I have had problems with my HTTP service since Nov 2011 - and it's a direct result of the Constant Guard e-mail / in browser notification. Some background:
I'm not a n00b user - software engineer on security teams. Work alongside pentesters, vscan, ethical hackers, etc.
I have a motorola sb6121, behind that is an apple airport extreme. I have one Win7 (running Kaspersky) and one MacOSX machine.
When I get the constant guard e-mail alert, I promptly lose HTTP service for 1 - 2 days. I can still use SSH, e-mail and chat clients (sametime, IRC, google talk). I work from home, and can still get to my Corporate VPN. I can still ping HTTP sites like google.com, comcast.com, comcast.net.
The first few times I had this problem, I freaked out and ran netstat, nmap, wireshark, and kismet to scan my network and the networks around me. I also ran the MS Malware removal tool, Kaspersky malware removal tool, McAfee stinger, kaspersky root kit detector, and installed rubotted on my Win7 machine. This last time, I decided to install and run the Norton suite from comcast on both my mac and my windows machine (I've since uninstalled it - Norton sucks). NONE of these things has found any problems. The only thing found has been a few trojan attachments that came into junk mail - they're automatically removed, and I'm not dumb enough to click them anyway.
Since this has been happening, I have been keeping track. I have received the e-mail notices from constant guard at least twice when I had no computers connected to the network at all. If these e-mails are being sent right when 'bot' activity is detected, then there is a problem in your detection. I have also taken zero actions 6 times, and within 1 - 2 days, my HTTP service mysteriously starts working again. This tells me that my connectivity issues are originating from the comcast side. Servers will 'bounce' and try to recover themselves - home user computers / networks do not.
The thing that seems to fix the problem the fastest - I power off and disconnect my modem from the cable, then connect my Mac directly to the modem, power up and wait for an in-browser alert to come from Constant Guard. As soon as I get that alert, if I acknowledge it, I get a second e-mail from Constant guard, but then my HTTP service starts working almost immediately. The problem is, the in-browser alert may come in a few minutes, or it may come in 20 hours. Also, when I power cycle the modem, I only have HTTP connectivity for 2 - 5 min - I have to keep cycling my modem until I get the in browser alert, which gets old REALLY fast.
I've looked at the constant guard in browser alert code, and it appears similar to an HTML Injection attack or cross site scripting attack. So I think one of two things is happening:
1) My security is seeing that popup as suspicious, and is not letting it through - and Comcast keeps sending it, which means that comcast is inadvertantly blocking my other HTTP return traffic
2) Comcast is intentionally blocking my HTTP traffic
I have requested the security logs / evidence of bot activity from Comcast several times, and Comcast has not provided one shred of evidence to support their claim. Without evidence, this whole thing looks like a campaign to scare users into buying additional services from Comcast. In fact, in the bottom of the Constant Guard alert, is this nice little disclaimer:
"This is a service-related email. Comcast will occasionally send you service-related emails to inform you of service upgrades or new benefits to your Comcast High-Speed Internet service. "
This disclaimer tells me that the Constant Guard alert is nothing more than a sales pitch that borders on fraud.
No matter what, this is affecting my HTTP service that I am paying good money for. Comcast needs to disable the constant guard alerting to my account until they get it fixed.
UPDATE: 2011-02-06 10:00 am MST
Spent an hour on hold trying to get to the customer Security Assurance group - finally got in. Spoke with a very patient tech who reviewed my ticket. According to him, he ran a tool to detect bot activity that they have available, and saw no bot activity from my IP Address. He also saw no history of bot activity on this IP address for quite a while. I had a different IP address last week (because of DHCP) and was able to provide that to him - saw no bot activity there either.
I informed him of my suspicion that the in browser notification was possibly malformed / flooding return HTTP requests (blocking my HTTP service) - he was able to lift that 'gate', and as soon as he cleared that alert, my HTTP service worked again. He referred me to level 3 support, and I'm awaiting a call back, but at least I can access HTTP now.
Just happened again tonight right around 23:00 MST.
This time I did have my computer online at least.
No note from Comcast Constant Guard bot alert yet. Waiting for that to arrive.
Comcast appears to be doing some sort of maintenance at the moment - half of my comcast customer panels state that information is unavailable.
I finally gave up waiting for the in-browser notification (the gate) after 2 hours and shut down the computer. I called into the comcast security center the next morning (30 min hold) - and as soon as they lifted the gate, my service worked fine.
