"Unusually high router traffic... No/Slow internet access"

Okay, my knowledge is limited, so bear with me...
Our network runs off of two servers: server1 is the domain controller (W2K) running DHCP etc., and server2 is a
W2K3 server running Citrix terminal services for our remote offices.
All machines/servers are plugged into two Linksys unmanaged switches, which are then plugged into a Cisco router
(the router is Comcast's, and is our gateway).  Everything was fine until last Wed., when we suddenly began having
internet connection problems; the connection usually didn't work, and when it did it was extremely slow...
After checking lines, swapping routers etc., Comcast came to the conclusion that it was our network.
Too much traffic coming into our network via certain ports?!? (1483, 1493, 1494, 1314, 4214, 1031)
I know that 1494 was opened up for our Citrix users, and 1604 was pointed to our static IP; aside from that,
I don't know where to go from here to verify or dispute their claim.  I think they're just passing the buck,
but I can't say for sure, and since I can't refute it, they won't do anything more for us...
Can someone help?  Until we get this fixed, we have 3 remote offices w/people doing crosswords...
RVicente99 Asked:
sgwillett Commented:
A quick Google search turned up this info:

http://search-dev.develooper.com/~rcaley/speech_pm_1.0/Speech/Festival/Synthesiser.pm runs on port 1314
a RAS server called Radiator runs on port 4214
1031 is a known trojan-exploited port.

A good practice is to close all unused ports, only opening the ones you know you need to use. All those you listed above can be closed, except for 1494, because you know what's using that. There is software available that will scan your ports for usage.

Also get yourself a good trojan/spyware scanner like Webroot's Spy Sweeper.

Also get a port scanner to watch for activity.
http://www.famatech.com/radmin/utility/pscanner.php
is the location of a decent port scanner. It will only detect the port if it's open and being used.

Get all the ports locked down and control your environment, then see if the traffic is still high. If it is, then take that data to Comcast.

Steve.
0
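As an added illustration of the "close every port you don't need" advice above (this is example code, not code from the thread or from any of the tools it names), the Python script below parses the text of a Windows `netstat -an` run on a server, lists every port open for inbound connections, flags the ones that are not on an allowlist, and lists the established outbound connections by local port. The sample netstat output, the 192.168.1.x addresses, the foreign endpoints and the allowlist are constructed assumptions; 1494 and 1604 are the two ports the asker says were opened deliberately, and 135 stands in for the Windows RPC port a W2K domain controller normally exposes.

```python
import re

# Constructed sample of Windows `netstat -an` output; not taken from the thread.
# 1031 and 4214 appear because the asker's provider listed them as busy ports.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1031           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4214           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1494      10.0.0.5:3456          ESTABLISHED
  TCP    192.168.1.10:1031      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:1604           *:*
"""

# Assumed allowlist: ports this site knowingly exposes (1494 and 1604 per the
# question; 135 as the usual RPC listener on a Windows domain controller).
ALLOWED = {("TCP", 135), ("TCP", 1494), ("UDP", 1604)}

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, foreign, state) for each socket line.
    Header lines and blank lines do not match the pattern and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local_ip, local_port, foreign, state = m.groups()
        yield proto, local_ip, int(local_port), foreign, state or ""


def listening_ports(text):
    """Set of (proto, port) reachable from outside the host.
    UDP sockets carry no state in netstat, so any bound UDP socket counts."""
    ports = set()
    for proto, _ip, port, _foreign, state in parse_netstat(text):
        if proto == "UDP" or state == "LISTENING":
            ports.add((proto, port))
    return ports


def unexpected_listeners(text, allowlist=ALLOWED):
    """Listening ports that nobody has accounted for: the ones to investigate
    or close before going back to the provider with traffic figures."""
    return sorted(listening_ports(text) - set(allowlist))


def outbound_connections(text):
    """(local_port, foreign_endpoint) for every ESTABLISHED TCP connection,
    in file order; a port that is unexpectedly both listening and chatting
    outbound deserves a closer look."""
    return [(port, foreign)
            for proto, _ip, port, foreign, state in parse_netstat(text)
            if proto == "TCP" and state == "ESTABLISHED"]


if __name__ == "__main__":
    print("Listening:", sorted(listening_ports(SAMPLE_NETSTAT)))
    print("Not on allowlist:", unexpected_listeners(SAMPLE_NETSTAT))
    print("Established:", outbound_connections(SAMPLE_NETSTAT))
```

On a real server you would feed the script the saved output of `netstat -an` instead of the constructed sample; the allowlist is where the site's own knowledge (which ports were opened on purpose, and why) gets written down so the comparison is repeatable after each cleanup pass.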
 
sriwi Commented:
Run an IP port scanner from one of your machines on the internal network. Also, if you have a server, check that your servers are all fully patched up.

It might be that your server is infected with a virus and is trying to send a lot of things out, so that is why everything is slow, because upload is at the max.

The other possibility is that someone is running a peer-to-peer network inside your workplace and is chewing up all of the available bandwidth.

cheers
0
 
rindi Commented:
Check your system for anyone running P2P software, like Kazaa or eMule. Also check for malware on your PCs. You can use the following instructions to do that:

Turn off System Restore (Control Panel, System).
 
Start msconfig (Start, Run, msconfig), select the Startup tab and remove the ticks from any programs you aren't sure of.
 
Let your PC restart.
 
Download and install Spybot S&D (http://www.safer-networking.org/en/index.html).
Let the installer activate the TeaTimer and update Spybot.
Click on "make registry backup", wait until done and click on Next.
Let the scan finish, then select all the found items and select Clean.
If the system wasn't able to clean out everything it found, let it reboot. Spybot should start up before you log on; do another scan.
Again select all found items and clean. When finished, select "Immunize", then close Spybot.
 
Download and install Ad-Aware (http://lavasoft.com).
Let the installer do an update, then scan the system.
Select all found items and let them be removed.
A reboot may also be necessary here.
 
If either Spybot or Ad-Aware or both still weren't able to remove all malware, reboot your system to safe mode and let the tool which couldn't remove a malware do another scan. If it is Ad-Aware, change the scan settings to scan within archives, then start a scan.
Again select all found malware and let them be removed.
 
If you still have malware on your system after that, download the latest version of HijackThis:
 
http://www.hijackthis.de/downloads
Run it and save the log. Paste the log to the following website:
 
http://www.hijackthis.de/en
 
Click the "Analyze" button and you will have an analysis of your log.
Now paste the analyzed log here, so we can help further (provided you don't get enough info from the log and can't do it yourself).
 
Next, make sure your AV software is up to date and running. Let the system do a thorough AV scan.
0
 
fixnix Commented:
I concur with the above... nearly the same thing happened at our building last year; everyone's internet access crawled or became inaccessible.  Traced the problem down to one workstation at one of the tenants in the building.  Their network was isolated from ours, so we weren't attacked by the worm that had bit him, but that worm generated so much traffic that it saturated the meager 1.1 Mbps SDSL line we used at the time, leaving little left for the rest of us.

As soon as I unplugged the offending workstation from their router everyone else returned to normal, then I went about cleansing the infected pc, reconnected it to their network, and all was good.

You could always fire up a packet sniffer and see what the traffic is and where it's coming from/going to, to narrow it down, but it may be faster to unplug Cat 5 cables from whatever router is blinking like mad (if your environment permits that... probably doesn't, but I was able to do that on ours because the tenant that had the mad blinking router really was only networked for internet access and their print sharing.  I could risk interrupting a print job on their end since they were interfering with my net access ;))
0
 
Tim Holman Commented:
I would run www.ethereal.com on one of your network PCs to work out exactly what's going on.  This does sound very much like a worm/virus outbreak.
0
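Following on from the packet-sniffer suggestions in the two answers above (this is an added example, not code from the thread or from Ethereal), the Python script below reads a conversation summary in CSV form, of the kind a sniffer's conversation statistics can be exported as, and ranks the internal hosts two ways: by bytes sent out of the LAN (the upload direction sriwi mentions) and by the number of distinct outside hosts each one contacted. It goes slightly beyond the thread's advice in that second view: the biggest talker by volume is not always the culprit, and a host contacting many outside addresses with small conversations is the footprint a scanning worm leaves. The CSV rows, the 192.168.1.0/24 LAN range, the fan-out threshold and all addresses are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Assumed LAN range for the office; the thread does not state one.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")

# Constructed conversation summary (source, destination, bytes sent). The values
# are invented: .10 plays the Citrix server serving two remote offices, .22 an
# ordinary workstation, and .37 a workstation contacting many outside hosts.
SAMPLE_FLOWS = """\
src,dst,bytes
192.168.1.10,10.0.0.5,850000
192.168.1.10,10.0.0.6,640000
192.168.1.22,198.51.100.4,52000
192.168.1.37,203.0.113.1,1400
192.168.1.37,203.0.113.2,1400
192.168.1.37,203.0.113.3,1400
192.168.1.37,203.0.113.4,1400
192.168.1.37,203.0.113.5,1400
192.168.1.37,203.0.113.6,1400
192.168.1.37,203.0.113.7,1400
192.168.1.37,203.0.113.8,1400
192.168.1.37,203.0.113.9,1400
192.168.1.37,203.0.113.10,1400
10.0.0.5,192.168.1.10,9000
not-an-address,203.0.113.1,5
"""


def load_flows(text):
    """Parse CSV text into (src, dst, bytes) tuples, skipping malformed rows."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            flows.append((ipaddress.ip_address(row["src"]),
                          ipaddress.ip_address(row["dst"]),
                          int(row["bytes"])))
        except (ValueError, KeyError, TypeError):
            continue  # header typos, blank fields or bad addresses: ignore
    return flows


def upload_bytes_by_host(flows):
    """Bytes each internal host sent to addresses outside the LAN."""
    totals = Counter()
    for src, dst, nbytes in flows:
        if src in INTERNAL and dst not in INTERNAL:
            totals[str(src)] += nbytes
    return totals


def distinct_external_peers(flows):
    """How many different outside hosts each internal host talked to."""
    peers = defaultdict(set)
    for src, dst, _nbytes in flows:
        if src in INTERNAL and dst not in INTERNAL:
            peers[str(src)].add(dst)
    return {host: len(addrs) for host, addrs in peers.items()}


def top_talkers(flows, n=3):
    """Internal hosts ranked by upload volume: the first place to look when
    the outbound side of the link is saturated."""
    return upload_bytes_by_host(flows).most_common(n)


def fan_out_suspects(flows, threshold=5):
    """Internal hosts that contacted more than `threshold` outside hosts.
    Catches a scanning host even when it is not the top talker by bytes."""
    return sorted(host for host, n in distinct_external_peers(flows).items()
                  if n > threshold)


if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    print("Top talkers by upload bytes:", top_talkers(flows))
    print("High fan-out hosts:", fan_out_suspects(flows))
```

In the constructed data the Citrix server is the top talker by a wide margin, which is expected for a box serving remote offices, while the host with the worm-like pattern sends little data but touches ten outside addresses; checking both views before unplugging anything avoids pulling the cable on the server that the remote offices depend on.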
 
RVicente99 (Author) Commented:
The problem was two-fold:  First, there was a problem with Comcast's router. It was creating a lot of interference/noise, thus causing a dramatic slow-down with our connection.  The other was that Comcast had decided to migrate users in our area onto another DNS server w/out letting us know, causing the outages and eventually a total loss of service.
Thanks for all your suggestions though.  I'm going to split the point amongst all who responded.
0
 
rindi Commented:
Thanx too!
0