0

I am having trouble on our school network recently. When browsing the internet, users will often get an error from the browser saying "No Internet DNS_PROBE_FINISHED_NXDOMAIN", but when they refresh, the page will load. I at first suspected our DNS server since pages were having trouble resolving. I tried several different ones, but saw no difference. I called our provider but they said there was an overwhelming amount of network traffic being sent to the modem.

When monitoring network traffic, there are almost always a couple of computers sending a lot of packets. They always seem to be different computers. I can see the computers in the lab and it is usually a student that does not have a browser open, running Mavis Beacon or something else that does not use the internet. All our computers are running Windows 10. Traffic is always coming from some content delivery network such as akamaiedge, amazonaws, or edgecastcdn.

I have tried researching this issue, but most say that these are harmless content delivery networks that Microsoft is using to download updates. I have set up all the school computers to receive all updates from Windows Server 2012 R2 with WSUS so they should not be downloading any updates from Microsoft.

I have a Netgear ProSAFE Firewall set up with Block TCP and UDP Floods left at their default limits. I have tried checking background processes on some of the PCs for network usage. Chrome is always using about .1mbps constantly and some as well as "From Microsoft background task host" and "from microsoft download\upload host". Adobe has some background stuff, but this isn't installed on all computers.

I am at a loss as to what to try, and worry about some adware on the server or router, as this kind of traffic seems to come from all the computers. This happened suddenly about a month ago and I haven't been able to track it down to anything in particular. Would appreciate any suggestions. Thanks!

Joel Page

1 Answer

0

Some things I found out. Under attack checks in my firewall I had "Block UDP flood" enabled and set to 25 connections per second. This is what caused the dropped DNS packets.

I tried disabling it and didn't have any DNS drops, but the modem kept crashing which is why I had turned the setting on in the first place. I set it to 100pps and haven't had any crashes or DNS drops yet.

Most of the content delivery network stuff I was seeing was caused by Windows Defender. It seems that even if it is set to receive updates from the Server, it will still download updates from Microsoft if one is not available.

I was able to fix this on the school computer by disabling BITS in Group Policy and disabling the setting "Allow definition updates from Microsoft Update".

There are still non-school devices on the network that are not in our workgroup that receive updates from Microsoft and cause a ton of traffic. This is what I was seeing when the modem crashed. That is out of my hands though since they belong to the staff.

I'd appreciate any other advice to improve the situation, but for now, the issue seems to have been solved. Thanks everyone for the advice.

Joel Page
  • Joel, you should edit your question with this additional information, rather than putting it in the answer. People will see an answer and not bother reading your question. – Tim Dec 15 '16 at 19:01
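
An added example, not part of the original answer and not Netgear's actual algorithm: a simplified model of a UDP flood limit, showing how a DNS query from a busy host is dropped at 25 per second but passes at 100. Assumptions: the limit is counted per LAN host in fixed one-second windows and excess packets are dropped; the sample records, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

def make_sample():
    """Constructed records: (seconds, LAN source IP, protocol, destination port)."""
    recs = []
    # Host .20: 60 UDP/443 packets inside second 0, then one DNS query.
    recs += [(i / 100, "10.0.0.20", "udp", 443) for i in range(60)]
    recs.append((0.70, "10.0.0.20", "udp", 53))
    # Host .21: light user, three DNS queries in second 0.
    recs += [(0.1 * i, "10.0.0.21", "udp", 53) for i in range(3)]
    # TCP traffic does not count against the UDP limit.
    recs.append((0.5, "10.0.0.20", "tcp", 443))
    return recs

def simulate_udp_limit(records, limit):
    """Apply an assumed per-host, per-second UDP limit.

    Returns {src: {"peak_pps", "dropped", "dns_dropped"}}.
    """
    seen = defaultdict(int)  # (src, whole second) -> UDP packets so far
    report = defaultdict(lambda: {"peak_pps": 0, "dropped": 0, "dns_dropped": 0})
    for ts, src, proto, dport in sorted(records):
        if proto != "udp":
            continue
        key = (src, int(ts))
        seen[key] += 1
        entry = report[src]
        entry["peak_pps"] = max(entry["peak_pps"], seen[key])
        if seen[key] > limit:  # over budget for this second: packet is dropped
            entry["dropped"] += 1
            if dport == 53:  # a dropped DNS query surfaces as NXDOMAIN/timeouts
                entry["dns_dropped"] += 1
    return dict(report)

if __name__ == "__main__":
    for limit in (25, 100):
        print(limit, simulate_udp_limit(make_sample(), limit))
```

Running the same function over per-packet records exported from a real capture gives each host's peak UDP rate, which is the number to compare against the firewall threshold before raising or lowering it.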