Re: [WISPA] I need Mikrotik Help
We also watch for those kinds of connections Ron. It's almost always a virus. Sometimes a file sharing program though those are usually limited to 20 or so connections. Marlon(509) 982-2181 Equipment sales(408) 907-6910 (Vonage) Consulting services42846865 (icq) And I run my own wisp!64.146.146.12 (net meeting)www.odessaoffice.com/wirelesswww.odessaoffice.com/marlon/cam - Original Message - From: Ron Wallace To: WISPA General List Sent: Monday, July 31, 2006 8:32 PM Subject: Re: [WISPA] I need Mikrotik Help Thanks John, I have noticed that many of them from one user are in sequence everyother number 2,4,6,8, for example in the destination addr. I'll have a look at that.>-Original Message->From: John J. Thomas [mailto:[EMAIL PROTECTED]>Sent: Monday, July 31, 2006 09:36 AM>To: 'WISPA General List'>Subject: Re: [WISPA] I need Mikrotik Help>>>How many is "some"? They may be boxes that have been compromised with a worm, trojan, virus or spyware. Look closely at the destination ports they are connecting to. If the addresses/ports are in sequence, they may have malware on their PC.>>John >>>-Original Message->>From: Ron Wallace [mailto:[EMAIL PROTECTED]>>Sent: Monday, July 31, 2006 04:24 AM>>To: [EMAIL PROTECTED], wireless@wispa.org>>Subject: [WISPA] I need Mikrotik Help>>>>To all,>>>>I have some abusive users, when I look at IP Firewall Connections I find a some users with over a hundred (100) instances listed in the source address column. I think its flooding my network. I have 2 T1's and 81 users. We're growing faster than I can install new customers.>>>>I am using Canopy 900, Canopy 2.45, & Tranzeo 2.45. I have activated the SM, SNMP, BOOTP Server and Client filters on the canopy devices.>>>>How can I limit the number of active instances of these abusive users on the Mikrotik?>>>>Ron Wallace >>Hahnron, Inc. >>220 S. Jackson Dt. >>Addison, MI 49220 >>>>Phone: (517)547-8410 >>Mobile: (517)605-4542 >>e-mail: [EMAIL PROTECTED] >>[EMAIL PROTECTED] >>>>>>>-- >WISPA Wireless List: wireless@wispa.org>>Subscribe/Unsubscribe:>http://lists.wispa.org/mailman/listinfo/wireless>>Archives: http://lists.wispa.org/pipermail/wireless/> -- WISPA Wireless List: wireless@wispa.orgSubscribe/Unsubscribe:http://lists.wispa.org/mailman/listinfo/wirelessArchives: http://lists.wispa.org/pipermail/wireless/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] I need Mikrotik Help
Anything less than 20 is ok by me. 50+ and they get a phone call, usually to tell them to shut off their computer because they don't have a music sharing program running. It's almost always either a virus or a system that's been hacked and is being used as an illegal ftp site. Marlon(509) 982-2181 Equipment sales(408) 907-6910 (Vonage) Consulting services42846865 (icq) And I run my own wisp!64.146.146.12 (net meeting)www.odessaoffice.com/wirelesswww.odessaoffice.com/marlon/cam - Original Message - From: Ron Wallace To: WISPA General List Sent: Monday, July 31, 2006 8:40 PM Subject: Re: [WISPA] I need Mikrotik Help How many? 2 maybe 4, not many. but one has generated over 500 boxes in the firewall connections listing.>-Original Message->From: John J. Thomas [mailto:[EMAIL PROTECTED]>Sent: Monday, July 31, 2006 09:36 AM>To: 'WISPA General List'>Subject: Re: [WISPA] I need Mikrotik Help>>>How many is "some"? They may be boxes that have been compromised with a worm, trojan, virus or spyware. Look closely at the destination ports they are connecting to. If the addresses/ports are in sequence, they may have malware on their PC.>>John >>>-Original Message->>From: Ron Wallace [mailto:[EMAIL PROTECTED]>>Sent: Monday, July 31, 2006 04:24 AM>>To: [EMAIL PROTECTED], wireless@wispa.org>>Subject: [WISPA] I need Mikrotik Help>>>>To all,>>>>I have some abusive users, when I look at IP Firewall Connections I find a some users with over a hundred (100) instances listed in the source address column. I think its flooding my network. I have 2 T1's and 81 users. We're growing faster than I can install new customers.>>>>I am using Canopy 900, Canopy 2.45, & Tranzeo 2.45. I have activated the SM, SNMP, BOOTP Server and Client filters on the canopy devices.>>>>How can I limit the number of active instances of these abusive users on the Mikrotik?>>>>Ron Wallace >>Hahnron, Inc. >>220 S. Jackson Dt. >>Addison, MI 49220 >>>>Phone: (517)547-8410 >>Mobile: (517)605-4542 >>e-mail: [EMAIL PROTECTED] >>[EMAIL PROTECTED] >>>>>>>-- >WISPA Wireless List: wireless@wispa.org>>Subscribe/Unsubscribe:>http://lists.wispa.org/mailman/listinfo/wireless>>Archives: http://lists.wispa.org/pipermail/wireless/> -- WISPA Wireless List: wireless@wispa.orgSubscribe/Unsubscribe:http://lists.wispa.org/mailman/listinfo/wirelessArchives: http://lists.wispa.org/pipermail/wireless/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] I need Mikrotik Help
How many? 2 maybe 4, not many. but one has generated over 500 boxes in the firewall connections listing.>-Original Message->From: John J. Thomas [mailto:[EMAIL PROTECTED]>Sent: Monday, July 31, 2006 09:36 AM>To: 'WISPA General List'>Subject: Re: [WISPA] I need Mikrotik Help>>>How many is "some"? They may be boxes that have been compromised with a worm, trojan, virus or spyware. Look closely at the destination ports they are connecting to. If the addresses/ports are in sequence, they may have malware on their PC.>>John >>>-Original Message->>From: Ron Wallace [mailto:[EMAIL PROTECTED]>>Sent: Monday, July 31, 2006 04:24 AM>>To: [EMAIL PROTECTED], wireless@wispa.org>>Subject: [WISPA] I need Mikrotik Help>>>>To all,>>>>I have some abusive users, when I look at IP Firewall Connections I find a some users with over a hundred (100) instances listed in the source address column. I think its flooding my network. I have 2 T1's and 81 users. We're growing faster than I can install new customers.>>>>I am using Canopy 900, Canopy 2.45, & Tranzeo 2.45. I have activated the SM, SNMP, BOOTP Server and Client filters on the canopy devices.>>>>How can I limit the number of active instances of these abusive users on the Mikrotik?>>>>Ron Wallace >>Hahnron, Inc. >>220 S. Jackson Dt. >>Addison, MI 49220 >>>>Phone: (517)547-8410 >>Mobile: (517)605-4542 >>e-mail: [EMAIL PROTECTED] >>[EMAIL PROTECTED] >>>>>>>-- >WISPA Wireless List: wireless@wispa.org>>Subscribe/Unsubscribe:>http://lists.wispa.org/mailman/listinfo/wireless>>Archives: http://lists.wispa.org/pipermail/wireless/> -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] I need Mikrotik Help
Thanks John, I have noticed that many of them from one user are in sequence everyother number 2,4,6,8, for example in the destination addr. I'll have a look at that.>-Original Message->From: John J. Thomas [mailto:[EMAIL PROTECTED]>Sent: Monday, July 31, 2006 09:36 AM>To: 'WISPA General List'>Subject: Re: [WISPA] I need Mikrotik Help>>>How many is "some"? They may be boxes that have been compromised with a worm, trojan, virus or spyware. Look closely at the destination ports they are connecting to. If the addresses/ports are in sequence, they may have malware on their PC.>>John >>>-Original Message->>From: Ron Wallace [mailto:[EMAIL PROTECTED]>>Sent: Monday, July 31, 2006 04:24 AM>>To: [EMAIL PROTECTED], wireless@wispa.org>>Subject: [WISPA] I need Mikrotik Help>>>>To all,>>>>I have some abusive users, when I look at IP Firewall Connections I find a some users with over a hundred (100) instances listed in the source address column. I think its flooding my network. I have 2 T1's and 81 users. We're growing faster than I can install new customers.>>>>I am using Canopy 900, Canopy 2.45, & Tranzeo 2.45. I have activated the SM, SNMP, BOOTP Server and Client filters on the canopy devices.>>>>How can I limit the number of active instances of these abusive users on the Mikrotik?>>>>Ron Wallace >>Hahnron, Inc. >>220 S. Jackson Dt. >>Addison, MI 49220 >>>>Phone: (517)547-8410 >>Mobile: (517)605-4542 >>e-mail: [EMAIL PROTECTED] >>[EMAIL PROTECTED] >>>>>>>-- >WISPA Wireless List: wireless@wispa.org>>Subscribe/Unsubscribe:>http://lists.wispa.org/mailman/listinfo/wireless>>Archives: http://lists.wispa.org/pipermail/wireless/> -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] I need Mikrotik Help
Thanks Larry, that is very useful. I shall follow all of the advice I get. -Original Message-From: Larry Yunker [mailto:[EMAIL PROTECTED]Sent: Monday, July 31, 2006 11:36 AMTo: 'WISPA General List'Subject: Re: [WISPA] I need Mikrotik Help Ron, When the number of active connections for any single user exceeds about 10 to 15 simultaneous connections, you generally have one of two things occurring. Either the subscriber has been infected by some sort of virus/spyware or the customer is running some sort of peer-to-peer networking software (i.e. Kaaza, winMX, Limewire, Bittorrent, etc, etc, etc). Either of these situations will result in increased latency and decreased overall available network throughput on the Canopy systems. On the Tranzeo system, the effect is far worse. Since Tranzeo is 802.11b based, there is no polling mechanism to ensure timely delivery of packets. the effect of a continuous streams of outbound traffic is dropped packets. Dropped