October 9th, 2001, 09:01 AM
huge ADSL packet outflow
-->Anyone have any idea why my DSL connection monitor shows fantastic amounts of outflowing packets (~into the hundreds of thousands a minute)? I got on phone with DSL provider, ran tests, the modem functions fine w/o ethernet control, so they think its a trojan, however 3 different updated trojan scanners find no evidence, and problem starts and stops suddenly. When symptoms are present, i get kicked off of webpages followed by a "socket error".
-->(running: Win2000 w/ZoneAlarmPro, Panda Titanium antivirus, all current Win2K patches, security levels high, grc.com shield tested well and port checkers seem to show no odd ports.) Netstat -a , a function i am only just learning, shows only difference between symptomatic and non-symptomatic states to be something called "bootpc" at port *:* (present when symptomatic).
October 9th, 2001, 02:19 PM
October 9th, 2001, 02:34 PM
Well stupid me, clicked the wrong button and it wouldn't let me delete the post. Back to what I was saying.....
Hundreds of thousands a minute? What is your DSL speed, 300 MB/s ? Well besides the speed, sounds like you've investigated this very well. Try using the attached program, since you said you were new to watching connections at the command prompt. This will help show all the connections going to/from your machine in an easier to read format. If the only thing you are doing is web surfing, you should see a bunch of port 80 connections. If you have an internal network setup with that machine, you may see a few port 139 connections for drive sharing. All the IP's that show up in the program, try investigating a few. If you are surfing yahoo.com and notice you seem to be connected to someone at ***.AOL.COM I would start to get suspicious.
If all else fails and no one is connected, everything is configured properly. Might be something wrong with the NIC card in your system, corrupt drivers, misconfiguration, etc. Maybe the modem itself is the source of the problem.
Good luck troubleshooting....
October 10th, 2001, 03:18 AM
Thanks for the reply!
-->Apparently, i was mistaken in watching the numbers blur for outflowing BYTES, not packets, so that was my mistake. But, the DSL techs were mystified with the volume...
-->Anyway, while using both the Netstat -a -n function AND the portmonitor you offered, i notice the port 80s you mentioned, as well as several used by the firewall and the occasional Panda-titanium updates. I also noticed several that have no external port ( "n/a"), but are instead "listening" . I am guessing these are okay.
-->Your help is appreciated.
Obey All Orders Without Question...The comfort you\'ve demanded is now mandatory. --Jello Biafra
October 10th, 2001, 03:48 AM
Socket Error? Was that all it said? Perhaps your system ran out of sockets, who knows... A buggy program, reserving sockets and never binding them to ports? I dunno...
But if the problem continues, and it' still really bugging you, I would suggest getting Tiny Personal Firewall (tinysoftware.com), and then using it's 'Firewall Status Window'. This arranges connections by Application, Protocol, Local Address(Ip/host and port), Destination Address (If applicable) State, creation time, Bytes transmitted, speed of sending, bytes recieved, and speed of recieving.
That way, you can probably find the filename of the program that is sending out the most data, or at least at the greatest rate. You don't have to have the firewall itself enabled and blocking/permitting data, in order to use the 'view' function, although it does have to be installed.
You can also try netstat with it's -s option, to see statistics and look for excessive errors in a category. You should probably pipe the output to more or redirect to a file though, since it can be long.
[HvC]Terr: L33T Technical Proficiency
October 11th, 2001, 12:49 AM
Yeah, I like tiny personal firewall's status monitor too, I would use that instead of the netmon tool, but I'm having trouble getting it to let file/print sharing connections through to my server. It has two network cards, one for internet, another for internal LAN. It's great at closing those evil ports 135, 139, etc for the internet, but I can't seem to modify the rules to let the LAN connections through. Do I need to junk the rules for port 139 and try making up some of my own?
October 11th, 2001, 01:46 AM
Well, it's true, I wish tiny had seperate rules for different adapters...
Just add your home network IP range to the 'Trusted Hosts' list, and let that list get full access (assuming you 'trust' them!). Nobody on the net is going to be using a lan-reserved IP address anyway.
Now, I'm using an OLDER Tiny version AFAIK, and I have a tiny bug. Deleting an entry in the trusted-computers section wipes my whole firewall ruleset. Happened twice, but I don't know what exactly causes it, so I just back it up before I do anything to the trustful addresses.
[HvC]Terr: L33T Technical Proficiency
October 11th, 2001, 01:58 AM
Im pretty sure that a smurf attack (and other Dos attacks) operate by sending huge amounts of data to the victim through PC's that have been "hijacked"...
Just a thought...and something to be wary of.