Noticed Welchie/Nachi in Your Bandwidth Bill, Yet?

Pinkboard Panther asks: "I have recently received my bill for Internet usage for last month and discovered it is 4 times higher than expected. Since there had been no increase in usage of the sites I run I had to search elsewhere for the exorbitant increase. Eventually I tracked it down to my firewall being bombarded with 20,000 ICMP Echo requests a minute from many different IP addresses. This adds up to $A10 per hour or $A240 a day. I still need to battle with my ISP over whether I should be paying for this. It seems that the Welchie/Nachi worm sends out pings to find what machines are out there before it moves onto deeper probes. I can't believe that I am the only site out there which is being attacked in this way. There must be lots of other sites out there who are affected this way. Maybe they just haven't received their bills, yet?"

Use NetFlow to prove it was Nachi traffic.

[Mordant]

See these links for more info.

Re:Use NetFlow to prove it was Nachi traffic.

[Mordant]

And here's one more.

Yup... more info here

[Anonymous+Cowdog]

I've been asking around about this, and it's amazing how many people are just brushing it off as nothing. It is a serious issue for IP addresses that are being hit.

Here are some more posts on the topic, elsewhere. Note how some people just say "Oh, you are getting hits! Hits are good, no?".

http://www.webmasterworld.com/forum39/1435.htm

http://lists.jammed.com/incidents/2003/08/0369.htm l

http://www.derkeiler.com/Mailing-Lists/linuxsecuri ty/2003-08/0002.html

The blocking rules people suggest (see page five of the first link) don't work at my site, for some reason. Maybe it's because I only have access to .htaccess, not my own httpd.conf.

20 cents a meg, anyone..?

[zcat_NZ]

Yep, that's what full-rate ADSL customers pay for traffic in New Zealand, once they get past their pitiful 500M monthly allowance.

"I run linux.. I'm not affected by Windows worms and viruses" - Yeah, you wish..!

nachi

[graf0z]

According to this analysis, a simple packetsniffer (like tcpdump) should reveal if it's nachi: if its echo-request storm detects a living IP, a MS RPC DCOM exploit follows (eg on ports 135 or 445).

/graf0z.

Black Ice

[Vaevictis666]

I don't know if things have changed since I looked at it last, but the latest version of Black Ice Defender was a port monitor, not a firewall.

The difference is that a real firewall (Like Zone Alarm or Sygate (free is down at the bottom)) will block the traffic, prompt you to allow/disallow it, and then follow instructions.

Black Ice, on the other hand, will simply watch ports, log traffic, and when someone tries to access your RPC port or whatnot, it simply sets a flag "Serious Error - Someone Hacking" and starts blinking in the system tray. No real response, no ability to block it in the future, just simple monitoring.

In other words, it's a complete waste of CPU cycles from a security standpoint, and if you're using it for traffic monitoring you'd be better served with Ethereal.

Re:Black Ice

[prostoalex]

That would be Tools->Edit BlackICE Settings, then Firewall tab and level of protection (Paranoid, Nervous, Cautious, Trusting). Defaults to Trusting :-)

Re:And you didn't notice this before, because?

[Door-opening+Fascist]

We use Cricket to monitor the bandwidth usage on our T1s. Take a look at our PacketShaper reports. You can also look at the root of the server to see the other stuff that can be monitored.

Over in CS, we use Ganglia to monitor the network usage coming out of each individual machine.