Evening all.

On Mon, Oct 13, 2003 at 04:51:08PM +1300, Ewen McNeill said:
> And snooping on Citylink (which is implemented as a big LAN) shows much-higher-than-I'd-normally-expect volumes of ICMP echo requests flying around from all sorts of random addresses to all sorts of other random addresses.

Just a small point of protest here, there aren't higher volumes of anything floating around Citylink - due to some extra filtering and whining at ISPs from yours truly, noise levels have been lower in the last couple of months than at any time in the previous year. If you're seeing elevated echo request volumes on your Citylink tail, it's because somebody is sending them to your router from the Interweb - it's not something magically endemic to WIX; it is a big LAN, but it's certainly not a big hub.

Increased worm probing tends to manifest as increased ARP requests, rather than ICMP packets. That, FWIW, is why 95% of all the noise-to-every-port on Citylink is ARP requests to unused IP numbers. 3% is flooding unicast, and about 2% is the noise that everybody actually grizzles about (IPX, AppleTalk, RIP, OSPF, NetBIOS announcements and the usual other blah).

The ARP noise is quite dependent on worm activity levels, which is why I'm on at various ISPs to filter their unused IP space (about 50% of the ARP traffic is localised around two ISPs, as most ISPs are filtering already) - although traffic levels are low at the moment, it can blow out pretty quickly.

ISPs (in fact, anybody who runs a public IP subnet over APE or WIX), please null route the numbers in those subnets that you don't use, if you don't already. If nothing else, it'll stop other users filching traffic from you.

Cheers
Si
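
An added example, not part of the original message: a Python sketch of the null-routing request above. It works out the smallest set of blocks covering the unused addresses of a subnet and measures how much captured ARP traffic targets them. The subnet (a documentation range), the in-use list, the function names and the tcpdump-style lines are all constructed for illustration.

```python
import ipaddress
import re

# Matches the target of a tcpdump-style "ARP, Request who-has <ip> ... tell <ip>" line.
WHO_HAS = re.compile(r"who-has (\d{1,3}(?:\.\d{1,3}){3})\b")

SUBNET = "192.0.2.0/28"  # constructed: documentation range, not a real exchange subnet
IN_USE = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.10"]  # constructed
SAMPLE_LINES = [  # constructed capture lines
    "12:00:01.000001 ARP, Request who-has 192.0.2.5 tell 192.0.2.1, length 46",
    "12:00:01.000002 ARP, Request who-has 192.0.2.2 tell 192.0.2.1, length 46",
    "12:00:01.000003 ARP, Request who-has 192.0.2.12 tell 192.0.2.1, length 46",
    "12:00:01.000004 ARP, Request who-has 192.0.2.13 (ff:ff:ff:ff:ff:ff) tell 192.0.2.1, length 46",
    "12:00:01.000005 ARP, Request who-has 198.51.100.7 tell 198.51.100.1, length 46",
    "12:00:01.000006 ARP, Reply 192.0.2.2 is-at 00:00:5e:00:53:01, length 46",
]

def null_route_blocks(subnet, in_use):
    """Smallest list of CIDR blocks covering every host address not in use."""
    net = ipaddress.ip_network(subnet)
    used = {ipaddress.ip_address(a) for a in in_use}
    stray = used - set(net.hosts())
    if stray:  # a typo in the in-use list would otherwise be ignored silently
        raise ValueError(f"not host addresses of {net}: {sorted(stray)}")
    unused = [ipaddress.ip_network(str(h)) for h in net.hosts() if h not in used]
    return list(ipaddress.collapse_addresses(unused))

def arp_noise_share(lines, subnet, in_use):
    """Return (requests for unused addresses, all requests into the subnet)."""
    net = ipaddress.ip_network(subnet)
    used = {ipaddress.ip_address(a) for a in in_use}
    noise = total = 0
    for line in lines:
        m = WHO_HAS.search(line)
        if not m:
            continue  # replies and non-ARP lines
        try:
            target = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address in the capture text
        if target in net:
            total += 1
            noise += target not in used
    return noise, total

if __name__ == "__main__":
    print([str(n) for n in null_route_blocks(SUBNET, IN_USE)])
    print(arp_noise_share(SAMPLE_LINES, SUBNET, IN_USE))
```

Each returned block is a candidate for a discard route on the router that holds the subnet; the in-use list has to be kept current, because a null route for an address that is later assigned will drop that host's traffic.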