Virus Attack

Hello, :smiley:
I have a sign of infection in my network. The infected computers send packets to port 445, thereby consuming all my upload. My ARP is set to reply-only. I disabled the ARP entries of the infected systems and dropped packets to port 455. But that did not solve the problem.
How can I stop the constant upload from the computers?

You definitely can stop the virus - this is a known MS virus.

do this:

/ip firewall rule forward
add dst-port=445 protocol=tcp action=drop
add dst-port=445 protocol=udp action=drop
add dst-port=135-139 protocol=tcp action=drop
add dst-port=135-139 protocol=udp action=drop

on all routers, the closer to the infected client the better. This will stop ALL Microsoft NetBIOS-based viruses. Of course, inform the infected client about the infection and ask him to clear it up.

bye, mp3turbo.

If it's a wireless client, it's still going to have a serious effect on the AP they are connected to, because it's going to consume valuable bandwidth before the router gets a chance to drop the packets. Viruses, ping floods, those kinds of things can quickly cripple an AP.

At least in our case, when we find a client doing something like this, I disable their connection completely via the wireless access table and give them a call. Once they've confirmed they've found and cleaned up the infected machine, then and only then do I let them back online.

Check demo.mt.lv for firewall rules. There are a lot of rules for worms.

Maxi

I am having the same issue…

The WiFi link is being compromised because the packets have to travel all the way back to the router before they are dropped.

How can a cable or DSL provider not have this problem?

What is their trick? I am not trying to become an AV salesman…

They have the problem also; they just have more of a bandwidth buffer to absorb it, usually.

You are all right, I stated:

on all routers, the closer to infected client the better.

in my post. "The closer to the client the better" means that the best solution is on the client's side, before the traffic gets into the radio (of course) - this requires that you have control over the client's system. If they use dumb APs or clients without management features, you're stuck.

Note I also said on ALL ROUTERS. Stopping the virus on your most external router is not going to help you too much, because the virus could and will run through your network, infect the next clients and elevate the problem etc. etc.

bye, mp3turbo.

Thanks for your response. I have added the firewall entry and the spoofing still persisted. Is there a way I can block or reduce upload to the router from the infected computer?
Have a nice day.

Yes, definitely - use /queue simple:

/queue simple
add name="infected-customer" target-address=a.b.c.d/32 limit-at=30000/30000 max-limit=52000/52000


this will give the customer:

a) GUARANTEED download 30000 bits/s = 30kbit/s = speed of analog modem
b) GUARANTEED upload 30000 bits/s = 30kbit/s = speed of analog modem
c) MAXIMUM download 52000 bits/s = 52kbit/s = speed of fast analog modem
d) MAXIMUM upload 52000 bits/s = 52kbit/s = speed of fast analog modem

He can have as many viruses as he can imagine; this will limit him. No questions asked, no exceptions.

Do this on the router as close to the customer as possible. If you limit him on your most outer router (closest to the real Internet), you still give this infected customer the chance to spread viruses on your network at FULL SPEED.

bye, mp3turbo.

By stopping this at the infected computer: the infected computer will keep sending as long as the gateway's MAC address is in the gateway's ARP table.
Also, blocking ports TCP 135 + 445 plus UDP 137-139 will block most infections from occurring in the first place. However, if you have designed a flat network it is just a matter of time before all will be infected (i.e. someone brings in an infected laptop etc.).

As long as there are no infected computers on the network I don't want to limit the upload speed of my customers. BUT if there is ANY virus-generated traffic on the network I want to block its traffic. So I would like to automate this process.

What I need is a script that checks the amount of incoming packets within a period of time on a specified WiFi interface. If this value exceeds a specified value it's quite sure that a virus is active on the specified subnet. If this script sends an email (>>SMS) I can be sure that 20 of our customers won't suffer just because one of our customers has a virus. Is any script like that available?

Not that I know of.
Personally I always shape bandwidth both ways, as most of my customers' customers use P2P software 24/7.

OK, that's all right, BUT: if these customers send out SYN/any packets (these packets are small, so the number of packets can be high even with low BW), that shaped BW is too high for a virus.

I wouldn't care about viruses if I shaped my users' BW to 20-30kbit/s outgoing, but for a customer it's unacceptable.

Do us all a favor and disconnect that zombie machine from the internet 100%. Do not allow them to even connect until they have cleaned up their machine. Allowing a zombie machine to port scan and infect more computers while you know about it could put your business at risk; it's somewhat like watching a burglar break into people's houses over and over and not reporting it.

If you know the source IP of these zombies, then disconnect them from access to the internet. If you wish, then set up a redirect to port 80 on a machine somewhere on your network telling them of the violation and that they have to clean up before they get reconnected.

The FTC has finally started to talk to ISPs about this very thing. A zombie = TONS OF SPAM. Please block them.

Sam

What is the best way to actually track down who the "zombie" is?
I know that I have several on my network and I would love to just pull the plug on them, but we aren't sure how to track them down.
If you have some ideas, let me know and I will get them shut down.. :slight_smile:
It would be my pleasure to eliminate them from our network!!!

Nate

A few signs might be clients scanning tons of machines on ports 137-139 (going outbound), port 445, or other known vulnerability ports. Zombies (computers that are part of a botnet) usually get infected themselves and then turn around and try to use the same exploit on many others. Once infected, they usually will always be trying to find an IRC server on TCP ports 6667-6670 to talk to their master. Using the packet sniffer or torch in MT will help you track these down. Also, installing a snort machine alongside your gateway would help automate all of the detection.

If you find an IP address that is zombified on your internal network, you can just block that IP address from connecting outbound by placing a firewall rule on the forward chain. Once they've cleaned up their machine, allow them back out. If they are using DHCP you might want to block their MAC address instead. There is a lot more that I didn't cover; however, the basic goal is to keep these zombies from causing any damage to others.

Sam
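The two indicators Sam lists above (one host sweeping many destinations on the NetBIOS/SMB ports, and outbound connections to the classic IRC ports) can be turned into a simple detector. The following is an added example, not code from the thread or from MikroTik: it runs the heuristic over a constructed list of outbound flow records, the kind of per-connection summary you would get from torch, the packet sniffer, or a NetFlow/snort feed. The `Flow` record, the port sets and the threshold are assumptions for illustration.

```python
"""Heuristic zombie/worm detection over outbound flow records.

Flags hosts that (a) touch many distinct destinations on the Windows
file-sharing ports or (b) connect outbound to the classic IRC ports.
The sample flows below are constructed for illustration only.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Ports the thread associates with NetBIOS/SMB worms and IRC-based botnets
WORM_PORTS = {135, 137, 138, 139, 445}
IRC_PORTS = set(range(6667, 6671))      # tcp 6667-6670


def detect_zombies(flows, scan_threshold=20):
    """Return {src: {"scan_targets": n, "irc_peers": [...]}} for suspects.

    A host is a suspect when it contacts at least scan_threshold distinct
    destinations on WORM_PORTS, or any destination on IRC_PORTS over TCP.
    One SMB session to a local file server stays below the threshold.
    """
    targets = defaultdict(set)   # src -> distinct dsts hit on worm ports
    irc = defaultdict(set)       # src -> "dst:port" IRC peers
    for f in flows:
        if f.dport in WORM_PORTS:
            targets[f.src].add(f.dst)
        if f.proto == "tcp" and f.dport in IRC_PORTS:
            irc[f.src].add(f"{f.dst}:{f.dport}")

    suspects = {}
    for src in set(targets) | set(irc):
        n = len(targets[src])
        peers = sorted(irc[src])
        if n >= scan_threshold or peers:
            suspects[src] = {"scan_targets": n, "irc_peers": peers}
    return suspects


def sample_flows():
    """Constructed sample: 10.1.1.50 sweeps a /24 on tcp/445, 10.1.1.77
    checks in with an IRC C2, 10.1.1.10 is a normal client."""
    flows = []
    # worm-like sweep: one SYN per host in 10.1.2.0/24 on tcp/445
    for i in range(1, 41):
        flows.append(Flow("10.1.1.50", f"10.1.2.{i}", "tcp", 445))
    # a few NetBIOS name queries to the same hosts
    for i in range(1, 6):
        flows.append(Flow("10.1.1.50", f"10.1.2.{i}", "udp", 137))
    # bot talking to its master on IRC
    flows.append(Flow("10.1.1.77", "203.0.113.9", "tcp", 6667))
    # legitimate traffic: web, TLS, one SMB session to a local file server
    flows.append(Flow("10.1.1.10", "198.51.100.5", "tcp", 80))
    flows.append(Flow("10.1.1.10", "198.51.100.6", "tcp", 443))
    flows.append(Flow("10.1.1.10", "10.1.1.2", "tcp", 445))
    return flows


if __name__ == "__main__":
    for src, info in sorted(detect_zombies(sample_flows()).items()):
        print(src, info)
```

The threshold is what keeps a normal client with one or two SMB sessions off the list; tune it to your subnet size and window length, and pair each hit with the MAC address from the DHCP lease table before blocking, as Sam suggests, so the block survives an address change.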

I am aware of the problems with viruses. PPS count is everything.

We block these things at the CPE. MS file sharing is denied by default and only opened for the few that request it. Generally we do not allow it except for certain customers that are willing to agree to the extra responsibility of monitoring their use very closely. We generally discourage use of LAN protocols on the internet and often refer to VPNs.

Also, we use automatic home-grown tools and scripts to detect such behaviour.
Support people get an e-mail and can then call the customer to help them.
If the support people are polite then the customers -love- this kind of personal service. We already have a written package that they can get on the website or by e-mail for information on the virii.

Could you share these scripts? I'd need only a script to detect a high packet count per interface per period of time…

I really do not want to, considering they are a part of our MT-based products.

However, I can tell you that if you use:
/ interface monitor-traffic
you can easily achieve your own with a little bit of scripting. Try:
/ interface monitor-traffic ether1 do={ :environment print }
And you will see the environment variables available to monitor.

sten
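The request earlier in the thread (a script that watches incoming packets per period on a WiFi interface and mails out when a value is exceeded) and sten's hint about the per-interface counters from /interface monitor-traffic come down to the same piece of logic: sample a packet-per-second counter, require the rate to stay high for several samples so a single burst does not page anyone, and fire once per episode. The block below is an added example in Python, not a script from the thread or from sten's product; the samples are constructed, and on a real router they would be read from the router's per-second counters (the feed mechanism is assumed, not shown). Function and parameter names are illustrative.

```python
"""Alert when an interface sustains a high inbound packet rate.

Designed for the use case in the thread: one infected client behind a
WiFi interface pushing thousands of small SYN/NetBIOS packets per second.
Samples below are constructed; a real deployment would feed the per-second
rx packet counter of each interface into sustained_pps_alerts().
"""
from collections import defaultdict, deque


def sustained_pps_alerts(samples, threshold_pps, window=5, min_hits=3):
    """Return one alert per episode in which an interface's inbound rate
    exceeds threshold_pps in at least min_hits of its last `window` samples.

    samples: iterable of (t, iface, rx_pps), in time order.
    Each alert is (t, iface, peak_pps, hits).

    Requiring several hits within the window filters the one-second
    bursts normal clients also produce; an interface is re-armed only
    after a full window of quiet, so a long-running infection produces
    a single e-mail rather than one per second.
    """
    recent = defaultdict(lambda: deque(maxlen=window))
    armed = defaultdict(lambda: True)
    alerts = []
    for t, iface, pps in samples:
        q = recent[iface]
        q.append(pps)
        hits = sum(1 for v in q if v > threshold_pps)
        if hits >= min_hits and armed[iface]:
            alerts.append((t, iface, max(q), hits))
            armed[iface] = False
        elif hits == 0:
            armed[iface] = True
    return alerts


def alert_message(alert):
    """Body for the e-mail/SMS the poster wanted to send."""
    t, iface, peak, hits = alert
    return (f"t={t}: {iface} over the packet-rate threshold in {hits} recent "
            f"samples (peak {peak} pkt/s inbound); probable worm or scan on "
            f"that subnet")


def sample_counters():
    """Constructed per-second rx packet rates for two WiFi interfaces:
    wlan1 is quiet apart from one burst, wlan2 has an infected client
    that goes quiet for a few seconds and then resumes."""
    quiet = [(t, "wlan1", pps)
             for t, pps in enumerate([120, 140, 900, 130, 110, 150])]
    infected = [(t, "wlan2", pps)
                for t, pps in enumerate([200, 2500, 2600, 2800, 2700,
                                         300, 250, 220, 240, 260,
                                         2900, 2950, 2800])]
    return sorted(quiet + infected)


if __name__ == "__main__":
    for a in sustained_pps_alerts(sample_counters(), threshold_pps=800):
        print(alert_message(a))
```

With the default settings the single 900 pkt/s burst on wlan1 is ignored, while wlan2 produces exactly two alerts: one when the infected client first sustains the rate and a second after it has been quiet long enough to re-arm. Drop `min_hits` to 1 and the wlan1 burst pages you too, which is the trade-off sten's counter-based approach leaves to the operator.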

Do you sell your main MT package that includes the scripts you are talking about?

Randy

randy@srsnetworks.net