March 31st, 2004, 02:14 PM
2048 Active Connections
Hello all, I am having a problem here. Here at our 200 node network we have a Firewall in place. It can only have a 2048 active connection limit. Well I noticed our internet has been real sluggish and it's only because the firewall has hit its limit. 2048 sessions is way too high compared to our regular 50 active connections. I am suspecting we have computers that are infected with some type of virus. What is the easiest way to pinpoint which computers are making all these requests?
March 31st, 2004, 04:11 PM
sniffing, ethereal, tcpdump... or setting very verbose logging on your firewall and reading the logs. Could be a couple of people using p2p programs. I find it a little strange that you are in charge of 200 computers and cannot figure this out; it is very basic.
Do unto others as you would have them do unto you.
The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
-- true colors revealed, a brown shirt and jackboots
March 31st, 2004, 04:33 PM
What type of firewall (software or hardware) do you have installed, as it may make a difference to the tools used to solve the problem?
Also are all your computers installed with an up to date antivirus?
In any case check your logs to see if they give you some hint as to what is happening.
"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
March 31st, 2004, 04:52 PM
Sounds like you most likely have a system or more than one system with a worm. Easiest way I've found to locate it is to set up a system running ethereal on a spanned port that can sniff the traffic heading for the firewall. Run a capture in promiscuous mode to capture all packets passing by the interface.
Using a filter of:
dst net not [your internal network]
Replace [your internal network] with something like 172.30 or 192.168.252 depending on your network configuration.
This will help you narrow down the results since it will grab only traffic heading out of the network. Depending on your traffic you will probably only want to do a 5 or 10 second capture.
In that capture you are looking for a system in your network sending packets to lots of external destinations many times in the same range.
Once you locate one, go run virus scans on it and/or remove it from the network and see if the problem goes away. You may have more than one system causing the issue.
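The post above describes the manual procedure: capture only outbound traffic (the `dst net not` capture filter is libpcap syntax, so it works the same in ethereal and tcpdump) and then look for a single internal host talking to many external addresses. Added example, not code from the thread: a small Python script that automates the "eyeballing" step. It parses tcpdump-style `-n` summary lines, ignores internal-to-internal and inbound flows, counts the distinct external destinations per internal source, and reports the hosts whose fan-out exceeds a threshold. The internal network 192.168.252.0/24, the threshold of 20, and the capture lines themselves are constructed for illustration; substitute your own prefix and a threshold based on your normal baseline (the poster's ~50 total connections suggests a much lower number per host).

```python
"""
Rank internal hosts by how many distinct external destinations they hit.

Example code added to the thread, not the poster's own. Input is the
one-line summary format printed by tcpdump -n, e.g. produced with
(assumed command):

    tcpdump -n -i eth0 -c 5000 'dst net not 192.168.252.0/24'

tcpdump also accepts the dotted-prefix shorthand from the post
('dst net not 192.168.252'); both mean the same thing.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed internal prefix and fan-out threshold; tune both for your site.
INTERNAL_NETS = [ipaddress.ip_network("192.168.252.0/24")]
FANOUT_THRESHOLD = 20

# Matches 'IP src.sport > dst.dport:' as printed by tcpdump -n for TCP/UDP.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def is_internal(ip):
    """True if ip falls inside one of the configured internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return (src, sport, dst, dport) or None for lines we don't understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def external_fanout(lines):
    """Map each internal source to the set of external destinations it contacted."""
    fanout = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _, dst, _ = parsed
        # Only outbound flows count: internal source, non-internal destination.
        if is_internal(src) and not is_internal(dst):
            fanout[src].add(dst)
    return fanout


def suspects(lines, threshold=FANOUT_THRESHOLD):
    """Sources whose distinct-destination count reaches the threshold, busiest first."""
    counts = ((src, len(dsts)) for src, dsts in external_fanout(lines).items())
    return sorted(
        ((src, n) for src, n in counts if n >= threshold),
        key=lambda t: t[1],
        reverse=True,
    )


def sample_capture():
    """Constructed tcpdump-style lines standing in for a real 10-second capture."""
    lines = []
    # Worm-like host: SYNs to 40 sequential hosts in 203.0.113.0/24 on port 445.
    for i in range(1, 41):
        lines.append(
            f"12:00:00.{i:06d} IP 192.168.252.17.{1024 + i} > 203.0.113.{i}.445: "
            f"Flags [S], seq 1, win 64240, length 0"
        )
    # Normal host: a couple of web connections.
    for i, dst in enumerate(["198.51.100.10", "198.51.100.11"]):
        lines.append(
            f"12:00:01.{i:06d} IP 192.168.252.40.{3000 + i} > {dst}.80: "
            f"Flags [S], seq 1, win 65535, length 0"
        )
    # Internal-to-internal traffic: must be ignored.
    lines.append(
        "12:00:02.000000 IP 192.168.252.40.3100 > 192.168.252.5.139: "
        "Flags [S], seq 1, win 65535, length 0"
    )
    # Reply coming back from outside: external source, must be ignored.
    lines.append(
        "12:00:02.000100 IP 198.51.100.10.80 > 192.168.252.40.3000: "
        "Flags [S.], seq 1, ack 2, win 65535, length 0"
    )
    return lines


if __name__ == "__main__":
    for src, n in suspects(sample_capture()):
        print(f"{src}: {n} distinct external destinations")
```

In practice you would pipe a real capture in (`tcpdump -n -r capture.pcap 'dst net not 192.168.252.0/24' | python3 fanout.py`, reading `sys.stdin` instead of `sample_capture()`). The sequential destination pattern in the constructed sample, one new /24 neighbour per SYN on a single port, is exactly the "many times in the same range" signature the post tells you to look for; a p2p client would show many destinations too, but scattered across unrelated networks and ports.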