Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
The Internet Operating Systems Software Windows

Noticed Welchie/Nachi in Your Bandwidth Bill, Yet? 94

Posted by Cliff from the those-pesky-extra-packets-you-didn't-ask-for dept.
Pinkboard Panther asks: "I have recently received my bill for Internet usage for last month and discovered it is 4 times higher than expected. Since there had been no increase in usage of the sites I run I had to search elsewhere for the exorbitant increase. Eventually I tracked it down to my firewall being bombarded with 20,000 ICMP Echo requests a minute from many different IP addresses. This adds up to $A10 per hour or $A240 a day. I still need to battle with my ISP over whether I should be paying for this. It seems that the Welchie/Nachi worm sends out pings to find what machines are out there before it moves onto deeper probes. I can't believe that I am the only site out there which is being attacked in this way. There must be lots of other sites out there who are affected this way. Maybe they just haven't received their bills, yet?"
This discussion has been archived. No new comments can be posted.

Noticed Welchie/Nachi in Your Bandwidth Bill, Yet? More

Noticed Welchie/Nachi in Your Bandwidth Bill, Yet?

Comments Filter:
  • well here in Toronto, both the major ISPs, Rogers and Sympatico have a nice habit of overcharging these days. Bills of $100 per month and over are not un heard of. There are over 50 broadband providers but many are small-name untested services I wouldnt wanna risk trying. But since the Rogers and Sympatico both have started bandwidth caps, it is time to give the ones without such caps a chance. Let capitalism take its course.
    • Sympatico has removed caps on the High Speed and Ultra High Speed services.
    • "But since the Rogers and Sympatico both have started bandwidth caps..."

      When is the last time you checked on these caps? Both Rogers and Sympatico removed them. When I came back to school at the beginning of the month and was getting my apartment internet service, I called both of them and asked. Both said "No caps!" I went with rogers because I think anything over POTS is crap. Plus I hate Bell with a passion.

      The best Canadian ISP, afaic, is Shaw Cable. I bet they'd be very reasonable in a situatio
    • There are over 50 broadband providers but many are small-name untested services I wouldnt wanna risk trying.

      I'd be surprised if any of them were selling anything other than Sympatico and Rogers.

      Kind of hard to lay your own cable network these days.

    • When Cogeco started leaning towards enforcing their bandwidth caps (amongst other serious snafu's), I signed up with a local broadband ISP (www.jet2.net). To be honest, I have never had a problem.

      Its the same price as Sympatico or Cogeco, good speeds and no issues. I also havent been dicked around for having port 80 running a service, or being double billed.

      I don't get 24x7 technical support, but thats not generally an issue, the service went down once (bell cut my line), they refunded that month.

  • Use NetFlow to prove it was Nachi traffic. (Score:5, Informative)

    by Mordant ( 138460 ) on Friday September 19, 2003 @05:01PM (#7007927)
    See these [cisco.com] links [linuxgeek.org] for more [arbornetworks.com] info [splintered.net].

  • Standing class action law suit (Score:3, Interesting)

    by m0smithslash ( 641068 ) on Friday September 19, 2003 @05:03PM (#7007950) Homepage Journal
    We were just commenting today on how there should be a standing class action law suit against Microsoft. We could not think of a real reason, be you seem to have one here. The loss of business and revenue, whether from your pocket or your ISP's pocket, mulitplied acorss many ISPs seems like a case to me

    My ISP is having almost continual problems being flooded with random worm noise.

    • I agree totally.

      Going slightly off-topic here...
      It seems to me that Microsoft is a *huge* drag on the overall economy these days.
      And it's not just due to the network background noise,
      but putting up with all of the Microsoft holes that can be exploited over the net.

      Maybe the Department of Homeland Security should sue them. ;-)

    • Re:Standing class action law suit (Score:5, Insightful)

      by Anonvmous Coward ( 589068 ) on Friday September 19, 2003 @10:08PM (#7009776)
      "We were just commenting today on how there should be a standing class action law suit against Microsoft. We could not think of a real reason, be you seem to have one here. The loss of business and revenue, whether from your pocket or your ISP's pocket, mulitplied acorss many ISPs seems like a case to me "

      Ugh. It's funny how morals here perform a complete 180 when there's an opportunity to get Microsoft into trouble.

      Here's the simple fact: Microsoft didn't write the worm.

      Now you can make the argument if you like that Microsoft was negligent. Just remember, that if you follow that logic, then Linux could find itself liable down the road. Some jackass comes up with an exploit, it causes trouble, and the Linux community is punished for it. Do you really want that?

