homepage Welcome to WebmasterWorld Guest from 50.17.177.99
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

    
Comcast Launches Anti-Botnet Initiative "Constant Guard"
Infected Owners Will Be Warned
incrediBILL




msg:4005632
 4:14 pm on Oct 12, 2009 (gmt 0)

Comcast is taking a leadership role and making a huge step forward in the eradication of botnets.

From their press release on Oct 8, 2009:
As part of this effort, starting today in Denver, CO, Comcast will begin to trial an in-browser notification “Service Notice”, which will alert customers whose computers appear to be infected with a bot (or virus) and request that they go to the Anti-Virus Center and follow a set of instructions to assist with removing the bot from their computer and thereby prevent it from spreading to other users.

[comcast.com...]

Apparently the current Denver trial allows users to close the warnings without taking action, but cannot opt out of getting them.

I will assume that eventually the next step, if the user doesn't take these warnings seriously after 15-30 days of inaction, is that Comcast will block them from the web until it's fixed.

This is a massive win in the "score one for bot blockers" column.

Note that this is right on the heals of the DHS announcing adding 1000 new cyber security employees [webmasterworld.com], perhaps a preemptive strike by Comcast to keep government out of their business?

I've been advocating such action on the part of ISPs for a couple of years now and I'm glad to see Comcast taking the first steps to making it happen.

However, if the US takes steps to become botnet clean, will that leave us at odds with the rest of the infected world that will present a security risk if they refuse to take care of their problem?

 

Baruch Menachem




msg:4005663
 4:50 pm on Oct 12, 2009 (gmt 0)

Such an overdue and good idea. Part of the problem is most of the people in the bot net are clueless of the damage they are doing. I might be a bad guy and not know it.

I am glad someone is helping out on this.

And one great part of this is that most of the really bad part of the web could be scrubbed in a heartbeat if more took this approach.

[edited by: encyclo at 4:54 pm (utc) on Oct. 12, 2009]
[edit reason] fixed typo [/edit]

jdMorgan




msg:4005669
 4:53 pm on Oct 12, 2009 (gmt 0)

How do you see that anti-botnet approach putting the US at odds with the rest of the world?

If major ISPs in the US and elsewhere take similar steps to Comcast's, then that reduces the number of botnets working to infect users all over the world, so everyone benefits.

It's also great that first steps are being taken toward 'prevention' at the network/ISP level rather than relying on individual users to keep their machines 'bot free. Now if only we could see a similar attitude about e-mail spam!

Stopping these problems at their source would be so much better than requiring everyone on earth to run increasingly bloated and performance-draining ant-virus, anti-malware, and anti-spam applications, firewalls, etc. Many of these applications could be 'slimmed-down' if steps could be taken higher-up in the network to prevent bad stuff from propagating in the first place -- I'm certainly not advocating their elimination, but checks at the network layer could very well reduce the burden at the client level.

With 'client activity' monitoring in place, there's also the possibility to collect data needed to locate the 'command and control centers' for botnets. This may raise the perceived risk in running botnets, and if the C&C centers can be quickly shut down or blocked, it will also raise the cost of operating a botnet. So as long as steps are taken to guard ISP users' privacy (by monitoring only for 'bot-related activity and tossing out all other transaction data), it sounds good to me.

Jim

incrediBILL




msg:4005744
 6:43 pm on Oct 12, 2009 (gmt 0)

How do you see that anti-botnet approach putting the US at odds with the rest of the world?

Let me qualify I see it as putting us at odds against the countries that predominantly run the botnets, which probably brings in quite a bit of income for some places.

If you don't think the botnet herders will retaliate at some level then read what happened with Blue Frog by Blue Security [en.wikipedia.org].

Obviously there's a big difference in approach as Blue Frog was actively going after the advertisers in the spam, but cutting off someone's livelihood can invoke repercussions which Blue Frog and some seriously hardened hosting companies were ill prepared to deal with.

Don't forget the botnet attacks on the US & Korean government [webmasterworld.com] and Twitter and Facebook [webmasterworld.com] recently.

