Increase in traffic to/from DSL subs since August?

In message <6.0.0.22.2.20031120125430.031eaeb0@LOCALHOST>, "Jared B. Reimer" writes:

Greetings.

Another independent ISP operator and I have noticed a pretty significant
increase in traffic to and from our broadband (DSL) subscribers since
August. It's been a fairly steady uptick, at least in my case, resulting
in a doubling of overall average traffic to/from these folks since then.

Have others seen a similar trend? Any thoughts as to what the cause may
be? Our best guess is a virus/worm, possibly being used as a spam relay or
other proxy at this point...

At the IETF Plenary, Bernard Aboba showed a graph of spam, with a
marked uptick since SoBig.F in August. My guess is worm-deposited spam
relays, though Joel's guess of Nachi or Welchia can't be ruled out,
either, without flow data.

    --Steve Bellovin

I would say all of the above, plus the normal "back from summer holidays, weather is getting worse, let's go on-line instead" phenomenon, and "there is now more to do online, including cool higher-bandwidth net content", all add to higher usage. But I would certainly say worm traffic is a big one.

         ---Mike

: >Another independent ISP operator and I have noticed a pretty significant
: >increase in traffic to and from our broadband (DSL) subscribers since
: >August. It's been a fairly steady uptick, at least in my case, resulting
: >in a doubling of overall average traffic to/from these folks since then.
: >
: >Have others seen a similar trend? Any thoughts as to what the cause may
: >be? Our best guess is a virus/worm, possibly being used as a spam relay or
: >other proxy at this point...

: At the IETF Plenary, Bernard Aboba showed a graph of spam, with a
: marked uptick since SoBig.F in August. My guess is worm-deposited spam
: relays, though Joel's guess of Nachi or Welchia can't be ruled out,
: either, without flow data.

Don't forget the NTFS ADS spam crap. >:-(

scott

Steven M. Bellovin writes on 11/20/2003 4:28 PM:

At the IETF Plenary, Bernard Aboba showed a graph of spam, with a marked uptick since SoBig.F in August. My guess is worm-deposited spam
relays, though Joel's guess of Nachi or Welchia can't be ruled out, either, without flow data.

A ballpark estimate from a couple of friends who run small cable ISPs in India, and from a look at our mailserver log stats, says that yes, this is mostly because of open proxies and trojans infecting unpatched windows machines on broadband. Swen, MiMail and Jeem.mail.pv seem to be the worst offenders wrt spamming trojans, right now.

Nachi and Welchia are almost as bad. I'd say blame can be split equally between the two.

Improperly patched machines infected with Nachi (aka Welchia) have been
noted transmitting in excess of 500,000 ICMP echo requests via Class B
alphabet lookups per hour. The one characteristic of Nachi that simplifies
the identification of the infected machines is the fact that each of these
echo requests is a 92-byte ping. Any monitoring tools or packet sniffers
configured to look for these 92-byte pings will greatly simplify the
identification of the specific source addresses.
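Added example (not code from this thread or from any poster): a small Python detector that applies the 92-byte echo-request heuristic from the post above to packet records, counting per-source echo requests of that size, the spread of destinations they hit (the "sweep the /16" behaviour described), and the rate. The record format (`ts,proto,src,dst,icmp_type,total_len`), the sample hosts and the thresholds are constructed assumptions for illustration, not the output of any real sniffer or flow collector; on a live link the thresholds would be tuned to the 500,000-per-hour scale the post reports rather than the handful of packets used here.

```python
"""Flag hosts emitting high rates of 92-byte ICMP echo requests.

Constructed example: the input is a simplified one-packet-per-line format
(ts,proto,src,dst,icmp_type,total_len), not any real tool's output.
"""
from collections import defaultdict
from dataclasses import dataclass, field

NACHI_PING_LEN = 92          # total IP datagram length noted in the post
ICMP_ECHO_REQUEST = 8        # ICMP type 8 = echo request

# Constructed sample records: one ordinary host, one host with two isolated
# 92-byte pings, a non-ICMP packet, and a worm-like host sweeping its /16.
SAMPLE_RECORDS = [
    "# ts,proto,src,dst,icmp_type,total_len   (constructed sample)",
    "100.0,icmp,10.20.30.50,10.20.0.1,8,84",   # ordinary 84-byte Linux ping
    "101.0,icmp,10.20.30.50,10.20.0.1,8,84",
    "102.0,icmp,10.20.30.50,10.20.0.1,8,84",
    "100.5,icmp,10.20.0.1,10.20.30.50,0,84",   # echo reply, ignored
    "100.1,icmp,10.20.30.60,10.20.0.7,8,92",   # two isolated 92-byte pings
    "140.0,icmp,10.20.30.60,10.20.0.8,8,92",   # (below the count threshold)
    "100.2,tcp,10.20.30.40,10.20.0.9,0,92",    # not ICMP, ignored
] + [
    # worm-like host: ten 92-byte echo requests to ten hosts, 5 per second
    f"{100.0 + i * 0.2:.1f},icmp,10.20.30.40,10.20.0.{i + 1},8,92"
    for i in range(10)
]


@dataclass
class SourceStats:
    pings: int = 0
    dests: set = field(default_factory=set)
    first: float = 0.0
    last: float = 0.0


def parse_record(line):
    """Parse one 'ts,proto,src,dst,icmp_type,len' line; None if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(",")
    if len(parts) != 6:
        return None
    ts, proto, src, dst, icmp_type, length = parts
    try:
        return float(ts), proto.lower(), src, dst, int(icmp_type), int(length)
    except ValueError:
        return None


def find_suspects(lines, min_pings=3, min_rate_per_sec=1.0):
    """Return {src: summary} for sources whose 92-byte echo-request volume
    and rate exceed the (assumed) thresholds."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, proto, src, dst, icmp_type, length = rec
        # Only the worm's signature packet counts: ICMP echo request, 92 bytes
        if proto != "icmp" or icmp_type != ICMP_ECHO_REQUEST or length != NACHI_PING_LEN:
            continue
        s = stats[src]
        if s.pings == 0:
            s.first = ts
        s.last = ts
        s.pings += 1
        s.dests.add(dst)

    suspects = {}
    for src, s in stats.items():
        span = max(s.last - s.first, 1.0)     # avoid divide-by-zero on bursts
        rate = s.pings / span
        if s.pings >= min_pings and rate >= min_rate_per_sec:
            suspects[src] = {
                "pings": s.pings,
                "distinct_dests": len(s.dests),   # fan-out: sweep vs. one target
                "rate_per_sec": round(rate, 2),
            }
    return suspects


def report(lines):
    """Human-readable lines for each flagged source."""
    return [f"{src}: {d['pings']} x 92-byte echo requests to "
            f"{d['distinct_dests']} hosts ({d['rate_per_sec']}/s)"
            for src, d in sorted(find_suspects(lines).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS):
        print(line)
```

The two 92-byte pings from 10.20.30.60 are deliberately not flagged: the size alone is a weak signal (a hand-run `ping` with a 64-byte payload produces the same datagram size), so the count, rate and destination fan-out are what separate a scanning host from a coincidence.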