Cleveland, TN kudos:1 | personally i don't like it. would prefer DPI method since i understand it more and it would likely catch more bad stuff. this method seems rather inefficient and likely bad guys will come up with a way to bypass it
the only way this will ever work is a DPI based system. regardless i don't like it
tubbynet (reminds me of the danse russe) Premium,MVM join:2008-01-16 Chandler, AZ kudos:1 | Re: Open can of worms said by zed2608: personally i don't like it. would prefer DPI method since i understand it more and it would likely catch more bad stuff. this method seems rather inefficient and likely bad guys will come up with a way to bypass it. the only way this will ever work is a DPI based system. regardless i don't like it. i've added emphasis. the intent of the emphasis is an exercise best left to the reader.
q. -- "...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
damox Premium join:2002-01-07 Olympia, WA | Well I am all for it. I do not think I've ever been infected here at home, but one never knows. I would appreciate it if Comcast is monitoring infectious behavior, because it affects Comcast users' bandwidth. Thanks Comcast! -- DAMOX
jlivingood Premium,VIP join:2007-10-28 Philadelphia, PA kudos:1 | said by jjoshua: Also, I would like to know how they associate BOTted IPs with the IP that you're actually using right now. Our DHCP servers hand out IP addresses and the proper DNS IPs when an account is authorized for service. Thus, a correlation exists between IP address and account. So, for example, if we saw your IP address associated with the bot 10 minutes ago, we'd be able to then send an email to the email address in your account informing you of this. -- JL Comcast
dagg join:2001-03-25 Galt, CA 1 edit | Re: Open can of worms ignore this comment
axus join:2001-06-18 Washington, DC | Preferable to internet service being disconnected without notification. Cheaper and less creepy than sending a man to knock on your door at 9PM.
It violates network neutrality, but it's not hurting anyone. The right thing to do is probably make it "opt-in", but I'm not going to criticize them for using bad means to a good end.
Let's not pillory Comcast until they start stalling your packets or inserting advertisements into your web pages.
jlivingood Premium,VIP join:2007-10-28 Philadelphia, PA kudos:1 1 edit | Re: Open can of worms said by axus: It violates network neutrality, but it's not hurting anyone. I appreciated your other supportive comments. But I'm not sure I understand your feeling that this somehow violates NN?
I just looked at the Open Internet Coalition's website at »www.openinternetcoalition.com
They list these:
(1) ...may not prevent any of its users from sending or receiving the lawful content of the user's choice over the Internet.
Don't see an issue there. This system does not prevent users from sending or receiving lawful content.
(2) may not prevent any of its users from running the lawful applications or using the lawful services of the user's choice
Don't see an issue there. This system does not prevent users from running lawful applications of their choice.
(3) may not prevent any of its users from connecting to and using on its network the user's choice of lawful devices that do not harm the network.
Don't see an issue there. This system does not prevent users from using the devices of their choice.
(4) may not deprive any of its users of the user's entitlement to competition among network providers, application providers, service providers, and content providers.
Don't see an issue there. This system is not anti-competitive in any way.
(5) must treat lawful content, applications, and services in a nondiscriminatory manner. (proposed)
Don't see an issue there either.
(6) must disclose such information concerning network management and other practices as is reasonably required for users and content, application, and service providers to enjoy the protections specified in this part. (proposed)
Seems we've done this one pretty thoroughly... -- JL Comcast
S_engineer | Re: Open can of worms Is Comcast verifying what we already know? That the Norton Security Suite handed out to Comcast customers isn't worth a sh*t? -- BF69~~~Please stop suffocating gerbils!
tubbynet (reminds me of the danse russe) Premium,MVM join:2008-01-16 Chandler, AZ kudos:1 | Re: Open can of worms said by S_engineer: Is Comcast verifying what we already know? That the Norton Security Suite handed out to Comcast customers isn't worth a sh*t? or there are customers who, despite this being able to be acquired for free, still refuse (or are unaware they can acquire software) to be proactive in protecting themselves. this is another layer in mitigating the potential threat.
q. -- "...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
S_engineer | Re: Open can of worms Norton isn't going to help the person who's going to Russian porn sites or Caribbean poker sites. If you want to get serious about the threat, then you need to clearly identify the problem. Also, there's another reason that people don't take the Norton... that's because they've been infected while Norton was "protecting" the PC before. -- BF69~~~Please stop suffocating gerbils!
fiberguy (My views are my own.) Premium join:2005-05-20 kudos:3 | said by axus: It violates network neutrality, WHAT "network neutrality" do you speak of? I wasn't aware there was actually something called "network neutrality" other than what some people are trying to get passed into a law, and so far have failed to do.
This entire "network neutrality" statement used by many people is just about as valid as that line in the constitution that says specifically "separation between church and state" that also doesn't exist.
fldiver Premium join:1999-12-27 Jacksonville, FL | I wonder if this is why my service has SUCKED all week. Up down, up down, up down. I'd prefer that if Comcast is going to continue to raise rates, they maintain some consistent level of service.
Linklist Premium join:2002-03-03 Longport, NJ kudos:5 | Some interesting links for this service
The Constant Guard Center where the email will direct you if a problem is found: »constantguard.comcast.net/
How they determine if your system was taken over and turned into a bot system: »constantguard.comcast.net/faqs/H···ast.html
How did Comcast determine that I may have a bot?
We identify infected computers in several ways. First, we get data from reputable Internet research groups that specialize in bot identification. The data we get includes a list of Internet Protocol (IP) addresses that are infected and those that belong to bot command and control channels. Second, we look for malicious behavior exhibited by bots such as spam, distributed denial of service attacks and repeated connection requests to known command and control channels. We then aggregate this data to confirm whether one or more of your computers has been infected.
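Two posts above describe the abuse-desk side of this: jlivingood's point that a DHCP lease ties an IP address seen at a given time back to one account, and the FAQ's point that feed data is aggregated with observed behaviour before a customer is confirmed as infected. The following is an added illustration of that correlation, not Comcast's code; the lease records, sightings, field names and the one-hour corroboration window are all constructed for the example, and the feed/behaviour split mirrors the two sources the FAQ names.

```python
"""Map bot sightings to accounts via DHCP leases, then require corroboration.

Constructed example (not the ISP's code). Two edge cases it handles: an IP that
was reassigned between sightings (each sighting goes to whoever held the lease at
that instant), and a sighting with no covering lease (nobody to notify).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lease:
    ip: str
    account: str
    start: datetime   # inclusive
    end: datetime     # exclusive: at the boundary the address belongs to the new holder


@dataclass(frozen=True)
class Sighting:
    ip: str
    seen_at: datetime
    source: str       # "feed" = third-party IP list, "behaviour" = own sensors
    detail: str


# Constructed DHCP lease log: 10.0.0.5 changes hands at noon.
LEASES = [
    Lease("10.0.0.5", "acct-1001", datetime(2010, 10, 1, 0, 0), datetime(2010, 10, 1, 12, 0)),
    Lease("10.0.0.5", "acct-2002", datetime(2010, 10, 1, 12, 0), datetime(2010, 10, 2, 0, 0)),
    Lease("10.0.0.6", "acct-3003", datetime(2010, 10, 1, 0, 0), datetime(2010, 10, 2, 0, 0)),
]

# Constructed sightings: feed hits plus behaviour seen by the ISP's own sensors.
SIGHTINGS = [
    Sighting("10.0.0.5", datetime(2010, 10, 1, 11, 50), "feed", "listed as C2 client"),
    Sighting("10.0.0.5", datetime(2010, 10, 1, 11, 55), "behaviour", "SMTP burst, 400 conn/min"),
    Sighting("10.0.0.5", datetime(2010, 10, 1, 12, 5), "feed", "listed as C2 client"),
    Sighting("10.0.0.6", datetime(2010, 10, 1, 3, 0), "feed", "listed as C2 client"),
    Sighting("10.0.0.9", datetime(2010, 10, 1, 3, 0), "behaviour", "SYN flood, 2k pps"),
]


def account_for(ip, when, leases):
    """Return the account that held `ip` at `when`, or None if no lease covered it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.account
    return None


def confirmed_accounts(sightings, leases, window=timedelta(hours=1)):
    """Return {account: [(feed_detail, behaviour_detail), ...]} for accounts where a
    feed hit and independently observed behaviour fall within `window` of each other.
    A feed hit alone, or behaviour alone, is not enough to notify a customer."""
    per_account = {}
    for s in sightings:
        acct = account_for(s.ip, s.seen_at, leases)
        if acct is None:
            continue  # no lease covered that address then: log it, notify nobody
        per_account.setdefault(acct, []).append(s)

    result = {}
    for acct, events in per_account.items():
        feeds = [e for e in events if e.source == "feed"]
        behav = [e for e in events if e.source == "behaviour"]
        pairs = [(f.detail, b.detail) for f in feeds for b in behav
                 if abs(f.seen_at - b.seen_at) <= window]
        if pairs:
            result[acct] = pairs
    return result


if __name__ == "__main__":
    for acct, evidence in confirmed_accounts(SIGHTINGS, LEASES).items():
        print(acct, "->", evidence)
```

Only acct-1001 is confirmed: acct-2002 inherited the address after noon and has a feed hit but no corroborating behaviour, and acct-3003 has a feed hit alone.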
It is disappointing when I go to »constantguard.comcast.net/
I get a browser security warning in IE8 because the secure page sources insecure content.
BadNew | opt in Something invasive like this should be opt in. Glad I don't have Comcast if they are forcing this stuff on me.
Linklist Premium join:2002-03-03 Longport, NJ kudos:5 | Re: opt in said by BadNew:
Something invasive like this should be opt in. Glad I don't have Comcast if they are forcing this stuff on me. Would you prefer they just disconnect your service? For people with bots, that would be my preferred solution. That would get their attention.
dagg join:2001-03-25 Galt, CA | Re: opt in and as someone that spends my days cleaning up infected machines all day long, yes, i would prefer that identified bots get null routed.
beck Premium,MVM join:2002-01-29 On The Road kudos:1 | 6 of one, half dozen of the other While I think it is GOOD that people get rid of these things, I'm not sure on how to notify them of it.
Keep teaching people to NOT open email that is not expected (not just from those they don't know) and to run if some anti-virus stuff pops up because it's fake. I'm not sure how to resolve this. Because if we tell them "except Comcast" the scammers will be doing Comcast. The scammers are already doing Comcast emails to direct people to bad web sites or give them a trojan etc.
I don't know of a good way to notify customers other than shut them down so they finally call and then tell them. But that costs Comcast $$ for the tech and lots of being upset for the customer. Perhaps the notice has to go out in the US mail? -- Some people are like slinkies - not really good for much. But they bring a smile to your face when pushed down the stairs.
Business accounts
Is this system being launched for business accounts along with residential?
When an alert is triggered, who will it affect on my network? The person with the potential botnet or everyone on my network?
chimera join:2009-06-09 Washington, DC | Re: Business accounts It would have to, since they are all using the same external IP address unless you have multiple gateways.
newview (Ex .. Ex .. Exactly) Premium join:2001-10-01 Parsonsburg, MD kudos:1 1 edit | I stopped checking Comcast email I stopped checking my Comcast email a long time ago because Comcast keeps insisting on sending me spam about the latest, greatest "thing" they are trying to sell me on . . . even though my email preferences are set to NOT receive their marketing emails. Their Marketing Department labels EVERYTHING "service and account related" even when it's obviously an attempt to get you to BUY something.
Email Preferences: quote: I do not want to receive emails from Comcast or its partners containing offers or promotions related to Comcast and XFINITY TV, Internet and voice services. (Please note, you will continue to receive emails related to your services and account even if you opt-out of other emails.)
I have a feeling that a LOT of subscribers have done the exact same thing I have, since Comcast's Marketing Department seems to think your email account belongs to them, and they never check their Comcast email. I foresee a lot of subscribers' first clue about this new Constant Guard Bot Detection is going to be in the form of the Browser Alert.
Basically, Comcast has eroded the trust of their email recipients by constantly sending their spamvertisements to the point of subscribers ignoring any communication from Comcast. You reap what you sow.
Don't get me wrong, by and large I think this bot detection program is a "good thing" but Comcast is going to have to get the word out by different means other than email since they've destroyed that relationship for a lot of people. -- The Rules of Spam
axus join:2001-06-18 Washington, DC | Re: I stopped checking Comcast email Yes, I never check my Verizon mail. They have my gmail account, and have treated it very responsibly. I only get billing notifications and actual important service related emails. But, I've never checked my verizon.net account to know what they send there.
newview (Ex .. Ex .. Exactly) Premium join:2001-10-01 Parsonsburg, MD kudos:1 | Re: I stopped checking Comcast email said by axus: Yes, I never check my Verizon mail. They have my gmail account, and have treated it very responsibly. I only get billing notifications and actual important service related emails. But, I've never checked my verizon.net account to know what they send there. I'm glad to hear that at least one mega-ISP understands what "No Marketing Emails" means. But I would hesitate to give Comcast an additional email address to contact me, even if it were possible, simply because I do not trust the Comcast Marketing Department to NOT abuse it, as they have done in the past with my actual @comcast.net addresses. -- The Rules of Spam
DeanD | Remote Remove Can't they just connect to the victim's PC and remove the malware?
AstroBoy | Re: Remote Remove said by DeanD:
Can't they just connect to the victim's PC and remove the malware? I would hope not. If they could, and my PC had issues, Comcast would be blamed. And such a back door would be used by crackers, given enough time.
Re: Remote Remove Actually, they could. The fact that the system is infected means it is vulnerable, and, if Comcast really wanted to, they could write a program that would exploit the same vulnerability, install itself, wipe out the infecting malware, patch the vulnerability, and uninstall itself.
Not that I'm saying they should do this. In fact, they shouldn't, but they could.
Re: Remote Remove Actually, not true.
Most of the malware infections I have removed were a result of the weakest link of the system, the user. More than half of the infections I've seen could easily have been prevented if only the user had not clicked the link.
Today's viruses, worms, and trojan horses are rather complicated and many times fix the vulnerability behind themselves so another malware cannot come in behind and take over. Most malware now installs rootkits that are undetectable by anti-virus systems. Once your system has been infected, you are toast until the hard drive has been reformatted and the OS has been reinstalled. A job that Comcast is not going to do for free.
newview (Ex .. Ex .. Exactly) Premium join:2001-10-01 Parsonsburg, MD kudos:1 | said by AstroBoy: said by DeanD:
Can't they just connect to the victim's PC and remove the malware? I would hope not. Oh god, me too. I remember their install CDs and the way they trampled all over your system. I definitely would not want anyone from Comcast remotely repairing my computer. -- The Rules of Spam
lddbck join:2005-03-03 Hopewell, VA | Re: Remote Remove Yea, repair your PC like they repair your connection problems. No thanks.
3 edits | Just turn off the user's connection Instead of "hacking" the user's data stream to insert a message via their browser (after some ignored emails), just turn off their connection. And then Comcast should do an instant call to the user stating why the connection is now dead and how to rectify it. And that does not break the Internet either.
In this screen shot by DSLreports, »/r0/download/1···lert.jpg How many people are going to try and verify the message? Scammers have used fake messages to scare people into clicking for a quick fix for some time. And got some really nasty infections from it.
I've read posts of Rogers cable internet hacking users' data streams to insert ads. Rogers makes blood money this way. And even has the ability to replace the actual website's ads with Rogers ads. And that is censorship. Which leads to not knowing if the website you are viewing (spoofed website) is the actual website that you want.
And never, ever allow an ISP to remotely access your system to 'fix' problems. There is no guarantee that they have any computer repair certification credentials. If they break your system, or delete important files, they will claim no responsibility for any damage.
-- Consumer Rights is more than just a suggestion.
right...
Craptastic! as usual.