  • Status: Solved
  • Priority: Medium
  • Security: Public

High Outbound HTTP traffic Blue Coat Packeteer

We are using a PacketShaper (Blue Coat) device 135-10014804. We have higher than normal bandwidth going OUT using the HTTP protocol. We have used the IP addresses in the Top Talkers report to identify several machines on our domain that had viruses and have fixed them. However, we noticed that there are quite a few EXTERNAL IP addresses in the TOP TALKERS list. I may be missing something, but if it is OUTBOUND HTTP traffic and we are looking at the top TALKERS list... shouldn't all the IP addresses be internal ones on our own network?
ianmac50
Asked:
1 Solution
 
surbabu140977 Commented:
Yes, logically there should be only internal IPs. But to be very sure, please paste some of the public IPs that you are seeing and let us know where you are located. We can (you can too) use the list to see where/who owns the IP and can decide whether they are real viruses/trojans/malware or valid ones.

Just enter the IP below and it will show you who the owner is.

http://www.whatismyipaddress.com/ip-lookup

Best,
 
ianmac50 (Author) Commented:
Seems strange: all traffic has reverted back to only internal IPs sending outbound HTTP traffic (top talkers). Yes, we had already done a reverse lookup on the IPs we saw, and one was a data centre provider in Ukraine and the other was a streaming service. Other than a hacker or virus, I can't see how external IPs would be sending from inside our network. Even if it was a virus or a trojan sending out traffic, surely the originating IP should be one of ours (i.e. the infected machine). The top listeners should give us the culprit site (i.e. the destination of the traffic); however, I would have thought all the talkers should be our IPs.
 
surbabu140977 Commented:
Not necessarily, trojans/worms do mask IPs to prevent tracking from source. Otherwise it's easy to heal the infected m/c. Nice to hear everything is back to normal.
 
ianmac50 (Author) Commented:
Not a lot of detail was in the answer. It really only told me what I already knew. It made me feel better that someone was agreeing with me, but it wasn't an in-depth response with detailed information to back up the reasons behind the response.
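
The check discussed in this thread (which top talkers in an outbound class are not internal addresses), as an added example that is not part of the original posts or of any Blue Coat tooling. The input format (`<source IP> <bytes>` per line), the internal prefixes and the sample rows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's internal address space; replace with your own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample, not real PacketShaper output: "<source IP> <bytes sent>".
# External addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_TALKERS = """\
10.1.4.23 48211934
10.1.7.80 9120044
203.0.113.45 31877120
10.1.4.23 1200000
198.51.100.9 7765001
not-an-ip 123
"""

def is_internal(addr):
    """True if the address falls inside one of the configured internal prefixes."""
    return any(addr in net for net in INTERNAL_NETS)

def triage_talkers(text):
    """Sum bytes per source IP, then split the sources into internal and external."""
    totals = defaultdict(int)
    skipped = []
    for line in text.splitlines():
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
            totals[addr] += int(parts[1])
        except (IndexError, ValueError):
            skipped.append(line)  # keep malformed rows for manual review
    grand_total = sum(totals.values()) or 1
    report = {"internal": [], "external": [], "skipped": skipped}
    # Largest senders first, with each sender's share of the total bytes.
    for addr, sent in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        share = round(100 * sent / grand_total, 1)
        bucket = "internal" if is_internal(addr) else "external"
        report[bucket].append((str(addr), sent, share))
    return report

if __name__ == "__main__":
    result = triage_talkers(SAMPLE_TALKERS)
    for ip, sent, share in result["external"]:
        print(f"external source in outbound class: {ip} {sent} bytes ({share}%)")
```

External entries in the result are the ones to look up by owner and to compare against how the traffic class and the device's inside/outside interfaces are defined.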