"Unusually high router traffic... No/Slow internet access"

Posted on 2005-04-13
Last Modified: 2013-11-29
Okay, my knowledge is limited so bear with me...
Our network runs off of two servers, server1 is the domain controller (W2K) running DHCP etc..., and server2 is
a W2K3 server running Citrix terminal services for our remote offices.
All machines/servers are plugged into two Linksys unmanaged switches, which are then plugged into a Cisco router
(the router is Comcast's, and is our gateway).  Everything was fine until last Wed. when we suddenly began having
internet connection problems, the connection usually didn't work, and when it did it was extremely slow...
After checking lines, swapping routers etc... Comcast came to the conclusion that it was our network.
Too much traffic coming into our network via certain ports?!? (1483,1493,1494,1314,4214,1031)
I know that 1494 was opened up for our Citrix users, and 1604 was pointed to our static IP, aside from that
I don't know where to go from here to verify or dispute their claim.  I think they're just passing the buck,
but I can't say for sure, and since I can't refute it, they won't do anything more for us...
Can someone help?  Until we get this fixed, we have 3 remote offices w/people doing crosswords...
Question by:RVicente99
    LVL 4

    Assisted Solution

    Run an IP port scanner from one of your machines on the internal network. Also, if you have a server, check that your servers are all fully patched up.

    It might be that your server is infected with a virus and is trying to send a lot of things out, so that is why everything is slow, because upload is at the max.

    The other possibility is that someone is running a peer-to-peer network inside your work and is chewing up all of the available bandwidth.

    LVL 87

    Assisted Solution

    Check your system for anyone running P2P software, like Kazaa or eMule. Also check for malware on your PCs. You can use the following instructions to do that:

    Turn off System Restore (Control Panel, System).
    Start msconfig (Start, Run, msconfig), select the startup tab and remove the ticks from any programs you aren't sure of what they might be.
    Let your PC be restarted.
    Download and install Spybot S & D (
    Let the installer activate the teatimer and update Spybot.
    Click on "make registry backup", wait until done and click on next.
    Let the scan finish, then select all the found items and select clean.
    If the system wasn't able to clean out everything it found, let it reboot. Spybot should start up before you log on; do another scan.
    Again select all found items and clean. When finished select "immunize", then close Spybot.
    Download and install Adaware (
    Let the installer do an update, then scan the system.
    Select all found items and let them be removed.
    A reboot may also be necessary here.
    If either Spybot or Adaware or both still weren't able to remove all malware, reboot your system to safe mode and let the tool which couldn't remove a malware do another scan. If it is Adaware, change the scan settings to scan within archives, then start a scan.
    Again select all found malware and let them be removed.
    If you still have malware on your system after that, download the latest version of HijackThis:

    Run it and save the log. Paste the log to the following website:

    Click the "analyze" button and you will have an analysis of your log.
    Now paste the analyzed log here, so we can help further (provided you don't get enough info from the log and can do it yourself).
    Next, make sure your AV software is up to date and running. Let the system do a thorough AV scan.

    Accepted Solution

    a quick google search turned up this info runs on port 1314
    A RAS server called Radiator runs on port 4214.
    1031 is a known trojan-exploited port.

    A good practice is to close all non-usage ports, only opening the ones you know you need to use. All those you listed above can be closed, except for 1494, because you know what's using that. There is software available that will scan your ports for usage.

    Also get yourself a good trojan/spyware scanner like Webroot's Spy Sweeper.

    Also get a port scanner to watch for activity
    is the location of a decent port scanner. It will only detect the port if its open and being used.

    Get all the ports locked down and control your environment, then see if the traffic is still high. If it is, then take that data to Comcast.
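The lock-down check from the accepted answer above, as an added example that is not part of the original thread or any poster's code: it parses `netstat -an` output from a Windows server and separates listeners outside an allowlist from the ports the ISP named. The port lists come from the question; the sample output, the addresses and the use of 1494/1604 as an allowlist are constructed assumptions.

```python
import re
from collections import namedtuple

# Ports Comcast named in the question; 1494 and 1604 are the ones the asker
# knowingly opened for Citrix (used here as the allowlist, an assumption).
ISP_NAMED = {1483, 1493, 1494, 1314, 4214, 1031}
KNOWN_GOOD = {1494, 1604}
Sock = namedtuple("Sock", "proto local_ip local_port remote state")

# Constructed sample of `netstat -an` output from a hypothetical server.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1031           0.0.0.0:0              LISTENING
  TCP    192.168.1.11:1494      198.51.100.7:50212     ESTABLISHED
  TCP    192.168.1.11:1031      203.0.113.9:4431       ESTABLISHED
  UDP    0.0.0.0:1604           *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """Return one Sock per TCP/UDP row; headers and blank lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, ip, port, remote, state = m.groups()
            # UDP rows have no State column; treat a bound UDP port as listening.
            socks.append(Sock(proto, ip, int(port), remote, state or "LISTENING"))
    return socks

def audit(socks, known_good=KNOWN_GOOD, isp_named=ISP_NAMED):
    """Report listeners outside the allowlist and sessions on ISP-named ports."""
    listening = {s.local_port for s in socks if s.state == "LISTENING"}
    return {
        "unexplained_listeners": sorted(listening - known_good),
        "isp_named_listening": sorted(listening & isp_named),
        "sessions_on_isp_named": [
            (s.local_port, s.remote) for s in socks
            if s.state == "ESTABLISHED" and s.local_port in isp_named
        ],
    }
```

A port in `unexplained_listeners` is only a prompt to identify the owning service before closing it; 135, for instance, is the Windows RPC endpoint mapper.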

    LVL 9

    Assisted Solution

    I concur with the above... nearly the same thing happened at our building last year, everyone's internet access crawled or became inaccessible.  Traced the problem down to one workstation at one of the tenants in the building.  Their network was isolated from ours, so we weren't attacked by the worm that had bit him, but that worm generated so much traffic that it saturated the meager 1.1mbps SDSL line we used at the time, leaving little left for the rest of us.

    As soon as I unplugged the offending workstation from their router everyone else returned to normal, then I went about cleansing the infected pc, reconnected it to their network, and all was good.

    You could always fire up a packet sniffer and see what the traffic is and where it's coming from/going to to narrow it down, but it may be faster to unplug Cat 5 cables from whatever router is blinking like mad (if your environment permits that... probably doesn't, but I was able to do that on ours because the tenant that had the mad blinking router really was only networked for internet access and their print sharing.  I could risk interrupting a print job on their end since they were interfering with my net access ;))
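One way to act on the packet-sniffer suggestion above, and on the accepted answer's advice to take data to Comcast, as an added example that is not part of the original thread: it totals upload per internal host and inbound bytes on the ISP-named ports from conversation records. The record layout, the 192.168.1.0/24 LAN and every address are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed internal subnet
ISP_NAMED = {1483, 1493, 1494, 1314, 4214, 1031}   # ports from the question

# Constructed records, one per direction of a conversation, as exported from
# a sniffer: source ip, source port, destination ip, destination port, bytes.
SAMPLE = """\
192.168.1.11 1494 198.51.100.7 50212 40000
198.51.100.7 50212 192.168.1.11 1494 9000
192.168.1.57 1031 203.0.113.9 445 900000
192.168.1.57 1032 203.0.113.10 445 850000
203.0.113.9 445 192.168.1.57 1031 1200
192.168.1.20 3050 192.0.2.80 80 3000
192.0.2.80 80 192.168.1.20 3050 60000
"""

def summarize(text, lan=LAN, ports=ISP_NAMED):
    """Return (upload per LAN host, download per LAN host, inbound bytes per named port)."""
    up, down, named_in = Counter(), Counter(), Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip blank or malformed rows
        src, _sport, dst, dport, size = fields
        src_in = ipaddress.ip_address(src) in lan
        dst_in = ipaddress.ip_address(dst) in lan
        if src_in and not dst_in:         # leaving the LAN: uses the uplink
            up[src] += int(size)
        elif dst_in and not src_in:       # entering the LAN
            down[dst] += int(size)
            # Inbound to a named port may only be replies: Windows 2000/2003
            # clients pick source ports from 1025-5000 by default.
            if int(dport) in ports:
                named_in[int(dport)] += int(size)
    return up, down, named_in

def top_uploader(up):
    """Return (host, percent of all upload) for the heaviest sender, or None."""
    if not up:
        return None
    host, sent = up.most_common(1)[0]
    return host, round(100 * sent / sum(up.values()), 1)
```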
    LVL 23

    Assisted Solution

    by:Tim Holman
    I would run on one of your network PCs to work out exactly what's going on.  This does sound very much like a worm/virus outbreak.

    Author Comment

    The problem was two-fold:  First, there was a problem with Comcast's router. It was creating a lot of interference/noise, thus causing a dramatic slow-down with our connection.  The other was that Comcast had decided to migrate users in our area onto another DNS server w/out letting us know, causing the outages and eventually a total loss of service.
    Thanks for all your suggestions though.  I'm going to split the points amongst all who responded.
    LVL 87

    Expert Comment

    Thanx too!
