packet flood problems on isp(dialup)??

[devassoc]

I wonder if anyone has experienced what we are seeing on
a couple of low cost isps?

We see multiple echo request packets from the network...sometimes more than 20 and then port 135 dce endpoint resolution request packets...Our software echos the icmp echo request packets and sends a reset packet to the dce request but it just doesn't shut them off. At times these packets just take all the bandwidth from the connection and we are unable to access pop3 or send mail via smtp. There are also a few igmp group member request packets but they don't seem bothersome(we just ignore these).

We have a third isp that sends echo request packets and when we echo back the packets are not sent again, which I thought should be the behavior...this particular isp does have a problem in that it frequently issues an unreachable icmp packet, which pretty much ends the connection.

Are these isps just totally bogged down? Why are they sending these packets? Is there any solution aside from getting another isp?

Thanks in advance.

 

[kippy13]

Hi,
Port 135 is assocciated with the MSBLAST virus-I am not sure if the problem resides on your side of the network. It would be advisble running an up to date scan on all ur PC's they using a removal tool to remove it then patch the PC so it wont get it again- on the other hand the problem could be at the ISP side-they may have the Blaster somewhere else and it is trying to infect your network. Would be worth advising them that u are having an issue.
Do you have a firewall running? If so it would be useful to close port 135 as its not used for much else.
Let me know how u got on?
JP

 

[MaxPipeline]

Sounds like classic MSBLAST worm situation. Make sure your Windows is completely up to date on patches (windowsupdate.microsoft.com). Also make sure you have good Antivirus software and that it is also completely up to date. If you still see this problem, then it may be coming from your ISP. This could be another user that your ISP has connected that is in turn attempting to infect everyone else on that ISP's network. You should report this immediately to your ISP so that they can isolate the user and block ICMP at the source.

 

[devassoc]

Thanks MaxPipeLine and Kippy13.

I dug a little more into the packet data and I can see
that the stray packets are comming from all over the
western part of the U.S. We are located in So. CA.

In our particular case, which is an embedded application,
windows is not applicable, nor is antivirus. We are at the
mercy of what the isp sends to us...connected via POTS and
dialup...just a standard isp account.

We do filter these packets out but sometimes there are so
many of them that they take all the channels available bandwidth. From both of your comments, I can only attribute that to a misbehaving isp that isn't doing a very good job
of filtering out errant packets.

Thanks again.

 

[kippy13]

I would change ISP if the problem persists as badly as it is now.

"Sometimes I do not know but I try hard"- R.F. Haughty 1923