Slashdot Log In
Broadband Crackdown
Posted by
michael
on Wed Aug 08, 2001 10:20 PM
from the brave-new-world-of-high-speed-internet-access dept.
from the brave-new-world-of-high-speed-internet-access dept.
MrPeach writes: "In a move unsurprising to those of us who have had interactions with their so-called customer support, AT&T Broadband and Excite@Home are indefinitely filtering all incoming traffic on http port 80 for residential customers. They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service. DSL anyone?" DSL won't save you. Verizon is apparently also blocking port 80 for their DSL customers, in addition to blocking outgoing port 25 and requiring use of Verizon's SMTP servers to send email. Verizon is also cheerfully paying fines for screwing over their competitors - the fines will be much less than the extra profit they can squeeze out once their competition is gone.
This discussion has been archived.
No new comments can be posted.
Broadband Crackdown
|
Log In/Create an Account
| Top
| 790 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
|
2
As a CLEC, this is how we have been coping. (Score:5, Interesting)
We have a large number of 10.x.x.x addresses for our broadband subscribers. (This saves us the trouble of assigning public IP's to every single customer, because most don't want nor need a public IP). Our NAT server was getting so clogged up with TCP/IP sessions because code red was serching for hosts. (and once it got into the 10.x.x.x network, it has lots of addresses to check.
We simply got a free scanning utility (sorry... I am at home, don't have it here, nor the time to find it. ) After scanning all of our customers, we located around 30 infected computers.) We left messages stating that they were infected, and we were shutting off there connection until they would remove the offending computer..(we could discern the IP itself, and our users are statically assigned, not DHCP thank god..)
Several users were irate as all hell, but the good of the many outwieigh the good of the few correct? Many times the customer simply unplugged the computer and we put them back on. They are then responsible for patching it.. We have been running scans everyday, and have now gotten fewer and fewer code red worms in our user's DSL systems.
I think that this was the ideal approach. Why use a damn sledgehammer when all of about 30 minutes of work allows you to use a use a fly swatter to remove the offending computers.
Time to change ports. (Score:3, Insightful)
Perfectly Reasonable Response (Score:5, Insightful)
I think that this is a perfectly reasonable response from @home. I work at a large ISP and I've seen how rapidly this code red garbage spreds. The little editorial comment that they can "simply block infected machines" is, quite frankly, garbage. Code Red 2 spreads faster than anyone could possibly keep up with blocking one machine at a time.
Code Red 2 is tearing up bandwidth at these cable companies. Its noticeably slowing down my speeds on my home internet connection. Something needs to be done in a hurry, and blocking port 80 is a fast solution that works.
Instead of blaming the broadband providers, why don't you blame the real culprit in this situation: Windows. Get angry at Microsoft; if it weren't for their lousy code and lousy security this problem would not have been possible in the first place.
I must be the only one... (Score:3, Insightful)
I don't see any reason why providers shouldn't block port 80 incoming. The only reason to have that open is to run a webserver -- something most broadband providers explicitely disallow for residential customers. That's one of the reasons why a "business" account usually costs a lot more, even for the same speeds.
Just because they let it ride up to now, doesn't mean they have any less a right to block it now. If they'd been doing this all along, I'm sure most people wouldn't be complaining now.
Sure, it's nice to run a webserver at home, but residential service doesn't usually come with any kind of real uptime guarantees, etc. It just makes more sense to either get a business account, or get a real webserver (lease one, or use a shared provider, whatever).
With the amount of port 80 requests in my firewall logs on my cable connection, I would welcome a block on port 80 personally. I've already bored of looking at 'dir' listings and deleting files on these idiot Windows/IIS machines... but seriously, it's time to put this thing to rest and move on. And get a webserver.
It's obligatory. (Score:5, Funny)
Customer1: What happen?
Customer2: Somebody set up us the port filter.
Computer: We get mail. Customer1: What?
Customer2: Email client turn on.
Customer1: It's you !!!
Cable Provider: How are you, gentlemen ???
Cable Provider: All your TOS are belong to us !!!
Customer1: What you say???
Cable Provider: You have no chance to host, make your time.
Cable Provider: Ha ha ha !!!
Customer1: Move boxen.
Customer2: You know what you are doing?
Customer1: For great serving,
Custoemr1: Move every boxen.
You can thank IIS.. (Score:5, Interesting)
[root@gamara log]# grep DPT=80 messages | wc -l
3722
code red hits, all from other @home users. All W2K/IIS 5.0 users. The ip's I've looked into all have the default pages up too. I've even tried running "dir" commands on a few through the "root.exe" backdoor code red installs, incredulous that it would work, and yes.. thousands of wide open NT boxen. This hasn't even seemed to slow down yet, despite the wide spread publicity which leads me to believe that a large percentage of those stricken are either totally clueless, don't realize they have IIS running (?), or flat out don't care which leaves the ISP little choice. And it may be my perception, or unrelated factors, but my net connection has certaintly seemed more sluggish over the last week, perhaps as a result of upstream saturation, something @home doesn't have much of.
