0

In our small company we have very high outbound traffic from the local network to a server, which is getting blocked and slows down our server response time, especially at night.

I am not a security specialist, so I am not sure what, where, and how to check that.

This information above I have from our IT partner, which sent an email that this may be caused by hackers... But they are very slow to act. I need to get this situation back to normal ASAP.

What could be the reason for that, and what should I learn to fix that problem?

Best regards.

hal9k2
  • High traffic like that is generally caused by malware. You may find which computer is spreading malware to the network by unplugging machines from the network one by one while watching the network activity lights on the switch or hub. – Sencer H. Feb 10 '14 at 09:37
  • Could be malware, could be staff setting up BitTorrent seeds overnight on their systems. It's very difficult to tell. Where's the traffic going to? A few isolated IPs, or hundreds of different ones? Is it on a common port? Have you looked at the data being sent? – Polynomial Feb 10 '14 at 09:44

2 Answers

0

If you are not versed in network problems it will be very difficult for you to find the origin of the problem, but just in case you are, you can do the following. You will need to have a registry of which PC/server has which IP.

  1. Have a look at the log in the firewall that blocks the traffic and check for the IP (or IPs) of origin.
  2. Go to the PC/server and check if there is any "normal" software that might be causing the problem. If you can't find any, then it is probably malware, so you will need to nuke it from orbit.

For the not so versed, or if you haven't got any registry:

  1. Find the router which connects all the PCs.
  2. Check the light/lights which are blinking.
  3. If you find any reason for those PCs to generate traffic, or you are unsure, leave them plugged in.
  4. If not, disconnect the cables and wait until morning to find which PCs can't access the internet. (You will notice when they shout.)

As a way to improve and to easily solve future problems, consider having fixed IPs for every server/user PC and consider having the cables labelled to easily identify which cable corresponds to which PC/server.

It shouldn't take more than half a day for an IT network guy in a small enterprise to verify these problems.

kiBytes
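The first step in the answer above (read the firewall's block log, find the origin IPs, and check them against a registry of which IP belongs to which machine) can be scripted. The following is an added example, not code from the answer: it parses constructed netfilter-style drop lines, ranks internal source IPs by blocked connections, and also reports how many distinct destinations and which port each source hits, which is what Polynomial's comment asks about (a few IPs on one port looks different from hundreds of destinations). The log format, the inventory table, and all addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of firewall drop log lines in netfilter/iptables LOG-target style.
SAMPLE_LOG = """\
Feb 10 02:13:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.9 PROTO=TCP DPT=6881
Feb 10 02:13:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.22 PROTO=TCP DPT=6881
Feb 10 02:13:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.80 PROTO=UDP DPT=6881
Feb 10 02:13:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.77 PROTO=TCP DPT=6881
Feb 10 02:13:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=203.0.113.5 PROTO=TCP DPT=443
Feb 10 02:13:07 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=192.0.2.201 PROTO=TCP DPT=6881
Feb 10 02:13:09 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.5 PROTO=TCP DPT=443
"""

# Constructed inventory: the "registry of which PC/server has which IP" the answer asks for.
INVENTORY = {
    "192.168.1.12": "accounting-pc",
    "192.168.1.37": "reception-pc",
    "192.168.1.50": "file-server",
}

# Pull the fields we need out of each log line; lines in another format are skipped.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")


def parse_log(text):
    """Yield (src, dst, proto, dport) for every line matching the drop format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def summarize(text, inventory=INVENTORY):
    """Rank internal sources by blocked connections.

    For each source also report the number of distinct destinations and the
    most-used (protocol, port), plus the machine name from the inventory, so the
    reader can walk to the right PC. Unknown IPs are flagged as missing from the registry.
    """
    hits = Counter()
    dsts = defaultdict(set)
    ports = defaultdict(Counter)
    for src, dst, proto, dport in parse_log(text):
        hits[src] += 1
        dsts[src].add(dst)
        ports[src][(proto, dport)] += 1

    report = []
    for src, n in hits.most_common():
        top_port = ports[src].most_common(1)[0][0]
        report.append({
            "src": src,
            "host": inventory.get(src, "UNKNOWN - not in registry"),
            "blocked": n,
            "distinct_dst": len(dsts[src]),
            "top_port": top_port,
        })
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run against a real export of the firewall log, the top row is the machine to visit first; a single host talking to many different external addresses on one unusual port, as the constructed data shows for reception-pc, is the pattern that deserves the "check for normal software, otherwise treat as malware" step.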
0

There are many reasons you could have high traffic volumes at night. Besides malware or filesharing many companies are moving to cloud based backup systems, and set up their backups to be at night. The first thing I'd do is contact heads of server groups and inform them of the problem. Ask them if they have any jobs going, and tell them it is impacting services. If your network supports QoS, look to get it set up to guarantee bandwidth to vital services.

If the traffic does not seem legitimate, or you are not getting any help from your internal groups, then you need more information. Most network devices with any intelligence at all can give you port statistics, and most can be polled with SNMP. Talk to your network people and see if they have Cacti, SolarWinds, or the like. If not, set up Cacti or another free SNMP grapher and start collecting information. Once you have a few days of stats you can then see which ports are using the bandwidth, and you can find what's attached to the port. Look up the MAC address of the device and then map it to an ARP entry, then do a DNS lookup on the IP from the ARP table.

Once you know the offending machine, you can then investigate the cause. Find the owner of the box and tell them it's causing trouble; get them to investigate it. If you are the owner, do your own investigation. Look for legitimate causes first; there are plenty of them. Once you exhaust those, look for malware; you may need to SPAN the port to see what traffic is being sent.

GdD
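The chain the answer above describes (SNMP port counters, find the busy port, port to MAC, MAC to ARP entry, IP to DNS name) is what a grapher like Cacti does for you, but the arithmetic is simple enough to show directly. The following is an added example and not the answer's own code: it takes two constructed polls of a switch's 64-bit interface octet counters (ifHCInOctets/ifHCOutOctets), computes per-port bit rates with correct handling of a counter wrap, ranks the ports, and resolves the busiest one through constructed MAC, ARP and reverse-DNS tables. All counter values, interface indexes, MACs, IPs and names are made up for the example; a real run would fill the tables from the switch and router.

```python
# Constructed: two polls of a switch's 64-bit interface counters, 300 seconds apart.
# Keys are ifIndex values; values are (ifHCInOctets, ifHCOutOctets).
# On a switch access port, "in" octets are what the attached host SENDS, so a
# large in-delta is the host's outbound traffic, which is the question's symptom.
COUNTER_MAX = 2 ** 64
POLL_INTERVAL = 300  # seconds between the two samples

SAMPLE_T0 = {
    1: (5_000_000, 7_000_000),
    2: (2 ** 64 - 10_000, 12_000_000),   # in-counter about to wrap
    3: (900_000, 800_000),
}
SAMPLE_T1 = {
    1: (5_150_000, 7_100_000),
    2: (3_740_000, 12_050_000),          # counter wrapped; real delta is 3,750,000 octets
    3: (2_400_000_000, 40_000_000),      # ~2.4 GB sent by the host in 5 minutes: the busy port
}

# Constructed: switch MAC table (ifIndex -> MAC), router ARP table (MAC -> IP),
# and reverse DNS answers (IP -> name). In practice these come from the devices.
MAC_TABLE = {1: "00:11:22:33:44:01", 2: "00:11:22:33:44:02", 3: "00:11:22:33:44:03"}
ARP_TABLE = {
    "00:11:22:33:44:01": "192.168.1.12",
    "00:11:22:33:44:02": "192.168.1.50",
    "00:11:22:33:44:03": "192.168.1.37",
}
REVERSE_DNS = {
    "192.168.1.12": "accounting-pc.example.local",
    "192.168.1.50": "fileserver.example.local",
    "192.168.1.37": "reception-pc.example.local",
}


def counter_delta(old, new, wrap=COUNTER_MAX):
    """Difference between two readings of a monotonically increasing SNMP counter.

    If the new value is smaller, the counter wrapped once between the polls.
    """
    return new - old if new >= old else new + wrap - old


def port_rates(t0, t1, interval=POLL_INTERVAL):
    """Return {ifIndex: (in_bps, out_bps)} from two counter samples."""
    rates = {}
    for idx, (in0, out0) in t0.items():
        in1, out1 = t1[idx]
        in_bps = counter_delta(in0, in1) * 8 / interval
        out_bps = counter_delta(out0, out1) * 8 / interval
        rates[idx] = (in_bps, out_bps)
    return rates


def busiest_ports(t0, t1, n=3):
    """Ports ranked by total bits per second, busiest first."""
    rates = port_rates(t0, t1)
    return sorted(rates.items(), key=lambda kv: kv[1][0] + kv[1][1], reverse=True)[:n]


def identify(ifindex):
    """Walk port -> MAC -> ARP entry -> DNS name, as the answer describes."""
    mac = MAC_TABLE.get(ifindex)
    ip = ARP_TABLE.get(mac)
    return {
        "ifindex": ifindex,
        "mac": mac,
        "ip": ip,
        "hostname": REVERSE_DNS.get(ip, "no PTR record"),
    }


if __name__ == "__main__":
    for idx, (in_bps, out_bps) in busiest_ports(SAMPLE_T0, SAMPLE_T1):
        print(f"port {idx}: {in_bps/1e6:.2f} Mbit/s from host, {out_bps/1e6:.2f} Mbit/s to host")
    print(identify(busiest_ports(SAMPLE_T0, SAMPLE_T1)[0][0]))
```

The wrap check matters most when polling the 32-bit ifInOctets/ifOutOctets counters on older gear, which roll over in under a minute on a saturated gigabit link; the 64-bit HC counters used here make it rare but the check is the same. Collect for a few days as the answer suggests, because a backup job and a malware infection look identical in a single five-minute sample.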