5

Can just one machine on our network generate enough network traffic, whether it be from malware or P2P or whatever, to affect all network/internet users?

My company has many public machines available for anyone to browse the internet on. If just one of these machines became infected with a virus could it affect all internet traffic in the building? How about if a user were running P2P software?

...and what about our wireless? We have an open/unsecured wireless AP available to the public. Could someone using a wireless laptop generate/use up enough traffic to cripple the entire network?

We are on a 5mb DSL Verizon business line located in a med-sized city. Lately, at certain times of the day, internet traffic is at a standstill. I can't even browse to small sites like Google.com and I can't check my mail without Outlook timing out numerous times for several hours.

Thanks.

cop1152

9 Answers

17

Yes, one computer with malware, or a torrent client, can easily saturate a 5MB link. Heck, it should be easy enough to saturate a 5MB link with just normal network traffic.

You should check some of the questions on the site related to traffic monitoring and shaping. There is lots of good advice about methods you can use to discover what is causing the link to be saturated and how to fix it.

Zoredache
3

5 mbps is slow compared to what a computer can transfer. So yes, a computer can use 100% of the internet link. There are 2 major protocols over the Internet: TCP and UDP. If other users use TCP-based applications (like http/smtp/..) this can slow down your connection but you should not get timeout problems. If they use UDP (like if they are streaming a video or doing VoIP) they can saturate the link and you will get lots of problems like you have. Just to be sure, when you have your problem with Outlook, are you on a wireless network or on a wired one?

radius
  • @radius, why should the impact of TCP usage be different from UDP usage? If there was a mass-downloader that downloaded over multiple TCP/HTTP streams from just one machine it should be able to add up to significant bandwidth utilization – nik Jun 16 '09 at 18:29
  • Yes, but when the link is fully used some TCP segments will be lost and the TCP congestion mechanism will make the TCP throughput decrease, so that enough bandwidth will be available to open a new working TCP session (even if it's a bit slow). With UDP, if a user is streaming an HD video, the link could suffer from an unwanted kind of "Denial of Service". More information about TCP congestion can be found here: http://en.wikipedia.org/wiki/TCP_congestion_avoidance_algorithm – radius Jun 16 '09 at 19:03
2
  • P2P Software can hog bandwidth and a 5Mbps link is quite narrow for torrent communications. A single torrent client communicating with about 25 peers each at 256Kbps will finish your uplink
  • A single malware infected machine has the potential of disrupting your enterprise network and also spreading inside the enterprise faster than an infection from the internet
  • A malware infected machine can also disrupt your network devices (switches/routers) and servers
  • An unsecure wireless AP is probably the worst thing you can do with your network. Besides disrupting and snooping enterprise traffic, you may land up being answerable to things done by people who were never ever on your premises.
  • Have you considered the possibility of on-line gaming or streaming software being used in your enterprise? That will take up the 5Mbps too

So, what can you do?

  • Consider monitoring traffic by protocol on your uplink. If you have a router or proxy there it will help
  • Talk with your ISP to give you a report that classifies the traffic utilization. That will help you figure out exactly what is hogging your bandwidth
  • Confirm that your Windows machines are patched correctly and your AV/AS systems are also updated regularly with signature updates
  • Explicitly firewall all inbound communications that are not part of your organization policies (if you are not supposed to run a Mail server on any machine except the mail server, block incoming port 25 for all other machines, etc).

Zoredache has already given some very good references. +1

nik
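One way to act on the "monitor traffic by protocol on your uplink" advice in the answer above, as an added example that is not part of the original answers: aggregate flow records per internal host and protocol in fixed windows and flag any host consuming a large share of the 5 Mbps link. The record layout, addresses, 60-second window and 50% threshold are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

LINK_BPS = 5_000_000   # the 5 Mbps DSL link from the question
WINDOW_S = 60          # aggregation window in seconds (assumed)
THRESHOLD = 0.5        # flag a host using more than half the link (assumed)

# Constructed flow records: (epoch_seconds, internal_host, protocol, bytes).
# In practice these would come from a router's flow export or a proxy log.
SAMPLE_FLOWS = [
    (0,  "10.0.0.11", "tcp", 1_500_000),
    (10, "10.0.0.12", "tcp", 400_000),
    (20, "10.0.0.23", "udp", 20_000_000),
    (40, "10.0.0.23", "udp", 12_000_000),
    (65, "10.0.0.11", "tcp", 2_000_000),
    (70, "10.0.0.23", "tcp", 30_000_000),
    (90, "10.0.0.12", "udp", 100_000),
]

def top_talkers(flows, link_bps=LINK_BPS, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return [(window_start, host, share_of_link, {proto: bytes})] for heavy hosts."""
    per_host = defaultdict(lambda: defaultdict(int))
    for ts, host, proto, nbytes in flows:
        window = ts - ts % window_s          # start of the window this flow falls in
        per_host[(window, host)][proto] += nbytes
    capacity_bytes = link_bps / 8 * window_s  # bytes the link can carry per window
    flagged = []
    for (window, host), protos in sorted(per_host.items()):
        share = sum(protos.values()) / capacity_bytes
        if share > threshold:
            flagged.append((window, host, round(share, 2), dict(protos)))
    return flagged

def link_utilisation(flows, link_bps=LINK_BPS, window_s=WINDOW_S):
    """Return {window_start: fraction of link capacity used by all hosts}."""
    totals = defaultdict(int)
    for ts, _host, _proto, nbytes in flows:
        totals[ts - ts % window_s] += nbytes
    capacity_bytes = link_bps / 8 * window_s
    return {w: round(b / capacity_bytes, 2) for w, b in sorted(totals.items())}

if __name__ == "__main__":
    print(link_utilisation(SAMPLE_FLOWS))
    for row in top_talkers(SAMPLE_FLOWS):
        print(row)
```

The per-protocol byte counts in each flagged row show whether the heavy host is streaming over UDP or bulk-downloading over TCP, which is the distinction the answers above argue about.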
2

No one has mentioned this yet but one computer spewing broadcast packets as fast as it can on a network can cause a lot of problems on a local network. This problem becomes more of an issue on larger networks.

One funny story with malware. At one of my previous jobs we had a compute cluster of 25 dual Xeon machines back when the MS Blaster virus came out. They were running software that would break with the MS patch that they rushed out. So to protect the cluster of computers we made sure that every computer on our network was fully patched as a level of protection. This worked great until someone brought in an infected laptop and connected to our network. We instantly had 25 dual Xeons with gigE links flooding our network with traffic. This resulted in 100% packet loss on our local network. Forget about getting to the internet. So yes, this is a real threat.

In this case the laptop was one of our sales staff but this could have easily been a guest wireless connection laptop so be careful how you set that stuff up.

Where I work now our guest wireless is not open but has a simple password, is on its own network segment that has no access to our internal networks, and traffic from that network segment is marked as low priority and limited to about 30% of our bandwidth going out to the internet.

3dinfluence
  • Broadcast is really unfriendly for network devices, e.g. Cisco gear is much more likely to use the CPU and you could find equipment that works at 10Gb/s with no problem dropping most packets with full CPU use at 10Mb/s of broadcast. – carlito Jun 29 '09 at 06:36
0

Not only yes, but it's likely. If you have public machines they should be behind a locked-down firewall and a proxy. Microsoft ISA Server works perfectly for this. Also note that if you are using Outlook with your own Exchange server then not only is your external connection swamped but your internal network is getting flooded as well.

Jim B
0

An unsecured wireless AP is like walking out the front door at the end of the day and leaving all the windows and doors wide open... with a neon sign blinking your SSID every few seconds... the only difference is that someone can be snooping through your network from your parking lot or the office next door and you would never know.

My suggestion would be to lock down the wireless AP as soon as possible. Make sure the machines accessing it are known. You can also use a service like OpenDNS to shut down access to "not appropriate" websites/servers from the machines inside your network you do trust. It can also be configured to catch most of the online games, which tend to eat the most bandwidth.

skamradt
0

I've seen regular workstations manage to saturate even 100Mb Ethernet connections, so a 5Mb ADSL line is very simple. All it takes is more than one Hulu stream going at the same time and that's a big chunk of that bandwidth right there. Also, people actively seek out unsecured public Wi-Fi in order to use BitTorrent, as it is a lot harder to trace the activity back to a person who can receive a DMCA take-down notice.

sysadmin1138
0

Absolutely. This is one of those times that traffic shaping is really handy. If you can set up something running an application-layer packet filter you can increase priority for the sorts of traffic you want to work reliably, and decrease priority on things you care less about. For example, we will allow filesharing to burst to nearly filling the pipe, but higher-priority web traffic will slow the filesharing back down.

Options to start looking at include appliances like BlueCoat PacketShaper or software like the open-source Netfilter, and the L7 filters to classify the packets.

Laura Thomas
0

A modern laptop should be able to saturate a gigabit Internet connection, if you were to for example put it on a test network and typo an address that actually gets routed.

Or a few-years-old desktop. E.g. the first machines with onboard gigabit.

For a while I was using the ability to send UDP at over 900 Mb/s as a guide of when old hardware should be kept for testing use, or thrown in the garbage. Basically it shouldn't even be used for testing purposes if it's slower than this. (It's a good way to summarize internal bus speeds, or the CPU speed, and to quickly eliminate machines without onboard gigabit or fast slots.) Also, the ability to saturate a gigabit link meant the ability to participate in network tests.

So I threw countless machines in the garbage because they'd -only- be able to max out a link 190 times faster than you're concerned about.

carlito