High Network Activity

Tags:
Availability
Bandwidth
Network monitoring
Networking
I need some help on the next step. I have three computers on the network that experience high network activity after booting, i.e., the connection/activity lights on the switch go crazy. The OSes are Windows Server 2000, Windows 2000 Professional, and Windows NT 4.0. All computers have active, up-to-date anti-virus and have been scanned without result. All computers have also been scanned with Ad-Aware and Search & Destroy without result. There are no unknown processes running and nothing "visible" in the registry that loads upon startup. No processes in Task Manager are taking an inordinate amount of CPU time. This acts like a worm or malware gone bad. What do you suggest next?
ASKED: August 30, 2006  7:19 AM
UPDATED: September 3, 2006  8:29 PM

Answer Wiki


This could be a number of things: bad NIC, bad NIC configuration, bad switch or hub, or even a bad cable (all of which can cause switch/hub lock or broadcast storms). There is also the possibility of a worm or Slammer being embedded somewhere, but you will need to narrow things down first.

1. Process of Elimination: Turn on the machines one at a time, let each boot completely and see if the problem exists, then shut down the machine. Repeat this for the other machines, one machine at a time. If it is only one machine then you can look at the hardware situation.

2. Run either NETMON or a public domain packet sniffer such as Ethereal to analyze the traffic and see what exactly is being sent. You can see if it is broadcast traffic as opposed to a flood.

3. You want to reduce or eliminate BROADCAST traffic. Make sure that you are running an internal DNS server and that all workstations and servers are pointed to it. This will reduce broadcast traffic for things such as WINS and NetBIOS calls.

Post your findings and we can look at where you stand.
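One way to do step 2 in code, as an added example that is not part of the answer above: it reads an Ethereal/tshark-style packet summary and reports per source host whether the traffic is mostly broadcast chatter or a unicast flood to many distinct targets. The summary lines are constructed, the /24 broadcast check and the rate/target thresholds are assumptions, and the verdict is only a pointer to which host deserves a closer look.

```python
"""Added example (not from the thread): per-host broadcast-vs-flood verdict
over an Ethereal/tshark-style packet summary. Thresholds are assumptions."""
from collections import defaultdict

# Constructed lines in the "No. Time Source Destination Protocol Info" layout
SAMPLE_CAPTURE = """\
1 0.000 192.168.1.10 192.168.1.255 NBNS Name query NB WORKGROUP<1d>
2 0.050 192.168.1.10 192.168.1.255 BROWSER Host Announcement PC10
3 0.120 192.168.1.10 192.168.1.1 DNS Standard query A dc.example.local
4 0.150 192.168.1.12 10.21.4.7 TCP 1045 > 445 [SYN]
5 0.151 192.168.1.12 10.21.4.8 TCP 1046 > 445 [SYN]
6 0.152 192.168.1.12 10.21.4.9 TCP 1047 > 445 [SYN]
7 0.153 192.168.1.12 10.21.4.10 TCP 1048 > 445 [SYN]
8 0.154 192.168.1.12 10.21.4.11 TCP 1049 > 445 [SYN]
9 0.400 192.168.1.15 192.168.1.20 SMB Tree Connect AndX Request
"""
def is_broadcast(dst):
    """Limited broadcast or a directed broadcast (assumes /24 subnets)."""
    return dst == "255.255.255.255" or dst.endswith(".255")

def summarize(capture):
    """Per source: (packets, broadcast fraction, distinct destinations, pps)."""
    acc = defaultdict(lambda: {"n": 0, "bcast": 0, "dsts": set(), "t": []})
    for line in capture.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue  # blank or truncated line
        _, t, src, dst = parts[:4]
        s = acc[src]
        s["n"] += 1
        s["bcast"] += int(is_broadcast(dst))
        s["dsts"].add(dst)
        s["t"].append(float(t))
    out = {}
    for src, s in acc.items():
        span = max(s["t"]) - min(s["t"])
        pps = s["n"] / span if span > 0 else float(s["n"])  # single packet: rate = count
        out[src] = (s["n"], s["bcast"] / s["n"], len(s["dsts"]), pps)
    return out

def verdict(packets, bcast_frac, unique_dsts, pps):
    """Assumed rules: mostly broadcast -> 'broadcast'; many distinct unicast
    targets at a high rate -> 'flood' (worth a port-to-process check)."""
    if bcast_frac >= 0.5:
        return "broadcast"
    if unique_dsts >= 5 and pps >= 100:
        return "flood"
    return "normal"

def classify_capture(capture=SAMPLE_CAPTURE):
    return {src: verdict(*v) for src, v in summarize(capture).items()}
```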

Discuss This Question: 9  Replies

  • Rloveall
    Thanks marcola, I did turn off the computers one at a time, which is why I know it is centered on three of them (there are nine computers in the network). I traded out the switch to remove it from the equation. I'll take a look at the network monitoring stuff and let everyone know. Thanks for the response.
  • Bobkberg
    It's probably not THE issue, but you might want to turn off Universal Plug & Play. That does a fair amount of broadcasting on its own. Anything you can do to cut down unnecessary traffic is generally a good thing. Bob
  • ITWizard
From the command prompt, type "netstat -a". This will show ports listening on each machine and what ports are communicating on the network. Each of these port numbers ties to a service name or software which you can search for on Google.
  • Bigshybear
Is this only on computer startup? Or does activity spike on a certain time cycle? Verify that you don't have extra protocols loading on the computers, including NetBEUI or IPX/SPX if you are running TCP/IP. Have you tried sniffing for any packets coming off the computers at startup? I really like Ethereal for this: http://www.ethereal.com/
  • STEVE23
    Turning off the Browser Service so they are not checking for the Master Browser should help some.
  • Rloveall
Thank you all for your help. The solution was to use Ethereal to acquire a snippet of traffic to find which ports are causing the problem, then running Vision from Foundstone.com (nice, freeware) to see which process is tied to which port. Two of the three ended up being worms as suspected. Computer one was running asus.exe (Zokrim.b); it threw me when I looked at the processes because it does have an Asus motherboard. Vision showed it had opened 30+ ports over TCP. I ended up removing it by means of hacking the registry and deleting the offending application, since two virus checkers said the computer was clean. Computer two seems to be running a variation of Sasser, meaning it sends heavy traffic over port 445 with a process named lsass.exe, but none of the virus checkers nor the specific subset of removal tools can remove it, and some of the signs associated with Sasser are missing. I'm leery of removing lsass.exe from the System directory, and this computer is one which I can re-format and reload. Computer three (WinNT 4.0) I'm postponing until I've had some rest, but I'm confident that one of these two worms has attached itself. Thanks again. Ethereal is an excellent tool; thanks for pointing it out.
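The port-level triage that ITWizard's "netstat -a" suggestion and the reply above do by hand, as an added example that is not part of the thread: it parses a Windows "netstat -an" listing, reports the listening ports, and flags a host holding many half-open (SYN_SENT) TCP 445 connections to distinct peers at once, which is the "heavy traffic over port 445" pattern described for computer two rather than ordinary file sharing. The listing is constructed and the peer threshold is an assumption; the matching process still has to be looked up with a port-to-process tool such as the Vision utility mentioned above.

```python
"""Added example (not from the thread): triage a Windows "netstat -an"
listing, flagging a host with many half-open (SYN_SENT) TCP 445
connections to distinct peers. The sample listing is constructed."""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.12:1045      10.21.4.7:445          SYN_SENT
  TCP    192.168.1.12:1046      10.21.4.8:445          SYN_SENT
  TCP    192.168.1.12:1047      10.21.4.9:445          SYN_SENT
  TCP    192.168.1.12:1048      10.21.4.10:445         SYN_SENT
  TCP    192.168.1.12:1049      10.21.4.11:445         SYN_SENT
  TCP    192.168.1.12:1033      192.168.1.20:139       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

def parse_netstat(text):
    """Return (proto, local, remote, state) for each connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # title, blank, or column-header line
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        rows.append((parts[0], parts[1], parts[2], state))
    return rows

def split_addr(addr):
    """'10.21.4.7:445' -> ('10.21.4.7', '445'); also handles '*:*'."""
    host, _, port = addr.rpartition(":")
    return host, port

def listening_ports(rows):
    return sorted(int(split_addr(loc)[1]) for _, loc, _, st in rows
                  if st == "LISTENING")

def syn_sent_peers(rows, port="445"):
    """Distinct remote hosts with a half-open connection to `port`."""
    return sorted({split_addr(rem)[0] for _, _, rem, st in rows
                   if st == "SYN_SENT" and split_addr(rem)[1] == port})

def triage(text=SAMPLE_NETSTAT, min_peers=5):
    """Assumed rule: >= min_peers distinct 445 peers in SYN_SENT at once is
    scanning behaviour worth a port-to-process check, not normal SMB use."""
    rows = parse_netstat(text)
    peers = syn_sent_peers(rows)
    return {"listening": listening_ports(rows),
            "syn_sent_445_peers": len(peers),
            "suspect_445_scanner": len(peers) >= min_peers}
```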
  • Mortree
Yes, just removing LSASS.EXE would be bad. Local Security Authority Subsystem Service (or whatever the exact words are) is a pivotal part of Windows security. I doubt you could find a way to log in without it. If you think it is infected you can only try extracting and dropping the latest patch/SP version (that you installed) in through the Repair Console after removing all supporting aspects of your worm. Remember it is a Windows Protected File though.
  • Mortree
Running the Sasser removal tool shouldn't cause any harm. Then apply those missing patches. Sometimes patches alone can kill a worm by inserting a non-vulnerable version of the software, in this case lsass.exe. Again, this shouldn't cause a problem itself and should prevent recurrence. The risk of patching is normally less than hand removal of worms. But hand removing or deciding to let worms run only works so long.
  • Mortree
Any multihomed (two or more NICs) servers in those 3? If so you could have a routing loop. Sometimes NT/2000 "spontaneously" or obscurely configures to route stuff even when you thought you made a point to make sure that was turned off. Also, for the Sasser missing signs... do you have a baseline of normal network activity to that machine? Does it possibly make sense where the traffic is going? You did say that one machine at least was a server. So if you are just going by a few blinky lights (not every light on the switch blinking fast), it is entirely possible that you are seeing normal network activity. Any network traffic is fast by the standards of the human brain. That is, lights may look different if suddenly that server hosts a new high-activity application file or all the company users from a retired file server.
