Slashdot Mirror


Noticed Welchia/Nachi in Your Bandwidth Bill, Yet?

Pinkboard Panther asks: "I have recently received my bill for Internet usage for last month and discovered it is 4 times higher than expected. Since there had been no increase in usage of the sites I run I had to search elsewhere for the exorbitant increase. Eventually I tracked it down to my firewall being bombarded with 20,000 ICMP Echo requests a minute from many different IP addresses. This adds up to $A10 per hour or $A240 a day. I still need to battle with my ISP over whether I should be paying for this. It seems that the Welchia/Nachi worm sends out pings to find what machines are out there before it moves onto deeper probes. I can't believe that I am the only site out there which is being attacked in this way. There must be lots of other sites out there who are affected this way. Maybe they just haven't received their bills, yet?"

11 of 94 comments

  1. Standing class action law suit by m0smithslash · · Score: 3, Interesting
    We were just commenting today on how there should be a standing class action law suit against Microsoft. We could not think of a real reason, but you seem to have one here. The loss of business and revenue, whether from your pocket or your ISP's pocket, multiplied across many ISPs seems like a case to me.

    My ISP is having almost continual problems being flooded with random worm noise.

    --
    Your friend and well-wisher
    m0smithslash
    http://www.ferociousflirting.com
    1. Re:Standing class action law suit by Anonymous Coward · · Score: 1, Interesting

      A better solution would be to put the blame (and the cost) on those who directly cause the inconvenience. If the users of infected machines are hit where it hurts most, they will look for better solutions, at which point you get what you want: Safer systems through the magic of market economy. I think inbound traffic should be free. Only outbound traffic is under the customer's control. Don't want to pay for pings? Don't answer them. This way, all traffic is paid for once, not twice like now btw.

    2. Re:Standing class action law suit by thogard · · Score: 2, Interesting

      Microsoft made bad software and they will get sued for it. This flaw isn't a direct flaw (read Nader's Unsafe at Any Speed about the Corvair) but an indirect flaw (Pintos that went boom after being hit). There are two different classes of product irresponsibility and MS is clearly guilty because they didn't do everything in their power to stop this problem and it led to direct financial damages to others. They are going to get sued and they will not win.

      In Australia, the big problem was the excessive amounts people ended up paying when their links went full throttle and the ISP is clicking away at $.20/megabyte. That is a result of giving Telstra too much power and clueless management of the entire telecom regulations and that is mostly Sen Alston's fault. What I think would be interesting is to get enough people for a class action against MS and tell them you won't sue if they get Alston out of his current job. I'm not sure what would happen, but it would be fun to watch from the sidelines.

  2. rate limiting may indeed help (a bit) by graf0z · · Score: 2, Interesting
    In times of DDoS and flooding worms, ISPs should offer rate limiting initial packets to their customers, e.g. by forcing rules like "max. N tcp/SYN or ICMP echo-request per IP per second"

    (Linux/netfilter example:

    iptables -A FORWARD -d $IP -j ACCEPT -p tcp --syn -m limit --limit 10/s --limit-burst 20

    iptables -A FORWARD -d $IP -j DROP -p tcp --syn

    iptables -A FORWARD -d $IP -j ACCEPT -p icmp --icmp-type echo-request -m limit --limit 10/s --limit-burst 20

    iptables -A FORWARD -d $IP -j DROP -p icmp --icmp-type echo-request )

    Would not really help, but lower the impact.

    /graf0z.

  3. Continuously flickering activity light by cyberman11 · · Score: 3, Interesting

    My router WAN activity light and modem activity light are continuously flickering, even when no computers on my LAN are turned on. I tried replacing my Linksys BEFSR41 router with a Belkin F5D5231-4 router, and switching from a DSL modem to a cable modem but the new lights flicker just as much as the old ones. Since my computer is powered off, the continuous activity must be coming from the internet. I guess either hackers or worms.

    1. Re:Continuously flickering activity light by Bitsy+Boffin · · Score: 2, Interesting

      More likely broadcast ARP requests ("give me hardware address for xxx.xxx.xxx.xxx"), the more machines on your section of the network, the more "background" traffic of this type you'll see.

      --
      NZ Electronics Enthusiasts: Check out my Trade Me Listings
  4. And you didn't notice this before, because? by Zocalo · · Score: 2, Interesting
    "Maybe they just haven't received their bills, yet?"

    This is going to sound harsh, but maybe they actually *look* at their logs and traffic graphs with a little more frequency than you imply that you do, noticed something was amiss and put the onus on the ISP to block it? You quadrupled your bandwidth for the month - that's one *serious* anomaly whether it's steady noise or intermittent spikes, and as such should have been red-flagged no later than day two, and that's assuming you only get a daily email from a cron. With this data you could have requested your ISP filter the traffic upstream, and made a fair claim against paying the already incurred traffic and an insistence against future traffic.

    I'd think long and hard about going to court with this, because there is a pretty good chance that the ISP's lawyers are going to bring this up. If they do, then your company's technical competence is likely to be brought into question in a big way, and in a public forum too. You might be better off writing this off as experience, setting up some better monitoring tools and moving on.

    Of course, you might have some mitigating circumstances, such as... Well, actually, I can't think of any technical reasons why you couldn't spot this kind of traffic, is there one?

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:And you didn't notice this before, because? by DaveJay · · Score: 3, Interesting

      I can think of one good reason -- although it's a reason that applies to me, not the person who posted the article.

      Here's the reason: I don't know how to do it.

      Okay, granted, it's not a GOOD reason. The thing is, I have a webstats monitor to check my WWW bandwidth, but I don't know how to check my OVERALL bandwidth. Good thing my ISP doesn't charge by the k. :)

      Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic.

      As an example, I'm running e-smith 5.5 on my home server. How would I monitor ALL my bandwidth? Not a step-by-step howto, mind you, just a "here's a great site" or "here's a good product" would help.

      Thanks in advance.

    2. Re:And you didn't notice this before, because? by Zocalo · · Score: 3, Interesting
      "Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic."

      It is in the context of the poster - (s)he has a firewall and appears to be running a web hosting company. You on the other hand appear to be a home user, so you may not have as much latitude depending on your ISP and how much control you have over how you get online.

      The first place to start is your router, since all traffic must pass through it, or a dedicated firewall immediately behind it. The simplest way to acquire traffic stats is with SNMP using a tool like MRTG which is how I do it. If you have no control over the router, then you might be able to get the same figures off the port on your switch that it connects to. I say might, because this assumes that you have a switch (likely these days) and that it supports SNMP (not quite as likely).

      Falling back further; no central point of ingress/egress you can monitor and a non-managed switch/hub... OK, we need to look at the traffic on the host NICs directly, on a per host basis. That means a bandwidth monitoring and logging tool; any software site will have loads (search on "bandwidth and log") and most host based firewalls can provide this information for you as well.

      --
      UNIX? They're not even circumcised! Savages!
  5. Due Diligence on the part of the ISP by freebase · · Score: 2, Interesting

    I don't know how things work in your neck of the woods, but here all I had to do was threaten to take my business to another provider because the ISP in question had not bothered to even attempt to filter the 92 byte ICMP echo requests coming from the Internet into their own network.

    Most pings are not 92 bytes exactly. The pings this virus sends out are 92 bytes with a payload of 'AA' repeated to pad it out to 92 bytes.

    Your mileage may vary, though, as I have several thousands of dollars monthly worth of leverage.

    --
    Sig??? I don't need no stinkin Sig!
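
An added example, not part of any poster's comment: detection logic for the probe freebase describes, run over constructed packets rather than a capture. It assumes "92 bytes" means the IPv4 total length and that 'AA' means the byte value 0xAA; the function names and sample addresses are hypothetical.

```python
import struct

ICMP_PROTO = 1
ECHO_REQUEST = 8
SIG_TOTAL_LEN = 92   # assumption: "92 bytes" is the IPv4 total length
SIG_FILL = 0xAA      # assumption: 'AA' is the byte value 0xAA

def build_echo(src, payload):
    """Build a constructed IPv4 + ICMP echo request (checksums left at 0)."""
    icmp = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0, bytes(map(int, src.split("."))),
                     bytes([192, 0, 2, 1]))
    return ip + icmp

def classify(packet):
    """Return (src, matches_signature) for an ICMP echo request, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != ICMP_PROTO or total_len > len(packet):
        return None
    if total_len < ihl + 8 or packet[ihl] != ECHO_REQUEST:
        return None
    payload = packet[ihl + 8:total_len]
    src = ".".join(str(b) for b in packet[12:16])
    match = (total_len == SIG_TOTAL_LEN and len(payload) > 0
             and all(b == SIG_FILL for b in payload))
    return src, match

def summarize(packets):
    """Count matching probes, distinct sources, and the bytes they used."""
    sources, hits = set(), 0
    for pkt in packets:
        result = classify(pkt)
        if result and result[1]:
            hits += 1
            sources.add(result[0])
    return {"probes": hits, "sources": len(sources),
            "bytes": hits * SIG_TOTAL_LEN}

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    build_echo("198.51.100.7", b"\xaa" * 64),     # 20 + 8 + 64 = 92, matches
    build_echo("203.0.113.9", b"\xaa" * 64),      # matches, second source
    build_echo("198.51.100.7", b"\xaa" * 64),     # repeat from first source
    build_echo("203.0.113.20", b"abcdefgh" * 8),  # 92 bytes, ordinary payload
    build_echo("203.0.113.21", b"\xaa" * 56),     # right fill, wrong length
]
```

Counting only packets that match both the length and the fill keeps ordinary pings of the same size out of the tally a customer would take to their ISP.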
  6. Re:20 cents a meg, anyone..? by thogard · · Score: 2, Interesting

    They claim it's because of the huge costs of running the underseas cables. In NZ that doesn't explain the .02/mb for NZ traffic over the 500m. All the companies that run underseas cables have been replacing their transponders to reduce their expenses. If they put in new transponders they can go up to 150km between them where the old ones were needed every 20km. When they upgrade the transponders they get a gain out of the fiber in the order of 1000x or even more. There was already a glut of bandwidth between the US, NZ and Aus before the upgrades started. Tyco also appears to be putting down a new cable from Guam.

    I've been working on starting a WISP in both NZ and AUS and it's been an interesting situation. My base station for a kiwi town is stuck in customs in Australia. Australia requires a $10,000/yr telecommunications license if you sell network services but for that you get the rights to dig holes anyplace you want.

    In some areas I could provide a typical home users 10 gig/mo of broadband for a cost of about $18/mo. That includes the upstream pipes but not their radio, installation, tech support or the stupid telecom license.

    NZ has a bit of a problem with their phone switches in that they used a model that isn't used anywhere else in the world. That could cause some price increase over other systems but since they use the same phones as the rest of the world, it can't be that bad.