General discussion

Locked

Strange behavior(internal comp. pinging)

By A.Nader ·
We are using 512 kbps ADSL line to connect our department (about 50 computers) to the internet through a win2000 server supported with ISA server. The problem is that, sometimes, some internal computers (Win 2000 server or prof. and WinXP ) send large amounts of ICMP echo requests to IP addresses outside our subnet (130.10.0.0 , 255.255.0.0 ) causing the download rate to degrade to unacceptable levels (sometimes to 10 kbps) or even crashing the external network interface . For example, one computer may ping IP addresses from 130.7.0.1 to 130.20.255.254 successively without waiting for replies for the sent requests.

Thanks for your help

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by Curacao_Dejavu In reply to Strange behavior(internal ...

I am not behind my ISA server right now, to tell in detail , but you should allow the clients only access to the protocols they need instead of every thing ( I believe it's in policies or packet filters (they are not able to that on my network) ). Turn on the log options to see which computers are doing that and take actions, there might be a trojan horse or virus on those computers.
If you have a spare computer, you can install netprobe 0.4, and plugg it in the same "hub" as where the iSA server is plugged into. You will get a graphical view of what traffic is going on your network (to where and from where).
On the computers you can install active port to see what ports are being used, so you would be able to trck a possible trojan. both programs are free.

Is the winproxy client installed on the computers ?

Leopold

Collapse -

by Curacao_Dejavu In reply to

Do the opposite to disable:
http://support.microsoft.com/default.aspx?scid=kb;en-us;274568


Blocking and Logging Traffic on ISA Server Internal Interfaces
http://support.microsoft.com/default.aspx?scid=kb;en-us;283213

Leopold

Collapse -

by Curacao_Dejavu In reply to

The protocol rules are found here:
Open the ISA Management console (Click Start, point to Programs, click Microsoft ISA Server, and then click ISA Management.
In the tree, click the name of the server to expand the tree for the computer that is running ISA Server.
Expand Access Policy, and then click Select Protocol Rules.

Collapse -

by mm212 In reply to Strange behavior(internal ...

This sounds suspiciously like the MSBlast worm or (more likely) the Nachia worm. I would be sure the antivirus is installed and updated and do a full system scan. Symantec has removal tools for these worms. Once the worm is removed, be sure all workstations are patched through Windows Update so the rest don't also get infected.

Collapse -

by sgt_shultz In reply to Strange behavior(internal ...

sounds like Blaster to me. the fix is available at www.symantec.com for free even if you don't have norton anti-virus. microsoft has extensive info on this worm and how to deal with it...i would begin by checking my router configuration and shutting down all the ports but 80 and whatever you need for mail, pcanywhere, streaming, icq etc

Collapse -

by mistress1966 In reply to Strange behavior(internal ...

sounds to me u have the w32.Welchia worm as i have had the same prob recently and done a virus scan and thats what it came up with all is working well now :-)

Back to Windows Forum
6 total posts (Page 1 of 1)  

Related Discussions

Related Forums