Noticed Welchie/Nachi in Your Bandwidth Bill, Yet?

Pinkboard Panther asks: "I have recently received my bill for Internet usage for last month and discovered it is 4 times higher than expected. Since there had been no increase in usage of the sites I run I had to search elsewhere for the exorbitant increase. Eventually I tracked it down to my firewall being bombarded with 20,000 ICMP Echo requests a minute from many different IP addresses. This adds up to $A10 per hour or $A240 a day. I still need to battle with my ISP over whether I should be paying for this. It seems that the Welchie/Nachi worm sends out pings to find what machines are out there before it moves onto deeper probes. I can't believe that I am the only site out there which is being attacked in this way. There must be lots of other sites out there who are affected this way. Maybe they just haven't received their bills, yet?"

Use NetFlow to prove it was Nachi traffic.

[Mordant]

See these links for more info.

Re:Use NetFlow to prove it was Nachi traffic.

[Mordant]

And here's one more.

Standing class action law suit

[m0smithslash]

We were just commenting today on how there should be a standing class action law suit against Microsoft. We could not think of a real reason, be you seem to have one here. The loss of business and revenue, whether from your pocket or your ISP's pocket, mulitplied acorss many ISPs seems like a case to me

My ISP is having almost continual problems being flooded with random worm noise.

Re:Standing class action law suit

[Anonvmous+Coward]

"We were just commenting today on how there should be a standing class action law suit against Microsoft. We could not think of a real reason, be you seem to have one here. The loss of business and revenue, whether from your pocket or your ISP's pocket, mulitplied acorss many ISPs seems like a case to me "

Ugh. It's funny how morals here perform a complete 180 when there's an opportunity to get Microsoft into trouble.

Here's the simple fact: Microsoft didn't write the worm.

Now you can make the argument if you like that Microsoft was negligent. Just remember, that if you follow that logic, then Linux could find itself liable down the road. Some jackass comes up with an exploit, it causes trouble, and the Linux community is punished for it. Do you really want that?

I have other issues with this line of reasoning. If I walk into a hospital with a cellular phone and intentionally use it to jam equipment there, should Nokia be sued for it? What about the company who made the equipment? Considering that the disruption was caused malisciously (sp?), then the finger needs to be pointed at me.

I would strongly urge the Slashdot Community to be very careful about what you wish for, especially when it concerns punishment for Microsoft. It's fun to hate them and all, but the consequences they recieve could wind up biting you in the butt. Eolas comes to mind...

Re:Standing class action law suit

[torpor]

Now you can make the argument if you like that Microsoft was negligent. Just remember, that if you follow that logic, then Linux could find itself liable down the road. Some jackass comes up with an exploit, it causes trouble, and the Linux community is punished for it. Do you really want that?

Yes.

That would be fair. And, nevertheless, it would at least level the playing field in the new marketing dominion for the 21st century: responsibility.

People are sick and tired of things working 'just becase of a bug', and fundamentally - at least at the level of applications that are being written today - there's no really good reason for it. The technology and mindset required to prevent these sorts of wastes of computing resources existed in the 70's.

What the 'personal computer revolution' camp- you know, the one around the big Microsoft circus tents, crammed full of dopes- often seem to forget is that this 'virus' situation is truly a problem of the *Design* of the system. In other words, Windows allows and *provides a loyal service for* anyone who wants to create an environment in which processes can be run, globally, on everyones computer, unchecked.

Its not like they couldn't have done per-user application security at the filesystem level, say, in Windows95. Hell, Linux/*BSD/*etc. had it then. They could have done it, and enforced it by making it *default* setup. Hell, they could even have done ACL in Win95, for network services... thus preventing a legion of Visual Basic worms that used to make the rounds from shareware bonanza bbs's in the days before ftp ... but ... noooo ... they chanted the 'developer' mantra and used that as a justification to not ... quite ... make ... so ... much progress out of the Windows 3.1/9x/NT/2000/XP/Me/LH upgrade cashcow...