packets means timed-out web pages and dropped email sessions. It gets far worse when you start dealing with games and VoIP. Even 1% packet loss can result in unusable games. Likewise, the very slightest IP interruption can make VoIP sessions experience jitter, echoing, and garbled signal. It is important that you determine the specific customers that are causing the excessive streams. Look at the ports in use and the destination addresses. Determine if the traffic is likely P-t-P or an infection. If it's P-t-P, you should be able to control the volume of the traffic by using the P-t-P throttling mechanisms available through the Mikrotik software. If it's an infection, you should disassociate the user from your AP's until the infection can be resolved. If you simply firewall the outbound traffic, you probably won't solve anything. Many infections cause the PC to continuously send out packets regardless of whether those packets ever arrive at a valid destination. Therefore, the infection will keep sending/flooding your AP even if you block the subscriber from successfully reaching the internet via a Mikrotik firewall. Larry Yunker Network Consultant WISP Advantage [EMAIL PROTECTED] - Original Message - From: Ron Wallace To: [EMAIL PROTECTED] ; wireless@wispa.org Sent: Monday, July 31, 2006 6:24 AM Subject: [WISPA] I need Mikrotik Help To all, I have some abusive users, when I look at IP Firewall Connections I find a some users with over a hundred (100) instances listed in the source address column. I think its flooding my network. I have 2 T1's and 81 users. We're growing faster than I can install new customers. I am using Canopy 900, Canopy 2.45, & Tranzeo 2.45. I have activated the SM, SNMP, BOOTP Server and Client filters on the canopy devices. How can I limit the number of active instances of these abusive users on the Mikrotik? Ron Wallace Hahnron, Inc. 220 S. Jackson Dt. Addison, MI 49220 Phone: (517)547-8410 Mobile: (517)605-4542 e-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] -- WISPA Wireless List: wireless@wispa.orgSubscribe/Unsubscribe:http://lists.wispa.org/mailman/listinfo/wirelessArchives: http://lists.wispa.org/pipermail/wireless/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] I need Mikrotik Help
Ron, When the number of active connections for any single user exceeds about 10 to 15 simultaneous connections, you generally have one of two things occurring. Either the subscriber has been infected by some sort of virus/spyware or the customer is running some sort of peer-to-peer networking software (i.e. Kaaza, winMX, Limewire, Bittorrent, etc, etc, etc). Either of these situations will result in increased latency and decreased overall available network throughput on the Canopy systems. On the Tranzeo system, the effect is far worse. Since Tranzeo is 802.11b based, there is no polling mechanism to ensure timely delivery of packets. the effect of a continuous streams of outbound traffic is dropped packets. Dropped packets means timed-out web pages and dropped email sessions. It gets far worse when you start dealing with games and VoIP. Even 1% packet loss can result in unusable games. Likewise, the very slightest IP interruption can make VoIP sessions experience jitter, echoing, and garbled signal. It is important that you determine the specific customers that are causing the excessive streams. Look at the ports in use and the destination addresses. Determine if the traffic is likely P-t-P or an infection. If it's P-t-P, you should be able to control the volume of the traffic by using the P-t-P throttling mechanisms available through the Mikrotik software. If it's an infection, you should disassociate the user from your AP's until the infection can be resolved. If you simply firewall the outbound traffic, you probably won't solve anything. Many infections cause the PC to continuously send out packets regardless of whether those packets ever arrive at a valid destination. Therefore, the infection will keep sending/flooding your AP even if you block the subscriber from successfully reaching the internet via a Mikrotik firewall. Larry Yunker Network Consultant WISP Advantage [EMAIL PROTECTED] - Original Message - From: Ron Wallace To: [EMAIL PROTECTED] ; wireless@wispa.org Sent: Monday, July 31, 2006 6:24 AM Subject: [WISPA] I need Mikrotik Help To all, I have some abusive users, when I look at IP Firewall Connections I find a some users with over a hundred (100) instances listed in the source address column. I think its flooding my network. I have 2 T1's and 81 users. We're growing faster than I can install new customers. I am using Canopy 900, Canopy 2.45, & Tranzeo 2.45. I have activated the SM, SNMP, BOOTP Server and Client filters on the canopy devices. How can I limit the number of active instances of these abusive users on the Mikrotik? Ron Wallace Hahnron, Inc. 220 S. Jackson Dt. Addison, MI 49220 Phone: (517)547-8410 Mobile: (517)605-4542 e-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] -- WISPA Wireless List: wireless@wispa.orgSubscribe/Unsubscribe:http://lists.wispa.org/mailman/listinfo/wirelessArchives: http://lists.wispa.org/pipermail/wireless/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
