Thanks for the information. I did view the firewall state tables, and
found which computers were the offenders. Turned out it was a Vista
machine running Mozy backup software that wasn't following the
bandwidth throttling rules it was programmed with.
To correct the problem, I just played with traffic shaping and gave
https lower outbound priority, as well as giving realtime protocols,
such as RDP, higher priority. It seems to have helped.
I was worried at first that there was a worm or some type of virus.
But at this point, I think I may be safe.
Thanks again for the pointers.
Founder & Owner, BIGnet Online
On 9/12/07, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> Joe Lagreca wrote:
> > I have a client that is running a m0n0wall. I have been watching
> > their network activity via the traffic graph, and I see that their
> > outbound traffic has been pegged all day. I would like to find out
> > which machine is causing this and why. How can I go about figuring
> > this out? Is there some SNMP monitoring utility I can run that will
> > give me per user bandwidth information, etc? Thanks.
> Welcome to the Storm Worm. I got quite good at this. (Thanks in no
> small part to the list.)
> 1) Go to Firewall states, and take a snapshot.
> 2) View Delta. You don't need to wait more than 10 seconds or so, as
> Storm sends a lot of traffic.
> 3) Sort by IP. The offending IP will have a lot of traffic to many
> hosts. Up to 300 a minute.
> 4) Go to the LAN section of the firewall rules and create a new rule
> High that blocks all from that IP.
> 5) Watch the net performance get so much better. Wait for a ticked off
> user to call. See if they recognize the system name from the DHCP
> Leases section for that IP.
> 6) Have beer.
> This is my LAN ruleset for a hotel that gets a lot. I just disable the
> default rule to clean it up enough to work. DHCP is .100 - .200
> X * 192.168.68.224/28 * * * Virus Block
> X * 192.168.68.208/28 * * * Virus Block
> ^ * * * * * Default LAN -> any
> ^ LAN net * * 80 (HTTP) HTTP LAN -> any
> ^ LAN net * * 443 (HTTPS) HTTPS LAN -> any
> ^ LAN net * * 110 (POP3) POP3 LAN -> any
> ^ LAN net * * 25 (SMTP) SMTP LAN -> any
> ^ LAN net * * 21 (FTP) FTP LAN -> any
> ^ LAN net * * 143 (IMAP) IMAP LAN -> any
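The snapshot-and-delta procedure in Lee's reply (steps 1 to 3) can be automated rather than eyeballed. The script below is an added example written for this page; it is not code from the m0n0wall project or from either poster. It assumes state-table lines in a pfctl-style layout (`proto src:port -> dst:port state`, optionally with a leading interface token or a NAT translation in parentheses), which is an assumption about the export format, not something the thread states. The two snapshots are constructed sample data: an ordinary LAN plus one host, 192.168.68.137, that opens connections to forty distinct mail servers between the two captures, which is the "lots of traffic to many hosts" pattern Lee describes. The threshold of 20 distinct new destinations per delta is likewise an assumed tuning value. The last function emits a block-rule row in the same column layout as Lee's ruleset so the offender can be added to the "Virus Block" entries.

```python
"""Find LAN hosts fanning out to many destinations between two firewall
state-table snapshots (added example; formats and thresholds are assumed)."""
import re
from collections import defaultdict

# Assumed pfctl-like state line. Tolerates an optional leading interface
# token ("all tcp ...") and an optional NAT translation "(a.b.c.d:port)".
STATE_RE = re.compile(
    r"^(?:\S+\s+)?(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?:\(\S+\)\s+)?->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Constructed sample snapshots (not real captures). TEST-NET addresses are
# used for the remote side. The second snapshot adds one more normal web
# connection and a burst of SMTP attempts from 192.168.68.137 to 40 hosts.
SNAPSHOT_BEFORE = """\
tcp 192.168.68.105:3412 -> 203.0.113.10:80 ESTABLISHED:ESTABLISHED
tcp 192.168.68.112:3588 -> 203.0.113.22:443 ESTABLISHED:ESTABLISHED
udp 192.168.68.112:1029 -> 203.0.113.53:53 MULTIPLE:SINGLE
"""
SNAPSHOT_AFTER = (
    SNAPSHOT_BEFORE
    + "tcp 192.168.68.105:3413 -> 203.0.113.10:80 ESTABLISHED:ESTABLISHED\n"
    + "\n".join(
        f"tcp 192.168.68.137:{40000 + i} -> 198.51.100.{i}:25 SYN_SENT:CLOSED"
        for i in range(1, 41)
    )
    + "\n"
)

FANOUT_THRESHOLD = 20  # assumed: distinct new destinations per delta


def parse_states(text):
    """Return the set of (proto, src, sport, dst, dport) tuples in a snapshot.
    Lines that do not look like a state entry are skipped."""
    states = set()
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.add((m["proto"], m["src"], int(m["sport"]),
                        m["dst"], int(m["dport"])))
    return states


def state_delta(before, after):
    """States present in the later snapshot but not the earlier one
    (the 'View Delta' step)."""
    return after - before


def hosts_per_source(states):
    """Map each LAN source IP to the number of distinct destination hosts
    it talks to within the given states (the 'sort by IP' step)."""
    dests = defaultdict(set)
    for _proto, src, _sport, dst, _dport in states:
        dests[src].add(dst)
    return {src: len(hosts) for src, hosts in dests.items()}


def flag_offenders(counts, threshold=FANOUT_THRESHOLD):
    """Source IPs whose fan-out meets the threshold, busiest first."""
    return sorted((src for src, n in counts.items() if n >= threshold),
                  key=lambda src: -counts[src])


def find_offenders(before_text, after_text, threshold=FANOUT_THRESHOLD):
    """Whole pipeline: snapshot, delta, per-IP fan-out, threshold."""
    delta = state_delta(parse_states(before_text), parse_states(after_text))
    return flag_offenders(hosts_per_source(delta), threshold)


def block_rule_line(src_ip, description="Virus Block"):
    """A rule row in the same column layout as the quoted LAN ruleset:
    disabled/block marker, proto, source, src port, dest, dest port, text."""
    return f"X * {src_ip}/32 * * * {description}"


if __name__ == "__main__":
    for ip in find_offenders(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(block_rule_line(ip))
```

In practice the two snapshots would be the state table exported ten seconds or so apart, as Lee suggests; the fan-out count on the delta is what separates a worm scanning many hosts from a single machine saturating the link to one destination, which is the case Joe actually found.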