In my opinion, it can be demonstrated fairly clearly that through negligence on Microsofts' part - and their boneheaded desire to 'control^H^H^H^H^H^H^Hservice the entire market at all costs' - they have managed to deliver a product so faulty that it regularly, frequently, is a source of massive productivity loss.

Computer Viruses are so 80's. By now, 2003, we should not be having these problems with our computers.

(Some of us, actually, don't. I haven't had a single problem with a virus infection on my personal computing systems since, I guess it was the early days of DOS 3.1 ... which was the last time I ever attempted to use a Microsoft product in a production scenario.)

Re:Standing class action law suit

[thogard]

Microsoft made bad software and they will get sued for it. This flaw isn't a direct flaw (read Naders Unsafe at Any Speed about the Corvair) but an indirect flaw (Pintos that went boom after being hit). There are two different classes of product irresponsibility and MS is clearly guilty because they didn't do everything in their power to stop this problem and it lead to direct financial damages to others. They are going to get sued and they will not win.

In Australia, the big problem was the excessive abouts people ended up paying when their links went full thottle and the ISP is clicking away at $.20/megabyte. That is a result of giving Telstra too much power and clueless mangment of the entire telcom regulations and that is mostly Sen Alston's fault. What I think would be interesting is get enough people for a class action aginst MS and tell them you won't sue if they get Alston out of his current job. I'm not sure what would happen, but it would be fun to watch from the sidelines.

Yup... more info here

[Anonymous+Cowdog]

I've been asking around about this, and it's amazing how many people are just brushing it off as nothing. It is a serious issue for IP addresses that are being hit.

Here are some more posts on the topic, elsewhere. Note how some people just say "Oh, you are getting hits! Hits are good, no?".

http://www.webmasterworld.com/forum39/1435.htm

http://lists.jammed.com/incidents/2003/08/0369.htm l

http://www.derkeiler.com/Mailing-Lists/linuxsecuri ty/2003-08/0002.html

The blocking rules people suggest (see page five of the first link) don't work at my site, for some reason. Maybe it's because I only have access to .htaccess, not my own httpd.conf.

hmm interesting...

[josepha48]

you get charged case someone else uses up your bandwidth by a worm... Well I'd threaten to sue, and then sue, but I think someone else here mentioned there is a class action lawsuit about this.

However they probably just see the ping using up your bandwidth and that is what they are looking at. I'd probably start loging all IP addresses that are pinging your server and then go after all these users. After all they are infected with this worm and until people who get on the internet start being responsible for keeping their machines firewalled, updates and locked down as much as possible from hackers these things will continue. Most of the MS worms could be prevented if people used zone alarm or black ice or another firewall product. Also most of the Linux and bsd exploits could be avoided if they setup firewalls and update their systems and kept on top of security.

No it is not your fault, so go after those who are using up YOUR bandwidth and sue them and make them pay. It is their irresponsibility and stupidity that are causing these problems.

20 cents a meg, anyone..?

[zcat_NZ]

Yep, that's what full-rate ADSL customers pay for traffic in New Zealand, once they get past their pitiful 500M monthly allowance.

"I run linux.. I'm not affected by Windows worms and viruses" - Yeah, you wish..!

Re:20 cents a meg, anyone..?

[thogard]

They claim its becasue of the huge costs of running the underseas cables. In NZ that doesn't explain the .02/mb for NZ traffic over the 500m. All the compaines that run underseas cables have been replacing their transponders to reduce their expenses. If they put in new transponders they can go up to 150km between them where the old ones were needed ever 20km. When they upgrade the transponders they get a gain out of the fiber in the order of 1000x or even more. There was already a glut of bandwidth between the US, NZ and Aus before the upgrades started. Tyco also appears to be putting down a new cable from Guam.

I've been working on starting a WISP in both NZ and AUS and its be an interesting situation. My base station for a kiwi town is stuck in customs in Australia. Australia requires a $10,000/yr telecomuniations license if you sell network services but for that you get the rights to dig holes anyplace you want.