Can you check mine, too? How do I do a PM to send my IP address? I have a very similar problem as the person who started this thread. At times I can only pull up a few Comcast pages and nothing else. This problem is much more noticelable when I have my Macs connected to my router (which I have just replaced trying to fix this issue... because my WRT350N Linksys had firmware that had a potential vulnerability for DOS attacks). When connected to the router my connection just dies (I am using DHCP in the router and in the Macs). Sometimes I can't get it back for days, even when I use a single computer connected to the cable modem... which is the only way I ever get a connection now. Am I being flagged out of the system for a period (a Comcast tech said 72 hours) if there is any suspect activity? I've gotten messages that said I had the Alureon malware, this is a Windows infestation.... I have Macs. The Comcast tech I spoke with said it can merely 'look' like Alureon to the Comcast system. Comcast has told me to call Apple and Norton. I've done that. I've installed The Norton software on all my Macs, still no joy. Norton remotely looked at my computers, they said they were clean. When I replaced the router I got service (for all my Macs) from the time I replaced it (4 p.m.) until I went to bed. The next day the problem was back. I've had this for abut 2 months or so. It's seems very strange to me that I can pull up Comcast pages (the support ones) but nothing else. I'd like an explanation for how that works. The tech said my service was basically being suspended when an alert was being given... until I responded to it. I have a ref# from my latest call to Comcast: REF# NA37980971
Can you check mine, too? How do I do a PM to send my IP address? I have basically the same problem. At times I can only pull up a few Comcast pages and nothing else. This is much more noticelable with I have my Macs connected to my router (which I have just replaced trying to fix this issue). I have a ref# from my latest call to Comcast: REF# NA37980971
Karen and Steve
Hi Karen and Steve and welcome to the Comcast Forums,
As you will find out quickly, this is basically a customer to customer forum, in that only those users with the RED user namesare Comcast Employees. The rest of us are customers, just like you, who volunteer tgheir time so we can provide answers for some questions, we obviously do not have access to all info to answer all your questions. That said hre's the info on the PM you requested:
Private Messages (PM’s)
At the top of each Forum page you will see a small white envelope
This is the icon for Private Messages, referred to as ‘PM’s’. A Private Message is a way to communicate in private, to another User, Moderator, or Administrator out of public view in the Forums.
The white envelope turns to yellow when you receive a PM.
To open a PM to read it, double click on the yellow envelope. If you click on the white envelope a window will open with tabs for your Private Message Inbox, Sent Messages, Friends, Ignored Users, and Compose new Message. You can also access this area by clicking on the Username in a Thread or post. By default, Private Messages are enabled. You can disable this feature in My Settings>Preferences> Private Messenger.
Hope this helps!
A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'
Happened again last night - approximately 22:30 MST. Fortunately, I was able to immediately take my router offline, and reconfigure to run straight through the modem, and the in-browser alert came up within an hour. I was able to acknowledge the alert and lift the gate. Everything is running normal now.
I may have a source of false signature for your bot service to investigate.
On at least 6 occassions, my wife has been playing Club Pogo (Put out by EA - pogo.com) during the 21:00 - 23:00 time frame (when Comcast systems do maintenance, and I typically lose HTTP service). Perhaps the systems are seeing some traffic associated with that site that is causing a false signature? The site uses a lot of java, some flash for their games.
I had a tech mention the alureon bot (referred to by many other names as well).
The bot doesn't affect Mac systems - especially if updated. If you have a windows system, you can get the Kaspersky root kit removal tool - it will detect and remove alureon, as well as other known root kits.
Turst me, I'd rather not have Norton on there if I could help it but they suggested it so I did it. A Norton tech accessed me remotely and said I was "clean". Who knows if it's accurate or not, I just know that I'm tired of these things that have been going on for months now. Today, as I had the flag lifted AGAIN I was told that March 6 will be the day this stops happening. My patience is growing very thin. Today the tech also said I should try intego.com. I've been searching for the OSX Lion rootkit command with no luck so far, at least, from what I've seen on the internet.
I have not had this issue since 2/14 (shortly after the techs said they would have something new in BETA).
I've had a script running every hour that I'm online and at my home location - it logs my local IP address and checks HTTP connectivity to websites (google.com, comcast.com) - no issues reported there.
I have not done anything to my systems since 2/10, so whatever was happening, it was external, coming from comcast. I still advise pulling norton off of your Mac systems.
uaedirb wrote: so, I have followed the instructions on the xfinity website to self perform the fix for the dnsbot, and still get the red page indicating infection. anyone been able to do this successfully?
Unless the poster has the list of DNS Changer IP addresses, then using the method you posted is not of much value.
The DNS OK website, http://dns-ok.us/, is the best method to use, regardless of Operating System. If your computer, or a program running on it, is using one of the proscribed DNS IP addresses, then the background will be red.
Make sure that all computers on your local network have been checked,. If you use a router, then reset it to factory defaults.
"Once I talked to the inmates of an insane asylum in Hartford. I have talked to idiots a thousand times, but only once to the insane..." Mark Twain