Monday, April 24, 2006

A Technical Query - any Techies Out There ?

In the happy steam-powered days of the 56k modem, you'd occasionally double-click the connection icon to see how many bytes you'd sent and received. You might find you'd sent a few 10s of K, and retrieved a few meg over an hour or so.

Not so since broadband.

I use a firewall (ZoneAlarm basic), Panda antivirus, Spybot monitoring the Windows config. Win2000 with service packs, IE6 with updates.

BT Voyager 205 ADSL router (I haven't tweaked this in any way, including the default password - should I ?)

Router goes to a Netgear switch and from there to three PCs.

For this and the previous post I've fired up the box, checked BBC news, searched my blog for the Falconer link, Google image search and Blogger. Connected for 18 minutes, received 2.5 meg, sent - a staggering 958K - nearly a meg for visits to 4 websites plus Google.

What on earth is all this data - and where the hell's it going ?


Pants said...

A lot of things have changed since the golden age of 56k dialup.

These days our operating systems and installed applications are all expecting an internet connection. Internet Explorer sends more information to the websites you visit than ever before, applications are checking for updates, Windows itself likes to "phone home" regularly to Microsoft to report who knows what information about your PC, and my personal fear is that despite anti-virus software and Spybot my PC is host to viruses reporting all my keystrokes to cyber-criminals.

Still....almost 1 MB sent does seem a bit steep!

AntiCitizenOne said...

It could be that "Automatic Updates" is installing some patches. You should change AU so it always asks you before downloading.

Instead of connecting via a USB ADSL modem I always advise people to use an ADSL modem router and this has a built-in firewall (well, NAT).

Laban said...

Any way of finding out where the data's going? In other words 100K to this IP address, 400K to that one, etc?

john said...

I assume that ZoneAlarm has logs - check those. Then get a router/firewall appliance. (The thought of my PC running Windows 2000 out there directly connected to the internet is too horrible to imagine.)

AntiCitizenOne said...

opening the command prompt and then typing ipconfig /displaydns

John-Paul said...

Download Ethereal packet tracer and watch what's happening.
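For the per-address breakdown asked about above ("100K to this IP address, 400K to that one"), here is an added example that is not part of the original comments: it reads a classic libpcap-format capture file, the kind a packet sniffer such as Ethereal can save, and totals the bytes sent to each remote address. The LAN range 192.168.1.0/24, the function names and the sample capture are assumptions made for illustration.

```python
import ipaddress
import struct
from collections import Counter

def bytes_sent_by_destination(pcap, lan="192.168.1.0/24"):
    """Sum on-the-wire bytes per remote IPv4 address for frames leaving the LAN."""
    lan_net = ipaddress.ip_network(lan)  # assumed home LAN range
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, pos = Counter(), 24
    while pos + 16 <= len(pcap):
        # Per-packet record header: ts_sec, ts_usec, captured length, original length
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if src in lan_net and dst not in lan_net:
            totals[str(dst)] += orig_len
    return totals.most_common()  # biggest destination first

def make_frame(src, dst, payload_len):
    """Build a constructed Ethernet+IPv4 frame (zeroed MACs, checksum and payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample capture; the remote addresses are documentation ranges.
SAMPLE = make_pcap([
    make_frame("192.168.1.2", "192.0.2.10", 1000),   # outbound
    make_frame("192.0.2.10", "192.168.1.2", 1400),   # inbound, not counted
    make_frame("192.168.1.2", "198.51.100.7", 100),  # outbound
    make_frame("192.168.1.2", "192.0.2.10", 500),    # outbound
    make_frame("192.168.1.2", "192.168.1.3", 200),   # LAN to LAN, not counted
])

if __name__ == "__main__":
    for ip, sent in bytes_sent_by_destination(SAMPLE):
        print(f"{ip:15} {sent:>8} bytes sent")
```

An unexpectedly large total to an address you don't recognise is the thing to chase up in the firewall logs.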

Anonymous said...

Another possibility is that your system has been compromised and is being used as part of a "bot network" to send out spam.

"BT Voyager 205 ADSL router (I haven't tweaked this in any way, including the default password - should I ?)"

You should ALWAYS change the default password.

Anonymous said...

Stick with dial up .... like we do at FM Towers! Can't expect broadband down on the farm - whatever next? They will be paying us for doing nothing with the land!


P. Froward said...

You didn't change the default password?!

That was a bad idea.

In a well-known experiment, some security people tried connecting unprotected Windows boxes to the internet, to see how long it would take them to be compromised. The average was sixteen minutes. That was a year and a half ago; it's probably worse now. If the router's still got the default password, you're unprotected, and you're up to your earlobes in malware. You might start with this and this. If you want to spend money, get Norton Antivirus or McAfee or some other "big name".

Don't ever trust free anti-virus or malware removal software unless it is from a very large, well-known, and slow-moving legal target like Microsoft or Norton. The fly-by-night types may be malware themselves. See this article; it'll give you a sense of the proper frame of mind for thinking realistically about data security: Namely, morbid paranoia. The author's a very sharp guy.

This looks helpful, too. Never forget: They really are out to get you. No joke.

Anonymous said...

I had exactly the same problem, connected my windoze 2000 box to the Wibbly Wobbly Web via an ADSL Modem, never again... Apart from the system sending out more data than it received, every two minutes it would process an incoming RPC packet which, quite effectively mind, halted the system. WTF?

You can get more detailed information by using 'netstat -e -s', although the info is of limited -practical- use...

Most of the traffic sent is probably NetBios, useless on an internet connection. Try removing 'file and printer sharing for microsoft networks' from the 'connection items' list for the adsl modem connection, but leave it in for any other network cards you may have.

I'd also recommend you change your ADSL modem to one that incorporates a router and firewall, and change the default password (write it down 'cos you will forget it...). The firewall will block a lot more unwanted traffic in addition to NetBios.

Set ZoneAlarm so that 'programs must ask for internet access' and deny access to any suspiciously named ones; most programs / services are just being nosey and blocking them will stifle the chatter. You'll need to do this on all the PCs connected to the router switch ports.

Windows 2000/XP is very 'chatty'; there are a number of system services, protocols and applications which give away all kinds of information useful to hackerz, hijackers, spammers, ad companies, id thieves...

Securing your intranet depends a lot on the network configuration, network use and how far you want to go. For example, create a folder for sharing network files, rather than share the entire C: drive. If you append a dollar sign to the end of the Share Name that folder will not be listed when you browse the network with Explorer; you will need to map a drive instead and for that you need to know the exact folder name.

I use a Linksys wireless router with firewall, access controlled by MAC address (WEP is a right pain unless all the wireless adapters are the same make). Intranet access is 'secured' by an Active Domain Domain Controller. Every PC has ZoneAlarm and AVG antivirus, plus a couple of other tricks...