In some areas I could provide a typical home users 10 gig/mo of broadband for a cost of about $18/mo. That includes the upstream pipes but not their radio, installation, tech support or the stupid telecom license.

NZ has a bit of a problem with their phone switches in that they used a model that isn't used anywhere else in the world. That chould cause some price increase over other systems but since they use the same phones as the rest of the world, it can't be that bad.

nachi

[graf0z]

According to this analysis, a simple packetsniffer (like tcpdump) should reveal if it's nachi: if its echo-request storm detects a living IP, a MS RPC DCOM exploit follows (eg on ports 135 or 445).

/graf0z.

Black Ice

[Vaevictis666]

I don't know if things have changed since I looked at it last, but the latest version of Black Ice Defender was a port monitor, not a firewall.

The difference is that a real firewall (Like Zone Alarm or Sygate (free is down at the bottom)) will block the traffic, prompt you to allow/disallow it, and then follow instructions.

Black Ice, on the other hand, will simply watch ports, log traffic, and when someone tries to access your RPC port or whatnot, it simply sets a flag "Serious Error - Someone Hacking" and starts blinking in the system tray. No real response, no ability to block it in the future, just simple monitoring.

In other words, it's a complete waste of CPU cycles from a security standpoint, and if you're using it for traffic monitoring you'd be better served with Ethereal.

Re:Black Ice

[Xenophon+Fenderson,]

Maybe we were looking at different products. IIRC, BlackICE Defender had firewall functionality. The new version, now named RealSecure Desktop, shares IDS signatures with other RealSecure products and can do the whole "active response" thing, including blocking packets, sending TCP RSTs, etc. If you use the enterprise version, it is administered centrally using the ISS SiteProtector console software (which is why we're looking at it at $ORK).

In fact, I seem to recall being impressed with its application-specific firewalling over-and-above Zone Alarm Pro. But I've slept since then, and could be misremembering something.

Re:Black Ice

[prostoalex]

That would be Tools->Edit BlackICE Settings, then Firewall tab and level of protection (Paranoid, Nervous, Cautious, Trusting). Defaults to Trusting :-)

rate limiting may indeed help (a bit)

[graf0z]

In times of dDoS and flooding worms, ISPs should offer rate limiting initial packets to their customers, eg. by forcing rules like "max. N tcp/SYN or ICMP echo-request per IP per second"

(Linux/netfilter example:

iptables -A FORWARD -d $IP -j ACCEPT -p tcp --syn -m limit --limit 10/s --limit-burst 20

iptables -A FORWARD -d $IP -j DROP -p tcp --syn

iptables -A FORWARD -d $IP -j ACCEPT -p icmp --icmp-type echo-request -m limit --limit 10/s --limit-burst 20

iptables -A FORWARD -d $IP -j DROP -p icmp --icmp-type echo-request )

Would not really help, but lower the impact.

/graf0z.

Continuously flickering activity light

[cyberman11]

My router WAN activity light and modem activity light and are continuously flickering, even when no computers on my LAN are turned on. I tried replacing my Linksys BEFSR41 router with a Belkin F5D5231-4 router, and switching from a DSL modem to a cable modem but the new lights flicker just as much as the old ones. Since my computer is powered off, the continuous activity must be coming from the internet. I guess either hackers or worms.

Re:Continuously flickering activity light

[Bitsy+Boffin]

More likely broadcast ARP requests ("give me hardware address for xxx.xxx.xxx.xxx"), the more machines on your section of the network, the more "background" traffic of this type you'll see.

And you didn't notice this before, because?

[Zocalo]

Maybe they just haven't received their bills, yet?"

This is going to sound harsh, but maybe they actually *look* at their logs and traffic graphs with a little more frequency than you imply that you do, noticed something was amiss and put the onus on the ISP to block it? You quadrupled your bandwidth for the month - that's one *serious* anomaly whether it's steady noise or intermittant spikes, and as such should have been red-flagged no later than day two, and that's assuming you only get a daily email from a cron. With this data you could have requested your ISP filter the traffic upstream, and made a fair claim against paying the already incurred traffic and an insistance against future traffic.