      I have other issues with this line of reasoning. If I walk into a hospital with a cellular phone and intentionally use it to jam equipment there, should Nokia be sued for it? What about the company who made the equipment? Considering that the disruption was caused malisciously (sp?), then the finger needs to be pointed at me.

      I would strongly urge the Slashdot Community to be very careful about what you wish for, especially when it concerns punishment for Microsoft. It's fun to hate them and all, but the consequences they recieve could wind up biting you in the butt. Eolas comes to mind...

      • Now you can make the argument if you like that Microsoft was negligent. Just remember, that if you follow that logic, then Linux could find itself liable down the road. Some jackass comes up with an exploit, it causes trouble, and the Linux community is punished for it. Do you really want that?

        Yes.

        That would be fair. And, nevertheless, it would at least level the playing field in the new marketing dominion for the 21st century: responsibility.

        People are sick and tired of things working 'just becase
        • etc.

          Apologies for my recently germanified english ...

        • Re:Standing class action law suit (Score:1, Interesting)

          by Anonymous Coward
          A better solution would be to put the blame (and the cost) on those who directly cause the inconvenience. If the users of infected machines are hit where it hurts most, they will look for better solutions, at which point you get what you want: Safer systems through the magic of market economy. I think inbound traffic should be free. Only outbound traffic is under the customer's control. Don't want to pay for pings? Don't answer them. This way, all traffic is paid for once, not twice like now btw.
        • >Yes.
          >That would be fair. And, nevertheless, it would at least level the playing field in the new marketing dominion for the 21st century: responsibility.

          If you care about the future of Linux you do not want this.

          Say that MS gets sued for a bug. They have lawyers, money and insurance so that legal liability isn't a huge concern. Look at how much money they tossed at SCO. Thats some department's weekly salary cost, not a problem.

          Say that a group working/responsible for Linux code gets sued. Can
          • I do care about the future of Linux, but one thing that everyone that has been involved in Linux has to understand that free, open, honest source code has its liabilities. Linux coders *MUST* be careful not to break laws, and violate other intellectual property - and the only way to do this is to continue to have open publication of the code for others to review.

            If Linux went to court over some IP issue, then that would be fair - the courts are *supposed* to be a fair-dealing arena for the addressing of w

      • I don't think a sufficient case could be made against Microsoft [microsoft.com] yet. But maybe you should talk to your legal department about suing the people whose computers were infected. Then they could turn around and sue M$ for allowing a worm onto their computer.

        • Here's a thought:

          You willingly plug your computer into the public internet. You therefore take the responsibility for anything that the public internet does to your computer.

          It's not like these viruses are breaking the technological rules of the internet. It's not as if they're circumventing IP. They're operating within the rules that you agree to when you jack in, so you have no room to complain when bad things happen.
      • There's a legal theory for enabling evil acts. Pretend I leave my car keys in my car with the motor running. Someone drives my car away and hits someone. I can be sued by the person who got hit.

        Fair? Perhaps not. Possible? Yes.
    • No.

      You could not think of a real reason? So you're just looking for an excuse to justify your bias or hidden reasons.

      There are plenty of other battles worth fighting where the real reasons are obvious to you. So why not fight those instead?

      Winning the wrong battle can be very costly.
    • Microsoft made bad software and they will get sued for it. This flaw isn't a direct flaw (read Naders Unsafe at Any Speed about the Corvair) but an indirect flaw (Pintos that went boom after being hit). There are two different classes of product irresponsibility and MS is clearly guilty because they didn't do everything in their power to stop this problem and it lead to direct financial damages to others. They are going to get sued and they will not win.

      In Australia, the big problem was the excessive ab

  • Yup... more info here (Score:4, Informative)

    by Anonymous Cowdog ( 154277 ) on Friday September 19, 2003 @05:09PM (#7007992) Journal
    I've been asking around about this, and it's amazing how many people are just brushing it off as nothing. It is a serious issue for IP addresses that are being hit.

    Here are some more posts on the topic, elsewhere. Note how some people just say "Oh, you are getting hits! Hits are good, no?".

    http://www.webmasterworld.com/forum39/1435.htm [webmasterworld.com]

    http://lists.jammed.com/incidents/2003/08/0369.htm l [jammed.com]

    http://www.derkeiler.com/Mailing-Lists/linuxsecuri ty/2003-08/0002.html [derkeiler.com]

    The blocking rules people suggest (see page five of the first link) don't work at my site, for some reason. Maybe it's because I only have access to .htaccess, not my own httpd.conf.

