Microsoft Windows Update and Network Bandwidth?
Brett Glass asks: "As we reviewed the cache statistics for our small ISP today, we noted that the traffic generated by Microsoft's Windows Update feature constituted 45% -- no, that's not a misprint -- of our total throughput. Because so many computers on the Internet run Windows, this massive resource drain occurs whenever Microsoft announces major security holes (as it did this week). The traffic could be greatly reduced, and service to users much improved, if the updates were cacheable at the ISP. But Microsoft has set up the service in such a way that the data can't be cached. (It's digitally signed, so inserting Trojans into the cache is virtually impossible; in any event, no more of an issue than intercepting the data stream.) Are others out there seeing the same pattern? How might Microsoft be convinced to make its updates cacheable, so as not to waste unthinkable amounts of bandwidth?"
I can only speak from what I've seen in our offices, but squid (running in transparent proxy mode) very definitely caches content from Windows Update... I set it up about six months ago and remember being really surprised (because I think I very reasonably expected it not to).
Here at Berkeley all of the Windows updates come from an internal server instead of externally. That way they control who gets the updates and when.
You can download the updates individually, and there is probably a way to have them downloaded to the server automatically. All you have to do is convince the users to download them from you and install them manually. Can you block traffic from the autoupdate applet? I bet that would significantly reduce traffic, at the cost of insecure customers.
What about running an internal WU server and changing the DNS entry at the local level to a local server? You'd have to keep the catalog of updates stocked and refreshed constantly, for multiple OS's, so I don't know how cost effective it might be.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
The good news about Apple's updates is that they can be downloaded from the web and stored on the local network, or you can direct Software Update to download the update to your desktop.
This makes it easy to share with others who might not have the bandwidth to download these freakin' things.
Another option is to use a systems management package (LANDesk, ZENworks, SMS, etc.) to build the packages and deploy them while only using your internal network bandwidth (once you've downloaded the hotfixes anyway).
Of course, the two options above are really meant for company networks, but even those can help reduce the bandwidth used for more important things.
First step is to download the patches/updates manually and save them elsewhere accessible to all users:
- Windows 2000 users, please visit the Windows 2000 Downloads site.
- Windows NT 4.0 users, please visit the Microsoft Download Center.
- Windows 98 users, please visit the Windows 98 Downloads site.
- Windows 95 users, please visit the Windows 95 Downloads site.
Second, we found that users would rather use windowsupdate.microsoft.com than go to our patches/update repository, which makes sense. You could forbid your users from accessing windowsupdate.microsoft.com, but it might be a problem, as some updates might actually request windowsupdate.microsoft.com during installation. Therefore, we limit the priority of traffic in/out of windowsupdate.microsoft.com. Eventually we lowered the priority of the entire microsoft.com because that's really necessary. Users can access windowsupdate.microsoft.com on their own as usual - if they don't mind holding up their machines for a couple of days.
This works great. Larger and bigger patches are stored locally for users, while they can still access windowsupdate for smaller patches/fixes. Our bandwidth load lessened (to a certain degree; we still can't solve that 5-15% NetBIOS traffic jam).
Hope this helps.
Not being a windows user, how big are the windows updates and how often do they come?
Since Microsoft releases patches via Windows Update so frequently, they are usually fairly small. 1MB-5MB downloads are frequent, with the occasional 10MB+ one every now and then. There are updates practically every few days, so having a Windows Update Server running will negate the expense of everyone having to download redundant files.
Some help about storing Windows Update files for later can be found here.
Ladies, form queue here -->
...download the updates yourself and either push them to the users through something like SMS, or have a program check the registry in the login script. It is fairly simple.
If it's a big problem, just block off windowsupdate and redirect them to your own page. You could implement a simple scan using something like HFNetChk. It's command line and works well.
Hey, look at it this way.. at least your users are updating! That puts them above 90% of the users out there.
so can the ones on windows update
either you can build your own windows update server or at the very least download the individual updates and store them just as files
and you can even build them into an iso image, my win2k cd has sp3 built into it so whenever I build a new machine it's already there, and you can do that with most of the updates
are you thinking with both brain cells here?
the red hat updates are cacheable yet individually gpg-signed. they are also freely distributable by anyone. you can set up a red hat satellite proxy server for your organization. you can download once straight from red hat's FTP server (the URLs are conveniently listed in the emails) and push them to each machine. there are probably 50 different ways you can write perl scripts to fix the problem.
seriously, this is a difference between FREE SOFTWARE and VENDOR LOCK-IN. Even Brett Glass can understand what FREE means in this context.
Microsoft probably knows EXACTLY how much of a pain this is and will happily SELL you some overpriced "Windows Update Proxy Server Professional 2000 .NET" to solve all your worries.
In the meantime, you should be aware that all the major service packs for Microsoft products can be downloaded as stand-alone executables. Also, the IE download page includes some critical updates. Make your own "cache" on the network, and let everybody get their updates from there.
Just checked the stats for the past 24 hours (from a Squid cache). This time, *.windowsupdate.com generated 56.11% of the traffic, with a hit rate of only 2.37%. In short, Microsoft is eating (and expending!) huge amounts of bandwidth, and almost none of what is being transmitted can be cached. What a waste.
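The per-domain figures quoted in this thread (share of bytes and hit rate for *.windowsupdate.com) can be reproduced from a squid access.log with the following added example, which is not code from the original thread. The log lines are constructed samples in squid's native format, the hostnames and sizes are illustrative, and the same run doubles as a check of the earlier claim that a transparent squid caches Windows Update: a hit rate near zero on the pattern says it does not.

```python
import re
from urllib.parse import urlsplit

# Squid native access.log: time elapsed client code/status bytes method URL user peer type
LOG_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

def parse_line(line):
    """Return one parsed log record, or None for a line that is not squid format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec

def host_matches(host, pattern):
    """'*.windowsupdate.com' matches the domain itself and every subdomain."""
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern

def summarize(lines, pattern="*.windowsupdate.com"):
    """Byte share and cache hit rate of one domain over the given log lines."""
    total = dom_bytes = requests = hits = partial = 0
    for rec in filter(None, map(parse_line, lines)):
        total += rec["bytes"]
        if not host_matches(rec["host"], pattern):
            continue
        dom_bytes += rec["bytes"]
        requests += 1
        hits += "HIT" in rec["code"]        # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
        partial += rec["status"] == "206"   # range responses, which squid does not store by default
    return {"total_bytes": total, "domain_bytes": dom_bytes, "requests": requests, "hits": hits,
            "byte_share": dom_bytes / total if total else 0.0,
            "hit_rate": hits / requests if requests else 0.0, "partial": partial}

# Constructed sample lines, not real traffic; hostnames, sizes and the peer address are illustrative.
SAMPLE = """\
1042123456.123   2345 10.0.0.5 TCP_MISS/200 4000000 GET http://download.windowsupdate.com/a.cab - DIRECT/192.0.2.1 application/octet-stream
1042123460.456   1987 10.0.0.6 TCP_MISS/200 4000000 GET http://download.windowsupdate.com/b.cab - DIRECT/192.0.2.1 application/octet-stream
1042123470.789     12 10.0.0.7 TCP_HIT/200 1000000 GET http://download.windowsupdate.com/c.cab - NONE/- application/octet-stream
1042123480.012   1500 10.0.0.8 TCP_MISS/206 3000000 GET http://v4.windowsupdate.com/d.cab - DIRECT/192.0.2.1 application/octet-stream
1042123490.345      8 10.0.0.9 TCP_MEM_HIT/200 1000000 GET http://www.example.org/logo.png - NONE/- image/png
this line is not squid format and is skipped
""".splitlines()
```

Over the sample, summarize(SAMPLE) reports the update domain at 12 of 13 million bytes with one hit in four requests, and the count of 206 responses is worth watching because partial-content replies are a common reason a proxy shows a low hit rate on large downloads.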
Ahem.... Red Hat updates are cacheable. But the percentage of Linux users on our network is in the single digits. Most users run Windows.
Why don't you subscribe to or at least take a look at the ISP-Caching mailing list?
Of course, if you use Microsoft's Software Update Service, then it's basically like running your own Windows Update server...and it's a free add-on to Win2K servers. Client side is very similar to the Automatic Updates feature introduced in 2000 SP3 (or XP SP1)...but instead of checking MS's server it checks your own. Admins have control over what updates will be applied.
There are also 3rd party tools like HFNetChk Pro (with a free Lite version, but it has major limitations as far as rollouts are concerned) and UpdateExpert. They basically simplify mass scanning and rollout to many machines.
Of course, for ISPs the only thing I can think of would be to just download the files and host them on a website...then educate your customers.
How about trying something like this.
buy?? Windows Update Services is free, mate. Install it on your server, set the clients up via GPO, and off it goes, saves bandwidth and admin time by the bucketload.
Actually, it does exist and it is called SUS. It is free (if you already own a win2k server license).
Let me just say, SUS sucks ass.
Microsoft's system of GPOs makes it pretty useless -- you need to set GPOs for hosts to use your SUS servers, so if your domain has any divergence from the stock GPOs there is a good chance it isn't going to work and it will be impossible to debug in less than a month.
I believe there was a giant thread about it on focus-ms.
-- DrZaius - Minister of Sciences and Protector of the Faith