Slashdot Mirror


Noticed Welchie/Nachi in Your Bandwidth Bill, Yet?

Pinkboard Panther asks: "I have recently received my bill for Internet usage for last month and discovered it is 4 times higher than expected. Since there had been no increase in usage of the sites I run, I had to search elsewhere for the exorbitant increase. Eventually I tracked it down to my firewall being bombarded with 20,000 ICMP Echo requests a minute from many different IP addresses. This adds up to $A10 per hour or $A240 a day. I still need to battle with my ISP over whether I should be paying for this. It seems that the Welchie/Nachi worm sends out pings to find what machines are out there before it moves on to deeper probes. I can't believe that I am the only site out there which is being attacked in this way. There must be lots of other sites out there that are affected this way. Maybe they just haven't received their bills, yet?"

94 comments

  1. AAARRRGGGGG !!!!! by Anonymous Coward · · Score: 0

    It's their fault for not stopping the ping requests at their firewall !! Talk like a pirate #gh !!

  2. Overcharging by mnmn · · Score: 0

    Well, here in Toronto, both the major ISPs, Rogers and Sympatico, have a nice habit of overcharging these days. Bills of $100 per month and over are not unheard of. There are over 50 broadband providers, but many are small-name untested services I wouldn't want to risk trying. But since Rogers and Sympatico have both started bandwidth caps, it is time to give the ones without such caps a chance. Let capitalism take its course.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:Overcharging by thebigmacd · · Score: 1

      Sympatico has removed caps on the High Speed and Ultra High Speed services.

    2. Re:Overcharging by kidlinux · · Score: 1

      "But since the Rogers and Sympatico both have started bandwidth caps..."

      When is the last time you checked on these caps? Both Rogers and Sympatico removed them. When I came back to school at the beginning of the month and was getting my apartment internet service, I called both of them and asked. Both said "No caps!" I went with Rogers because I think anything over POTS is crap. Plus I hate Bell with a passion.

      The best Canadian ISP, afaic, is Shaw Cable. I bet they'd be very reasonable in a situation like this. But they don't have caps either.

      --
      -kidlinux.
    3. Re:Overcharging by SuiteSisterMary · · Score: 1
      > There are over 50 broadband providers but many are small-name untested services I wouldn't want to risk trying.

      I'd be surprised if any of them were selling anything other than Sympatico and Rogers.

      Kind of hard to lay your own cable network these days.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    4. Re:Overcharging by PktLoss · · Score: 1

      When Cogeco started leaning towards enforcing their bandwidth caps (amongst other serious snafus), I signed up with a local broadband ISP (www.jet2.net). To be honest, I have never had a problem.

      It's the same price as Sympatico or Cogeco, good speeds and no issues. I also haven't been dicked around for having port 80 running a service, or being double billed.

      I don't get 24x7 technical support, but that's not generally an issue. The service went down once (Bell cut my line), and they refunded that month.

    5. Re:Overcharging by Anonymous Coward · · Score: 0

      Bullshit. I have Rogers cable and the upload cap is still in place. Try uploading a large file and see your speed go down to 64Kbps (YES... that's 64 KILOBITS... about as fast as a modem) on your high speed connection.

  3. Use NetFlow to prove it was Nachi traffic. by Mordant · · Score: 4, Informative

    See these links for more info.

    1. Re:Use NetFlow to prove it was Nachi traffic. by Mordant · · Score: 3, Informative

      And here's one more.

    2. Re:Use NetFlow to prove it was Nachi traffic. by dmiller · · Score: 1

      And another and yet another. (yes, this is self-promotion)

  4. Standing class action law suit by m0smithslash · · Score: 3, Interesting
    We were just commenting today on how there should be a standing class action lawsuit against Microsoft. We could not think of a real reason, but you seem to have one here. The loss of business and revenue, whether from your pocket or your ISP's pocket, multiplied across many ISPs, seems like a case to me.

    My ISP is having almost continual problems being flooded with random worm noise.

    --
    Your friend and well-wisher
    m0smithslash
    http://www.ferociousflirting.com
    1. Re:Standing class action law suit by SpaceLifeForm · · Score: 1
      I agree totally.

      Going slightly off-topic here...
      It seems to me that Microsoft is a *huge* drag on the overall economy these days.
      And it's not just due to the network background noise,
      but putting up with all of the Microsoft holes that can be exploited over the net.

      Maybe the Department of Homeland Security should sue them. ;-)

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    2. Re:Standing class action law suit by Anonvmous+Coward · · Score: 4, Insightful

      "We were just commenting today on how there should be a standing class action lawsuit against Microsoft. We could not think of a real reason, but you seem to have one here. The loss of business and revenue, whether from your pocket or your ISP's pocket, multiplied across many ISPs seems like a case to me."

      Ugh. It's funny how morals here perform a complete 180 when there's an opportunity to get Microsoft into trouble.

      Here's the simple fact: Microsoft didn't write the worm.

      Now you can make the argument if you like that Microsoft was negligent. Just remember, that if you follow that logic, then Linux could find itself liable down the road. Some jackass comes up with an exploit, it causes trouble, and the Linux community is punished for it. Do you really want that?

      I have other issues with this line of reasoning. If I walk into a hospital with a cellular phone and intentionally use it to jam equipment there, should Nokia be sued for it? What about the company who made the equipment? Considering that the disruption was caused maliciously, then the finger needs to be pointed at me.

      I would strongly urge the Slashdot Community to be very careful about what you wish for, especially when it concerns punishment for Microsoft. It's fun to hate them and all, but the consequences they receive could wind up biting you in the butt. Eolas comes to mind...

    3. Re:Standing class action law suit by TheLink · · Score: 1

      No.

      You could not think of a real reason? So you're just looking for an excuse to justify your bias or hidden reasons.

      There are plenty of other battles worth fighting where the real reasons are obvious to you. So why not fight those instead?

      Winning the wrong battle can be very costly.

      --
    4. Re:Standing class action law suit by torpor · · Score: 3, Insightful

      > Now you can make the argument if you like that Microsoft was negligent. Just remember, that if you follow that logic, then Linux could find itself liable down the road. Some jackass comes up with an exploit, it causes trouble, and the Linux community is punished for it. Do you really want that?

      Yes.

      That would be fair. And, nevertheless, it would at least level the playing field in the new marketing dominion for the 21st century: responsibility.

      People are sick and tired of things working 'just because of a bug', and fundamentally - at least at the level of applications that are being written today - there's no really good reason for it. The technology and mindset required to prevent these sorts of wastes of computing resources existed in the 70's.

      What the 'personal computer revolution' camp - you know, the one around the big Microsoft circus tents, crammed full of dopes - often seems to forget is that this 'virus' situation is truly a problem of the *Design* of the system. In other words, Windows allows and *provides a loyal service for* anyone who wants to create an environment in which processes can be run, globally, on everyone's computer, unchecked.

      It's not like they couldn't have done per-user application security at the filesystem level, say, in Windows95. Hell, Linux/*BSD/*etc. had it then. They could have done it, and enforced it by making it the *default* setup. Hell, they could even have done ACLs in Win95, for network services... thus preventing a legion of Visual Basic worms that used to make the rounds from shareware bonanza BBSs in the days before ftp ... but ... noooo ... they chanted the 'developer' mantra and used that as a justification to not ... quite ... make ... so ... much progress out of the Windows 3.1/9x/NT/2000/XP/Me/LH upgrade cashcow...

      In my opinion, it can be demonstrated fairly clearly that through negligence on Microsoft's part - and their boneheaded desire to 'control^H^H^H^H^H^H^Hservice the entire market at all costs' - they have managed to deliver a product so faulty that it regularly, frequently, is a source of massive productivity loss.

      Computer Viruses are so 80's. By now, 2003, we should not be having these problems with our computers.

      (Some of us, actually, don't. I haven't had a single problem with a virus infection on my personal computing systems since, I guess it was the early days of DOS 3.1 ... which was the last time I ever attempted to use a Microsoft product in a production scenario.)

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    5. Re:Standing class action law suit by Anonymous Coward · · Score: 1, Interesting

      A better solution would be to put the blame (and the cost) on those who directly cause the inconvenience. If the users of infected machines are hit where it hurts most, they will look for better solutions, at which point you get what you want: Safer systems through the magic of market economy. I think inbound traffic should be free. Only outbound traffic is under the customer's control. Don't want to pay for pings? Don't answer them. This way, all traffic is paid for once, not twice like now btw.

    6. Re:Standing class action law suit by Door-opening+Fascist · · Score: 1

      I don't think a sufficient case could be made against Microsoft yet. But maybe you should talk to your legal department about suing the people whose computers were infected. Then they could turn around and sue M$ for allowing a worm onto their computer.

    7. Re:Standing class action law suit by GoofyBoy · · Score: 1

      >Yes.
      >That would be fair. And, nevertheless, it would at least level the playing field in the new marketing dominion for the 21st century: responsibility.

      If you care about the future of Linux you do not want this.

      Say that MS gets sued for a bug. They have lawyers, money and insurance, so that legal liability isn't a huge concern. Look at how much money they tossed at SCO. That's some department's weekly salary cost, not a problem.

      Say that a group working on/responsible for Linux code gets sued. Can a handful of students/individuals handle the multi-million dollar lawsuit? (Corporations will be going after them.) Could you? How much time and effort would it take to go through the entire process to get a not guilty judgement? And all it takes is one judgement against coders and that will freeze the vast majority of OpenSource development. Would you do something for free when you could be devastated by the consequences?

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    8. Re:Standing class action law suit by thogard · · Score: 2, Interesting

      Microsoft made bad software and they will get sued for it. This flaw isn't a direct flaw (read Nader's Unsafe at Any Speed about the Corvair) but an indirect flaw (Pintos that went boom after being hit). There are two different classes of product irresponsibility and MS is clearly guilty because they didn't do everything in their power to stop this problem and it led to direct financial damages to others. They are going to get sued and they will not win.

      In Australia, the big problem was the excessive amounts people ended up paying when their links went full throttle and the ISP is clicking away at $.20/megabyte. That is a result of giving Telstra too much power and clueless management of the entire telecom regulations, and that is mostly Sen Alston's fault. What I think would be interesting is to get enough people for a class action against MS and tell them you won't sue if they get Alston out of his current job. I'm not sure what would happen, but it would be fun to watch from the sidelines.

    9. Re:Standing class action law suit by torpor · · Score: 1

      I do care about the future of Linux, but one thing that everyone who has been involved in Linux has to understand is that free, open, honest source code has its liabilities. Linux coders *MUST* be careful not to break laws, and violate other intellectual property - and the only way to do this is to continue to have open publication of the code for others to review.

      If Linux went to court over some IP issue, then that would be fair - the courts are *supposed* to be a fair-dealing arena for the addressing of wrongs. Yes, it would suck to have Linux go up against a million-dollar lawyer, but then: if the law is broke, the law is broke. Fix it.

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    10. Re:Standing class action law suit by darkmeridian · · Score: 1

      There's a legal theory for enabling evil acts. Pretend I leave my car keys in my car with the motor running. Someone drives my car away and hits someone. I can be sued by the person who got hit.

      Fair? Perhaps not. Possible? Yes.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    11. Re:Standing class action law suit by volkris · · Score: 1

      Here's a thought:

      You willingly plug your computer into the public internet. You therefore take the responsibility for anything that the public internet does to your computer.

      It's not like these viruses are breaking the technological rules of the internet. It's not as if they're circumventing IP. They're operating within the rules that you agree to when you jack in, so you have no room to complain when bad things happen.

    12. Re:Standing class action law suit by Yottabyte84 · · Score: 1

      Well, you shouldn't be paying for incoming traffic where there is not an established connection... With UDP you could consider sending UDP packets back to be an established connection.

  5. Yup... more info here by Anonymous+Cowdog · · Score: 4, Informative

    I've been asking around about this, and it's amazing how many people are just brushing it off as nothing. It is a serious issue for IP addresses that are being hit.

    Here are some more posts on the topic, elsewhere. Note how some people just say "Oh, you are getting hits! Hits are good, no?".

    http://www.webmasterworld.com/forum39/1435.htm

    http://lists.jammed.com/incidents/2003/08/0369.html

    http://www.derkeiler.com/Mailing-Lists/linuxsecurity/2003-08/0002.html

    The blocking rules people suggest (see page five of the first link) don't work at my site, for some reason. Maybe it's because I only have access to .htaccess, not my own httpd.conf.

    1. Re:Yup... more info here by dougmc · · Score: 1
      > Note how some people just say "Oh, you are getting hits! Hits are good, no?".

      These are probably the same people who think that the WWW *is* `The Internet'.
    2. Re:Yup... more info here by Drantin · · Score: 1

      nah... It's the people that think every URL starts with 'www.'

      --
      Actio personalis moritur cum persona. (Dead men don't sue)
    3. Re:Yup... more info here by thilmony · · Score: 1

      A little OT here, but I purposely set up websites for my users not using www.????.com to confuse them and teach them that not all websites start with www.

      --
      YES, there is a McDonald's in Hanoi Square.
    4. Re:Yup... more info here by pmz · · Score: 1

      1. Whore 2. ??? 3. Profit!!!

      With a one like that, you need no two--it is implied.

  6. hmm interesting... by josepha48 · · Score: 3, Insightful
    You get charged because someone else uses up your bandwidth with a worm... Well, I'd threaten to sue, and then sue, but I think someone else here mentioned there is a class action lawsuit about this.

    However, they probably just see the pings using up your bandwidth and that is what they are looking at. I'd probably start logging all IP addresses that are pinging your server and then go after all these users. After all, they are infected with this worm, and until people who get on the internet start being responsible for keeping their machines firewalled, updated and locked down as much as possible from hackers, these things will continue. Most of the MS worms could be prevented if people used Zone Alarm or Black Ice or another firewall product. Also most of the Linux and BSD exploits could be avoided if they set up firewalls, updated their systems and kept on top of security.

    No it is not your fault, so go after those who are using up YOUR bandwidth and sue them and make them pay. It is their irresponsibility and stupidity that are causing these problems.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

    1. Re:hmm interesting... by perlchild · · Score: 1

      > No it is not your fault, so go after those who are using up YOUR bandwidth and sue them and make them pay. It is their irresponsibility and stupidity that are causing these problems.

      But most ISPs don't keep that kind of traffic logs, and if your end of the link is overloaded, you won't be able to either... And you might be charged extra for any retransmits... I wonder how much extra I'd have to pay to get trustworthy, detailed connection logs, by provenance/ip/port for any given connection size/usage... At least traffic logs detailed enough that traffic abusers might be easily noticed on the bill, and the attackers could be charged, according to the gravity of the offense. Maybe that's why my bandwidth provider won't identify the other end of the link; they don't want me to be able to protest that it's not my fault...

    2. Re:hmm interesting... by Anonymous+Cowdog · · Score: 1

      >Maybe that's why my bandwidth provider won't identify the other end of the link

      It's not hard to identify the other end of the link. One of the things these worms, or at least one of them (Welchi) does is access the root document of your httpd server if you have one running. So you get lots of hits to http://www.yourdomain/, aka index.html, coming from various IP addresses. The most obvious way these hits are distinguished from normal browser accesses is they don't load images or stylesheets.

      So if you already have a web server, look in those logs. Otherwise, install Apache and run it for a few days to get a sampling of the logs, which will show you where some of the infected hosts are. However, this is only useful as a sample, because at least in my case so far I haven't seen much repetition of originating IPs. I do not believe the originating IPs are spoofed, btw, they are just Windows machines that have been infected.
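
As an added example (not part of the original thread, and not anything Anonymous Cowdog posted), here is one way to pull the pattern described above out of an Apache access log: group requests by client address and flag clients that fetched the root document but never followed up with a stylesheet or image, which a real browser would do. The log lines below are constructed sample data using documentation address ranges; the asset-suffix list and the five-field combined-log regex are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Apache "combined" access-log lines: two worm-style
# probes (root document only, no follow-up assets) and one normal visitor
# whose browser pulls the stylesheet and logo right after the page.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2003:10:15:01 +1000] "GET / HTTP/1.1" 200 2341 "-" "-"
198.51.100.23 - - [20/Aug/2003:10:15:02 +1000] "GET / HTTP/1.1" 200 2341 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [20/Aug/2003:10:15:02 +1000] "GET /style.css HTTP/1.1" 200 812 "http://www.example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [20/Aug/2003:10:15:03 +1000] "GET /logo.png HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.55 - - [20/Aug/2003:10:15:09 +1000] "GET / HTTP/1.1" 200 2341 "-" "-"
192.0.2.55 - - [20/Aug/2003:10:16:40 +1000] "GET / HTTP/1.1" 200 2341 "-" "-"
"""

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed set of "page asset" suffixes a rendering browser would request.
ASSET_SUFFIXES = (".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_root_only_clients(records):
    """Return {ip: number_of_root_fetches} for clients that requested "/" and
    never requested any page asset.  A browser rendering the page pulls
    stylesheets and images right afterwards; the worm's probe does not."""
    paths_by_ip = defaultdict(list)
    for r in records:
        paths_by_ip[r["ip"]].append(r["path"])
    suspects = {}
    for ip, paths in paths_by_ip.items():
        root_hits = sum(1 for p in paths if p == "/")
        fetched_assets = any(p.lower().endswith(ASSET_SUFFIXES) for p in paths)
        if root_hits and not fetched_assets:
            suspects[ip] = root_hits
    return suspects


if __name__ == "__main__":
    for ip, hits in sorted(find_root_only_clients(parse_log(SAMPLE_LOG)).items()):
        print(f"{ip}\t{hits} root-only hit(s)")
```

The heuristic is deliberately conservative: a text-mode browser or a monitoring probe would also trip it, so treat the output as a candidate list to cross-check against firewall or tcpdump records rather than as proof on its own.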

    3. Re:hmm interesting... by josepha48 · · Score: 1
      Then you need to switch ISP. I'm not 100% sure I understand the problem fully. Is this a DSL web server? If so you have the logs.

      If this is a business account with someone like Earthlink then threaten to take them to court to get the logs and IP addresses. I believe that one of the homeland security acts or such requires ISPs to have this information on hand for security reasons. You need to make it clear to them that you have been hacked or attacked. If you have a server in some colo location and they are keeping your server for you, then you need to contact them and tell them your system was attacked and you cannot access it and you need these logs.

      YOU need to be proactive about this and do whatever it takes to get this information and sue if necessary. Otherwise you can just kiss your money goodbye.

      --

      Only 'flamers' flame!
      Does slashdot hate my posts?

    4. Re:hmm interesting... by Hubert_Shrump · · Score: 1

      if it's nachi/welchie - good luck tracking down the originating IP - most of them are spoofed.

      i assume it's just proof that the virus writer(s) are as retarded as i'd always thought - or maybe they're really smart and have some reason to flood everything.

      --
      Keep your packets off my GNU/Girlfriend!
    5. Re:hmm interesting... by innosent · · Score: 1

      I agree [almost] completely, except that you should not pay unless ordered to by a court, and you should file a lawsuit. Since you don't live in the US (and hence the parent's mention of HomeSec doesn't help), I'm not sure what laws you have to protect you, or how discovery proceedings work, but I would assume that there is some method to see all of the information they have on the subject, and from there you should easily be able to prove that it is not something you should be responsible for.

      While you're waiting for the court proceedings to finish, it might be a good time to change providers, and make sure you have a good lawyer go over the contract, so you don't get stuck with things like this again. If you are to be billed for bandwidth usage, you should have a clause in there stipulating what types of packets count, and connectionless protocols should not count, or should at least be billed at a [much] lower rate.

      --
      --That's the point of being root, you can do anything you want, even if it's stupid.
    6. Re:hmm interesting... by TheLink · · Score: 1

      They're not spoofed. Most of them are infected machines. They are scanning entire network ranges for other machines to infect.

      You'll see all LEDs on your switches light up when a _single_ infected machine is plugged in.

      One friggin ISP here has totally blocked ICMP pings, probably because of the worms. You can't use ping for testing and troubleshooting now. Which is a pain: while I have alternatives on my own systems, when you are troubleshooting at a customer's site you often don't have these alternatives. Most routers, firewalls etc. don't have modified traceroutes or pings that use other protocols.

      --
    7. Re:hmm interesting... by Hubert_Shrump · · Score: 1

      you're right.

      i don't know where i read they were spoofed, but obviously i was smoking crack, and the crack smoked me while i tested it.

      must have nmapped someone behind a firewall the few times i checked - but i just got a fat hit off a Win Me/XP/2003 machine.

      thank goodness it'll time out in 2003 - oh, thank you virus writer for the infinite wisdom that this needed to go on for FIVE MONTHS.

      --
      Keep your packets off my GNU/Girlfriend!
    8. Re:hmm interesting... by taernim · · Score: 1

      A Class Action lawsuit?
      Against whom?

      Not Microsoft, hopefully.
      I think the blame should rest on the Admins who are too lazy to patch their systems.

      But of course people won't do that.
      That would actually make SENSE... :/

      --
      "PC Load Letter? What the $@#% does that mean?!"
  7. 20 cents a meg, anyone..? by zcat_NZ · · Score: 4, Informative

    Yep, that's what full-rate ADSL customers pay for traffic in New Zealand, once they get past their pitiful 500M monthly allowance.

    "I run linux.. I'm not affected by Windows worms and viruses" - Yeah, you wish..!

    --
    455fe10422ca29c4933f95052b792ab2
    1. Re:20 cents a meg, anyone..? by Klaruz · · Score: 1

      Wow that's crazy. What's the reason for that? I know NZ is a long haul from a large land mass, but still. I can eat up 500 meg with a few days of surfing for just news and the small bit of audio/video. Do they send the packets by trained monkey requiring constant care and feeding? Or is there something about NZ that makes a DSLAM 10,000 times more expensive than elsewhere in the world?

    2. Re:20 cents a meg, anyone..? by Stillman · · Score: 1

      The reason for that is Telecom NZ. An ex-SOE spun off into a private company, who have an effective monopoly on DSL service provision due to the fact that they own 90% of the copper in the ground. There are other providers, but most lease the copper (or just the DSL service) from Telecom. Zcat is exaggerating slightly with his 500M allowance - there are 128k and 256k flatrate plans available with high/no caps, but most businesses opt for the 4-7Mb/s "full" capped plans - and the caps are low, and the costs are high.

      --
      Prisoner #655321
    3. Re:20 cents a meg, anyone..? by zcat_NZ · · Score: 1

      I did say 'full rate'.

      Here's some 'no shit' numbers direct from Telecom's site (blatantly whoring for another +5 Informative.. :-)

      --
      455fe10422ca29c4933f95052b792ab2
    4. Re:20 cents a meg, anyone..? by GreenKiwi · · Score: 1

      Yeah, they have a JetStream Starter plan, where your bandwidth is capped by the ISP, usually to 5-10 gigs. Much more reasonable than 500 megs; however, it's still extremely easy to bang over 5 gigs of traffic w/o downloading any MP3s or music.

    5. Re:20 cents a meg, anyone..? by thogard · · Score: 2, Interesting

      They claim it's because of the huge costs of running the undersea cables. In NZ that doesn't explain the .02/MB for NZ traffic over the 500M. All the companies that run undersea cables have been replacing their transponders to reduce their expenses. If they put in new transponders they can go up to 150km between them where the old ones were needed every 20km. When they upgrade the transponders they get a gain out of the fiber in the order of 1000x or even more. There was already a glut of bandwidth between the US, NZ and Aus before the upgrades started. Tyco also appears to be putting down a new cable from Guam.

      I've been working on starting a WISP in both NZ and AUS and it's been an interesting situation. My base station for a kiwi town is stuck in customs in Australia. Australia requires a $10,000/yr telecommunications license if you sell network services, but for that you get the rights to dig holes anyplace you want.

      In some areas I could provide a typical home user 10 gig/mo of broadband for a cost of about $18/mo. That includes the upstream pipes but not their radio, installation, tech support or the stupid telecom license.

      NZ has a bit of a problem with their phone switches in that they used a model that isn't used anywhere else in the world. That could cause some price increase over other systems, but since they use the same phones as the rest of the world, it can't be that bad.

    6. Re:20 cents a meg, anyone..? by Anonymous Coward · · Score: 0

      Why should a plain ISP connection respond to ping requests from outside the ISP?

      ISPs are at fault if they don't manage the worm attacks with appropriate rules without causing user problems... NOT TO CHARGE THEM!

      But, anyway, you are in NZ, which means that you can exactly swap ISPs as if one could swap a shirt...

      I would pay the normal traffic and would haggle on the extra charge on grounds of unfounded traffic, not your traffic. But not sure what contractual constraints you would have... (but some pressure should be useful, after all, worms are here to stay).

    7. Re:20 cents a meg, anyone..? by CoyoteNZ · · Score: 1

      > but most businesses opt for the 4-7Mb/s "full" capped plans - and the caps are low, and the costs are high.

      I believe the reason that most businesses opt for the fast services is that the slow 128 or 256 DSL services with higher caps are for residential usage only, and businesses aren't allowed to use them!

      --
      I have nothing against humans personally, but as a group they stink. --- Quinn, War of the Worlds Series.
  8. I'm getting thousands of these pings by sa3 · · Score: 1

    I get random pings on my 56k dial-up, on an adsl connection, on another 56k dial-up, on a cable connection, I had someone on another dial-up isp run tcpdump and they get it too.

    It's extremely annoying, and has caused me to block the response.

    1. Re:I'm getting thousands of these pings by durval · · Score: 1

      Hello,

      Just out of curiosity, I captured ICMP echo request traffic to my ADSL firewall for the last HOUR: got exactly 120 packets, less than 5 KB total... totally irrelevant.

      Maybe the folks who are getting lots and lots of it are being targets of good old DDoSes instead of simply being scanned by worms?

      I would investigate that more thoroughly if I were in their place, instead of just assuming it's worm traffic.

      --
      Best Regards,
      Durval Menezes.
      I have never met a computer that didn't like me.
  9. nachi by graf0z · · Score: 2, Informative
    According to this analysis, a simple packet sniffer (like tcpdump) should reveal if it's Nachi: if its echo-request storm detects a living IP, an MS RPC DCOM exploit follows (e.g. on ports 135 or 445).

    /graf0z.

    1. Re:nachi by TheLink · · Score: 1

      Heck just the arp requests are bad enough - all the lights on the affected switches light up.

      tcpdump is only to find the culprit.

      --
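
As an added example (not from the thread, and not graf0z's or TheLink's code), here is the correlation graf0z describes a few posts up, run over a small tcpdump-style capture: a source that sends an echo request to a host and then opens a TCP connection to port 135 or 445 on the same host within a short window is flagged. The capture lines are constructed to look like older tcpdump output and use documentation address ranges; the five-second window, the line formats the regexes expect, and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed capture in the style of older tcpdump output (only the ICMP and
# TCP SYN lines that matter here; addresses are from documentation ranges).
# 203.0.113.7 behaves like Nachi: echo request, echo reply, then a SYN to
# TCP/135 within a second.  198.51.100.23 only pings.  192.0.2.77 is a
# normal web client connecting to port 80.
SAMPLE_CAPTURE = """\
10:15:01.000123 203.0.113.7 > 192.0.2.10: icmp: echo request
10:15:01.000456 192.0.2.10 > 203.0.113.7: icmp: echo reply
10:15:01.200000 203.0.113.7.1049 > 192.0.2.10.135: S 1234567:1234567(0) win 16384
10:15:05.000000 198.51.100.23 > 192.0.2.10: icmp: echo request
10:15:05.000300 192.0.2.10 > 198.51.100.23: icmp: echo reply
10:15:30.000000 192.0.2.77.2201 > 192.0.2.10.80: S 7654321:7654321(0) win 65535
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TS = r"\d\d:\d\d:\d\d\.\d+"
# "HH:MM:SS.ffffff src > dst: icmp: echo request"
ECHO_RE = re.compile(rf"^(?P<ts>{TS}) (?P<src>{IP}) > (?P<dst>{IP}): icmp: echo request$")
# "HH:MM:SS.ffffff src.sport > dst.dport: S ..."  (TCP SYN)
SYN_RE = re.compile(rf"^(?P<ts>{TS}) (?P<src>{IP})\.(?P<sport>\d+) > (?P<dst>{IP})\.(?P<dport>\d+): S ")

RPC_PORTS = (135, 445)  # the MS RPC/DCOM ports named in the thread


def _seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (capture assumed to span one day)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Return (echo_requests, syns): [(t, src, dst)], [(t, src, dst, dport)]."""
    echoes, syns = [], []
    for line in text.splitlines():
        m = ECHO_RE.match(line)
        if m:
            echoes.append((_seconds(m["ts"]), m["src"], m["dst"]))
            continue
        m = SYN_RE.match(line)
        if m:
            syns.append((_seconds(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return echoes, syns


def find_ping_then_rpc(text, window=5.0, ports=RPC_PORTS):
    """Sources that ping a host and then SYN to an RPC port on that same host
    within `window` seconds.  Returns {src: [(dst, dport), ...]}."""
    echoes, syns = parse_capture(text)
    hits = defaultdict(list)
    for t_syn, src, dst, dport in syns:
        if dport not in ports:
            continue
        preceded_by_ping = any(
            s == src and d == dst and 0 <= t_syn - t_echo <= window
            for t_echo, s, d in echoes
        )
        if preceded_by_ping and (dst, dport) not in hits[src]:
            hits[src].append((dst, dport))
    return dict(hits)


def count_echo_requests(text):
    """Echo requests per source address: the raw number behind a bandwidth complaint."""
    echoes, _ = parse_capture(text)
    counts = defaultdict(int)
    for _, src, _ in echoes:
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    print("echo requests per source:", count_echo_requests(SAMPLE_CAPTURE))
    print("ping followed by RPC connect:", find_ping_then_rpc(SAMPLE_CAPTURE))
```

On a real capture the per-source echo counts are what to hand to the ISP, and the ping-then-RPC list is what distinguishes a worm sweep from the plain ping flood durval suggests checking for; a host that pings and never follows up is not showing the Nachi pattern.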
  10. Black Ice by Vaevictis666 · · Score: 4, Informative
    I don't know if things have changed since I looked at it last, but the latest version of Black Ice Defender was a port monitor, not a firewall.

    The difference is that a real firewall (Like Zone Alarm or Sygate (free is down at the bottom)) will block the traffic, prompt you to allow/disallow it, and then follow instructions.

    Black Ice, on the other hand, will simply watch ports, log traffic, and when someone tries to access your RPC port or whatnot, it simply sets a flag "Serious Error - Someone Hacking" and starts blinking in the system tray. No real response, no ability to block it in the future, just simple monitoring.

    In other words, it's a complete waste of CPU cycles from a security standpoint, and if you're using it for traffic monitoring you'd be better served with Ethereal.

    1. Re:Black Ice by Xenophon+Fenderson, · · Score: 2, Insightful

      Maybe we were looking at different products. IIRC, BlackICE Defender had firewall functionality. The new version, now named RealSecure Desktop, shares IDS signatures with other RealSecure products and can do the whole "active response" thing, including blocking packets, sending TCP RSTs, etc. If you use the enterprise version, it is administered centrally using the ISS SiteProtector console software (which is why we're looking at it at $ORK).

      In fact, I seem to recall being impressed with its application-specific firewalling over-and-above Zone Alarm Pro. But I've slept since then, and could be misremembering something.

      --
      I'm proud of my Northern Tibetian Heritage
    2. Re:Black Ice by prostoalex · · Score: 1

      > No real response, no ability to block it in the future, just simple monitoring.

      Right Click on the intruder's name -> Block Intruder -> For Hour/For Day/For Month/Forever.

      The same for Trust Intruder.

    3. Re:Black Ice by Vaevictis666 · · Score: 1
      Hmm... OK it looks a lot better than when I last took a look at it if I go by the product blurb.

      Yes it was BlackICE Defender, by Network ICE, that I was referring to, but that was quite a while back. And as far as App-specific firewalling that's why I use Sygate. I never could get myself to like Zone Alarm, and I never got around to re-evaluating BlackICE.

    4. Re:Black Ice by Vaevictis666 · · Score: 1

      and if you're away from the machine while it happens, what's the default? If it defaults to allow then what's the point?

    5. Re:Black Ice by prostoalex · · Score: 2, Informative

      That would be Tools->Edit BlackICE Settings, then Firewall tab and level of protection (Paranoid, Nervous, Cautious, Trusting). Defaults to Trusting :-)

    6. Re:Black Ice by UnrefinedLayman · · Score: 1
      a real firewall (Like Zone Alarm or Sygate
      Sorry, but Zone Alarm and Sygate are not real firewalls. They're cheap hooks. A real firewall doesn't run in your system tray; it runs in a room, by itself.
  11. rate limiting may indeed help (a bit) by graf0z · · Score: 2, Interesting
    In times of dDoS and flooding worms, ISPs should offer rate limiting of initial packets to their customers, e.g. by enforcing rules like "max. N tcp/SYN or ICMP echo-request per IP per second"

    (Linux/netfilter example:

    iptables -A FORWARD -d $IP -j ACCEPT -p tcp --syn -m limit --limit 10/s --limit-burst 20

    iptables -A FORWARD -d $IP -j DROP -p tcp --syn

    iptables -A FORWARD -d $IP -j ACCEPT -p icmp --icmp-type echo-request -m limit --limit 10/s --limit-burst 20

    iptables -A FORWARD -d $IP -j DROP -p icmp --icmp-type echo-request )

    Would not really help, but lower the impact.

    /graf0z.
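
    Added example, not part of graf0z's post: a small Python model of what those four netfilter rules do. The `-m limit` match behaves as a token bucket (bucket size `--limit-burst`, refilled at `--limit`), so the simulation below feeds such a bucket a constructed 20-packet-per-second echo-request flood and counts how many get through; the rule generator only writes the post's rules for other destination addresses. The bucket is an approximation of the kernel's implementation, and the arrival times and the 192.0.2.10 address are constructed.

```python
"""Added example: token-bucket model of the netfilter '-m limit' match used in
the rate-limiting rules above, plus a helper that writes those rules for any
destination address. The model approximates the kernel implementation; the
traffic it is fed below is constructed, not captured."""
from typing import List, Optional, Tuple


def netfilter_rate_limit_rules(ip: str, rate_per_s: int = 10, burst: int = 20) -> List[str]:
    """The four FORWARD-chain rules from the post, for one destination.

    Order matters: each ACCEPT-with-limit rule must come before its DROP rule,
    otherwise the DROP rule matches first and every packet is discarded.
    """
    limit = f"-m limit --limit {rate_per_s}/s --limit-burst {burst}"
    return [
        f"iptables -A FORWARD -d {ip} -p tcp --syn {limit} -j ACCEPT",
        f"iptables -A FORWARD -d {ip} -p tcp --syn -j DROP",
        f"iptables -A FORWARD -d {ip} -p icmp --icmp-type echo-request {limit} -j ACCEPT",
        f"iptables -A FORWARD -d {ip} -p icmp --icmp-type echo-request -j DROP",
    ]


class TokenBucket:
    """Token bucket holding at most `burst` tokens, refilled at `rate_per_s`.

    Tokens are stored in thousandths and time in milliseconds so that the
    accept/drop boundary is exact integer arithmetic, not floating point.
    """

    def __init__(self, rate_per_s: int, burst: int) -> None:
        self.rate = rate_per_s              # tokens per second == thousandths per ms
        self.capacity = burst * 1000
        self.tokens = self.capacity         # the bucket starts full
        self.last_ms: Optional[int] = None

    def allow(self, now_ms: int) -> bool:
        """Spend one token for a packet arriving at now_ms; False means drop."""
        if self.last_ms is not None:
            self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def simulate(arrivals_ms: List[int], rate_per_s: int = 10, burst: int = 20) -> Tuple[int, int]:
    """Return (accepted, dropped) for packets arriving at the given times."""
    bucket = TokenBucket(rate_per_s, burst)
    accepted = sum(1 for t in arrivals_ms if bucket.allow(t))
    return accepted, len(arrivals_ms) - accepted


def steady_flood(pps: int, seconds: int) -> List[int]:
    """Constructed arrival times (ms) for `pps` echo requests per second."""
    return [i * 1000 // pps for i in range(pps * seconds)]


if __name__ == "__main__":
    for rule in netfilter_rate_limit_rules("192.0.2.10"):
        print(rule)
    accepted, dropped = simulate(steady_flood(20, 10))
    print(f"20 pps for 10 s: {accepted} accepted, {dropped} dropped")
```

    With the post's numbers (10/s, burst 20) a 20 packet/s flood gets its first 38 packets through on the burst allowance and then settles to every second packet, i.e. the configured 10/s. Note that this only limits what reaches hosts behind the firewall; as later posts point out, the packets have already crossed the metered link by the time they are dropped, so the rule belongs upstream at the ISP if the goal is the bill rather than the hosts.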

  12. Continuously flickering activity light by cyberman11 · · Score: 3, Interesting

    My router WAN activity light and modem activity light are continuously flickering, even when no computers on my LAN are turned on. I tried replacing my Linksys BEFSR41 router with a Belkin F5D5231-4 router, and switching from a DSL modem to a cable modem but the new lights flicker just as much as the old ones. Since my computer is powered off, the continuous activity must be coming from the internet. I guess either hackers or worms.

    1. Re:Continuously flickering activity light by Anonymous Coward · · Score: 0

      [cue Twilight Zone theme]

      I just did this very same thing, down to the unplugging all my boxes to see if the light was due to internal infection.

      Sounds like I need to complain to my DSL provider.

    2. Re:Continuously flickering activity light by Bitsy+Boffin · · Score: 2, Interesting

      More likely broadcast ARP requests ("give me hardware address for xxx.xxx.xxx.xxx"), the more machines on your section of the network, the more "background" traffic of this type you'll see.

      --
      NZ Electronics Enthusiasts: Check out my Trade Me Listings
    3. Re:Continuously flickering activity light by surprise_audit · · Score: 1

      I was wondering about that too, so one day I took my router/firewall out of the loop and connected my Linux box directly to the cable modem. Ethereal showed almost all the traffic to be "arp: who has xx.xx.xx.xx", with a small sprinkling of other packets.

    4. Re:Continuously flickering activity light by AlienFactor · · Score: 1
      My router WAN activity light and modem activity light are continuously flickering, even when no computers on my LAN are turned on.

      A couple months ago mine went from flickering to solid on. My firewall keeps stats on blocked packets, seems to be about 95% ping attempts (Nachi probes probably) and 5% attempts to access Windows Netbios ports.

    5. Re:Continuously flickering activity light by Datasage · · Score: 1

      As said before, it's probably ARP packets. I used Ethereal and found that I was receiving over 100 ARP packets per second. Granted, the packets are small, but over time it adds up.

      At what point is all this background traffic too much? I think it's already passed that point.

      --
      In America we are imprisoned by our fear of them.
  13. And you didn't notice this before, because? by Zocalo · · Score: 2, Interesting
    Maybe they just haven't received their bills, yet?"

    This is going to sound harsh, but maybe they actually *look* at their logs and traffic graphs with a little more frequency than you imply that you do, noticed something was amiss and put the onus on the ISP to block it? You quadrupled your bandwidth for the month - that's one *serious* anomaly whether it's steady noise or intermittent spikes, and as such should have been red-flagged no later than day two, and that's assuming you only get a daily email from a cron. With this data you could have requested your ISP filter the traffic upstream, and made a fair claim against paying the already incurred traffic and an insistence against future traffic.

    I'd think long and hard about going to court with this, because there is a pretty good chance that the ISP's lawyers are going to bring this up. If they do, then your company's technical competence is likely to be brought into question in a big way, and in a public forum too. You might be better off writing this off as experience, setting up some better monitoring tools and moving on.

    Of course, you might have some mitigating circumstances, such as... Well, actually, I can't think of any technical reasons why you couldn't spot this kind of traffic, is there one?

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:And you didn't notice this before, because? by DaveJay · · Score: 3, Interesting

      I can think of one good reason -- although it's a reason that applies to me, not the person who posted the article.

      Here's the reason: I don't know how to do it.

      Okay, granted, it's not a GOOD reason. The thing is, I have a webstats monitor to check my WWW bandwidth, but I don't know how to check my OVERALL bandwidth. Good thing my ISP doesn't charge by the k. :)

      Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic.

      As an example, I'm running e-smith 5.5 on my home server. How would I monitor ALL my bandwidth? Not a step-by-step howto, mind you, just a "here's a great site" or "here's a good product" would help.

      Thanks in advance.

    2. Re:And you didn't notice this before, because? by Shaleh · · Score: 1

      For corporates the router connected to the internet has statistics in it like packets sent, received etc. There are many tools to monitor these routers, some open, others you pay for. If you start to notice spikes or a general increase in volume you can contact the upstream to try to get some of it blocked.

      Another place to get the data is from the firewall. At this level you can get the data broken down by access type -- ICMP, GRE, HTTP, DNS, etc.

    3. Re:And you didn't notice this before, because? by Zocalo · · Score: 3, Interesting
      Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic.

      It is in the context of the poster - (s)he has a firewall and appears to be running a web hosting company. You on the other hand appear to be a home user, so you may not have as much latitude depending on your ISP and how much control you have over how you get online.

      The first place to start is your router, since all traffic must pass through it, or a dedicated firewall immediately behind it. The simplest way to acquire traffic stats is with SNMP using a tool like MRTG which is how I do it. If you have no control over the router, then you might be able to get the same figures off the port on your switch that it connects to. I say might, because this assumes that you have a switch (likely these days) and that it supports SNMP (not quite as likely).

      Falling back further; no central point of ingress/egress you can monitor and a non-managed switch/hub... OK, we need to look at the traffic on the host NICs directly, on a per host basis. That means a bandwidth monitoring and logging tool; any software site will have loads (search on "bandwidth and log") and most host based firewalls can provide this information for you as well.

      --
      UNIX? They're not even circumcised! Savages!
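
      Added example, not from Zocalo's post or from MRTG: what a polling tool does with the SNMP interface counters he describes, written out in Python so the arithmetic is visible. Periodic ifInOctets readings are turned into per-day usage (the counter is 32-bit and wraps), and each day is compared with the median of the recent clean days so that a month that is about to quadruple is flagged on the first bad day rather than on the bill. The readings below are constructed, not polled from a real router.

```python
"""Added example: per-day usage from periodic SNMP ifInOctets readings (the
counters MRTG polls), with 32-bit counter wrap handled, and a simple check
that flags a day far above the recent baseline. The readings below are
constructed, not polled from a real router."""
from statistics import median
from typing import List

COUNTER32_MOD = 1 << 32  # ifInOctets is a Counter32: it wraps to 0 after 2^32 octets


def counter_deltas(readings: List[int], modulus: int = COUNTER32_MOD) -> List[int]:
    """Octets transferred between consecutive readings.

    Taking the difference modulo 2^32 handles one wrap per interval. If an
    interface can move more than 4 GiB between polls, poll ifHCInOctets (the
    64-bit counter from IF-MIB) or poll more often; a second wrap is invisible.
    """
    return [(cur - prev) % modulus for prev, cur in zip(readings, readings[1:])]


def flag_anomalies(daily_octets: List[int], baseline_days: int = 3, factor: float = 2.0) -> List[int]:
    """Indices of days whose usage exceeds `factor` times the median of the
    last `baseline_days` days that were *not* themselves flagged.

    Flagged days are kept out of the baseline so that a flood lasting several
    days does not quietly become the new normal.
    """
    flagged: List[int] = []
    clean: List[int] = []
    for day, octets in enumerate(daily_octets):
        if len(clean) >= baseline_days:
            baseline = median(clean[-baseline_days:])
            if octets > factor * baseline:
                flagged.append(day)
                continue
        clean.append(octets)
    return flagged


# Constructed midnight readings of one interface's ifInOctets over eight days.
# Usage runs at about 1 GB/day, then 4.2 GB and 4.0 GB, then back to 1 GB;
# the counter wraps in several of the intervals.
SAMPLE_READINGS = [
    4_000_000_000,
    705_032_704,
    1_805_032_704,
    2_705_032_704,
    3_705_032_704,
    3_610_065_408,
    3_315_098_112,
    20_130_816,
]


def daily_report(readings: List[int]) -> List[str]:
    """One line per day with usage in MB and a marker on anomalous days."""
    deltas = counter_deltas(readings)
    flagged = set(flag_anomalies(deltas))
    return [
        f"day {i + 1}: {octets / 1e6:8.1f} MB" + ("  <-- over 2x baseline" if i in flagged else "")
        for i, octets in enumerate(deltas)
    ]


if __name__ == "__main__":
    for line in daily_report(SAMPLE_READINGS):
        print(line)
```

      The wrap handling is the part that bites in practice: a naive `cur - prev` on a Counter32 that has rolled over gives a huge negative number, and a graphing tool that silently discards such samples hides exactly the busy days that matter here.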
    4. Re:And you didn't notice this before, because? by Door-opening+Fascist · · Score: 2, Informative

      We use Cricket to monitor the bandwidth usage on our T1s. Take a look at our PacketShaper reports. You can also look at the root of the server to see the other stuff that can be monitored.

      Over in CS, we use Ganglia to monitor the network usage coming out of each individual machine.
  14. First off by Anonymous Coward · · Score: 2, Funny

    I would ask my ISP to stop charging me in hex.

    1. Re:First off by GoofyBoy · · Score: 1

      Another fine example of how a Funny Anonymous Coward is worth suffering through 100 Trolling Anonymous Cowards.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  15. Nachi/Welchia and Cox.net by Anonymous Coward · · Score: 0

    abuse@cox.net IGNORES Nachi/Welchia reports. Just fucking ignores them. I keep getting hit by about 200 different machines DAILY from other customers on the Cox network, and guess what they do about these IDIOTS... NOTHING. I guess that they're just planning on waiting around for the worm to kill itself off on Dec. 30th.

    Morons...

  16. Downstream firewalls won't help much by BladeMelbourne · · Score: 2
    Downstream firewalls won't help much. The traffic will still travel through the cable/wires to your computer, it's just that the packets get ignored. These dropped packets still count towards your bandwidth limit/charge.

    Something would need to be done further upstream, at say the ISP. A web frontend to iptables would not be too hard to create, however it would be difficult/repetitive for dialup users who get disconnected after a handful of hours.

    Using Windows 98 on a 4 hour dialup modem connection, the number of times I ran netstat and discovered foreign machines connected to port 135 was astounding - even when there were no file shares available. Whenever I had SQL Server 2000 SP3 running, within 30 minutes my modem lights would blink like crazy, until I temporarily stopped the DB service.

    Now I run Linux with iptables blocking all ports except 80 (Apache) and 81 (IIS-4). No attacks can get to my Win98 VMWare Workstation.

    You can test what ports are open/closed/stealth at this URL: https://grc.com/x/ne.dll?bh0bkyd2

    But this wouldn't solve Pinkboard Panther's problem - some blocks would need to be implemented further upstream.

    Mike

  17. Am I missing the point? by Anonymous Coward · · Score: 0

    Even if I block it at my firewall, it still gets TO my firewall, hence it's using my pipe and therefore my bandwidth, so I'll still be charged. So, again assuming I'm not missing the point, what needs to happen is my ISP needs to filter that stuff BEFORE it gets to my pipe. Even better, the ISP of the offender should be doing egress filtering of Nachi, etc. so it never gets to me in the first place.

  18. Not just websites by __aafkqj3628 · · Score: 1

    I doubt that my site will have a problem with that (since it missed the Blaster thing), but I'm waiting to see my bandwidth bill for my normal internet usage this month from my ISP (for my home usage). I've already been quite busy on the internet and I've clocked over 400 copies of the Swen worm being downloaded from my many email accounts in less than two days.
    If this keeps up, I'm looking at ~800MB of additional traffic.

  19. Know what'd suck? by Anonvmous+Coward · · Score: 1

    I guess this shows a fundamental problem with the internet as a commercial entity. It's kind of like being charged every time your phone rings. Imagine your bill going up because a bunch of autodialers were set up to call random numbers.

    Seems to me that either billing practices need to be reworked, or the net needs to be modified with considerations like this in mind.

    1. Re:Know what'd suck? by SoCalChris · · Score: 1

      It's kind of like being charged every time your phone rings. Imagine your bill going up because a bunch of autodialers were set up to call random numbers.

      The answer is simple...

      If you can find it in your heart to forgive me, just send $1 to Sorry Dude, 742 Evergreen Terrace, Springfield. You have the power!

  20. Mod Parent Up by Anonymous Coward · · Score: 0

    For actually having a clue. Congrats!

  21. Shields up ? by Cobratek · · Score: 1

    Killerwall Kicks @$$

    Your system has achieved a perfect "TruStealth" rating. Not a single packet - solicited or otherwise - was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

    Gotta love Linux ... it's mandatory !

    --
    DONT TREAD ON ME ΜΟΛΩΝ ΛΑΒΕ
  22. Due Diligence on the part of the ISP by freebase · · Score: 2, Interesting

    I don't know how things work in your neck of the woods, but here all I had to do was threaten to take my business to another provider because the ISP in question had not bothered to even attempt to filter the 92 byte ICMP echo requests coming from the Internet into their own network.

    Most pings are not 92 bytes exactly. The pings this virus sends out are 92 bytes with a payload of 'AA' repeated to pad it out to 92 bytes.

    Your mileage may vary, though, as I have several thousands of dollars monthly worth of leverage.

    --
    Sig??? I don't need no stinkin Sig!
  23. filters by Anonymous Coward · · Score: 0

    not setting up filters when you are an ISP or even have a big physical network (pass-thru) is plain stupid. if they have the bandwidth they can not care, but imagine traffic leaving the country, say from usa to japan. this physical line is very precious and if zombies in either country can saturate the bandwidth with useless traffic, users in both countries get f#cked.
    of course maybe the ISP purposely doesn't filter the junk data so the internet feels "slow" and some decide to "upgrade" their ADSL or something only to find out that sites hosted in a foreign country are still slow ;)

    I wonder why in times of war bridges become so valuable ...

  24. confusing ? you're not really trying by DrSkwid · · Score: 1

    try :

    http://ww.domain.com

    http:/wwww.domain.com

    http://uuuuuu.domain.com

    http://wuuw.domain.com

    http://vwv.domain.com

    http://w.w.w.domain.com

    http://http.domain.com

    http://ftp.domain.com

    http://domain.domain.com

    http://web.domain.com

    http://www.domain.domain.com

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:confusing ? you're not really trying by Zork+the+Almighty · · Score: 1

      Come on you missed the best one :
      http://vvvvvv.domain.com

      --

      In Soviet America the banks rob you!
    2. Re:confusing ? you're not really trying by DrSkwid · · Score: 1

      well, I had to leave room for a reply.

      I prefer uuuuuu because it is double u double u double u

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    3. Re:confusing ? you're not really trying by Ackmo · · Score: 1
      I just tried:

      http://wvwvwvwvwvwvwv.wvwvwvwvwvw.wvwvwwv.com

      but the Internet told me that there was no web site at that address. I was kind of sad, but at the bottom of my screen, the Internet showed me a bunch of links to some Gambling, Small Business, and Home and Garden stuff that I can buy and I wasn't sad any more. Golly gee, I like this Internet thing. It's way cool!

    4. Re:confusing ? you're not really trying by Anonymous Coward · · Score: 0

      How about meow.slashdot.purr?

    5. Re:confusing ? you're not really trying by Drantin · · Score: 1

      Heh.. it works now thanks to verisign....

      http://wvwvwvwvwvwvwv.wvwvwvwvwvw.wvwvwwv.com

      --
      Actio personalis moritur cum persona. (Dead men don't sue)
  25. s/things working/things not working/ by torpor · · Score: 1

    etc.

    Apologies for my recently germanified english ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  26. not just icmp by jamesh · · Score: 1

    The company I work for hosts 20ish web sites, and has 2 class C address ranges. If your server responds to the icmp packet, you then get hit with a 4k web request. _This_ is what pushed our usage way up.

    Once we blocked the icmp probes, the web requests stopped, and our usage went down to something resembling sensible. The icmp probes are all 92 bytes in length, so they're easy enough to block if you have a decent router (ours is a linux pc). Before I knew about the icmp probes, I was blocking the worms' http requests - obviously couldn't block the first packet but it still reduced the incoming data by about a third.

    Our isp waived the charges based on what we agreed was a reasonable estimate of traffic volume caused by the worm(s).
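
    Added example, not code from jamesh's or freebase's posts: both describe the same fingerprint (an ICMP echo request of exactly 92 bytes, the data filled with 0xAA), and the Python below checks raw IPv4 packet bytes against it, the kind of thing you would run over a pcap or a firewall's packet log to produce the per-source counts the ISP or abuse desk is asked for. The packet builder exists only to construct test input (addresses are documentation ranges, chosen here); nothing is sent.

```python
"""Added example: classifier for the 92-byte ICMP echo request with an
all-0xAA payload described in the posts above, operating on raw IPv4 packet
bytes (for example from a pcap or a firewall's packet log). The packet builder
exists only to construct test input; no packets are sent."""
import struct
from typing import Dict, Iterable

IPV4_HEADER_LEN = 20
ICMP_HEADER_LEN = 8
ICMP_ECHO_REQUEST = 8
PROTO_ICMP = 1
WORM_TOTAL_LEN = 92  # 20 (IPv4 header) + 8 (ICMP header) + 64 (data)
WORM_PAYLOAD = b"\xaa" * (WORM_TOTAL_LEN - IPV4_HEADER_LEN - ICMP_HEADER_LEN)
IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed IPv4 + ICMP echo request for testing (IP checksum left 0)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload
    ip = struct.pack(IPV4_HDR, 0x45, 0, IPV4_HEADER_LEN + len(icmp), 0, 0, 64, PROTO_ICMP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + icmp


def is_welchia_probe(packet: bytes) -> bool:
    """True for an IPv4 ICMP echo request of total length 92 whose data is
    64 bytes of 0xAA, the probe pattern the posts describe."""
    if len(packet) < IPV4_HEADER_LEN:
        return False
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack(
        IPV4_HDR, packet[:IPV4_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != PROTO_ICMP or total_len != WORM_TOTAL_LEN or len(packet) < total_len:
        return False
    icmp = packet[ihl:total_len]
    if len(icmp) < ICMP_HEADER_LEN or icmp[0] != ICMP_ECHO_REQUEST:
        return False
    return icmp[ICMP_HEADER_LEN:] == WORM_PAYLOAD


def count_probes_by_source(packets: Iterable[bytes]) -> Dict[str, int]:
    """Matching probes per source address: the list to hand to the ISP or
    abuse desk alongside the bandwidth figures."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        if is_welchia_probe(pkt):
            src = ".".join(str(b) for b in pkt[12:16])
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample traffic: two worm-style probes from one host, one from
# another, and an ordinary 56-data-byte ping (84 bytes total) that must not match.
SAMPLE_PACKETS = [
    build_echo_request("198.51.100.7", "192.0.2.10", WORM_PAYLOAD),
    build_echo_request("198.51.100.7", "192.0.2.10", WORM_PAYLOAD, seq=2),
    build_echo_request("198.51.100.9", "192.0.2.10", WORM_PAYLOAD),
    build_echo_request("203.0.113.5", "192.0.2.10", bytes(range(56))),
]

if __name__ == "__main__":
    for src, n in sorted(count_probes_by_source(SAMPLE_PACKETS).items()):
        print(f"{src}: {n} probe(s)")
```

    Matching on length alone (as a router ACL would) catches the same packets but also any legitimate ping that happens to carry 64 data bytes; checking the 0xAA fill is what makes the match specific, which matters if the counts are going to be used to dispute a bill.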

  27. No connection by Mumbui · · Score: 1

    I came across this article as I was searching for answers to my connection. Within the last three weeks I have been having problems connecting and I have talked to my ISP about the problem. They have sent someone twice to check my network and they always say it's fine. Now the funny thing is it works for a few minutes or hours and then it's gone for a long time. When I talk to the ISP I'm told that I'm giving them funny talk as the traffic on my network seems very busy. While they say it's very busy, I can't even open a page on my side. Could this have something to do with those viruses? I have scanned for the viruses and even patched the software on Win 2000 computers. Funny though, very early mornings and evenings my connection is okay. Any help????? Anybody???

  28. Averaging 13 - 14 MB per day by complete+loony · · Score: 1

    We've got about 64 IP addresses (it was 2x class C's, but we've unrouted most addresses to reduce the cost). This worm is generating on average 13-14 MB per day. Again, since I live in Australia, any excess usage is charged at .15c per MB, $2 a day or $60 per month.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  29. you're missing the point by manifest37 · · Score: 1

    His FIREWALL is being bombarded with the traffic. Monitoring has nothing to do with this. He's blocking ICMP requests and throwing them away. His ISP on the other hand is charging for all bandwidth used even though this is unwanted traffic. If it is the ISP's policy to charge no matter what, he is screwed; otherwise, if they don't, he might have a chance to get them to disregard that used bandwidth.