Imagine the panic that could be caused if they attacked sites like eTrade or Wells Fargo and kept people away from their money for a day or more.

Let's just hope Comcast can weather any storm it might cause ;)

blend27




msg:4005768
 7:26 pm on Oct 12, 2009 (gmt 0)

Buddy of mine owns a small PC Repair shop in town. Just talked to him about this matter. We are 6(comcast):2(FIOS):2(other ISPs) hood around here. His response was: Build me a new Site/Forum Please, Prety Please. He says the same people show up every 3 month for Slow Performance Checkup. Lots of students from a local colledge that rent in town as well. You wouln'd believe the MSCONFIG screen-shots he shows me once in a while.

It is good for Every body.

Amen 2

dstiles




msg:4005838
 9:22 pm on Oct 12, 2009 (gmt 0)

This idea was proposed in Europe (forget which country) last year-ish. It was dropped because the ISPs would have had to access the users' computers to determine the bot-ishness, which someone decided was an illegal access of computers and could end the ISPs in court.

I would welcome such activity IF it didn't in itself degrade my computer performance. The problem is, if your machine is behind a router or firewall, how does the ISP get in?

Or are the ISPs using traffic through their service to detect bot activity? In which case there is the recent concern about traffic interception (as in phorm and nebuadd).

I'd be interested in how comcast were getting around these objections. As I said, I'm in favour - providing bot detection is as far as it goes.

On a different note, my web server gets a LOT of bad-bot traffic from comcast but I'm never sure if it's virus-related or hackers.

wilderness




msg:4005854
 9:54 pm on Oct 12, 2009 (gmt 0)

Comcast could utilize staff more effectively by closing their many vulnerable open proxies that others are using.

incrediBILL




msg:4005863
 10:02 pm on Oct 12, 2009 (gmt 0)

Or are the ISPs using traffic through their service to detect bot activity?

Bingo.

Finding botnets isn't rocket science, they're banging on your servers looking for ways in right now and the honeypots collecting that data can feed it back to the ISPs.

jdMorgan




msg:4005870
 10:11 pm on Oct 12, 2009 (gmt 0)

OK, I was wondering what the intended "at odds" angle was...

I don't know how well Comcast is prepared to evade a DDOS attack, but I support their decision to proceed. Otherwise, they (figuratively, we) put ourselves in an ethical quagmire such as that of ignoring blatantly-obvious child abuse because the abusive daddy, you know, might get mad at us if we said anything to anyone...

DDOS is a doubled-edged sword: Sure it disrupts (or at least inconveniences) the attacked party, but it also reveals the members of the attacking network. So attacking an entity that is already monitoring, recording, and acting upon malicious network activity might not be such a smart thing to do.

Jim

incrediBILL




msg:4005893
 10:50 pm on Oct 12, 2009 (gmt 0)

DDOS is a doubled-edged sword: Sure it disrupts (or at least inconveniences) the attacked party, but it also reveals the members of the attacking network

DDOS also reveals our weaknesses which in the case of Blue Frog and a few others turned out to be the DNS servers which was a massive problem because DDOS'ing the DNS servers knocked out all the customers, not just a single target.

swa66




msg:4005943
 12:23 am on Oct 13, 2009 (gmt 0)

Too little, too late.

It's the wrong approach: users ignore all pop-up warnings , or act on all of them.
I'm not sure which is worse with all the malware that presents itself as "let us clean your PC from malware".

It's bad to showcase this to the bad guys as they'll adapt to it. And more importantly: use it against the users with fake warnings in the hopes they'll act on it.

It's too late: others have been doing better stuff for many years.
The solution is to detect the infected customers and put them in a "walled garden" where they cannot do damage, but can get their problem properly fixed.

Others have been walling of their infected customers for years now. E.g. Qwest's CIPP (Customer Internet Protection Program) program launched in October 2007.
[news.qwest.com...]

incrediBILL




msg:4006030
 5:53 am on Oct 13, 2009 (gmt 0)

Too little, too late.

