Sunday, November 27, 2011

CEF and load sharing

Load sharing is one of those clumsy areas that is full of confusing parts. In this post we cover its ABCs; later on we will cover more parts in detail. We chose “CEF and load sharing” as the post name because of the main role that CEF plays in load sharing.

In the IP routing context, the forwarding/switching mechanism that the router uses is the actual controller of the load-sharing process (a data/forwarding plane operation). Having multiple routes in the routing table does not by itself determine how load sharing will be done: you might be left with poor load sharing, or none at all, even though the routing table holds multiple routes for a destination.

The routing protocols are responsible for placing multiple paths in the routing table in the first place (a control plane operation). By default all the IGPs are capable of inserting 4 equal-cost paths, while BGP defaults to only 1 (BGP behaves completely differently from the IGPs; we should be covering load sharing with BGP in detail in a later post). To control the maximum paths allowed per routing protocol we can use the maximum-paths command (the maximum was 4 in IOS releases earlier than 11.0, 8 with IOS Release 12.0S based software, 16 with IOS Release 12.3T based software, and 32 with IOS Release 12.2S based software).

NOTE This post is not meant to explain CEF operation; we’ll only be focusing on CEF load sharing. However, we might consider a dedicated “CEF inside out” post later.

The most popular forwarding/switching mechanisms on Cisco routers are: process switching (performs per-packet load sharing), fast switching (performs per-destination load sharing) and CEF (can do both per-packet and per-destination load sharing, the latter completely different from fast switching's per-destination load sharing, plus a newer flavor, per-port load sharing).

NOTE According to Cisco, IPv4 fast switching is removed with the implementation of the Cisco Express Forwarding infrastructure enhancements for Cisco IOS 12.2(25)S-based releases and Cisco IOS Release 12.4(20)T. For these and later Cisco IOS releases, switching paths are Cisco Express Forwarding switched or process switched. This makes the switching decision easier for future development of software features. Starting with the implementation of the Cisco Express Forwarding enhancements and the removal of IPv4 fast switching, components that do not support Cisco Express Forwarding will work only in process switched mode.

Load-sharing with CEF

For each destination with multiple equal-cost paths (or unequal-cost paths in the case of EIGRP using variance, BGP using the BGP Link Bandwidth feature, or MPLS-TE) the router creates 16 hash buckets, each pointing to one of the available paths.

The load sharing is controlled by the ratio of the number of buckets pointing to each path (outgoing interface). With equal-cost paths the buckets are evenly distributed (two equal-cost paths result in 8 buckets each, three equal-cost paths result in 5 each (yes, one bucket is omitted), 4 equal-cost paths result in 4 each, and so on), while in unequal-cost scenarios each path is associated with a different number of buckets (according to the load-sharing ratio).

CEF has three load-sharing options:
•per-destination (per-session):

I prefer to name it per-session (as stated in the show ip cef x.x.x.x internal command output), since it is actually based on both the source and the destination IP addresses in the IP packet rather than solely the destination: both are hashed into a 4-bit hash value that is used to select the outgoing interface. This is the default CEF load-sharing option.

It is clear that per-destination load sharing performs a statistical distribution of traffic, and accordingly load sharing becomes more effective as the number of source/destination pairs increases. Obviously this might result in one link being overloaded while the other(s) are underutilized, if a relatively heavy session flows between a certain source/destination pair over this link.

The hash calculation depends on the algorithm used. The original algorithm uses only the source and destination IP addresses to compute a 4-bit hash value, giving 16 possible values, and thus chooses one of the 16 available buckets, each pointing to one of the outgoing paths. As a result, all the routers in the network running the same algorithm compute the same result, which introduced a load-sharing hitch called CEF Load-Sharing Polarization (you can see a good example of this in the Cisco Press book “Cisco Express Forwarding”). To circumvent this behavior, the universal algorithm (the default in current IOS versions) adds a 32-bit router-specific value to the hash function (called the Fixed ID, which can be manually controlled; a router uses its highest loopback IP address as this value when booting). Seeding the hash function on each router with a unique ID ensures that the same source/destination pair hashes into a different 4-bit value on different routers along the path, which provides better network-wide load sharing and circumvents the polarization issue.

NOTE There is a third available algorithm called the tunnel algorithm, I couldn’t find or understand its anatomy, but Cisco stated that this algorithm is meant to solve load sharing when tunneling techniques such as MPLS, GRE and L2TP are in operation, since with tunneling the traffic pattern is taken down to a small number of sessions (between the tunnel head/tail ends) which will introduce another form of traffic polarization. This algorithm also uses a unique per-router ID to work around this issue, again I can’t find more details about this algorithm, but if I do I’ll let you know.

•per-packet:

Packets are handled in a round-robin fashion, ensuring that the traffic is balanced over multiple links. However, using per-packet load sharing is not generally recommended, because it most commonly results in out-of-order packets, affecting TCP traffic throughput (since TCP will bother to fix the out-of-order packets) and causing UDP data loss (since UDP will not bother to fix them). To make things scarier, out-of-order packets might be interpreted as an attack by firewalls.

The default CEF load sharing mode is per-destination, and we can change this using the ip load-sharing per-packet interface command on the outgoing interfaces involved.

NOTE Since load-sharing decisions are made on the outbound interfaces, the choice of per-packet or per-destination load sharing should be configured on the outbound interfaces.
•per-port (per-flow)

This is the most adequate option (introduced with the IOS 12.4(11)T release) for networks with a low number of sources/destinations where the majority of the traffic is between hosts that use different port numbers, as commonly seen with Real-Time Protocol (RTP) streams. It simply adds the layer 4 source or destination ports, or both, to the CEF hashing function. This option is enabled via the ip cef load-sharing algorithm include-ports command in global configuration.

The most common scenario where this option is the only effective solution is a subnet of hosts NATed to a single IP, with a router that has multiple paths toward their traffic destination. The per-destination option is obviously useless in this case if all the hosts are communicating with a single destination, since there is always a single source/destination pair; involving the layer 4 ports in the hashing function enhances the load-sharing process.
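The bucket ratios, the polarization effect and the NAT case described above can be reproduced with a small simulation. This is an added example, not code from the original post or from Cisco: the 4-bit hash is a SHA-256 stand-in (the real CEF functions are not given on this page), and the two-tier topology, router Fixed IDs, addresses and ports are constructed for illustration.

```python
import hashlib
import ipaddress
from collections import Counter

BUCKETS = 16  # per the post: 16 hash buckets per load-shared destination


def build_buckets(paths):
    """Spread the 16 buckets evenly over equal-cost paths.

    Buckets that do not divide evenly are left out (3 paths -> 5 each, 1 omitted).
    """
    per_path = BUCKETS // len(paths)
    return [path for path in paths for _ in range(per_path)]


def flow_hash(src, dst, fixed_id=None, ports=None):
    """Stand-in 4-bit hash (NOT Cisco's function): SHA-256 truncated to 4 bits."""
    h = hashlib.sha256()
    h.update(ipaddress.ip_address(src).packed)
    h.update(ipaddress.ip_address(dst).packed)
    if fixed_id is not None:   # "universal": per-router 32-bit seed
        h.update(fixed_id.to_bytes(4, "big"))
    if ports is not None:      # "include-ports": layer 4 ports join the hash
        h.update(ports[0].to_bytes(2, "big") + ports[1].to_bytes(2, "big"))
    return h.digest()[0] & 0x0F


def pick_path(buckets, hash_value):
    # Assumption: the hash is reduced modulo the number of buckets in use.
    return buckets[hash_value % len(buckets)]


def second_hop_usage(flows, id_a=None, id_b=None):
    """Router A splits flows over B1/B2; count which uplink B1 then picks."""
    a_buckets = build_buckets(["to-B1", "to-B2"])
    b1_buckets = build_buckets(["B1-uplink-0", "B1-uplink-1"])
    usage = Counter()
    for src, dst in flows:
        if pick_path(a_buckets, flow_hash(src, dst, id_a)) == "to-B1":
            usage[pick_path(b1_buckets, flow_hash(src, dst, id_b))] += 1
    return usage


def nat_usage(include_ports):
    """500 sessions behind one NAT address towards one server, two paths."""
    buckets = build_buckets(["path-0", "path-1"])
    usage = Counter()
    for sport in range(20000, 20500):
        ports = (sport, 5004) if include_ports else None
        h = flow_hash("203.0.113.5", "198.51.100.10", ports=ports)
        usage[pick_path(buckets, h)] += 1
    return usage


# Constructed sample flows: 2000 sources talking to one destination.
FLOWS = [(str(ipaddress.ip_address("10.0.0.1") + i), "198.51.100.10")
         for i in range(2000)]

if __name__ == "__main__":
    for n in (2, 3, 4):
        layout = Counter(build_buckets([f"p{i}" for i in range(n)]))
        print(n, "paths:", dict(layout))
    # No per-router seed: B1 repeats A's decision, so one uplink stays idle.
    print("original :", dict(second_hop_usage(FLOWS)))
    # Different seed on each router: B1's choice is independent of A's.
    print("universal:", dict(second_hop_usage(FLOWS, 0x0A0000FE, 0x0A0000FD)))
    print("NAT, addresses only:", dict(nat_usage(False)))
    print("NAT, include ports :", dict(nat_usage(True)))
```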

I hope that I’ve been informative.

Mirza Mukaram Baig

ARP Caching and TimeOut

From time to time I find myself craving the fundamentals; I do this for two main reasons: the first is that fundamentals are the building blocks of all complex networking topics and deeply understanding them makes a better engineer; the second is a longing for simplicity after doing some complex tasks.

One of these fundamentals that is worth reviewing is the Address Resolution Protocol; this protocol is one of the main building blocks of any network existing on earth today.

Every time a network device sends an Ethernet frame to another device, it has to construct the frame, and to do so it needs to find the hardware address mapped to the destination IP address. ARP is responsible for doing this job.

Each time a device sends an ARP message, network resources are consumed. This means that, for two hosts to communicate, ARP messages would have to be exchanged between them and repeated for every packet. Imagine how ugly this is when transferring large data streams, such as a large file exchange via FTP.

ARP caching provides the solution for this efficiency problem as explained below.

ARP Caching

If you know you are going to send many emails to a friend, is it effective to call him every time to ask for his email address? I think the answer is no, unless you are fascinated by listening to his voice. You simply call him once to ask for the address and cache the information somewhere for future use, and that’s exactly what ARP does.

When a host sends an ARP request to another host and a reply is received, the sender caches the received information in a table for later use.

Going back to our analogy of the email sender, what if you know that you are not going to send any more emails to your friend (“God keep you friends”)? Is it still effective to keep his address in your cache table? I think not; you have to time out unused information. Again, this is exactly what ARP does.

If an ARP entry is not used for a specific amount of time, called the ARP timeout, the entry is removed from the caching table.

There is no standard value for this amount of time and it varies from one vendor to another. I will limit my discussion to Cisco devices to clear up the idea.

One more point to mention here is that entries in the ARP table can be static (created by manual configuration) or dynamic (created automatically by the normal operation of the protocol). Static entries remain in the table forever and are not timed out.

The default timeout is 4 hours on Cisco devices; this means that a dynamic ARP entry will remain in the cache table for 4 hours before the router attempts to refresh the entry. If the entry is no longer needed it will be removed.

You can show the ARP table using the command show arp and change the timeout timer for a specific interface using the interface level command arp timeout seconds.

R1#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet - sa00.0a11.0001 ARPA FastEthernet0/0
Internet 97 sa02.0a11.0002 ARPA FastEthernet0/0
Internet 8 sa00.0a11.0003 ARPA FastEthernet0/5
Internet 136 sa04.0a11.0004 ARPA FastEthernet0/2

!-- setting the timeout for 10 seconds
R1(config-if)#int f0/2
R1(config-if)#arp timeout 15

!-- see the debug output, shows 15 seconds difference between replies
Jan 1 00:01:14: IP ARP: sent req src sa00.0a74.0005,
dst ca02.0a74.0008 FastEthernet0/0
Jan 1 00:01:14: IP ARP: arp_process_request:, hw: sa02.0a74.0008; rc: 3
Jan 1 00:01:14: IP ARP: rcvd rep src sa02.0a74.0008, dst FastEthernet0/0
Jan 1 00:01:14: IP ARP: creating entry for IP address:, hw: sa02.0a74.0008
Jan 1 00:01:24: IP ARP: sent req src ca00.0a74.0008,
dst ca02.0a74.0008 FastEthernet0/0
Jan 1 00:01:24: IP ARP: arp_process_request:, hw: ca02.0a74.0008; rc: 3
Jan 1 00:01:24: IP ARP: rcvd rep src ca02.0a74.0008, dst FastEthernet0/0
Jan 1 00:01:24: IP ARP: creating entry for IP address:, hw: ca02.0a74.0008
Note: ARP cache table is not the same as MAC address table used by switches and each one has its own different timers.

Thank you once again.


Wednesday, July 20, 2011

How To Install Loop back Adapter in Win 7

I found this while I was searching for the installation of a virtual adapter.
The key step I was missing was how to find the Hardware Wizard:
1. Click the Start menu.
2. Search for “cmd”.
3. Right-click on “cmd” and select “Run as Administrator”.
4. Enter “hdwwiz.exe”.
From that point on it's the same approach as under Vista, i.e.:
1. In the "Welcome to the Add Hardware Wizard", click Next.
2. Select "Install the hardware that I manually select from a list (Advanced)" and click Next.
3. Scroll down and select "Network adapters" and click Next.
4. Select under Manufacturer "Microsoft" and then under Network Adapter "Microsoft Loopback Adapter" and click Next.
I've tested this and it's working for me (connecting the host to a VPC using the loopback adapter).

Sunday, July 3, 2011

Cisco Catalyst 2960 switch IOS recovery

Sometimes in my lab it happens that students delete the IOS image of the switch from its flash. Unfortunately, the switches do not have ROMMON for a quick IOS recovery over TFTP. The only way is over Xmodem.

Cat 2960 switch IOS recovery

To speed up the recovery we can set the Xmodem speed to a higher rate than the default 9600 bits.
Set the speed to 115200 baud at the switch: prompt:
switch: set BAUD 115200
Of course we lose our console session, so we need to restart it with the correct speed settings. Then we can carry out the recovery.
Enter the copy command:
copy xmodem: flash:filename
for our Cat2960-24TTL:
switch:copy xmodem: flash:c2960-lanbasek9-mz.122-52.SE.bin
Begin the Xmodem or Xmodem-1K transfer now...
and start sending the file with the console Xmodem software.

Recovery over HyperTerminal

Choose Transfer > Send File.
Then choose Xmodem as the protocol, click Browse next to the filename and select the Cisco IOS image (.bin file) to be uploaded from the disk,
and click Send to send the file.

Recovery over Putty

PuTTY does not support the Xmodem protocol, tears.

Final steps

To boot the new image that we just copied over with the Xmodem procedure, issue the boot flash:filename command, as the example shows:
switch: boot flash:c2960-lanbasek9-mz.122-52.SE.bin
After the Xmodem recovery, we set the BAUD rate back to 9600. If the set BAUD 9600 command does not bring the baud rate to 9600, issue the unset BAUD command in order to bring the baud rate to a default value of 9600 bps.

Saturday, July 2, 2011

Connect Vmware VM 2 GNS3 Lab

1. Select network adapter "Host only" to your Virtual machine in Vmware 
2. Check from Windows Network connections how this network adapter (vmnet1) is named.
3. Add cloud to your workspace in GNS3
4. Configure cloud and select the network adapter you just checked from Windows Network connections menu.

  • Right Click cloud and select Configure
  • Select your cloud C0
  • Select NIO Ethernet
  • Select Generic Ethernet NIO
  • Select appropriate adapter from drop-down menu and press Add button

5. Connect cloud to your topology. (For example to router)
6. Assign IP addresses from the same subnet to the virtual machine and to the emulated router in GNS3.
7. Ping between router and virtual machine should be successful.

Tuesday, June 28, 2011

Configure the Native VLAN on Both Side Of The Trunk

Be sure to remember to configure the native VLAN on both sides of the trunk link or you will get this error until you do so (or disable CDP):

*Mar  1 01:35:01: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/13 (1), with sw1 FastEthernet0/13 (10).
They come in once every minute (CDP updates go every 60 seconds by default):
*Mar  1 01:38:01: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/13 (1), with sw1 FastEthernet0/13 (10).
*Mar  1 01:39:01: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/13 (1), with sw1 FastEthernet0/13 (10).
*Mar  1 01:40:01: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/13 (1), with sw1 FastEthernet0/13 (10).
sw2(config-if)#do sh cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is  enabled
What happens if you disable CDP?  Will you still get the error?
sw1(config)#do sh run int fa0/13
Building configuration…
Current configuration : 128 bytes
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
sw2(config-if)#do sh run int fa0/13
Building configuration…
Current configuration : 110 bytes
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
end
sw1#sh int fa0/13 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      10
sw1#sh int fa0/13 switch | i Native VLAN
Administrative Native VLAN tagging: enabled
sw1#sh cdp int fa0/13
FastEthernet0/13 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds  Holdtime is 180 seconds
sw2#sh int fa0/13 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1
sw2#sh int fa0/13 switch | i Native VLAN
Administrative Native VLAN tagging: enabled
sw2#sh cdp int fa0/13
[Note: No output because we've disabled CDP]
sw2#
It’s been a few minutes and no alarms (on either switch):
*Mar  1 01:42:14: %SYS-5-CONFIG_I: Configured from console by console
sw1#sh clo
*01:48:09.468 UTC Mon Mar 1 1993
*Mar  1 01:41:51: %SYS-5-CONFIG_I: Configured from console by console
sw2#sh clo
*01:45:09.826 UTC Mon Mar 1 1993
Another good reason to run CDP.  
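With CDP disabled the mismatch is still there (native VLAN 10 on sw1, 1 on sw2), it is just no longer reported. The following added example, which is not part of the original post, extracts the mismatch from the CDP syslog lines and, independently of CDP, compares the native VLAN parsed from each end's trunk output; the sample text is copied from the output above, and the function names and the link description format are assumptions.

```python
import re
from collections import Counter

MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), "
    r"with (?P<peer>\S+) (?P<peer_if>\S+) \((?P<peer_vlan>\d+)\)"
)


def cdp_mismatches(log_text):
    """Count mismatch messages per (local port, VLAN, peer, peer port, VLAN)."""
    hits = Counter()
    for m in MISMATCH_RE.finditer(log_text):
        key = (m["local_if"], int(m["local_vlan"]),
               m["peer"], m["peer_if"], int(m["peer_vlan"]))
        hits[key] += 1
    return dict(hits)


def native_vlans(trunk_output):
    """Parse 'show interfaces ... trunk' text into {port: native VLAN}."""
    vlans, in_table = {}, False
    for line in trunk_output.splitlines():
        fields = line.split()
        if fields[:1] == ["Port"] and line.rstrip().endswith("Native vlan"):
            in_table = True          # header of the table that carries the VLAN
        elif in_table and len(fields) == 5 and fields[4].isdigit():
            vlans[fields[0]] = int(fields[4])
        else:
            in_table = False
    return vlans


def compare_trunk_ends(links, outputs):
    """links: [((dev_a, port_a), (dev_b, port_b))]; outputs: {dev: trunk text}."""
    findings = []
    for (dev_a, port_a), (dev_b, port_b) in links:
        vlan_a = native_vlans(outputs[dev_a]).get(port_a)
        vlan_b = native_vlans(outputs[dev_b]).get(port_b)
        if vlan_a != vlan_b:
            findings.append((dev_a, port_a, vlan_a, dev_b, port_b, vlan_b))
    return findings


# Sample text copied from the output shown in this post.
SW2_LOG = """\
*Mar  1 01:38:01: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/13 (1), with sw1 FastEthernet0/13 (10).
*Mar  1 01:39:01: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/13 (1), with sw1 FastEthernet0/13 (10).
*Mar  1 01:40:01: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/13 (1), with sw1 FastEthernet0/13 (10).
"""
TRUNK = {
    "sw1": """sw1#sh int fa0/13 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      10
""",
    "sw2": """sw2#sh int fa0/13 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1
""",
}
LINKS = [(("sw1", "Fa0/13"), ("sw2", "Fa0/13"))]

if __name__ == "__main__":
    print(cdp_mismatches(SW2_LOG))
    print(compare_trunk_ends(LINKS, TRUNK))
```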

Sunday, May 29, 2011

Configuring a Trunk Port

The Enterprise Edition Software, Cisco IOS Release 11.2(8)SA6, does not support trunk negotiation via the Dynamic Trunk Protocol (DTP), formerly known as Dynamic ISL (DISL). If you are connecting a trunk port to a Catalyst 5000 switch or other DTP device, use the non-negotiate option on the DTP-capable device to configure the switch port to not generate DTP frames.

This example shows how to configure a port as a trunk, verify the trunk configuration, and save the change to the startup configuration file:
Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation isl
Switch(config-if)# end
Switch# show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 1-3,1002-1005
Trunking VLANs Active: 1-3
Pruning VLANs Enabled: NONE
Switch# copy running-config startup-config
Building configuration...

Monday, February 14, 2011

How to disable USB sticks and limit access to USB storage devices on Windows systems

USB storage - a possible security risk?

Decent IT administrators secure their networks behind firewalls. They install mail filters on their SMTP servers and deploy anti-virus software on all client workstations. But securing the network is not sufficient -- what happens if the users bring their own USB memory sticks and connect them to the computers at their office? A 1 Gb USB stick can sometimes hold an entire company's vital data. Within minutes or even seconds an employee has all the files they need in order to start up their own business and take all the customers with them. Alternatively, what happens if a careless user accidentally compromises the network with an infected USB stick?

What does Microsoft have to say about it?

If you, the administrator, want to establish a minimum level of security, it is absolutely necessary to control which users can connect USB memory sticks to a computer. Unfortunately, a default Windows XP or Windows 2000 installation comes with no limitations on who is able to install and use USB storage media. Microsoft knowledge base article 823732 contains instructions on how to disable USB storage access for a certain group of users; however, the article only distinguishes between whether or not a USB storage device has been installed on a particular computer. Furthermore, the instructions are limited to a stand-alone computer. According to the general rule of thumb "If it's tedious, there is a better way", I try to avoid techniques that force me to repeat certain tasks for each computer that I manage. That's what group policy objects (GPO) are for.


Mark Heitbrink describes how to disable USB storage devices entirely on all or some computers in the network. He employs an ADM template in a group policy object that disables the USB storage driver (USBSTOR). The ADM template simply sets the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start to 4 (Disable). But his technique has a serious drawback: it only works if the USB storage driver is already installed. If it has not yet been installed, Windows' plug & play subsystem automatically resets the Start value to 3 (Manual) when it installs USBSTOR after a USB storage device is plugged in for the first time. In that case, USBSTOR remains enabled until the GPO is re-applied, usually at the next reboot. If the storage device is plugged in during that reboot, it will still be available because the USBSTOR driver is started before any GPOs are processed.

The Howto!

If we combine Mark Heitbrink's approach with the one outlined in knowledge base article 823732, we get a more reliable solution. Firstly, we need to prevent USBSTOR from being installed unless the currently logged on user is allowed to use USB storage. We do that by restricting access to USBSTOR.INF and USBSTOR.PNF in a GPO such that PNP can't automatically install the driver. This is possible because when PNP installs a driver, the installation is performed using the privileges of the currently logged on user. Secondly, we need to make sure that USBSTOR is not started when a USB storage device is plugged in. For that we use Mark's ADM template. The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices.
  1. In Active Directory Users and Computers, open an existing GPO or create a new one and open it. Use the security settings of that GPO to specify which computers it affects.
  2. In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File System and create a new entry (right-click File System and select Add File). Specify the location of USBSTOR.INF (usually %SystemRoot%\Inf\USBSTOR.INF)
  3. Change the security settings of the new entry. The security settings that you specify here will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This process is not additive, which means that the previous security settings of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore recommended to grant full control to SYSTEM and local administrators. But unlike in the default security settings of USBSTOR.INF, you should not grant any privileges to Everybody. You do not need to explicitly deny access – just omit an entry for Everybody. Optionally, you can grant read access to a certain group. Members of this group will be able to use USB storage.
  4. Repeat the above two steps for USBSTOR.PNF.
  5. Download USBSTOR.ADM.
  6. Back in the GPO, right-click Administrative Templates under Computer Configuration and select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM. Close the dialog.
  7. You should now have an additional entry called Services and Drivers in Administrative Templates. Click on it. If it is empty, select View from the menu and uncheck Show Policies Only. Click back on Services and Drivers in Administrative Templates. It should now show the USB Storage policy. Double click it, select Enabled and pick Disabled from the Startup Type drop down. Again, the policy must be enabled whereas Startup Type must be Disabled.
  8. Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure no USB storage device is connected to that computer. Log on with administrative privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It should be 4. It is also ok if the UsbStor key doesn't exist at all.
  9. On the same workstation, log off and back on as a user that should not have access to USB storage. Connect a USB memory stick or a similar device. Nothing should happen. Remove the memory stick.
  10. Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start – Run before connecting the memory stick. The memory stick should be initialized and mapped to a drive letter. If USBSTOR fails to start, it's probably because this is the first time a memory stick is plugged into the workstation, in which case USBSTOR is not yet installed. Nevertheless, the memory stick should be initialized and mapped correctly, but you need to reboot in order to reapply the administrative template such that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double clicking USBSTOR.REG as well as executing net stop usbstor.
  11. Instruct the users with access to USB storage that they need to execute net start usbstor before they can connect a USB storage device.
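The check in step 8 can be scripted once the workstation's state has been captured as text. This is an added example, not part of the original article: it assumes the registry value was dumped with reg query and the file permissions with cacls or icacls, the sample outputs and the group name EXAMPLE\USB-Storage-Users are constructed, and "Everyone" is the Windows group the article calls Everybody.

```python
import re

# Principals the article recommends granting full control to.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}


def usbstor_start(reg_text):
    """Return the UsbStor Start DWORD from reg query text, or None if absent."""
    m = re.search(r"^\s*Start\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", reg_text, re.M)
    return int(m.group(1), 16) if m else None


def acl_entries(acl_text, path):
    """Parse cacls/icacls-style text for one file into {principal: rights}."""
    entries = {}
    for line in acl_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line is prefixed by the path
        who, sep, rights = line.rpartition(":")
        if sep and who and re.fullmatch(r"[A-Z(),]+", rights):
            entries[who.strip()] = ",".join(re.findall(r"[A-Z]+", rights))
    return entries


def audit(reg_text, acl_texts, usb_group=None):
    """Return findings; an empty list means the state matches steps 3 and 8."""
    findings = []
    start = usbstor_start(reg_text)
    # A missing UsbStor key is acceptable; any value other than 4 is not.
    if start is not None and start != 4:
        findings.append(f"UsbStor Start is {start}, expected 4 (Disabled)")
    allowed = TRUSTED | ({usb_group} if usb_group else set())
    for path, text in acl_texts.items():
        for who, rights in acl_entries(text, path).items():
            if who not in allowed:            # e.g. Everyone left on the file
                findings.append(f"{path}: {who} has {rights}")
    return findings


# Constructed sample captures (not taken from a real machine).
INF = r"C:\WINDOWS\inf\usbstor.inf"
PNF = r"C:\WINDOWS\inf\usbstor.pnf"
USB_GROUP = r"EXAMPLE\USB-Storage-Users"      # hypothetical group with read access

REG_BEFORE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
    Start    REG_DWORD    0x3
"""
REG_AFTER = REG_BEFORE.replace("0x3", "0x4")


def sample_acl(path, last_ace):
    pad = " " * (len(path) + 1)
    return (f"{path} BUILTIN\\Administrators:F\n"
            f"{pad}NT AUTHORITY\\SYSTEM:F\n"
            f"{pad}{last_ace}\n")


ACLS_BEFORE = {p: sample_acl(p, "Everyone:R") for p in (INF, PNF)}
ACLS_AFTER = {p: sample_acl(p, USB_GROUP + ":(R)") for p in (INF, PNF)}

if __name__ == "__main__":
    for finding in audit(REG_BEFORE, ACLS_BEFORE, USB_GROUP):
        print("FINDING:", finding)
    print("after GPO:", audit(REG_AFTER, ACLS_AFTER, USB_GROUP))
```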
usbstore.adm (530 bytes)
usbstore.reg (258 bytes)
Submitted by Hannes Schmidt on Fri, 10/15/2010 - 10:57.
Thanks! -- Hannes
Submitted by Anonymous on Tue, 10/12/2010 - 17:00.
It seems Microsoft has changed this for Windows 7... and almost none of the sites with instructions have been updated to include the new 7-specific instructions (the old method--even for Vista--didn't work in 7). Here are the new GPO settings you also need to use if you have Windows 7 clients:
Block USB in Windows 7 using Group Policy
Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access
Removable Disks: Deny execute access    Enabled
Removable Disks: Deny read access       Enabled
Removable Disks: Deny write access      Enabled

Saturday, February 5, 2011

P2P file sharing: Know the risks

Peer-to-peer (P2P) file sharing is a convenient way to share public-domain music, audio, images, documents, and software programs over the Internet.
Using P2P, you can store files on your computer and go online to search for and share files with others using the same software; programs such as BitTorrent, Morpheus, Kazaa, LimeWire, and iMesh, among many others.
It's a good idea to understand and anticipate the risks of P2P file sharing before you download your first file.
Risk #1: Exposing your computer to unwanted software
Shared files can contain security risks such as viruses, spyware, and other unwanted software. A file that appears legitimate could be a virus in disguise. Unwary file sharers can download beneficial software that incorporates undisclosed spyware with it.
You can help prevent these dangers by following these steps:
Risk #2: Breaking copyright laws
Reputable P2P software is legal to use, but if you choose to do so, it's important to understand and differentiate between copyrighted and public domain material and to share responsibly.
When in doubt about a given file, it's best not to share or download it.

Tips for file sharing more safely

  • Monitor family P2P use and don't assume that using an Internet filter will protect your family from accessing or downloading unwanted or illegal material.

    Because most Internet filters cannot block P2P file sharing, it's important to set guidelines and ensure that all family members are educated about illegal file sharing.
  • Treat all downloaded files with suspicion and use updated industry standard antivirus software to scan each new file before you click it. Set your antivirus software to automatically scan your hard disk on a regular basis, or do it manually yourself.
  • Delete any pirated material found on a family computer, digital audio player, CD-ROM disc, or other storage device and consider disabling the P2P software's downloading option or blocking outside access to the program by changing your computer's Internet firewall settings.
  • Learn all you can about your P2P software and be very careful about which files you make available to others. Most P2P shared files are typically stored in a single folder on your computer (often named "Shared Files").
  • Do not store copies of copyrighted files that you have legally purchased, such as songs from a CD or a licensed retail music site in your P2P file-sharing folder.
  • Back up important files on an external storage device or a CD-ROM disc before sharing or downloading files.
  • For more information about P2P file sharing, visit the Electronic Frontier Foundation and the Recording Industry Association of America (RIAA).

How to better protect your PC with botnet protection and avoid malware

Cybercriminals work tirelessly to enlist your computer in their network of computers known as a botnet, which they then use to commit crimes. Find out more about botnets, botnet protection, and how you can help protect your PC against these attackers.

What is a botnet?

The term bot is short for robot. Criminals distribute malware (malicious software) that can turn your computer into a bot, also called a zombie. When this occurs, your computer can perform automated tasks over the Internet without your knowledge.
Criminals typically use bots to infect large numbers of computers. These computers form a network, or a botnet.
Botnets can be used to send out spam email messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. If your computer becomes part of a botnet, it might slow down and you might be inadvertently helping criminals.

How to tell if your computer is infected with malware

It's not always easy to tell if your computer has been infected with malware. If it is unusually slow, crashes or stops responding frequently, for example, these problems might be signs that your computer has been infected. However, the same problems might also point to hardware or software issues that have nothing to do with malware. Because it's difficult to tell the reasons for your computer's unusual behavior, we suggest that you follow these steps:
  1. Get a more complete list of symptoms.
  2. If, based on the complete list of symptoms, you think your computer has been infected, let Microsoft help you diagnose the problem and solve it.

How to help avoid malware

Cybercriminals use two basic strategies to penetrate your computer's defenses and enlist computers in their botnets:
  • They install malware on a computer by taking advantage of unintended vulnerabilities in its software or by breaking into accounts guarded by weak passwords.
  • They try to trick you into installing their malware.
To help secure your computer against bots, follow the advice below. For specific how-to info, see How to boost your malware defense and protect your PC.

Strengthen your computer's defenses

  1. Install antivirus and antispyware programs from a trusted source. Anti-malware programs scan and monitor your computer for known viruses and spyware. When they find something, they warn you and help you take action.
  2. Keep all software up to date. Regularly install updates for all your software and subscribe to automatic updates wherever possible.
  3. Use strong passwords and keep them secret. Use our password checker to determine the strength of your password.
  4. Never turn off your firewall. A firewall puts a protective barrier between your computer and the Internet. Turning it off for even a minute increases the risk that your PC will be infected with malware.
  5. Use flash drives cautiously. Putting your flash drive (sometimes called a thumb drive) in a computer that is infected could corrupt the drive, and ultimately your computer.

Do not be tricked into downloading malware

Attackers can enlist your computer in a botnet by:
  • Delivering malware in downloads that you think are pictures or movies, or through links that you click in email or instant messages (IM), or on a social network.
  • Scaring you into clicking a button or link they supply with fake warnings that your computer has a virus.
Botnet in action

Where can I get virus-related assistance from Microsoft at no charge?

If your Microsoft PC has been affected by a virus and you need help, you can get virus-related assistance at no charge from the Microsoft Online Safety Portal.

What are the Microsoft Security products? 
Microsoft offers several security products for both Enterprise and Home users. A summary of all Microsoft Security products is shown in the table below:
Product Name | Main customer segment | Malicious software | Spyware and Potentially unwanted software | Available at no additional charge | Main distribution methods
Customers | Business | Scan and Remove | Real-time Protection | Scan and Remove | Real-time Protection
Microsoft Forefront Server Security | Volume Licensing
Microsoft Forefront Client Security | Volume Licensing
Microsoft Security Essentials | Web download
Windows Live OneCare safety scanner | Web
Windows Malicious Software Removal Tool | Prevalent malware families | Windows Updates/Automatic Updates, Download Center
Windows Defender | Download Center, Windows Vista
Microsoft Forefront Online Security for Exchange | Web purchase
Microsoft Forefront Threat Management Gateway | Volume Licensing