unable to track the virus traffic

Unanswered Question
Jan 3rd, 2008

Hi Experts, I have a problem with one of my WAN routers: it is seeing a lot of unknown IPs (it looks like virus traffic), but I am unable to track these IPs and find out which host or device is generating this traffic.

The sample is below.

Has anyone come across this problem?

0.99.69.0 0.52.137.106 1 2728
0.99.69.0 0.52.139.107 1 2728
0.254.69.0 0.150.183.104 1 2728
0.99.69.0 0.52.141.107 1 2728
0.99.69.0 0.52.140.107 1 2728
0.99.69.0 0.119.206.106 1 2728
0.99.69.0 0.52.143.107 1 2728
0.21.69.0 0.160.94.89 1 2728
0.99.69.0 0.52.142.107 1 2728
0.99.69.0 0.52.129.106 1 2728
0.203.69.0 1.162.172.123 1 2728
0.147.69.0 0.68.223.183 1 2728
0.147.69.0 0.60.244.229 1 2728
0.99.69.0 0.119.192.106 1 2728
0.99.69.0 0.52.131.106 1 2728
0.99.69.0 0.52.133.107 1 2728

marikakis Thu, 01/03/2008 - 05:38

Hello,

You have difficulties tracking the infected or malicious host(s) because they are modifying their source IP addresses and the network devices allow them to do such a thing. Normally at the network edge you are supposed to do some filtering (e.g. ACLs, uRPF) to minimize spoofing issues.

Since it is impossible to trace back by the source IP addresses, I would suggest you examine the traffic levels on the interfaces and the CPU usage of your routers, beginning with the one in which you first spotted the problem.

If this issue is causing a real problem on your network devices, then it is also likely you will see a lot of packets that might cause unusually high CPU usage on your routers. In this case, you should be careful to examine the packets/second counters on your interfaces (many small packets could be hiding behind a seemingly low bandwidth usage). Start by examining the interface with unusually high packets/second counters. (You are the best person to decide what is normal traffic on your interfaces and what is not.) This will lead you to another device and so on, until you find an interface close to the infected or malicious host, and hopefully you can isolate the problem to only one host.

Kind Regards,

M.
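
The two checks in the answer above (reject sources that cannot legitimately originate behind the edge, then follow the interface with the abnormal packets/second rate) as an added, runnable example; this is not code from the thread or from any Cisco tool. It assumes the posted lines are "source, destination, packets, bytes", uses placeholder internal prefixes 10.0.0.0/8 and 192.168.0.0/16 in place of the real site addressing, and the interface counters and baseline are constructed:

```python
"""Added example, not from the original thread: a software version of the two
checks marikakis recommends, run over the flow lines posted in the question.

Assumptions (none of this is stated on the page):
  - each posted line is "<source ip> <destination ip> <packets> <bytes>"
  - the site's legitimate address space behind the edge router is
    10.0.0.0/8 and 192.168.0.0/16 (placeholders; substitute the real prefixes)
  - interface counters and baselines in the second part are constructed
"""
import ipaddress
from collections import Counter

# Flow lines copied from the question (column meaning assumed as above).
SAMPLE_FLOWS = """\
0.99.69.0 0.52.137.106 1 2728
0.99.69.0 0.52.139.107 1 2728
0.254.69.0 0.150.183.104 1 2728
0.99.69.0 0.52.141.107 1 2728
0.99.69.0 0.52.140.107 1 2728
0.99.69.0 0.119.206.106 1 2728
0.99.69.0 0.52.143.107 1 2728
0.21.69.0 0.160.94.89 1 2728
0.99.69.0 0.52.142.107 1 2728
0.99.69.0 0.52.129.106 1 2728
0.203.69.0 1.162.172.123 1 2728
0.147.69.0 0.68.223.183 1 2728
0.147.69.0 0.60.244.229 1 2728
0.99.69.0 0.119.192.106 1 2728
0.99.69.0 0.52.131.106 1 2728
0.99.69.0 0.52.133.107 1 2728
"""

# Placeholder internal prefixes. An ingress ACL or uRPF check at the edge
# admits a packet only if its source belongs to the networks behind that
# interface; this list plays that role in software.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]


def parse_flows(text):
    """Parse the posted lines into (src, dst, packets, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        src, dst, packets, nbytes = parts
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(packets), int(nbytes)))
    return flows


def is_plausible_source(ip, prefixes=INTERNAL_PREFIXES):
    """True only if ip lies inside a prefix that can legitimately originate
    traffic behind the edge. Everything else (including 0.0.0.0/8, which no
    host may use as a source address) is treated as spoofed."""
    return any(ip in net for net in prefixes)


def spoofed_sources(flows, prefixes=INTERNAL_PREFIXES):
    """Packets per source address for flows that fail the origin check."""
    counts = Counter()
    for src, _dst, packets, _nbytes in flows:
        if not is_plausible_source(src, prefixes):
            counts[str(src)] += packets
    return counts


def interface_pps(before, after, interval_s):
    """Packets per second per interface from two readings of the input
    packet counters taken interval_s seconds apart."""
    return {name: (after[name] - before[name]) / interval_s for name in before}


def flag_interfaces(pps, baseline, factor=3.0):
    """Interfaces whose rate exceeds factor x their normal rate, busiest
    first. The baseline is the operator's own notion of normal."""
    hot = [n for n, rate in pps.items() if rate > baseline.get(n, 0.0) * factor]
    return sorted(hot, key=lambda n: -pps[n])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("spoofed sources (packets):", spoofed_sources(flows).most_common())
    # Constructed counter readings 300 s apart and a constructed baseline.
    t0 = {"Serial0/0": 1_000_000, "FastEthernet0/0": 5_000_000, "FastEthernet0/1": 2_000_000}
    t1 = {"Serial0/0": 1_030_000, "FastEthernet0/0": 20_000_000, "FastEthernet0/1": 2_900_000}
    normal = {"Serial0/0": 150.0, "FastEthernet0/0": 4000.0, "FastEthernet0/1": 3500.0}
    rates = interface_pps(t0, t1, 300)
    print("follow these interfaces next:", flag_interfaces(rates, normal))
```

On the posted sample every source fails the origin check, which is the answer's point: the source column carries no information about where the traffic enters, so the packets/second comparison per interface is what actually leads back toward the host.
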

marikakis Thu, 01/17/2008 - 15:15

This is very interesting. Getting rated with a 2.0 after almost two weeks with nobody participating in the conversation and supplying additional information. Some people are simply like that. Enjoy yourselves!

What I would add to the NetPro ideas is to see who is rating whom with what. :-)

Kind Regards as usual,

M.

Paolo Bevilacqua Thu, 01/17/2008 - 15:20

Maria, never mind. Some people just want the ready recipe that fixes everything. Anything less, and they are unhappy.

I've rated your post a '5', because as usual it makes a lot of sense.

Keep the good work, it is much appreciated!

marikakis Thu, 01/17/2008 - 15:36

Thanks a lot dear! I was about to say that I will keep posting whether they like it or not, even if they would rate me with 0.0 if that was possible :-)))
