News archive 2002 - Koos van den Hout


2002-12-29 Port 137 keeps going

Lately the log of my Linux firewall has become unreadable due to the high
amount of port 137/udp traffic. Traffic rose over 1 packet/minute which is
(was?) somewhat unusual in my 'part of the woods' (an IP block dedicated to
DSL customers of an ISP).

There is only so much room in the kernel message buffer, room which I like
to keep for serious system troubles such as failing disks. At certain times,
the *only* thing in the message buffer was dropped port 137/udp traffic.

So I started asking around.. only to find that more places are seeing the
same rise in traffic, but nobody had a real reason why, and there were no
news reports on the reasons for the increased traffic.

Several reasons exist. Some 'scanners' use this kind of request to find
open machines. Some viruses use this to spread themselves.

An earlier rise was seen in April/May 2000.
SANS describes this in an article, Port 137 scan. They give scanning
activity and a virus named network.vbs as probable reasons for this
traffic.

I captured some of the traffic using tcpdump, giving:

22:03:17.964361 cable.ip.1025 > my.dsl.ip.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x100
OpCode=0
NmFlags=0x1
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=* NameType=0x00 (Workstation)
QuestionType=0x21
QuestionClass=0x1

(ttl 111, id 62037, len 78)

For comparison, doing an 'nmblookup -A' gives this traffic:

22:00:07.416647 unix.machine.34098 > my.dsl.ip.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0x5EC7
OpCode=0
NmFlags=0x0
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=* NameType=0x00 (Workstation)
QuestionType=0x21
QuestionClass=0x1

(DF) (ttl 245, id 29589, len 78)

The only differences are that the Unix nmblookup sets the DF bit and
that nmblookup chooses a less obvious Transaction ID (TrnID=0x5EC7 against
the scanner's TrnID=0x100); the query itself is the same node status request.
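As an added example (not code from the original post): a small Python decoder for the NBNS packets tcpdump printed above. It rebuilds both captured queries from the dissected fields and shows that only the broadcast bit and the transaction id separate the scanner's probe from the nmblookup one.

```python
"""Decoder for the NetBIOS Name Service (NBNS, udp/137) queries tcpdump
printed above. Added example, not code from the original post; the two
packets at the bottom are reconstructed from the captures for testing."""
import struct

NAME_TYPES = {0x00: "Workstation", 0x03: "Messenger", 0x20: "File Server",
              0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
              0x1D: "Master Browser"}

def encode_nb_name(name, name_type=0x00):
    """RFC 1001 first-level encoding: 15 name bytes plus one type byte, each
    split into two nibbles written as the letters 'A'..'P'. The wildcard '*'
    is NUL-padded (node status query); ordinary names are space-padded."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.encode("ascii").ljust(15, pad) + bytes([name_type])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + enc + b"\x00"          # label length 32, label, root

def decode_nb_name(data, off):
    """Inverse of encode_nb_name; returns (name, name_type, next_offset)."""
    if data[off] != 32 or data[off + 33] != 0:
        raise ValueError("not a single 32-byte NetBIOS label")
    enc = data[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii", "replace")
    return name, raw[15], off + 34

def parse_nbns(payload):
    """Parse the 12-byte NBNS header (same layout as DNS) and its questions."""
    trn_id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    pkt = {"trn_id": trn_id,
           "response": bool(flags & 0x8000),
           "opcode": (flags >> 11) & 0x0F,
           "nm_flags": (flags >> 4) & 0x7F,    # AA TC RD RA 0 0 B
           "broadcast": bool(flags & 0x0010),  # the B bit the scanner sets
           "rcode": flags & 0x000F,
           "counts": (qd, an, ns, ar), "questions": []}
    off = 12
    for _ in range(qd):
        name, ntype, off = decode_nb_name(payload, off)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        pkt["questions"].append({"name": name, "name_type": ntype,
                                 "name_type_desc": NAME_TYPES.get(ntype, "?"),
                                 "qtype": qtype, "qclass": qclass})
    return pkt

def is_node_status_probe(pkt):
    """True for the 'NBSTAT *' request (QuestionType 0x21, name '*') that
    both the scanner and 'nmblookup -A' send; only the B bit and the
    transaction id tell the two apart."""
    return (not pkt["response"] and pkt["opcode"] == 0 and
            any(q["qtype"] == 0x21 and q["name"] == "*"
                for q in pkt["questions"]))

def build_node_status_query(trn_id, broadcast):
    """50-byte UDP payload; with 20 IP + 8 UDP header bytes this is the
    'len 78' tcpdump reports. Constructed test input."""
    flags = 0x0010 if broadcast else 0x0000
    return (struct.pack("!6H", trn_id, flags, 1, 0, 0, 0)
            + encode_nb_name("*") + struct.pack("!HH", 0x21, 1))

SCANNER_PROBE = build_node_status_query(0x100, broadcast=True)     # cable.ip.1025
NMBLOOKUP_PROBE = build_node_status_query(0x5EC7, broadcast=False)  # nmblookup -A
```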


2002-12-13 reply to ISPs and filesharing contents
I sent the same text I wrote in my previous piece on
ISPs and filesharing contents in a mail to the SANS editor.

After more than a week, I got a reply, which in its entirety was:


It really all boils down to whether organizations and individuals take
copyrights seriously. It appears that you do not. I do....


I would have expected a better thought-out reply from someone who gets to
write in the role of SANS newsletter editor.


2002-12-09
HP printers with 'Internet ready' overdo the 'Internet ready' bit since anyone with port 80 access to the printer can change the configuration, even when an access-list has been set using the jetdirect config file. Set an administrator password and firewall the printer.

2002-12-07
I have a public webcam running again giving you the view outside my living room window. Need to fix the problem with light in the evening .. good optical cardboard is hard to find (optical cardboard is very very black).

2002-12-04 ISPs and filesharing contents
Reply to SANS NewsBites Vol. 4 Num. 49 article/editorial comment

Quoting The SANS Institute who wrote on Wed, Dec 04, 2002 at 08:25:37AM -0700:

> --26 November 2002 ISPs May Limit Bandwidth Consumption
> Some high speed ISPs are considering placing limits on the amount of
> bandwidth their customers may consume each month. If they decide
> to do it, it could significantly curtail file-swapping activity,
> which makes up a large portion of network traffic.
> http://news.com.com/2100-1023-975320.html

> [Editor's Note (Schultz): Peer-to-peer file sharing not only consumes
> a great amount of network bandwidth, but it also often involves
> illegal downloading of copyrighted materials. One would think that
> ISPs would realize this and take measures to preclude such activity.

In my opinion, an ISP should not police the *content* of what you do with
your Internet connection. Who is the ISP to decide that any connection
made by the user is bad?

File sharing as such does not damage the Internet. Part (yes, a large part)
of what is offered is not legal to share, according to the normal laws of
the countries the ISP's clients are in. Those laws should apply. If a district
attorney or a judge orders a user disconnected for breaking the law, the ISP
should disconnect that user. The ISP should not police the content of what
its users do on its own initiative. The user can then appeal this decision
through the normal channels of justice.

Your comment seems to suggest thinking along the lines of (like the RIAA)
'since filesharing can be and is abused for transferring content which has
copyrights applied, all filesharing must be forbidden'. This is the same
line of thinking the RIAA showed in suing mp3.com for making the mp3
format popular, a format which can be used for transferring the contents of
CDs, while mp3.com only offers mp3 format files for which no copyright
violations occur by downloading them.

You might bring up open smtp relays here. Those damage the structures
the Internet is built on.

Technical reasons are a reason not to allow certain types of traffic (such
as traffic seeming to originate from a different IP than your own). But an
ISP should be open and clear about what they filter and why. A change in
filtering should be seen as a change in the offered amount of "Internet",
so it is a change in the contract between ISP and user.

Bytes transferred through an ISP are a finite resource, with a price.
Paying for overuse of this resource is reasonable to me, if the ISP
is clear enough on what they consider 'enough' and 'too many' bytes
transferred. A counter can be kept by both the customer and the ISP to
see when the user is over his limits. This leaves the choice of how important
each of those bytes is with the user, who is responsible for them.

The original article has the order of things right. If people find they
have to be careful with their bandwidth usage, they should use it wisely.
Yes, this might make sharing files a lot less interesting, unless you
have something you really want to spread.

> Where I work someone has developed "KO," the "KaZaA Obliterator,"
> which detects and kills sessions involving use of KaZaA and other
> peer-to-peer file sharing programs altogether.

Work is a different place. At work, management can set rules on what can

> (Shpantzer): One company working on the P2P bandwidth issue
> claims that these applications hog as much as 60% of bandwidth
> on the internet. Also see the link for a University of Chicago
> study of the Gnutella P2P network effects on bandwidth patterns.]
> http://www.theregister.co.uk/content/22/27092.html]

Koos van den Hout
(speaking for himself)


2002-11-23
I am at the HCC days 2002 (as every year) and after some hacking the stand has a webserver with webcam that can be reached from outside. The offers at the HCC fair are disappointing; the fair goodie of the year seems to be the lanyard.

2002-11-07
More pictures on-line and a better framework for it. Categories include random pictures, cat pictures and bridges in Utrecht ('bruggen in Utrecht').

2002-10-28
Yes, I owe several people a report of my Alaska Holiday. I am working on a nice set of webpages, in both English and Dutch. Learning stylesheets and multi-language support in the process.

2002-10-28
Sunday I ended up in a stranded train because of the storm that went over the Netherlands. Besides 4 and a half hours of catching up on my newspapers, I also took some pictures of the surroundings. It is hard to get the idea of storm captured in an image.

2002-10-17
Upgraded my home DSL connection. Note to self: update /etc/ppp/pap-secrets too for the login stuff, otherwise it won't work.

2002-10-11 Truth in DVD advertising wanted

Recently I visited the US and I got exposure to some of the TV there.
Although my primary interest was some of the programming used to fill
the gaps between commercials, I also saw some of the commercials.

Commercials that use even the slightest form of exaggeration in
physical form have tiny letters at the bottom of the screen with
disclaimers such as "Done by professional stuntdrivers on a closed
circuit" or "Screen images were added later".

But commercials for DVDs are different. The commercials say (especially
the ones from Disney, which stuck in my mind for some reason):

"You can now own this movie on DVD!"

This is a blatant lie.

Given the developments in DVD and the direction the "entertainment
industry" is going, the correct text should be:

"You can now buy a revocable license to play this DVD on licensed
equipment in the right region of the world for a limited audience"

Because the DVD will only play on DVD players for which enough DVD
royalties have been paid to get all the DVD player keys.

And DVD player keys can be revoked. The whole thing with DVD 'encryption'
is that there are 400 player keys and that a future DVD can omit the
key of a player (this fact is used to remind DVD player builders to keep
playing by the rules of the DVD consortium).

DVD players have the whole region thing. I'm not going to delve
into that subject any further.

In the Dutch version, the warning at the beginning (the unskippable
part) tells you the DVD can only be watched in a small family circle
("Huiselijke kring"). Presumably you need a different DVD (with a
different price tag) if you want to show it at the sports club.

So, I propose that the advertising of DVDs should be changed to reflect
all this.

Sources:
http://dvddemystified.com/
http://www.eff.org/IP/Video/DVDCCA_case/dvd-bogk.html
http://www.tbtf.com/resource/CSS-Leitner.html

2002-10-03
Family members or people generally looking for the name van den Hout: I now also have the domain names vandenhout.info and vandenhout.com.

2002-09-27 Does pump'n'dump spam really work?
Simply said: yes it does. Limited, but it works.

The long answer:
Sometimes you receive unwanted e-mail (spam) telling you some company will
make a huge stock profit in the next few days because of some breakthrough or
other reason why it will become worth a lot more. It looks like a genuine
stock tip. But you never asked for it. You then ask yourself "what's the
catch".

The catch is that the spam is the reason for the stock profit. The idea of
this spam is to artificially inflate the price of a stock through heavy
trading and then use this to make a profit. The exact story is much better
explained at

http://ga.to/mmf/SpamExplained/Pumpndump.html

so I will not repeat that here.

On December 4th 2001 I got spam about the BTLY stock. I'll repeat the first
bit here:

MAJOR CONTRACT ANNOUNCEMENTS AND HUGE NEWSLETTER COVERAGE THIS WEEK FOR BTLY!

This wednesday, BTLY will be profiled by some major
newsletters along with the release of significant
news regarding explosive sales for the Company.


Sort of "act now, this is a sure winner!".

And then I looked up the symbol on finance.yahoo.com, and got to:

http://finance.yahoo.com/q?s=BTLY.OB&d=c&k=c4&t=5d the 5 day trading and
http://finance.yahoo.com/q?s=BTLY.OB&d=c&k=c4&t=1d the 1 day trading.

(Funny how yahoo likes short url's)

so it looks like it sort-of-worked.

If the perpetrator bought their stock at $0.10 and sold at $0.13 (given the
sharp edges in the graph that sounds reasonable to me, but I'm no
stock-expert) then he/she made a 30% profit.

Later addition: I can't get "historical" charts of a day on Yahoo, but I can
link to historical trading volumes which show that December
4th was a day with exceptional trading.


2002-09-19
I am back in one piece from my travels through the beautiful state of Alaska in the US. I took loads of pictures and made a lot of notes, so more follows.

2002-08-16
I am ready for a holiday. My patience with people is currently a bit below average and I want to get away. Fortunately there are wild holiday plans.

2002-07-31
I bought a CyberDrive scsi cd-rom drive last November (HCC) and kept having termination problems. But no manual. So I got tired and bought a different (faster) drive and searched for technical support pages for the CyberDrive to return it for repairs. Where I found a Technical issues page explaining that 'jumper open' is terminated and 'jumper closed' is not terminated. That was the other way around from what I expected after all other scsi devices with jumpers.

2002-07-30
My first IOS upgrade.. the interesting parts are where an error in the settings leaves the router very much non-booting.

2002-07-26 Deep linking and bandwidth theft
Some sites will go to court because other sites link to pages on their site,
so you can get to interesting bits of the site without clicking through
loads of index pages with all their banner ads.
Especially newspaper sites seem to be infected with this disease.

But with the Apache webserver it is perfectly possible to set the rules for
linking to articles on a site without having to look EXTREMELY STUPID
because you need lawyers to avoid links to your site instead of someone
who configures your webserver. Last time I checked, a technician who can
configure special access rules in Apache was still cheaper than a lawyer.

But hey, if you want to become the ridicule of the Internet community,
go ahead. They will have a laugh at your expense and post on places like
Slashdot that you don't "get it".

If you want some opinions on the subject of deep linking, search Google.
Jakob Nielsen has written a good article about deep linking
being good linking. And Jakob Nielsen isn't just another name when it
comes to web usability and user interfaces.

On my other site, The Virtual Bookcase I promote deep linking.
Please link to any book or author on the site, the URLs are made to stay the
same.

This is all about linking to interesting content on your site. There is
a different bit of 'deep linking' which is more commonly known as
'bandwidth theft'.

The first time I had to deal with this was not set up as 'bandwidth
theft', but someone who linked to all kinds of images on my site
from some discussion board to 'get back at me' (I reported a portscan
from an IP unknown to me to the ISP where they decided to kill the
account).

This showed in my web-logs as an interesting new set of external
referrers. So I visited the referring pages and found all kinds of
interesting name-calling.

So.. I dug around the Apache website and found the
Apache mod_rewrite manual, which has special 'cookbook'
entries for cases like this. Using the Apache mod_rewrite module
it's possible to do almost anything based on the URL and the environment
variables. HTTP_REFERER (the referring page the browser reports) is one of those.

So, copying and adapting a cookbook entry from that guide, I got to a
.htaccess file with:

RewriteEngine on

RewriteBase /~koos

# Requests without a referer (typed URLs, some proxies) are left alone
RewriteCond %{HTTP_REFERER} !^$
# ... as are requests coming from this site itself and from Google Images
RewriteCond %{HTTP_REFERER} !^http://idefix.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.idefix.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://images\.google\..*/.*$ [NC]
# Anything else asking for these file types gets a 403 Forbidden
RewriteRule .*\.(jpg|gif|au|wav|mp3)$ - [F]

And that stopped most of the stupidity then. The images will just give a 403
when linked directly from another site, or show up as a broken image when
embedded in a page there.

A few months later I grepped my logs for 403 errors and found that other
places also linked images and never bothered to check the results because
the pages were filled with linked images. So a slight update was needed to
give a bigger hint..

RewriteEngine on

RewriteBase /~koos

# Same exceptions as before: no referer, our own site, Google Images
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://idefix.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.idefix.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://images\.google\..*/.*$ [NC]
# Leave the replacement image itself alone (the rule below would match it
# again on the internal redirect)
RewriteCond %{REQUEST_URI} !/stealing\.gif$
# Serve stealing.gif in place of the hot-linked image, forcing the gif type
# so a .jpg request still shows the animation; L stops rule processing
RewriteRule .*\.(jpg|gif)$ stealing.gif [T=image/gif,L]

'stealing.gif' is an animated gif with the text 'stealing bandwith is lame'.

Looking in the logs, it seems the message is getting through. A bit.


2002-07-24
Debian has released Debian 3.0 (woody) as stable version. Now make all the jokes about 'giving a woody'.

2002-07-17 Renting. That is of course also an option.
The following slogans were rejected for this campaign:

"You were only on the waiting list for 5 years? Well, then you miss out on a house like that."

"How nice that you renovated the kitchen.. now the rent goes up."

"No, that parquet floor has to go.. the place must be handed back in its original state."


2002-07-17
Watch The Virtual Bookcase for new additions in information and some redesign of the pages.

2002-06-19
The Generating Alcatel Speedtouch graphs micro-howto now contains a pointer to the scripts I use so you can build those graphs yourself.

2002-05-01
I installed a new server at home.. and made the webpage about it.

2002-04-18
A new irregular, Spammers and dealing with the aftermath.

2002-04-18 Spammers and dealing with the aftermath
Today I got an e-mail from a guy somewhere "I got this spamcop report and
I'm not really sure what this says.. looks like our webserver is sending
spam!"

So, I logged into that machine, became root (something with old accounts
never getting cleaned up) and looked in the cgi-bin directory for my
favorite web-spamming script:

---------- 1 root other 13559 May 19 1999 FormMail.pl

That's after I did a 'chmod 0 FormMail.pl'. Indeed, that was the culprit
of the webserver starting to spam. After that I tried to get an idea of
the health of the mail-queue. It took the 'mailq' command way too long to
get any idea of the state of the mail-queue, so I did

:/var/spool/mqueue# echo * | wc -w

which came somewhere over 6700. I stopped the mail daemons and tried mailq
again, this time just to get an idea whether there was any legitimate
mail in there (from or to the owners of the machine). There wasn't.
The directory entry for the mail-queue had grown to 300 kilobyte. This on
a Solaris 2.6 machine with UFS which means that that directory entry
is hosed.. or at least very slow. I did an rm -rf on the directory mqueue,
remade it after that was done and restarted the mail system.

After mail was flowing again, I had a look in the web-logs. I decided to get
an idea of the IP numbers using FormMail.

apache/logs(584)# grep FormMail access_log | awk ' { print $1 } ' | sort | uniq -c
2 130.13.117.86
62 161.142.100.81
1 161.142.100.85
62 166.114.127.6
55 194.133.172.118
178 195.39.134.85
70 196.40.23.26
123 202.138.155.4
61 203.227.45.253
64 203.82.192.2
58 206.49.58.75
49 211.6.228.50
3911 212.29.68.133
1139 212.29.74.132
62 212.38.131.225
53 212.38.133.69
64 212.67.117.136
430 213.152.93.3
60 216.120.157.114
55 63.167.108.38

A few nslookups showed me that most of those are not in the DNS.
Interesting. A few hours later I decided to start digging for the
abuse addresses for all those networks to report the abuse. I first
cut out the ones with less than 10 entries and then started finding
the corresponding addresses using whois.arin.net, whois.ripe.net,
whois.apnic.net, whois.nic.ad.jp, whois.krnic.net. I do this kind
of searching so often I have a complete set of aliases just for
doing this work. Now for a smarter whois client that can find the
abuse@ address just given an IP.
The addresses turned out to be in the Middle East (Jordan and
Kuwait), Asia (Japan, Korea, Bangladesh) and something close-by
(cybercomm.nl). The most interesting address was a 'broadband isp'
in Bangladesh giving a hotmail address as contact address.
In the case of the .jp nic I could not get the right name for the
net because it thought the syntax of the query was incorrect. So I
tried to find upstream providers using traceroute in those cases.

So, all abuse addresses got a nice standard mail telling them that
a FormMail script was abused for spamming and that the FormMail
script was now closed but please flog the spammer accordingly.

Now, half an hour after sending all that I have only 6 auto-replies.
And I'm not sure I'll ever hear from some of the smaller ISP's.

Spammers have no problem abusing a small ISP somewhere in a country
they can't even find on a map. They may even have used a proxy at
that ISP or a hacked machine from a totally different location.

Now I have a bill for 2 hours of my time in cleaning up this mess.
Where do I send it ?
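As an added example (not the author's code), one Python triage script for both the mod_rewrite referer rules from the deep linking entry above and the FormMail log check in this entry: it parses Apache combined-format log lines (the sample lines are constructed, not the real logs), reports which image requests the .htaccess rules would refuse, and tallies FormMail sources above the 10-hit cutoff used before the whois round.

```python
"""Apache access_log triage for two of the cases in this archive: image
hot-linking (the mod_rewrite referer rules in the deep-linking entry) and a
FormMail.pl script abused for spamming. Added example, not the author's
code; the sample log lines are constructed."""
import re
from collections import Counter

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
                    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

OWN_SITE = re.compile(r'^http://(www\.)?idefix\.net/', re.I)   # the two idefix.net RewriteConds
GOOGLE_IMAGES = re.compile(r'^http://images\.google\.[^/]*/', re.I)
PROTECTED = re.compile(r'\.(jpg|gif|au|wav|mp3)$', re.I)       # first RewriteRule's pattern

def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def hotlink_verdict(path, referer):
    """Mirror the .htaccess logic: refuse protected files unless the referer is
    empty (RewriteCond !^$), our own site or Google Images. The limits are the
    same as the rules': a client that sends no referer, or a forged one, passes."""
    if not PROTECTED.search(path):
        return "not protected"
    if referer in ("", "-") or OWN_SITE.match(referer) or GOOGLE_IMAGES.match(referer):
        return "allowed"
    return "forbidden"

def hotlinking_referers(lines):
    """Per external referer, count the image requests the rules would refuse;
    a quick way to see who is embedding your images before/after the rules."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if hotlink_verdict(rec["path"], rec["referer"]) == "forbidden":
            hits[rec["referer"]] += 1
    return dict(hits)

def formmail_sources(lines, min_hits=10):
    """grep FormMail access_log | awk '{print $1}' | sort | uniq -c, then drop
    sources below min_hits as the entry above does before the whois round."""
    hits = Counter(rec["ip"] for rec in filter(None, map(parse_line, lines))
                   if "FormMail" in rec["path"])
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def _line(ip, req, referer, when="18/Apr/2002:11:00:00 +0200"):
    """Build one constructed combined-format log line."""
    return '%s - - [%s] "%s HTTP/1.0" 200 512 "%s" "Mozilla/4.0"' % (ip, when, req, referer)

SAMPLE_LOG = (  # constructed sample lines, not the author's logs
    [_line("192.0.2.10", "GET /~koos/pics/cat1.jpg", "http://forum.example/thread?id=7"),
     _line("192.0.2.11", "GET /~koos/pics/cat1.jpg", "http://www.idefix.net/~koos/pics/"),
     _line("192.0.2.12", "GET /~koos/pics/cat2.gif", "-"),
     _line("192.0.2.13", "GET /~koos/pics/cat2.gif", "http://forum.example/thread?id=7"),
     _line("192.0.2.14", "GET /~koos/index.html", "http://forum.example/thread?id=7")]
    + [_line("198.51.100.7", "POST /cgi-bin/FormMail.pl", "-")] * 12
    + [_line("203.0.113.9", "POST /cgi-bin/FormMail.pl", "-")])
```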


2002-04-17
More eighties nostalgia.. [Link expired] Rinkeldekinkel online.

2002-04-10
If your webserver serves .zip files or other binary stuff, it might get 'attacked' when visitors use a so-called 'download manager' acting quite antisocial and opening a lot of connections at once (leaving no slots for other visitors). Fixed this on one popular server by installing mod_limitipconn.c for Apache. Net result: more outgoing traffic.

2002-03-31
THE ELECTRONIC INTIFADA will equip you to challenge myth, distortion and spin in the media in an informed way, enabling you to effect positive changes in media coverage of the Palestinians and the Israeli-Palestinian Conflict.

2002-03-30
Things to do in Utrecht when you are bored: use a stopwatch to time how long you wait at a traffic light on your bike. Waited 56 seconds, of which only 5 seconds were needed because of other traffic; the rest seemed to be there to keep cyclists from getting away faster than the cars.

2002-03-27
Back from a visit to Spain. Great weather, beautiful nature, great people and a very impressive Sagrada Familia.

2002-03-21
The lyrics to the International friendship song aren't available online but I'll sing it anyway for national and international friends.

2002-03-19
Interesting experiences in Sony vaio notebook (non) support.

2002-03-13
You can visit Frank the cat [Link expired] who is recovering from a broken pelvis and has his own webcam (awwwwww).

2002-03-08
Amazon makes a profit, Slashdot starts subscriptions and now Microsoft advertises on Slashdot. What is happening to this world?

2002-03-06
Measuring mainboard temperature using lm_sensors .. this is what happens when the system load goes to 100% (running rc5).

2002-02-22
A rather different idefix than idefix.net.

2002-02-22
A bunch of pictures titled Chasing the sunset.

2002-02-08
The Netgear RT314 router now works with the Terayon cablemodem (as mentioned before) .. Terayon wised up?

2002-02-03
Back from wintersport holiday in Flaine (France). I enjoyed it.. took snowboarding lessons which improved my snowboarding.

2002-01-16
I changed irc client (for the first time since 1993..) to irssi.. sometimes a bit rough around the edges but it has a lot of stuff which I wanted in an irc client for Unix.

2002-01-11
I got 15 seconds of fame when my message about the McAfee website made it into comp.risks.


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 (local copy, or via keyservers).

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.