[Packeteer] How do I know if my network is having worm/virus related issues?
April 15, 2008. Posted by ZoeL in Networking (non Cisco), Packeteer, Security.
Tags: Packeteer, Worm Attack
From Packeteer Technical Support Solution Database
Recently, excessive network traffic due to worms and viruses has overloaded many networks and networking devices (including PacketShaper). Most likely, this kind of activity will continue in the future as well.
PacketShaper can help identify performance problems due to viruses and worms and can also help block some of this undesired traffic. However, PacketShaper is NOT a firewall or an anti-virus tool that can be used to protect a network against these types of attacks.
Packeteer recommends that you use a firewall or proper anti-virus tools to protect your network from viruses and worms. People have been experiencing severe network problems as well as problems with networking devices, but may not even be aware that they are being hit by these worms or viruses.
PacketShaper can be used to identify some of these problems, but Packeteer does not guarantee that PacketShaper will be able to prevent these kinds of attacks.
In the typical networking topology, PacketShaper sits next to the router or firewall, thereby seeing all the LAN to WAN or WAN to LAN traffic. If a worm or virus is hitting your network, you will see a high number of flows to or from certain hosts. PacketShaper can track all these flows and has the ability to display a list of hosts sorted by number of flows.
Use the following CLI command to find out whether you are seeing an excessive number of flows: host info -sf -n 50
The above command lists the IP addresses with the highest number of flows. If you see a very high number of new flows from machines that you would not expect to have that many flows, this could be a sign of an attack. Also, attacks may use spoofed addresses, so you may see IP addresses that do not even exist on your network.
After you identify the abnormal IP addresses from the above list, you can use the traffic flow command to track down what kind of flows those machines are generating. Use the following command: traffic flow -tupICA
The output of the above command displays the source and destination IP address, port numbers, Inbound and Outbound classes the traffic is hitting, and the PacketWise service name.
With this much information, you can determine what kind of attack you are having, and you will be able to take necessary measures to patch the infected machines and block unwelcome traffic in the firewall.
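The flow-count check the two commands above describe, as an added example that is not from the Packeteer article and does not parse PacketShaper output: it ranks hosts by flow count over a constructed set of flow records and lists source addresses outside an assumed local prefix, which is the spoofing sign the article mentions. The (src, dst, dst_port, service) record shape and the 10.1.0.0/16 LAN prefix are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flows as (src, dst, dst_port, service) tuples. This is an
# assumed shape for illustration, not the output format of "traffic flow -tupICA".
SAMPLE_FLOWS = (
    [("10.1.1.25", f"198.51.100.{i}", 445, "SMB") for i in range(1, 41)]  # one host fanning out
    + [("10.1.1.7", "203.0.113.10", 80, "HTTP"),
       ("10.1.1.7", "203.0.113.11", 443, "HTTPS"),
       ("10.1.1.9", "203.0.113.12", 25, "SMTP")]
    + [(f"172.16.9.{i}", "203.0.113.50", 135, "DCE-RPC") for i in range(1, 11)]  # not on our LAN
)

LOCAL_PREFIXES = [ip_network("10.1.0.0/16")]  # assumption: the LAN side of the PacketShaper

def host_flow_counts(flows):
    """Flows per host, counting a host whether it is the source or the destination."""
    counts = Counter()
    for src, dst, _, _ in flows:
        counts[src] += 1
        counts[dst] += 1
    return counts

def top_hosts(flows, n=50):
    """Hosts sorted by flow count, busiest first (what 'host info -sf -n 50' shows)."""
    return host_flow_counts(flows).most_common(n)

def is_local(addr):
    return any(ip_address(addr) in net for net in LOCAL_PREFIXES)

def nonlocal_sources(flows):
    """Source addresses that do not belong to the local network: possible spoofing."""
    return sorted({src for src, _, _, _ in flows if not is_local(src)}, key=ip_address)

def flow_breakdown(flows, host):
    """Service/port mix for one host, the detail 'traffic flow -tupICA' gives per flow."""
    return Counter((svc, port) for src, dst, port, svc in flows if host in (src, dst))

def report(flows, threshold=20, n=5):
    """Top-n hosts as (host, count, flagged); flagged when count reaches the threshold."""
    return [(host, cnt, cnt >= threshold) for host, cnt in top_hosts(flows, n)]

if __name__ == "__main__":
    for host, cnt, flagged in report(SAMPLE_FLOWS):
        print(f"{host:16} {cnt:5}" + ("  <-- investigate" if flagged else ""))
    print("sources not on the local network:", nonlocal_sources(SAMPLE_FLOWS))
    print("flow mix for 10.1.1.25:", dict(flow_breakdown(SAMPLE_FLOWS, "10.1.1.25")))
```

The threshold is a placeholder; on a real network it is set from what the top of the list normally looks like, and the flow breakdown of a flagged host is what tells you whether it is a worm scanning one port or a busy server.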
Following is a list of the most active worms and viruses that Packeteer is currently aware of. However, this is not an exhaustive list and new ones are coming out all the time, so please do not rely completely on this list.
In short, if Packeteer detects a huge number of flows to one host on the LAN, that host needs to be checked and examined. Trojans and worms usually create an enormous number of connections to the Internet, which cripples the reserved bandwidth.