It's never too little, never too late, that's defeatist talk.

The Qwest program doesn't sound all that different from the Comcast version really except Comcast is a few years behind in implementation.

ByronM




msg:4006237
 1:36 pm on Oct 13, 2009 (gmt 0)

It's never too little, never too late, that's defeatist talk.

The Qwest program doesn't sound all that different from the Comcast version really except Comcast is a few years behind in implementation.

It does seem too little too late, Comcast is focused only on making the quickest buck and allowed these machines to be on their network far to long (hey, as long as they pay their 59/month we're happy!).

Browser popup is also entirely the wrong thing to do.. how long will it be before spyware/botnets popup similar warnings and install their own "security" software..

The only solution is to segregate machines into their own network with limited or no access until the consumer gets their crap straight.

jdMorgan




msg:4006257
 2:11 pm on Oct 13, 2009 (gmt 0)

I propose the implementation in HTTP/1.2 of a Client-Detonate server response header, in order to facilitate network clean-ups.

This would function similarly to the HCF opcode (Halt and Catch Fire) in early computer instruction sets, and to the RBT (Rewind and Break Tape) command in early magnetic storage controllers.

Comcast doesn't have to get everything perfect the first time out. They can learn from Quest's methodology or they can figure it out by themselves over time just like everyone else does -- What will you be doing today at 1:00 PM Pacific Standard Time? (Hint, it's the second Tuesday of the month in Redmond, WA).

I'm sure they're already getting feedback from security experts across the planet on the pitfalls of in-browser notification (I'm not sure where the "pop-ups" phrase came from), and may switch to a better method before deployment. Warning their customers to "type in" the address and to ignore warnings from other entities that offer clickable links (a la PayPal) for security issues will also help mitigate the potential exploits of the system.

I'd also like to point out that although there is a potential for further abuse by spoofing of ComCast's security alerts, the fact is that the client is still inside ComCast's 'firewalled network,' so these follow-on exploits can be stopped or reduced as well.

Jim

blend27




msg:4006301
 3:33 pm on Oct 13, 2009 (gmt 0)

-- their 59/month we're happy--

After Paying 59 for 7 years, I called last month and they droped it to 32/12 month, no contract, plus router fee. FIOS moved in couple of month ago so they are starting to feel the pinch already, at least localy.

That is not the point of this thread.

Installing ToolBars and offering Free Software(antiVirus) is not a way to go. I remember couple of years ago I was talking to one of the techs from Comcast and he said I had to install a software on all of my PCs in the network to fix the Connection Issues. Nahhhhh.

Block the PC from internet without any soft installed to monitor traffic, not like they don't know where I had my "Lo Mein" last time via my IP.

jdMorgan




msg:4006331
 4:02 pm on Oct 13, 2009 (gmt 0)

I haven't seen any mention of them requiring software to be installed, except in forum threads. As far as I can tell, they're going to be monitoring packet source and destination addresses, suspicious patterns of activity, etc. There is no need for client software in order to do those functions.

It doesn't hurt to offer free software, as long as it's from a trusted source. Given that we can assume that most of these infected users are "low-tech" people, the timing of Microsoft's release of their free "Security Essentials" --formerly know as OneCare-- is serendipitous (or perhaps even related). A free Microsoft product would be an 'easy sell' to such customers, and the 'trust issue' is moot since all infected users are most likely to be running Windows in the first place.

Jim

wilderness




msg:4006379
 5:29 pm on Oct 13, 2009 (gmt 0)

Jim,
Blend was referring to the software requirement of Comcast to it's customers, which purchase internet access.

I had a similar requirement with another provider some seven years ago. After I threw a bloody fit when their requirement changed some settings and default options on my computer, it took tech support at least a couple of hours to lead me through the process of un-installing all the individual modules entirely.

Recently with the same provider I was required to throw another fit because the 3rd party tech support could not comprehend that I was unwilling to install additional software, which same tech had previously told me would NOT be required.

The 3rd party tech support by these providers creates the entire mess and/or lack of communication. They simply don't understand or comprehend the English language.

