?
Solved

Strange Looking Packet Capture

Posted on 2014-01-22
3
Medium Priority
?
273 Views
Last Modified: 2014-03-20
Below are screenshots from a packet capture from Wire Shark.  We have two managed switches that are currently set to shutdown any suspected port of a DOS attack.  We have witnessed the switch shutting down the WAN port numerous times.  If we disable the DOS port check in the switches than eventually our ISP will shutdown our internet service.  

We began by blaming malware for this and have done numerous scans of every desktop with multiple products and have found no infections.

The UDP packets that are outbound have check sum errors and the Inbound UDP packets are fine.

Any ideas?
DesktopL.png
DesktopB.png
0
Comment
Question by:MPATechTeam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 750 total points
ID: 39801971
Doesn't the local IP address tell you which machine they are coming from?  Have you tried TCPView http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx and/or Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653 to identify the program that is doing this?

It is the goal of the malware and virus writers to create a program that is not identified as a virus or malware.  Anti-virus and anti-malware authors are always playing catch-up to identify and eliminate the new programs.
0
 
LVL 16

Assisted Solution

by:gurutc
gurutc earned 750 total points
ID: 39803146
Also, if you don't have too many local PCs you can try shutting them down one at a time to see if that stops the flood.

- gurutc
0
 

Author Closing Comment

by:MPATechTeam
ID: 39942686
These were helpful in tracking down the trouble.
0

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

INTRODUCTION "Virut" is a nasty, polymorphic file infector, and it infects every executable and screensaver file on access.  Some variant also infects .htm, html, .rar and .zip archives, and latest variants infects php and asp.  It patches system…
It started not too long ago. It was at first annoying. My keystrokes seemed to be randomly generated, not the ones I typed on the keyboard. For some reason this only happened in certain applications (especially browsers such as IE11, Firefox and Chr…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses
Course of the Month8 days, 11 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question