Hi,
By giving the command "tcpdump -v -nn icmp"
I get the following:
*****
09:31:38.307409 202.63.164.12 > 202.183.69.130: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:31:39.308771 202.63.164.12 > 202.183.69.130: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:31:40.310974 202.63.164.12 > 202.183.69.130: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:31:41.312619 202.63.164.12 > 202.183.69.130: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:31:42.314766 202.63.164.12 > 202.183.69.130: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:36:38.961942 202.63.164.12 > 202.183.69.130: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:36:39.964662 202.63.164.12 > 202.183.69.130: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:36:40.967854 202.63.164.12 > 202.183.69.130: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:36:41.969910 202.63.164.12 > 202.183.69.130: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:36:42.978050 202.63.164.12 > 202.183.69.130: icmp: echo request (DF) (ttl 58,
id 0, len 84)
******
My server's Ethernet external ID is 202.183.69.130
How do I go ahead?
Thanks
Chris Brenton <cbrenton@xxxxxxxxxxxxxxxx> wrote:
ads nat wrote:
>
> When I talked with the users, they said there is no extraordinary
> increase in uploading or downloading. My ISP says there must be some
> virus/worm in the network.
Sounds like you are one of the sites flooding people with icmp :(
Try this:
tcpdump -v -nn icmp
Look at the source IPs of the echo-request packets and fix your systems.
If that does not help, try a tool like ntop or iptraf which will tell
you who is generating all the traffic.
HTH,
C
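Added example, not part of either poster's message: a Python sketch that reads tcpdump output in the format shown above, tallies echo requests per source/destination pair, labels whether the source sits inside your own network, and estimates the send rate. The sample capture, its addresses and the `local_net` value are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches the first physical line of each record; the wrapped
# "id 0, len 84)" continuation line is simply ignored.
RECORD = re.compile(
    r"(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) > (\S+): icmp: echo request")

# Constructed sample in the capture's format (RFC 5737 documentation addresses).
SAMPLE = """\
09:31:38.307409 198.51.100.7 > 192.0.2.10: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:31:39.308771 198.51.100.7 > 192.0.2.10: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:31:40.310974 198.51.100.7 > 192.0.2.10: icmp: echo request (DF) (ttl 58,
id 0, len 84)
09:31:40.400000 192.0.2.55 > 203.0.113.9: icmp: echo request (ttl 128, id 4021, len 92)
09:31:40.400500 192.0.2.55 > 203.0.113.9: icmp: echo request (ttl 128, id 4022, len 92)
09:31:40.401000 192.0.2.55 > 203.0.113.9: icmp: echo request (ttl 128, id 4023, len 92)
"""

def summarize(text, local_net):
    """Return one row per (src, dst) flow of echo requests.

    local_net is an assumed CIDR for your own address range; a source inside
    it is a host of yours sending pings ("outbound"), anything else is
    traffic arriving from outside ("inbound").
    """
    net = ip_network(local_net)
    flows = defaultdict(list)
    for h, m, s, us, src, dst in RECORD.findall(text):
        # Integer microseconds since midnight avoids float rounding.
        t = ((int(h) * 60 + int(m)) * 60 + int(s)) * 1_000_000 + int(us)
        flows[(src, dst)].append(t)
    rows = []
    for (src, dst), times in sorted(flows.items()):
        span = max(times) - min(times)
        pps = round((len(times) - 1) * 1_000_000 / span, 2) if span else None
        rows.append({
            "src": src, "dst": dst, "count": len(times), "pps": pps,
            "direction": "outbound" if ip_address(src) in net else "inbound",
        })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE, "192.0.2.0/24"):
        print(row)
```

Feed it saved capture text and your own prefix; rows marked "outbound" identify the internal hosts to inspect, while "inbound" rows are pings arriving from elsewhere.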