
Comcast Cuts Infected PCs' Network Connections

timothy posted more than 10 years ago | from the and-sends-them-copies-of-knoppix dept.


fidget42 writes "I just noticed this article over at Infoworld. It seems that Comcast is finally doing something about the machines on their network that are being used by spammers. They are now cutting off service to those customers who have computers that have been hijacked by spammers. Now, if only other broadband ISPs would start policing their user base ..."


Other ISPs start to do this? (5, Interesting)

garcia (6573) | more than 10 years ago | (#8520022)

Now, if only other broadband ISPs would start policing their user base ...

ATTBI (back in 2002) was disabling people's account for being infected with worms... People's modem CFG file would be set to disabled.cfg and they would have block sync but wouldn't be permitted onto the network.

If Comcast took over from ATTBI and is using parts of their existing network, I just can't understand why modems were not being disabled recently for infection by worms.

Re:Other ISPs start to do this? (3, Interesting)

mikeophile (647318) | more than 10 years ago | (#8520065)

It seems like it would be pretty trivial for a virus to re-write the modem CFG file to get back on the network.


Hell, it might as well uncap the modem while it's at it too.

Re:Other ISPs start to do this? (1, Insightful)

avdp (22065) | more than 10 years ago | (#8520157)

By modem, he means cable modem. It's not an integrated piece of hardware but a little box that sits somewhere outside of the PC. I can't really imagine a virus being able to reconfigure the modem, no. At least not trivially.

Re:Other ISPs start to do this? (5, Informative)

mikeophile (647318) | more than 10 years ago | (#8520191)

Take a look at this site [netwide.net] and you will be able to imagine it quite easily.


Yes Yes! (5, Insightful)

canwaf (240401) | more than 10 years ago | (#8520026)

Because we all know Corporations policing is a VERY GOOD THING!tm

Re:Yes Yes! (5, Insightful)

p2sam (139950) | more than 10 years ago | (#8520058)

Here is my preference for internet "policing" in decreasing order:

1. user self-policing
2. ISP self-policing
3. federal government "pound-me-in-the-ass" policing

Re:Yes Yes! (5, Insightful)

thegrommit (13025) | more than 10 years ago | (#8520255)

Here is my preference for internet "policing" in decreasing order:

1. user self-policing


That might be true in an ideal world. However, these users were disconnected because they failed to police themselves.

I know someone who's running a Win98 box that's been infected with SoBig.F for over a month. Yet his copy of Norton AV has been sitting on his desk for the past year. His excuse for not cleaning it up? No time, and he doesn't want to reinstall everything.

I'd say it's fair to assume that the vast majority of these Comcast customers are just like him - clueless and happy that way.

Re:Yes Yes! (5, Interesting)

Anonymous Coward | more than 10 years ago | (#8520085)

Because we all know Corporations policing is a VERY GOOD THING!tm

It's presumably a terms-of-service violation so technically you're in breach of contract and they can do what the hell they want.

Re:Yes Yes! (5, Interesting)

OECD (639690) | more than 10 years ago | (#8520095)

Because we all know Corporations policing is a VERY GOOD THING!tm

Well, a coworker brought in his virus-ridden computer for me to take a look at, precisely because Comcast threatened to turn off his pipe. The interesting thing is that he knew he had a problem, but because he could work with a slower computer he didn't take care of it. So at least one zombie box that would have been 'put up with' by its owner is now off the net.

OTOH, I'm worried about the precedent this sets. Who knows what other things will bring the 'death penalty' from the ISPs? What ports will be shut down because 'you don't need them'?

Re:Yes Yes! (1)

DaHat (247651) | more than 10 years ago | (#8520250)

As for your second point... come to south dakota on the midco network... According to the ISP... residential customers no longer need ICMP traffic. Boy I miss being able to ping out!

Re:Yes Yes! (3, Insightful)

nacturation (646836) | more than 10 years ago | (#8520098)

Because we all know Corporations policing is a VERY GOOD THING!tm


It's their service and you're likely violating their AUP by allowing (through ignorance) your machine to be a spamming source. They have every right to police their own network to enforce their TOS.

After all, we've seen how well relying on users to police themselves has worked.

Re:Yes Yes! (2, Interesting)

thales (32660) | more than 10 years ago | (#8520129)

As a matter of fact, yes: having the owners of networks police them against abuse that affects other people on the network as well as third parties is a very good thing, even if they are corporations. Much better than having a knee-jerk reaction of "a business did it, so it's evil".

It is a good thing... (3, Insightful)

JaredOfEuropa (526365) | more than 10 years ago | (#8520145)

Because we all know Corporations policing is a VERY GOOD THING!
It sounds scary if you put it that way...

Let's put it another way: the ISP states in their terms & conditions something like: "Subscribers are not allowed to distribute spam or worms over their connection, nor are they allowed to carry out DDoS attacks." Doesn't sound too unreasonable, does it? Not even if the user breaks this rule unwittingly, because his computer is infected with something nasty.

A rule like this puts the responsibility for the cleanliness of the subscriber's computer firmly with that subscriber. Rightly so, since that user is in an excellent position to do something about it. It sucks being disconnected because of a worm on your machine, but the alternative is to allow the worm to continue to spread.

The only things I worry about are the accuracy of the detection mechanism used on the ISP's side, and the promptness with which they reconnect you after you fix the problem on your machine.

Or maybe... (2, Insightful)

jjhplus9 (654212) | more than 10 years ago | (#8520200)

They should just block the OFFENDING traffic, and help the identified users clean, reconfigure, and protect themselves...

Now that would be a 'Good Thing'!

Re:Or maybe... (3, Insightful)

dreamchaser (49529) | more than 10 years ago | (#8520231)

That would be a nice thing for them to do, but they aren't being paid to provide PC support, they are being paid to provide an Internet pipe.

Maybe if people start losing service they'll finally start to educate themselves. Education is still the best weapon to use to further secure the 'Joe User' PCs out there.

Re:Yes Yes! (2, Insightful)

ThisIsFred (705426) | more than 10 years ago | (#8520249)

Well, because one corporation can't police its own defective products, I guess this is the better alternative. And I wish they would start throwing the switch on accounts that are sending out dozens of virus-infected e-mail messages. I'm sick of deleting them from my inbox, and so are my users.

When the policing keeps their own customers... (1)

sczimme (603413) | more than 10 years ago | (#8520257)


from harming others, yes it is a good thing.

I hope you weren't trying to compare this to the RIAA version of policing; that would be ridiculous.

if everyone did this (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8520029)


Now, if only other broadband ISPs would start policing their user base


You'd be first in line to moan about them 'infringing' on your interweb right!

Re:if everyone did this (0)

Anonymous Coward | more than 10 years ago | (#8520101)

And what about letting customers set a "protection level"? With the default being "high protection". Whoever wants or needs less/no filtering can set it up.

Re:if everyone did this (0)

Anonymous Coward | more than 10 years ago | (#8520103)

You'd be first in line to moan about them 'infringing' on your interweb right!

No, if you break their terms-of-service then it's up to them if they continue serving you. Your rights were set out in the ToS.

wtf (4, Insightful)

Anonymous Coward | more than 10 years ago | (#8520033)

which side of the fence are we on? We don't like bandwidth limits, but we do like automatically triggered cutoffs, because we all know there is no such thing as a false positive.

also, say grandma gets infected. She is best off downloading updated definitions for her old version of symantec, and letting AV take care of it. how do you do that with no intarweb?

Re:wtf (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8520113)

YHBT, YHL, HAND.

Re:wtf (2, Insightful)

JaredOfEuropa (526365) | more than 10 years ago | (#8520204)

also, say grandma gets infected. She is best off downloading updated definitions for her old version of symantec, and letting AV take care of it. how do you do that with no intarweb?
Grandma will get a friendly warning first, according to the article: "Fix the crap on your box asap or have your access terminated". That will give her time to get the update for her virus scanner.

Re:wtf (1)

sleazyrider (743665) | more than 10 years ago | (#8520243)

She can ask sonny who built the computer for her and forgot to set up the auto update for the antivirus to fix it for her. I really don't care how she gets it fixed, as long as it quits scanning my ports, relaying me spam and spreading the simplest to clean virii. Maybe, just maybe, we can get some of the crud under semi-control if this happens to the offenders. Oh, Comcast will send you notice that you are infected and to patch your machine to the latest update. I got one myself while running a test copy of Windows 2000 Server. They noticed it very shortly after install and let me know there were several updates to be had and I should take care of it ASAP.

Thank you! Next, please take out the virus-infect (0, Troll)

purduephotog (218304) | more than 10 years ago | (#8520036)

One down, one to go. Just think of all those logs your firewall generates that show 300,000 connections from the SAME IP with the SAME VIRUS SIGNATURE... and Time Warner won't do anything about it (say, for instance, shutting off their cable).

Comcast has taken the right steps here. So again, thank you... maybe that'll be enough to get other providers to start 'assisting' in preventing the continued harassment of my router.

Re:Thank you! Next, please take out the virus-infe (4, Interesting)

cbelt3 (741637) | more than 10 years ago | (#8520075)

Fine, stop the infected machines from DDoSing. But hey, can the SERVICE be a little more SERVICE friendly? Like this: a DHCP message comes up: "Dear Comca$t customer. Your computer seems to be infected with a computer virus. We will only allow you access to our FREE antivirus tools site until you have resolved this problem. Please contact us at blah, blah, blah". Then let 'em into a site that they control with standard tools to detect and blow away those worms. Might make the customers happy instead of ticked off.

Re:Thank you! Next, please take out the virus-infe (1)

BrookHarty (9119) | more than 10 years ago | (#8520128)

Or have an automated computer call the customer, and inform them they need to clean their computer.

DHCP message? Since when? (4, Interesting)

purduephotog (218304) | more than 10 years ago | (#8520228)

You can't send a message with DHCP; that's a network assignment protocol. As in, you get your IP from them with that.

It would be even better to send them a "Net Send", but that's been disabled due to viruses and spam.

Frankly those users have ignored all the obvious aspects of being infected (100% cable light flashing) and have probably consumed more bandwidth than an army of teenagers downloading MP3s. That cable *should* be cut and I stand by my comments about desiring cable access being denied to them UNTIL they remove their virus.

Frankly, they aren't running a virus scanner because... obviously... the logs go on for days. Weeks. A few for months. So how exactly do you want to make them call in for more information? Why, you cut out their access. Very quickly they call in. If they don't, well, they weren't using the service and they will call in when they want to... at which point a qualified technician can 'walk them thru' downloading a virus scanner and installing it.

Because let's face it: if they are spamming the net with a virus that's been on their machine for months, a little DHCP message (hah) ain't gonna do nothing to stop them.

False alarms (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8520268)

Tell me about it. During the NIMDA virus hysteria, my ISP cut off my internet connection because it said I had the NIMDA virus. Since I was running Linux, that was impossible, but it took weeks to settle the issue.

The real irony was that one of the support agents suggested that this whole mixup wouldn't have happened if I was just using a "normal" operating system like Windows or the Mac!

Plot by virus scan companies? (5, Insightful)

ObviousGuy (578567) | more than 10 years ago | (#8520037)

Doesn't this force those users to go out to CompUSA and buy a copy of McAfee or Norton antivirus?

Blocking web access also means that those users aren't able to download good, free virus scanners like Grisoft's AVG.

Re:Plot by virus scan companies? (1)

El_Ge_Ex (218107) | more than 10 years ago | (#8520078)

Doesn't this force those users to go out to CompUSA and buy a copy of McAfee or Norton antivirus?

Not really, I don't have time to RTFA (stupid paper I have to write) but, unless there's a _really_ good form of notification when this happens, all you'll have is people who think their Comcast service has gone downhill lately and switch... ...hmmm, not the best solution for Comcast but certainly works for us! :)

Darwinism of your ISP. Interesting...

-B

Re:Plot by virus scan companies? (2, Interesting)

akintayo (17599) | more than 10 years ago | (#8520080)

It also means that those users cannot download the latest anti virus definitions, if they use Viruscan or NAV. On the other hand, the argument can be made that they should've taken steps sooner, before their machine became part of the problem.

Re:Plot by virus scan companies? (1)

boomer_rehfield (579777) | more than 10 years ago | (#8520174)

And if the exploit wasn't publicly known? Then what, leave it up to the ISP to decide if you could have prevented it? And even if you let them cut the connection, what are you supposed to do? Buy Norton or whatever and have them snailmail you the latest definitions? I just see this creating a metric shit ton of problems.

Whups... (1)

boomer_rehfield (579777) | more than 10 years ago | (#8520227)

I was concentrating on your last statement and forgot your comment about downloading the definitions....

Re:Plot by virus scan companies? (1)

CdBee (742846) | more than 10 years ago | (#8520090)

If users are too stupid to provide for themselves either a working AV or an infection-proof system (OSX) then they don't deserve internet access.

Most are probably incapable of finding and installing a free AV anyway. The ISPs are doing the right thing. They should make AV mandatory for use of their services.

Re:Plot by virus scan companies? (1)

gl4ss (559668) | more than 10 years ago | (#8520117)

that didn't stop the isp from selling the system to them as easy to use, "anyone can use this", system.

Doesn't just apply to viruses... (2, Informative)

Xystance (660413) | more than 10 years ago | (#8520192)

Oh come on now...

As much as I love OS X (sitting on it right now), it is not "infection-proof".

BSD/OS X is just as vulnerable to hacking as any other Unix system if left unpatched and unmaintained.

Just because there hasn't been a working worm written for BSD/OS X doesn't mean there won't be one.

PLUS, -just- having an updated AntiVirus doesn't solve the problem! It's the patch level too, it's the non-configured software or hardware firewalls, it's the complete dearth of knowledge of the basics of computer security! Everyone has to learn to drive, so everyone has to learn to keep things at a baseline level of security.

Why don't you do your part and instead of calling people stupid, educate those you know, and tell them to educate others?

Re:Doesn't just apply to viruses... (3, Insightful)

CdBee (742846) | more than 10 years ago | (#8520252)

Oh, but I do

I work in system support. This conviction of mine that the stupid people outnumber the power users is born of considerable experience and many thousands of hours of fixing things for those friends who only call when they have a problem.

There is a massive hard core of people who just DO NOT LEARN from their mistakes. Frankly, if ISPs are going to let these dangerously ill-educated people onto the web they should have a duty to deal with the consequences.

Anything ISPs do to protect these people or us techies from their side-effects is a good thing.

This isn't a whinger or an outsider speaking. I've got the T-shirt and it wasn't worth what they charged.

Re:Plot by virus scan companies? (5, Interesting)

rebeka thomas (673264) | more than 10 years ago | (#8520100)

I think so.

My sister's university would not allow her PC back on the school network after they cut ALL student network access in the wake of MyDoom, until it could be verified by a tech at the school that she was running Norton AV.

Her PC runs Debian and only Debian. It took more than a month for her to find a sane enough tech in admin to realise that it was pointless trying to do so. All of the rest tried the different bullshit techniques telling her why all PCs are a problem regardless of OS.

The most classic was one of the last techs, a supposedly bright 35-year-old guy who came around with a warezed copy of NAV to attempt installing on her PC. He not only knew what Linux was when he recognised it, but told her that to make her PC secure she'd have to install Windows and THEN put NAV on.

Provide anti-virus software (1)

catherder_finleyd (322974) | more than 10 years ago | (#8520112)

I would hope that Comcast would start providing anti-virus software. If for no other reason than that its DSL competitors are doing so, and advertising that fact!

Nice but... (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8520045)

...I'd like to know that the customers are all made aware of exactly what circumstances will cause their connection to be pulled.

For example, I administer a mail server, and occasionally have to mail a virus or spam to myself to check that the filters are operating correctly. It would be very inconvenient if I got my connection pulled each time that happened.

Re:Nice but... (1)

sk8king (573108) | more than 10 years ago | (#8520199)

That's crazy. They probably only disconnect AFTER receiving complaints about an IP address at a certain time. I've seen people on dialup that are infected and have generated 3000+ complaints from AOL customers after only being online for a few hours. What is the ISP supposed to do? Let them continue getting IP addresses blacklisted and sending out thousands more emails!!

Re:Nice but... (0)

cryan7755 (564641) | more than 10 years ago | (#8520212)

I can say with certainty that they would not block your account for mailing yourself a virus file, simply because you are not infecting your system. The systems being blocked are seriously infected and trying to infect others. Signed, a Comcast engineer.

Re:Nice but... (3, Informative)

Flashbak (684750) | more than 10 years ago | (#8520239)

Why would you need to send test email, be it viruses or spam, via your ISP's network? If you need to test filters or anti-virus configuration on your mail server, do it locally; surely that's the responsible thing to do. I wouldn't want to propagate a virus, even the EICAR test virus, outside of the networks I directly control. (Yes, I'm well aware the EICAR test is benign, but that's not the point.)

Re:Nice but... (4, Informative)

caino59 (313096) | more than 10 years ago | (#8520251)

this is for the people's machines that are constantly trying to hit other machines and infect them....

you know, where you see stuff like this recurring in your web server's logs...offending ip removed...

.client.comcast.net - - [09/Mar/2004:14:43:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 332
.client.comcast.net - - [09/Mar/2004:14:43:56 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 332
.client.comcast.net - - [09/Mar/2004:14:43:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346
.client.comcast.net - - [09/Mar/2004:14:43:57 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346
.client.comcast.net - - [09/Mar/2004:14:43:57 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356
.client.comcast.net - - [09/Mar/2004:14:43:58 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 376
.client.comcast.net - - [09/Mar/2004:14:43:58 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 376
.client.comcast.net - - [09/Mar/2004:14:43:58 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1941
.client.comcast.net - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357
.client.comcast.net - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1941
.client.comcast.net - - [09/Mar/2004:14:44:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357
.client.comcast.net - - [09/Mar/2004:14:44:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357
.client.comcast.net - - [09/Mar/2004:14:44:01 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 337
.client.comcast.net - - [09/Mar/2004:14:44:01 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 337
.client.comcast.net - - [09/Mar/2004:14:44:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356
.client.comcast.net - - [09/Mar/2004:14:44:02 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356

the people they are cutting off are sending out daily attacks to multiple machines, not just once or twice sending out crap here and there. i think you'll be ok.
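The request pattern in the log above is the Code Red II / Nimda IIS scan: Code Red II left a copy of cmd.exe named root.exe under /scripts and /msadc, and Nimda probes for that backdoor and for cmd.exe itself through the double-encoded (%255c) and overlong-UTF-8 (%c0%af, %c1%1c) traversal bugs, always asking the shell to run "dir". As an added example (written for this page, not by the poster and not Comcast's detection), here is a small Python detector that runs over constructed log lines modelled on the ones above. It only flags a source that sends several probes inside a short window, which is the "daily attacks to multiple machines, not just once or twice" threshold the post describes, and is what keeps one stray request from becoming the kind of false positive other posters worry about. The hostnames, window length and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log prefix: host, ident, user, [timestamp], "request", status, size.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
# Code Red II dropped cmd.exe as root.exe in /scripts and /msadc; Nimda probes for
# it, and for cmd.exe directly, by asking the shell to run "dir".
SHELL_PROBE = re.compile(r'/(?:root|cmd)\.exe\?/c\+dir$', re.I)
# Traversal encodings Nimda cycles through: plain, double-encoded (%255c, %252f)
# and the IIS overlong-UTF-8 forms (%c0%af, %c0%2f, %c1%1c, %c1%9c).
TRAVERSAL = re.compile(r'\.\.(?:/|\\|%2f|%5c|%25|%c0|%c1|%%35)', re.I)

# Constructed sample modelled on the post's log; hostnames are made up.
SAMPLE_LOG = """\
c-1.client.example.net - - [09/Mar/2004:14:43:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 332
c-1.client.example.net - - [09/Mar/2004:14:43:56 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 332
c-1.client.example.net - - [09/Mar/2004:14:43:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346
c-1.client.example.net - - [09/Mar/2004:14:43:57 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356
c-1.client.example.net - - [09/Mar/2004:14:43:58 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 376
c-1.client.example.net - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357
c-2.client.example.net - - [09/Mar/2004:14:50:01 -0500] "GET /index.html HTTP/1.1" 200 5120
c-2.client.example.net - - [09/Mar/2004:14:50:02 -0500] "GET /images/logo.png HTTP/1.1" 200 812
c-3.client.example.net - - [09/Mar/2004:15:10:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1941
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def probe_tags(path):
    """Signature tags for a request path; empty set means it looks legitimate."""
    tags = set()
    if SHELL_PROBE.search(path):
        tags.add("iis-shell-probe")
    if TRAVERSAL.search(path):
        tags.add("iis-traversal")
    return tags


def find_scanners(lines, window=timedelta(minutes=5), min_probes=3):
    """Return {host: summary} for hosts that sent >= min_probes probes inside one window.

    The response status is ignored on purpose: a 404 from our side says nothing
    about whether the *source* is infected, only that we were not vulnerable.
    """
    per_host = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = probe_tags(entry["path"])
        if tags:
            per_host[entry["host"]].append((entry["ts"], entry["path"], tags))

    flagged = {}
    for host, probes in per_host.items():
        probes.sort(key=lambda p: p[0])
        start = 0
        for end in range(len(probes)):           # sliding window over probe times
            while probes[end][0] - probes[start][0] > window:
                start += 1
            if end - start + 1 >= min_probes:
                flagged[host] = {
                    "probes": len(probes),
                    "first_seen": probes[0][0],
                    "last_seen": probes[-1][0],
                    "tags": set().union(*(p[2] for p in probes)),
                }
                break
    return flagged


if __name__ == "__main__":
    for host, info in find_scanners(SAMPLE_LINES).items():
        print(f"{host}: {info['probes']} probes, {sorted(info['tags'])}, "
              f"{info['first_seen']:%H:%M:%S} - {info['last_seen']:%H:%M:%S}")
```

With the defaults, the first host (six probes in three seconds) is reported, the host fetching index.html is not, and the third host's single probe is not, because one request is not evidence of anything; lower `min_probes` to 1 to see it appear. The two regexes are independent so that a probe for a shell with no traversal (the /c/winnt/... form) and a traversal to some other target are both caught.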

HA! Qwest disables accounts... (2, Funny)

daft_one (532587) | more than 10 years ago | (#8520046)

completely at random, just in case they might be infected!
They do the same with phone lines, in case you might be using that line to dial an infected machine up!

Ahh, Qwest... thine spirit of service doth truly amaze.

Cox does this... (5, Informative)

h0mer (181006) | more than 10 years ago | (#8520048)

I know anecdotal evidence is pretty much worthless, but my friend got infected with all sorts of nasty ad/malwares, along with Blaster and a couple other worms. Cox deactivated his cable modem, he had to call them and go through phone hell to get his service back. So I'm not really sure it's only Comcast doing this.

Re:Cox does this... (0)

Anonymous Coward | more than 10 years ago | (#8520161)

I'd rather they warn. My ISP (A local one in regional australia) has now sent me three stern warnings about how they've detected I'm infected with the virus/worm du jour, and information about what I should and should not be doing to prevent infection.

I only have an iMac and a Macintosh IIfx on my connection. I wonder which one it was with SoBig :P. If they had disconnected me three times I wouldn't be with them any more.

Re:Cox does this... (2, Interesting)

AbbyNormal (216235) | more than 10 years ago | (#8520254)

go through phone hell

I am also a Cox subscriber and I believe that their phone "service" should be labeled cruel and unusual punishment.

Also, have any other Cox users noticed a decent amount of port scanning from Cox? Is this part of their scanning for viruses/worms? After one weekend where I was scanned twice in a matter of hours, I sent my logs to their "abuse" address. I have yet to hear back from them. Coincidentally, I have yet to be scanned since then.

Is this right? (3, Interesting)

Millbuddah (677912) | more than 10 years ago | (#8520051)

Are these guys even allowed to do this based on the user agreement they get their subscribers to sign? I'm sure most of these computers that get hijacked are used by Joe Somebody who probably has no idea that his computer has been hijacked. If Comcast and other ISPs are so keen on cutting off access to spammers, why not provide a firewall and antivirus programs along with their subscriptions? I'm sure it'd cost them a piddly amount and wouldn't really be all that hard to work out a deal with these software vendors to bundle them into the deal. Maybe I'm way off base here but it just doesn't sound right to just cut off access.

Re:Is this right? (1)

sleazyrider (743665) | more than 10 years ago | (#8520125)

They do provide access to the McAfee firewall for free. Also, they point out where free AV programs can be downloaded. So, it's fair for the Comcast folks who just ignore all this to have their syphilitic infected systems cut from public access. Think of it as a public service from Comcast.

Re:Is this right? (2, Informative)

Depili (749436) | more than 10 years ago | (#8520179)

Well, many Finnish ISPs offer bundle deals on AV and firewall software with their connections, and at least the campus network of Helsinki University of Technics cuts infected machines. [www.hut.fi] And IMO cutting spam drones is the right thing to do, but determining what is infected and what isn't can be a little tricky at times.

I'm glad. (4, Insightful)

jellomizer (103300) | more than 10 years ago | (#8520054)

Although a lot of the spammers are not spammers but people with infected computers, they won't do anything unless they have to. Cutting net access to them will force them to fix the problem one way or another. Most people who are hacked will go "well, it is not affecting me, so I won't fix it." But with their connection gone, then it is affecting them. Now they can fix it themselves or hire someone to do it. But this is a good first step.

A good decision here (4, Insightful)

DarkFencer (260473) | more than 10 years ago | (#8520059)

I applaud this decision. Even though it will possibly cost them customers or cost them additional tech support time, they will be cutting off people's owned Windows boxes.

Let's hope they hold to this once the calls start coming in from people who have everything from Bagle to Netsky (along with probably a heavy dose of spyware too).

Whose fault is this really? (3, Insightful)

Amiga Lover (708890) | more than 10 years ago | (#8520062)

wtf? How is this going to benefit the people who're running the machines?

Try sending out an ISP bulletin with the simple tips on how to avoid getting exploited in the first place. It's dead simple.

1. install patches regularly
2. virus scan
3. don't open attachments
4. don't install spyware.

If people used these 4 simple techniques, while it wouldn't be perfect, it would by my thoughts drop the number of infected machines down by three quarters, which will DRAMATICALLY reduce the efficiency and productivity of running a spamming business, and spammers won't have any choice but to leave you alone.

Cutting people off is just going to get them to take infected machines somewhere else.

Re:Whose fault is this really? (0)

phats garage (760661) | more than 10 years ago | (#8520135)

You could send some people an email with a button embossed with the most deadly looking skull and crossbone icon that flashes the words DON'T CLICK OR I WILL EAT YOUR COMPUTER and its been my experience that button is going to get clicked anyways.

However, I like your optimistic tone.

Re:Whose fault is this really? (4, Insightful)

realmolo (574068) | more than 10 years ago | (#8520215)

You obviously have never worked as tech support.

You could send out that email every day, with detailed instructions, and it would have very, VERY little effect on the number of infected/hijacked machines.

Most users just won't do that stuff. Especially if it involves anything more complicated than "Click here". Multi-step instructions are not going to be followed. Unless, of course, it's going to win them a free trip to Disneyland.

As far as "don't install spyware"...well, spyware is hard to classify, and a lot of it installs pretty silently. Expecting users to be able to distinguish between "bad" pop-up dialogs asking to install Gator and "good" pop-up windows asking to install Flash (or whatever) is asking too much.

Attachments in emails are just going to be opened, period. No one ever learns their lesson in that regard.

Re:Whose fault is this really? (0)

Anonymous Coward | more than 10 years ago | (#8520260)

As an Amiga user you might be interested in some of my auctions for Amiga parts.

see here [ebay.com]

Re:Whose fault is this really? (2, Insightful)

ThePretender (180143) | more than 10 years ago | (#8520267)

If they don't just delete the bulletin right off, they probably won't follow it 100% anyway. If they do:

1. install patches regularly
...or set it up to happen automagically. However, most n00bs are still going to get tripped up by this no matter how easy you *think* it is for them.

2. virus scan
Again, automagic updates would be nice too. This one would probably work out most of the time.

3. don't open attachments
'But it was from my mother/sister/brother/son and they said they loved me!'... This won't work.

4. don't install spyware.
'Gator is spyware? Wait. What is spyware again? It just prefills forms and makes life easier. What? No, it didn't install anything else...' Continue this thought process yourself.

Hate to be cynical, but giving them a warning then shutting them off is probably the best solution. I would also recommend the ISP send out a CD with some cleanup tools since they've effectively cut off these people's access to some of the tools to help themselves.

A better solution... (5, Interesting)

SmackCrackandPot (641205) | more than 10 years ago | (#8520073)

... would be to put the network connection onto a quarantined sub-net where all the necessary virus removal tools were available. Once the machine was cleaned up, it would be allowed general network access again.

Re:A better solution... (4, Interesting)

daveewart (66895) | more than 10 years ago | (#8520187)

quarantined sub-net

My ISP, NTL [ntlhome.com] , did this during the Blaster epidemic. They used some kind of portscan to determine which machines were infected and then put their connections in a 'walled garden'. All web traffic that went through this 'walled garden' resulted in a page describing what the problem was and included lots of pretty pictures explaining how to fix the problem.

The portscanning caused some alarm to those of us with firewalls, until it became clear what they were doing.

I believe their patching instructions were:

  • Download debian-3.0r2-woody.iso
  • Burn to CD
  • Reboot ...
:-)

Happened to me. (3, Informative)

Anonymous Coward | more than 10 years ago | (#8520077)

I had a machine on AT&T (now Comcast) that was infected by a worm. Bummer. I'll tell you, you have to keep up with those service packs even if you're going to directly connect to the network for "just a few hours".

Anyhow, my friends at AT&T Broadband (the ones that never answered their phone) sent me a nastygram telling me that I was doing a bit too much port scanning for their liking (duh...)

So I ripped the machine off the network and poked around. Yep, it turned out that my machine was infected a few hours after I installed the OS, and it was doing its bad thing for WEEKS.

At the time, AT&T just "informed me" that I should stop doing bad things. I think it would have been prudent for them to kill my service until I took corrective action.

Of course, this was 3 years ago or so... a more innocent time...

That explains it (4, Funny)

gowen (141411) | more than 10 years ago | (#8520082)

That explains why I haven't been spammed by a Comcast box for ... 36 minutes :(

Policing their users? (1)

damitbill (66375) | more than 10 years ago | (#8520084)

Now, if only other broadband ISPs would start policing their user base ..."

I'm not sure ISPs should be 'policing' their users. This could lead to them 'policing' for many things, i.e. P2P, content, blogs....

It sounds like a slippery slope.

I for one... (4, Interesting)

Sentosus (751729) | more than 10 years ago | (#8520089)

I for one welcome our new connection blocking ISP overlords?

First time for me...

I agree that this should be done in extreme cases where the customer is CONTACTED before so that information and education can be PROVIDED. Simply clipping the wire does not fix the issue for anyone but the ISP.

Second, Backroads.net [backroads.net] implemented the policy above with much success. I was happy as a customer of theirs.

It is unfortunate that this has to be done, but wouldn't a more effective solution be to block all ports but 80 or maybe even force all their traffic to a URL with an explanation of the virus and let them know that they cannot do anything on the web until it is fixed?

SP

Re:I for one... (4, Insightful)

mccalli (323026) | more than 10 years ago | (#8520265)

Simply clipping the wire does not fix the issue for anyone but the ISP.

It fixes the issue for me as well. And you. And, in fact, anyone at all who isn't the person infected.

Having said that, I agree with your point about prior contact. I'm fully in favour of cutting off virused connections however, and in a reasonably swift time limit too.

Cheers,
Ian

Overkill (2, Insightful)

Anonymous Coward | more than 10 years ago | (#8520105)

Why disable the account when they could just block certain ports?

Re:Overkill (2, Insightful)

PepsiProgrammer (545828) | more than 10 years ago | (#8520205)

I admin a small non-profit wireless ISP, and this is what I generally try to do, although our user base is small enough (~110 right now) that I can do this and call them up to tell them they have a virus. But this won't work for all types of viruses; if you block someone's SMTP access you might cause more trouble than just shutting them down outright.

Code Red Lives! (3, Interesting)

ChrisKnight (16039) | more than 10 years ago | (#8520107)

Code Red showed up in August of 2001. Anti-virus vendors, and even Microsoft, released detection and cleaning tools. To this day, two and a half years later, I am still getting Code Red hits from infected machines.

It is about bloody time that a large provider has become willing to proactively cut off infected machines. Now if only UUNet would do the same, as most of the Code Red hits I receive come from within my own NSP's network.

-Chris

So if we take a "blaster" scenario... (3, Insightful)

Osrin (599427) | more than 10 years ago | (#8520108)

How is an infected user supposed to resolve the issues that they have if they can't get to an update or patch?

Re:So if we take a "blaster" scenario... (1)

evilviper (135110) | more than 10 years ago | (#8520266)

How is an infected user supposed to resolve the issues that they have if they can't get to an update or patch?

The same way you get home after taking your car in to a shop for repairs...

Would you prefer the alternative? (Hint: there is no alternative)

Debtor's Prison (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8520111)

This reminds me of the idea of putting people in jail for debt. Bankruptcy amounts to a life sentence, since there was no possible way a person could make up the sum of money while in jail, away from the work force.

How can these people fix the problem without access to up-to-date patches and virus scans?

How To Take Care of Comcast (2, Interesting)

jchawk (127686) | more than 10 years ago | (#8520115)

Mail Admins do yourself a favor.

Just nuke the following -

client.comcast.net

and

client2.comcast.net

And for good measure - client.attbi.com

That should take care of most of the zombie / virus / idiot mail. None of their residential customers should be sending email directly from a dynamic IP address. This will seriously cut a good bite of the spam / viruses you are receiving, and you don't have to worry about missing email because they should be relaying through central mail servers.

any way out for those cut off ? (1)

selderrr (523988) | more than 10 years ago | (#8520122)

how are they supposed to update their virus definitions? I find this a very narrow-sighted policy.

possibly hard stuff to clean (1)

v1 (525388) | more than 10 years ago | (#8520130)

If they are mainly targeting "hijacked" computers that are spam engines, this sort of problem may be more difficult for the average user to fix than, say, a virus. If a spamhaus is remoting maybe 200 computers, is that enough to catch Symantec's attention and make a definition for? Possibly not. Removal of this sort of "low incidence" non-viral back door would then require the user to nuke and pave their system unless they were/knew someone familiar with registry editing etc.

well... (1, Insightful)

circletimessquare (444983) | more than 10 years ago | (#8520131)

don't cut them off

send them an email saying something like "type ftp://blah.blah.blah in your internet explorer (would they be using any other browser?) and run the virus remover exe you see there"

then dump them into a quarantine subnet with access to nothing else except that ftp address

that email would be the last email in their inbox

just cutting them off leaves them no recourse

Re:well... (1)

Joecuba (736359) | more than 10 years ago | (#8520184)

send them an email saying something like "type ftp://blah.blah.blah in your internet explorer (would they be using any other browser?) and run the virus remover exe you see there"

And how the hell is the user supposed to know that is a genuine email? We are trying to STOP people clicking and installing things; also we are trying to stop people believing everything they read in an email message.

Cut the idiots off and MAIL them a CD with all the patches / updates / anti-virus.

Good (1)

Joecuba (736359) | more than 10 years ago | (#8520133)

They should fine them as well. The great unwashed who think all there is to operating a computer is pressing the start button and firing up their email program should be scared into GETTING A CLUE. I have to say, the number of PCs I see full to the brim with viri, trojans, spyware, adware etc. is frightening. These machines are almost grinding to a halt because of all the malware on them. It's pathetic.

One Good Result (4, Insightful)

VernonNemitz (581327) | more than 10 years ago | (#8520138)

To me, this sounds like an OK idea, because I bet this will be the ONLY way that many users FIND OUT that their computers have become zombie spambots.

'Net Users Need a Certain Amount of Responsibility (5, Insightful)

ausoleil (322752) | more than 10 years ago | (#8520139)

There is a certain responsibility that comes with being a part of the internet, one that has become greatly understated since the commoditization and commercialization of the 'net as a whole: do not become a danger or a malfeasance to the rest of the machines that are also connected.

Unfortunately, this is something that seems to be lost on the clients of broadband always-on connections, especially those that are used by folks with little or no proficiency. While they have no intention of becoming spam-hosts, or DDOS platforms, by not keeping their machines protected against the various evils that lie in waiting out there, they unwittingly become part of the problem.

This does not reduce the hassles and costs to other sysadmins and users of the 'net as a whole. That said, it seems only fair for an ISP to mitigate the problem by pulling the connection of a user whose system(s) are spewing out malware.

There are reasonable precautions one should take, that is, having a good firewall, keeping the machine patched and having good virus protection. No, this does not come without some effort and not always without cost. But, to be connected to the internet full-time, it is a cost of doing business, not unlike having insurance for your car in case you cause an accident. Liability insurance is to protect the public, and you from losing everything should you do harm to others. Keeping worms, trojans and viruses off of your machine also protects not only you but others as well.

So, it is really a matter of responsibility.

Why not... (3, Insightful)

Shirov (137794) | more than 10 years ago | (#8520142)

Require the installation of a "personal firewall" when the users sign up for an account. Hell, everything else and the kitchen sink was on that CD when I signed up for Comcast... This would probably cut 99% of the problems out. If not a software based solution, how about a hardware based one? How hard would it be to put a firewall in the router they charge 4.95/m to use? Hell, tech support could configure it for grandma, grandpa, mom, dad, ...

But I guess it is easier to just shut them off, and then charge a reconnection fee... eh?

--ryan

This applies to the whole "freedom has its limits" (1)

Xystance (660413) | more than 10 years ago | (#8520146)

The fundamental conflict here is freedom.

Freedom of access no matter what the activity.

The problem with that, is some activities infringe on the freedoms of others. In my humble opinion (and I really mean that), once you start infringing on the freedoms of others on the Internet by your activity (or inactivity to solve your virus problem), you lose your access.

The biggest problem with all these worms is that they don't just infect a single computer, they spread, threatening thousands of people per computer infected (if not more). That's not fair to the others on the Internet.

Bottom Line: If you can't keep your computer from pounding mine, AND reducing the total amount of bandwidth available to me on the network and on our node, then you don't deserve access until you've rectified the situation.

If it's poor grandma who gets cut off... she wouldn't be able to solve the problem herself even if she did have Internet access. Do you really expect her to update her virus definitions, grab the necessary Windows Updates, boot into safe mode, disable System Restore, run the VirusScan, remove everything, then run the Windows Updates, THEN reboot into regular mode?

That's a lot to expect of -anyone- unfortunately. It's not a hard process to follow, but computers intimidate the most intelligent people out there... (sigh)

Don't cut, cripple (0)

Anonymous Coward | more than 10 years ago | (#8520150)

As some have pointed out, cutting off someone's connection can be too drastic (no more antivirus updates, for example). Instead, why not reduce it to "barely usable", maybe even gradually tightening? Here are some ideas:

1) Throttle traffic, especially outbound.
2) Increase latency.
3) Disable ports.
4) Restrict IP addresses.

Any suggestions? Problems?

Re:Don't cut, cripple (2, Insightful)

cbmeeks (708172) | more than 10 years ago | (#8520207)

Because the "Little Old Granny" wouldn't have a clue that she was being throttled. Blocking is a good idea. However, the blocked message should be something like "We have detected your machine has a virus. Please CALL Comcast at..." Then, the customer support person could help out. cb

SCO (1)

bjoeg (629707) | more than 10 years ago | (#8520164)

Now we only need SCO to start suing spammers, cause spam is their patented source code. But honestly, good job from ComCast, but yes there might be a problem fixing the whole damn thing when you need the tools from the net. But again "Format C:" usually takes care of that.

We only support Windows (0)

Anonymous Coward | more than 10 years ago | (#8520167)

So much for only supporting Windows. They just added some more non-depreciable costs to their bottom line.

Self Inflicted DDOS (1)

manganese4 (726568) | more than 10 years ago | (#8520171)

Until they fix their computer, just block their ability to send email except to their ISP and bounce all spam back to the email address registered with the ISP. Of course, this would simply end up being a DDOS against MSN and Yahoo.

bullshit in protection? (0, Offtopic)

Vo0k (760020) | more than 10 years ago | (#8520178)

Do your ISPs use bogus antivirus counter-measures?

Mine:
-disallows attachments with .js extension
-disallows connections not-through-proxy and does some filtering there
-disallows mail with From: other than their own mailserver
-requires written permission for starting your own mailserver
-allows connections matching your IP against your MAC address (despite lack of DHCP) - you need to "register" your new network card
-limits ICMP to 2/s so if 3 people (out of hundreds) launch ping at the same time, packets start vanishing.

Comcast Terms Of Service / Acceptable Use Policy (3, Informative)

SignalFreq (580297) | more than 10 years ago | (#8520180)

Here [comcast.net] is Comcast's Terms Of Service.

From the AUP:
Note: Comcast reserves the right to immediately terminate the Service and the Subscriber Agreement if you engage in any of the prohibited activities listed in this AUP or if you use the Comcast Equipment or Service in a way which is contrary to any Comcast policies or any of Comcast's suppliers' policies. You must strictly adhere to any policy set forth by another service provider accessed through the Service.

So they can terminate service, based on violation of the subarticles:

(vii) restrict, inhibit, or otherwise interfere with the ability of any other person, regardless of intent, purpose or knowledge, to use or enjoy the Service, including, without limitation, posting or transmitting any information or software which contains a worm, virus, or other harmful feature, or generating levels of traffic sufficient to impede others' ability to send or retrieve information;

And transmitting a virus is definitely a violation. Still, it would be nice if there was more information on what will cause them to pull the plug.

Overkill (5, Insightful)

Albanach (527650) | more than 10 years ago | (#8520190)

I know of at least one ISP in the UK who respond promptly to complaints about spamming and worm infections. Their response is that the user gets informed of the situation and port 25 gets blocked. No outgoing mail.

It's about the easiest thing in the world for the ISP to do and it's _very_ effective. Another option would be for ISPs to force all SMTP traffic through their own mailserver and virus scan it. They could easily spot a home user sending a couple of thousand messages in an hour or one spreading infected email everywhere.

If you want unfettered access you can pay for a co-lo box and take the responsibility too. People can't keep hiding behind their ISP and dynamic IPs. I'm all for personal freedoms on the net, but with freedom comes responsibility. Deal with it.

ISPs blocking infected users (1)

DFJA (680282) | more than 10 years ago | (#8520193)

Some ISPs periodically scan their users' computers to see if they are exhibiting open relay behaviour, then inform the user that they will be disconnected unless they fix the problem. Now I'm sure it can't be difficult for them to test for a whole load of possible infections/configuration problems on their networks and take an appropriate action. If they all did this, then the spam problem would be dramatically reduced.

No warning? (1)

breakinbearx (672220) | more than 10 years ago | (#8520201)

As a whole, this is a very good move by Comcast, and, should other ISPs pick up the slack, could make the internet a much more civil place for me and my inbox. However, I certainly hope that they are giving forewarning to the people who are having their accounts disabled. There are many tech inepts out there that have no idea that their computer is laden with viruses and such. So when Comcast disables their account, you get the "Oh no! The Internet is broke!" Hopefully, Comcast gives these people warning and has a good help service for those who don't know how to purge their computers of the viruses.

A suggestion: (1)

scorp1us (235526) | more than 10 years ago | (#8520213)

Put these users on their own vlan. Give them access to their web email servers and send them a message with a download link to fprot or whatever virusscan package is out there. Let them download it. Once the spamming stops, put them back on the regular internet.
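The "walled garden" NTL ran during Blaster, the "cripple, don't cut" suggestions and the quarantine-VLAN idea above all describe the same architecture: move the flagged subscriber to a restricted subnet that still reaches DNS, a remediation page and a handful of update mirrors, and drop everything else (outbound SMTP included). The following is an added example, not code from any ISP in the thread; every address in it is a constructed placeholder, and the iptables rendering assumes a stateful firewall that already accepts return traffic.

```python
"""Walled-garden policy for quarantined subscribers.

Added example, not from the thread. A quarantined host keeps just enough
connectivity to clean itself up: DNS to the ISP resolver, web traffic redirected
to a remediation page, and direct access to an allowlist of update mirrors.
Everything else, outbound SMTP included, is dropped, so the box cannot keep
spamming while its owner fixes it. All addresses are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class QuarantinePolicy:
    quarantine_net: str = "10.200.0.0/16"         # VLAN/subnet flagged subscribers are moved to
    resolver: str = "10.0.0.53"                   # ISP recursive resolver (constructed)
    remediation_host: str = "10.0.0.80"           # serves the "your machine is infected" page
    update_hosts: tuple = ("192.0.2.10", "192.0.2.20")  # patch/AV mirrors (RFC 5737 test addresses)


def quarantine_verdict(policy, src, proto, dst, dport):
    """Decide the fate of one flow: 'allow', 'redirect', 'drop', or 'pass'.

    'pass' means the source is not quarantined and this policy does not apply.
    Rule order matters: the update-mirror allow must be checked before the
    catch-all HTTP redirect, or the mirrors become unreachable too.
    """
    if ip_address(src) not in ip_network(policy.quarantine_net):
        return "pass"
    if proto == "udp" and dport == 53 and dst == policy.resolver:
        return "allow"
    if proto == "tcp" and dport in (80, 443) and dst in policy.update_hosts:
        return "allow"
    if proto == "tcp" and dport == 80:
        return "redirect"          # DNAT to the remediation page
    return "drop"                  # includes tcp/25, so the spam stops immediately


def render_iptables(policy):
    """Emit the equivalent netfilter rules, in insertion order.

    Assumes a stateful firewall that already accepts ESTABLISHED,RELATED
    return traffic and a default-ACCEPT FORWARD chain for non-quarantined users.
    """
    q = policy.quarantine_net
    rules = []
    # Exempt the update mirrors from the redirect before the catch-all DNAT.
    for host in policy.update_hosts:
        rules.append(f"iptables -t nat -A PREROUTING -s {q} -d {host} -p tcp --dport 80 -j RETURN")
    rules.append(f"iptables -t nat -A PREROUTING -s {q} -p tcp --dport 80 "
                 f"-j DNAT --to-destination {policy.remediation_host}:80")
    # Forwarding: resolver, mirrors and the (post-DNAT) remediation host only.
    rules.append(f"iptables -A FORWARD -s {q} -d {policy.resolver} -p udp --dport 53 -j ACCEPT")
    for host in policy.update_hosts:
        rules.append(f"iptables -A FORWARD -s {q} -d {host} -p tcp -m multiport --dports 80,443 -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {q} -d {policy.remediation_host} -p tcp --dport 80 -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {q} -j DROP")
    return rules


if __name__ == "__main__":
    p = QuarantinePolicy()
    for flow in (("10.200.5.9", "tcp", "198.51.100.7", 25),
                 ("10.200.5.9", "tcp", "198.51.100.7", 80),
                 ("10.200.5.9", "tcp", "192.0.2.10", 443)):
        print(flow, "->", quarantine_verdict(p, *flow))
    print("\n".join(render_iptables(p)))
```

The point the thread circles around is captured in the last rule: the customer loses general connectivity, but the remediation page and the update mirrors stay reachable, so the disconnection does not also remove the tools needed to fix the machine.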

We all love the ISP network police - NOT (0)

Anonymous Coward | more than 10 years ago | (#8520219)

I remember, I was too poor to pay $300 for business cable, and when Code Red rolled around they blocked my webserver and mailserver. I tried explaining to the technical support that I was running GNU/Linux, which is not vulnerable to Code Red, but to no avail. This made my customers (our family business) really happy.

The worst part is they had said I was allowed to run a server.

block egress 25, enable smtp auth (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8520225)

Wouldn't this be better served by simply blocking egress port 25 (eg, users can't send email out on port 25 to anything other than the ISP's own email server) and also enable SMTP auth on the ISP's server?

That way, any SMTP engine isn't going to be able to connect at random to various mail servers, and if they try to connect to the user's ISP mail server, it will have to know the username/password. And if it happens to get that info (or uses the user's own mail client) the ISP should be able to log large scale email traffic based on username.
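Once egress port 25 is blocked and every customer has to relay through an authenticated ISP mail server, the "couple of thousand messages in an hour" pattern mentioned earlier becomes visible in one place: the relay's own log, keyed by SASL username rather than by a dynamic IP. The script below is an added example, not something from the thread or from any ISP; the log format is constructed to resemble a Postfix-style submission log, the field names are assumptions, and the thresholds are parameters for the operator to tune.

```python
"""Flag relay accounts sending at spam-like volume (added example).

Works on the authenticated relay's log, so a hijacked box that uses the
customer's saved credentials still shows up under the customer's username.
The sample log below is constructed; field names (client=, sasl_username=,
nrcpt=) are assumptions modelled on a Postfix-style smtpd log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"client=(?P<client>\S+), sasl_username=(?P<user>\S+), nrcpt=(?P<nrcpt>\d+)$"
)
LOG_YEAR = 2004  # syslog timestamps carry no year; the thread is from 2004


def peak_recipients(events, window):
    """Largest recipient total inside any sliding window over sorted (time, nrcpt) events."""
    peak = total = left = 0
    for right, (t, n) in enumerate(events):
        total += n
        while t - events[left][0] >= window:      # evict events older than the window
            total -= events[left][1]
            left += 1
        peak = max(peak, total)
    return peak


def flag_bulk_senders(log_text, threshold=1000, window=timedelta(hours=1)):
    """Return {username: peak recipients per window} for accounts over the threshold.

    Counting recipients (nrcpt) rather than connections catches the common
    spam-engine trick of stuffing dozens of recipients into each message.
    """
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # connects, disconnects, unrelated lines
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        per_user[m["user"]].append((ts, int(m["nrcpt"])))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        peak = peak_recipients(events, window)
        if peak > threshold:
            flagged[user] = peak
    return flagged


def _make_sample_log():
    """Constructed log: 'alice' mails normally, 'bob' is a zombie blasting 50-recipient messages."""
    base = datetime(LOG_YEAR, 3, 8, 10, 0, 0)
    lines = []
    for minute, nrcpt in ((5, 1), (30, 2), (70, 1)):
        t = base + timedelta(minutes=minute)
        lines.append(f"{t:%b %d %H:%M:%S} relay postfix/smtpd[4242]: "
                     f"client=cpe-alice.example[10.1.2.3], sasl_username=alice, nrcpt={nrcpt}")
    for i in range(60):                           # 60 messages in 20 minutes, 50 recipients each
        t = base + timedelta(minutes=15, seconds=20 * i)
        lines.append(f"{t:%b %d %H:%M:%S} relay postfix/smtpd[4243]: "
                     f"client=cpe-bob.example[10.1.2.77], sasl_username=bob, nrcpt=50")
    lines.append("Mar 08 10:20:00 relay postfix/smtpd[4244]: connect from unknown[10.9.9.9]")
    return "\n".join(lines)


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    for user, peak in flag_bulk_senders(SAMPLE_LOG).items():
        print(f"{user}: {peak} recipients within one hour, exceeds threshold")
```

With the default threshold only `bob` is reported (3000 recipients inside an hour); `alice` never exceeds three. The output is what a relay operator would feed into the notify-then-block step the posters describe, and because the key is the authenticated username, the block lands on the right account even when the customer's address changes.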

TDC does that too... (1)

LowerThanZero (140558) | more than 10 years ago | (#8520232)

Now, if only other broadband ISPs would start policing their user base

TDC (Danish telco) started doing this and it really pisses me off! I mean my Linux machines will never get infected (I'm way too paranoid) yet they've blindly cut port 25 for all ADSLs [tdconline.dk]! I now have to use their stupid mail relay with 10MB limit, tinfoil hat required etc.

NTL did something similar to me... (1)

rob.sharp (215152) | more than 10 years ago | (#8520242)

I'm a little hazy on the details as it was a while ago, and I don't boot into windows that often these days, but they sent an email to my NTL email account asking me to install virus software, as they thought I may be infected. Which was nice of them!

Finally! (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8520253)

I used to kick users off of the dial-up ISP I managed when I'd catch them running the Back Orifice client. I made a few kids cry. One of them said his mom was going to beat the crap out of him when she found out why their Internet service didn't work anymore.

If you're running Windows without a firewall or antivirus software on Comcast's network, getting the plug pulled on your access should be the least of your concerns. What you really deserve is a serious flogging.

It's just like Orwell...agian (1)

till3y (760745) | more than 10 years ago | (#8520256)

So all of a sudden a music label can enter my home and search the place because I might have an illegal mp3 or I might have burned a CD for a friend. Wow! Is it me or does it seem like the government is a big fan of the book 1984? I don't understand why you have to use commandos armed to the teeth with army choppers to get a 12 year old to stop downloading Hillary Duff. I think that my rights on-line shouldn't be sold out for profit, and I shouldn't have to spend life in jail all because I sampled a CD.