Solved

"Unusually high router traffic... No/Slow internet access"

Posted on 2005-04-13
Medium Priority
Last Modified: 2013-11-29
Okay, my knowledge is limited so bear with me...
Our network runs off of two servers: server1 is the domain controller (W2K) running DHCP etc., and server2 is a
W2K3 server running Citrix terminal services for our remote offices.
All machines/servers are plugged into two Linksys unmanaged switches, which are then plugged into a Cisco router
(the router is Comcast's, and is our gateway).  Everything was fine until last Wed., when we suddenly began having
internet connection problems; the connection usually didn't work, and when it did it was extremely slow...
After checking lines, swapping routers etc., Comcast came to the conclusion that it was our network.
Too much traffic coming into our network via certain ports?!? (1483,1493,1494,1314,4214,1031)
I know that 1494 was opened up for our Citrix users, and 1604 was pointed to our static IP; aside from that
I don't know where to go from here to verify or dispute their claim.  I think they're just passing the buck,
but I can't say for sure, and since I can't refute it, they won't do anything more for us...
Can someone help?  Until we get this fixed, we have 3 remote offices w/people doing crosswords...
Question by:RVicente99
7 Comments
 
LVL 4

Assisted Solution

by:sriwi
sriwi earned 300 total points
ID: 13773975
Run an IP port scanner from one of your machines from the internal network. Also, if you have a server, check that your servers are all fully patched up.

It might be that your server is infected with a virus and is trying to send a lot of things out, so that is why everything is slow, because upload is at the max.

Another possibility is that someone is running a peer-to-peer network inside your work and is chewing up all of the available bandwidth.

Cheers
 
LVL 88

Assisted Solution

by:rindi
rindi earned 300 total points
ID: 13774020
Check your system for anyone running P2P software, like Kazaa or eMule. Also check for malware on your PCs. You can use the following instructions to do that:

Turn off System Restore (Control Panel, System).
 
Start msconfig (Start, Run, msconfig), select the Startup tab and remove the ticks from any programs you aren't sure about.
 
Let your PC be restarted.
 
Download and install Spybot S & D (http://www.safer-networking.org/en/index.html).
Let the installer activate the TeaTimer and update Spybot.
Click on "make registry backup", wait until done and click on next.
Let the scan finish, then select all the found items and select clean.
If the system wasn't able to clean out everything it found, let it reboot. Spybot should start up before you log on; do another scan.
Again select all found items and clean. When finished select "immunize", then close Spybot.
 
Download and install Adaware (http://lavasoft.com).
Let the installer do an update, then scan the system.
Select all found items and let them be removed.
A reboot may also be necessary here.
 
If either Spybot or Adaware or both still weren't able to remove all malware, reboot your system to safe mode and let the tool which couldn't remove the malware do another scan. If it is Adaware, change the scan settings to scan within archives, then start a scan.
Again select all found malware and let it be removed.
 
If you still have malware on your system after that, download the latest version of HijackThis:
 
http://www.hijackthis.de/downloads 
Run it and save the log. Paste the log to the following website:
 
http://www.hijackthis.de/en 
 
Click the "analyze" button and you will have an analysis of your log.
Now paste the analyzed log here, so we can help further (provided you don't get enough info from the log and can do it yourself).
 
Next, make sure your AV software is up to date and running. Let the system do a thorough AV scan.
 

Accepted Solution

by:
sgwillett earned 300 total points
ID: 13774111
A quick Google search turned up this info:

http://search-dev.develooper.com/~rcaley/speech_pm_1.0/Speech/Festival/Synthesiser.pm runs on port 1314
A RAS server called Radiator runs on port 4214.
1031 is a known trojan exploited port.

A good practice is to close all unused ports, only opening the ones you know you need to use. All those you listed above can be closed, except for 1494 because you know what's using that. There is software available that will scan your ports for usage.

Also get yourself a good trojan/spyware scanner like Webroot's Spy Sweeper.

Also get a port scanner to watch for activity.
http://www.famatech.com/radmin/utility/pscanner.php
is the location of a decent port scanner. It will only detect the port if it's open and being used.

Get all the ports locked down and control your environment, then see if the traffic is still high. If it is, then take that data to Comcast.

Steve.
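
An added example, not part of any post in this thread: one way to check a host for the ports Comcast named is to sort its `netstat -an` rows into listening services and OS-assigned client ports. The sample output is constructed, the function names are hypothetical, and the code assumes the Windows 2000/2003 default client (ephemeral) port range of 1025-5000, so a reported port can show up as the local side of an ordinary outgoing connection rather than as an open service.

```python
import re

REPORTED = {1483, 1493, 1494, 1314, 4214, 1031}  # ports named by the ISP in the question
EXPECTED = {1494}                                 # Citrix ICA, opened on purpose
EPHEMERAL = range(1025, 5001)                     # assumed W2K/W2K3 default client port range

# Constructed `netstat -an` output for illustration (not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4214           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1494      203.0.113.25:3345      ESTABLISHED
  TCP    192.168.1.10:1031      198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.10:1314      198.51.100.9:445       SYN_SENT
  UDP    0.0.0.0:1604           *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse(text):
    """Return (proto, local_port, remote, state) for every socket row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, _ip, port, remote, state = m.groups()
            rows.append((proto, int(port), remote, state or ""))
    return rows

def classify(text):
    """Sort sockets on ISP-reported ports into services and client connections."""
    rows = parse(text)
    # A port counts as a local service if something is bound and waiting on it.
    listeners = {port for proto, port, _r, state in rows
                 if state == "LISTENING" or proto == "UDP"}
    out = {"expected_service": set(), "unexplained_listener": set(),
           "outbound_client": []}
    for proto, port, remote, state in rows:
        if port not in REPORTED:
            continue
        if port in listeners:
            key = "expected_service" if port in EXPECTED else "unexplained_listener"
            out[key].add(port)
        elif port in EPHEMERAL:
            # Local port was picked by the OS for an outgoing connection.
            out["outbound_client"].append((port, remote, state))
    return out
```

Entries under `unexplained_listener` are the ones to trace to a process and close; entries under `outbound_client` point at the remote address and port worth investigating instead.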
 
LVL 9

Assisted Solution

by:fixnix
fixnix earned 300 total points
ID: 13774244
I concur with the above...nearly the same thing happened at our building last year, everyone's internet access crawled or became inaccessible.  Traced the problem down to one workstation at one of the tenants in the building.  Their network was isolated from ours, so we weren't attacked by the worm that had bit him, but that worm generated so much traffic that it saturated the meager 1.1mbps SDSL line we used at the time, leaving little left for the rest of us.

As soon as I unplugged the offending workstation from their router everyone else returned to normal, then I went about cleansing the infected PC, reconnected it to their network, and all was good.

You could always fire up a packet sniffer and see what the traffic is and where it's coming from/going to to narrow it down, but it may be faster to unplug cat 5 cables from whatever router is blinking like mad (if your environment permits that...probably doesn't, but I was able to do that on ours because the tenant that had the mad blinking router really was only networked for internet access and their print sharing.  I could risk interrupting a print job on their end since they were interfering with my net access ;))
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 300 total points
ID: 13775451
I would run www.ethereal.com on one of your network PCs to work out exactly what's going on.  This does sound very much like a worm/virus outbreak.
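
An added example, not part of any post in this thread: once a sniffer capture has been summarized into per-packet or per-flow records, ranking internal hosts by bytes sent to the Internet shows who is filling the uplink and whether a host is contacting many peers on one port, as a worm does. The CSV layout, the `192.168.1.0/24` subnet, the thresholds and the function name are assumptions, and the records are constructed.

```python
import csv, io, ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal subnet
UPLINK_BPS = 1_100_000  # assumed uplink; 1.1 Mbps as in fixnix's post, adjust to your line
FANOUT_MIN = 10         # assumed threshold: this many distinct peers on one port is scan-like

# Constructed 10-second capture summary (not from the thread).
SAMPLE_CSV = (
    "t,src,dst,dport,bytes\n"
    + "".join(f"{i % 10},192.168.1.23,198.51.100.{i + 1},445,100000\n" for i in range(12))
    + "3,192.168.1.10,203.0.113.25,3345,40000\n"
    + "5,192.168.1.10,203.0.113.26,2210,20000\n"
    + "7,203.0.113.25,192.168.1.10,1494,3000\n"
)

def top_talkers(csv_text, window_s, uplink_bps=UPLINK_BPS):
    """Rank LAN hosts by bytes sent out, with uplink share and peer fan-out."""
    sent = defaultdict(int)
    peers = defaultdict(lambda: defaultdict(set))  # host -> dport -> {dst}
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src not in LAN or dst in LAN:
            continue  # keep only LAN -> Internet traffic
        sent[row["src"]] += int(row["bytes"])
        peers[row["src"]][int(row["dport"])].add(row["dst"])
    report = []
    for host, nbytes in sent.items():
        share = nbytes * 8 / window_s / uplink_bps
        # Destination port on which this host reached the most distinct peers.
        port, dsts = max(peers[host].items(), key=lambda kv: len(kv[1]))
        report.append({"host": host, "bytes": nbytes,
                       "uplink_share": round(share, 3),
                       "widest_port": port, "distinct_peers": len(dsts),
                       "scan_like": len(dsts) >= FANOUT_MIN})
    return sorted(report, key=lambda r: r["bytes"], reverse=True)
```

A host with a high `uplink_share` and `scan_like` set is the workstation to unplug first; a report with no such host is the data to take back to the ISP.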
 

Author Comment

by:RVicente99
ID: 14048339
The problem was two-fold:  First, there was a problem with Comcast's router. It was creating a lot of interference/noise, thus causing a dramatic slow-down with our connection.  The other was that Comcast had decided to migrate users in our area onto another DNS server w/out letting us know, causing the outages and eventually a total loss of service.
Thanks for all your suggestions though.  I'm going to split the points amongst all who responded.
 
LVL 88

Expert Comment

by:rindi
ID: 14049988
Thanx too!