Brian Krebs reported yesterday that Comcast will be implementing its bot detection feature nationwide. Comcast will apparently put an overlay on websites when visited from an IP that exhibits signs of bot activity. I don’t claim to be a security expert, but I think I’ve been in the business long enough to say “that’s really stupid.”
While I agree with Comcast’s efforts to fight bot infestations, they are going about it in exactly the wrong way. Running man-in-the-middle code is unacceptable, regardless of the intent. If the code is inserted into anything other than HTTP traffic, it will almost certainly break things, and I imagine that certain kinds of HTTP applications will break, too (specifically automated retrieval/parsing of sites). Additionally, it opens up another attack vector if Comcast itself suffers a breach.
Perhaps the worst part of this plan, though, is the impact it has on user education. For most users, nuance is not appropriate. Despite repeated warnings about the illegitimacy of “Your computer is infected!” pop-ups, people still click on them. Now suddenly there’s the Comcast nag with a link to download anti-malware tools. Comcast seems to assume that users can handle the nuance. My own experience suggests otherwise.
Unlike the authors of some of the comments on the post, I’m not concerned that Comcast can determine when a host (well, a customer’s connection, which may have several hosts behind the router) is operating as part of a botnet. While they could be inspecting the contents of the packets, it’s more likely that they’re just using the routing information and other already-visible data. There are some hosts and traffic patterns that are generally indicative of bot activity, but not conclusively so. That’s how the network security group at my employer works, in fact: they determine that a host is displaying suspicious behavior, and notify the local admins to investigate. Sometimes, it’s a false alarm, which is another cause for concern. If users get the Comcast “you’re a bot!” warning, act on it, and it turns out to be false, will they take it seriously again?
I don’t have an answer for Comcast. They’re trying to do a great thing by combating botnets (not altruistically, of course, but helping their network helps their customers too, so who’s to complain?), but the current method of informing affected users is a really bad idea.