Thread ID: 35355 2003-07-09 22:37:00 high JS traffic on network - no reason... falvrez (390) Press F1
Post ID Timestamp Content User
158627 2003-07-09 22:37:00 Morning all

Got a major here that's been happening for the last few weeks.
We have a 5gig Jetstream (not starter) account for our organisation, and last month it hit 9gigs.
This month with 8 days to go it's on 8 gigs. As you can imagine I'm desperately trying to find the cause of the problem.

We have about 40 PCs running here, most of the staff are out during the day which gives me time to check machines over quite easily.
The traffic is 90% downloading, and always during work hours.
I can hear you now - Kazaa! But I've checked every single machine - no Kazaa or other type of file sharing app, no internet radio, no streaming video, and now I'm just about at my wit's end.

Out of desperation yesterday afternoon at 4.30 I pulled the plug on the router to isolate the problem (and left it off all night), and after checking this morning, there's been no traffic at all during the night.
One thought was that it's our server which runs 24/7, but again the traffic is only during the day, with a few hundred k here and there during the odd night (some print servers are left on - antivirus updates?).

Looking at the stats for yesterday, there were downloads of between 30 and 80 megs per hour from 8am-midday - at these times I was in the office checking the machines over and there was no funny activity of any sort.

We do have a VPN running with a similarly setup router/hardware firewall at our other building, but the JS account there is plodding along as per normal, so I don't expect that it's something between the two buildings. Also the only programs we run over the VPN (using Terminal Server) are a financial package and fleet package, with data traffic for these being minimal. We also run our intranet from our server here for the other building, but again we're only talking minimal packets...

Has anyone, anyone at all, got some fresh thoughts on this?

Look forward to any help you can offer.

Cheers and thanks
falvrez (390)
158628 2003-07-10 00:28:00 I would be inclined to install personal firewalls on the PCs and see what programs are accessing the net. Could be something as simple as a keyboard or printer driver that's checking for net access. tweak'e (174)
158629 2003-07-10 00:36:00 Thanks tweak'e

Sure a keyboard driver or printer driver *could* be the culprit, but 60 megs an hour? Every hour?
falvrez (390)
158630 2003-07-10 00:44:00 Yep, some of those are known to generate quite a bit of traffic... times that by 40 PCs and that could account for a lot of traffic.

You could also try isolating each PC and see what traffic each PC is downloading. A personal firewall is an easy way to do it. Try Outpost or Kerio; at least you can log what addresses the PC is connecting to.
tweak'e (174)
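The per-PC isolation tweak'e suggests can also be done from the router or firewall side rather than by walking around machines. The following is an added example, not code from anyone in the thread: it sums inbound bytes per internal host per hour from a constructed accounting-log format (timestamp, internal IP, remote IP, bytes in; the format and sample addresses are made up here), so the one machine pulling 30-80 MB an hour stands out.

```python
"""Per-host, per-hour inbound byte accounting over constructed router/firewall logs.

Added example for this thread, not the poster's or any product's own code.
Log format (constructed for illustration):
    "<date> <time> <internal_ip> <remote_ip> <bytes_in>"
"""
from collections import defaultdict
from datetime import datetime

MB = 1024 * 1024

# Constructed sample: one PC (192.168.1.23) pulls 50-70 MB every hour,
# the rest of the office is background noise.
SAMPLE_LOG = """\
2003-07-09 08:05:12 192.168.1.23 203.0.113.10 41943040
2003-07-09 08:17:40 192.168.1.23 203.0.113.11 20971520
2003-07-09 08:30:02 192.168.1.7 198.51.100.5 524288
2003-07-09 09:02:55 192.168.1.23 203.0.113.10 52428800
2003-07-09 09:44:10 192.168.1.12 198.51.100.9 1048576
2003-07-09 10:10:00 192.168.1.23 203.0.113.12 73400320
"""


def parse_line(line):
    """Return (hour_bucket, internal_ip, bytes_in), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        return ts.strftime("%Y-%m-%d %H:00"), parts[2], int(parts[4])
    except ValueError:
        return None


def bytes_per_host_hour(log_text):
    """Sum inbound bytes into (internal_ip, hour) buckets, skipping bad lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hour, host, nbytes = rec
            totals[(host, hour)] += nbytes
    return dict(totals)


def heavy_hours(totals, threshold_mb=30):
    """(host, hour, MB) for every bucket at or above the hourly threshold."""
    hits = [(h, hr, b / MB) for (h, hr), b in totals.items() if b >= threshold_mb * MB]
    return sorted(hits)


def suspect_hosts(totals, threshold_mb=30):
    """Hosts that exceeded the hourly threshold in at least one hour."""
    return sorted({h for h, _, _ in heavy_hours(totals, threshold_mb)})
```

With the sample above, `suspect_hosts(bytes_per_host_hour(SAMPLE_LOG))` names only 192.168.1.23, and `heavy_hours` lists its three 50-70 MB hours; on a real log the same two calls narrow 40 PCs down to the one or two worth inspecting.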
158631 2003-07-10 01:02:00 as already stated, get a firewall and see what packets are doing.

One other thought is Windows Update?? That can pull lots of data and will only do it when the system is not being used for other work, e.g. when staff are out of the office.
robsonde (120)
158632 2003-07-10 01:58:00 Thanks for the advice guys (?)

Will look at personal firewalls, but not hopeful as even when I check the packets received on each machine it ain't that high.
No machines run windows auto update, so no drama there.
Most machines running Win98, some 2000 and some (4 or so) XP, but still no auto update enabled.
Even if I walk around the machines and check the network status in the sys tray, very rarely do I see any activity - surely if someone is pulling between 30-80 megs an hour, I'd notice this as constant network activity?

Which is why I am stumped...
falvrez (390)
158633 2003-07-10 02:12:00 I had the same problem a few months ago. $4500 in excess MB charges and still no idea what was causing it. Our tech suspected either some kind of bulk mailing 'using' our server or someone logging in somewhere else with our login details. It stopped as soon as we started looking for it. wotz (335)
158634 2003-07-10 02:41:00 Check your PCs and see that they do not have an unrequired SMTP service loaded. When I was at an ISP a few years back, a spammer used our customer's incorrectly configured NT Server and his connection was hammered.

People are also hunting for open SMTP ports. If you need the server, lock it down and configure it correctly. Don't let it be an open relay.
KiwiTT (4082)
158635 2003-07-10 02:46:00 You would want to check what every computer has installed. Probably someone has installed a program such as http-tunnel (http://www.http-tunnel.com) and is sending traffic via an encrypted stream through the common http ports.

This effectively allows them to do anything without being detected, i.e. have P2P running constantly and no-one knows it. The person in question probably just shuts down the program when you start doing the inspection rounds :p

Who knows, maybe they download off newsgroups?
PoWa (203)
158636 2003-07-10 02:48:00 Also, how are you checking to see which programs are installed? I know you can remove the entries from Add/Remove Programs without actually removing the program itself. All the person has to do is install his P2P program in a PGP disk etc., and it's effectively very difficult to find :) PoWa (203)