Re: 1000% increase in traffic

[Jason Storm <sec () ORGONE NEGATION NET>]

if i was in your shoes;

1) run tcpdump on a box on the LAN to get an idea of what the traffic is,
where its generated, and where its going.

2) if its generated by one box, take that box offline immediately and
begin forensic work on it.  hell, it could just be napster.  then again,
it could be something far less innocent.

3) if you are seeing traffic that indicates you are being used as a
broadcast for a dos attack, (what appears to be say, one host pinging your
broadcast and every box responding to that one ip), then you need to
configure your border routers to drop broadcast requests, no biggie.

-jason


 On Fri, 9 Feb 2001, Bob Wright wrote:

> Hello guys, thank you for reading this email.. I beleave i might have an exploited box on my hands, At my place of 
> employment we usally range about 728b/s as our average for output (128k Connection)  Now starting at friday at 12am 
> to sat 12pm (about) MRTG (traffic analyser) showed us averaging about 7744b/s !! on a weekend at that late of night. 
> And all out to boot. This worries me because of our data (of coarse) or that we might have a possible client on one 
> of the many machines for a DDOS. Now i have searched through most my logs, inet logs and i cant find a thing..... the 
> logs do not LOOK like they were tamperd with. These are what i think could have happend.
>
> 1) Employee sending files home thinking that no one will be able to detect it.
> 2) DDOS client on one or several machines
> 3) We had a intrusion and the great guy he is decided to send our files to himself
> 4) <input here>
>
>     I am new to this, im only an intern however they expect me to look into this? any how i would like to hear what 
> you guys out there who have experience think, and as always i love any possible links you might have which discuss 
> general procedure or any site that deals with network security.
>
> I thank you again for reading my email.
>
> -Robert Wright