  • hmm interesting... (Score:4, Insightful)

    by josepha48 ( 13953 ) on Friday September 19, 2003 @05:14PM (#7008034) Journal
    you get charged case someone else uses up your bandwidth by a worm... Well I'd threaten to sue, and then sue, but I think someone else here mentioned there is a class action lawsuit about this.

    However they probably just see the ping using up your bandwidth and that is what they are looking at. I'd probably start loging all IP addresses that are pinging your server and then go after all these users. After all they are infected with this worm and until people who get on the internet start being responsible for keeping their machines firewalled, updates and locked down as much as possible from hackers these things will continue. Most of the MS worms could be prevented if people used zone alarm or black ice or another firewall product. Also most of the Linux and bsd exploits could be avoided if they setup firewalls and update their systems and kept on top of security.

    No it is not your fault, so go after those who are using up YOUR bandwidth and sue them and make them pay. It is their irresponsibility and stupidity that are causing these problems.

    • Black Ice (Score:4, Informative)

      by Vaevictis666 ( 680137 ) on Friday September 19, 2003 @05:33PM (#7008182)
      I don't know if things have changed since I looked at it last, but the latest version of Black Ice Defender was a port monitor, not a firewall.

      The difference is that a real firewall (Like Zone Alarm [zonelabs.com] or Sygate [sygate.com] (free is down at the bottom)) will block the traffic, prompt you to allow/disallow it, and then follow instructions.

      Black Ice, on the other hand, will simply watch ports, log traffic, and when someone tries to access your RPC port or whatnot, it simply sets a flag "Serious Error - Someone Hacking" and starts blinking in the system tray. No real response, no ability to block it in the future, just simple monitoring.

      In other words, it's a complete waste of CPU cycles from a security standpoint, and if you're using it for traffic monitoring you'd be better served with Ethereal [ethereal.com].

      • Maybe we were looking at different products. IIRC, BlackICE Defender had firewall functionality. The new version, now named RealSecure Desktop, shares IDS signatures with other RealSecure products and can do the whole "active response" thing, including blocking packets, sending TCP RSTs, etc. If you use the enterprise version, it is administered centrally using the ISS SiteProtector console software (which is why we're looking at it at $ORK).

        In fact, I seem to recall being impressed with its applic

        • Hmm... OK it looks a lot better than when I last took a look at it if I go by the product blurb.

          Yes it was BlackICE Defender, by Network ICE, that I was referring to, but that was quite a while back. And as far as App-specific firewalling that's why I use Sygate. I never could get myself to like Zone Alarm, and I never got around to re-evaluating BlackICE.

      • No real response, no ability to block it in the future, just simple monitoring.

        Right Click on the intruder's name -> Block Intruder -> For Hour/For Day/For Month/Forever.

        The same for Trust Intruder.
        • and if you're away from the machine while it happens, what's the default? If it defaults to allow then what's the point?

          • Re:Black Ice (Score:2, Informative)

            by prostoalex ( 308614 )
            That would be Tools->Edit BlackICE Settings, then Firewall tab and level of protection (Paranoid, Nervous, Cautious, Trusting). Defaults to Trusting :-)
      • a real firewall (Like Zone Alarm or Sygate
        Sorry, but Zone Alarm and Sygate are not real firewalls. They're cheap hooks. A real firewall doesn't run in your system tray; it runs in a room, by itself.
    • No it is not your fault, so go after those who are using up YOUR bandwidth and sue them and make them pay. It is their irresponsibility and stupidity that are causing these problems.
      But most Isps don't keep that kind of traffic logs, and if your end of the link is overloaded, your won't be able to either... And you might be charged extra for any retransmits... Wonders how much extra I'd have to pay to get trustworth, detailed connection logs, by provenance/ip/port for any given connexion size/usage... A
      • >Maybe that's why my bandwidth provider won't identify the other end of the link

        It's not hard to identify the other end of the link. One of the things these worms, or at least one of them (Welchi) does is access the root document of your httpd server if you have one running. So you get lots of hits to http://www.yourdomain/, aka index.html, coming from various IP addresses. The most obvious way these hits are distinguished from normal browser accesses is they don't load images or stylesheets.

        So if you
      • Then you need to switch ISP. I'm not 100% sure I understand the problem fully. Is this a DSL web server? If so you have the logs.

        If this is a business account with someone like earthlink then threaten to take them to court to get the logs and IP addresses, I belive that one of the homeland security acts or such require ISP to have this information on hand for security reasons. You need to make it clear to them that you have been hacked or attacked. If you have a server in some colo location and they a

        • I agree [almost] completely, except that you should not pay unless ordered to by a court, and you should file a lawsuit. Since you don't live in the US (and hance the parent's mention of HomeSec doesn't help), I'm not sure what laws you have to protect you, or how discovery proceedings work, but I would assume that there is some method to see all of the information they have on the subject, and from there you should easily be able to prove that it is not something you should be responsible for.

          While you'r
    • Downstream firewalls won't help much. The traffic will still travel through the cable/wires to your computer, it's just that the packets get ignored. These dropped packets still count towards your bandwidth limit/charge.

      Something would need to be done further upstream, at say the ISP. A web frontend to iptables would not be too hard to create, however it would be difficult/repetitive for dialup users who get disconnected after a handful of hours.

      Using Windows 98 on a 4 hour dialup modem connection, the

      • Killerwall Kicks @$$

        Your system has achieved a perfect "TruStealth" rating. Not a single packet ? solicited or otherwise ? was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselv
    • if it's nachi/welchie - good luck tracking down the originating IP - most of them are spoofed.

      i assume it's just proof that the virus writer(s) are as retarded as i'd always thought - or maybe they're really smart and have some reason to flood everything.

      • They're not spoofed. Most of them are infected machines. They are scanning entire network ranges for other machines to infect.

        You'll see all LEDs on your switches light up when a _single_ infected machine is plugged in.

        One friggin ISP here has totally blocked ICMP pings probably because of the worms. You can't use ping for testing and trouble-shooting now. Which is a pain, while I have alternatives on my own systems, when you are troubleshooting at a customer's site you often don't have these alternatives
        • you're right.

          i don't know where i read they were spoofed, but obviously i was smoking crack, and the crack smoked me while i tested it.

          must have nmapped someone behind a firewall the few times i checked - but i just got a fat hit off a Win Me/XP/2003 machine.

          thank goodness it'll time out in 2003 - oh, thank you virus writer for the infinite wisdom that this needed to go on for FIVE MONTHS.

    • A Class Action lawsuit?
      Against whom?

      Not Microsoft, hopefully.
      I think the blame should rest on the Admins who are too lazy to patch their systems.

      But of course people won't do that.
      That would actually make SENSE... :/

  • 20 cents a meg, anyone..? (Score:5, Informative)

    by zcat_NZ ( 267672 ) <zcat@wired.net.nz> on Friday September 19, 2003 @05:22PM (#7008104) Homepage
    Yep, that's what full-rate ADSL customers pay for traffic in New Zealand, once they get past their pitiful 500M monthly allowance.

    "I run linux.. I'm not affected by Windows worms and viruses" - Yeah, you wish..!
    • Wow that's crazy. What's the reason for that? I know NZ is a long haul from a large land mass, but still. I can eat up 500 meg with a few days of surfing for just news and the small bit of audio/video. Do they send the packets by trained monkey requiring constant care and feeding? Or is there something about NZ that makes a DSLAM 10,000 times more expensive than elsewhere in the world?
      • The reason for that is Telecom NZ. An ex-SOE spun off into a private company, who have an effective monopoly on DSL service provision due to the fact that they own 90% of the copper in the ground. There are other providers, but most lease the copper (or just the DSL service) from Telecom. Zcat is exaggerating slightly with his 500M allowance - there are 128k and 256k flatrate plans available with high/no caps, but most businesses opt for the 4-7Mb/s "full" capped plans - and the caps are low, and the cos
        • I did say 'full rate'.

          Here's some 'no shit' numbers direct from telecom's site [telecom.co.nz] (blatently whoring for another +5 Informative.. :-)

        • Yeah, the have a JetStream Starter plan, where your bandwidth is capped by the ISP, usually to 5-10 gigs. Much more reasonable than 500 megs, however, it's still extremely easy to bang over 5 gigs of traffic w/o downloading any MP3s or music.
        • but most businesses opt for the 4-7Mb/s "full" capped plans - and the caps are low, and the costs are high. I believe the reason that most businesss opt for the fast services, is that the slow 128 or 256DLS service with higher caps are for residential usage only, and businesses aren't allowed to use them!
      • They claim its becasue of the huge costs of running the underseas cables. In NZ that doesn't explain the .02/mb for NZ traffic over the 500m. All the compaines that run underseas cables have been replacing their transponders to reduce their expenses. If they put in new transponders they can go up to 150km between them where the old ones were needed ever 20km. When they upgrade the transponders they get a gain out of the fiber in the order of 1000x or even more. There was already a glut of bandwidth be
  • I get random pings on my 56k dial-up, on an adsl connection, on another 56k dial-up, on a cable connection, I had someone on another dial-up isp run tcpdump and they get it too.

    It's extremely annoying, and has caused me to block the response.
    • Hello,

      Just out of curiosity, I captured ICMP echo request traffic to my ADSL firewall for the last HOUR: got exactly 120 packets, less than 5 KB total... totally irrelevant.

      Maybe the folks who are getting lots and lots of it are being targets of a good'old DDoSes instead of simply being scanned by worms?

      I would investigate that more throughly if I was in their place, instead of just assuming it's worm traffic.

  • nachi (Score:2, Informative)

    by graf0z ( 464763 )
    According to this [counterpane.com] analysis, a simple packetsniffer (like tcpdump) should reveal if it's nachi: if its echo-request storm detects a living IP, a MS RPC DCOM exploit follows (eg on ports 135 or 445).

    /graf0z.

    • Heck just the arp requests are bad enough - all the lights on the affected switches light up.

      tcpdump is only to find the culprit.

  • Continuously flickering activity light (Score:3, Interesting)

    by cyberman11 ( 581822 ) on Friday September 19, 2003 @06:01PM (#7008357)
    My router WAN activity light and modem activity light and are continuously flickering, even when no computers on my LAN are turned on. I tried replacing my Linksys BEFSR41 router with a Belkin F5D5231-4 router, and switching from a DSL modem to a cable modem but the new lights flicker just as much as the old ones. Since my computer is powered off, the continuous activity must be coming from the internet. I guess either hackers or worms.
    • More likely broadcast ARP requests ("give me hardware address for xxx.xxx.xxx.xxx"), the more machines on your section of the network, the more "background" traffic of this type you'll see.
    • My router WAN activity light and modem activity light and are continuously flickering, even when no computers on my LAN are turned on.

      A couple months ago mine went from flickering to solid on. My firewall keeps stats on blocked packets, seems to be about 95% ping attempts (Nachi probes probably) and 5% attempts to access Windows Netbios ports.

    • As said before, its probably ARP packets. I used ethereal and found that i was reciving over 100 ARP packets per second. Granted, the packets are small, but over time it adds up.

      At what point is all this background traffic too much? I think its already passed that point.

  • And you didn't notice this before, because? (Score:3, Interesting)

    by Zocalo ( 252965 ) on Friday September 19, 2003 @06:06PM (#7008385) Homepage
    Maybe they just haven't received their bills, yet?"

    This is going to sound harsh, but maybe they actually *look* at their logs and traffic graphs with a little more frequency than you imply that you do, noticed something was amiss and put the onus on the ISP to block it? You quadrupled your bandwidth for the month - that's one *serious* anomaly whether it's steady noise or intermittant spikes, and as such should have been red-flagged no later than day two, and that's assuming you only get a daily email from a cron. With this data you could have requested your ISP filter the traffic upstream, and made a fair claim against paying the already incurred traffic and an insistance against future traffic.

    I'd think long and hard about going to court with this, because there is a pretty good chance that the ISP's lawyers are going to bring this up. If they do, then your companies' technical competence is likely to be brought into question in a big way, and in a public forum too. You might be better off writing this off as experience, setting up some better monitoring tools and moving on.

    Of course, you might have some mitigating circumstances, such as... Well, actually, I can't think of any technical reasons why you couldn't spot this kind of traffic, is there one?

    • Re:And you didn't notice this before, because? (Score:4, Interesting)

      by DaveJay ( 133437 ) on Friday September 19, 2003 @06:37PM (#7008668)
      I can think of one good reason -- although it's a reason that applies to me, not the person who posted the article.

      Here's the reason: I don't know how to do it.

      Okay, granted, it's not a GOOD reason. The thing is, I have a webstats monitor to check my WWW bandwidth, but I don't know how to check my OVERALL bandwidth. Good thing my ISP doesn't charge by the k. :)

      Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic.

      As an example, I'm running e-smith 5.5 on my home server. How would I monitor ALL my bandwidth? Not a step-by-step howto, mind you, just a "here's a great site" or "here's a good product" would help.

      Thanks in advance.
      • For corporates the router connected to the internet has statistics in it like packets sent, received etc. There are many tools to monitor these routers some open others you pay for. If you start to notice spikes or a general increase in volume you can contact the upstream to try to get some of it blocked.

        Another place to get the data is from the firewall. At this level you can get the data broken down by access type -- ICMP, GRE, HTTP, DNS, etc.

      • Re:And you didn't notice this before, because? (Score:4, Interesting)

        by Zocalo ( 252965 ) on Friday September 19, 2003 @08:05PM (#7009209) Homepage
        Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic.

        It is in the context of the poster - (s)he has a firewall and appears to be running a web hosting company. You on the otherhand appear to be a home user, so you may not have as much latitude depending on your ISP and how much control you have over how you get online.

        The first place to start is your router, since all traffic must pass through it, or a dedicated firewall immediately behind it. The simplest way to acquire traffic stats is with SNMP using a tool like MRTG [ee.ethz.ch] which is how I do it. If you have no control over the router, then you might be able to get the same figures off the port on your switch that it connects to. I say might, because this assumes that you have a switch (likely these days) and that it supports SNMP (not quite as likely).

        Falling back further; no central point of ingress/egress you can monitor and a non-managed switch/hub... OK, we need to look at the traffic on the host NICs directly, on a per host basis. That means a bandwith monitoring and logging tool; any software site will have loads (search on "bandwidth and log") and most host based firewalls can provide this information for you as well.

      • We [earlham.edu] use Cricket [sourceforge.net] to monitor the bandwidth usage on our T1s. Take a look at our PacketShaper reports [earlham.edu]. You can also look at the root [earlham.edu] of the server to see the other stuff that can be monitored.

        Over in CS [earlham.edu], we use Ganglia [sourceforge.net] to monitor [earlham.edu] the network usage coming out of each individual machine.

  • First off (Score:2, Funny)

    by Anonymous Coward
    I would ask my ISP to stop charging me in hex.
  • I doubt that my site will have a problem with that (since it missed the blaster thing), but I'm awaiting to see my bandwidth bill for my normal internet usage this month from my ISP (for my home usage). I've already been quite busy on the internet and I've clocked over 400 of the Swen worm being downloaded from my many email accounts in less than two days.
    If this keeps up, I'm looking at ~800MB of additional traffic.
  • I guess this shows a fundamental problem with the internet as a commercial entity. It's kind of like being charged every time your phone rings. Imagine your bill going up because a bunch of autodialers were set up to call random numbers.

    Seems to me that either billing practices need to be reworked, or the net needs to be modified with considerations like this in mind.
    • It's kind of like being charged every time your phone rings. Imagine your bill going up because a bunch of autodialers were set up to call random numbers.

      The answer is simple...

      If you can find it in your hear to forgive me, just send $1 to Sorry Dude, 742 Evergreen Terrace, Springfield. You have the power!
  • I don't know how things work in your neck of the woods, but here all I had to do was threaten to take my business to another provider because the ISP in question had not bothered to even attempt to filter the 92 byte ICMP echo requests coming from the Internet into their own network.

    Most pings are not 92 bytes exactly. The pings this virus sends out are 92 bytes with a payload of 'AA' repeated to pad it out to 92 bytes.

    You mileage may vary, though, as I have several thousands of dollars monthly worth of l
  • The company I work for hosts 20ish web sites, and have 2 class C address ranges. If your server responds to the icmp packet, you then get hit with a 4k web request. _This_ is what pushed our usage way up.

    Once we blocked the icmp probes, the web requests stopped, and our usage went down to something resembling sensible. The icmp probles are all 92 bytes in length, so they're easy enough to block if you have a decent router (ours is a linux pc). Before I knew about the icmp probes, I was blocking the worms'
  • I came across this article as I was searching for answers to my connection. Within the last three weeks I have been having problems connecting and I have talked to my ISP about the problem. They have sent someone twice to check my network and they always says it fine. Now the funny thing is it works for a few minutes or hours and then its gone for a long time. When I talk to the ISP am told that am giving them funny talk as the traffic on my network seems very busy. While they say its very busy, i cant ev
  • we've got about 64 IP addresses (it was 2x class C's, but we've unrouted most addresses to reduce the cost). This worm is generating on average 13-14 MB per day. Again since I live in Australia, any excess usage is charged at .15c per MB, $2 a day or $60 per month.
  • His FIREWALL is being bombarded with the traffic. Monitoring has nothing to do with this. He's blocking ICMP requests and throwing them away. His ISP on the other hand is charging for all bandwidth used even though this is unwanted traffic. If it is the isp's policy to charge no matter what he is screwed otherwise, if they dont't, he might have a chance to get them to disregaurd that used bandwith.

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close