2620 router traffic problem

[meby]

I have a virus pounding my front end router. It is consistantly running at 99%. Is there a way for me to see the actual TCP/IP address of the offending computer(s) by view a traffic log of some sort? Having to scan 500+ computers is not a cost effective course of action. Thanks.

 

[meby]

Also, I'm positive it is coming from within my network.

 

[jneiberger]

1. How did you determine that this is a virus and not just a bug causing the router to go crazy?

2. Why do you have 500+ computers that don't already have up-to-date AV software on them? ;-)

One easy thing to try is to turn on Netflow switching on a router interface that would be handling this traffic.

Go into config mode, and at the interface level you type "ip route-cache flow". Exit config mode and wait a bit, then type "show ip cache flow".

You could also turn on IP accounting but this would only help if you configured it on a router interface that was transmitting this traffic, not receiving it.

You could also create an access list that logs incoming and/or outgoing traffic from the router.

Pick your poison. I think I'd try Netflow first but others here might have some different ideas.

 

[meby]

Hehe...well:

1) Standard operating procedures around here since we have no virus protection. Which leads to...

2) Well...that's the superintendant's decision and I'm waiting on him to pull the trigger. Meanwhile the trigger is being pulled on me numerous times.

However, your cache flow suggestion is working like a champ. I appreciate your help.

 

[jneiberger]

Well, I know this doesn't help, but it's my opinion that there is simply no (good) excuse for having that many Windows machines in a network and not having virus protection. As you know, there are too many things that can go wrong if you leave yourself unprotected.

The superintendent needs to get with the program. Network security at this level is simply no longer an option.

Again, that's just my opinion.

 

[meby]

And an opinion I agree with 100%. Unfortunately, I don't get the last say on expenditures. I figure that with a few more catastropes one of 2 things will happen. He'll wisen up and get the protection needed. Or he'll get so frustrated and fire me which will allow me to get a job at a company that cares

 

[jneiberger]

Yep, there's always a silver lining to be found.

 

[ngulick]

Many thanks for asking and answering this question! You all just saved my bacon today!! I might get to go home tonight!

 

[vlf]

You could also put an access list on your router with the log option at the end of the deny statements. This will work best if you know either what ports the virus is using or a destination. A good start is to turn off Ping to and through all your routers on all interfaces. Then your routers will put the denied attempts into the router logs, or even better send them to a syslog server. At least then, you'll have proof for your superintendant.