I'd think long and hard about going to court with this, because there is a pretty good chance that the ISP's lawyers are going to bring this up. If they do, then your companies' technical competence is likely to be brought into question in a big way, and in a public forum too. You might be better off writing this off as experience, setting up some better monitoring tools and moving on.

Of course, you might have some mitigating circumstances, such as... Well, actually, I can't think of any technical reasons why you couldn't spot this kind of traffic, is there one?

Re:And you didn't notice this before, because?

[DaveJay]

I can think of one good reason -- although it's a reason that applies to me, not the person who posted the article.

Here's the reason: I don't know how to do it.

Okay, granted, it's not a GOOD reason. The thing is, I have a webstats monitor to check my WWW bandwidth, but I don't know how to check my OVERALL bandwidth. Good thing my ISP doesn't charge by the k. :)

Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic.

As an example, I'm running e-smith 5.5 on my home server. How would I monitor ALL my bandwidth? Not a step-by-step howto, mind you, just a "here's a great site" or "here's a good product" would help.

Thanks in advance.

Re:And you didn't notice this before, because?

[Zocalo]

Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic.

It is in the context of the poster - (s)he has a firewall and appears to be running a web hosting company. You on the otherhand appear to be a home user, so you may not have as much latitude depending on your ISP and how much control you have over how you get online.

The first place to start is your router, since all traffic must pass through it, or a dedicated firewall immediately behind it. The simplest way to acquire traffic stats is with SNMP using a tool like MRTG which is how I do it. If you have no control over the router, then you might be able to get the same figures off the port on your switch that it connects to. I say might, because this assumes that you have a switch (likely these days) and that it supports SNMP (not quite as likely).

Falling back further; no central point of ingress/egress you can monitor and a non-managed switch/hub... OK, we need to look at the traffic on the host NICs directly, on a per host basis. That means a bandwith monitoring and logging tool; any software site will have loads (search on "bandwidth and log") and most host based firewalls can provide this information for you as well.

Re:And you didn't notice this before, because?

[Door-opening+Fascist]

We use Cricket to monitor the bandwidth usage on our T1s. Take a look at our PacketShaper reports. You can also look at the root of the server to see the other stuff that can be monitored.

Over in CS, we use Ganglia to monitor the network usage coming out of each individual machine.

First off

I would ask my ISP to stop charging me in hex.

Downstream firewalls won't help much

[BladeMelbourne]

Downstream firewalls won't help much. The traffic will still travel through the cable/wires to your computer, it's just that the packets get ignored. These dropped packets still count towards your bandwidth limit/charge.

Something would need to be done further upstream, at say the ISP. A web frontend to iptables would not be too hard to create, however it would be difficult/repetitive for dialup users who get disconnected after a handful of hours.

Using Windows 98 on a 4 hour dialup modem connection, the number of times I ran netstat and discovered foreign machines connected to port 135 was astounding - even when there were no file shares available. Whenever I had SQL Server 2000 SP3 running, within 30 minutes my modem lights would blink like crazy, until I temporarily stopped the DB service.

Now I run Linux with iptables blocking all ports except 80 (Apache) and 81 (IIS-4). No attacks can get to my Win98 VMWare Workstation.

You can test what ports are open/closed/stealth at this URL: https://grc.com/x/ne.dll?bh0bkyd2

But this wouldn't solve Pinkboard Panther's problem - some blocks would need to be implmented further up-stream.

Mike

Due Diligence on the part of the ISP

[freebase]

I don't know how things work in your neck of the woods, but here all I had to do was threaten to take my business to another provider because the ISP in question had not bothered to even attempt to filter the 92 byte ICMP echo requests coming from the Internet into their own network.

Most pings are not 92 bytes exactly. The pings this virus sends out are 92 bytes with a payload of 'AA' repeated to pad it out to 92 bytes.

You mileage may vary, though, as I have several thousands of dollars monthly worth of leverage.