 From:  "Joe Lagreca" <joe at BIGnetOnline dot com>
 To:  "Lee Sharp" <leesharp at hal dash pc dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to monitor network activity?
 Date:  Wed, 12 Sep 2007 21:04:31 -0700
Lee,

Thanks for the information.  I did view the firewall state tables, and
found which computers were the offenders.  Turned out it was a Vista
machine running Mozy backup software that wasn't following the
bandwidth throttling rules it was programmed with.

To correct the problem, I just played with traffic shaping and gave
https lower outbound priority, as well as giving realtime protocols,
such as RDP, higher priority.  It seemed to have helped.

I was worried at first that there was a worm or some type of virus.
But at this point, I think I may be safe.

Thanks again for the pointers.

-- 
Joe LaGreca
Founder & Owner, BIGnet Online
619-393-1733 Office
619-318-3246 Cell
www.BIGnetOnline.com


On 9/12/07, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> Joe Lagreca wrote:
> > I have a client that is running a m0n0wall.  I have been watching
> > their network activity via the traffic graph, and I see that their
> > outbound traffic has been pegged all day.  I would like to find out
> > which machine is causing this and why.  How can I go about figuring
> > this out?  Is there some SNMP monitoring utility I can run that will
> > give me per user bandwidth information, etc?  Thanks.
>
> Welcome to the Storm Worm.  I got quite good at this.  (Thanks in no
> small part to the list.)
>
> 1) Go to Firewall states, and take a snapshot.
> 2) View Delta.  You don't need to wait more than 10 seconds or so, as
> Storm sends a lot of traffic.
> 3) Sort by IP. The offending IP will have a lot of traffic to many
> hosts.  Up to 300 a minute.
> 4) Go to the LAN section of the firewall rules and create a new rule
> High that blocks all from that IP.
> 5) Watch the net performance get so much better.  Wait for a ticked off
> user to call.  See if they recognize the system name from the DHCP
> Leases section for that IP.
> 6) Have beer.
>
> This is my LAN ruleset for a hotel that gets a lot.  I just disable the
> default rule to clean it up enough to work.  DHCP is .100 - .200
>
> X       *       192.168.68.224/28       *       *       *       Virus Block
> X       *       192.168.68.208/28       *       *       *       Virus Block
> ^       *       *       *       *       *       Default LAN -> any
> ^       LAN net         *       *       80 (HTTP)       HTTP LAN -> any
> ^       LAN net         *       *       443 (HTTPS)     HTTPS LAN -> any
> ^       LAN net         *       *       110 (POP3)      POP3 LAN -> any
> ^       LAN net         *       *       25 (SMTP)       SMTP LAN -> any
> ^       LAN net         *       *       21 (FTP)        FTP LAN -> any
> ^       LAN net         *       *       143 (IMAP)      IMAP LAN -> any
>
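Lee's steps 1-3 (snapshot the state table, view the delta, sort by IP and look for one host talking to many peers) can be scripted against two saved copies of the state list. This is an added example, not code from the thread or from m0n0wall; it assumes the state lines look like `pfctl -ss` output ("proto src:port -> dst:port STATE:STATE"), and the two snapshots below are constructed.

```python
import re
from collections import defaultdict

# One pf state line as m0n0wall's "Firewall: States" page / `pfctl -ss`
# prints it (format assumed): "[iface] proto src:port [(nat)] -> dst:port ..."
STATE_RE = re.compile(
    r"^(?:\S+\s+)?(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\d+(?:\.\d+){3}(?::\d+)?)\s*(?:\([^)]*\)\s*)?->\s*"
    r"(?P<dst>\d+(?:\.\d+){3}(?::\d+)?)"
)

def parse_states(snapshot):
    """Parse one snapshot into a set of (proto, src, dst); ports are kept
    so that every state stays a distinct entry."""
    states = set()
    for line in snapshot.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.add((m.group("proto"), m.group("src"), m.group("dst")))
    return states

def new_states(before, after):
    """The 'View Delta' step: states present now that were absent before."""
    return parse_states(after) - parse_states(before)

def fanout_by_source(states):
    """Number of distinct remote hosts contacted, per source IP."""
    peers = defaultdict(set)
    for _proto, src, dst in states:
        peers[src.split(":")[0]].add(dst.split(":")[0])
    return {ip: len(hosts) for ip, hosts in peers.items()}

def suspicious_sources(before, after, threshold=10):
    """Sources whose delta shows >= threshold new distinct peers, busiest first."""
    fan = fanout_by_source(new_states(before, after))
    return sorted(((ip, n) for ip, n in fan.items() if n >= threshold),
                  key=lambda t: -t[1])

# Constructed snapshots ~10 s apart: .150 fans out to a dozen SMTP hosts,
# .101 just opens one more connection to the same web server.
BEFORE = """\
tcp 192.168.68.101:52110 -> 93.184.216.34:443 ESTABLISHED:ESTABLISHED
tcp 192.168.68.150:1025 -> 198.51.100.1:25 ESTABLISHED:ESTABLISHED
"""
AFTER = BEFORE + "".join(
    f"tcp 192.168.68.150:{1026 + i} -> 198.51.100.{2 + i}:25 SYN_SENT:CLOSED\n"
    for i in range(12)
) + "tcp 192.168.68.101:52111 -> 93.184.216.34:80 ESTABLISHED:ESTABLISHED\n"

if __name__ == "__main__":
    for ip, n in suspicious_sources(BEFORE, AFTER):
        print(f"{ip}: {n} new distinct peers -- candidate for a LAN block rule")
```

The flagged IP is the one to look up under DHCP Leases and block with a LAN rule, as in steps 4 and 5.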