In late August 2003, Adelphia started taking measures to protect its network from the effects of the Blaster/LoveSan worms, Welchia/Nachi worms, and their variants by dropping, filtering, and/or rate limiting certain outbound ICMP packets. These measures continue to this day, and their effects change when equipment or configurations are changed.
The Adelphia-imposed ICMP packet restrictions cause inaccurate packet loss reports when using the standard Windows Tracert program, the Windows Pathping program, and the Line Quality test here at Broadband Reports. The standard Windows, Mac OS, and Linux Ping programs are unaffected, so if the standard Ping program on its own shows no packet loss, there isn't really a problem. Linux and Mac OS X users using Traceroute also shouldn't be affected by the ICMP packet limitations, as those trace route programs use outbound UDP packets by default.
•Here's an example of rate limiting as seen when using Windows tracert utility: (Notice every 2nd or 3rd packet is lost consistently through the entire trace.)
C:\>tracert 216.239.51.104
Tracing route to 216.239.51.104 with TTL of 32:
  1  16ms  *     13ms  69.168.192.1
  2  15ms  *     12ms  68.168.227.1
  3  42ms  *     41ms  68.168.225.49
  4  42ms  *     42ms  g1-03-03-00.a0.buf00.adelphiacom.net [66.109.14.45]
  5  *     42ms  *     g1-03-00-00.r0.buf00.adelphiacom.net [66.109.1.33]
  6  72ms  *     62ms  p3-01-01-00.n0.nyc90.adelphiacom.net [66.109.0.205]
  7  *     70ms  *     p3-01-00-00.n0.dca91.adelphiacom.net [66.109.0.82]
  8  71ms  *     67ms  p3-00-00-00.r0.dca91.adelphiacom.net [66.109.0.166]
  9  *     67ms  *     unk-426d0186.adelphiacom.net [66.109.1.134]
 10  68ms  *     68ms  eqixva-google-gige.google.com [206.223.115.21]
 11  *     68ms  *     216.239.47.122
 12  70ms  *     71ms  216.239.47.102
 13  67ms  *     65ms  216.239.51.104
Traceroute complete.
•Here's an example of filtering or dropping when using Windows tracert utility: (Notice every packet at the 3rd hop and beyond is lost.)
Tracing route to lax.speakeasy.net [64.81.45.2] over a maximum of 30 hops:
  1  35 ms  31 ms  26 ms  68-232-238-1.losaca.adelphia.net [68.232.238.1]
  2  16 ms  28 ms  24 ms  ca-mthomeid-cmts2-143-185.losaca.adelphia.net [67.23.143.185]
  3  *      *      *      Request timed out.
  4  *      *      *      Request timed out.
  5  *      *      *      Request timed out.
  6  *      *      *      Request timed out.
  7  *      *      *      Request timed out.
  8  *      *      *      Request timed out.
  9  *      *      *      Request timed out.
 10  *      *      *      Request timed out.
 11  *      *      *      Request timed out.
 12  *      *      *      Request timed out.
 13  *      *      *      Request timed out.
 14  *      *      *      Request timed out.
 15  *      *      *      Request timed out.
^C
•Here's an example of equipment purposely dropping all pings directed at it: (Notice the 1st hop doesn't respond at all, which would be 100% packet loss.)
Tracing route to p15.www.dcn.yahoo.com [216.109.118.78] with TTL of 32:
  1  *     *     *     Request timed out.
  2  12ms  11ms  17ms  68.168.161.105
  3  12ms  14ms  13ms  68.168.161.105
  4  36ms  10ms  9ms   a1-02-00-00.a0.pit75.adelphiacom.net [66.109.14.89]
  5  12ms  10ms  10ms  a1-00-00-00.c0.pit75.adelphiacom.net [66.109.1.65]
  6  24ms  25ms  24ms  p3-01-01-00.c1.chi75.adelphiacom.net [66.109.0.209]
  7  24ms  38ms  23ms  p3-00-00-00.p0.chi91.adelphiacom.net [66.109.3.26]
  8  24ms  21ms  21ms  exchange-cust1.chi.equinix.net [206.223.119.16]
  9  31ms  31ms  27ms  ge-2-0-9.p550.pat1.dce.yahoo.com [216.115.97.21]
 10  31ms  27ms  29ms  vlan220-msr2.dcn.yahoo.com [216.115.96.165]
 11  28ms  29ms  29ms  ge3-1.bas1-m.dcn.yahoo.com [216.109.120.149]
•Here's an example of the effects the limiting has on the BBR Line Quality test: (Notice the "picket fence" on the ping plot graphs, packet loss on the low/medium bandwidth tests, and packet loss on the first hop ping. However, if the "simple ping packet loss" check doesn't show 0% loss, there is a problem.)

Whether the ICMP packets are dropped, filtered, or rate limited depends on the severity of the effect those worms/viruses had on that part of the network, what particular equipment is currently installed in that part of the network, and how it is configured. Not all network equipment can be configured to deal with the offending packets the same way, so different techniques had to be used. In some areas, you may find combinations of techniques were used, such as ICMP packets being filtered at the CMTS, only to be totally dropped at a router further down the line.
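The three tracert patterns shown above can be told apart mechanically. The Python below is an added example, not part of the original FAQ: it parses Windows-style trace output and labels it as rate limited, filtered/dropped, or a silent hop. The function names, the labels, and the 0.8 cutoff are assumptions; the sample traces are shortened excerpts of the traces on this page.

```python
import re

# A hop line: hop number, then three probes, each "16ms", "35 ms", "<1 ms" or "*".
HOP = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)(?:\s+|$)){3})")

def parse_trace(text):
    """Return [(hop_number, probes_lost), ...] for every hop line in the output."""
    return [(int(m.group(1)), m.group(2).count("*"))
            for m in map(HOP.match, text.splitlines()) if m]

def classify(text, partial_share=0.8):
    """Label a trace with one of this FAQ's three patterns (0.8 is an assumed cutoff)."""
    hops = parse_trace(text)
    if not hops:
        return ("unparsed", [])
    # Filtering/dropping: an unbroken run of fully lost hops up to the end of the trace.
    tail = len(hops)
    while tail > 0 and hops[tail - 1][1] == 3:
        tail -= 1
    if tail < len(hops):
        return ("filtered_or_dropped", [hops[tail][0]])
    # Rate limiting: some, but not all, probes lost at nearly every hop.
    partial = [hop for hop, lost in hops if 0 < lost < 3]
    if len(partial) >= partial_share * len(hops):
        return ("rate_limited", partial)
    # Silent hop: a device that answers nothing itself while hops beyond it reply.
    silent = [hop for hop, lost in hops if lost == 3]
    if silent:
        return ("silent_hop", silent)
    return ("no_pattern", [])

# Shortened excerpts of the three traces shown on this page.
RATE_LIMITED = """\
  1  16ms  *     13ms  69.168.192.1
  5  *     42ms  *     g1-03-00-00.r0.buf00.adelphiacom.net [66.109.1.33]
 13  67ms  *     65ms  216.239.51.104
"""
FILTERED = """\
  2  16 ms  28 ms  24 ms  ca-mthomeid-cmts2-143-185.losaca.adelphia.net [67.23.143.185]
  3  *      *      *      Request timed out.
  4  *      *      *      Request timed out.
"""
SILENT_HOP = """\
  1  *     *     *     Request timed out.
  2  12ms  11ms  17ms  68.168.161.105
  4  36ms  10ms  9ms   a1-02-00-00.a0.pit75.adelphiacom.net [66.109.14.89]
"""
if __name__ == "__main__":
    print([classify(t) for t in (RATE_LIMITED, FILTERED, SILENT_HOP)])
```

A trailing run of timeouts only shows that replies stopped arriving at the tracing host. As noted above, the standard Ping program is unaffected, so a plain ping to the destination is the check that settles whether there is real loss.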
To see a more accurate trace result that isn't affected by these Adelphia-imposed ICMP packet limitations, use a different program that can trace using UDP packets.
Here's a short list of recommended trace route programs for Windows users:
•PingPlotter has a shareware version (not the freeware version) that can use ICMP, UDP, or TCP packets in traces. PingPlotter graphically shows latency, packet loss, and route history, so it's excellent for beginners and advanced users alike. Make sure you turn on UDP packets in the Advanced Options menu; see this page for more setup instructions: PingPlotter Packet Options. It has a full-feature enabled 30-day trial period, so you can try it out long enough to run some tests before you have to pay.
•Ftrace is a program with output very similar to the standard Windows trace and ping utilities, but it can utilize UDP packets. There is also a GUI-enabled version that you can launch from your Windows desktop, which also includes some very handy "copy" buttons for posting those traces here at BBR. To use UDP pings, make sure you use the -u option (e.g. ftrace -u yahoo.com).
•VisualRoute is another Windows program that can do traces using UDP packets. Just don't believe the maps it generates as they are often very inaccurate. Read the manual for instructions on how to turn on UDP packets.
These programs don't use UDP packets by default, so make sure you enable them.
Read this article for a bit of insight on the effects of the worms mentioned above: Internetnews: 'Friendly' Welchia Worm Wreaking Havoc or read this BBR thread for even more insight: Nachi the new champion bad boy. See this Adelphia page for more information on current virus activity: Adelphia E-safety page.
by MacLeech  last modified: 2005-08-05 16:18:57