Solved

Slow Network and loss of gateway connection

Posted on 2004-10-19
12
765 Views
Last Modified: 2012-06-27
My network for some reason is grinding to halting speed and all computers seem to lose connectivity with the gateway - this effect is affecting VPNs coming in from the outside as well.  My hubs are all showing constant network traffic.

I've been running Ethereal but I'm not sure what to look for.

Any help here would be greatly appreciated.

thx in advance
0
Comment
Question by:loupis
12 Comments
 
LVL 3

Expert Comment

by:browolf
ID: 12353104
What sort of network? Domain based?

If you can post/host a text file of the Ethereal traffic somewhere we can all have a look.
0
 
LVL 4

Expert Comment

by:pakitloss
ID: 12354260
Also while you are at it can you do an internal portscan of the subnet and post the ports open? We need to find out for one as well whether this traffic is coming from the inside or the outside. Next I would scan your outside network to see what's open. My first guess is filesharing. Look for ports like 6889 and up and LOTS of packets coming from them. One or two machines on a small network using BitTorrent can bring things to a screeching halt. What do you have for a firewall?

Mike
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12360659
Sure looks like you have a worm loose on your network...

Try shutting down PC's and servers one at a time until they are all offline and see if you can catch the culprit...
Then bring them all back up one at a time. Someone else might take over and bring the network back down..

We saw this all over the place with MSBlast, Welchia/Nachi worms earlier this year.

If you can, block ICMP at the router ingress port (stop all ICMP from going out the router/firewall)
Can you be more specific in the network equipment you have?
0
 

Author Comment

by:loupis
ID: 12364706
The domain is a 2k SBS and the router is a Cisco 1720 with an ADSL card.

ICMP should be blocked out but not in.

I'll attach an Ethereal clip - how many lines of text can I post here, or would you need to see?

I'm in the process of a powerdown on all computers now.

andy



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12365080
If you have a 1720, try this to help:

access-list 110 deny icmp any any echo
access-list 110 permit ip any any

  interface fast 0
   ip access-group 110 in
   ip accounting output-packets
   ip route-cache flow

Then use:
  "sho access-list 110"  to see the hit-count increase on the deny entry - yes | no = clue
  "sho ip accounting output-packets"  highest number of packets to inside IP = clue
  "sho ip cache flow" shows source/destination pairs and ports (in hex)

Sort your Ethereal capture by port number. Look for any specific port that has a lot of activity that is outside the "normal" ports on your network.




0
 
LVL 4

Expert Comment

by:pakitloss
ID: 12373792
I agree with lrmoore,

You will find many ports open but the majority of which will have nothing traffic wise of the magnitude of the storm you are getting. The offending port(s) will be spewing out packets. If you have your machines on a managed switch like a Cisco 2924 you could type from enable mode "sho int accounting" and if need be clear the interface counters and watch the ports. "clear counters" and then just keep re-running the "sho int accounting" command.

Mike
0
 

Author Comment

by:loupis
ID: 12374397
I think I found a solution here - though maybe I'm running down the wrong highway.

I examined the majority of the packets and they were DNS.  So I dug in a little bit deeper and found out that the primary DNS server at my ISP had been changed without letting me know.  I plugged the new numbers into my DNS forwarders and in my IP NAME-SERVER on my c1720 and it seems to be running smoothly right now.  (I can at least get here to communicate with you gurus.)

Does this make sense?

andy
0
 
LVL 3

Accepted Solution

by:
browolf earned 125 total points
ID: 12375144
If the problem's gone away then that was most likely the solution.
You probably had DNS packets going round in circles.
0
 

Author Comment

by:loupis
ID: 12375771
Hmm - DNS wasn't the answer -

I didn't get much from the Cisco - when the problem's happening I can't access the router.

catch 22
0
 

Assisted Solution

by:ecrit
ecrit earned 125 total points
ID: 12376525
With little information this is gonna be hard but here is a guess.
Go to a command prompt and type netstat.
If you see a lot of traffic on port 445 I would bet you have a worm.
Yes, port 445 is used for NetBIOS but recent worms have been using this port also.

If you are using Ethereal what IPs and ports are repetitious?
0
 
LVL 4

Assisted Solution

by:pakitloss
pakitloss earned 125 total points
ID: 12376572
Loupis,

What you might want to do is get a laptop and plug into the hub and start sniffing packets with a clean machine while the problem is happening. Then post some of the results up here where everyone can see them.  One thing you can do is clear the counters in your router and after the next time this happens post the "sho ip accounting output-packets", "sho access-list 110" and "sho ip cache flow" from lrmoore's suggestion and paste them up here.  I'd still like to see a port scan as well myself if you could. As far as your question about the Ethereal post, do what lrmoore said and sort by port and post about 5 or so lines of the ports with the heaviest usage.

Mike
0
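lrmoore and pakitloss both suggest sorting the Ethereal capture by port and looking for the port with the heaviest traffic, and for the hosts driving it. The script below is an added example (not code from anyone in this thread) that does that tally over a constructed text export; the line layout and all addresses are assumptions, not from a real capture.

```python
import re
from collections import Counter

# Constructed sample in an Ethereal/tcpdump-style text export (not a real capture).
# One host, 192.168.1.50, is hammering port 445 on many different destinations,
# the propagation pattern the thread is worried about; the rest is normal DNS/HTTP.
SAMPLE_CAPTURE = """\
1 0.000 192.168.1.50 -> 10.2.3.4 TCP 1234 > 445 [SYN]
2 0.001 192.168.1.50 -> 10.2.3.5 TCP 1235 > 445 [SYN]
3 0.002 192.168.1.50 -> 10.2.3.6 TCP 1236 > 445 [SYN]
4 0.003 192.168.1.10 -> 192.168.1.1 DNS 1027 > 53 Standard query A www.example.com
5 0.004 192.168.1.1 -> 192.168.1.10 DNS 53 > 1027 Standard query response
6 0.005 192.168.1.50 -> 10.2.3.7 TCP 1237 > 445 [SYN]
7 0.006 192.168.1.20 -> 198.51.100.9 TCP 1500 > 80 [SYN]
8 0.007 192.168.1.50 -> 10.2.3.8 TCP 1238 > 445 [SYN]
"""

# Assumed line format: "<no> <time> <src> -> <dst> <proto> <sport> > <dport> ..."
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>\w+)\s+(?P<sport>\d+)\s+>\s+(?P<dport>\d+)"
)

def parse_capture(text):
    """Yield (src, dst, proto, sport, dport) for every line that matches the layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], m["dst"], m["proto"], int(m["sport"]), int(m["dport"]))

def port_activity(text):
    """Packets per destination port: the 'sort by port' view of the capture."""
    return Counter(rec[4] for rec in parse_capture(text))

def top_talkers(text, dport):
    """Which sources send the most packets to a given port (the 'culprit' list)."""
    return Counter(rec[0] for rec in parse_capture(text) if rec[4] == dport)

def scanning_sources(text, dport, min_distinct_dsts=3):
    """Sources hitting many distinct hosts on one port, a worm-like sweep rather
    than a busy file share talking to one server. Returns {src: distinct_dst_count}."""
    dsts = {}
    for src, dst, _proto, _sport, dp in parse_capture(text):
        if dp == dport:
            dsts.setdefault(src, set()).add(dst)
    return {s: len(d) for s, d in dsts.items() if len(d) >= min_distinct_dsts}

if __name__ == "__main__":
    for port, n in port_activity(SAMPLE_CAPTURE).most_common(3):
        print(f"port {port}: {n} packets, top sources {top_talkers(SAMPLE_CAPTURE, port).most_common(2)}")
    print("sweeping hosts on 445:", scanning_sources(SAMPLE_CAPTURE, 445))
```

Point a real export's text at `SAMPLE_CAPTURE` and adjust `LINE_RE` to its column layout; the port that dominates `port_activity` and the source that dominates `top_talkers` are the five lines pakitloss asks for.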
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 12403501
Any progress? Are you still working on this?
Seems the GaoBot worm has been doing this to networks lately..
0