Vulnerability Development mailing list archives

Re: Comcast man-in-the-middle attack - tech


From: J Edgar Hoover <zorch () totally righteous net>
Date: Sat, 9 Feb 2002 15:12:15 -0800 (PST)


When I brought this thread up, I was wearing my "comcast customer" hat. In
that context, I felt it was obviously inappropriate for my provider to be
logging the content of my packets.

Apparently many network admins/security professionals don't agree.
Managing a network does at times require the use of invasive diagnostic
tools, and network professionals need to defend their ability to use them.
The appropriate use of these tools probably warrants discussion in an
ethics thread.

Other Comcast customers that have contacted me are more interested in the
technical aspects. Questions like:

"I currently have comcast and live in Maryland.  I was wondering if this
server could be one of the reasons why my inet connection has been awful
for the last week and same with my friend who lives in the same area?"

The Inktomi proxy server they are using uses a rather clumsy method, which
does cause some functionality problems, and introduces significant and
perceptible delay. Performance is greatly impaired by the use of this
server.

When a windows user "clicks a link", his machine uses dns to resolve the
IP of the target machine. It then sends tcp traffic to the IP of the
target, which is diverted to the Inktomi server. The Inktomi server then
sets up the full tcp handshake, spoofing the IP of your target, and
accepts the TCP packet(s) destined to your target. It parses the content
for the Host: field, extracts the url, and again does a dns query to
resolve the target IP, and finally sends your request along.

All of this is extra wasted time introduced by the use of this server. The
end result in my case is a perceptible delay in the start of an http
connection, approx 2 seconds longer than it took a week ago.

And some just don't work at all.

Any argument that this "improves the quality of service" is utter BS.

Being "security conscious", they appear to be running BlackIce/RealSecure.

Remote management via web browser appears to be enabled, but from a
restricted set of IPs.

SSH-1.99-OpenSSH_2.9p2

Zeus on port 9090.

It appears to me that this machine is ownable. Being a law-abiding citizen
I would never do that. Only a bad guy would. So, my traffic is now
available to comcast and any bad guy with the technical abilities and
desire to look at it.

What's new about that? Until a week ago, comcast hadn't provided a
handy-dandy place for a bad guy to find my *logged* traffic. The only
practical way he could get that info was to sniff in realtime, which
introduces more problems than it is worth.

Other than tunneling, I haven't found a way to avoid using this proxy for
http. If anybody has any suggestions, I'd like to hear them.

I'd also like to hear any comments about how to
avoid/own/confuse/clutter/break/make this thing smoke.

A little bird told me there are several ways to exploit this thing, but
I'll leave that to others to explore, I have a feeling comcast is
watching.


z
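The Host-header re-resolution described in the post (divert the TCP connection, parse the request for Host:, look the name up again, then forward), modelled as an added Python example that is not code from the original post nor from Comcast or Inktomi. The hostnames, addresses and the proxy's DNS table are constructed for the example; the model shows why an HTTP/1.0 request without a Host header, non-HTTP bytes on port 80, or a name the proxy resolves differently from the client all end up broken or sent somewhere the client did not choose.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed DNS view of the proxy (placeholder names and addresses, not real records).
EXAMPLE_DNS = {
    "www.example.test": "192.0.2.10",
    "mirror.example.test": "198.51.100.7",
}


def extract_host(raw_request: bytes) -> Optional[str]:
    """Return the hostname a Host-header based transparent proxy would forward
    to, or None when the request carries none (an HTTP/1.0 client, or bytes
    that are not HTTP at all, e.g. a TLS ClientHello sent to port 80)."""
    text = raw_request.decode("iso-8859-1")  # never fails; keeps raw bytes 1:1
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # no request line: the proxy has nothing to parse
    target = parts[1]
    # Absolute-form target ("GET http://host/path") names the host itself.
    if target.lower().startswith("http://"):
        authority = target[len("http://"):].split("/", 1)[0]
        return authority.split(":", 1)[0].lower() or None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":", 1)[0].lower() or None
    return None


@dataclass
class ProxyOutcome:
    host: Optional[str]          # what the proxy extracted from the request
    forwarded_to: Optional[str]  # where the proxy's own DNS lookup sent it
    status: str                  # "forwarded", "rerouted" or "dropped: ..."


def emulate_transparent_proxy(
    client_dst_ip: str,
    raw_request: bytes,
    resolve: Callable[[str], Optional[str]] = EXAMPLE_DNS.get,
) -> ProxyOutcome:
    """Model the sequence in the post: the client's connection to client_dst_ip
    is diverted, the proxy parses Host:, re-resolves it, then forwards."""
    host = extract_host(raw_request)
    if host is None:
        return ProxyOutcome(None, None, "dropped: no Host to resolve")
    resolved = resolve(host)
    if resolved is None:
        return ProxyOutcome(host, None, "dropped: proxy could not resolve host")
    if resolved != client_dst_ip:
        # The proxy trusts its own DNS answer over the address the client chose.
        return ProxyOutcome(host, resolved, "rerouted")
    return ProxyOutcome(host, resolved, "forwarded")


def run_samples() -> List[ProxyOutcome]:
    """Constructed client connections, all aimed at 192.0.2.10 on port 80."""
    samples = [
        ("192.0.2.10", b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
        ("192.0.2.10", b"GET / HTTP/1.0\r\n\r\n"),                         # old client, no Host
        ("192.0.2.10", b"GET / HTTP/1.1\r\nHost: mirror.example.test\r\n\r\n"),  # client's own DNS disagrees
        ("192.0.2.10", b"GET / HTTP/1.1\r\nHost: unknown.test\r\n\r\n"),    # name the proxy cannot resolve
        ("192.0.2.10", b"\x16\x03\x01\x00\x05hello"),                       # not HTTP at all
    ]
    return [emulate_transparent_proxy(ip, req) for ip, req in samples]


if __name__ == "__main__":
    for outcome in run_samples():
        print(outcome)
```

The "rerouted" outcome is also the simplest way for a customer to confirm the proxy is in the path: when a connection opened to one address returns content for whatever name the Host header carries, something between you and the server is re-resolving that name on its own.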
