unable to track the virus traffic

sunilferrao (Level 1)

Hi Experts, I have a problem with one of my WAN routers: I am seeing a lot of unknown IPs (it looks like virus traffic), but I am unable to track these IPs or find which host or device is generating this traffic.

A sample is below.

Has anyone come across this problem?

0.99.69.0 0.52.137.106 1 2728
0.99.69.0 0.52.139.107 1 2728
0.254.69.0 0.150.183.104 1 2728
0.99.69.0 0.52.141.107 1 2728
0.99.69.0 0.52.140.107 1 2728
0.99.69.0 0.119.206.106 1 2728
0.99.69.0 0.52.143.107 1 2728
0.21.69.0 0.160.94.89 1 2728
0.99.69.0 0.52.142.107 1 2728
0.99.69.0 0.52.129.106 1 2728
0.203.69.0 1.162.172.123 1 2728
0.147.69.0 0.68.223.183 1 2728
0.147.69.0 0.60.244.229 1 2728
0.99.69.0 0.119.192.106 1 2728
0.99.69.0 0.52.131.106 1 2728
0.99.69.0 0.52.133.107 1 2728

4 Replies

marikakis (Level 7)

Hello,

You have difficulties tracking the infected or malicious host(s) because they are modifying their source IP addresses and the network devices allow them to do such a thing. Normally, at the network edge you are supposed to do some filtering (e.g. ACLs, uRPF) to minimize spoofing issues.

Since it is impossible to trace back by the source IP addresses, I would suggest you examine the traffic levels on interfaces and the CPU usage of your routers, beginning with the one where you spotted the problem in the first place.

If this issue is causing a real problem on your network devices, then it is also likely you will see a lot of packets that might cause unusually high CPU usage on your routers. In this case, you should be careful to examine the packets/second counters on your interfaces (many small packets could be hiding behind a seemingly low bandwidth usage). Start by examining the interface with unusually high packets/second counters. (You are the best person to decide what is normal traffic on your interfaces and what is not.) This will lead you to another device, and so on, until you find an interface close to the infected or malicious host, and hopefully you can isolate the problem to only one host.

Kind Regards,

M.
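The triage the reply above describes can be partly scripted. The following is an added example, not code from the thread or from any Cisco tool: it takes a few rows from the question, assuming the columns are source, destination, packets and bytes (the post does not say which command produced them), flags sources that fail a uRPF-style plausibility test (martian prefixes, or prefixes that do not legitimately live behind the interface; the list of legitimate prefixes is an assumed parameter), and computes the average packet size from interface rate counters so that a flood of small packets does not hide behind a modest bits/second figure.

```python
"""Triage helpers for the hop-by-hop hunt described in the reply above.

Added example. Input format and the 'legitimate source prefixes' list are
assumptions; neither comes from the original thread.
"""
import ipaddress
from collections import Counter

# Constructed sample: a few rows copied from the question. The column
# meaning (src dst packets bytes) is an assumption.
SAMPLE = """\
0.99.69.0 0.52.137.106 1 2728
0.99.69.0 0.52.139.107 1 2728
0.254.69.0 0.150.183.104 1 2728
0.21.69.0 0.160.94.89 1 2728
0.203.69.0 1.162.172.123 1 2728
0.147.69.0 0.68.223.183 1 2728
"""

# Address blocks that must never appear as a source on a WAN link:
# RFC 1122 "this" network, loopback, multicast and reserved space.
MARTIANS = [ipaddress.ip_network(n) for n in
            ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]


def parse_rows(text):
    """Parse 'src dst packets bytes' lines; skip anything malformed."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, pkts, nbytes = parts
        rows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                     int(pkts), int(nbytes)))
    return rows


def is_martian(addr):
    return any(addr in net for net in MARTIANS)


def spoof_check(rows, legit_sources):
    """uRPF-style test: a source is implausible if it is martian or lies
    outside every prefix that legitimately sits behind this interface.
    legit_sources is an assumed list of CIDR strings. Returns the sorted
    list of offending source addresses as strings."""
    legit = [ipaddress.ip_network(p) for p in legit_sources]
    bad = set()
    for src, _dst, _pkts, _nbytes in rows:
        if is_martian(src) or not any(src in net for net in legit):
            bad.add(str(src))
    return sorted(bad)


def top_sources(rows, n=3):
    """Packet count per source; only meaningful once spoofing is ruled out."""
    counts = Counter()
    for src, _dst, pkts, _nbytes in rows:
        counts[str(src)] += pkts
    return counts.most_common(n)


def avg_packet_size(bits_per_sec, pkts_per_sec):
    """Average bytes per packet from 'show interface' style rate counters.
    Tens of bytes per packet at a modest bit rate means a flood of tiny
    packets, the case the reply warns hides behind low bandwidth usage."""
    if pkts_per_sec == 0:
        return 0.0
    return bits_per_sec / 8 / pkts_per_sec


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    # Assumed: the LAN behind this router is 10.0.0.0/8.
    print("implausible sources:", spoof_check(rows, ["10.0.0.0/8"]))
    print("top sources by packets:", top_sources(rows))
    # Constructed counters: 1.2 Mbit/s at 2500 pps -> 60 bytes per packet.
    print("avg packet size:", avg_packet_size(1_200_000, 2500))
```

Every source in the sample falls inside 0.0.0.0/8, so `spoof_check` flags all of them regardless of which internal prefixes you pass; that is the point of the reply: the source column cannot be trusted, so the hunt has to follow interface counters rather than addresses. `avg_packet_size` is the number to compute at each hop when a link looks quiet in bits/second but busy in packets/second.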

This is very interesting. Getting rated with a 2.0 after almost two weeks with nobody participating in the conversation and supplying additional information. Some people are simply like that. Enjoy yourselves!

What I would add to the NetPro ideas is to see who is rating whom with what. :-)

Kind Regards as usual,

M.

Maria, never mind. Some people just want the ready recipe that fixes everything. Anything less, and they are unhappy.

I've rated your post a '5', because as usual it makes a lot of sense.

Keep up the good work, it is much appreciated!

Thanks a lot dear! I was about to say that I will keep posting whether they like it or not, even if they would rate me with 0.0 if that was possible :-)))
