Aug 1, 2012

Taking Steps to Prevent Unintentional Network Abuse

Beginning today, we are taking additional steps to secure our network against abuse or attacks that leverage our customer's network devices without their knowledge. The measures are aimed to protect our customers and the quality of their broadband experience, reduce malicious traffic, and help protect targets of abuse or attack that are outside of our network.

The first step we are taking is to prevent distributed denial of service (DDoS) attacks that utilize Simple Network Management Protocol (SNMP) reflected amplification technique. That's quite a mouthful, but it refers to an attack that can occur when SNMP queries with a spoofed source IP address are sent to our customers' home gateway devices. Those home gateway devices, or routers, are customer-owned, and not Comcast-managed. The SNMP queries result in a response from a home gateway device that is reflected and amplified, directing an overwhelming volume of traffic against a target.

To address this issue, we will gradually change our default residential Internet device bootfile to restrict SNMP by default. If customers wish to use SNMP, they can contact our Customer Security Assurance team to be switched to a bootfile that allows SNMP (business class customers are unaffected).

Since the potential for this attack exists on nearly any residential Internet network and since we are sensitive to the implications of blocking a new port, we asked the Broadband Internet Technical Advisory Group (BITAG) to study the issue. The BITAG is an organization we support, that brings together network operators, application providers, community representatives, content producers, equipment manufacturers, and other observers. That group has issued a report today on this issue, which you can find here. Working with BITAG has allowed us to collaborate with other network operators on this issue and has helped us improve our approach to address it.

In addition, we are refining our approach for Simple Mail Transport Protocol (SMTP) specifically the use of TCP port 25. We have for many years blocked this port on an as-needed basis, leaving it otherwise available for customer use, though many other ISPs moved to block port 25 for all users. We used an as-needed block for the convenience of our customers and based on the risks at the time, though for many years M3AAWG, IETF, and other groups recommended that this port should not be used for mail submission by email clients such as Mozilla Thunderbird.

Unfortunately, malicious botnets responsible for sending spam are increasingly abusing this port, which means we need to refine our approach. As a result, we will gradually change our default residential Internet device bootfile to block TCP port 25 by default and direct our customers to use port 465, which is more secure. We will continue to support the industry standard, port 587, but it does not offer the greater security of port 465. If customers wish to use port 25 for SMTP, they can contact our Customer Security Assurance team to be switched to a bootfile that allows SMTP (business class customers are unaffected). For all the details and background on the SMTP decision, please see this companion blog post.

For additional information:

- Full list of blocked ports:

- Comcast's Network Management site:

- Customer Security Assurance:

Tags : Broadband Internet Technical Advisory Group, DDos, Network, Simple Network Management Protocol, SNMP


Follow Us
comments powered by Disqus