| Subject: Re: Calling networking specialists please... (MS Worms) |
| From: "Nick M V Salmon" <spam_dump@btinternet.com> |
| Date: 31/08/2003, 04:02 |
"Martin" <ml_news@ddnospamddml1dd.co.uk.dd> wrote
Nick M V Salmon wrote:
Just recently something has been keeping my ISDN connection to BTinternet
active, even when the connection has been totally inactive at this end for
some hours. :-( The connection was only going down when BTinternet cut it
at their end after 4 hours..!
I see a 92Byte packet incoming & outgoing from my router every few seconds
and this keeps the connection alive. The only way I can get the router to
auto-disconnect is to reduce the 'inactivity period' setting to only 20
seconds, ...
TWENTY SECONDS! You can get __that__ long a gap???!
It takes a while sometimes but at least the connection doesn't stay up for
four hours. It's very dependent on time of day - bad in the evenings but
daytime and well after midnight it's almost normal.
You're evidently not as popular as my box at the moment...
(:-P)
<LOL>
The 92 byte pings (ICMP Type 8) are part of the MS worms spreading their
stuff. From the kBytes/s I'm getting, there are a LOT of infected MS
systems on my cable network segment.
I suspected that might be it since it started at around the same time as
this 'blaster' worm spread 'into the wild' - in four hours it adds up to a
LOT of traffic. I'd just ignore it and let BTinternet worry about the
length of time connections are staying up because of it but they limit time
online per month to only 150 hours - that's not a lot of four hour periods,
only twice a day is >240 hours. :-(
Check your router's settings to ensure that pings from the WAN side are
"DROP"ed (ie, no response, 'stealthed'). If it includes a firewall, also
block all the MS netbios et al noise.
_Everything_ that comes in from outside unsolicited _should_ be dropped,
that's how it's set up at the moment. There's no firewall specifically but
it's a NAT router and it will also (supposedly) block all 'unsolicited
packets' - this problem seems to be that it will 'reply' to a ping and
counts that as 'activity'. :-/
Here's a small sample:
[..... snipped lot of stuff I didn't understand ......]
[...!]
And I thought it might be quietening down by now...
I suppose it will eventually - you'd think ISPs would block the packets
somewhere if it's all coming from that damn worm. :-/
Ciao...
[UK]_Nick...
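
An added illustration, not part of the original post: a sketch of the idle-timer effect described in this thread, assuming "92 byte" means the IPv4 total length and that the router's inactivity timer resets on every packet it counts. The function names and the sample capture are constructed for this example.

```python
import struct

ICMP_ECHO_REQUEST = 8
PING_TOTAL_LEN = 92  # assumption: "92 byte" means the IPv4 total length

def is_92_byte_ping(pkt: bytes) -> bool:
    """True for an IPv4 ICMP echo request (type 8) with total length 92."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:  # protocol 1 = ICMP
        return False
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[ihl] == ICMP_ECHO_REQUEST and total_len == PING_TOTAL_LEN

def hangup_time(events, idle_timeout, ignore_pings):
    """events: (seconds, packet) sorted by time. Returns when the idle timer
    fires, assuming the line is silent after the last event."""
    last_activity = 0
    for t, pkt in events:
        if t - last_activity >= idle_timeout:
            break  # the timer expired before this packet arrived
        if not (ignore_pings and is_92_byte_ping(pkt)):
            last_activity = t  # packet counted as activity, timer restarts
    return last_activity + idle_timeout

def ipv4(proto: int, body: bytes) -> bytes:
    """Constructed test packet; checksums are left at zero and not verified."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + body

def icmp(icmp_type: int, data_len: int) -> bytes:
    """Constructed ICMP message with zero-filled data."""
    return ipv4(1, struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + bytes(data_len))

# Constructed capture: one real TCP packet at t=5, then 92-byte pings every
# 7 seconds with a single 28-second lull between t=297 and t=325.
PING = icmp(ICMP_ECHO_REQUEST, 64)  # 20 (IP) + 8 (ICMP) + 64 (data) = 92
SAMPLE = [(5, ipv4(6, bytes(20)))]
SAMPLE += [(t, PING) for t in list(range(10, 300, 7)) + list(range(325, 600, 7))]

if __name__ == "__main__":
    for timeout, ignore in ((120, False), (20, False), (120, True)):
        print(timeout, ignore, hangup_time(SAMPLE, timeout, ignore))
```

With pings counted as activity, a 120-second timer never fires while the pings continue, and a 20-second timer fires only at the first lull; when the pings are not counted, the 120-second timer fires 120 seconds after the last real traffic.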