Immediate Help. network hijacked?
February 1st, 2005, 03:01 PM
#1 (permalink)
Ultimate Member
Join Date: Oct 2001 Location: Reno, NV
Posts: 1,623
I think I have a hijacked computer on my work network. My firewall has a lot of traffic load and it is slowing down everything. I am having trouble pinpointing which computer it is coming from.
Any suggestions on what ports to look at? My firewall does not show who is producing the most load.
Any help would be great! I am on the verge of shutting down all client PCs.
__________________
"Life moves pretty fast, if you don't stop to look around once in a while, you could miss it." -FB
February 1st, 2005, 03:03 PM
#2 (permalink)
Real gangstas sip on Yacc
Join Date: Oct 2001 Location: Suckas-ville
Posts: 4,552
Your firewall doesn't have logging that shows where traffic is coming from?
I would set up a computer and start sniffing traffic. See who is producing the problem traffic.
Jkrohn
February 1st, 2005, 03:08 PM
#3 (permalink)
Ultimate Member
Join Date: Oct 2001 Location: Reno, NV
Posts: 1,623
My firewall does keep a log of what traffic is going in and out, ports and IP addresses. And I am running Ethereal captures to try and pinpoint the PC. I guess this is just going to be a slow process?
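
One way to shorten the capture review discussed above, as an added example that is not part of the original thread: rank senders by bytes from a field export of the capture, then total the bytes per site. It assumes a tab-separated export such as the one from Wireshark's `tshark -T fields -e ip.src -e ip.dst -e frame.len`; the sample rows and the site subnets are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample rows: source IP, destination IP, frame length in bytes.
# The row with empty addresses stands for a non-IP frame such as ARP.
SAMPLE = (
    "192.168.1.10\t10.0.0.1\t1500\n"
    "192.168.2.23\t192.168.1.1\t1400\n"
    "192.168.2.23\t192.168.1.1\t1400\n"
    "192.168.2.23\t192.168.1.1\t1400\n"
    "192.168.1.11\t192.168.2.1\t600\n"
    "\t\t60\n"
    "192.168.2.40\t192.168.1.1\t200\n"
    "203.0.113.9\t192.168.1.10\t500\n"
)

# Hypothetical addressing for the two locations (not taken from the thread).
SITES = {"main": "192.168.1.0/24", "remote": "192.168.2.0/24"}

def rows(lines):
    """Yield (source address, frame length) for well-formed IP rows only."""
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 3:
            continue
        try:
            yield ipaddress.ip_address(fields[0]), int(fields[2])
        except ValueError:
            continue  # non-IP frame (empty source) or malformed length

def top_talkers(lines, n=3):
    """Return the n sources that sent the most bytes, largest first."""
    sent = Counter()
    for src, length in rows(lines):
        sent[str(src)] += length
    return sent.most_common(n)

def bytes_by_site(lines, sites=SITES):
    """Total sent bytes per site subnet; unknown sources go to 'other'."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    totals = Counter()
    for src, length in rows(lines):
        site = next((name for name, net in nets.items() if src in net), "other")
        totals[site] += length
    return dict(totals)

if __name__ == "__main__":
    print(top_talkers(SAMPLE.splitlines()))
    print(bytes_by_site(SAMPLE.splitlines()))
```

The per-site total narrows the search to one location first; the per-host ranking then points at the machine to inspect.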
February 1st, 2005, 03:31 PM
#4 (permalink)
Ultimate Member
Join Date: Oct 2001 Location: Indiana
Posts: 3,764
If you are dealing with a limited number of machines, disconnect them one at a time and see if the traffic pattern changes. If you have a thousand machines this might be a pain.
__________________
“Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one.”
Benjamin Franklin
February 1st, 2005, 03:35 PM
#5 (permalink)
Ultimate Member
Join Date: Oct 2001 Location: Reno, NV
Posts: 1,623
It's a process of elimination.
I cut the VPN connection to one of my remote properties and all is good now at the main site. So I am off to the remote property (with fewer computers) to try and figure out the culprit there.
I will keep you up to date.
Thanks again for the help.
February 1st, 2005, 04:37 PM
#6 (permalink)
Ultimate Member
Join Date: Oct 2001 Location: Reno, NV
Posts: 1,623
Well, I am finding out more information as I go.
It looks like it is just a firewall problem. I have two WatchGuard Firebox IIIs connecting the two locations. The remote Firebox, it appears, is overloading the VPN connection due to a programming bug. I am going to update it and see if that fixes my problem.