
Re: Huge Unexplained Bandwidth Usage



On Thu Mar 06 2003 at 03:23, "Peter Maag" wrote:

 [ ... munch on lots of stuff about unwelcome incoming broadcast traffic ... ]

>    http://www.maager.com/files/bandwidth/iptraf5.gif

  (why oh why did you have to run iptraf on a windoze box from a
  telnet logon from dos shell?  It is so hard to read.  Besides, it
  is trivial to make "snapshots" like this using linux).

There seems to be a lot of netbios (ports 137-139) traffic there.
And a lot of ARP traffic too.  Almost certainly most of it is local.


>    I have no idea how to stop this broadcast traffic from being charged
> against me...........I have a feeling this is more of a provider's
> issue, but I figured this list is probably much more intelligent :-)

You can't stop any traffic targeted at your box (even if indirectly
targeted via broadcast) from reaching it with a local firewall
(although that is certainly necessary -- mandatory! -- for local
protection).

Keep the statistics, you'll have a good case to present to your ISP
if/when they charge you for the traffic.  I'd talk to them anyway
about this... you don't want your bandwidth (which you are paying
good bucks for) to be limited by this rubbish.

Much of this traffic is likely to be generated by other clients
within your ISP's network who are letting their own boxes "leak"
broadcast traffic from their own (crappy) windows boxes (ie, lack of
good firewall, routing for networks behind them, stupidly and
needlessly broadcasting netbios traffic into the internet, etc).  In
that case hopefully you won't be charged for it (as it is
"internal").  [I didn't say this, but if other clients have their
netbios ports open, then it is not too difficult to direct missiles
at the netbios ports on these boxes to crash them:-]

It reminds me of when the network.vbs and redcode were in full swing
(and more recently other things like the sql slammer worm, mass
mailer viruses etc)... we were being charged for this unwelcome
traffic (it was like a constant knocking at the door).  We were
dropping the packets (and it was so persistent!), but the packets
had come across the link into our network and there was nothing we
could do about it.  We pleaded that they block this traffic on their
side of the link, but they bluntly refused as a matter of "policy".  A
legal battle eventuated when we gathered statistics to prove our
case (and to prove that they were indeed charging us for it), but I
have since left that company and haven't heard what came of it.

We also had to deal with heaps of netbios (windows networking),
netbeui and ipx traffic that came from dialup clients... bad
configuration on their end (eg, they were looking for a PDC to logon
to, very bad).  We had no choice in the end but to drop the packets
but happily (and unfortunately) charge them for the traffic (ie, it
was their problem).

Internet pollution is a sad fact of life.  Mostly thanks to
microslop's inherently poor security and default configuration
options for its networking.

So, you'll need to differentiate what is being originated within
your ISP's own network, and what is coming from the internet
"proper".  In any case, the bandwidth this is soaking up is terrible
and I would not hesitate to complain about that... they should
configure their routers to drop these packets outright.

>    Thanks for the help.

Good luck with this.

>     Peter Maag

Cheers
Tony
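
Added example, not part of the original message: one way to keep the statistics the reply recommends, splitting inbound bytes by origin (ISP-internal versus the wider internet) and by service (NetBIOS ports 137-139 versus everything else). The ISP prefix, the record format and the sample records are constructed assumptions; they are not iptraf output.

```python
import ipaddress
from collections import Counter

# Assumption: the ISP's own address blocks (documentation range as a placeholder).
ISP_NETS = [ipaddress.ip_network("198.51.100.0/24")]
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample records: "src_ip dst_ip proto dst_port bytes"
SAMPLE = """\
198.51.100.23 198.51.100.255 udp 137 92
198.51.100.40 198.51.100.255 udp 138 229
203.0.113.9 198.51.100.7 tcp 139 60
203.0.113.77 198.51.100.7 udp 1434 404
198.51.100.23 198.51.100.255 udp 137 92
192.0.2.14 198.51.100.7 tcp 80 1500
"""

def origin(src):
    """Label a source address as inside the ISP's blocks or from the internet."""
    addr = ipaddress.ip_address(src)
    return "isp-internal" if any(addr in n for n in ISP_NETS) else "internet"

def service(port):
    return "netbios" if port in NETBIOS_PORTS else "other"

def tally(text):
    """Sum bytes per (origin, service); skip malformed lines rather than abort."""
    totals = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, _dst, _proto, port, size = parts
        try:
            totals[(origin(src), service(int(port)))] += int(size)
        except ValueError:  # bad address, port or byte count
            continue
    return totals

def report(totals):
    """Rows sorted by byte count, each with its share of the total."""
    grand = sum(totals.values()) or 1
    return [f"{o:13} {s:8} {b:7d} bytes {100 * b / grand:5.1f}%"
            for (o, s), b in sorted(totals.items(), key=lambda kv: -kv[1])]

if __name__ == "__main__":
    print("\n".join(report(tally(SAMPLE))))
```
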




