From: Derek Zeanah
Date: Fri, 31 Oct 2003 13:15:15 -0500
To: Aaron Sloan, freebsd-questions@freebsd.org
Subject: Re: ICMP being blocked by ATT
Message-ID: <3FA2A6B3.3060908@zeanah.com>
In-Reply-To: <00bb01c39f0a$28392970$d3a8a8c0@barney>

>I was chatting with our internet provider who gets their feed from ATT,
>he notified me that they are blocking all ICMP protocols.
>By gosh by golly, I can't ping, tracert, nothing... Is this new?
>Shall I complain?
>

I'm not sure you'll be able to do much.

You remember that last batch of Microsoft RPC worms? There was another that followed it up, supposedly designed to "fix" the vulnerability, but that's questionable. Anyway, this follow-up (called Welchia, among other things) has a nasty habit of causing pingstorms.
It wants to ping the entire IP address space sequentially, from what I can tell, looking for new hosts to try and infect. I've seen one infected machine consume so much bandwidth that no-one else could access the T1, going through each IP sequentially...

Anyway, my ISP (Megapath) shut off ICMP traffic temporarily to make the network usable again; now tracerts coming from outside the network behave as advertised, but anything initiated within the network gets stomped. AT&T is probably doing the same, and I doubt they'll change anything until Welchia runs its course.