RE: Increase in traffic to/from DSL subs since August?

2003-11-21 Thread Gary Attard

Improperly patched machines infected with Nachi (aka Welchia) have been
noted transmitting in excess of 500,000 ICMP echo requests via Class B
alphabet lookups per hour. The one characteristic of Nachi that simplifies
the identification of the infected machines is the fact that each of these
echo requests is a 92-byte ping. Any monitoring tools or packet sniffers
configured to look for these 92-byte pings will greatly simplify the
identification of the specific source addresses.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Suresh Ramasubramanian
Sent: Thursday, November 20, 2003 9:27 PM
Cc: [EMAIL PROTECTED]
Subject: Re: Increase in traffic to/from DSL subs since August?



Steven M. Bellovin writes on 11/20/2003 4:28 PM:

 At the IETF Plenary, Bernard Aboba showed a graph of spam, with a
 marked uptick since SoBig.F in August.  My guess is worm-deposited spam
 relays, though Joel's guess of Nachi or Welchia can't be ruled out,
 either, without flow data.

A ballpark estimate from a couple of friends who run small cable ISPs in
India, and from a look at our mailserver log stats, says that yes, this
is mostly because of open proxies and trojans infecting unpatched
windows machines on broadband.  Swen, MiMail and Jeem.mail.pv seem to be
the worst offenders wrt spamming trojans, right now.

Nachi and Welchia are almost as bad.  I'd say blame can be split equally
between the two.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations



Re: Increase in traffic to/from DSL subs since August?

2003-11-20 Thread Joel Jaeggli

icmp followed by port 135 connection attempts? nachi or welchia...

flow logs are highly useful in understanding gross behavioral changes in 
user usage patterns.

joelja

On Thu, 20 Nov 2003, Jared B. Reimer wrote:

 
 Greetings.
 
 Another independent ISP operator and I have noticed a pretty significant 
 increase in traffic to and from our broadband (DSL) subscribers since 
 August.  It's been a fairly steady uptick, at least in my case, resulting 
 in a doubling of overall average traffic to/from these folks since then.
 
 Have others seen a similar trend?  Any thoughts as to what the cause may 
 be?  Our best guess a virus/worm, possibly being used as a spam relay or 
 other proxy at this point...
 
 Many thanks,
 
 -- Jared
 

-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
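As an added example (not code from the thread or any poster), a small Python detector for the two signatures named above: Gary's 92-byte ICMP echo requests and Joel's ICMP-followed-by-port-135 pattern, run over flow records. The text flow format, the sample records, the addresses and the ping threshold are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample flows (not from the thread), one record per line:
# epoch src dst proto dport bytes packets. ICMP records carry type.code in
# the dport column, as several flow exporters do. RFC 5737 addresses.
SAMPLE_FLOWS = """\
1069354800 192.0.2.10 198.51.100.1 icmp 8.0 92 1
1069354800 192.0.2.10 198.51.100.2 icmp 8.0 92 1
1069354801 192.0.2.10 198.51.100.3 icmp 8.0 92 1
1069354801 192.0.2.10 198.51.100.4 icmp 8.0 92 1
1069354802 192.0.2.10 198.51.100.2 tcp 135 48 1
1069354802 192.0.2.10 198.51.100.4 tcp 135 48 1
1069354803 192.0.2.20 198.51.100.9 icmp 8.0 84 1
1069354803 192.0.2.20 198.51.100.9 icmp 8.0 84 1
1069354804 192.0.2.30 203.0.113.5 tcp 80 1500 12
"""

NACHI_PING_BYTES = 92  # per-packet size of the echo requests named in the thread
ECHO_REQUEST = "8.0"   # ICMP type 8, code 0

def parse_flows(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue
        yield {"ts": int(f[0]), "src": f[1], "dst": f[2], "proto": f[3],
               "dport": f[4], "bytes": int(f[5]), "pkts": int(f[6])}

def score_sources(flows, min_pings=3):
    """Map each source that sent at least min_pings 92-byte echo requests to
    its ping count, distinct targets, and follow-up TCP/135 attempts against
    hosts it had already pinged (the sequence Joel describes)."""
    pinged = defaultdict(set)  # src -> hosts that received a 92-byte echo
    pings = defaultdict(int)
    rpc = defaultdict(int)
    for r in sorted(flows, key=lambda r: r["ts"]):  # order matters for "followed by"
        if (r["proto"] == "icmp" and r["dport"] == ECHO_REQUEST and r["pkts"]
                and r["bytes"] // r["pkts"] == NACHI_PING_BYTES):
            pings[r["src"]] += r["pkts"]
            pinged[r["src"]].add(r["dst"])
        elif r["proto"] == "tcp" and r["dport"] == "135" and r["dst"] in pinged[r["src"]]:
            rpc[r["src"]] += 1
    return {s: {"pings": n, "targets": len(pinged[s]), "rpc": rpc[s]}
            for s, n in pings.items() if n >= min_pings}

if __name__ == "__main__":
    for src, info in score_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {info['pings']} 92-byte pings to {info['targets']} hosts, "
              f"{info['rpc']} follow-up TCP/135 attempts")
```

Only the host that sends several 92-byte echo requests and then tries TCP/135 on the hosts it pinged is reported; ordinary 84-byte pings and web traffic are ignored.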

Re: Increase in traffic to/from DSL subs since August?

2003-11-20 Thread Nipper, Arnold

On Thursday, November 20, 2003 10:00 PM, Jared B. Reimer
[EMAIL PROTECTED]
wrote:
 Greetings.

 Another independent ISP operator and I have noticed a pretty significant
 increase in traffic to and from our broadband (DSL) subscribers since
 August.  It's been a fairly steady uptick, at least in my case, resulting
 in a doubling of overall average traffic to/from these folks since then.

 Have others seen a similar trend?  Any thoughts as to what the cause may
 be?  Our best guess a virus/worm, possibly being used as a spam relay or
 other proxy at this point...


Traffic at LINX and AMS-IX started to grow again in July/August as well
after having slowed down for months. At DE-CIX we also see a big increase in
traffic since August. No idea what this is. IMHO it's too much traffic to
be a virus/worm.


Arnold

Re: Increase in traffic to/from DSL subs since August?

2003-11-20 Thread Mike Tancsa
At 04:28 PM 20/11/2003, Steven M. Bellovin wrote:

At the IETF Plenary, Bernard Aboba showed a graph of spam, with a
marked uptick since SoBig.F in August.  My guess is worm-deposited spam
relays, though Joel's guess of Nachi or Welchia can't be ruled out,
either, without flow data.
I would say all of the above, plus the normal "back from summer holidays, 
weather is getting worse, let's go on-line instead" phenomenon, and there is 
now more to do online, including cool higher-bandwidth net content; all add 
to higher usage.  But I would certainly say worm traffic is a big one.

---Mike 



Re: Increase in traffic to/from DSL subs since August?

2003-11-20 Thread Petri Helenius
Jared B. Reimer wrote:

Greetings.

Another independent ISP operator and I have noticed a pretty 
significant increase in traffic to and from our broadband (DSL) 
subscribers since August.  It's been a fairly steady uptick, at least 
in my case, resulting in a doubling of overall average traffic to/from 
these folks since then.

Have others seen a similar trend?  Any thoughts as to what the cause 
may be?  Our best guess a virus/worm, possibly being used as a spam 
relay or other proxy at this point...

Welchia would generate large amounts of traffic from the subscribers but
not really that much towards them, because it sends its traffic to random
IP prefixes, thus the possibility of hitting local prefixes is not that
great. (cannot remember if it had some bias)

Most consumer-heavy networks which used to have spare capacity in the DSL
access enjoy instant traffic growth if they or their upstream upgrade
their peers, making more bandwidth available to p2p applications.

And last, not least, zombie runners from certain netblocks probably send
instructions to your users to spew messages around the world advertising
their wares.

Just as a side note, we recently announced a product to automatically
sandbox and un-sandbox infected machines. Works with dynamic
addresses also.
Pete

Re: Increase in traffic to/from DSL subs since August?

2003-11-20 Thread Scott Weeks

: Another independent ISP operator and I have noticed a pretty significant
: increase in traffic to and from our broadband (DSL) subscribers since
: August.  It's been a fairly steady uptick, at least in my case, resulting
: in a doubling of overall average traffic to/from these folks since then.
: 
: Have others seen a similar trend?  Any thoughts as to what the cause may
: be?  Our best guess a virus/worm, possibly being used as a spam relay or
: other proxy at this point...


: At the IETF Plenary, Bernard Aboba showed a graph of spam, with a
: marked uptick since SoBig.F in August.  My guess is worm-deposited spam
: relays, though Joel's guess of Nachi or Welchia can't be ruled out,
: either, without flow data.


Don't forget the NTFS ADS spam crap.  :-(

scott



Re: Increase in traffic to/from DSL subs since August?

2003-11-20 Thread Suresh Ramasubramanian
Steven M. Bellovin writes on 11/20/2003 4:28 PM:

At the IETF Plenary, Bernard Aboba showed a graph of spam, with a 
marked uptick since SoBig.F in August.  My guess is worm-deposited spam
relays, though Joel's guess of Nachi or Welchia can't be ruled out, 
either, without flow data.
A ballpark estimate from a couple of friends who run small cable ISPs in 
India, and from a look at our mailserver log stats, says that yes, this 
is mostly because of open proxies and trojans infecting unpatched 
windows machines on broadband.  Swen, MiMail and Jeem.mail.pv seem to be 
the worst offenders wrt spamming trojans, right now.

Nachi and Welchia are almost as bad.  I'd say blame can be split equally 
between the two.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations