Comcast, other ISPs Hacked?



  1. #1 (Join Date: Dec 2003; Location: COLORADO; Posts: 439)

    Comcast, other ISPs Hacked...?!

    Last night and tonight around 7-ish, the internet became slower than dialup. Called in and found they had system-wide outages. Tonight we had the same outage, so we called in and got customer service, which told us they're upgrading the lines from 3 Mb to 4 Mb. Because of the long outages we received 3 days' credit, so we were transferred over to billing and made a small comment about maybe warning next time they're upgrading and to expect outages. The rep replied in a confused voice and said that their service had been down due to hackers; along with them, AOL and some others had been attacked and were also experiencing outages.

    My question to them, if I had been the one on the phone, would be: where is all this great technology that enterprises use to control such threats and endure a very minimal loss? The fact is they may need to refund multiple days to multiple people, which is a huge loss. I also read in an eWeek article that 90% of all companies who lose a connection to their database for more than 10 days will file bankruptcy within the year. Now I know this is on a wider public base than the companies this article represented, but the cable and internet was owned by AT&T before Comcast, and before that TCI.

    I know I may not have organized the information presented well, but if anyone knows any more about this... I'm kind of limited to sites at the moment, so I cannot check the news/security sites on this topic.
    Be AWARE: grammatical/spelling errors will happen
    ReX Productions
    Current Web Project
    Join Project Honey Pot

  2. #2 (Join Date: Mar 2003; Location: West Texas; Posts: 586)
    Last I checked, changing your DNS servers in /etc/resolv.conf would fix it.

    It did for me and everyone else with the problem in the JL IRC channel.

    Must have been a few core DNS servers that went down that several companies share, or it may have been a confused rep at Comcast getting the phrases 'DNS server upgrades' and 'we've been hacked' mixed up....

    Oh well.

    It's all better today (at least... I think it is... using new DNS servers fixed it for me...).
    JustLinux IRC Channel: irc.freenode.net #justlinux

  3. #3 (Join Date: Aug 2002; Location: Western NY; Posts: 1,116)
    I'm not sure if Comcast's problems are caused by the same thing or not, but in the past month or two I have seen a large amount of bogus traffic that can bring a DNS server to its knees if there are too many of these connections to it. What looks to be happening is trojan/virus-infected PCs will make a TCP connection to port 53 of the DNS server, and just keep passing blank TCP packets with no actual TCP payload in the packets. These hosts seem to just sit there and hammer away until you either block that client altogether from accessing the server, or the computer gets shut off. Under most circumstances clients should not be connecting to a DNS server on TCP port 53. So my guess is it's either deliberately trying to DoS the DNS servers, or there is a very poorly written virus out there that has got spread around quite a bit, and is causing some unintended problems.

    I doubt the sales person you talked to has the most reliable information as they are most likely at the very bottom of the information/rumor chain. So I would take "we've been hacked" with a grain of salt. DoS != hacked
    Join #justlinux on irc.freenode.net
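    The hammering pattern described in the post above can be picked out of a packet capture without blocking TCP/53 outright, which would also break zone transfers and the TCP retry a client makes after a truncated UDP answer. The following is an added example, not code from this thread: it parses constructed tcpdump-style lines (made up for illustration, with a hypothetical resolver at 192.0.2.53) and reports sources that send many payload-less segments to port 53 and never a single DNS message. The threshold is a placeholder; tune it against your own traffic.

```python
import re
from collections import defaultdict

# One tcpdump -n line per TCP segment, e.g.
#   12:00:01.000003 IP 10.0.0.5.40000 > 192.0.2.53.53: Flags [.], ack 1, win 8192, length 0
# "length N" is the TCP payload length; SYN/FIN/RST segments legitimately carry none.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)$"
)


def parse_line(line):
    """Parse one TCP line of tcpdump output; return None for anything else (UDP queries, noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"], "len": int(m["len"]),
    }


def find_tcp53_hammerers(lines, min_empty=20):
    """Return {src_ip: n} for sources that sent at least `min_empty` payload-less
    TCP segments (other than SYN/FIN/RST) to port 53 and never a byte of data.
    A genuine TCP client (zone transfer, truncated-response retry) always sends a
    DNS message, so it accumulates data bytes and is not reported."""
    empty = defaultdict(int)
    data_bytes = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:
            continue
        if rec["len"] > 0:
            data_bytes[rec["src"]] += rec["len"]
        elif not (set(rec["flags"]) & set("SFR")):   # skip handshake/teardown segments
            empty[rec["src"]] += 1
    return {ip: n for ip, n in empty.items()
            if n >= min_empty and data_bytes[ip] == 0}


def sample_capture():
    """Constructed sample lines (not a real capture) against a hypothetical resolver 192.0.2.53."""
    lines = [
        # A legitimate secondary doing a zone transfer: handshake, request, teardown.
        "12:00:00.000001 IP 198.51.100.7.50000 > 192.0.2.53.53: Flags [S], seq 1, win 64240, length 0",
        "12:00:00.000200 IP 198.51.100.7.50000 > 192.0.2.53.53: Flags [.], ack 1, win 64240, length 0",
        "12:00:00.000300 IP 198.51.100.7.50000 > 192.0.2.53.53: Flags [P.], seq 1:48, ack 1, win 64240, length 47",
        "12:00:00.010000 IP 198.51.100.7.50000 > 192.0.2.53.53: Flags [F.], seq 48, ack 900, win 64240, length 0",
        # An infected client: one SYN, then a stream of empty ACKs and no data ever.
        "12:00:01.000000 IP 10.0.0.5.40000 > 192.0.2.53.53: Flags [S], seq 7, win 8192, length 0",
    ]
    for i in range(30):
        lines.append(f"12:00:01.{i:06d} IP 10.0.0.5.40000 > 192.0.2.53.53: Flags [.], ack 1, win 8192, length 0")
    # Ordinary UDP queries have a different line shape and are ignored by the parser.
    lines.append("12:00:02.000000 IP 10.0.0.9.53211 > 192.0.2.53.53: 4321+ A? www.example.com. (33)")
    return lines


if __name__ == "__main__":
    print(find_tcp53_hammerers(sample_capture()))
```

    Run it against `tcpdump -n -i eth0 'tcp dst port 53'` output saved to a file; the zone-transfer peer is left alone because it sent a DNS message, while the source that only ever sends empty segments is reported.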

  4. #4 (Join Date: Sep 2004; Location: /home/; Posts: 1,204)
    The best way to cripple the internet (other than letting MS run it) is to take down DNS servers.
    A lot of DoS attacks target DNS for that reason.

    soule
    Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others. - Edward Abbey

    IRC #linuxn00b

    Support your Distro.
    Slackware Store
    Archlinux Schwag

  5. #5 (Join Date: Jan 2004; Location: Ukraine; Posts: 228)
    I think a rep does not even have the right to spread such information.
    Slackware + *BSD :: RLU 301327

  6. #6 (Join Date: Jan 2003; Location: Zurich, Switzerland; Posts: 2,657)
    Originally posted by nabis
    I think a rep does not even have the right to spread such information.
    Yeah, I was surprised to read that, too. Providers in Switzerland generally conceal hacker attacks to keep their market share.

    "What can be said at all can be said clearly, and what we cannot talk about we must pass over in silence."

    Tractatus Logico-Philosophicus by Ludwig Wittgenstein (1889-1951)

  7. #7 (Join Date: May 2003; Posts: 94)
    If you are using Comcast then there is a pretty good chance that they are using AS1's DNS servers. Once those go down everything comes to a complete halt.

    Also, I do network security at work and you can actually establish a full duplex video stream over port 53! This type of attack has become a lot more common over the past couple of months.
    LINUX... at least it's not crack!

  8. #8 (Join Date: Jan 2003; Location: Denver, Colorado; Posts: 1,488)

    They were probably installing the new Carnivore hardware...

    I'm also in Colorado, and I was at a client's house setting up their new laptop and wireless network. I was unable to get online via their Comcast cable internet, and then noticed that the cable modem was dark, so I called tech support. I got a recording that said:
    We are experiencing heavier than normal call volume due to outages in your area. We are aware of the issue and have technicians working to resolve it. Your internet service should be operational again shortly; thank you for your patience.
    So I left her fully set up, and by the next morning Comcast was back online and her new setup was working.

    My Earthlink DSL never went down; they are Carnivore-free, and they advertise on JL. So the moral of the story is, if your ISP can't maintain an acceptable level of service, it doesn't hurt to shop around, because who knows what else they are screwing up. (Anyone heard of LexisNexis...)
    Slackware current (Dell Latitude D610)
    CentOS 5.2 (Servers)
    Registered Linux User # 375030

  9. #9 (Join Date: Nov 2002; Location: Dayton, OH; Posts: 986)
    psych-major-
    I've heard of LexisNexis. I live in Dayton, OH, where they have offices. They were just recently hacked and had a lot of information taken. One of the guys I work with actually was a co-op for LexisNexis during his undergraduate coursework.
    "After all you've seen, after all the evidence, why can't you believe?"

    IBM Thinkpad T21
    750 Mhz P3, 128 MB PC100 RAM, CD-ROM, 10 GB IDE HDD
    Ubuntu 9.04 Minimal

  10. #10 (Join Date: Dec 2003; Location: COLORADO; Posts: 439)
    I'm also suspecting DNS servers, because my modem had a connection and any IP I typed in was able to find that website. We were actually told the hacker stuff by an upper-level customer service guy. The lower-level one said it was due to upgrades... Go figure.

  11. #11 (Join Date: Mar 2004; Location: Gatineau, Quebec; Posts: 823)
    We were actually told the hacker stuff by an upper-level customer service guy. The lower-level one said it was due to upgrades... Go figure.
    You should be wary of what customer service people tell you; it's pretty scary the way call centers work and what management will ask the reps to tell customers. My 2 cents, coming from a few years now of working at various call centers. When I did inbound for AT&T, management wanted us to have the mindset that every customer who called to complain about their statement was a complete liar. Sad but TRUE. Also, you have to remember that CCA (customer-care associate) isn't the best-paying job, and many of us who do it only do it part time to pay the bills while in school. Many such people are often frustrated and disgruntled, not to mention immature, as many are just young kids. So yeah, if your ISP is having a serious technical problem and that causes an outage of service, sorry, but don't expect the customer service people to really know what's going on. And don't expect management to encourage the CCAs to tell the public the truth if there has been any kind of security breach.
    Linux user #367409

  12. #12 (Join Date: Dec 2003; Location: COLORADO; Posts: 439)
    management wanted us to have the mindset that every customer who called to complain about their statement was a complete liar. Sad but TRUE.
    Oh, Apple tried this on me recently when my iPod was returned to sender due to a bad address. Their web form had changed my address, and the guy tried to blame me for not setting up my account right, although somehow other purchases have been successful.

  13. #13 (Join Date: Apr 2001; Location: SF Bay Area, CA; Posts: 14,936)
    Originally posted by Gertrude
    What looks to be happening is trojan/virus-infected PCs will make a TCP connection to port 53 of the DNS server,
    Um, DNS uses UDP port 53, not TCP port 53.

    A flood of packets sent to TCP port 53 will not affect the ability of a DNS server to respond -- unless the kernel has trouble responding in general, just because so many packets are coming in.

    As to the actual problem, Comcast might be running their DNS servers in "stupid" mode (i.e. "I'll trust whatever traffic I get from wherever" mode). This is the default with BIND 4 and 8, and also with Windows DNS for any version before 2000 SP3. In "stupid" mode, if a malicious upstream DNS server sends some extra records in its reply to the "stupid"-mode server, that server will put those records into its cache, overwriting the records that should be there.

    (Windows' DNS server on 2K SP3 and up is still vulnerable to this if you've configured forwarders that are vulnerable. Microsoft, in their infinite wisdom, said "Well, the admin has configured a forwarder. Here's a good idea: let's trust that the forwarder has removed any malicious records from the DNS packet! Yeah, that'll be a good idea! Less work for us, yay!" So if your Windows DNS server makes a request to its forwarder, and the forwarder does not strip out the malicious records, your Windows DNS server will become poisoned, regardless of how well you've set it up.)

    It has been happening to a lot of vulnerable DNS servers lately. They query some evil DNS server out on the internet, which provides the answer to the query. But it also provides an extra record, saying "oh by the way, my IP address is the authoritative name server for the .com domain." Vulnerable DNS servers cache that value, so the next time the user tries to look up google.com, the request goes to the evil DNS server (rather than one of Verisign's servers, which is where it should be going). The evil DNS server responds with a preconfigured pair of IP addresses (the same ones no matter what name the user asked for), which serve up a whole slew of IE exploits.

    Anyway, Comcast's servers might have been poisoned, which would make them serve up incorrect addresses. This may not be it (especially if you're not getting any response at all), but you never know.
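    What the post above calls "stupid mode" is a resolver that caches every record in a reply regardless of which zone the answering server is responsible for. The countermeasure later resolvers apply is a bailiwick check: a record is cached only if its owner name lies inside the zone the queried server was asked about. The block below is an added example, not code from this thread or from any resolver: it builds a constructed reply from a hypothetical attacker-run server for evil.example (all names and addresses are made up), parses it, and shows the check discarding the out-of-zone "com. NS" record while keeping the genuine answer. Note the caveat: this check only addresses the extra-record trick; a reply forged by a third party that races the real one is a separate problem that needs unpredictable transaction IDs and source ports.

```python
import struct

A, NS = 1, 2          # the only RR types this example needs
IN = 1                # class IN


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))


def build_response(qname, answers, authority, additional, txid=0x1234):
    """Build a DNS response (QR=1, AA=1) to an A query; each RR is (owner, type, rdata)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), len(authority), len(additional))
    body = encode_name(qname) + struct.pack("!HH", A, IN)
    for section in (answers, authority, additional):
        for owner, rtype, rdata in section:
            body += encode_name(owner) + struct.pack("!HHIH", rtype, IN, 3600, len(rdata)) + rdata
    return hdr + body


def read_name(msg, off):
    """Decode a possibly-compressed name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """Return (qname, {section: [(owner, type, value), ...]}) for answer/authority/additional."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                   # QTYPE, QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata, rstart = msg[off:off + rdlen], off
            off += rdlen
            if rtype == A:
                value = ".".join(str(b) for b in rdata)
            elif rtype == NS:
                value, _ = read_name(msg, rstart)  # NS target may use compression
            else:
                value = rdata.hex()
            rrs.append((owner, rtype, value))
        sections[key] = rrs
    return qname, sections


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name below it."""
    o, z = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return o == z or o.endswith("." + z)


def filter_cacheable(sections, zone):
    """Keep only records whose owner lies inside the zone the answering server
    was queried for; everything else is discarded instead of cached."""
    kept, dropped = {}, []
    for key, rrs in sections.items():
        kept[key] = [rr for rr in rrs if in_bailiwick(rr[0], zone)]
        dropped += [rr for rr in rrs if not in_bailiwick(rr[0], zone)]
    return kept, dropped


def poisoned_reply():
    """Constructed reply from a hypothetical attacker-run server for evil.example.
    The answer is honest; the authority section claims its host is the NS for .com."""
    return build_response(
        "www.evil.example.",
        answers=[("www.evil.example.", A, a_rdata("203.0.113.10"))],
        authority=[("com.", NS, encode_name("ns1.evil.example."))],
        additional=[("ns1.evil.example.", A, a_rdata("203.0.113.66"))],
    )


if __name__ == "__main__":
    qname, sections = parse_response(poisoned_reply())
    kept, dropped = filter_cacheable(sections, "evil.example.")
    print("query:", qname)
    print("cached:", kept)
    print("rejected:", dropped)
```

    A resolver without the check would cache "com. NS ns1.evil.example." and send every later .com lookup to the attacker's host, which is exactly the redirection described above; with the check, the glue for ns1.evil.example is harmless because the NS record that would make use of it is never stored.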

  14. #14 (Join Date: Aug 2002; Location: Western NY; Posts: 1,116)
    Originally posted by bwkaz
    Um, DNS uses UDP port 53, not TCP port 53.

    A flood of packets sent to TCP port 53 will not affect the ability of a DNS server to respond -- unless the kernel has trouble responding in general, just because so many packets are coming in.

    That's not true. Zone transfers go over TCP 53. Also, TCP 53 can be used to help with very long domain names if UDP is inefficient in delivery.

  15. #15 (Join Date: May 2003; Posts: 184)
    Originally posted by bwkaz
    Comcast might be running their DNS servers in "stupid" mode (i.e. "I'll trust whatever traffic I get from wherever" mode). (...) In "stupid" mode, if a malicious upstream DNS server sends some extra records in its reply to the "stupid"-mode server, that server will put those records into its cache, overwriting the records that should be there.
    Why would a big company do/allow something like this? Aren't they supposed to have a few of the best techs out there?
