Message-ID: <1078944771.439.22.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: Comcast using IPS to protect the Internet from their home user clients?

On Wed, 2004-03-10 at 07:46, Chmielarski TOM-ATC090 wrote:
> Yes, they say they are now doing this.
> http://www.infoworld.com/article/04/03/09/HNcomcastspam_1.html

But this article says they are shutting systems down once identified as
a spam/hack/dos zombie. This can be done easily by reconfiguring the
Cable modem or removing MAC addresses from filter/pass tables (don't
know what types of access controls are in place over there).

It doesn't say they are using an inline IDS/IPS. Where would those IPS's
be? At the major NAPs or peering points? Or distributed in regional
hubs? I'm curious how they are dealing with the performance impact.
Perhaps they are using ASIC-based IPS's, or very limited signature sets
(which would explain why a whisker scan completes unimpeded, but a nikto
scan hangs at the same "spot").

So far, a couple others reported that they noticed the same behavior. I
haven't heard anyone say "my scans are not affected". To reproduce the
test, fire off a nikto scan against a remote web server (remember, get
permission first). See if nikto completes without getting stuck. (I used
a recent nikto from the FBSD ports tree).

Anyhow, finding spam sources and bandwidth hogs and turning them off
manually is one thing. Having a network-based intrusion prevention
system sitting in their wires is another. Perhaps they are beta testing
that as an additional method to weed out bad traffic?

Regards,
Frank


PS: I'm completely okay with them filtering as long as they allow me to
tunnel my traffic to corporate servers. Whatever it takes to get rid of
spam is fine with me... 