We have a McAfee anti-virus and anti-spam appliance. We used it as our internet email presence and as a web proxy. All email comes in through it and all web traffic from our internal web proxy went through it. The web proxy is limited to less than half of the internet bandwidth. It is behind stateful firewalls and is open to SMTP and could initiate connections to the internet.
Two weeks ago our internet pipe was filled with traffic to this system. The thing that concerned me is the traffic was going into the appliance but not coming back out. I expected that the traffic into and out of an explicit proxy would be roughly symmetrical. The traffic going into the box was around ten times the traffic coming back out. The traffic didn't stop until I put in a firewall rule to block the outside address.
The response from support amounted to "This traffic is normal for an explicit proxy. You should update the software and can rebuild it if you wish, but we don't see any problems with it".
About a week later we were swamped by traffic coming from our appliance to various addresses on the internet. Several times I had to sniff our net and block the connections to the appliance. At the end of the day we rebuilt the appliance including the new software patches. When we hooked a monitor to it before the rebuild, the screen was full of messages recommending we run fsck.
This week it started all over again. The appliance was downloading enough to fill our pipe. It didn't end until I redirected our proxy away from the appliance and blocked all HTTP and HTTPS to/from the appliance.
Has anyone else experienced this? Any recommendations? We are no longer using our appliance to scan incoming http for viruses. My best guess is the system has been cracked. Does anyone know what else could cause these symptoms?
September 13, 2005 7:02 PM
September 27, 2005 10:23 AM
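One way to catch the asymmetry the post describes, as an added example that is not part of the original thread: summarize flow records by direction relative to the proxy and flag when bytes fetched from the internet far exceed bytes relayed to internal clients, or when the proxy sends more outward than it receives. The flow format, addresses and the 3x threshold are assumptions made for this example.

```python
"""Flag asymmetric traffic through an explicit web proxy using flow records.

Added example, not from the original post.  An explicit proxy relays what it
fetches, so bytes arriving from the internet should roughly match the bytes it
sends back to internal clients.  Format, addresses and threshold are assumed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range
PROXY = "10.0.0.5"                   # assumed proxy/appliance address

# Constructed flow records: "src dst bytes", one flow per line.
NORMAL_FLOWS = """\
203.0.113.10 10.0.0.5 900000
10.0.0.5 203.0.113.10 45000
10.0.1.20 10.0.0.5 40000
10.0.0.5 10.0.1.20 880000
"""
SUSPECT_FLOWS = """\
203.0.113.10 10.0.0.5 5000000
198.51.100.7 10.0.0.5 3000000
10.0.0.5 203.0.113.10 40000
10.0.0.5 198.51.100.7 30000
10.0.1.20 10.0.0.5 15000
10.0.0.5 10.0.1.20 800000
"""

def summarize(flows, proxy=PROXY, internal=INTERNAL):
    """Sum bytes into four directions relative to the proxy."""
    totals = defaultdict(int)
    for line in flows.strip().splitlines():
        src, dst, nbytes = line.split()
        if dst == proxy:    # traffic into the proxy
            side = "int" if ip_address(src) in internal else "ext"
            totals[f"in_from_{side}"] += int(nbytes)
        elif src == proxy:  # traffic out of the proxy
            side = "int" if ip_address(dst) in internal else "ext"
            totals[f"out_to_{side}"] += int(nbytes)
    return dict(totals)

def asymmetry_findings(totals, ratio=3.0):
    """Return findings; an empty list means the proxy traffic looks balanced."""
    fetched, relayed = totals.get("in_from_ext", 0), totals.get("out_to_int", 0)
    pushed = totals.get("out_to_ext", 0)
    findings = []
    if fetched > ratio * max(relayed, 1):   # pulling far more than it relays
        findings.append(f"fetched {fetched} B from internet, relayed only {relayed} B to clients")
    if pushed > fetched:                    # proxy originating more than it receives
        findings.append(f"sent {pushed} B to internet against {fetched} B received")
    return findings
```

Feed it real flow exports (NetFlow or firewall logs reduced to src, dst, bytes) and run it per interval so a sustained pull or push stands out against the previous baseline.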