So I would agree, blocking port 80 is the most practical way of defeating this and it should have happened earlier. It's that or ban all microsoft operating systems as a public hazard :)
Re:You can thank IIS.. (Score:4, Interesting)
I can think of a more effective solution: every time a Code Red probe goes out, deprovision the modem belonging to the customer with that IP address. They've got a proven AUP violation and a proven security problem that's disrupting their network. That's more than enough justification for jerking the account entirely. This has the dual benefits of shutting down Code Red and forcing people to actually learn how to secure their systems which makes future problems slightly less likely, and doesn't impact those of us who aren't susceptible to Code Red at all.
virus protection (Score:3, Insightful)
And for anyone complaining, read your TOS first. As several other people have pointed out, it specifically prohibits running servers, and allows this in other ways as well. You're not guaranteed an unbreakable or complete Internet connection for your $35 a month.
Re:Move to Canada (Score:5, Informative)
Actually, it is a feature of the DHCP protocol. By default, you attempt to renew your address lease after 50% of it is gone. If you do not have connectivity to the DHCP server, the client will keep trying to renew the lease until it is able to contact the server again. The client will attempt to renew a lease from the same server that gave it the initial lease. Even if the lease has been expired for some time, the server will still attempt to give the same address. This is default on most DHCP servers. Of course, you can change this and automatically assign a different address each time, but it gives better overall network stability to have clients keep their ip addresses.
Clause? (Score:5, Insightful)
Re:Clause? (Score:4, Funny)
- As an @Home user you are not supposed to do anything business related, including someting as simple as sending email to your office.
- If you want to do business, you can easily upgrade your cable @Home connection to an "Excite@Work" DSL connection. Except that @Work simply isn't available over most of the @Home coverage area.
So they tell you to upgrade to a product they can't sell you. Hilarious.
I would happily pay more for @Home CABLE service if they would give me a fixed IP and not block servers. Not that they are at the moment, but I smell trouble on the horizon. That Qwest DSL with the month-to-month pricing is looking better all the time.
Re:No blocking yet (Score:4, Insightful)
From their service agreement.
AT&T Broadband does not allow servers to be connected to the cable modem. This means that no computer in a personal network can be used as a server.
Hmmm, sounds like a pretty good clause to hide behind, eh?
Re:No blocking yet (Score:4, Insightful)
Could you provide a URL for what you are quoting?
The explanation given and the clause given as an excuse are (quoting from the above links) an extremely long stretch in IMO:
Why Can't AT&T@Home Residential Customers Run Web Servers?
The AT&T@Home residential service offering is a consumer product designed for your personal use of the Internet. Customers must ensure that their activity does not improperly restrict, inhibit, or degrade any other user's use of the Services, nor represent (in the sole judgment of AT&T Broadband) an unusually large burden on the network itself.
The benefits and privileges available from the AT&T@Home, and the Internet in general, must be balanced with duties and responsibilities so that other customers can also have a productive experience.
Under the terms of the AT&T Broadband Subscriber Agreement customers are not to restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service. See Prohibited Uses of Service (g) in the AT&T@Home Subscriber Agreement.
The clause referred to:
g) restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the AT&T Equipment or the Service, including, without limitation, posting or transmitting any information or software which contains a virus or other harmful feature; or generating levels of traffic sufficient to impede others' ability to send or retrieve information;
So, where do they get off filtering a small, low-bandwidth server that doesn't do what "clause g" prohibits?
We haven't done this yet.. (Score:3, Insightful)
Its great. So instead we just let the network FLOOD. But good thing we aren't blocking port 80, that would SCREW over like what, .1% of our cusomters?
Re:We haven't done this yet.. (Score:4, Insightful)
Sure it pisses them off. So they call you up and say "Why can't I access the web?". And you look up their ISP and say "Because your computer is infected with a worm that is taking up significant bandwidth and trying to infect other computers to do the same. If you fix that, we'll let you surf the web again."
At least if they're pissed off, they'll go and get the fix so they can surf to their pr0n again.
[TMB]
Re:We haven't done this yet.. (Score:4, Insightful)
Oh wait, there *was* no broadband access until all these losers showed up. Must just be a coincidence.
Quite common already (Score:5, Insightful)
Actually, cable and DSL providers are already blocking port 80 (and most lower ports) for months. I am a Charter cable customer. When I first signed up, all ports below ~1500 where blocked. (With the expection of 53, 113, and a few of others) Customers where forced to use there proxy server. Even outbound port 80 was blocked.
