What is going on with my Dialup? - Networking



Thread: What is going on with my Dialup?

  1. What is going on with my Dialup?

    I am using Debian loaded from DVDs so the following is not some Windows
    update phenomenon.

    Since I left college this summer, I no longer have access to the campus
    Hi-speed Internet. So for now I am stuck on a rural dial up line that
    somehow the phone company has limited to about 26k throughput. I am
    trying to find out from the telco what is going on and why not 56k, but
    for now I am watching the lights on an external modem and they are
    revealing some stuff that I don't like.

    I am not much of a telecommunications guru (read: not at all) but it would
    appear that most of the traffic on my link is not mine. I realize that
    there is a certain amount of handshaking on initial connect, and some may
    be Firefox looking for updates (although I have turned off all of that I
    can find). But there is a lot left over that I can't explain.

    As an example... I was adding a couple of DVDs to my Netflix queue. It
    seemed very slow, taking almost a minute between screens even with the
    pictures turned off. Then I noticed the lights on the modem which
    indicated a continual receive with an occasional send even after the page
    was loaded and Firefox indicated "Done". It would continue for two
    minutes or so. I went to google and the same thing happened.

    Then I went through Firefox and turned off every update, feed and
    automatic check I could find. Made no difference. So I loaded Konqueror
    and surfed with that and got the same results - an unasked for receipt of
    something that is minutes long and that happens at random intervals of
    about 2 to 5 minutes.

    Next I logged off and dialed back in with no browser at all. I should
    have just talked to the ISP hardware and then dropped into a passive mode
    with an occasional keep alive blip. But sure enough, in about 20 seconds
    in comes a 3 minute continuous receive.

    The above post indicates two problems. Something is stealing a bunch of
    what little bandwidth I have, and (I think) somebody is talking to me
    unasked. This would never be noticed on a broadband link unless someone
    was running some kind of trace.

    What is the easiest way to determine what is incoming on an Internet
    connection? I know that I could learn Snort or such like, but I am just
    starting my first career and there isn't a whole lot of time left for
    playing. A Linux utility of some kind, maybe?

    Thanx any
    Tom

  2. Re: What is going on with my Dialup?

    On Wed, 16 Jul 2008 21:46:16 -0500, Tom Wyley wrote:

    > Next I logged off and dialed back in with no browser at all. I should
    > have just talked to the ISP hardware and then dropped into a passive mode
    > with an occasional keep alive blip. But sure enough, in about 20 seconds
    > in comes a 3 minute continuous receive.


    keepalive? (your isp drops the connection after a while)

    > The above post indicates two problems. Something is stealing a bunch of
    > what little bandwidth I have, and (I think) somebody is talking to me
    > unasked. This would never be noticed on a broadband link unless someone
    > was running some kind of trace.


    Usually you'll have a p2p connection, so you don't get other packets
    unless the packet is for you.

    > What is the easiest way to determine what is incoming on an Internet
    > connection? I know that I could learn Snort or such like, but I am just
    > starting my first career and there isn't a whole lot of time left for
    > playing. A Linux utility of some kind, maybe?
    >
    > Thanx any
    > Tom



    Snort is an IDS; a sniffer like tcpdump, wireshark etc. is what you are
    looking for.

    cheers

  3. Re: What is going on with my Dialup?

    Tom Wyley wrote:
    > I am using Debian loaded from DVDs so the following is not some Windows
    > update phenomenon.


    > Since I left college this summer, I no longer have access to the campus
    > Hi-speed Internet. So for now I am stuck on a rural dial up line that
    > somehow the phone company has limited to about 26k throughput. I am
    > trying to find out from the telco what is going on and why not 56k, but


    You may have to accept 26k in a rural area since modems negotiate speed
    and long phone lines to the ISP will limit what speed can be negotiated.
    But the particular modem or modem configuration can also limit speed.
    So it's a good idea to learn all you can about the modem to make sure
    the configuration is the best it can be.

    You won't get 56k in the U.S., all I've ever gotten is 50667 bps and
    that's a rare exception, most of the time it's 48000 or 49999 bps.
    And there's an FCC limit of 53kbps, if I remember correctly.

    > for now I am watching the lights on an external modem and they are
    > revealing some stuff that I don't like.


    ....

    > Next I logged off and dialed back in with no browser at all. I should
    > have just talked to the ISP hardware and then dropped into a passive mode
    > with an occasional keep alive blip. But sure enough, in about 20 seconds
    > in comes a 3 minute continuous receive.


    > The above post indicates two problems. Something is stealing a bunch of
    > what little bandwidth I have, and (I think) somebody is talking to me
    > unasked. This would never be noticed on a broadband link unless someone
    > was running some kind of trace.


    If there is an Internet connection there will be kiddies trying to break
    into it and cause trouble. Even on a PPP connection a firewall is a good
    idea.

    > What is the easiest way to determine what is incoming on an Internet
    > connection? I know that I could learn Snort or such like, but I am just
    > starting my first career and there isn't a whole lot of time left for
    > playing. A Linux utility of some kind, maybe?


    This dumps traffic on ppp0 to standard output:
    tcpdump -v -i ppp0

    This dumps traffic without DNS lookup for the IP addresses:
    tcpdump -vn -i ppp0

    There will be a lot of output over 3 minutes in either case, most
    of which won't be of much more value than what you see in 3 seconds.
    There will be a learning curve. I don't know what, if any, GUI traffic
    sniffing tools are available.

    > Thanx any
    > Tom


    --
    Clifford Kite
    /* Speak softly and carry a +6 two-handed sword. */

  4. Re: What is going on with my Dialup?

    On Wed, 16 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article , Tom Wyley wrote:

    >So for now I am stuck on a rural dial up line that somehow the phone
    >company has limited to about 26k throughput. I am trying to find out
    >from the telco what is going on and why not 56k, but for now I am
    >watching the lights on an external modem and they are revealing some
    >stuff that I don't like.


    1. Are you using the "correct" init-string according to the manufacturer
    of your un-named modem?
    2. "rural dial up" suggests you are some distance from town - how noisy
    is the phone line? 56K (and indeed anything over about 26K) tends to
    want to see a "clean" phone line - 26-33.6K is almost harder than 37-56K
    on a noisier line.
    3. Looking at modem lights isn't as informative as looking at the actual
    data transfers.

    >I am not much of a telecommunications guru (read: not at all) but it
    >would appear that most of the traffic on my link is not mine.


    You're possibly seeing windoze "messenger spam" (UDP to ports 1025-1035)
    but that should be relatively light. OTHER THAN THAT, your connection
    is a point-to-point link, and the only traffic on that link is to/from
    your computer.

    >I realize that there is a certain amount of handshaking on initial
    >connect, and some may be Firefox looking for updates (although I have
    >turned off all of that I can find). But there is a lot left over that
    >I can't explain.


    Let's start by not using a browser. Most browsers are happy to try to
    load every piece of eye-candy and other crap. What traffic do you see
    when the browser isn't running?

    >Next I logged off and dialed back in with no browser at all. I should
    >have just talked to the ISP hardware and then dropped into a passive mode
    >with an occasional keep alive blip. But sure enough, in about 20 seconds
    >in comes a 3 minute continuous receive.


    Figure out where the command line is, and run 'netstat -anptu' and see
    what is talking to what. See the man page for netstat so you understand
    what it's telling you.

    >The above post indicates two problems. Something is stealing a bunch of
    >what little bandwidth I have, and (I think) somebody is talking to me
    >unasked. This would never be noticed on a broadband link unless someone
    >was running some kind of trace.


    Depending on what all you installed, there shouldn't be that much open
    for "others" to connect to you. Nearly all of that traffic is _probably_
    due to client things you are running - but you won't know that until
    you find out what the traffic is. Most people install all kinds of
    extra trash that they think might be interesting, and don't know what
    it's actually doing.

    >What is the easiest way to determine what is incoming on an Internet
    >connection?


    [compton ~]$ netstat -anptu
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 8972/sshd
    [compton ~]$

    Doesn't really tell you, but the firewall is only accepting connections
    from two ranges totalling 1500 addresses (a /22 and two /24s).

    >I know that I could learn Snort or such like, but I am just starting my
    >first career and there isn't a whole lot of time left for playing.


    -rw-rw-r-- 1 gferg ldp 155096 Jan 23 2004 Security-HOWTO
    -rw-rw-r-- 1 gferg ldp 278012 Jul 23 2002 Security-Quickstart-HOWTO

    Should be on your system in /usr/share/HOWTO (or use your favorite search
    engine) - and there are a number of other good ones.

    Old guy

  5. Re: What is going on with my Dialup?

    > You may have to accept 26k in a rural area since modems negotiate speed
    > and long phone lines to the ISP will limit what speed can be negotiated.
    > But the particular modem or modem configuration can also limit speed.
    > So it's a good idea to learn all you can about the modem to make sure
    > the configuration is the best it can be.
    >
    >


    As it turns out, the Telco has put "combiners" on the lines to get two
    customers on one piece of copper. So I will never get over 26k from here.

    Tom

  6. Re: What is going on with my Dialup?

    >
    > 1. Are you using the "correct" init-string according to the manufacturer
    > of your un-named modem?
    > 2. "rural dial up" suggests you are some distance from town - how noisy
    > is the phone line? 56K (and indeed anything over about 26K) tends to
    > want to see a "clean" phone line - 26-33.6K is almost harder than 37-56K
    > on a noisier line.


    I found today that the phone company has put combiners on the lines around
    here so as to get two customers on one piece of copper. The bandwidth is
    only 30k on each side.

    > Let's start by not using a browser. Most browsers are happy to try to
    > load every piece of eye-candy and other crap. What traffic do you see
    > when the browser isn't running?
    >
    > Figure out where the command line is, and run 'netstat -anptu' and see
    > what is talking to what. See the man page for netstat so you understand
    > what it's telling you.
    >

    I can handle the command line ok but netstat is a big little program so I
    am RTFMing to figure it out. Looks to be about a zillion combinations of
    options.

    > Depending on what all you installed, there shouldn't be that much open
    > for "others" to connect to you. Nearly all of that traffic is _probably_
    > due to client things you are running - but you won't know that until you
    > find out what the traffic is. Most people install all kinds of extra
    > trash that they think might be interesting, and don't know what it's
    > actually doing.


    This is just a basic Debian install with stuff for a programmer (C, Perl,
    Tk, Mysql, and so forth). Not much else. I have a Smoothwall box
    between me and the modem with all ports except 80 and 441 closed. I can
    see all the Windows trojan junk hitting me but nothing in the firewall
    shows anything that I can correlate to a 2 and 3 minute unrequested receive
    package.

    Like I said, what is happening probably also happens on broadband lines
    also - it is just the speed of my line that makes it obvious.

    Will check out netstat.

    Thanks
    Tom

  7. Re: What is going on with my Dialup?

    On Thu, 17 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article <5IudndO9Xp7Nf-LVnZ2dnUVZ_iydnZ2d@oco.net>, Tom Wyley wrote:

    >I found today that the phone company has put combiners on the lines
    >around here so as to get two customers on one piece of copper. The
    >bandwidth is only 30k on each side.


    Phone companies are only required to provide a "voice grade" type of
    connection, which can be pretty horrible. Modems use a modulation
    scheme called trellis modulation using fixed frequencies - the
    information being carried as a combination of amplitude and carrier
    phase changes. This is what allows a "56k" connection to go over a
    wire that only carries 300 to 3000 Hertz voice.

    >I can handle the command line ok but netstat is a big little program
    >so I am RTFMing to figure it out. Looks to be about a zillion
    >combinations of options.


    The one you are interested in is 'netstat -anptu' which shows
    all connections (-a), using numbers (-n) rather than hostnames,
    displays the process name/ID that "owns" the connection on "this" end
    (-p) and shows TCP (-t) and UDP (-u) connections. This will tell you
    what process/program is using the connection. You can then isolate
    that process/program to see what started it by using the 'ps'
    command - specifically 'ps afuwx' and looking for the problem ID
    and/or program name. Note that both commands are a 'snapshot' of
    what is happening when you press the Enter key - neither knows about
    what recently happened, or what may happen later. They only know about
    "right now".

    >This is just a basic Debian install with stuff for a programmer (C,
    >Perl, Tk, Mysql, and so forth). Not much else. I have a Smoothwall
    >box between me and the modem with all ports except 80 and 441 closed.
    >I can see all the Windows trojan junk hitting me but nothing in the
    >firewall shows anything that I can correlate to a 2 and 3 minute
    >unrequested receive package.


    441 is a bit unusual - are you sure you don't mean 443? Assuming
    those are closed to _inbound_ packets (or are you running a web server
    that everyone is trying to access), it's most likely some traffic in
    response to that which you are generating. If all you are running is
    client software (no servers), then you need not open/forward any
    server ports. Your client uses a _random_ port number between 1025
    and ~65000 on your end, and talks to remote servers on well known ports
    like '80' for web-crap, '443' for secure web-crap, or 119 for Usenet.
    The remote server talks back to you _from_ its well known port _to_
    that high random port number. If you aren't running a server, ports 0
    to 1024 on your side should not be in use.

    You'll probably find that you have some "helper" programs running to get
    automatic updates, check the mail, news, and who knows what else. If
    you are not running a server, then any attempt by a remote system to
    connect to you will be ended with one packet:

    Remote_system:port_$NUMBER -> Your_system:port_$FOO "Hello"
    Your_system:port_$FOO -> Remote_system:port_$NUMBER "No one here"

    That's it - maybe 40-70 bytes in each direction, and the connection is
    ended. If there is no server, then the only traffic will be in response
    to something your system initiated.

    Your_system:port_$NUMBER -> Remote_system:port_$BAR "Hello"
    Remote_system:port_$BAR -> Your_system:port_$NUMBER "Hi - what?"
    Your_system:port_$NUMBER -> Remote_system:port_$BAR "Good to see you"
    Your_system:port_$NUMBER -> Remote_system:port_$BAR "Send me $CRAP"
    Remote_system:port_$BAR -> Your_system:port_$NUMBER "Here it comes!!!"
    and away we go, with three tons of what-ever it was that you asked
    them for. (Yes, this is a bit simplified, but the concept is accurate.)

    Bottom line - no servers on your end means only a tiny blip of traffic
    as your computer tells the remote "I'm sorry, but the number you dialed
    is not in service - CLICK!". If there _is_ a server, you have to figure
    out what ('netstat' will tell you that) and why ('ps' will help there).
    If there is traffic, but you aren't running any servers (netstat shows
    no port "LISTENING"), then it's something you asked for, and the
    'netstat' and 'ps' commands should be able to help you find it.

    >Like I said, what is happening probably also happens on broadband lines
    >also - it is just the speed of my line that makes it obvious.


    That's where those HOWTOs come in handy.

    Old guy

  8. Re: What is going on with my Dialup?

    On 2008-07-18, Moe Trin wrote:
    > On Thu, 17 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    > article <5IudndO9Xp7Nf-LVnZ2dnUVZ_iydnZ2d@oco.net>, Tom Wyley wrote:
    >
    > ...
    >
    > That's it - maybe 40-70 bytes in each direction, and the connection is
    > ended. If there is no server, then the only traffic will be in response
    > to something your system initiated.
    >
    > Your_system:port_$NUMBER -> Remote_system:port_$BAR "Hello"
    > Remote_system:port_$BAR -> Your_system:port_$NUMBER "Hi - what?"
    > Your_system:port_$NUMBER -> Remote_system:port_$BAR "Good to see you"
    > Your_system:port_$NUMBER -> Remote_system:port_$BAR "Send me $CRAP"
    > Remote_system:port_$BAR -> Your_system:port_$NUMBER "Here it comes!!!"
    > and away we go, with three tons of what-ever it was that you asked
    > them for. (Yes, this is a bit simplified, but the concept is accurate.)
    >
    > Bottom line - no servers on your end means only a tiny blip of traffic
    > as your computer tells the remote "I'm sorry, but the number you dialed
    > is not in service - CLICK!". If there _is_ a server, you have to figure


    Cannot a firewall be configured to simply ignore any incoming requests,
    so that there would be no response at all, instead of saying the
    equivalent of "not in service"?



  9. Re: What is going on with my Dialup?

    On Sat, 19 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article ,
    Jim Cochrane wrote:

    >Moe Trin wrote:


    >> Bottom line - no servers on your end means only a tiny blip of traffic
    >> as your computer tells the remote "I'm sorry, but the number you dialed
    >> is not in service - CLICK!".


    >Cannot a firewall be configured to simply ignore any incoming requests,
    >so that there would be no response at all, instead of saying the
    >equivalent of "not in service"?


    In addition to the regular HOWTOs from the LDP, see

    http://www.netfilter.org/documentation/HOWTO/

    That's the "default" result when using 'iptables' "DROP" rule. To have
    the firewall reject with an ICMP Type 3 Code 3 (Port Unreachable) or
    similar, you have to provide an extra rule of "REJECT with". In most
    cases, you provide a "default" rule which would be a DROP, but you can
    also forward it to an unused port, and have that port provide the
    "normal" RST flagged TCP packet.

    There is a huge debate of whether it's better to provide no response
    versus the RST or ICMP 3,3. Some feel this makes their computer
    invisible, neglecting to note that were their computer non-existent,
    the upstream router would normally provide an ICMP Type 3 Code 1 (Host
    Unreachable). I've actually seen idiots who configured their firewall
    to mimic the 'Host Unreachable' response - I say 'idiots' because the
    resulting ICMP error comes from the IP address that is supposedly
    unreachable. The lack of response causes the remote computer to make
    additional tries - so you aren't saving any bandwidth by silently
    discarding unwanted packets. As far as the bad guys are concerned, the
    lack of response confirms that the computer does exist, is reachable,
    and is using some form of firewall. This _MAY_ attract more attention
    compared to the effect of a more normal RST or ICMP 3,3. Your choice.

    Others think that by not responding to unwanted packets, they can hide
    information about their computer, such as operating system type and
    version. See the documentation that comes with the popular 'nmap' tool

    [compton ~]$ whatis nmap
    nmap (1) - Network exploration tool and security scanner
    [compton ~]$

    for considerably more details on this technique, and some simple means
    of defeating such probes.

    There is one situation when it _IS_ desirable to ignore unwanted
    packets. This is the case for UDP. Messenger spam (usually messages
    that appear to be windoze warning messages, directed to UDP ports 1025
    to 1030 or so) are often using spoofed source addresses. Looking at the
    IP headers of such packets, there are usually some glaringly obvious
    indications that the source is spoofed (such as using IP addresses that
    haven't been released by IANA - see that one fairly often). This means
    that there is no reason to send a FOAD packet to a non-existent or
    innocent host that had nothing to do with the UDP spam.

    Finally, there is a case where dropping packets causes you problems.
    The most common problem is 'identd' or 'auth' on tcp/113. You connect
    to a remote system, and it sends a query to this port - basically
    asking "who is your user who is connecting to my port ?". It
    waits until it gets an answer - either a response from the identd that
    is running on your system, or a port rejection from the network stack
    because you aren't running identd. If you DROP these packets, rather
    than rejecting or answering them, you have to wait ten to thirty
    seconds for the remote client to time out before your desired
    connection goes through. I see this on a number of servers I connect
    to on a regular basis. My solution is to have a special rule for
    these known servers to this specific port.

    The gotcha if you are silently discarding unwanted packets is that you
    have to do so for all 65536 ports and all 256 possible protocols (there
    is more to the world of IP than TCP, UDP, and ICMP). See the 'nmap'
    documentation for a lot more details and concepts.

    Old guy
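    An added example (not from this thread or its posters) of the rule set the
    post above describes: default DROP for everything, an ESTABLISHED rule so
    the box's own client traffic gets its replies, and a REJECT (TCP RST) rule
    for the identd/auth queries on tcp/113 from the servers you connect to, so
    those connections are not held up while the remote ident query times out.
    The interface name ppp0 and the two server addresses are hypothetical
    (TEST-NET-2 addresses, constructed for the example).

```shell
#!/bin/sh
# Firewall INPUT rules for a client-only dialup box, following the thread:
# silently DROP unwanted packets by default, but REJECT (TCP RST) the
# identd/auth queries on tcp/113 that known servers send, so connections *you*
# open to them are not held up 10-30 s while their ident query times out.
# Hypothetical values: ppp0 is the dialup interface; 192.0.2.25 and 192.0.2.119
# stand in for the known servers (constructed TEST-NET-2 addresses).
# Run as root:           ppp_input_rules ppp0 192.0.2.25 192.0.2.119
# Preview without root:  IPTABLES=echo ppp_input_rules ppp0 192.0.2.25 192.0.2.119
ppp_input_rules() {
    ipt=${IPTABLES:-iptables}   # binary to call; 'echo' only prints the rules
    iface=$1; shift             # remaining arguments are the known ident-querying servers
    "$ipt" -F INPUT
    # One local program talking to another never crosses ppp0; always fine.
    "$ipt" -A INPUT -i lo -j ACCEPT
    # Replies to conversations this machine started (what netstat shows as
    # ESTABLISHED); this is all the inbound traffic a client-only box needs.
    "$ipt" -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Ident probes from the servers we use get a normal RST ("no one here")
    # instead of silence; silence is what makes the remote side wait.
    for srv in "$@"; do
        "$ipt" -A INPUT -i "$iface" -p tcp -s "$srv" --dport 113 \
               -j REJECT --reject-with tcp-reset
    done
    # Everything else, on every port and every protocol: no response at all.
    # Set last so there is no window where the ACCEPT rules are not yet in place.
    "$ipt" -P INPUT DROP
}
```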

  10. Re: What is going on with my Dialup?

    Tom Wyley wrote:
    > I noticed the lights on the modem which
    > indicated a continual receive with an occasional send even after the page
    > was loaded and Firefox indicated "Done". It would continue for two
    > minutes or so. I went to google and the same thing happened.


    Are you sure it is not a background prefetch being done by the browser?
    The newer browsers do this. I think on broadband, the browser
    performance has greatly improved, but I have seen some dog slow browsers on
    dial up connections, but I haven't yet managed to get round to tracing
    this. (This problem has been occurring on third party systems using
    Micros~1dows, but most people are planning to switch over to a broadband
    provider, so the priority for investigating this has been low.)

    I would run tcpdump in a console window, do your browsing, then switch
    to the terminal window and have a look what is happening when the modem
    light starts to come on.

    Let us know what you find.

    Regards,

    Mark.

    --
    Mark Hobley,
    393 Quinton Road West,
    Quinton, BIRMINGHAM.
    B32 1QE.
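    An added example (not posted by anyone in this thread) that follows up the
    tcpdump advice in this post and in post 3: a small awk filter that totals a
    tcpdump capture per remote host, so a minutes-long "continuous receive" can
    be pinned on an address and a direction. It assumes tcpdump was run without
    -v (one line per packet) and with -tt for epoch timestamps; the addresses
    and the capture lines are constructed (TEST-NET ranges), with 198.51.100.7
    standing in for the ppp0 address.

```shell
#!/bin/sh
# Summarise 'tcpdump -n -i ppp0 -tt' output per remote host: packets and bytes
# in each direction plus how long the exchange lasted. A real run would be:
#   tcpdump -n -i ppp0 -tt > /tmp/ppp0.log
#   tcpdump_summary 198.51.100.7 < /tmp/ppp0.log
# Constructed sample (hypothetical addresses; 198.51.100.7 is "this" machine).
SAMPLE='1216260000.100 IP 198.51.100.7.1031 > 192.0.2.10.80: Flags [S], seq 1, win 5840, length 0
1216260000.300 IP 192.0.2.10.80 > 198.51.100.7.1031: Flags [S.], seq 2, ack 2, win 5792, length 0
1216260000.500 IP 198.51.100.7.1031 > 192.0.2.10.80: Flags [P.], seq 1:301, ack 1, length 300
1216260001.000 IP 192.0.2.10.80 > 198.51.100.7.1031: Flags [P.], seq 1:1449, ack 301, length 1448
1216260001.500 IP 192.0.2.10.80 > 198.51.100.7.1031: Flags [P.], seq 1449:2897, ack 301, length 1448
1216260002.000 IP 198.51.100.7.1029 > 192.0.2.53.53: 4711+ A? example.invalid. (34)
1216260002.200 IP 192.0.2.53.53 > 198.51.100.7.1029: 4711 1/0/0 A 192.0.2.10 (50)'

# Usage: tcpdump_summary <my-address> < capture
tcpdump_summary() {
    awk -v me="$1" '
    $2 == "IP" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        # tcpdump writes host.port; strip the trailing .port to get the host
        sh = src; sub(/\.[0-9]+$/, "", sh)
        dh = dst; sub(/\.[0-9]+$/, "", dh)
        # TCP lines carry "length N"; lines without it (e.g. DNS) count as 0 bytes
        len = 0
        for (i = 6; i <= NF; i++) if ($i == "length") len = $(i + 1) + 0
        if (dh == me)      { peer = sh; in_pkts[peer]++;  in_bytes[peer]  += len }
        else if (sh == me) { peer = dh; out_pkts[peer]++; out_bytes[peer] += len }
        else next
        if (!(peer in first)) first[peer] = $1
        last[peer] = $1
    }
    END {
        printf "%-16s %8s %10s %8s %10s %8s\n",
               "remote", "in_pkts", "in_bytes", "out_pkts", "out_bytes", "seconds"
        for (p in last)
            printf "%-16s %8d %10d %8d %10d %8.1f\n",
                   p, in_pkts[p], in_bytes[p], out_pkts[p], out_bytes[p], last[p] - first[p]
    }'
}
```

    Pipe the result through `sort -k3 -n -r` to put the host that sent you the
    most bytes at the top.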

  11. Re: What is going on with my Dialup?

    On Fri, 18 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article , Tom Wyley wrote:

    >> Phone companies are only required to provide a "voice grade" type of
    >> connection, which can be pretty horrible.


    >However, the inquiry led me to a many years old local newspaper
    >investigation (way back when most people were on dialup) about a sudden
    >drop in everyone's connection speed. Apparently the Telco was
    >massively installing these combiner things all over the area. The
    >reporter was told that nobody at the phone company was authorized to
    >give any info or comment on the matter.


    The more appropriate contact would be your state's public utilities
    commission - the organization that actually oversees the telephone
    (and electric, and water, and gas) service providers. They would only
    step in if the utility was violating some standard[s], and as noted
    the standard for telephone service is that the call goes through and
    you can converse with the other party. It won't be hi-fi, and despite
    the ads, you won't be able to "hear a pin drop" - you'll have a
    good enough connection to be able to understand the words spoken at
    the other end.

    >> The one you are interested in is 'netstat -anptu' which shows all
    >> connections (-a), using numbers (-n) rather than hostnames, displays
    >> the process name/ID that "owns" the connection on "this" end (-p)


    >Netstat gives a ton of info.


    That is bad news. On my system at the moment, there are _two_ items
    listed besides the header - the LISTENING ssh server, and the
    ESTABLISHED connection to port 119 on the remote news server.

    So - how many 'LISTENING' lines do you have? Those are network servers
    you are running whether you know it or not. How many 'ESTABLISHED'
    lines do you have? Those are active conversations you are holding.
    Now unless the port number on your end is port 9 (the bit bucket),
    you are running something, and you'll need to find out why. Now, you
    can ignore anything to/from 127.0.0.1 (which is one application on your
    computer talking to another application on your computer). It's the
    rest of the stuff you need to be concerned with.

    >So far I am still just playing with it and not trying to trap anything
    >real, but I did see one 2 minute session to data.coremetrics.com after
    >my dialup connect and before I did anything. Still googling for who or
    >what they are.


    What was the port number on "your" end? What process was that? It's
    generally easier to determine what stuff is by looking at your end,
    because that is the stuff that's under your control.

    >I don't think so. When I install Debian, I do it from scratch, apt by
    >apt rather than use a canned version. Just the kernel and enough stuff
    >to be able to access the machine and then just the packag(es) I need.


    Don't forget that apt will install dependencies automagically.

    Old guy
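    An added example (not from this thread or its posters) that applies the
    reading of 'netstat -anptu' given in this post and in post 7: skip
    loopback, flag LISTEN lines as servers, flag anything bound to a port below
    1024 on a client-only box, and report the PID/program of the rest so it can
    be chased with 'ps'. The netstat lines are a constructed sample (TEST-NET
    addresses, with 198.51.100.7 as the dialup address and made-up PIDs).

```shell
#!/bin/sh
# Triage 'netstat -anptu' output the way the thread suggests:
#   LISTEN lines        -> servers you are running, whether you know it or not
#   local port < 1024   -> should not be in use on a client-only box
#   127.0.0.1 / ::1     -> one local program talking to another; ignore
#   everything else     -> a client conversation; check the PID/program with 'ps'
# Live use:  netstat -anptu | netstat_triage
# Constructed sample of netstat output (hypothetical addresses and PIDs).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      8972/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1833/mysqld
tcp        0      0 198.51.100.7:1031       192.0.2.10:80           ESTABLISHED 2201/firefox-bin
tcp        0      0 198.51.100.7:1032       192.0.2.10:80           TIME_WAIT   -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1300/portmap'

netstat_triage() {
    awk '
    # header lines and the "(Not all processes could be identified ...)" note
    $1 !~ /^(tcp|udp)/ { next }
    {
        proto = $1; laddr = $4; raddr = $5
        # UDP sockets usually have no State column, so PID/Program shifts left
        if (NF == 6) { state = "-"; prog = $6 } else { state = $6; prog = $7 }
        if (laddr ~ /^127\./ || laddr ~ /^::1:/) next
        n = split(laddr, a, ":"); lport = a[n] + 0
        if (state == "LISTEN")            tag = "SERVER"
        else if (lport < 1024)            tag = "LOWPORT"
        else if (state == "ESTABLISHED")  tag = "CLIENT"
        else                              tag = "OTHER"
        printf "%-8s %-4s %-22s %-22s %-12s %s\n", tag, proto, laddr, raddr, state, prog
    }'
}
```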

  12. Re: What is going on with my Dialup?

    On 2008-07-19, Moe Trin wrote:
    > On Sat, 19 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    > article ,
    > Jim Cochrane wrote:
    >
    >>Moe Trin wrote:

    >
    >>> Bottom line - no servers on your end means only a tiny blip of traffic
    >>> as your computer tells the remote "I'm sorry, but the number you dialed
    >>> is not in service - CLICK!".

    >
    >>Cannot a firewall be configured to simply ignore any incoming requests,
    >>so that there would be no response at all, instead of saying the
    >>equivalent of "not in service"?

    >
    > In addition to the regular HOWTOs from the LDP, see
    >
    > http://www.netfilter.org/documentation/HOWTO/
    >
    > That's the "default" result when using 'iptables' "DROP" rule. To have
    > the firewall reject with an ICMP Type 3 Code 3 (Port Unreachable) or
    > similar, you have to provide an extra rule of "REJECT with". In most
    > cases, you provide a "default" rule which would be a DROP, but you can
    > also forward it to an unused port, and have that port provide the
    > "normal" RST flagged TCP packet.


    Thanks, Moe, for the excellent response.

    I guess the situation is a lot less black-and-white than one would be
    led to believe by using GRC's port test:

    https://www.grc.com/x/ne.dll?bh0bkyd2

    You're one of those rare persons from whose posts people can actually
    gain good, detailed knowledge, rather than just reading opinions with
    perhaps a little bit of data to back them up.


    Thanks.

    > There is a huge debate of whether it's better to provide no response
    > versus the RST or ICMP 3,3. Some feel this makes their computer
    > invisible, neglecting to note that were their computer non-existent,
    > the upstream router would normally provide an ICMP Type 3 Code 1 (Host
    > Unreachable). I've actually seen idiots who configured their firewall
    > to mimic the 'Host Unreachable' response - I say 'idiots' because the
    > resulting ICMP error comes from the IP address that is supposedly
    > unreachable. The lack of response causes the remote computer to make
    > additional tries - so you aren't saving any bandwidth by silently
    > discarding unwanted packets. As far as the bad guys are concerned, the
    > lack of response confirms that the computer does exist, is reachable,
    > and is using some form of firewall. This _MAY_ attract more attention
    > compared to the effect of a more normal RST or ICMP 3,3. Your choice.
    >
    > Others think that by not responding to unwanted packets, they can hide
    > information about their computer, such as operating system type and
    > version. See the documentation that comes with the popular 'nmap' tool
    >
    > [compton ~]$ whatis nmap
    > nmap (1) - Network exploration tool and security scanner
    > [compton ~]$
    >
    > for considerably more details on this technique, and some simple means
    > of defeating such probes.
    >
    > There is one situation when it _IS_ desirable to ignore unwanted
    > packets. This is the case for UDP. Messenger spam (usually messages
    > that appear to be windoze warning messages, directed to UDP ports 1025
    > to 1030 or so) are often using spoofed source addresses. Looking at the
    > IP headers of such packets, there are usually some glaringly obvious
    > indications that the source is spoofed (such as using IP addresses that
    > haven't been released by IANA - see that one fairly often). This means
    > that there is no reason to send a FOAD packet to a non-existent or
    > innocent host that had nothing to do with the UDP spam.
    >
    > Finally, there is a case where dropping packets causes you problems.
    > The most common problem is 'identd' or 'auth' on tcp/113. You connect
    > to a remote system, and it sends a query to this port - basically
    > asking "who is your user who is connecting to my port ?". It
    > waits until it gets an answer - either a response from the identd that
    > is running on your system, or a port rejection from the network stack
    > because you aren't running identd. If you DROP these packets, rather
    > than rejecting or answering them, you have to wait ten to thirty
    > seconds for the remote client to time out before your desired
    > connection goes through. I see this on a number of servers I connect
    > to on a regular basis. My solution is to have a special rule for
    > these known servers to this specific port.
    >
    > The gotcha if you are silently discarding unwanted packets is that you
    > have to do so for all 65536 ports and all 256 possible protocols (there
    > is more to the world of IP than TCP, UDP, and ICMP). See the 'nmap'
    > documentation for a lot more details and concepts.
    >
    > Old guy



    --
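The DROP-versus-REJECT trade-off quoted above, with its two exceptions (always answer identd queries from servers you use, silently drop spoofed-source UDP), as an added Python example that is not code from the thread; the bogon list, the 198.51.100.7 ident server and the sample packets are constructed placeholders, and the verdict strings mirror iptables REJECT targets.

```python
import ipaddress
from dataclasses import dataclass

# Source ranges that cannot legitimately originate Internet traffic. Constructed,
# illustrative list (private, loopback, link-local, multicast, class E, "this net");
# in 2008 the still-unallocated IANA /8s belonged here too, so refresh it from
# current IANA/bogon data before relying on it.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Servers we connect to that are known to send an ident query back to tcp/113
# (hypothetical address from the TEST-NET-2 documentation range).
IDENT_QUERIERS = {ipaddress.ip_address("198.51.100.7")}
MESSENGER_SPAM_PORTS = range(1025, 1031)  # UDP 1025-1030, per the post

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", "gre", ...
    src: str     # source address from the IP header
    dport: int   # destination port (0 when the protocol has none)

def is_bogon(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)

def looks_like_messenger_spam(pkt):
    """Messenger popup spam: UDP to 1025-1030 from a source that cannot be real."""
    return pkt.proto == "udp" and pkt.dport in MESSENGER_SPAM_PORTS and is_bogon(pkt.src)

def policy(pkt, silent=False):
    """Verdict for an unsolicited inbound packet; strings mirror iptables targets."""
    # Special rule: ident queries from servers we use always get a RST, otherwise
    # their client stalls ten to thirty seconds waiting for the query to time out.
    if pkt.proto == "tcp" and pkt.dport == 113 and ipaddress.ip_address(pkt.src) in IDENT_QUERIERS:
        return "REJECT --reject-with tcp-reset"
    # UDP with an obviously spoofed source: nobody real is waiting for an answer,
    # so an ICMP error would only hit an innocent or non-existent host.
    if pkt.proto == "udp" and is_bogon(pkt.src):
        return "DROP"
    # Everything else follows the chosen stance: silent discard, or a normal
    # rejection (RST for TCP, ICMP 3,3 for UDP, ICMP 3,2 for other protocols).
    if silent:
        return "DROP"
    if pkt.proto == "tcp":
        return "REJECT --reject-with tcp-reset"
    if pkt.proto == "udp":
        return "REJECT --reject-with icmp-port-unreachable"
    return "REJECT --reject-with icmp-proto-unreachable"

def ident_rules(chain="INPUT"):
    """Render the 'special rule for these known servers' as iptables commands."""
    return [f"iptables -A {chain} -p tcp -s {host} --dport 113 -j REJECT --reject-with tcp-reset"
            for host in sorted(IDENT_QUERIERS)]

if __name__ == "__main__":
    samples = [Packet("tcp", "198.51.100.7", 113), Packet("udp", "10.1.2.3", 1026),
               Packet("udp", "203.0.113.9", 53), Packet("gre", "203.0.113.9", 0)]
    for p in samples:
        print(p, "->", policy(p), "| silent stance:", policy(p, silent=True))
    print("\n".join(ident_rules()))
```

Whichever stance you pick, the identd rule is the one that keeps your own outbound connections from stalling, which is why it is applied before the general verdict.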


  13. Re: What is going on with my Dialup?

    On Mon, 21 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article ,
    Jim Cochrane wrote:

    >Thanks, Moe, for the excellent response.
    >
    >I guess the situation is a lot less black-and-white than one would be
    >led to believe by using GRC's port test:


    I don't know what to think about Mr. Gibson. In the mid-1980s, his
    'Spin-Rite' application was useful for setting hard disk interleave
    ratios. When he got into network security, he seems to have decided
    to take short-cuts, and ignore the problems those create. His
    "Shields Up" scanner was pretty much pure hype - initially scanning
    just _ten_ TCP ports. By mid-2003, it was up to thirteen!!! (21, 23,
    25, 79, 80, 110, 113, 135, 139, 143, 443, 445 and 5000). While that
    might catch some windoze vulnerabilities (didn't know windoze ran a
    finger daemon), it misses just about everything else. If you run a
    packet sniffer while getting a scan today, you'll see more ports
    checked, but still far from complete.

    You do have to look at the tool you are trying to use. I find that
    nmap is very useful (I'm told this is what the grc.com port scan is
    actually using), but you have to read the large amount of documentation
    that comes with it to get the best results.

    >You're one of those rare persons from whose posts people can actually
    >gain good, detailed knowledge, rather than just reading opinions with
    >perhaps a little bit of data to back them up.


    Yeah, I do tend to get long winded at times. Thanks!

    Old guy

  14. Re: What is going on with my Dialup?

    Moe Trin wrote:
    > On Mon, 21 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    > article ,
    > Jim Cochrane wrote:
    >
    >> Thanks, Moe, for the excellent response.
    >>
    >> I guess the situation is a lot less black-and-white than one would be
    >> led to believe by using GRC's port test:

    >
    > I don't know what to think about Mr. Gibson. In the mid-1980s, his
    > 'Spin-Rite' application was useful for setting hard disk interleave
    > ratios.


    Oh really, was that like version 1?

    SpinRite is a computer software program for scanning magnetic data
    storage devices such as hard disks, recovering data from them and
    refreshing their surfaces.

    > When he got into network security, he seems to have decided
    > to take short-cuts, and ignore the problems those create. His
    > "Shields Up" scanner was pretty much pure hype - initially scanning
    > just _ten_ TCP ports. By mid-2003, it was up to thirteen!!! (21, 23,
    > 25, 79, 80, 110, 113, 135, 139, 143, 443, 445 and 5000). While that
    > might catch some windoze vulnerabilities (didn't know windoze ran a
    > finger daemon), it misses just about everything else. If you run a
    > packet sniffer while getting a scan today, you'll see more ports
    > checked, but still far from complete.



    Ya, back in the good old days...... Guess it's been a while since you
    looked at Shields Up. A scan of "common ports" is now 26, and you can
    select "all service ports", which will scan your system's first 1056 ports.


    >
    > You do have to look at the tool you are trying to use. I find that
    > nmap is very useful (I'm told this is what the grc.com port scan is
    > actually using), but you have to read the large amount of documentation
    > that comes with it to get the best results.
    >
    >> You're one of those rare persons from whose posts people can actually
    >> gain good, detailed knowledge, rather than just reading opinions with
    >> perhaps a little bit of data to back them up.

    >
    > Yeah, I do tend to get long winded at times. Thanks!
    >
    > Old guy


  15. Re: What is going on with my Dialup?

    On Thu, 24 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article <0ff96g.f5p.ln@freebee.ddns.org>, Send wrote:

    >Moe Trin wrote:


    >> I don't know what to think about Mr. Gibson. In the mid-1980s, his
    >> 'Spin-Rite' application was useful for setting hard disk interleave
    >> ratios.

    >
    >Oh really, was that like version 1?


    Version 1.2 from 1988 apparently. It's hard for modern computer experts
    to believe, but a 3000 RPM MFM drive connected to an 8 bit ISA bus
    drive controller was far faster at delivering bits than the 4.77 MHz
    8088, or even the 6 MHz 80286 of the IBM PC, PC-XT, and PC-AT (and
    clones) could handle. Putting the terms 'hard disk interleave ratio'
    into a search engine should provide you with a fair amount of reading
    material.

    >SpinRite is a computer software program for scanning magnetic data
    >storage devices such as hard disks, recovering data from them and
    >refreshing their surfaces


    Originally, SpinRite, and the somewhat similar Htest/Hformat from Paul
    Mace Software could be used to optimize the interleave ratio. The
    need for this hack went away in the late 1980s when 16 bit drive
    controllers became the default, and new drives came pre-formatted
    without interleave. It's not even possible to set the interleave on
    drives built after about 1990. I guess Gibson reused the product name
    for something completely different. I haven't bothered with those
    types of programs as I got rid of windoze in 1992.

    >> His "Shields Up" scanner was pretty much pure hype - initially
    >> scanning just _ten_ TCP ports. By mid-2003, it was up to thirteen!!!


    >Ya, back in the good old days...... Guess it's been a while since you
    >looked at Shields Up. A scan of "common ports" is now 26, and you
    >can select "all service ports", which will scan your system's first
    >1056 ports.


    I have no reason to use such a shoddy tool. Wow - 26 ports! I suspect
    you really mean the first 1024 TCP ports, and 32 others that windoze
    normally has open. It's laughable to compare that to even what the "Fast
    Scan Mode" of nmap uses (ports listed in the services file which comes
    with nmap - a bit over 2200 tcp ports _alone_). Want something even
    faster and not subject to the vagaries of your ISP filtering? Try
    running the command 'netstat -anptu'.

    Old guy

  16. Re: What is going on with my Dialup?

    [I'm a little late responding...]

    On 2008-07-22, Moe Trin wrote:
    > On Mon, 21 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    > article ,
    > Jim Cochrane wrote:
    >
    >>Thanks, Moe, for the excellent response.
    >>
    >>I guess the situation is a lot less black-and-white than one would be
    >>led to believe by using GRC's port test:

    >
    > I don't know what to think about Mr. Gibson. In the mid-1980s, his
    > 'Spin-Rite' application was useful for setting hard disk interleave
    > ratios. When he got into network security, he seems to have decided
    > to take short-cuts, and ignore the problems those create. His
    > "Shields Up" scanner was pretty much pure hype - initially scanning
    > just _ten_ TCP ports. By mid-2003, it was up to thirteen!!! (21, 23,
    > 25, 79, 80, 110, 113, 135, 139, 143, 443, 445 and 5000). While that
    > might catch some windoze vulnerabilities (didn't know windoze ran a
    > finger daemon), it misses just about everything else. If you run a
    > packet sniffer while getting a scan today, you'll see more ports
    > checked, but still far from complete.
    >
    > You do have to look at the tool you are trying to use. I find that
    > nmap is very useful (I'm told this is what the grc.com port scan is
    > actually using), but you have to read the large amount of documentation
    > that comes with it to get the best results.
    >
    >>You're one of those rare persons from whose posts people can actually
    >>gain good, detailed knowledge, rather than just reading opinions with
    >>perhaps a little bit of data to back them up.

    >
    > Yeah, I do tend to get long winded at times. Thanks!
    >
    > Old guy


    Maybe so sometimes, but your long-winded posts tend to be full of good/useful
    information. :-)

    --


  17. Re: What is going on with my Dialup?

    Jim Cochrane wrote:
    > [I'm a little late responding...]
    >
    > On 2008-07-22, Moe Trin wrote:
    >> On Mon, 21 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
    >> article ,
    >> Jim Cochrane wrote:
    >>
    >>>Thanks, Moe, for the excellent response.
    >>>
    >>>I guess the situation is a lot less black-and-white than one would be
    >>>led to believe by using GRC's port test:

    >>
    >> I don't know what to think about Mr. Gibson. In the mid-1980s, his
    >> 'Spin-Rite' application was useful for setting hard disk interleave
    >> ratios. When he got into network security, he seems to have decided
    >> to take short-cuts, and ignore the problems those create. His
    >> "Shields Up" scanner was pretty much pure hype - initially scanning
    >> just _ten_ TCP ports. By mid-2003, it was up to thirteen!!! (21, 23,
    >> 25, 79, 80, 110, 113, 135, 139, 143, 443, 445 and 5000). While that
    >> might catch some windoze vulnerabilities (didn't know windoze ran a
    >> finger daemon), it misses just about everything else. If you run a
    >> packet sniffer while getting a scan today, you'll see more ports
    >> checked, but still far from complete.
    >>
    >> You do have to look at the tool you are trying to use. I find that
    >> nmap is very useful (I'm told this is what the grc.com port scan is
    >> actually using), but you have to read the large amount of documentation
    >> that comes with it to get the best results.
    >>
    >>>You're one of those rare persons from whose posts people can actually
    >>>gain good, detailed knowledge, rather than just reading opinions with
    >>>perhaps a little bit of data to back them up.

    >>
    >> Yeah, I do tend to get long winded at times. Thanks!
    >>
    >> Old guy

    >
    > Maybe so sometimes, but your long-winded posts tend to be full of good/useful
    > information. :-)
    >


    Ditto... I find myself saving a lot of what you post to refer back to
    down the road.
    I'm glad I followed a post from over a.o.l.u and found you here.
    Is this group new? Only see posts from a month back.

  18. Re: What is going on with my Dialup?

    On Mon, 04 Aug 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article <4yOlk.20514$N87.8769@nlpi068.nbdc.sbc.com>, clay wrote:

    >Ditto... I find myself saving a lot of what you post to refer back to
    >down the road.


    Flattery will get you nowhere ;-)

    >Is this group new? Only see posts from a month back.


    Not by a _long_ shot. The headers of the article I'm replying to show

    Xref: number1.nntp.dca.giganews.com comp.os.linux.networking:484936

    while a post in a.o.l.u I replied to yesterday had

    Xref: number1.nntp.dca.giganews.com alt.os.linux.ubuntu:78914

    The number on the end is sequential - incremented for each article that
    a news server has in a specific newsgroup. Thus, the giganews server
    has seen about 79,000 articles in a.o.l.ubuntu since the group was
    created in November 2005. This group (c.o.l.n) has seen around 485,000
    articles since it was created in December 1994. This is one of 17
    Linux newsgroups in the official "Big Eight" hierarchy:

    [compton ~]$ zgrep linux big.8.list.07.15.08.gz | cut -f1 | column
    comp.os.linux.advocacy comp.os.linux.misc
    comp.os.linux.alpha comp.os.linux.networking
    comp.os.linux.announce comp.os.linux.portable
    comp.os.linux.answers comp.os.linux.powerpc
    comp.os.linux.development.apps comp.os.linux.security
    comp.os.linux.development.system comp.os.linux.setup
    comp.os.linux.embedded comp.os.linux.x
    comp.os.linux.hardware comp.os.linux.xbox
    comp.os.linux.m68k
    [compton ~]$

    and these groups should be carried by every news server. There is
    _also_ a large bunch of other groups in the 'alt.*' hierarchy, and there
    may be a huge number that merely include the string 'linux' in the name:

    [compton ~]$ grep -c ^alt.*linux .newsrc
    95
    [compton ~]$ grep -c linux .newsrc
    1159
    [compton ~]$

    The problem with these groups is that they are unofficial, and are
    carried at the whim of the individual news server administrator. The
    recent fiasco with the New York Attorney General "negotiating" with
    several ISPs to remove ~80 child-pr0n groups from the 'alt.binar*'
    groups illustrates this, as several dropped all 'alt.*' groups, while
    at least one eliminated Usenet entirely.

    As for how many posts you see, that is a function of the storage space
    available on the news server, and how many articles your news reader
    is configured to read. A quick check at giganews shows 65687 articles
    _claimed_ to be available in comp.os.linux.networking, which would be
    about 5 years worth of posts (if my logs are to be believed). I haven't
    checked this claim. A month back in this group is about 510 articles
    which seems to be a low number for a commercial news server.

    Old guy

  19. Re: What is going on with my Dialup?

    Moe Trin wrote:
    > On Mon, 04 Aug 2008, in the Usenet newsgroup comp.os.linux.networking, in
    > article <4yOlk.20514$N87.8769@nlpi068.nbdc.sbc.com>, clay wrote:
    >
    >>Ditto... I find myself saving a lot of what you post to refer back to
    >>down the road.

    >
    > Flattery will get you nowhere ;-)
    >
    >>Is this group new? Only see posts from a month back.

    >
    > Not by a _long_ shot. The headers of the article I'm replying to show
    >
    > Xref: number1.nntp.dca.giganews.com comp.os.linux.networking:484936
    >
    > while a post in a.o.l.u I replied to yesterday had
    >
    > Xref: number1.nntp.dca.giganews.com alt.os.linux.ubuntu:78914
    >
    > The number on the end is sequential - incremented for each article that
    > a news server has in a specific newsgroup. Thus, the giganews server
    > has seen about 79,000 articles in a.o.l.ubuntu since the group was
    > created in November 2005. This group (c.o.l.n) has seen around 485,000
    > articles since it was created in December 1994. This is one of 17
    > Linux newsgroups in the official "Big Eight" hierarchy:
    >
    > [compton ~]$ zgrep linux big.8.list.07.15.08.gz | cut -f1 | column
    > comp.os.linux.advocacy comp.os.linux.misc
    > comp.os.linux.alpha comp.os.linux.networking
    > comp.os.linux.announce comp.os.linux.portable
    > comp.os.linux.answers comp.os.linux.powerpc
    > comp.os.linux.development.apps comp.os.linux.security
    > comp.os.linux.development.system comp.os.linux.setup
    > comp.os.linux.embedded comp.os.linux.x
    > comp.os.linux.hardware comp.os.linux.xbox
    > comp.os.linux.m68k
    > [compton ~]$
    >
    > and these groups should be carried by every news server. There is
    > _also_ a large bunch of other groups in the 'alt.*' hierarchy, and there
    > may be a huge number that merely include the string 'linux' in the name:
    >
    > [compton ~]$ grep -c ^alt.*linux .newsrc
    > 95
    > [compton ~]$ grep -c linux .newsrc
    > 1159
    > [compton ~]$
    >
    > The problem with these groups is that they are unofficial, and are
    > carried at the whim of the individual news server administrator. The
    > recent fiasco with the New York Attorney General "negotiating" with
    > several ISPs to remove ~80 child-pr0n groups from the 'alt.binar*'
    > groups illustrates this, as several dropped all 'alt.*' groups, while
    > at least one eliminated Usenet entirely.
    >
    > As for how many posts you see, that is a function of the storage space
    > available on the news server, and how many articles your news reader
    > is configured to read. A quick check at giganews shows 65687 articles
    > _claimed_ to be available in comp.os.linux.networking, which would be
    > about 5 years worth of posts (if my logs are to be believed). I haven't
    > checked this claim. A month back in this group is about 510 articles
    > which seems to be a low number for a commercial news server.
    >
    > Old guy


    Ok, so I knew it was a silly question/observation when I made it.
    TB showed ~ a half million posts:
    comp.os.linux.networking: 1-499837
    Apparently (whoever) my ISP (is contracting with) feels compelled to
    retain even less of this group than a.o.l.u. Over two months over there,
    ~two weeks here... And they've dropped the binary groups too.
    Well, I'm glad I stumbled in. Learned more about ports in the last day
    than since I've been playing with these computer things.
    Tried netstat -anptu as soon as I got home last night, curious to see who's
    peeking in. Got a page of stuff. Mostly my two boxes chatting with
    themselves or each other. Thunderbird and ssh listening and that's about it.
    Now to rtfm and learn what it all means.
    Stay well.

+ Reply to Thread