Solved

Strange Looking Packet Capture

Posted on 2014-01-22
3
267 Views
Last Modified: 2014-03-20
Below are screenshots from a packet capture from Wire Shark.  We have two managed switches that are currently set to shutdown any suspected port of a DOS attack.  We have witnessed the switch shutting down the WAN port numerous times.  If we disable the DOS port check in the switches than eventually our ISP will shutdown our internet service.  

We began by blaming malware for this and have done numerous scans of every desktop with multiple products and have found no infections.

The UDP packets that are outbound have check sum errors and the Inbound UDP packets are fine.

Any ideas?
DesktopL.png
DesktopB.png
0
Comment
Question by:MPATechTeam
3 Comments
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 39801971
Doesn't the local IP address tell you which machine they are coming from?  Have you tried TCPView http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx and/or Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653 to identify the program that is doing this?

It is the goal of the malware and virus writers to create a program that is not identified as a virus or malware.  Anti-virus and anti-malware authors are always playing catch-up to identify and eliminate the new programs.
0
 
LVL 16

Assisted Solution

by:gurutc
gurutc earned 250 total points
ID: 39803146
Also, if you don't have too many local PCs you can try shutting them down one at a time to see if that stops the flood.

- gurutc
0
 

Author Closing Comment

by:MPATechTeam
ID: 39942686
These were helpful in tracking down the trouble.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

INTRODUCTION "Virut" is a nasty, polymorphic file infector, and it infects every executable and screensaver file on access.  Some variant also infects .htm, html, .rar and .zip archives, and latest variants infects php and asp.  It patches system…
Some of the most commonly posted questions in the "Virus & Malware" Zones are related to the family of rogue malware with the date "2012" somewhere in the title. Examples: XP Antispyware 2012 XP Antivirus 2012 XP Security 2012   XP Home Sec…
This video discusses moving either the default database or any database to a new volume.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now