Slashdot Mirror


Noticed Welchie/Nachi in Your Bandwidth Bill, Yet?

Pinkboard Panther asks: "I have recently received my bill for Internet usage for last month and discovered it is 4 times higher than expected. Since there had been no increase in usage of the sites I run I had to search elsewhere for the exorbitant increase. Eventually I tracked it down to my firewall being bombarded with 20,000 ICMP Echo requests a minute from many different IP addresses. This adds up to $A10 per hour or $A240 a day. I still need to battle with my ISP over whether I should be paying for this. It seems that the Welchie/Nachi worm sends out pings to find what machines are out there before it moves onto deeper probes. I can't believe that I am the only site out there which is being attacked in this way. There must be lots of other sites out there who are affected this way. Maybe they just haven't received their bills, yet?"

  1. Use NetFlow to prove it was Nachi traffic. by Mordant · · Score: 4, Informative

    See these links for more info.

    1. Re:Use NetFlow to prove it was Nachi traffic. by Mordant · · Score: 3, Informative

      And here's one more.

  2. Standing class action law suit by m0smithslash · · Score: 3, Interesting
    We were just commenting today on how there should be a standing class action law suit against Microsoft. We could not think of a real reason, but you seem to have one here. The loss of business and revenue, whether from your pocket or your ISP's pocket, multiplied across many ISPs seems like a case to me.

    My ISP is having almost continual problems being flooded with random worm noise.

    --
    Your friend and well-wisher
    m0smithslash
    http://www.ferociousflirting.com
    1. Re:Standing class action law suit by Anonvmous+Coward · · Score: 4, Insightful

      "We were just commenting today on how there should be a standing class action law suit against Microsoft. We could not think of a real reason, but you seem to have one here. The loss of business and revenue, whether from your pocket or your ISP's pocket, multiplied across many ISPs seems like a case to me."

      Ugh. It's funny how morals here perform a complete 180 when there's an opportunity to get Microsoft into trouble.

      Here's the simple fact: Microsoft didn't write the worm.

      Now you can make the argument if you like that Microsoft was negligent. Just remember, that if you follow that logic, then Linux could find itself liable down the road. Some jackass comes up with an exploit, it causes trouble, and the Linux community is punished for it. Do you really want that?

      I have other issues with this line of reasoning. If I walk into a hospital with a cellular phone and intentionally use it to jam equipment there, should Nokia be sued for it? What about the company who made the equipment? Considering that the disruption was caused malisciously (sp?), then the finger needs to be pointed at me.

      I would strongly urge the Slashdot Community to be very careful about what you wish for, especially when it concerns punishment for Microsoft. It's fun to hate them and all, but the consequences they receive could wind up biting you in the butt. Eolas comes to mind...

    2. Re:Standing class action law suit by torpor · · Score: 3, Insightful

      "Now you can make the argument if you like that Microsoft was negligent. Just remember, that if you follow that logic, then Linux could find itself liable down the road. Some jackass comes up with an exploit, it causes trouble, and the Linux community is punished for it. Do you really want that?"

      Yes.

      That would be fair. And, nevertheless, it would at least level the playing field in the new marketing dominion for the 21st century: responsibility.

      People are sick and tired of things working 'just because of a bug', and fundamentally - at least at the level of applications that are being written today - there's no really good reason for it. The technology and mindset required to prevent these sorts of wastes of computing resources existed in the 70's.

      What the 'personal computer revolution' camp - you know, the one around the big Microsoft circus tents, crammed full of dopes - often seem to forget is that this 'virus' situation is truly a problem of the *Design* of the system. In other words, Windows allows and *provides a loyal service for* anyone who wants to create an environment in which processes can be run, globally, on everyone's computer, unchecked.

      It's not like they couldn't have done per-user application security at the filesystem level, say, in Windows95. Hell, Linux/*BSD/*etc. had it then. They could have done it, and enforced it by making it *default* setup. Hell, they could even have done ACL in Win95, for network services... thus preventing a legion of Visual Basic worms that used to make the rounds from shareware bonanza bbs's in the days before ftp ... but ... noooo ... they chanted the 'developer' mantra and used that as a justification to not ... quite ... make ... so ... much progress out of the Windows 3.1/9x/NT/2000/XP/Me/LH upgrade cashcow...

      In my opinion, it can be demonstrated fairly clearly that through negligence on Microsoft's part - and their boneheaded desire to 'control^H^H^H^H^H^H^Hservice the entire market at all costs' - they have managed to deliver a product so faulty that it regularly, frequently, is a source of massive productivity loss.

      Computer Viruses are so 80's. By now, 2003, we should not be having these problems with our computers.

      (Some of us, actually, don't. I haven't had a single problem with a virus infection on my personal computing systems since, I guess it was the early days of DOS 3.1 ... which was the last time I ever attempted to use a Microsoft product in a production scenario.)

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  3. Yup... more info here by Anonymous+Cowdog · · Score: 4, Informative

    I've been asking around about this, and it's amazing how many people are just brushing it off as nothing. It is a serious issue for IP addresses that are being hit.

    Here are some more posts on the topic, elsewhere. Note how some people just say "Oh, you are getting hits! Hits are good, no?".

    http://www.webmasterworld.com/forum39/1435.htm

    http://lists.jammed.com/incidents/2003/08/0369.html

    http://www.derkeiler.com/Mailing-Lists/linuxsecurity/2003-08/0002.html

    The blocking rules people suggest (see page five of the first link) don't work at my site, for some reason. Maybe it's because I only have access to .htaccess, not my own httpd.conf.

  4. hmm interesting... by josepha48 · · Score: 3, Insightful
    You get charged 'cause someone else uses up your bandwidth by a worm... Well I'd threaten to sue, and then sue, but I think someone else here mentioned there is a class action lawsuit about this.

    However they probably just see the ping using up your bandwidth and that is what they are looking at. I'd probably start logging all IP addresses that are pinging your server and then go after all these users. After all they are infected with this worm and until people who get on the internet start being responsible for keeping their machines firewalled, updated and locked down as much as possible from hackers these things will continue. Most of the MS worms could be prevented if people used zone alarm or black ice or another firewall product. Also most of the Linux and bsd exploits could be avoided if they setup firewalls and update their systems and kept on top of security.

    No it is not your fault, so go after those who are using up YOUR bandwidth and sue them and make them pay. It is their irresponsibility and stupidity that are causing these problems.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

  5. 20 cents a meg, anyone..? by zcat_NZ · · Score: 4, Informative

    Yep, that's what full-rate ADSL customers pay for traffic in New Zealand, once they get past their pitiful 500M monthly allowance.

    "I run linux.. I'm not affected by Windows worms and viruses" - Yeah, you wish..!

    --
    455fe10422ca29c4933f95052b792ab2
  6. Black Ice by Vaevictis666 · · Score: 4, Informative
    I don't know if things have changed since I looked at it last, but the latest version of Black Ice Defender was a port monitor, not a firewall.

    The difference is that a real firewall (Like Zone Alarm or Sygate (free is down at the bottom)) will block the traffic, prompt you to allow/disallow it, and then follow instructions.

    Black Ice, on the other hand, will simply watch ports, log traffic, and when someone tries to access your RPC port or whatnot, it simply sets a flag "Serious Error - Someone Hacking" and starts blinking in the system tray. No real response, no ability to block it in the future, just simple monitoring.

    In other words, it's a complete waste of CPU cycles from a security standpoint, and if you're using it for traffic monitoring you'd be better served with Ethereal.

  7. Continuously flickering activity light by cyberman11 · · Score: 3, Interesting

    My router WAN activity light and modem activity light are continuously flickering, even when no computers on my LAN are turned on. I tried replacing my Linksys BEFSR41 router with a Belkin F5D5231-4 router, and switching from a DSL modem to a cable modem but the new lights flicker just as much as the old ones. Since my computer is powered off, the continuous activity must be coming from the internet. I guess either hackers or worms.

  8. Re:And you didn't notice this before, because? by DaveJay · · Score: 3, Interesting

    I can think of one good reason -- although it's a reason that applies to me, not the person who posted the article.

    Here's the reason: I don't know how to do it.

    Okay, granted, it's not a GOOD reason. The thing is, I have a webstats monitor to check my WWW bandwidth, but I don't know how to check my OVERALL bandwidth. Good thing my ISP doesn't charge by the k. :)

    Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic.

    As an example, I'm running e-smith 5.5 on my home server. How would I monitor ALL my bandwidth? Not a step-by-step howto, mind you, just a "here's a great site" or "here's a good product" would help.

    Thanks in advance.

  9. Re:And you didn't notice this before, because? by Zocalo · · Score: 3, Interesting
    "Still, since your post seems quite confident that this should be an easy thing to do, I humbly (and sincerely) request that you give us some suggestions on how to actually monitor such traffic."

    It is in the context of the poster - (s)he has a firewall and appears to be running a web hosting company. You on the other hand appear to be a home user, so you may not have as much latitude depending on your ISP and how much control you have over how you get online.

    The first place to start is your router, since all traffic must pass through it, or a dedicated firewall immediately behind it. The simplest way to acquire traffic stats is with SNMP using a tool like MRTG which is how I do it. If you have no control over the router, then you might be able to get the same figures off the port on your switch that it connects to. I say might, because this assumes that you have a switch (likely these days) and that it supports SNMP (not quite as likely).

    Falling back further; no central point of ingress/egress you can monitor and a non-managed switch/hub... OK, we need to look at the traffic on the host NICs directly, on a per host basis. That means a bandwidth monitoring and logging tool; any software site will have loads (search on "bandwidth and log") and most host based firewalls can provide this information for you as well.

    --
    UNIX? They're not even circumcised! Savages!
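
Added example, not part of the thread or any commenter's post: the per-host fallback described in the last comment (reading traffic counters from the NIC directly), done on a Linux server by differencing two `/proc/net/dev` snapshots. The snapshot values are constructed, and counters that wrap at 32 bits are an assumption.

```python
"""Per-interface traffic rates from two /proc/net/dev snapshots (added example)."""

COUNTER_MOD = 2 ** 32  # assumption: 32-bit counters (32-bit kernel or SNMP Counter32)

# Constructed snapshots taken 60 s apart; eth0's rx byte counter wraps in between.
HEADER = ("Inter-|   Receive                   |  Transmit\n"
          " face |bytes packets errs drop fifo frame compressed multicast"
          "|bytes packets errs drop fifo colls carrier compressed\n")
SNAP_T0 = HEADER + (
    "    lo: 10000 100 0 0 0 0 0 0 10000 100 0 0 0 0 0 0\n"
    "  eth0: 4294000000 5000000 0 0 0 0 0 0 900000000 4000000 0 0 0 0 0 0\n")
SNAP_T1 = HEADER + (
    "    lo: 10600 106 0 0 0 0 0 0 10600 106 0 0 0 0 0 0\n"
    "  eth0: 1132704 5021000 0 0 0 0 0 0 900150000 4001000 0 0 0 0 0 0\n")


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, rx_packets, tx_bytes, tx_packets)}."""
    stats = {}
    for line in text.splitlines()[2:]:      # first two lines are column headers
        if ":" not in line:
            continue
        name, data = line.split(":", 1)
        f = [int(x) for x in data.split()]
        stats[name.strip()] = (f[0], f[1], f[8], f[9])  # rx at 0-7, tx at 8-15
    return stats


def interval_report(before, after, seconds, mod=COUNTER_MOD):
    """Rates between two snapshots; only a single counter wrap per interval is recoverable."""
    old, new = parse_proc_net_dev(before), parse_proc_net_dev(after)
    report = {}
    for iface in sorted(old.keys() & new.keys()):
        rx_b, rx_p, tx_b, tx_p = ((n - o) % mod for o, n in zip(old[iface], new[iface]))
        report[iface] = {
            "rx_bytes_per_s": rx_b / seconds,
            "rx_pkts_per_s": rx_p / seconds,
            "tx_bytes_per_s": tx_b / seconds,
            "tx_pkts_per_s": tx_p / seconds,
            # Many small inbound packets (e.g. a ping flood) pull this average down.
            "avg_rx_pkt_bytes": rx_b / rx_p if rx_p else 0.0,
        }
    return report


if __name__ == "__main__":
    for iface, r in interval_report(SNAP_T0, SNAP_T1, 60).items():
        print(iface, r)
```

Sampling on a fixed schedule and logging the result gives a baseline, so a sustained jump in inbound packets per second shows up before the bill does.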