Subject: Re: Calling networking specialists please... (MS Worms)
From: Martin
Date: 31/08/2003, 00:44
Newsgroups: alt.sci.seti

Nick M V Salmon wrote:
> Hi Folks
>
> Just recently something has been keeping my ISDN connection to BTinternet
> active, even when the connection has been totally inactive at this end for
> some hours. :-(   The connection was only going down when BTinternet cut it
> at their end after 4 hours..!
>
> I see a 92Byte packet incoming & outgoing from my router every few seconds
> and this keeps the connection alive.  The only way I can get the router to
> auto-disconnect is to reduce the 'inactivity period' setting to only 20
> seconds, ...


TWENTY SECONDS! You can get __that__ long a gap???!

You're evidently not as popular as my box at the moment...
(:-P)


The 92 byte pings (ICMP Type 8) are part of the MS worms spreading their stuff. From the kBytes/s I'm getting, there are a LOT of infected MS systems on my cable network segment.

Check your router's settings to ensure that pings from the WAN side are "DROP"ed (i.e., no response, 'stealthed'). If it includes a firewall, also block all the MS netbios et al noise.

Good luck,
Martin



Here's a small sample:

Aug 31 00:34:12 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...108.217.223 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=28950 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36736
Aug 31 00:34:16 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...108.3.201 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=50299 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=51426
Aug 31 00:34:19 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...108.36.122 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=11450 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=64272
Aug 31 00:34:21 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...108.26.132 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=3755 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=3043
Aug 31 00:34:29 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...108.122.71 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=118 ID=59568 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=38217
Aug 31 00:34:53 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...105.63.158 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=119 ID=36327 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=21139
Aug 31 00:34:56 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...106.139.178 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=14312 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=4778
Aug 31 00:35:10 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...108.30.181 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=21856 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27721
Aug 31 00:35:31 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...108.42.40 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=28023 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=32329
Aug 31 00:35:56 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...105.194.93 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=59113 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=61886
Aug 31 00:35:59 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...108.12.228 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=20661 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28489
Aug 31 00:36:11 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...107.93.58 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=118 ID=19426 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27719
Aug 31 00:36:22 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...107.144.29 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=6641 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=16315
Aug 31 00:36:53 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 ... SRC=...108.157.4 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=59016 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=63502

[...!]

And I thought it might be quietening down by now...


-- 
----------
- Martin -
- 53N 1W -
----------
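As an added example (not from Martin's post), a small Python parser for Shorewall/netfilter log lines like the ones above that flags the 92-byte ICMP echo requests and the Microsoft RPC/NetBIOS/SMB probes the reply says to block, and counts the pings per source. The sample lines and their addresses are constructed (the post elides SRC/DST), and the port list is my reading of "netbios et al".

```python
import re
from collections import Counter

# Constructed sample in the Shorewall/netfilter log format quoted in the post.
# The post elides SRC/DST, so the addresses here are made-up documentation ranges.
SAMPLE_LOG = """\
Aug 31 00:34:12 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.223 DST=198.51.100.7 LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=28950 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36736
Aug 31 00:34:16 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.201 DST=198.51.100.7 LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=50299 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=51426
Aug 31 00:34:19 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.223 DST=198.51.100.7 LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=11450 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36737
Aug 31 00:34:40 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=4411 PROTO=ICMP TYPE=8 CODE=0 ID=1034 SEQ=1
Aug 31 00:34:41 muse06 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9001 DF PROTO=TCP SPT=3344 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")
# Microsoft RPC, NetBIOS and SMB ports: my reading of the post's "netbios et al".
MS_PORTS = {"135", "137", "138", "139", "445"}


def parse_netfilter_line(line):
    """Split a netfilter KEY=VALUE log line into a dict. Bare flags (DF, SYN) have
    no value and are skipped. The IP-header ID and the ICMP echo identifier both
    appear as 'ID'; the second occurrence is stored as 'ICMP_ID' so neither is lost."""
    fields = {"TS": line[:15]}  # syslog timestamp, e.g. 'Aug 31 00:34:12'
    for key, value in FIELD_RE.findall(line):
        if key == "ID" and "ID" in fields:
            key = "ICMP_ID"
        fields[key] = value
    return fields


def is_worm_style_ping(f):
    """The pattern Martin describes: ICMP echo request (TYPE=8) in a 92-byte datagram."""
    return f.get("PROTO") == "ICMP" and f.get("TYPE") == "8" and f.get("LEN") == "92"


def is_ms_noise(f):
    """TCP/UDP probes at the Microsoft RPC/NetBIOS/SMB ports the post says to block."""
    return f.get("PROTO") in ("TCP", "UDP") and f.get("DPT") in MS_PORTS


def summarize(log_text):
    """Return (count of matching pings, Counter of matching pings per source address)."""
    per_src = Counter()
    for line in log_text.splitlines():
        if "PROTO=" not in line:  # not a netfilter packet log line
            continue
        f = parse_netfilter_line(line)
        if is_worm_style_ping(f):
            per_src[f["SRC"]] += 1
    return sum(per_src.values()), per_src
```

Feeding a real log through `summarize` shows which source addresses on the segment are repeating the 92-byte echo requests, which is the list you would hand to the ISP or use to confirm the router's WAN-side DROP rule is doing its job.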