[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 275
  • Last Modified:

Strange Looking Packet Capture

Below are screenshots from a packet capture from Wire Shark.  We have two managed switches that are currently set to shutdown any suspected port of a DOS attack.  We have witnessed the switch shutting down the WAN port numerous times.  If we disable the DOS port check in the switches than eventually our ISP will shutdown our internet service.  

We began by blaming malware for this and have done numerous scans of every desktop with multiple products and have found no infections.

The UDP packets that are outbound have check sum errors and the Inbound UDP packets are fine.

Any ideas?
DesktopL.png
DesktopB.png
0
MPATechTeam
Asked:
MPATechTeam
2 Solutions
 
Dave BaldwinFixer of ProblemsCommented:
Doesn't the local IP address tell you which machine they are coming from?  Have you tried TCPView http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx and/or Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653 to identify the program that is doing this?

It is the goal of the malware and virus writers to create a program that is not identified as a virus or malware.  Anti-virus and anti-malware authors are always playing catch-up to identify and eliminate the new programs.
0
 
gurutcCommented:
Also, if you don't have too many local PCs you can try shutting them down one at a time to see if that stops the flood.

- gurutc
0
 
MPATechTeamAuthor Commented:
These were helpful in tracking down the trouble.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now