Broadband Crackdown

michael posted more than 13 years ago | from the brave-new-world-of-high-speed-internet-access dept.

The Internet 790

MrPeach writes: "In a move unsurprising to those of us who have had interactions with their so-called customer support, AT&T Broadband and Excite@Home are indefinitely filtering all incoming traffic on http port 80 for residential customers. They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service. DSL anyone?" DSL won't save you. Verizon is apparently also blocking port 80 for their DSL customers, in addition to blocking outgoing port 25 and requiring use of Verizon's SMTP servers to send email. Verizon is also cheerfully paying fines for screwing over their competitors - the fines will be much less than the extra profit they can squeeze out once their competition is gone.

Move to Canada (1)

DickPhallus (472621) | more than 13 years ago | (#2169335)

Bell hasn't cracked down on me yet... I run a small webserver... I mean what harm does a 16 KB upstream cost the bastages anyway?

Re:Move to Canada (1)

jmcneill (256391) | more than 13 years ago | (#2169341)

Ditto for NBTel.. although with all of the crap going on here lately, I wouldn't be surprised if they followed suit. And the only other option (that isn't even an option yet) is Rogers@Home, and I doubt that would be much better.

Re:Move to Canada (1, Insightful)

aoeuid (250239) | more than 13 years ago | (#2169365)

Officially Rogers@home does not allow web servers, but that URL beside my name is hosted on Rogers in Ottawa, and has been for quite some time. Yet here in London, I've heard it's a different story. So I guess maybe they are selective about it.

Personally, I think it's my god given right to use allocated bandwidth however I choose. It's one thing to limit bandwidth, quite another to censor what bytes are allowed in my incoming or outgoing tcp segments.

Re:Move to Canada (1)

Swaffs (470184) | more than 13 years ago | (#2169348)

Shaw here in Winnipeg hasn't cut me off yet either.

Re:Move to Canada (0)

Anonymous Coward | more than 13 years ago | (#2169358)

I'm with Bell in Canada, too, and I'm being swamped with other Bell users scanning my port 80.

I scan their box, and if I find smtp up and running, I send them an email telling them to clean their machine.

Re:Move to Canada (1)

trolebus (234192) | more than 13 years ago | (#2169411)

How do you get around the dynamically assigned IP's if you have a webserver. I mean, even my router needs to be rebooted from time to time (I think it may be Bell Canada disconnecting me because they needed the IP and I was idle but I'm not sure)

Re:Move to Canada (1)

Kwikymart (90332) | more than 13 years ago | (#2169446)

My ISP (DCCNET, Delta BC, Canada), uses dynamic IPs. However, the DHCP servers must have a MAC address memory or something because it will assign me the same IP address all the time (and it's not a feature of my dhcp client). However, if I take too long to run the dhclient it will assign that IP to someone else. It's still dynamic, but not completely. No filtering of anything as well. It's metered but they actually never charge you when you go over your limits.

Oh goodness gracious! (0)

Anonymous Coward | more than 13 years ago | (#2169466)

who let dehli on the net

Re:Move to Canada (0)

Anonymous Coward | more than 13 years ago | (#2169459)

How do you get around the dynamically assigned IP's if you have a webserver. I mean, even my router needs to be rebooted from time to time (I think it may be Bell Canada disconnecting me because they needed the IP and I was idle but I'm not sure)

try dyndns.org [dyndns.org]

Re:Move to Canada (2)

Malc (1751) | more than 13 years ago | (#2169465)

I have Sympatico HSE. My router (Netgear RT314) hasn't had a problem since I installed it last October. I got a .ca domain through easydns.ca... nobody has had a problem accessing my web site or sending me email, all on my dynamic IP. You can also use free services like dyndns.org or Granite Canyon. It's easy. If you have further questions, go to news://sympatico.highspeed [sympatico.highspeed] . There are lots of people there who do the same and can help.

Re:Move to Canada (2)

Malc (1751) | more than 13 years ago | (#2169490)

Bell happily imposes a port 25 filter. The coverage is patchy though as only people with Sympatico IPs and their own SMTP server are restricted from sending me email. Based on this experience and the level of activity (I've had 2,000 hits since Saturday, mainly from Sympatico IPs), I wouldn't be surprised if they start filtering port 80... although I'm sure they're too incompetent to roll it out quickly. You could say that they already have a port 80 filter... they have a translucent caching interception proxy on port 80 in some areas.

If I lived in Ottawa, Toronto or Montreal (??), I would switch to Istop.

No blocking yet (2, Interesting)

Heem (448667) | more than 13 years ago | (#2169339)

I'm on @home and as far as I can tell port 80 is not yet blocked... I wonder for how long they will block the port and what clause in their contract they will hide behind?

Clause? (5, Insightful)

DiveX (322721) | more than 13 years ago | (#2169357)

The hide behind clause will most likely be the one that says 'you may not run a server in connection with the @Home residential service'. http://home.com/support/aup/

Re:No blocking yet (4, Insightful)

natet (158905) | more than 13 years ago | (#2169422)

Hello, read your contract. @home does not allow their residential customers to run webservers anyway.

From their service agreement.

AT&T Broadband does not allow servers to be connected to the cable modem. This means that no computer in a personal network can be used as a server.

Hmmm, sounds like a pretty good clause to hide behind, eh?

Re:No blocking yet (2, Informative)

icewalker (462991) | more than 13 years ago | (#2169451)

Too bad when Windows XP comes out, every PC running it will be a server! I guess @Home will just have to outlaw Windows XP as well.

My nice apache server just keeps on hummin!

Obtaining Perfection isn't Perfect!

Re:No blocking yet (1)

X-Dopple (213116) | more than 13 years ago | (#2169464)

Strange. Port 80 here in Salt Lake City isn't filtered yet, but it could be only a matter of time.

How else do you stop a Code Red worm, however? I think this is one of those situations that, in order to stop, you have to throw the baby out with the bathwater.

It was fun running a webserver while it lasted..

so what (2, Insightful)

FreakBoy (70961) | more than 13 years ago | (#2169340)

what will this do?
@home users can still infect other @home users, along with the rest of the net.

Re:so what (1)

superpeach (110218) | more than 13 years ago | (#2169486)

Actually, @home users can still infect anyone else anywhere if only incoming port 80 connections are blocked. I don't know how codeRed decides who to do next, but from looking at my logs it isn't just "attacks" from people on the local network (as I am getting connections from USA, France, China...). To completely stop the spread of the worm over the @home network incoming and outgoing port 80 connections would need to be blocked.

Hum... (0)

Anonymous Coward | more than 13 years ago | (#2169342)

Just an excuse to shutdown people trying to run a small business at home? Or does that kind of thing go on?

We haven't done this yet.. (3, Insightful)

BiggestPOS (139071) | more than 13 years ago | (#2169343)

But considering the average level of intelligence of our customers is close to NIL, I really think we should. We get a lot of emails, and calls from people who have detected attacks from our Customers, and we call the customers, and they are just like, "Wha?"

It's great. So instead we just let the network FLOOD. But good thing we aren't blocking port 80, that would SCREW over like what, .1% of our customers?

Re:We haven't done this yet.. (1)

ogre2112 (134836) | more than 13 years ago | (#2169398)

It comes down to.. The people that know how to use their computers get fucked over by those who don't.

Re:We haven't done this yet.. (2, Interesting)

Heem (448667) | more than 13 years ago | (#2169447)

It comes down to.. The people that know how to use their computers get fucked over by those who don't.
Add the word AGAIN to that phrase. And if we want to get on a network where we are our peers know what they are doing, we have to pay out the ass. I liked it better when it took some BRAINS to use a computer, it wasn't cool to be a geek, and everyone I know isn't calling me every 10 minutes to fix their damn computer.

is this ____the___ mr peach?? (-1, Offtopic)

graphicsboy (96499) | more than 13 years ago | (#2169345)

how do i know you are the real mr peach?

*BSD is dying (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2169349)

*SD is dying

Yet another crippling bombshell hit the beleaguered *BSD community when last month IDC confirmed that *SD accounts for less than a fraction of 1 percent of all servers. Coming on top of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last [sysadminmag.com] in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin [amdest.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

*BS is dying

Re:*BSD is dying (0)

Evil MarNuke (209527) | more than 13 years ago | (#2169393)

fuck it. I'll still run OpenBSD as my firewalls, name, and ftp server.

Too bad we *ALL* have to suffer... (0)

spam368 (43865) | more than 13 years ago | (#2169350)

It's too bad we all have to suffer, just because some (okay..most) people use microsoft products....those of us that choose to run linux (and yes...we usually have webservers) are being blocked when we aren't even perpetuating the virus...

filtering (0)

Anonymous Coward | more than 13 years ago | (#2169351)

can't you just change the port # your web server is running on? That sux but it would be better than nothing.

Re:filtering (1)

SnapperHead (178050) | more than 13 years ago | (#2169371)

Sure, your best bet is to run your server on port 443 only. SSL :)

This more or less prevents quite a few similar attacks.

Re:filtering (1)

Heem (448667) | more than 13 years ago | (#2169472)

can't you just change the port # your web server is running on? That sux but it would be better than nothing
Sure, you could change the port, but try telling your mother-in-law, that when she wants to look at the recent pictures of her grandson, to connect to port 8080. She'd say something along the lines of.. 'WHAT'S THAT NOW?' 'COME AGAIN?' And going back and getting links changed around the net to include the :8080..

Quite common already (5, Insightful)

SnapperHead (178050) | more than 13 years ago | (#2169359)

Actually, cable and DSL providers are already blocking port 80 (and most lower ports) for months. I am a Charter cable customer. When I first signed up, all ports below ~1500 were blocked. (With the exception of 53, 113, and a few others) Customers were forced to use their proxy server. Even outbound port 80 was blocked.

After complaining for 4 months about it, and many phone calls to their head techs and managers, I finally won. I proved to them why blocking all of those ports was insaine. I simply wanted to run NTP on my machine. (Well, my entire LAN, but they didn't know anything about that :) Which requires 123/UDP.

As the months went on, more and more ports started opening. One thing that they have realized is that people will run servers regardless. People who abuse it (setting up high traffic sites) will be shutoff. Personally, I think it's insaine. I should have the right to run a personal site, as long as it doesn't get out of hand. If it did get to that point, I wouldn't be hosting on cable.

So, they blocked the ports. I wonder how long it will stay. I would be very careful, they may use this as an excuse to keep the ports blocked.

Working with the large companies is difficult, trying to convince them that they should unblock them. I can kind of understand their position. But, then again, it kinda upsets me.

Re:Quite common already (0)

Anonymous Coward | more than 13 years ago | (#2169389)

insane is spelled like this:

i-n-s-a-n-e.

Re:Quite common already (2, Funny)

calags (12705) | more than 13 years ago | (#2169457)

First time I read it I thought he meant to write asinine which in this context means the same thing :)

Verizon DSL is NOT THAT EVIL (4, Informative)

Deadbolt (102078) | more than 13 years ago | (#2169361)

Verizon *DOES NOT BLOCK* outgoing port 25 *OR* port 80! I've been running my own mail server off the standard DSL offering, $40 a month, for almost a month now and never one hint of problems. I can send mail anywhere. I can telnet to port 25 on any Internet-accessible mail server.

And correct me if I'm wrong, but if Verizon blocks outgoing port 80, wouldn't that put a bit of a dent in most popular web browsers?

For the love of God, try to be a little accurate! There are plenty of real problems to bitch about!

Re:Verizon DSL is NOT THAT EVIL (2)

Bullschmidt (69408) | more than 13 years ago | (#2169366)

Same experience here.. although I don't run the web server. I *JUST* tested my email server.. works fine!

Re:Verizon DSL is NOT THAT EVIL (4, Funny)

Dutchie (450420) | more than 13 years ago | (#2169397)

He said 'incoming port 80'. Yeah that'd be swell, blocking outgoing port 80.

Re:Verizon DSL is NOT THAT EVIL (1)

Deadbolt (102078) | more than 13 years ago | (#2169479)

Actually he just said "port 80" -- I inferred outgoing from context. But you're right. That would be rather dumb, wouldn't it? :) Cheerfully withdrawn.

Re:Verizon DSL is NOT THAT EVIL (0)

Anonymous Coward | more than 13 years ago | (#2169405)

this is just classic FUD. Verizon isn't that bad. They aren't great, but they're not the big evil boogy man either.

Re:Verizon DSL is NOT THAT EVIL (0)

Anonymous Coward | more than 13 years ago | (#2169463)

No shit, I was scared there for a second. Verizon has its bad sides, but leaving their DSL customers more or less alone to run whatever they want is not one of them.

A simple go-around: (1)

Travoltus (110240) | more than 13 years ago | (#2169362)

Put your web server on port 8080 or something, although it would be fun getting to everyone the message that it's on port 8080...

Re:A simple go-around: (3, Informative)

Corgha (60478) | more than 13 years ago | (#2169467)

Not so simple, actually -- I tried this today because of the block, and it works fine in many cases, but there is a hitch.

Let's say someone is looking at "http://foo.ne.mediaone.net:8080/bar/fred.html", and this html file contains a reference to another file, be it a CSS file, an image, an anchor -- whatever. There are three possibilities I want to consider.

In the first, if this reference is of the form "http://foo.ne.mediaone.net/bar/ney.html", it's obviously not going to go to port 8080, but people rarely use absolute references like that, so let's move past that to the more interesting cases.

In the second, if the reference is of the form "ney.jpeg". Here, everything works fine and the client looks for "http://foo.ne.mediaone.net:8080/bar/ney.jpeg".

In the third, with a reference like "/css/rubble.css", you'd like to think that, since the parent URL is in http://foo.ne.mediaone.net:8080, the client would go for "http://foo.ne.mediaone.net:8080/css/rubble.css", but no! It looks up "http://foo.ne.mediaone.net/css/rubble.css" (and spends a long time timing out because of the block).

I have no idea why this is, but it seems to happen in both Netscape and IE. Haven't had time to investigate it thoroughly, so if anyone knows anything about this, I'd appreciate the info.
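The three reference forms from the comment above, run through standard reference resolution (RFC 3986, as implemented by the WHATWG `URL` class in browsers and Node) to report which references keep the page's port and which fall back to the default one. This is an added example, not part of the thread; the host and paths are the ones quoted in the comment, while the HTML snippet, the protocol-relative case and the function names are constructed for illustration.

```javascript
// Page served from the alternate port, as in the comment above.
const PAGE_URL = 'http://foo.ne.mediaone.net:8080/bar/fred.html';

// Constructed sample markup: the three reference styles discussed above,
// plus a protocol-relative reference as a fourth case.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/rubble.css">
<a href="http://foo.ne.mediaone.net/bar/ney.html">absolute</a>
<img src="ney.jpeg">
<script src="//foo.ne.mediaone.net/js/app.js"></script>
`;

// Collect href/src values. Adequate for auditing simple static pages;
// it is not a full HTML parser.
function extractReferences(html) {
  const refs = [];
  const re = /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    refs.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return refs;
}

// Port the client will actually connect to (URL.port is '' for defaults).
function effectivePort(url) {
  if (url.port !== '') return Number(url.port);
  return url.protocol === 'https:' ? 443 : 80;
}

// Name the syntactic form of a reference.
function classify(ref) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(ref)) return 'absolute';
  if (ref.startsWith('//')) return 'protocol-relative';
  if (ref.startsWith('/')) return 'root-relative';
  return 'path-relative';
}

// Resolve every reference against the page URL and flag the ones that
// stay on the same host but leave the page's port.
function auditReferences(pageUrl, refs) {
  const base = new URL(pageUrl);
  return refs.map((ref) => {
    const resolved = new URL(ref, base);
    const port = effectivePort(resolved);
    return {
      ref,
      kind: classify(ref),
      resolved: resolved.href,
      port,
      leavesPagePort:
        resolved.hostname === base.hostname && port !== effectivePort(base),
    };
  });
}

// References that would hit the filtered default port after the move.
function brokenByPortMove(pageUrl, html) {
  return auditReferences(pageUrl, extractReferences(html))
    .filter((r) => r.leavesPagePort)
    .map((r) => r.ref);
}

for (const row of auditReferences(PAGE_URL, extractReferences(SAMPLE_HTML))) {
  console.log(`${row.kind.padEnd(18)} ${row.ref} -> ${row.resolved}`);
}
```

Under this algorithm only references that carry their own authority (absolute and protocol-relative) drop the `:8080`. A `<base href>` element or a server-issued redirect that omits the port changes the base URL and therefore the result.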

Re:A simple go-around: (0)

Anonymous Coward | more than 13 years ago | (#2169489)

Yes, anybody that really wants to run a 'webserver' off their computer can always just change the port (assuming they wanted to do real damage -- most people just run a test webserver at most for friends to download pictures and things and wouldn't miss port 80 too much). This move is all because of some ass's virus and yet another M$ bug -- thank you microshit fucks.

Mailservers? (0)

Anonymous Coward | more than 13 years ago | (#2169363)

Day they shut off my mail port is the day I cancel.

Linux is not a contender.. (-1, Insightful)

Anonymous Coward | more than 13 years ago | (#2169364)

If you put Linux next to some other operating systems out there for a cost comparison, the conclusions are devastating for Linux.

Linux costs not only more because of the frequent updates which require new cdrom's to be bought.

Another factor in Linux cost is its maintenance. Linux requires a *lot* of maintenance, work doable only by the relatively few high-paid Linux administrators that put themselves - of course willingly - at a great place in the market. Linux seems to need maintenance continuously.

Add to this the cost of loss of data. Linux' native file system, EXT2FS, is known to lose data like a firehose loses water, when the file system isn't unmounted properly. Other unix file systems are much more tolerant towards unexpected crashes. An example is the FreeBSD file system, which with soft updates enabled, performance-wise blows EXT2FS out of the water, and doesn't have the negative drawback of extreme data loss in case of a system breakdown.

Factor in also the fact that crashes happen much more often on Linux than on other unices. On other unices, crashes usually are caused by external sources like power outages. Crashes in Linux are a regular thing, and nobody seems to know what causes them, internally.

The steep learning curve compared to about any other operating system out there is a major factor in Linux' cost. The system is a mix of features from all kinds of unices, but not one of them is implemented right. A Linux user has to live with badly coave low performance, mangle data seemingly at random and are not in line with their specification. On top of that a lot of them spit out the most childish and unprofessional messages, indicating that they were created by 14-year olds with too much time, no talent and a bad attitude.

I can go on and on and on, but the message is clear. In this world, there is no place for Linux. It's not an option for any one who seeks a professional OS with high performance, scalability, stability, adherence to standards, etc. The best place it should ever reach is the toy store, and even that would be flattering

Re:Linux is not a contender.. (0)

Anonymous Coward | more than 13 years ago | (#2169390)

Not too bad a troll, but lose the one liner reference to buying new cd's. It's a dead giveaway. Still, I grade you a B+ for effort.

Re:Linux is not a contender.. (0)

Anonymous Coward | more than 13 years ago | (#2169484)

Actually, it's an above-average troll. Yeah, the reference to buying new CDs makes the troll lose points, but he's right about ext2 eating itself and ufs+softupdates blowing ext2 out of the water.

It contained facts and ticked off Slashdot readers -- that's a good troll in my book. (And it sure beats the goatse.cx links...)

Re:Linux is not a contender.. (-1, Offtopic)

lostchicken (226656) | more than 13 years ago | (#2169410)

If you're so sure of this, why don't you put your name on it. Anonymous coward.

Re:Linux is not a contender.. (0, Offtopic)

ogre2112 (134836) | more than 13 years ago | (#2169412)

Argument 1: Linux costs not only more because of the frequent updates which require new cdrom's to be bought.

Ok, I'll stop right there, because obviously YOU DON'T KNOW DICK.

Fucking Troll

Speakeasy! (4, Informative)

Evil MarNuke (209527) | more than 13 years ago | (#2169367)

If you want to host servers at host there is only one real choice out there, and that's SpeakEasy. Oh, don't take my word for it, read the Terms of Service [speakeasy.net] . It says:
Personal Web Page Restrictions:

We believe in the right of the individual to publish information that they feel is important to the world via the Internet. Unlike many ISP's we do allow you to run a server (web, mail, etc.) over your DSL line.

Enough said.

Re:Speakeasy! (1)

nbvb (32836) | more than 13 years ago | (#2169485)

Amen to that brother!!

Bless those Speakeasy folks... they kick ass and take names.

There's a reason I spend $91/month on a DSL line...

Now you know why.

--dmjATspeakeasyDOTorg

Re:Speakeasy! (1)

1Oman (308666) | more than 13 years ago | (#2169488)

Telocity has no problem with users running servers either. They even have a help page to aid users who don't know how and you just call them up to get and they set up the dns for you too.

Apache Servers? (0)

Anonymous Coward | more than 13 years ago | (#2169370)

You know, I always love this attitude by the cable and dsl providers towards residential users that seems to come out roughly meaning "even though you're paying forty dollars a month and subscribing to our service. YOU OWE US!" Filtering out specific ports isn't the solution. Good product testing is. What happens when the next exploit comes out? Are we going to firewall ourselves onto our own secluded networks? Revisit the AOL days again anyone? The problem isn't people running webservers off their pc's, the problem isn't the exploit. The problem is the poorly written software that was allowed to get out without proper testing in the first place.

Not a huge surprise.. (3, Insightful)

James_G (71902) | more than 13 years ago | (#2169372)

To be fair, @Home have always said that their residential customers should not run servers of any kind - this has always been their policy and up until now, they've basically turned a blind eye (At least, they never complained when I ran servers on my cable modem connection).

Now they're doing the sensible thing to contain potentially hundreds of thousands of machines running IIS (Mostly run by people who probably have no idea about worms and the like anyway - even if they knew they were running a web server in the first place).

Seems pretty sensible to me, although my DSL ISP has no problems with me running servers, so I'm happy either way..

It would mean them having to do real work (3, Insightful)

Anonymous Coward | more than 13 years ago | (#2169373)

It would mean them having to do real work shutting down accounts of those who are not smart enough to run a 1mo old patch on their systems. It makes me angry, because if there was another option for a high speed connection, I would have done it a long time ago. All day I have received calls from clients wondering if my dev machine dropped off the web. I called att and what they actually said was "when we installed the service, we set up with NT Based systems because it was the fastest way to get it working, not because it was the most secure", then the tech followed with "all of our servers have viruses". I'm not sure but it sounded like she wasn't too happy with her job..

This really appears to be... (2)

Mhrmnhrm (263196) | more than 13 years ago | (#2169374)

Curing the disease by killing the patient. If I read their statement correctly, AT&T recognizes that the problem is unpatched IIS servers. But they've decided that because this is such a problem (Which I as a lowly dialup user haven't even noticed yet) that it merits shutting down all customers' ability to run webservers, even though they also recognize that most people run Win 9x. The legal basis is contained within their user agreement as a clause basically saying "you can't do anything that will mess up someone else's usage of the service", which really is pretty common.

Their "virus removal" instructions also seem flawed... why would I want to reconnect to the internet *before* the final reboot? Granted, not being connected during the early boot phase makes things take longer, but it will also make sure you can't be reinfected before the patch is fully applied.

SSL anyone? (1)

DanEsparza (208103) | more than 13 years ago | (#2169376)

Why not use FreeSSL [freessl.com] and port 443 (https)?

Just a thought.

Read your TOS! (5, Insightful)

SClitheroe (132403) | more than 13 years ago | (#2169378)

Seriously people... Most, if not all, broadband providers prohibit running servers from home accounts (it's definitely that way for @Home users, even if they do generally turn a blind eye to small time web servers). They generally also have some sort of clause which basically doesn't guarantee unlimited or uncontrolled inbound or outbound access. For that matter, most broadband (and thinband) providers provide a clause which basically exempts them from any sort of service level agreement.

Signing on with a domestic oriented ISP means that you are essentially "users" on their network. Blocking inbound port 80 access is a good starting point for at least protecting their internal network segments. If you were running what is essentially a DHCP/DNS/proxy service for thousands of users, wouldn't you at least take this step to protect the integrity of your network?? (I admit it doesn't begin to solve all the problems, but...)

If you want to run your own "mini NOC", then pony up the cash and get ISDN, a T1, or something faster put into your basement. But if you are subscribing to a consumer grade ISP's offerings, don't be surprised when this happens. And especially don't start with the geek indignation, because consumer broadband is not meant, nor sold, under the pretense of running home servers.

Re:Read your TOS! (0)

Anonymous Coward | more than 13 years ago | (#2169426)

Actually, many broadband services allow you to serve your own web sites now--I know mine, DirecTV (formerly Telocity), lets you. I think most Covad-based services do, too, and I'm fairly sure Earthlink DSL changed their policy not too long ago to allow this. Of course, it seems Rhythms (provides DSL for DirecTV) and Covad are dying off now (both recently declared bankruptcy) . . .

Re:Read your TOS! (2, Interesting)

Atzanteol (99067) | more than 13 years ago | (#2169432)

Not necessarily... When I originally signed up with MediaOne, I asked about running servers. They were fine with it, so long as I didn't interfere significantly with the other users.

I think this is just a way ATT can claim to be 'proactive on security'...

This sickens me..

Re:Read your TOS! (5, Informative)

almeida (98786) | more than 13 years ago | (#2169436)

http://slashdot.org/comments.pl?sid=01/08/07/1926212&cid=301 [slashdot.org] . I read my TOS, you obviously didn't.

Re:Read your TOS! (1)

almeida (98786) | more than 13 years ago | (#2169445)

P.S. Personal link is now broken, thanks to a lot of stupid Windows users.

Re:Read your TOS! (1)

Monkeyman334 (205694) | more than 13 years ago | (#2169476)

With @home their upstream is restricted to 15K. So it's not a bandwidth concern, and they never check to see if you have a server running. They just don't want to be liable if you want to sue for an outage, or anything else that may come up.

Red thingie (1)

X.25 (255792) | more than 13 years ago | (#2169381)

Amazing how everyone is bleating, but no one tried to make a connection to Code Red worm...

Yes, port 80 is being blocked just about anywhere - wanna guess why?

Give me a break (1)

Moonwick (6444) | more than 13 years ago | (#2169383)

Cut access to people with infected servers? Considering that the only way to detect this is by actually taking advantage of the hole itself, somehow I'm not surprised that @home didn't want to make that decision.

Stop being so paranoid. There are other broadband providers in the world.

hmm (0, Flamebait)

mlong (160620) | more than 13 years ago | (#2169386)

I've noticed something here. A sure fire way to get a story posted is to simply mention how company x (big bad business) is screwing group Y over (victim)...throw in a few smart-ass remarks (bait), and maybe a few exaggerations (scare tactics) and wham...it's frontpage news.

Re:hmm (-1, Flamebait)

Anonymous Coward | more than 13 years ago | (#2169433)

And people say LinuxToday has integrity problems.

Slashdot spreads probably as much FUD as microsoft really.

port 25 is not blocked. That's a lie.

oh no some person's piddly little home page on a 16k\s upstream just got caught off, boohoo. Gee ya instead they should just let code red run amok and fuck over everybody.

Why not force a download of the patch? (2)

Omerna (241397) | more than 13 years ago | (#2169387)

Make people download a patch to be able to run a server. Easy. Just make them go to a page that will let them say "Yes, I've downloaded the patch" with a copy of the patch next to the button so it's easy to do it.

Re:Why not force a download of the patch? (1)

linzeal (197905) | more than 13 years ago | (#2169428)

What happens the next time and the next time and the next time . . . ? ? ?

huh ?

Not in Hampton VA. (2, Informative)

QwkHyenA (207573) | more than 13 years ago | (#2169388)

Cox hasn't filtered port 80 here yet. Just ran port detective [portdetective.com] , and it's still open here...As well as port 25.

Re:Not in Hampton VA. (2)

interiot (50685) | more than 13 years ago | (#2169491)

Same here. Not yet on Excite@Home. Code Red is still attacking once every four minutes, so it should be easy to passively tell almost exactly when port 80 service is cut off.
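The passive check suggested in the comment above, sketched as an added example that is not part of the thread: with inbound probes arriving at a steady rate, the access log shows when inbound port 80 stopped reaching the host. It assumes regular background traffic like the once-every-four-minutes rate the commenter describes (a quiet log on a host with little inbound traffic proves nothing); the log lines are constructed sample data in Common Log Format with documentation-range addresses, and the function names and the 3x threshold are illustrative choices.

```javascript
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Constructed sample log: one inbound hit roughly every four minutes,
// then nothing. One malformed line is included on purpose.
const SAMPLE_LOG = [
  '192.0.2.10 - - [07/Aug/2001:13:00:05 -0400] "GET / HTTP/1.0" 200 512',
  '198.51.100.7 - - [07/Aug/2001:13:04:10 -0400] "GET / HTTP/1.0" 200 512',
  '203.0.113.44 - - [07/Aug/2001:13:08:02 -0400] "GET / HTTP/1.0" 200 512',
  'truncated line without a timestamp',
  '192.0.2.99 - - [07/Aug/2001:13:12:20 -0400] "GET / HTTP/1.0" 200 512',
  '198.51.100.23 - - [07/Aug/2001:13:16:01 -0400] "GET / HTTP/1.0" 200 512',
  '203.0.113.5 - - [07/Aug/2001:13:20:07 -0400] "GET / HTTP/1.0" 200 512',
];

// Parse the [dd/Mon/yyyy:HH:MM:SS +zzzz] field into epoch milliseconds (UTC).
// Returns null for lines that carry no valid timestamp.
function parseClfTime(line) {
  const m = /\[(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\]/.exec(line);
  if (!m || !(m[2] in MONTHS)) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMin = (m[7] === '-' ? -1 : 1) * (+m[8] * 60 + +m[9]);
  return local - offsetMin * 60000;
}

// Median is used instead of the mean so one long pause does not skew
// the estimate of the normal gap between hits.
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Compare the silence since the last inbound hit with the typical gap.
// If the silence exceeds factor * typical gap, inbound traffic has most
// likely been filtered somewhere between the last hit and one gap later.
function estimateCutoff(lines, observedUntilMs, factor = 3) {
  const times = lines
    .map(parseClfTime)
    .filter((t) => t !== null && t <= observedUntilMs)
    .sort((a, b) => a - b);
  if (times.length < 3) {
    return { hits: times.length, verdict: 'insufficient-data' };
  }
  const gaps = times.slice(1).map((t, i) => (t - times[i]) / 1000);
  const typicalGapSec = median(gaps);
  const last = times[times.length - 1];
  const silenceSec = (observedUntilMs - last) / 1000;
  const filtered = silenceSec > factor * typicalGapSec;
  return {
    hits: times.length,
    typicalGapSec,
    lastHit: new Date(last).toISOString(),
    silenceSec,
    verdict: filtered ? 'inbound-likely-filtered' : 'inbound-still-arriving',
    cutoffWindow: filtered
      ? [new Date(last).toISOString(),
         new Date(last + typicalGapSec * 1000).toISOString()]
      : null,
  };
}

// Log inspected at 14:00:00 -0400 (18:00:00 UTC), 40 minutes after the last hit.
console.log(estimateCutoff(SAMPLE_LOG, Date.UTC(2001, 7, 7, 18, 0, 0)));
```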

Leased Line (2, Interesting)

trolebus (234192) | more than 13 years ago | (#2169391)

This is getting out of hand. Does anyone know what a leased line costs?

This is an idea I had:
A group of people get together and purchase a leased line, run it into someone's home and then put everyone else on a little ethernet network. Granted I don't know how much one costs but I figure at around $40 a month a group of about 20-30 should be able to get something way faster than DSL/Cable and without the bullshit. I see three main problems.

1. Security: Everyone has to protect their PC; a packet filtering router should do the trick but it's an added expense. Additionally the security on the leased line has to be good.

2. People: Finding enough people that live such that we can lay all the cable we need without going on city land. This could be the real challenge. I suppose we could hop across holes in the network with 802.11b but that would be slower and less secure.

3. Time: What happens when the network / connection goes down. Either we set up some sort of rotation but we need an admin to fix stuff and that can be expensive.

Other issues are things like getting IP's (we could use a DHCP server but it would be better to all have our own IP)

Lots of challenges but it could be cool. Has anyone done something like this or has a suggestion on how it could be done better? I get closer and closer especially with crap like this.

Re:Leased Line (1)

visualight (468005) | more than 13 years ago | (#2169475)

Wireless?

I've been thinking along the same lines but I'm not up on what equipment to use etc. I just started yesterday trying to find out what kind of frequencies/watts are required vs. what's available for regular people.

Servers were never allowed out on cable (5, Informative)

isdnip (49656) | more than 13 years ago | (#2169392)

The @Home customer agreements never allowed servers, particularly web servers. There's a valid technical reason, too: Cable bandwidth is asymmetric. There's typically a downstream pool of about 27 Mbps (depending on settings) shared among all users, while the upstream pool is more often in the 2 Mbps or less range. This comes about because upstream has to fit into the narrow patches of usable spectrum below 40 MHz, while downstream just fits among the TV channels between 50 and 750 MHz.

So stick a server out there, get Slashdotted (or even just get mildly popular), and the upstream bandwidth is wiped out for your whole neighborhood (technically, the area of your optical conversion node and CMTS channel). This is a big risk, so the cable companies don't take it. Instead, they do give you some free hosting space at their data centers.

VeriZontal has no such excuse -- ADSL has little upstream bandwidth (they typically provision only 90 kbps) but it's your very own, and they end up with a huge surplus of upstream bandwidth at the back of the DSLAM, where all of the traffic is aggregated. It's downstream that can congest easily. They're just being shmucks as usual. But if their customer agreement doesn't allow servers, then that's the deal -- commercial-grade DSL services allow servers.

The real problem they're addressing (even VZ) is Code Red II. Web servers that get infected will probe their own networks like crazy looking for others to infect. This creates congestion. So shutting off port 80 stops the worm. Crude but effective. See the recent LinuxPlanet column about Charter for how a cable company won't admit that its infected servers are causing huge congestion. The author suggests blocking port 80!

Re:Servers were never allowed out on cable (2, Informative)

almeida (98786) | more than 13 years ago | (#2169454)

From: http://help.broadband.att.com/subagreelease.jsp

(b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

911 (1)

bruthasj (175228) | more than 13 years ago | (#2169396)

Hell, there are so many people on these DSL networks running compromised servers, it's like a shotgun wound. You don't care where the bullets went in or where they came out. You wrap the thing until it stops bleeding.

Or, guess what, you're dead. Right now they have a few limited resources, 1) Bandwidth and 2) Time. If they want to fix the problem fast they cut port 80. They let the bleeding stop and then they open up.

If you want to write a program that helps them signature each freaking IP on their network and then filter which one is okay or not, go start your project: SF [sf.net]

These guys want to keep most of their customers. When 100% of users are having bandwidth problems because of a virus they drop like flies. When 1% that are running Linux get port 80 blocked drop, they don't give a @#$!.

Quit your whining. And go get webhosting for 10$/month at an offsite provider instead of trying to create a web server from crappy components. You're not losing money are you?!!? I'd have to laugh in your face if you're trying to run a useful webserver over DSL.

-out-

The end of a state of denial (2, Interesting)

Senor Wences (242975) | more than 13 years ago | (#2169399)

I'm surprised it has taken AT&T and Excite so long to block port 80. In the agreement each subscriber must sign when she or he enrolls for the service the cable cos. explicitly state that you are forbidden to run a web server on their lines. But from the number of cable carracho servers I have seen, as well as other web servers running from cable, it is clear that many users simply ignore this rule. Granted, many people running Win2K or NT and IIS might not realize the service is running, their computer is infected, they are part of the problem. So it makes sense that in an effort to contain this worm the providers would block port 80. It's just weird that, in light of their stated policy, they have thus far allowed for people to run web servers, etc., on port 80, ignoring the users' abuse of the service just as the users have ignored the rule. All it took was a few careless individuals running unpatched software that shouldn't have had such a nasty exploit in the first place to ruin this wonderful state of denial between the cable cos. and people who want to run a web server on their nice, zippy cable connections. I suppose that's what port 8080 is for....

No sympathy (2)

fremen (33537) | more than 13 years ago | (#2169401)

I really don't have the least bit of sympathy for anyone who has been hit with this. You agree to a contract that describes the terms of your service. That contract almost certainly says that running servers is prohibited, but up until now most ISPs were happy to look the other way for the occasional server that didn't waste their bandwidth. Now that a massive bandwidth hogging, server infecting, people irritating web worm has appeared, and it has been revealed that the average server operator has no clue about computer security. They have a choice, let their customers be potentially vulnerable to a backdoor insertion while a worm goes willy nilly sucking down bandwidth or ignore it and hope that nobody complains. Keep in mind, the majority of home internet users don't run servers. They just want fast access to the web and their e-mail. Disabling your virus infested server is no sweat off their backs, it just improves their quality of service.

They've had the authority to kill server access and now they've done it. They did it with what was probably a good reason, and anybody who has paid any attention realizes that they've had the power to do this for a long time. Count yourself lucky that you got a free server connection for this long.

And, if it really bothers you, get a dedicated server connection with guaranteed connectivity. There's a reason that those connections cost more, and it's all about connection and service guarantees.

Finally, please don't complain that you're running Apache and therefore you should be exempt. Show me one ISP that would bother checking HTTP headers and I'll show you one can of worms that you really don't want to touch with a ten foot pole.

Why don't ISP's provide firewall software? (1)

Jimhotep (29230) | more than 13 years ago | (#2169402)

ISP's like to get all the software you need to use the internet, why don't they include a firewall? I've been using ZoneAlarm for a year now, no problems. In fact, it's fun to run traceroutes on the bastages that try to break in.

RTFA (1)

jpellino (202698) | more than 13 years ago | (#2169404)

And the A stands for AUP... The prohib against servers on your side is old news. Deal. Switch. Go pro. No crybabies.

imagine if other utilities did this (5, Insightful)

Dr. Awktagon (233360) | more than 13 years ago | (#2169407)

Imagine if the phone company checked your lines for "business use" and shut you down unless you got a business contract.

Or how about the power company, charging you differently depending on how you use the power, and limiting you to, say, 10 amps peak if you don't have a business contract.

I wonder if it isn't appropriate to have a little (eek) government regulation when it comes to these things? Like not blocking any ports for any customer unless it is clearly marked in advertising or something?

I always wonder when my ISP will decide, for the good of all customers, to shut down this or that port or filter or monitor traffic. They'll probably not even notify me, they'll just update the terms of service buried in their web page someplace.

Re:imagine if other utilities did this (0)

Anonymous Coward | more than 13 years ago | (#2169453)

Ironically enough, didn't AT&T used to be a government-owned operation a few decades ago?

Re:imagine if other utilities did this (1)

davie (191) | more than 13 years ago | (#2169495)

Speaking from personal experience, I can assure you that some phone companies will require you to pay for a business line if they find out you're using a personal line for business. The reason for this is probably something to do with allocation of resources, but I'll leave it for the telecomheads to fill in the blanks.

Just change the port (1)

Vicegrip (82853) | more than 13 years ago | (#2169415)

Sure, it's a bit more of a pain http://www.something.something.something:1111 .. but it works.

My port 80 is not blocked... (1)

Gunark (227527) | more than 13 years ago | (#2169416)

I'm on Rogers@Home here in Toronto (part of the Excite@Home network, I assume) and they are definitely not blocking port 80. They are however blocking the SAMBA port (471 or something?) which is extremely annoying.

Re:My port 80 is not blocked... (0)

Anonymous Coward | more than 13 years ago | (#2169468)

Hey Bozo, it's port 139 and there's a fucking good reason it's blocked, winnukehead.

Running Services has never really been allowed (0)

Anonymous Coward | more than 13 years ago | (#2169417)

I've had cable modems from Charter and ATT. In both cases there was a statement in the user agreement that you were not supposed to run any incoming services. They never really had a reason to crack down on it so they never did, until now.

I'm not trying to defend the cable companies, but maybe you guys should read the agreement you made with the service provider before you complain about the current situation.

People are becoming consumers, not content creater (5, Insightful)

Kiwi (5214) | more than 13 years ago | (#2169419)

I can understand the thinking behind this move. The sort of people who make a decision are thinking in terms of traditional big media thinking, which goes like this:

The average American is a mere couch potato which the corporations feed information to the unwashed masses the same way the inhabitants of Huxley's Brave New World were fed soma. The average consumer has nothing to say unless what they have to say is under corporate control. While people running web servers were tolerated when what they did was not attracting the attention of the corporate suits, they are being cut off by those who feel that people really shouldn't be running personal web servers.

I am also annoyed that, while Apache and other UNIX web servers are able to make a web server without countless remote root exploits, all UNIX users on these cable modems suffer because Microsoft did not make a secure web server.

Thankfully, this is easy enough to work around. E.G:

http://24.x.x.x:8080/whatever.html

- Sam

They ought to filter on an http-server basis (0)

Anonymous Coward | more than 13 years ago | (#2169429)


If one is running Apache, Code Red is not an issue. They should block port 80 for those machines running IIS. Once again, MS's "innovation" brings things to their lowest common denominator.

Necessary? (2)

J'raxis (248192) | more than 13 years ago | (#2169439)

I don't know about this. Yes, it's going to piss off a lot of people, however I think it was somewhat necessary. I have *.mediaone.net, and with the combination of port 80 scans and ARP broadcast packet storms, my modem was receiving between 10 and 30 packets per second nonstop for two days. I can't even imagine how much bandwidth that adds up to over the whole network.

Oh, and: Any halfway decent webserver [apache.org] allows you to run on another port; they're only blocking port 80, not HTTP traffic in general (is that even possible?). You already have a shitty-looking address: h1290736218736078216472164230187467.mediaone.net; what's wrong with adding an :81? ;)

I also think the cable company was probably quite pissed off over the Code Red hit; their AUP specifically prohibits servers and here are hundreds of machines all running IIS webservers and making themselves quite visible.

Has anyone tried tzo.com? (0)

Anonymous Coward | more than 13 years ago | (#2169441)

I am one of the victims of AT&T. I understand that TZO.com has a service that lets you put your server on another port, like port 8080, and they do some sort of forwarding to it so that it appears to be on port 80. Has anyone used this? It is $99 dollars for the year, but I am considering it.

Road Runner (4, Informative)

chill (34294) | more than 13 years ago | (#2169443)

While Road Runner isn't blocking (my cable modem light is still going nuts even when my computer is off); it is part of their Terms of Agreement: no e-mail servers, no web servers, no port scans.

If you want to run an e-mail or web server, get a business line ($295/month w/1 IP; $325/month w/5 IP).

However, they have been turning a REAL BLIND EYE to all of the above. I get port scanned daily and it looks like 30%+ of the machines on my subnet are running a web or mail server. (According to my *cough* port scan *cough* of the subnet.)

Even if you did run a Web server... (2)

antdude (79039) | more than 13 years ago | (#2169448)

Why would anyone want to do with a 128k upload cap (assuming @Home cable modem service)? :)

it would mean they had to do "real" work (1)

mike13down (513643) | more than 13 years ago | (#2169450)

It would mean they had to do real work if they shut down accounts of offending machines. I spent a good part of last night talking to tech support; they actually said "When we set up the att system we wanted quick and fast setup, not secure, but fast, so we went with NT", she went on to say "all of our servers are infected with the virus". She didn't say which one, but she didn't sound happy with her job last night. And in response to the people who said, "running a server is against TOS", the answer is yes and no. When I signed the contract with "mediaone" (the last contract I signed) the TOS said "servers are not supported on the network". The new ATT one says that ... this is from the att tos "b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer. "

Reality check (0)

Anonymous Coward | more than 13 years ago | (#2169452)

Given that the Code Red worm and its variants have infected hundreds of thousands of machines, most on services like @home, there really isn't much else they can do. The logistics of trying to find and deal with that many servers means that the blanket blocking wins, particularly given that running servers is against the agreement everybody signed anyway.

What the hey? (2, Informative)

Pollux (102520) | more than 13 years ago | (#2169461)

@Home is really jerking your chain. Their user agreement is so bogus:

The benefits and privileges available from the AT&T@Home, and the Internet in general, must be balanced with duties and responsibilities so that other customers can also have a productive experience.

Translation: we're so cheap that we're going to cram as many customers as possible onto a single T1 line, limiting your privileges and your productive experience. Due to the ignorance of the general population, their productive experience is more simplistic and therefore will not come into conflict with our blocking of port 80. Granted, we understand that quite a significant portion of the internet is made up of servers like yours, but our bottom line beats your small desires to contribute to the growing of the world wide web.

Under the terms of the AT&T Broadband Subscriber Agreement customers are not to restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service.

Translation: you cannot interfere with other subscribers' use or enjoyment of the internet. We can interfere all we want.

I'm sorry, but it's very plain and simple. @Home subscribers did not purchase a "pay per consumption" plan. They paid a flat rate for service, no matter how much or little they planned to use it. If I subscribe to the daily newspaper, the newspaper company has no right to revoke the Tuesday edition from my house just because they found out that I don't have time Tuesdays to read it. I paid for it, so they are required to give it to me, no matter if I read it or not. Sure, they could come up with some bogus excuse, like "The wasting of paper on an edition of the paper which is not read by the customer is interfering with the paper supply being utilized for the enjoyment of the newspaper by other subscribers." I could then take them to court and let the judge have a good laugh over how stupid the case is.

Unless they specifically say in their user agreement that you will be limited to a certain time, bandwidth, or other limitation of their service, for them to limit your access to the web without proper notice and change to the user agreement is a direct denial of service.

Sprint BroadBand Wireless (0)

reverius (471142) | more than 13 years ago | (#2169462)

I get SprintBroadBand Wireless.

It's about $40 a month, available throughout the U.S. (although limited to certain areas).

I get about 1 - 3 megabits reliably during the day, and at night, it's up to 4 or 5. I'm amazed at how fast the download speeds are.

They've never once done anything bad to me, like blocking ports or anything. Although their terms of service suck, they don't seem to enforce them. :)

Only problem is, b/c it's wireless, ping times suck (lots of latency) and the upload speed is limited to about 30k. :(

Verizon has *not* blocked port 80 here... (1)

jlrowe (69115) | more than 13 years ago | (#2169471)

I just tested it, and it is working using a server running Linux and Apache.

The virtues of small ISPs (2)

hillct (230132) | more than 13 years ago | (#2169477)

It's amazing the quality of service (or lack thereof) that people will tolerate from large companies. When I gave up my dialup account in favor of DSL (those many moons ago) I switched from Mindspring to a small local ISP for service and I've never regretted it. Unfortunately there are lots of users who don't investigate their DSL service options before signing up with their local phone company. Small ISPs as a rule will always value their customers more than large outfits just because each customer contributes a larger percentage to their revenues (I don't pay more, they just make less). They'll bend over backwards to provide good customer service, and retain their customers.

Unfortunately the three largest ISPs continue to buy up the smaller regional players. One of the steps I've taken to guarantee my quality of service is to have an explicit QOS specific contract (in hopes of avoiding what's happening to the QWest.net users as they're transitioned to MSN Internet access). What other steps might customers be able to take to insure that their small regional ISPs retain their independence, in this climate of consolidation?

just move the port to something else (0)

MrBId (205802) | more than 13 years ago | (#2169480)

Just like a few others have said, move the port to something other than 80, like 8080. Shit, I don't care as long as they don't block 21 and 6667.

Just get a job! (2, Informative)

dan_the_heretic (260226) | more than 13 years ago | (#2169481)

If you want a server running a web site, co-locate! I have yet to see an ISP let their customers run a web site without extra cost. What's the big deal! Whining 'cause you can't get it free? GROW UP! Access costs MONEY. Pay it. Then whine because you don't get the service you pay for!

How is this going to help? (1, Interesting)

Anonymous Coward | more than 13 years ago | (#2169494)

Even if they block off incoming port 80 from the rest of the world, that won't help much. I'm on Roadrunner. Looking at my logfiles, 1340 of the 2038 Code Red attacks I've gotten since Sunday are from other Roadrunner customers. Are they going to block incoming port 80 from each machine internal to their network to every other machine internal to their network?
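Two observations in this thread can be checked from a web server's own access log: the share of Code Red probes that come from inside the ISP's network (the comment above), and the moment outside probes stop while inside ones continue (interiot's point about telling passively when port 80 is cut off). The following is an added example, not code from any commenter; the log lines, the address ranges and the 20-minute quiet window are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Code Red requested "/default.ida?" padded with N characters; Code Red II
# used X padding. Group 1 = source, 2 = timestamp, 3 = padding character.
WORM_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /default\.ida\?(N|X)\3+')

# Assumption: the ISP's own customer address space (a documentation range).
ISP_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample in Common Log Format; worm padding is shortened.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2001:10:00:05 -0400] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 205
198.51.100.23 - - [07/Aug/2001:10:02:11 -0400] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 205
192.0.2.44 - - [07/Aug/2001:10:04:02 -0400] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 205
198.51.100.80 - - [07/Aug/2001:10:09:30 -0400] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 205
198.51.100.23 - - [07/Aug/2001:10:14:47 -0400] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 205
198.51.100.5 - - [07/Aug/2001:10:15:00 -0400] "GET /index.html HTTP/1.0" 200 512
198.51.100.91 - - [07/Aug/2001:10:31:12 -0400] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 205
"""


def parse_hits(log_text):
    """Return [(timestamp, source_ip, padding_char)] for worm probes only."""
    hits = []
    for line in log_text.splitlines():
        m = WORM_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # logged hostname instead of an IP, or a bad timestamp
        hits.append((ts, ip, m.group(3)))
    return sorted(hits, key=lambda h: h[0])


def is_internal(ip, nets=ISP_NETS):
    return any(ip in net for net in nets)


def summarize(hits, nets=ISP_NETS):
    """Count probes from inside the ISP's ranges versus everywhere else."""
    internal = sum(1 for _, ip, _ in hits if is_internal(ip, nets))
    return {"total": len(hits), "internal": internal,
            "external": len(hits) - internal}


def filter_onset(hits, nets=ISP_NETS, quiet_minutes=20):
    """Time of the last external probe, if internal probes kept arriving for
    at least quiet_minutes afterwards; otherwise None. A border filter leaves
    exactly this pattern; if all probes stop, compare against the clock."""
    external = [ts for ts, ip, _ in hits if not is_internal(ip, nets)]
    if not external:
        return None
    if hits[-1][0] - external[-1] >= timedelta(minutes=quiet_minutes):
        return external[-1]
    return None


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    print(summarize(hits))
    print("external probes last seen:", filter_onset(hits))
```

A high internal count after the onset time is the case the comment describes: a filter at the ISP's border does nothing about infected neighbours on the same network.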