RE: [WISPA] I need Mikrotik Help
I have a queation in general: in the typical wireless installation at public or general muni type APs, are the IP addresses given to the users in a many-to-one NAT like home routers or in a 1-to-1 NAT with each internal address NATted with a public address? I've been to CEAS and MAAWG meetings regularly over the past two years and have been involved with network- remediated Trojan/Worm/Virus technology from a variety of vendors. So far, they have avoided specifying how they treat wireless networks but, instead, concentrate on DSL/Cable. There, of course, a cable modem most often faces a Linksys or Netgear many-to-one NAT. ...sometimes several cascaded! Thank you. . . . j o n a t h a n -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John J. Thomas Sent: Monday, July 31, 2006 8:37 AM To: WISPA General List Subject: Re: [WISPA] I need Mikrotik Help How many is "some"? They may be boxes that have been compromised with a worm, trojan, virus or spyware. Look closely at the destination ports they are connecting to. If the addresses/ports are in sequence, they may have malware on their PC. John >-Original Message- >From: Ron Wallace [mailto:[EMAIL PROTECTED] >Sent: Monday, July 31, 2006 04:24 AM >To: [EMAIL PROTECTED], wireless@wispa.org >Subject: [WISPA] I need Mikrotik Help > >To all, > >I have some abusive users, when I look at IP Firewall Connections I find a some users with over a hundred (100) instances listed in the source address column. I think its flooding my network. I have 2 T1's and 81 users. We're growing faster than I can install new customers. > >I am using Canopy 900, Canopy 2.45, & Tranzeo 2.45. I have activated the SM, SNMP, BOOTP Server and Client filters on the canopy devices. > >How can I limit the number of active instances of these abusive users on the Mikrotik? > >Ron Wallace >Hahnron, Inc. >220 S. Jackson Dt. >Addison, MI 49220 > >Phone: (517)547-8410 >Mobile: (517)605-4542 >e-mail: [EMAIL PROTECTED] >[EMAIL PROTECTED] > > -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] I need Mikrotik Help
How many is "some"? They may be boxes that have been compromised with a worm, trojan, virus or spyware. Look closely at the destination ports they are connecting to. If the addresses/ports are in sequence, they may have malware on their PC. John >-Original Message- >From: Ron Wallace [mailto:[EMAIL PROTECTED] >Sent: Monday, July 31, 2006 04:24 AM >To: [EMAIL PROTECTED], wireless@wispa.org >Subject: [WISPA] I need Mikrotik Help > >To all, > >I have some abusive users, when I look at IP Firewall Connections I find a >some users with over a hundred (100) instances listed in the source address >column. I think its flooding my network. I have 2 T1's and 81 users. We're >growing faster than I can install new customers. > >I am using Canopy 900, Canopy 2.45, & Tranzeo 2.45. I have activated the SM, >SNMP, BOOTP Server and Client filters on the canopy devices. > >How can I limit the number of active instances of these abusive users on the >Mikrotik? > >Ron Wallace >Hahnron, Inc. >220 S. Jackson Dt. >Addison, MI 49220 > >Phone: (517)547-8410 >Mobile: (517)605-4542 >e-mail: [EMAIL PROTECTED] >[EMAIL PROTECTED] > > -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
[WISPA] I need Mikrotik Help
To all, I have some abusive users, when I look at IP Firewall Connections I find a some users with over a hundred (100) instances listed in the source address column. I think its flooding my network. I have 2 T1's and 81 users. We're growing faster than I can install new customers. I am using Canopy 900, Canopy 2.45, & Tranzeo 2.45. I have activated the SM, SNMP, BOOTP Server and Client filters on the canopy devices. How can I limit the number of active instances of these abusive users on the Mikrotik? Ron Wallace Hahnron, Inc. 220 S. Jackson Dt. Addison, MI 49220 Phone: (517)547-8410 Mobile: (517)605-4542 e-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/