Don

incrediBILL




msg:4006485
 7:53 pm on Oct 13, 2009 (gmt 0)

I never install ISP software but I'm already locked down like Fort Knox, sitting behind a router that's locked down tight, and all machines have A/V so I think we're good to go.

However, a lot of people don't have a clue and without the ISPs help will never have a clean machine.

Hugene




msg:4007088
 7:36 pm on Oct 14, 2009 (gmt 0)

I woudent trust Comcast with a penny, even less with a pop-up windows saying I need an anti-virus. That's going to be the biggest PHISHING back-door ever. I can only imagine the pop-up already: "we're Comcats, and your PC is infected. PLEASE click here"

Totally ridiculous initiative.

If Comcast is so good at detecting bot traffic, why don't they block it?

keyplyr




msg:4007141
 8:57 pm on Oct 14, 2009 (gmt 0)

I see just as much scraper & bad bot activity coming from Comcast as I do from the unmonitored colos and rackspace culprits.

jdMorgan




msg:4007176
 10:19 pm on Oct 14, 2009 (gmt 0)

> I see just as much scraper & bad bot activity coming from Comcast as I do from the unmonitored colos and rackspace culprits.

Which is precisely why they feel they need to do something.

Jim

bkeep




msg:4007438
 10:02 am on Oct 15, 2009 (gmt 0)

I think in theory it would be a good idea but what ever they do there will be away around it. Block traffic on a certain port just set the server to listen to a different one. grep packets for a signature the programmer can just adjust it.

The big question is how will they determine what is legit traffic vs something initiated by a zombie.

dstiles




msg:4007852
 8:51 pm on Oct 15, 2009 (gmt 0)

I wonder what they will do about 80legs, which seems to come from mostly USA ISPs including comcast. Will it be classed as a trojan infestation? If so, what about all the other distributed bots?

dstiles




msg:4007866
 9:18 pm on Oct 15, 2009 (gmt 0)

A new report by UK Parliament seems to be recommending UK ISPs take action against infected machines...

"A recommendation for a voluntary code for ISPs relating to the detection of, and effective dealing with, malware infected machines in the UK. If this voluntary approach fails to yield results in a timely manner, then Ofcom should unilaterally create and impose such a code on the UK ISP industry."

Summary of the report on the UK nodpi site.

wilderness




msg:4007949
 11:32 pm on Oct 15, 2009 (gmt 0)

I wonder what they will do about 80legs

Wouldn't that be a loss to all of mankind ;)

Umbra




msg:4008227
 2:00 pm on Oct 16, 2009 (gmt 0)

If Comcast is so good at detecting bot traffic, why don't they block it?

Because it doesn't give the user a chance to protest in case of a false positive?

Regarding popups, if Comcast can detect bot traffic, then can't they also detect regular browsing traffic? And then use DNS redirection without any extra software or toolbar?

So when Comcast flags a machine and the user tries to visit a website, Comcast redirects them to a warning page about a possible trojan. The user can override this warning screen for x times or x days. After that deadline, Comcast clamps down on all traffic until the machine is clean.

bigcat1967




msg:4009793
 1:58 am on Oct 20, 2009 (gmt 0)

"The big question is how will they determine what is legit traffic vs something initiated by a zombie."

Good call. I don't think they can...

jdMorgan




msg:4009817
 3:05 am on Oct 20, 2009 (gmt 0)

How about 100,000 outgoing HTTP requests per day, all to different servers, requesting all variations on the URL-path phpMyAdmin.php? I see hundreds of these every day on just one server, and they obviously come from botnets. I can see a person logging into his PHP Admin panel 100 times in one day, or even 200 times in one day, but 100,000? -- You'd think after the first 100 tries or so, he'd at least get the filename right! Besides, a person like that should forget about PHP and seek help for "Overly-fast-typing syndrome." It's a bot.

They don't have to stop 100% of the abusive traffic, they just have to raise the cost of developing successful exploits. Do that, and the low end of the market falls out, and a majority of the abuse goes away.

Jim

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved