Noticed Welchie/Nachi in Your Bandwidth Bill, Yet?
Pinkboard Panther asks: "I have recently received my bill for Internet usage for last month and discovered it is 4 times higher than expected. Since there had been no increase in usage of the sites I run I had to search elsewhere for the exorbitant increase. Eventually I tracked it down to my firewall being bombarded with 20,000 ICMP Echo requests a minute from many different IP addresses. This adds up to $A10 per hour or $A240 a day. I still need to battle with my ISP over whether I should be paying for this. It seems that the Welchie/Nachi worm sends out pings to find what machines are out there before it moves on to deeper probes. I can't believe that I am the only site out there which is being attacked in this way. There must be lots of other sites out there who are affected this way. Maybe they just haven't received their bills, yet?"
rate limiting may indeed help (a bit) (Score:2, Interesting)
(Linux/netfilter example:
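The netfilter rules that post starts are cut off on this page. As an added illustration, not the poster's ruleset, here is the logic behind the iptables `limit` match (refill rate plus burst, i.e. a token bucket) applied per source address to decide which echo requests get a reply. The numbers (10 replies/second, burst 20), the addresses and the traffic are made up for the example. Two caveats a practitioner should keep in mind: plain `-m limit` keeps one bucket for the whole rule, so per-source buckets need `-m hashlimit --hashlimit-mode srcip`; and, as the "Downstream firewalls won't help much" post later in the thread says, the inbound requests have already crossed the billed link by the time the firewall sees them, so limiting only trims the echo-reply side.

```python
"""Added example: per-source token bucket with netfilter `limit`-style semantics.

Decides which inbound ICMP echo requests get an echo reply. The parameters
(10 replies/second, burst 20) are illustrative, not taken from the thread.
"""
from collections import defaultdict


class LimitMatch:
    """Token bucket: refill `rate` tokens per second, never more than `burst` tokens."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self._tokens = defaultdict(lambda: float(burst))  # one bucket per key (source IP)
        self._last = {}                                    # last timestamp seen per key

    def allow(self, key: str, now: float) -> bool:
        last = self._last.get(key, now)
        refill = (now - last) * self.rate
        self._tokens[key] = min(float(self.burst), self._tokens[key] + refill)
        self._last[key] = now
        if self._tokens[key] >= 1.0:
            self._tokens[key] -= 1.0
            return True
        return False


def answer_echo_requests(packets, rate=10.0, burst=20):
    """packets: iterable of (timestamp_s, src_ip, size_bytes) echo requests.

    Returns a dict of counts. Inbound bytes are counted whatever the decision:
    they crossed the link before the firewall saw them, which is why a
    downstream limiter only trims the echo replies (outbound) part of the bill.
    """
    bucket = LimitMatch(rate, burst)
    stats = {"replied": 0, "dropped": 0, "inbound_bytes": 0, "outbound_bytes": 0}
    for ts, src, size in sorted(packets, key=lambda p: p[0]):
        stats["inbound_bytes"] += size
        if bucket.allow(src, ts):
            stats["replied"] += 1
            stats["outbound_bytes"] += size  # an echo reply carries the request payload back
        else:
            stats["dropped"] += 1
    return stats


if __name__ == "__main__":
    # Constructed traffic: one host blasting 1000 req/s for 0.1 s, one host pinging once a second.
    flood = [(i / 1000, "10.0.0.7", 92) for i in range(100)]
    polite = [(float(t), "10.0.0.8", 92) for t in range(5)]
    print(answer_echo_requests(flood + polite))
```

With those parameters the flooding host gets its first 20 requests answered (the burst) and then roughly 10 per second, while the host pinging once a second is never throttled; the inbound byte count is unchanged either way.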
Overcharging (Score:1)
Re:Overcharging (Score:2)
Re:Overcharging (Score:2)
When is the last time you checked on these caps? Both Rogers and Sympatico removed them. When I came back to school at the beginning of the month and was getting my apartment internet service, I called both of them and asked. Both said "No caps!" I went with Rogers because I think anything over POTS is crap. Plus I hate Bell with a passion.
The best Canadian ISP, afaic, is Shaw Cable. I bet they'd be very reasonable in a situatio
Re:Overcharging (Score:2)
I'd be surprised if any of them were selling anything other than Sympatico and Rogers.
Kind of hard to lay your own cable network these days.
Re:Overcharging (Score:2)
It's the same price as Sympatico or Cogeco, good speeds and no issues. I also haven't been dicked around for having port 80 running a service, or being double billed.
I don't get 24x7 technical support, but that's not generally an issue; the service went down once (Bell cut my line), they refunded that month.
Use NetFlow to prove it was Nachi traffic. (Score:5, Informative)
Re:Use NetFlow to prove it was Nachi traffic. (Score:4, Informative)
Re:Use NetFlow to prove it was Nachi traffic. (Score:2)
Standing class action law suit (Score:3, Interesting)
My ISP is having almost continual problems being flooded with random worm noise.
Re:Standing class action law suit (Score:2)
Going slightly off-topic here...
It seems to me that Microsoft is a *huge* drag on the overall economy these days.
And it's not just due to the network background noise,
but putting up with all of the Microsoft holes that can be exploited over the net.
Maybe the Department of Homeland Security should sue them. ;-)
Re:Standing class action law suit (Score:5, Insightful)
Ugh. It's funny how morals here perform a complete 180 when there's an opportunity to get Microsoft into trouble.
Here's the simple fact: Microsoft didn't write the worm.
Now you can make the argument if you like that Microsoft was negligent. Just remember, that if you follow that logic, then Linux could find itself liable down the road. Some jackass comes up with an exploit, it causes trouble, and the Linux community is punished for it. Do you really want that?
I have other issues with this line of reasoning. If I walk into a hospital with a cellular phone and intentionally use it to jam equipment there, should Nokia be sued for it? What about the company who made the equipment? Considering that the disruption was caused maliciously, then the finger needs to be pointed at me.
I would strongly urge the Slashdot Community to be very careful about what you wish for, especially when it concerns punishment for Microsoft. It's fun to hate them and all, but the consequences they receive could wind up biting you in the butt. Eolas comes to mind...
Re:Standing class action law suit (Score:3, Insightful)
Yes.
That would be fair. And, nevertheless, it would at least level the playing field in the new marketing dominion for the 21st century: responsibility.
People are sick and tired of things working 'just becase
s/things working/things not working/ (Score:1)
Apologies for my recently Germanified English
Re:Standing class action law suit (Score:1, Interesting)
Re:Standing class action law suit (Score:1)
Re:Standing class action law suit (Score:2)
>That would be fair. And, nevertheless, it would at least level the playing field in the new marketing dominion for the 21st century: responsibility.
If you care about the future of Linux you do not want this.
Say that MS gets sued for a bug. They have lawyers, money and insurance so that legal liability isn't a huge concern. Look at how much money they tossed at SCO. That's some department's weekly salary cost, not a problem.
Say that a group working/responsible for Linux code gets sued. Can
Re:Standing class action law suit (Score:1)
If Linux went to court over some IP issue, then that would be fair - the courts are *supposed* to be a fair-dealing arena for the addressing of w
Re:Standing class action law suit (Score:2)
I don't think a sufficient case could be made against Microsoft [microsoft.com] yet. But maybe you should talk to your legal department about suing the people whose computers were infected. Then they could turn around and sue M$ for allowing a worm onto their computer.
Re:Standing class action law suit (Score:1)
You willingly plug your computer into the public internet. You therefore take the responsibility for anything that the public internet does to your computer.
It's not like these viruses are breaking the technological rules of the internet. It's not as if they're circumventing IP. They're operating within the rules that you agree to when you jack in, so you have no room to complain when bad things happen.
Re:Standing class action law suit (Score:1)
Fair? Perhaps not. Possible? Yes.
Re:Standing class action law suit (Score:2)
You could not think of a real reason? So you're just looking for an excuse to justify your bias or hidden reasons.
There are plenty of other battles worth fighting where the real reasons are obvious to you. So why not fight those instead?
Winning the wrong battle can be very costly.
Re:Standing class action law suit (Score:2, Interesting)
In Australia, the big problem was the excessive ab
Yup... more info here (Score:4, Informative)
Here are some more posts on the topic, elsewhere. Note how some people just say "Oh, you are getting hits! Hits are good, no?".
http://www.webmasterworld.com/forum39/1435.htm [webmasterworld.com]
http://lists.jammed.com/incidents/2003/08/0369.ht
http://www.derkeiler.com/Mailing-Lists/linuxsecur
The blocking rules people suggest (see page five of the first link) don't work at my site, for some reason. Maybe it's because I only have access to
Re:Yup... more info here (Score:2)
Re:Yup... more info here (Score:1)
Re:Yup... more info here (Score:1)
confusing ? you're not really trying (Score:2)
http://ww.domain.com
http:/wwww.domain.com
http://uuuuuu.domain.com
http://wuuw.domain.com
http://vwv.domain.com
http://w.w.w.domain.com
http://http.domain.com
http://ftp.domain.com
http://domain.domain.com
http://web.domain.com
http://www.domain.domain.com
Re:confusing ? you're not really trying (Score:2)
http://vvvvvv.domain.com
Re:confusing ? you're not really trying (Score:1)
I prefer uuuuuu because it is double u double u double u
Re:confusing ? you're not really trying (Score:1)
http://wvwvwvwvwvwvwv.wvwvwvwvwvw.wvwvwwv.com
but the Internet told me that there was no web site at that address. I was kind of sad, but at the bottom of my screen, the Internet showed me a bunch of links to some Gambling, Small Business, and Home and Garden stuff that I can buy and I wasn't sad any more. Golly gee, I like this Internet thing. It's way cool!
Re:confusing ? you're not really trying (Score:1)
http://wvwvwvwvwvwvwv.wvwvwvwvwvw.wvwvwwv.com [wvwvwwv.com]
Re:Yup... more info here (Score:1)
With a one like that, you need no two--it is implied.
hmm interesting... (Score:4, Insightful)
However they probably just see the ping using up your bandwidth and that is what they are looking at. I'd probably start logging all IP addresses that are pinging your server and then go after all these users. After all, they are infected with this worm, and until people who get on the internet start being responsible for keeping their machines firewalled, updated and locked down as much as possible from hackers, these things will continue. Most of the MS worms could be prevented if people used Zone Alarm or Black Ice or another firewall product. Also most of the Linux and BSD exploits could be avoided if they set up firewalls and updated their systems and kept on top of security.
No it is not your fault, so go after those who are using up YOUR bandwidth and sue them and make them pay. It is their irresponsibility and stupidity that are causing these problems.
Black Ice (Score:4, Informative)
The difference is that a real firewall (Like Zone Alarm [zonelabs.com] or Sygate [sygate.com] (free is down at the bottom)) will block the traffic, prompt you to allow/disallow it, and then follow instructions.
Black Ice, on the other hand, will simply watch ports, log traffic, and when someone tries to access your RPC port or whatnot, it simply sets a flag "Serious Error - Someone Hacking" and starts blinking in the system tray. No real response, no ability to block it in the future, just simple monitoring.
In other words, it's a complete waste of CPU cycles from a security standpoint, and if you're using it for traffic monitoring you'd be better served with Ethereal [ethereal.com].
Re:Black Ice (Score:2, Insightful)
Maybe we were looking at different products. IIRC, BlackICE Defender had firewall functionality. The new version, now named RealSecure Desktop, shares IDS signatures with other RealSecure products and can do the whole "active response" thing, including blocking packets, sending TCP RSTs, etc. If you use the enterprise version, it is administered centrally using the ISS SiteProtector console software (which is why we're looking at it at $ORK).
In fact, I seem to recall being impressed with its applic
Re:Black Ice (Score:1)
Yes it was BlackICE Defender, by Network ICE, that I was referring to, but that was quite a while back. And as far as App-specific firewalling that's why I use Sygate. I never could get myself to like Zone Alarm, and I never got around to re-evaluating BlackICE.
Re:Black Ice (Score:1)
Right Click on the intruder's name -> Block Intruder -> For Hour/For Day/For Month/Forever.
The same for Trust Intruder.
Re:Black Ice (Score:1)
Re:Black Ice (Score:2, Informative)
Re:Black Ice (Score:2)
Re:hmm interesting... (Score:1)
But most ISPs don't keep that kind of traffic logs, and if your end of the link is overloaded, you won't be able to either... And you might be charged extra for any retransmits... Wonder how much extra I'd have to pay to get trustworthy, detailed connection logs, by provenance/ip/port for any given connection size/usage... A
Re:hmm interesting... (Score:1)
It's not hard to identify the other end of the link. One of the things these worms, or at least one of them (Welchi) does is access the root document of your httpd server if you have one running. So you get lots of hits to http://www.yourdomain/, aka index.html, coming from various IP addresses. The most obvious way these hits are distinguished from normal browser accesses is they don't load images or stylesheets.
So if you
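The post above says the worm's HTTP probes stand out because they fetch the root document and nothing else (no images, no stylesheets). That is easy to turn into a log query. The following is an added example, not the poster's script: it reads Apache/NCSA combined log lines, keeps the clients that hit "/" repeatedly but never fetched any image, stylesheet or script, and sums the response bytes served to them so the number can be put in front of the ISP. The log lines and the IP addresses (documentation ranges) are constructed for the example; the extension list and the 2-hit threshold are assumptions you would tune to your site.

```python
"""Added example: find HTTP clients that only ever request the root document.

Input is a constructed Apache/NCSA combined log; the IPs are documentation
ranges and every line below is invented for this example.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A real browser rendering a page fetches at least one of these after "/".
SECONDARY = (".css", ".js", ".gif", ".jpg", ".jpeg", ".png", ".ico")

SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2003:10:01:02 +1000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [25/Sep/2003:10:01:03 +1000] "GET /style.css HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/4.0"
203.0.113.5 - - [25/Sep/2003:10:01:03 +1000] "GET /logo.gif HTTP/1.1" 200 1300 "http://www.example.com/" "Mozilla/4.0"
198.51.100.9 - - [25/Sep/2003:10:02:10 +1000] "GET / HTTP/1.0" 200 2048 "-" "-"
198.51.100.9 - - [25/Sep/2003:10:02:41 +1000] "GET / HTTP/1.0" 200 2048 "-" "-"
198.51.100.23 - - [25/Sep/2003:10:03:05 +1000] "GET / HTTP/1.0" 200 2048 "-" "-"
192.0.2.77 - - [25/Sep/2003:10:04:00 +1000] "GET /about.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.77 - - [25/Sep/2003:10:04:01 +1000] "GET /logo.gif HTTP/1.1" 200 1300 "http://www.example.com/about.html" "Mozilla/5.0"
this line is garbage and must be skipped
"""


def parse(lines):
    """Yield the fields of each well-formed combined-log line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def root_only_clients(lines, min_hits=2):
    """Return {ip: root_hits} for clients that fetched "/" at least min_hits
    times and never fetched a stylesheet, script or image."""
    root_hits = defaultdict(int)
    fetched_secondary = set()
    for rec in parse(lines):
        path = rec["path"].split("?", 1)[0]
        if path in ("/", "/index.html"):
            root_hits[rec["ip"]] += 1
        elif path.lower().endswith(SECONDARY):
            fetched_secondary.add(rec["ip"])
    return {ip: n for ip, n in root_hits.items()
            if n >= min_hits and ip not in fetched_secondary}


def bytes_attributable(lines, ips):
    """Response bytes served to the given clients: the slice of the bill these probes explain."""
    total = 0
    for rec in parse(lines):
        if rec["ip"] in ips and rec["size"].isdigit():
            total += int(rec["size"])
    return total


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    suspects = root_only_clients(lines)
    print(suspects, bytes_attributable(lines, set(suspects)))
```

Lowering `min_hits` to 1 also catches single-visit probes at the cost of flagging text-only browsers and link checkers, so keep the list as evidence to hand the ISP rather than as an automatic block list.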
Re:hmm interesting... (Score:2)
If this is a business account with someone like Earthlink then threaten to take them to court to get the logs and IP addresses; I believe that one of the homeland security acts or such requires ISPs to have this information on hand for security reasons. You need to make it clear to them that you have been hacked or attacked. If you have a server in some colo location and they a
Re:hmm interesting... (Score:2)
While you'r
Downstream firewalls won't help much (Score:2)
Something would need to be done further upstream, at say the ISP. A web frontend to iptables would not be too hard to create, however it would be difficult/repetitive for dialup users who get disconnected after a handful of hours.
Using Windows 98 on a 4 hour dialup modem connection, the
Shields up ? (Score:1)
Your system has achieved a perfect "TruStealth" rating. Not a single packet, solicited or otherwise, was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselv
Re:hmm interesting... (Score:2)
i assume it's just proof that the virus writer(s) are as retarded as i'd always thought - or maybe they're really smart and have some reason to flood everything.
Re:hmm interesting... (Score:2)
You'll see all LEDs on your switches light up when a _single_ infected machine is plugged in.
One friggin ISP here has totally blocked ICMP pings probably because of the worms. You can't use ping for testing and trouble-shooting now. Which is a pain, while I have alternatives on my own systems, when you are troubleshooting at a customer's site you often don't have these alternatives
Re:hmm interesting... (Score:2)
i don't know where i read they were spoofed, but obviously i was smoking crack, and the crack smoked me while i tested it.
must have nmapped someone behind a firewall the few times i checked - but i just got a fat hit off a Win Me/XP/2003 machine.
thank goodness it'll time out in 2003 - oh, thank you virus writer for the infinite wisdom that this needed to go on for FIVE MONTHS.
Re:hmm interesting... (Score:2)
Against whom?
Not Microsoft, hopefully.
I think the blame should rest on the Admins who are too lazy to patch their systems.
But of course people won't do that.
That would actually make SENSE...
20 cents a meg, anyone..? (Score:5, Informative)
"I run linux.. I'm not affected by Windows worms and viruses" - Yeah, you wish..!
Re:20 cents a meg, anyone..? (Score:2)
Re:20 cents a meg, anyone..? (Score:2)
Re:20 cents a meg, anyone..? (Score:2)
Here's some 'no shit' numbers direct from Telecom's site [telecom.co.nz] (blatantly whoring for another +5 Informative..
Re:20 cents a meg, anyone..? (Score:2)
Re:20 cents a meg, anyone..? (Score:1)
Re:20 cents a meg, anyone..? (Score:2, Interesting)
I'm getting thousands of these pings (Score:1)
It's extremely annoying, and has caused me to block the response.
Re:I'm getting thousands of these pings (Score:1)
Just out of curiosity, I captured ICMP echo request traffic to my ADSL firewall for the last HOUR: got exactly 120 packets, less than 5 KB total... totally irrelevant.
Maybe the folks who are getting lots and lots of it are being targets of a good'old DDoSes instead of simply being scanned by worms?
I would investigate that more thoroughly if I were in their place, instead of just assuming it's worm traffic.
nachi (Score:2, Informative)
Re:nachi (Score:2)
tcpdump is only to find the culprit.
Continuously flickering activity light (Score:3, Interesting)
Re:Continuously flickering activity light (Score:3, Interesting)
Re:Continuously flickering activity light (Score:2)
Re:Continuously flickering activity light (Score:1)
A couple months ago mine went from flickering to solid on. My firewall keeps stats on blocked packets, seems to be about 95% ping attempts (Nachi probes probably) and 5% attempts to access Windows Netbios ports.
Re:Continuously flickering activity light (Score:1)
At what point is all this background traffic too much? I think its already passed that point.
And you didn't notice this before, because? (Score:3, Interesting)
This is going to sound harsh, but maybe they actually *look* at their logs and traffic graphs with a little more frequency than you imply that you do, noticed something was amiss and put the onus on the ISP to block it? You quadrupled your bandwidth for the month - that's one *serious* anomaly whether it's steady noise or intermittent spikes, and as such should have been red-flagged no later than day two, and that's assuming you only get a daily email from a cron. With this data you could have requested your ISP filter the traffic upstream, and made a fair claim against paying the already incurred traffic and an insistence against future traffic.
I'd think long and hard about going to court with this, because there is a pretty good chance that the ISP's lawyers are going to bring this up. If they do, then your company's technical competence is likely to be brought into question in a big way, and in a public forum too. You might be better off writing this off as experience, setting up some better monitoring tools and moving on.
Of course, you might have some mitigating circumstances, such as... Well, actually, I can't think of any technical reasons why you couldn't spot this kind of traffic, is there one?
Re:And you didn't notice this before, because? (Score:4, Interesting)
Here's the reason: I don't know how to do it.
Okay, granted, it's not a GOOD reason. The thing is, I have a webstats monitor to check my WWW bandwidth, but I don't know how to check my OVERALL bandwidth. Good thing my ISP doesn't charge by the k.
Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic.
As an example, I'm running e-smith 5.5 on my home server. How would I monitor ALL my bandwidth? Not a step-by-step howto, mind you, just a "here's a great site" or "here's a good product" would help.
Thanks in advance.
Re:And you didn't notice this before, because? (Score:1)
Another place to get the data is from the firewall. At this level you can get the data broken down by access type -- ICMP, GRE, HTTP, DNS, etc.
Re:And you didn't notice this before, because? (Score:4, Interesting)
It is in the context of the poster - (s)he has a firewall and appears to be running a web hosting company. You on the other hand appear to be a home user, so you may not have as much latitude depending on your ISP and how much control you have over how you get online.
The first place to start is your router, since all traffic must pass through it, or a dedicated firewall immediately behind it. The simplest way to acquire traffic stats is with SNMP using a tool like MRTG [ee.ethz.ch] which is how I do it. If you have no control over the router, then you might be able to get the same figures off the port on your switch that it connects to. I say might, because this assumes that you have a switch (likely these days) and that it supports SNMP (not quite as likely).
Falling back further; no central point of ingress/egress you can monitor and a non-managed switch/hub... OK, we need to look at the traffic on the host NICs directly, on a per host basis. That means a bandwidth monitoring and logging tool; any software site will have loads (search on "bandwidth and log") and most host based firewalls can provide this information for you as well.
Re:And you didn't notice this before, because? (Score:3, Informative)
We [earlham.edu] use Cricket [sourceforge.net] to monitor the bandwidth usage on our T1s. Take a look at our PacketShaper reports [earlham.edu]. You can also look at the root [earlham.edu] of the server to see the other stuff that can be monitored.
Over in CS [earlham.edu], we use Ganglia [sourceforge.net] to monitor [earlham.edu] the network usage coming out of each individual machine.
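The two posts above (MRTG over SNMP, and Cricket) both boil down to the same arithmetic: poll the router's ifInOctets/ifOutOctets counters every few minutes, take the difference, and turn it into bits per second. The added example below, not code from MRTG, Cricket or either poster, shows that arithmetic with the one detail that bites people who roll their own: the classic counters are 32 bits and wrap, so a reading lower than the previous one is a wrap, not negative traffic. It also shows how long a saturated link takes to wrap such a counter (the polling interval must be shorter than that), and flags intervals that exceed a baseline by the 4x factor from the original question. The samples, the 30,000 bit/s baseline and the 5-minute interval are constructed for the example.

```python
"""Added example: link usage from SNMP-style octet counters, with 32-bit wrap handling.

The samples below are constructed; 300 s is a typical MRTG/Cricket polling step.
"""

# (epoch_seconds, ifInOctets, ifOutOctets); the first 'in' reading is close to 2**32
# so the second poll shows what a wrapped counter looks like.
SAMPLES = [
    (0, 4294960000, 100),
    (300, 992704, 200100),
    (600, 4992704, 1000100),
]


def octet_delta(prev, cur, width=32):
    """Bytes transferred between two counter readings, allowing for one wrap."""
    if cur >= prev:
        return cur - prev
    return cur + (2 ** width - prev)


def max_poll_interval(link_bps, width=32):
    """Seconds a saturated link needs to wrap a counter of this width.
    Poll more often than this or wraps become ambiguous (two wraps look like none)."""
    return (2 ** width) * 8 / link_bps


def poll_rates(samples):
    """[(t, in_octets, out_octets)] in time order -> [(t, in_bps, out_bps)] per interval."""
    rates = []
    for (t0, i0, o0), (t1, i1, o1) in zip(samples, samples[1:]):
        dt = t1 - t0
        rates.append((t1, 8 * octet_delta(i0, i1) / dt, 8 * octet_delta(o0, o1) / dt))
    return rates


def anomalies(rates, baseline_bps, factor=4.0):
    """Interval end times where in+out exceeds factor x the expected level."""
    return [t for t, i, o in rates if i + o > factor * baseline_bps]


def monthly_projection(rates, days=30):
    """Bytes per billing month if the observed average rate held; compare with the plan."""
    if not rates:
        return 0.0
    avg_bps = sum(i + o for _, i, o in rates) / len(rates)
    return avg_bps / 8 * 86400 * days


if __name__ == "__main__":
    r = poll_rates(SAMPLES)
    print(r)
    print("alarms at", anomalies(r, 30000))
    print("T1 wraps a 32-bit counter after %.0f s" % max_poll_interval(1_544_000))
    print("projected bytes/month: %.0f" % monthly_projection(r))
```

On a T1 the 32-bit counters wrap only every six hours or so, so 5-minute polling is safe; on a 100 Mbit/s or gigabit link they wrap in minutes or seconds, which is why MRTG and Cricket both support the 64-bit ifHCInOctets/ifHCOutOctets counters where the device offers them.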
First off (Score:2, Funny)
Re:First off (Score:2)
Not just websites (Score:2)
If this keeps up, I'm looking at ~800MB of additional traffic.
Know what'd suck? (Score:2)
Seems to me that either billing practices need to be reworked, or the net needs to be modified with considerations like this in mind.
Re:Know what'd suck? (Score:2)
The answer is simple...
If you can find it in your heart to forgive me, just send $1 to Sorry Dude, 742 Evergreen Terrace, Springfield. You have the power!
Due Diligence on the part of the ISP (Score:2, Interesting)
Most pings are not 92 bytes exactly. The pings this virus sends out are 92 bytes with a payload of 'AA' repeated to pad it out to 92 bytes.
Your mileage may vary, though, as I have several thousands of dollars monthly worth of l
not just icmp (Score:2)
Once we blocked the icmp probes, the web requests stopped, and our usage went down to something resembling sensible. The icmp probes are all 92 bytes in length, so they're easy enough to block if you have a decent router (ours is a linux pc). Before I knew about the icmp probes, I was blocking the worms'
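The "Due Diligence" and "not just icmp" posts above both describe the same signature: an ICMP echo request whose IP packet is exactly 92 bytes, with the payload padded out with 'AA'. As an added example, not either poster's filter, the following parses raw IPv4/ICMP packets, verifies the ICMP checksum, matches that signature, and tallies matching sources, which is the list you would hand the ISP. The packets are built locally by `build_echo_request()` rather than captured, the addresses are documentation ranges, and reading the thread's 'AA' as the byte value 0xAA (64 of them after the 8-byte ICMP header, making 20 + 8 + 64 = 92) is this example's interpretation of the posts.

```python
"""Added example: parse raw IPv4/ICMP and flag the 92-byte echo-request probe
described in the thread (64 bytes of 0xAA after the 8-byte ICMP header).

Packets here are built locally, not captured; addresses are documentation ranges.
"""
import socket
import struct
from collections import Counter

NACHI_TOTAL_LEN = 92
NACHI_PAYLOAD = b"\xaa" * (NACHI_TOTAL_LEN - 20 - 8)   # assumption: 'AA' means byte 0xAA


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words; 0 when run over a checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident=1, seq=1, ttl=128) -> bytes:
    """IPv4 header (20 bytes, no options) + ICMP echo request (type 8) + payload."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_packet(raw: bytes):
    """Fields of an IPv4/ICMP packet, or None if it is not one, is truncated, or fails the checksum."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    if proto != socket.IPPROTO_ICMP or ihl < 20 or total_len < ihl + 8 or len(raw) < total_len:
        return None
    icmp = raw[ihl:total_len]
    if inet_checksum(icmp) != 0:          # corrupt or hand-mangled: not a well-formed probe
        return None
    return {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
            "total_len": total_len, "type": icmp[0], "code": icmp[1], "payload": icmp[8:]}


def is_nachi_probe(raw: bytes) -> bool:
    """Echo request, 92-byte IP packet, payload entirely 0xAA: the signature from the thread."""
    p = parse_packet(raw)
    return (p is not None and p["type"] == 8
            and p["total_len"] == NACHI_TOTAL_LEN and p["payload"] == NACHI_PAYLOAD)


def tally_probes(packets):
    """Counter of source IPs whose packets match the signature."""
    return Counter(parse_packet(p)["src"] for p in packets if is_nachi_probe(p))


if __name__ == "__main__":
    capture = [
        build_echo_request("198.51.100.4", "192.0.2.1", NACHI_PAYLOAD),
        build_echo_request("198.51.100.4", "192.0.2.1", NACHI_PAYLOAD),
        build_echo_request("203.0.113.9", "192.0.2.1", bytes(range(56))),   # an ordinary 84-byte ping
        build_echo_request("198.51.100.7", "192.0.2.1", NACHI_PAYLOAD),
    ]
    print(tally_probes(capture))
```

Matching on length alone, as a router ACL has to, will also drop any legitimate 92-byte ping; checking the payload as well keeps the false-positive rate down when you are building the evidence list rather than a block rule.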
No connection (Score:1)
Averaging 13 - 14 MB per day (Score:1)
you're missing the point (Score:1)