Cisco Support Community

unable to track the virus traffic

Hi experts, I have a problem with one of my WAN routers: I am seeing a lot of unknown IPs (looks like it's virus traffic), but I am unable to track these IPs or which host or device is generating this traffic.

The sample is below.

Has anyone come across this problem?


4 REPLIES

Re: unable to track the virus traffic

Hello,

You have difficulties tracking the infected or malicious host(s) because they are modifying their source IP addresses and network devices allow them to do such a thing. Normally at the network edge you are supposed to do some filtering (e.g. ACLs, uRPF) to minimize spoofing issues.

Since it is impossible to trace back by the source IP addresses, I would suggest you examine the traffic levels on interfaces and the CPU usage of your routers, beginning with the one where you spotted the problem in the first place.

If this issue is causing a real problem on your network devices, then it is also likely you will see a lot of packets that might cause unusually high CPU usage on your routers. In this case, you should be careful to examine the packet/second counters on your interfaces (many small packets could be hiding behind a seemingly low bandwidth usage). Start by examining the interface with unusually high packet/second counters. (You are the best person to decide what is normal traffic in your interfaces and what is not.) This will lead you to another device and so on, until you find an interface close to the infected or malicious host, and hopefully you can isolate the problem to only one host.

Kind Regards,

M.
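One way to apply the packets-per-second advice in the reply above, as an added example that is not part of the original thread: take two snapshots of each interface's input packet and byte counters, then rank interfaces by packet rate and average packet size. The function name, thresholds and counter values are assumptions constructed for illustration.

```python
"""Rank router interfaces by input packet rate from two counter snapshots."""
from dataclasses import dataclass

@dataclass
class Rate:
    ifname: str
    pps: float        # input packets per second over the interval
    mbps: float       # input megabits per second over the interval
    avg_bytes: float  # average bytes per packet over the interval
    suspect: bool     # high packet rate made of small packets

def rank_interfaces(before, after, interval_s, pps_limit=20000, small_pkt=100):
    """before/after: {ifname: (input_packets, input_bytes)}, interval_s apart.

    pps_limit and small_pkt are assumed thresholds; set them from your baseline.
    """
    rates = []
    for ifname, (pkts1, bytes1) in after.items():
        if ifname not in before:
            continue  # interface appeared between polls; no delta available
        pkts0, bytes0 = before[ifname]
        d_pkts, d_bytes = pkts1 - pkts0, bytes1 - bytes0
        if d_pkts < 0 or d_bytes < 0:
            continue  # counters cleared or wrapped; skip instead of misreporting
        pps = d_pkts / interval_s
        avg = d_bytes / d_pkts if d_pkts else 0.0
        suspect = pps >= pps_limit and avg <= small_pkt
        rates.append(Rate(ifname, pps, d_bytes * 8 / interval_s / 1e6, avg, suspect))
    return sorted(rates, key=lambda r: r.pps, reverse=True)

# Constructed sample counters taken 30 seconds apart (not from the thread).
BEFORE = {"Serial0/0": (1_000_000, 600_000_000),
          "Fa0/0": (5_000_000, 3_500_000_000),
          "Fa0/1": (2_000_000, 150_000_000)}
AFTER = {"Serial0/0": (1_030_000, 618_000_000),
         "Fa0/0": (5_090_000, 3_590_000_000),
         "Fa0/1": (3_500_000, 246_000_000)}

if __name__ == "__main__":
    for r in rank_interfaces(BEFORE, AFTER, 30):
        flag = "  <-- trace toward this segment" if r.suspect else ""
        print(f"{r.ifname:10} {r.pps:9.0f} pps {r.mbps:7.2f} Mbit/s "
              f"{r.avg_bytes:6.0f} B/pkt{flag}")
```

In the constructed data, Fa0/1 and Fa0/0 carry nearly the same bandwidth, but Fa0/1 does so with far more, far smaller packets, which is the pattern the reply says a bandwidth graph alone can hide.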

Re: unable to track the virus traffic

This is very interesting. Getting rated with a 2.0 after almost two weeks with nobody participating in the conversation and supplying additional information. Some people are simply like that. Enjoy yourselves!

What I would add to the NetPro ideas is to see who is rating whom with what. :-)

Kind Regards as usual,

M.


Re: unable to track the virus traffic

Maria, never mind. Some people just want the ready recipe that fixes everything. Anything less, and they are unhappy.

I've rated your post a '5', because as usual it makes a lot of sense.

Keep up the good work, it is much appreciated!

Re: unable to track the virus traffic

Thanks a lot dear! I was about to say that I will keep posting whether they like it or not, even if they would rate me with 0.0 if that was possible :-)))