After complaining for 4 months about it. and many phone calls to there head techs and managers. I finally won. I proved to them why blocking all of those ports was insaine. I simply wanted to run NTP on my machine. (Well, my entire LAN, but they didn't know anything about that :) Which requires 123/UDP.
As the months went on, more and more ports started opening. One thing that they have relized is that people will run servers regardless. People who abuse it (setting up high traffic sites) will be shutoff. Personally, I think its insaine. I should have the right to run a personal site, as long as it doesn't get out of hand. If it did get to that point, I wouldn't be hosting on cable.
So, they blocked the ports. I wonder how long it will stay. I would be very carefull, they may use this as an excuse to keep the ports blocked.
Working with the large companys his difficault, tring to convince them that they should unblock them. I can kinda of understand there postion. But, then again, it kinda upsets me.
Re:Quite common already (Score:4, Insightful)
Not that I like XP. But I can see this causing lots of angery letters...
They should remain blocked (Score:5, Insightful)
Verizon DSL is NOT THAT EVIL (Score:4, Informative)
Verizon *DOES NOT BLOCK* outgoing port 25 *OR* port 80! I've been running my own mail server off the standard DSL offering, $40 a month, for almost a month now and never one hint of problems. I can send mail anywhere. I can telnet to port 25 on any Internet-accessible mail server.
And correct me if I'm wrong, but if Verizon blocks outgoing port 80, wouldn't that put a bit of a dent in most popular web browsers?
For the love of God, try to be a little accurate! There are plenty of real problems to bitch about!
Re:Verizon DSL is NOT THAT EVIL (Score:5, Informative)
I noticed this happened around 5 am yesterday morning (Tuesday, August 7th). Well I didn't notice it, I just tailed my apache logs and web requests seemed to stop coming in around that time. None the less, I got into work that day and noticed I couldn't access my personal web page... NOTE: Personal, not commercial. I put pretty pictures, that I've taken with my digital camera, on it. I was however able to ssh into it and ftp into it.
What was going on? I got scared for a second cause I thought perhaps they started enforcing some term of their service, but it wasn't until I got home and (not so thoroughly) skimmed through their TOS that I realized running a server was not against their TOS, as a matter of fact they worded it so JUST dialup users cannot run a "server of any kind", and it seemed to be fine for DSL users.
So I call up Verizon, talk to a couple different people, none of which knew a single thing about anything. One tried to accuse me of violating the TOS, and I told them it said I'm allowed to run a server in it. She shut up immediately.
Another told me that since I wasn't patched against code red, my internet service was being blocked. I told her I wasn't using a Microsoft operating system therefore I'm not affected by it, and even if I wanted to I wouldn't be able to apply the patch. She told me that because I didn't apply the patch, port 80 was being blocked. Again, I explained to her I wasn't running a Microsoft OS. In the end I think I explained it to her around 5 times... hopefully she knows a little more about computers now.
Finally I got to some guy who was somewhat intelligent, although he did call Linux, L-EYE-NUCKS, he seemed to have some understanding of how to press buttons. I asked him why port 80 was being filtered, and he told me because Microsoft had recommended they block the port. (BTW, I totally agree with someone else that commented on this, who said that because of Microsoft building insecure web servers, we are paying. That is fuct) I asked him if there was anything they could do to unblock the port for me, like put me on another subnet and give me a static IP (I'm a sneaky bastard), or put some kind of flag on my account. He told me that for the time being there was no work around, however he would post a memo and suggest to their tech team they find a way around the port blocking for users who are patched, or not running a Microsoft OS. I asked how long the filtering would stay in place ... he told me it would only last for another couple hours. Right there I told him I didn't think that was true, but he insisted it would only last another hour or two, MAX... port 80 is still blocked.
I just thought I'd contribute this tid bit. I have Verizon DSL in Northern New Jersey, in Essex County. Again, their TOS did not prohibit running a server, unless you are on a dial up. I would post it here, but there is also some clause in their TOS that prohibits reproducing it, so if some brave soul wants to post it below this, go right ahead =]
I need to get a higher paying job so I can get a T1 and then just have to deal with UUnet fiber-optic cuts because of train wrecks [yahoo.com].
Re:Verizon DSL is NOT THAT EVIL (Score:4, Funny)
Speakeasy! (Score:4, Informative)
Not a huge surprise.. (Score:3, Insightful)
Now they're doing the sensible thing to contain potentially hundreds of thousands of machines running IIS (Mostly run by people who probably have no idea about worms and the like anyway - even if they knew they were running a web server in the first place).
Seems pretty sensible to me, although my DSL ISP has no problems with me running servers, so I'm happy either way..
It would mean them having to do real work (Score:3, Insightful)