We had an issue where we noticed approximately 170GB of data downloaded as HTTP traffic over a one-week period on our network. After locking down many services and running a hub as an in-between capture point with a tracing package, we noticed that the traffic was coming from one of our non-production virtual machines. Actually, it was an SBS 2008 test environment. The issue would go away once we disconnected the one office that housed this virtual machine.

Once the virtual machine was stopped or disconnected the traffic trickle would go away. The bandwidth was approximately 900Kbps steady when it would start running. We looked around for any such large downloaded data and noticed that there is no large data footprint on the virtual machine or any other network shares/servers.

We don't have any FTP or other WAN-side services open except an SSH tunnel on a non-standard port that is pretty locked down.

My question is: what could have caused such a high amount of download on our end? To give an example, there was 162GB downloaded with only 6GB uploaded from our WAN IP.

To clarify, it appeared that we had downloaded 162GB of data and uploaded 6GB of data from our end.

I can give more information if needed.

dasko
  • SBS2008? Try looking at WSUS on the SBS server. – joeqwerty Mar 15 '13 at 20:56
  • We can try disabling WSUS and seeing if that does anything. Thanks for the suggestion. – dasko Mar 15 '13 at 21:54
  • Forefront security was the issue. As soon as we removed it from the SBS install package from this non-production test server, the traffic never appeared again. Even though people might think this is not a real question, it is best to leave this comment here so maybe someone can stumble across it in Google if they are looking for a suggestion as to what could cause high network bandwidth with an SBS 2008 Server on their internal network. – dasko Mar 20 '13 at 18:43

1 Answer

One of your servers is doing something it shouldn't. You don't know what it is but you expect us to tell you? Sorry but all we can tell you is to investigate further.

Start by reading your logs; if that doesn't give you the answer, look at netstat, then try packet sniffing - see if you can identify what it's downloading and where from.

> and noticed that there is no large data footprint

Check the server for smaller recently modified files. If you're only looking at how much of your WAN/internet pipe it's using, then check if it's sending lots of data elsewhere.

symcbean
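
The netstat step suggested in the answer above, as an added example that is not part of the original question or answer: it parses Windows `netstat -ano` output and counts connections to external hosts on remote port 80 per owning PID, so the process behind steady HTTP traffic can then be looked up with `tasklist /FI "PID eq <pid>"`. The sample output, addresses and PIDs are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (documentation address ranges, made-up PIDs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.168.16.2:49811     203.0.113.10:80        ESTABLISHED     2316
  TCP    192.168.16.2:49812     203.0.113.10:80        ESTABLISHED     2316
  TCP    192.168.16.2:49813     203.0.113.10:80        ESTABLISHED     2316
  TCP    192.168.16.2:49820     198.51.100.7:443       ESTABLISHED     1180
  TCP    192.168.16.2:3389      192.168.16.50:51022    ESTABLISHED     1408
  TCP    192.168.16.2:49825     192.168.16.9:80        ESTABLISHED     2040
  TCP    192.168.16.2:49830     203.0.113.44:80        TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    988
"""

# RFC 1918 and loopback IPv4 prefixes; IPv6 remotes are not filtered and count as external.
INTERNAL = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

def outbound_http(netstat_text, ports=(80,)):
    """Count TCP connections to external hosts on the given remote ports,
    keyed by (owning PID, remote address)."""
    hits = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly five columns; headers and UDP rows do not qualify.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _proto, _local, remote, state, pid = fields
        host, _, port = remote.rpartition(":")
        if state == "LISTENING" or not port.isdigit() or not pid.isdigit():
            continue
        if int(port) in ports and not INTERNAL.match(host):
            hits[(int(pid), host)] += 1
    return hits

def top_talkers(netstat_text, ports=(80,)):
    """Return [((pid, remote), connection_count), ...], busiest first."""
    return outbound_http(netstat_text, ports).most_common()

if __name__ == "__main__":
    for (pid, remote), count in top_talkers(SAMPLE):
        print(f"PID {pid:>5} -> {remote}:80  connections={count}")
```

Connection counts do not measure bytes, so a PID that keeps reappearing across repeated snapshots is the one to confirm with a packet capture. PID 0 on a `TIME_WAIT` row means the connection has already closed and can no longer be tied to a process.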