Finding the source of Very High In-Bound Internet Usage - Possible attack on ISA/Exchange Server
Posted on 2007-07-26
I have an Internet Security related question that I need help with. The environment is as follows:
- CISCO PIX Hardware Firewall (running NAT) - Port 25 forwarded to internal mail server (the server below).
- Windows Small Business Server 2003 Premium Edition with ISA 2004 (also runs NAT). This server also runs Exchange 2003 Server, which handles email and collects the mail that the PIX forwards through on port 25.
All of a sudden my client's Internet usage has blown out to over 40Gb a month (it was previously averaging 15Gb). This is a very expensive problem as their ISP charges a ridiculous amount for the extra usage. I have investigated this thoroughly and know the following:
- The damage is done in the space of 4 or 5 days, with all other days experiencing normal Internet usage levels. Download usage will average at about 5Gb per day during this time (it's only a smallish site with 25 users, so that is a lot).
- The ISA 2004 Logs and Internet Access Monitor Plug-in (a program that checks the ISA logs for bandwidth usage) show that the traffic of concern is in-bound (download) and all SMTP (Port 25). Uploads are not a concern.
- ISA Logs and Internet Access Monitor Plug-in both confirm that all the traffic is coming from the IP of my ISP's Antivirus/Antispam filtering system. The system is configured such that all mail passes through the ISP's filtering service before reaching the in-house Exchange Server.
- I have checked with the ISP and they have checked the logs on their filtering servers and claim that the data was not sent from them (could the IP have been spoofed?).
- I have installed the Ethereal packet sniffer on the server and looked at the packets. I have confirmed that the packets are SMTP, and coming from the ISP's filtering server IP. I am not overly familiar with Ethereal, so am not able to interpret the packets overly well (apart from the basic info they provide).
- I have checked the ISP's daily reports and confirmed all the download usage levels to confirm everything I have said above seems to fit.
- When the SMTP traffic is being sent, there is no sign of any emails reaching the Exchange Server (and no NDRs are being sent etc). I have made sure of this - it is 4am here (I'm working around the clock) and only 3 emails have come into the Exchange Server since midnight. However the Internet Usage has been going mad all night, and if I start capturing packets with Ethereal, soon enough packets will come through on port 25 from that same IP.
I have no idea what the problem is, but can only assume it is some sort of attack. I need someone to give me some ideas as to what the attack might be and what I might be able to do about it. This cost my client a lot of money on last month's internet bill and this month is headed to the same result.
I will appreciate any comments given.
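One way to narrow this down from the ISA firewall log, as an added example that is not part of the original post: it totals inbound bytes per day, source IP and destination port, and flags port-25 sources whose daily volume is out of proportion to the number of messages Exchange actually accepted that day. The log layout, addresses, byte counts and delivered-message counts are all constructed for the example; the field names are an assumed simplification, not ISA 2004's real schema.

```python
from collections import defaultdict

# Constructed sample in a simplified W3C-style layout (assumed field set, not
# ISA 2004's real schema): bytes-recvd = bytes the internal host received from
# client-ip. 203.0.113.10 stands in for the ISP filter, 192.0.2.5 for Exchange.
SAMPLE_LOG = """#Software: constructed sample
#Fields: date time client-ip dest-ip dest-port protocol action bytes-recvd bytes-sent
2007-07-25 00:12:01 203.0.113.10 192.0.2.5 25 TCP Allowed 1200 2300
2007-07-25 00:40:13 203.0.113.10 192.0.2.5 25 TCP Allowed 734003200 90000
2007-07-25 01:05:44 203.0.113.10 192.0.2.5 25 TCP Allowed 1048576000 120000
2007-07-25 01:10:00 203.0.113.10 192.0.2.5 25 TCP Denied 0 0
2007-07-25 02:20:00 198.51.100.7 192.0.2.5 443 TCP Allowed 4096 15000
2007-07-26 03:30:22 203.0.113.10 192.0.2.5 25 TCP Allowed 2100 1800
"""

def parse_log(text):
    """Yield one dict per data row, using the #Fields header for the keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def summarize_inbound(text):
    """Aggregate allowed sessions by (date, client-ip, dest-port)."""
    agg = defaultdict(lambda: {"sessions": 0, "bytes_in": 0, "max_session": 0})
    for row in parse_log(text):
        if row["action"] != "Allowed":
            continue
        e = agg[(row["date"], row["client-ip"], row["dest-port"])]
        b = int(row["bytes-recvd"])
        e["sessions"] += 1
        e["bytes_in"] += b
        e["max_session"] = max(e["max_session"], b)
    return dict(agg)

def top_talkers(summary, n=3):
    """Keys with the most inbound bytes, largest first."""
    return sorted(summary, key=lambda k: summary[k]["bytes_in"], reverse=True)[:n]

def suspicious_smtp(summary, delivered, min_bytes_per_msg=50 * 1024 * 1024):
    """Flag port-25 sources whose inbound bytes on a day dwarf the messages
    Exchange actually accepted that day (delivered = {date: message count})."""
    flagged = []
    for (date, ip, port), e in summary.items():
        msgs = max(delivered.get(date, 0), 1)
        if port == "25" and e["bytes_in"] / msgs >= min_bytes_per_msg:
            flagged.append((date, ip, e["bytes_in"], e["max_session"]))
    return sorted(flagged)
```

A single session carrying hundreds of megabytes on port 25 while the message tracking log shows only a handful of accepted messages is the session to pull out of the Ethereal capture and examine first.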