So the background....

My network is as slow as pond water and MRTG shows a HUGE spike in outbound traffic.
Debugging ip packet detail on the routers doesn't show anything unusual, and my ACLs are not taking massive hits (like they did when Welchia went wild), so I span the port on my switch that connects to my router and hook up my laptop to it to do an Ethereal capture. My poor router is taking about 10000 packets per second from my LAN. When I sort the traffic I see that I have what appears to be dozens of addresses sourced from outside my network SYN flooding two sites. Fortunately, all the SYNs are coming from the 4000 range, so I quickly write an ACL blocking tcp 4000 - 4999. By monitoring the ACLs, and with some help from my interns unplugging patch cords one at a time while I watch the ACL, we isolate it to three machines that are sending all this traffic. Those machines are currently unplugged from the network.

So it appears to me that I have some sort of infection that is creating embryonic tcp connections to two pre-determined sites. It also appears that this infection is spoofing its source address, and changing that source several times per second. All three machines have the most recent Symantec DAT files on them, and all three turned up clean in a virus scan performed this morning. Now it's time to really start digging. It is my hope that someone here might be able to point me in the right direction to find what is causing this.

Thanks,
TK
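One way to turn a capture like the one above into a list of suspect hosts without pulling patch cords, as an added example that is not the poster's code: the IP source is forged, but the Ethernet source seen on a span of the LAN-facing port is the real sending NIC, so grouping out-of-prefix SYNs by source MAC points straight at the infected machines. The records, the 10.10.0.0/16 LAN prefix and all addresses are constructed for the example.

```python
import ipaddress

# Assumed internal prefix; anything sourced outside it on the LAN side is spoofed.
LAN_PREFIX = ipaddress.ip_network("10.10.0.0/16")

# Constructed span-port records: (time_s, src_mac, src_ip, src_port, dst_ip, dst_port, flags).
# Mimics the post: rapidly changing forged sources, source ports in 4000-4999, two fixed targets.
SAMPLE = [
    (0.01, "00:11:22:33:44:01", "198.51.100.7",  4012, "203.0.113.10", 80,  "S"),
    (0.02, "00:11:22:33:44:01", "192.0.2.55",    4711, "203.0.113.10", 80,  "S"),
    (0.03, "00:11:22:33:44:02", "198.51.100.99", 4500, "203.0.113.20", 80,  "S"),
    (0.04, "00:11:22:33:44:01", "192.0.2.8",     4300, "203.0.113.20", 80,  "S"),
    (0.05, "00:11:22:33:44:03", "10.10.5.23",    3210, "203.0.113.99", 443, "S"),  # genuine LAN client
    (0.06, "00:11:22:33:44:03", "10.10.5.23",    3210, "203.0.113.99", 443, "A"),
    (0.07, "00:11:22:33:44:02", "192.0.2.120",   4999, "203.0.113.10", 80,  "S"),
]


def spoofed_syn_report(records, lan_prefix=LAN_PREFIX):
    """Group bare SYNs whose source IP lies outside the LAN prefix by source MAC.

    Returns {mac: {"syns": count, "srcs": set(ip), "targets": set("ip:port"),
                   "sport_range": (lo, hi)}}. The sport_range lets you confirm
    that a source-port ACL (like the tcp 4000-4999 one) actually covers a host.
    """
    report = {}
    for _, mac, src_ip, src_port, dst_ip, dst_port, flags in records:
        if flags != "S":                                   # SYN only; skip SYN-ACK, ACK, etc.
            continue
        if ipaddress.ip_address(src_ip) in lan_prefix:     # plausibly genuine, not spoofed
            continue
        e = report.setdefault(mac, {"syns": 0, "srcs": set(), "targets": set(),
                                    "sport_range": (src_port, src_port)})
        e["syns"] += 1
        e["srcs"].add(src_ip)
        e["targets"].add(f"{dst_ip}:{dst_port}")
        lo, hi = e["sport_range"]
        e["sport_range"] = (min(lo, src_port), max(hi, src_port))
    return report


def top_offenders(report):
    """MACs ordered by spoofed SYN count, busiest first; map these to switch ports."""
    return sorted(report, key=lambda m: report[m]["syns"], reverse=True)


if __name__ == "__main__":
    rep = spoofed_syn_report(SAMPLE)
    for mac in top_offenders(rep):
        e = rep[mac]
        print(mac, e["syns"], "SYNs from", len(e["srcs"]), "forged sources ->",
              sorted(e["targets"]), "sports", e["sport_range"])
```

On a real capture, export the frames from Ethereal/Wireshark with the Ethernet and IP fields and feed them in as the same tuples; the MAC-to-port mapping then comes from the switch's address table.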