It's a very good utility that can monitor every packet in/out of the machine.
Do you have the Linux box as a firewall?
WAN----Router----eth0 Linux eth1----Your LAN/Wireless
That's the ideal configuration; Linux can help a lot with monitoring/securing your LAN.
When you find where the traffic is coming from, you can ask your ISP to block that IP range
and stop it from eating your bandwidth.
One cause: remember Blaster? Machines with that virus scan IPs randomly; maybe some of your clients have the virus and are scanning IPs outside of your network.
Another possible cause:
if some of your customers are downloading from a P2P application (Kazaaaaaaaaaaaaa),
when you disconnect the WAN, all the traffic stops. That's normal, so you cannot
rely on this to discard the fact that the traffic is from/to some of your customers.
--
Leonel Garcia Rosas
PREGA Sistemas
Puebla 421 Nte. Cd. Obregon, Sonora
Tel.- (644) 415-3394

Blazen Wireless wrote:
Question: how do you set up the filter?? It asks for a name; I made it "test", but it also wants a filter string?? Do I put anything in for that?
Thanks. Please contact me offline if needed so as not to tie up resources here on the forum.
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

----- Original Message -----
From: Scott Damron
To: [EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 8:53 AM
Subject: RE: [smartBridges] HELP net traffic and where is it coming from

Have you made sure your WIN2000 box is up to date? The previous
suggestion of running ethereal is about the only way you will
truly know where it is coming from.
Scott

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Blazen Wireless
Sent: Thursday, September 11, 2003 8:42 AM
To: [EMAIL PROTECTED]
Subject: Re: [smartBridges] HELP net traffic and where is it coming from

Well, it does not appear to be the mail Linux box as much as it
is the DNS server (Win 2000). What's strange is I can physically
unplug the cable from the box and the outgoing traffic stops,
yet the incoming is still going??? I unplug the WAN and it
goes away..

----- Original Message -----
From: Scott Damron
To: [EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 8:30 AM
Subject: RE: [smartBridges] HELP net traffic and where is it coming from

If you are running an old Linux box that you don't have a
root password for, that means it is more than likely out
of date as far as patches go. That means it could
possibly be "rooted", and that is not a good thing!!!
There are a lot of DNS DDoS attacks out there. I would
download ethereal and watch the traffic VERY closely for a
couple of hours.
Scott

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Blazen Wireless
Sent: Thursday, September 11, 2003 8:16 AM
To: [EMAIL PROTECTED]
Subject: [smartBridges] HELP net traffic and where is it coming from

I have Brilan bandwidth control, and for kicks I put my
servers behind it. Just yesterday I noticed that I
have a steady 250kbps up and down on my DNS and my
mail server. I unplug the LAN connection to my T-1 and
the problem goes away, so I know it is not my wireless
customers? I did a sweep and found no worms on my
2000 machine. I do have a Linux 6.4 machine that I don't
know root for, so I can't run any kind of scan, but it appears
that it is coming from the WWW? How can I tell what IP
or where this is coming from? It's almost like a DNS???
Things are functioning normally but a little slow, since
this is taking some of the bandwidth?? Can or would my
ISP (megapath) be able to tell where it is coming from???
I have a strange feeling the WAR has started between
me and the competition, since they threatened to do
something about their 3 customers jumping ship and
coming to me because of their poor service!
I have TCP IP Dump but can't really see anything
specific to those IP addresses??
Martin & Steve
Blazen Wireless
www.blazenwireless.com <http://www.blazenwireless.com>
The PART-15.ORG smartBridges Discussion List
Archives: http://archives.part-15.org
