The Internet

Broadband Crackdown 790

MrPeach writes: "In a move unsurprising to those of us who have had interactions with their so-called customer support, AT&T Broadband and Excite@Home are indefinitely filtering all incoming traffic on http port 80 for residential customers. They could have cut access to those running compromised servers, but instead chose to deny the ability to run a web server to all subscribers to their service. DSL anyone?" DSL won't save you. Verizon is apparently also blocking port 80 for their DSL customers, in addition to blocking outgoing port 25 and requiring use of Verizon's SMTP servers to send email. Verizon is also cheerfully paying fines for screwing over their competitors - the fines will be much less than the extra profit they can squeeze out once their competition is gone.

  • by phoenix_orb ( 469019 ) on Thursday August 09, 2001 @01:11AM (#2117921)
    I work for a regional CLEC out of Chicago. We have several thousand installed DSL lines. This is how we have been coping with the Code Red worm... (*as a business class of service, we can't be simply turning off all port 80.. many people do host off of our SDSL lines*)

    We have a large number of 10.x.x.x addresses for our broadband subscribers. (This saves us the trouble of assigning public IP's to every single customer, because most don't want nor need a public IP). Our NAT server was getting so clogged up with TCP/IP sessions because Code Red was searching for hosts (and once it got into the 10.x.x.x network, it has lots of addresses to check).

    We simply got a free scanning utility (sorry... I am at home, don't have it here, nor the time to find it). After scanning all of our customers, we located around 30 infected computers. We left messages stating that they were infected, and we were shutting off their connection until they would remove the offending computer.. (we could discern the IP itself, and our users are statically assigned, not DHCP thank god..)

    Several users were irate as all hell, but the good of the many outweighs the good of the few, correct? Many times the customer simply unplugged the computer and we put them back on. They are then responsible for patching it.. We have been running scans every day, and have now gotten fewer and fewer Code Red worms in our users' DSL systems.

    I think that this was the ideal approach. Why use a damn sledgehammer when all of about 30 minutes of work allows you to use a fly swatter to remove the offending computers?
  • by spectral ( 158121 ) on Thursday August 09, 2001 @01:04AM (#2123156)
    It's funny, it wouldn't be too hard to identify Code Red infectable machines. Anyone infectable is infected already I'm sure, and with Code Red 2, which acts in a very specific manner. Monitor and figure out which computers are generating local ARP requests in the order of a couple every minute.. boom, suspected Code Red. Narrows down the list a bit, then a quick scan for /scripts/root.exe on the list, confirms it, and either an email, a phone call, or cut off their service COMPLETELY. Fuck the certain ports shit, cut it off completely. When they call up, talk them through removing it. If they can't (why the fuck are they running IIS then? oh well), then have them pay to have someone remove it FOR THEM, then activate the service again. In fact, charge them double labor fees for being retarded in the first place. Simple solution. Especially if it's in the TOS that they can't run servers anyway. Don't screw the people who knew what they were doing, set it up right, didn't get infected, and aren't transferring a ton (the real reason servers are banned. that and to push them to business accounts..)
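
Added example, not part of the comment above or of any ISP's tooling: the first stage spectral describes (spotting hosts that ARP for many local addresses in a short time) written as a sliding-window check on the defender's side. The event tuples, the 60-second window and the threshold of 5 distinct targets are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # assumed observation window
DISTINCT_TARGET_THRESHOLD = 5  # assumed cut-off; tune against your own baseline


def flag_scanners(events, window=WINDOW_SECONDS,
                  threshold=DISTINCT_TARGET_THRESHOLD):
    """Return {sender: peak distinct ARP targets seen inside one window}.

    events: iterable of (timestamp_seconds, sender_ip, target_ip), one per
    ARP who-has request already parsed from a capture. Counting distinct
    targets, not raw requests, keeps a host that re-ARPs its gateway all
    day from being flagged.
    """
    recent = defaultdict(deque)   # sender -> deque of (timestamp, target)
    peak = {}
    for ts, sender, target in sorted(events):
        queue = recent[sender]
        queue.append((ts, target))
        # Drop requests that have aged out of the window.
        while queue and queue[0][0] <= ts - window:
            queue.popleft()
        distinct = len({t for _, t in queue})
        if distinct > peak.get(sender, 0):
            peak[sender] = distinct
    return {s: n for s, n in peak.items() if n >= threshold}


# Constructed sample events (not captured traffic).
SAMPLE_EVENTS = (
    # Sweeps eight neighbours in 14 seconds: worm-like fan-out.
    [(100 + 2 * i, "10.0.0.50", "10.0.0.%d" % (i + 1)) for i in range(8)]
    # Ordinary host: refreshes the gateway entry once a minute, one other peer.
    + [(60 * i, "10.0.0.20", "10.0.0.1") for i in range(6)]
    + [(130, "10.0.0.20", "10.0.0.30")]
    # Talks to six different peers, but only one every two minutes.
    + [(120 * i, "10.0.0.77", "10.0.0.%d" % (100 + i)) for i in range(6)]
)

if __name__ == "__main__":
    for sender, count in flag_scanners(SAMPLE_EVENTS).items():
        print("%s: %d distinct ARP targets within %ds"
              % (sender, count, WINDOW_SECONDS))
```
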
  • by TildeMan ( 472701 ) <<ude.tim> <ta> <kevisg>> on Thursday August 09, 2001 @10:12AM (#2130058) Homepage

    I'm a Verizon DSL user. My brother and I just got off the phone with tech support. First they tried to convince us that hosting a web server was illegal (after we convinced them that we had seen the ToS which says DSL users are exempt); after about ten minutes of arguing that was changed to "We don't support that." Then they told us that they would not open port 80 for specific machines, and that they would not even tell us ANY details about other ports (like the mysterious 25). I hope to call back later and speak to someone a bit more helpful...

    As for why we learned about the port closing from /. long before we heard about it from verizon in a vaguely worded, hidden post [verizon.net], they told us that they didn't send an email because it only affects about 5% of their customers. They also won't notify us when they reopen port 80, however distant that may be. Furthermore, they claim that the vast majority of users who would receive such an email would not care. Still, if I were the average user I certainly would rather hear service/security updates I can ignore than miss ones that might be relevant.

    Conclusion: Verizon is at least approaching Evil, if not already there... please let me know if you've had any better experiences with tech support since the start of the filtering!

    TildeMan

  • by Anonymous Coward on Thursday August 09, 2001 @10:10AM (#2130816)
    I was more than just a little pissed off about this. I was laid off just recently, and have been relying on contract admin and design work to make ends meet. It kinda sucks when all of the sudden, my demo site falls off the net, and my clients are unable to see the work that I am trying to sell them. I'm sure it makes them uncomfortable about buying my services when I can't even keep my own site online (through no fault of my own).

    My temporary fix was as follows:
    1. Moved all of my virtual hosts from domain.com:80 to temp.domain.com:82
    2. Created A and CNAME records for temp and www.temp, pointing to my server at home.
    3. Had a friend install a VirtualHost on his web server, with an index.cgi that redirects requests to my temporary virtual hosts (see below).
    4. Pointed @ and www at my friend's server.
    Here's what the redirector script looks like. Note that I originally tried a simple redirect, but found that meta refresh was more effective for this application:

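    #!/usr/bin/perl
    use strict; use warnings;
    # Host and URI are client-supplied, so HTML-escape them before echoing.
    my $redirect = "http://temp." . $ENV{HTTP_HOST} . ":82" . $ENV{REQUEST_URI};
    $redirect =~ s/([&<>"'])/sprintf("&#%d;", ord($1))/ge;
    print "Content-type: text/html\n\n";
    print "<meta http-equiv=\"Refresh\" content=\"0;URL=$redirect\">";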
  • Re:Leased Line (Score:2, Interesting)

    by RzUpAnmsCwrds ( 262647 ) on Thursday August 09, 2001 @12:56AM (#2150015)
    That's already done in my area. It's called Colorado Wireless Cooperative. For about $60/month, you get a 5mbit downstream and 5mbit upstream connection. You can do anything you want with it. So yes, this is possible. CWC actually uses a 802.11b variant with special antennas. Works great!
  • Recess: School's out (Score:2, Interesting)

    by Graymalkin ( 13732 ) on Thursday August 09, 2001 @02:05AM (#2151690)
    Since the advent of broadband in homes people have been wasting as much bandwidth as possible by downloading warez and MP3s and bootleg copies of feature films at all times of the day. You notice CD-Rs and large hard drives are often purchased by the same people with fat internet pipes. Hmmm.
    Now virus and worm writers are taking advantage of these people that have been screwing their networks up the ass for years now. I feel so so bad. Webservers that shouldn't have been running in the first place are being blocked. Man I'm heartbroken.
    I don't think broadband is a bad thing at all and nor am I against downloading large chunks of data. Freeware, patches, legal ISOs, music, etc. is all cool and why you've got the fast pipe in the first place. The problem lies in the folks running their webservers and anon FTPs that are filling up the outgoing frames which normally don't get filled up on consumer oriented pipes. I wouldn't want to be the dude trying to manage the consumer network that was never intended for such traffic. If it were me I'd cap your monthly bandwidth and start charging like web hosts do. Whoever thought it was a good idea to leave broadband unthrottled and uncapped was a jackass. It works fine when you can feed a shitload of dialup users with a single T3 or OC line. Things break down when you apply that same model to people who have bandwidth rated at a significant portion of a T3 or OC line.
  • You can thank IIS.. (Score:5, Interesting)

    by victwenty ( 451152 ) on Thursday August 09, 2001 @12:53AM (#2151930)
    Blocking port 80 is the only practical way providers such as @home have to control code red. I'm on their network and in the last 48 hours, I've gotten:

    [root@gamara log]# grep DPT=80 messages | wc -l

    3722

    Code Red hits, all from other @home users. All W2K/IIS 5.0 users. The IPs I've looked into all have the default pages up too. I've even tried running "dir" commands on a few through the "root.exe" backdoor Code Red installs, incredulous that it would work, and yes.. thousands of wide open NT boxen. This hasn't even seemed to slow down yet, despite the widespread publicity, which leads me to believe that a large percentage of those stricken are either totally clueless, don't realize they have IIS running (?), or flat out don't care, which leaves the ISP little choice. And it may be my perception, or unrelated factors, but my net connection has certainly seemed more sluggish over the last week, perhaps as a result of upstream saturation, something @home doesn't have much of.

    So I would agree, blocking port 80 is the most practical way of defeating this and it should have happened earlier. It's that or ban all Microsoft operating systems as a public hazard :)

  • by Elias Israel ( 182882 ) <eli@promanage-inc.com> on Thursday August 09, 2001 @03:02PM (#2152736)
    Blocking port 80 is the only practical way providers such as @home have to control code red. I'm on their network...

    Respectfully, that's a load of crap.

    I've got a Linux host connected to the AT&T network (they were better as MediaOne), and not only can I produce for you a log of the CodeRed infected customer machines that need to be dropped off the net until their owners get smart, but I also have a firewall in place and I routinely spend 2 hours each week reading the firewall logs and reporting on various l0sers who love to attack the ATT network.

    I pay ATT around $200 each month for various services, including cable, telephone, and internet.

    I'm policing their network for them because they apparently can't be bothered.

    You'd think they'd treat people like me as heroes, or at least good customers.

    I leave it to you to decide how we have really been treated.

    "We're the phone company. We don't care. We don't have to."

  • by Todd Knarr ( 15451 ) on Thursday August 09, 2001 @01:07AM (#2153096) Homepage

    I can think of a more effective solution: every time a Code Red probe goes out, deprovision the modem belonging to the customer with that IP address. They've got a proven AUP violation and a proven security problem that's disrupting their network. That's more than enough justification for jerking the account entirely. This has the dual benefits of shutting down Code Red and forcing people to actually learn how to secure their systems which makes future problems slightly less likely, and doesn't impact those of us who aren't susceptible to Code Red at all.

  • No blocking yet (Score:2, Interesting)

    by Heem ( 448667 ) on Wednesday August 08, 2001 @11:31PM (#2169339) Homepage Journal
    I'm on @home and as far as I can tell port 80 is not yet blocked... I wonder for how long they will block the port and what clause in their contract they will hide behind?
  • Leased Line (Score:2, Interesting)

    by trolebus ( 234192 ) on Wednesday August 08, 2001 @11:43PM (#2169391) Homepage
    This is getting out of hand. Does anyone know what a leased line costs?

    This is an idea I had:
    A group of people get together and purchase a leased line, run it into someone's home and then put everyone else on a little ethernet network. Granted I don't know how much one costs but I figure at around $40 a month a group of about 20-30 should be able to get something way faster than DSL/Cable and without the bullshit. I see three main problems.

    1. Security: Everyone has to protect their PC; a packet filtering router should do the trick but it's an added expense. Additionally the security on the leased line has to be good.

    2. People: Finding enough people that live such that we can lay all the cable we need without going on city land. This could be the real challenge. I suppose we could hop across holes in the network with 802.11b but that would be slower and less secure.

    3. Time: What happens when the network / connection goes down. Either we set up some sort of rotation but we need an admin to fix stuff and that can be expensive.

    Other issues are things like getting IP's (we could use a DHCP server but it would be better to all have our own IP)

    Lots of challenges but it could be cool. Has anyone done something like this or has a suggestion on how it could be done better? I get closer and closer especially with crap like this.

  • by Senor Wences ( 242975 ) on Wednesday August 08, 2001 @11:45PM (#2169399)
    I'm surprised it has taken AT&T and Excite so long to block port 80. In the agreement each subscriber must sign when she or he enrolls for the service the cable cos. explicitly state that you are forbidden to run a web server on their lines. But from the number of cable carracho servers I have seen, as well as other web servers running from cable, it is clear that many users simply ignore this rule. Granted, many people running Win2K or NT and IIS might not realize the service is running, their computer is infected, they are part of the problem. So it makes sense that in an effort to contain this worm the providers would block port 80. It's just weird that, in light of their stated policy, they have thus far allowed for people to run web servers, etc., on port 80, ignoring the users' abuse of the service just as the users have ignored the rule. All it took was a few careless individuals running unpatched software that shouldn't have had such a nasty exploit in the first place to ruin this wonderful state of denial between the cable cos. and people who want to run a web server on their nice, zippy cable connections. I suppose that's what port 8080 is for....
  • Re:Read your TOS! (Score:2, Interesting)

    by Atzanteol ( 99067 ) on Wednesday August 08, 2001 @11:52PM (#2169432) Homepage
    Not necessarily... When I originally signed up with MediaOne, I asked about running servers. They were fine with it, so long as I didn't interfere significantly with the other users.

    I think this is just a way ATT can claim to be 'proactive on security'...

    This sickens me..
  • by Heem ( 448667 ) on Wednesday August 08, 2001 @11:57PM (#2169447) Homepage Journal

    It comes down to.. The people that know how to use their computers get fucked over by those who don't. Add the word AGAIN to that phrase. And if we want to get on a network where we and our peers know what they are doing, we have to pay out the ass. I liked it better when it took some BRAINS to use a computer, it wasn't cool to be a geek, and everyone I know isn't calling me every 10 minutes to fix their damn computer.

  • by Anonymous Coward on Thursday August 09, 2001 @12:07AM (#2169494)
    Even if they block off incoming port 80 from the rest of the world, that won't help much. I'm on Roadrunner. Looking at my logfiles, 1340 of the 2038 Code Red attacks I've gotten since Sunday are from other Roadrunner customers. Are they going to block incoming port 80 from each machine internal to their network to every other machine internal to their network?
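
Added example, not part of any comment in this thread: one way to produce the per-source tally that several posters describe from their own logs. It counts Code Red probes (requests for /default.ida? followed by a long run of N padding, or X padding for Code Red II) in an Apache-style access log and splits them by whether the source sits inside the provider's own address space. The log lines and the 198.51.100.0/24 "own network" are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed access-log lines (documentation address ranges, padding shortened).
SAMPLE_LOG = """\
198.51.100.7 - - [08/Aug/2001:22:14:03 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [08/Aug/2001:22:31:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.23 - - [08/Aug/2001:22:32:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
203.0.113.9 - - [08/Aug/2001:23:02:55 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.44 - - [08/Aug/2001:23:05:12 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.23 - - [09/Aug/2001:00:47:29 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
-- log rotated --
"""

# Common log format: client address first, request line in double quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)')
# The probe is recognisable by the padding run alone; no payload matching needed.
PROBE_RE = re.compile(r'^/default\.ida\?([NX])\1{7,}')


def summarize(log_text, own_networks):
    """Tally Code Red probes per source and report the share from own_networks."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    per_source, variants, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = LOG_RE.match(line)
        if not entry:
            skipped += 1            # unparseable line: count it, do not guess
            continue
        probe = PROBE_RE.match(entry.group(2))
        if not probe:
            continue                # ordinary request
        try:
            addr = ipaddress.ip_address(entry.group(1))
        except ValueError:          # hostname logged instead of an address
            skipped += 1
            continue
        per_source[addr] += 1
        variants["Code Red II" if probe.group(1) == "X" else "Code Red"] += 1

    local = {a: c for a, c in per_source.items() if any(a in n for n in nets)}
    total = sum(per_source.values())
    local_total = sum(local.values())
    ranked = sorted(local.items(), key=lambda item: (-item[1], item[0]))
    return {
        "total_probes": total,
        "local_probes": local_total,
        "local_share": local_total / total if total else 0.0,
        "variants": dict(variants),
        "local_sources": [(str(a), c) for a, c in ranked],
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, ["198.51.100.0/24"])
    for key, value in report.items():
        print("%-14s %s" % (key, value))
```
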
  • by Anonymous Coward on Thursday August 09, 2001 @12:13AM (#2169519)
    Of course I know about downloading Linux instead of buying cdrom's. I've been installing FreeBSD over FTP for quite some years now, you know. The FreeBSD installer could do that before any Linux distribution even had a network install option.

    But that doesn't take away the fact that not every one has a high speed internet connection and therefore costly 6+ cdrom packs are needed for most people every few months..

    So, my point still stands. Each and every of my arguments is right to the point, and more important, TRUE.

    The conclusion remains: Linux is not an option for any serious computing job out there. Try to attack the FACTS given in my 'troll' with some good arguments.

    Oh, you can't? I thought so..
  • by poteet ( 443481 ) on Thursday August 09, 2001 @12:34AM (#2169581)
    ...@Home has been port scanning me off and on for this past week. I've called tech support to ask why and all I get is a perfunctory "We don't use that kind of software, it must be a hacker or something...." Yeah, right.
  • by maggard ( 5579 ) <michael@michaelmaggard.com> on Thursday August 09, 2001 @12:44AM (#2169613) Homepage Journal
    AT&T "Customer Service" is claiming that their Acceptable Use Policy forbids servers. This is not true for all customers; I know it's not true at least for the former customers of MediaOne in Eastern Massachusetts.

    Partially quoted from:
    roadrunner.techtalk.general [roadrunner...lk.general]
    3B709BDA.3480@mediaone.net.invalid
    chelm@mediaone.net.invalid wrote:

    Posting to ATT/RR Home Page on transition to Excited@Home:
    New Service Subscriber Agreement

    Your AT&T Road Runner home page will automatically change to the new content provided by AT&T @Home on June 30, 2001. Effective with the elimination of the Road Runner content, the AT&T Road Runner Service Subscriber Agreement will be replaced with the AT&T@Home Subscriber Agreement. You can see the new agreement at http://help.broadband.att.com/support [att.com] under the Policies section of Answers to Questions. Because you are not using @Home software, the @Home End User License Agreement attached to the end of your new agreement will not apply to you.

    "AT&T@Home Subscriber Agreement" links to:
    http://help.broadband.att.com/support/faq.jsp?content_id=584&category_id=34 [att.com]
    which leads to:
    http://help.broadband.att.com/subagreelease.jsp [att.com]
    Which states:
    9. Service Characteristics

    (b) FTP/HTTP Service Setup. Customer should be aware that when using the Service to access the Internet or any other online network or service, there are certain applications, such as FTP (File Transfer Protocol) server or HTTP (Hyper Text Transfer Protocol) server, which may be used to allow other Service users and Internet users to gain access to Customer's computer. If Customer chooses to run such applications, Customer should take the appropriate security measures. Neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings resulting from, arising out of or otherwise relating to the use of such applications by Customer, including without limitation, damages resulting from others accessing Customer's computer.

    (c) File and Print Sharing. The Service functions as a Local Area Network (LAN) in that each Customer is a node on the network. As such, users outside the Customer's home may be able to access the Customer's computer. As well, some software includes capabilities that permit other users across a network such as the Service and the Internet to gain access to the Customer's computer and to the software, files and data stored on the computer. For example, operating systems such as Windows 95 and Apple Macintosh include file sharing and print sharing capabilities which, when enabled, will permit other users to gain access to the Customer's computer even if the Customer is not using the Service. AT&T therefore recommends that the Customer connect only a single computer to the Service and that the Customer disable file and print sharing and other capabilities that allow users to gain access to the Customer's computer. Any Customer who chooses to participate in the Service using other than a single computer or who chooses to enable capabilities such as file sharing, print sharing, or other capabilities that allow users to gain access to the Customer's computer, hereby acknowledges and agrees that the Customer does so at the Customer's own risk, and that neither AT&T nor @Home Network shall have any liability whatsoever for any claims, losses, actions, damages, suits or proceedings arising out of or otherwise relating to such use by the Customer.

    And furthermore from the same document:
    11. Miscellaneous

    (b) Amendment. AT&T may, in it sole discretion, change, modify, add or remove portions of this Agreement, and the Service provided thereunder, at any time. AT&T will notify Customer of any such changes by posting notice of such changes on the Service, or sending notice via e-mail, postal mail or other means. Customer's continued use of the Service following notice of such change shall be deemed to be Customer's acceptance of any such modification. If Customer does not agree to any such modification, Customer must immediately stop using the Service and notify AT&T that Customer is terminating this Agreement in accordance with Section 7(a) of this Agreement. Customer will then be entitled to a refund of any unused portion of any monthly Service fee that has been paid in advance.

    Did anyone else get notification before port 80 was blocked? The above policies certainly still seem to be in effect; they're still posted [att.com] and they clearly imply customers may run HTTP & FTP servers at their own risk.

