Hi everyone,
this is my first post here.
Here's the situation. My company has a SonicWALL pro 200 firewall appliance with three ports, one for LAN, one for WAN and a DMZ.
We have 3 Domain controllers running Windows 2000 Advanced Server. One is located behind the LAN and services our internal users. We shall call it the WKCL.com domain and users get to the internet out the WAN
port on the Sonicwall. On the DMZ port we have two other domain
controllers, each separate domains. One is exchange.ICL.com and it is
our mail server. The other is our webserver and it is called
web.webikl.com. So in essence we have three completely separate
domains, two of which share the DMZ port. All IPs are static and are
on the same subnet.
Here's the problem: several times a day our webserver puts out 28000
UDP packets per second, more than a million bytes of stuff, which
pounds the DMZ on our SonicWALL, opening up 30000 ports and shutting
down all communications for everyone, including the LAN. The only fix is to reboot the webserver and wait for it to happen again a few hours later.
Steps I've taken: We are running Norton AV 2003 with the latest definitions on all our DCs and scans happen daily. No viruses have been found.
I have run separate trojan scans on all DCs, using TauScan, and no trojans have been found.
We thought we might have had a routing loop so we nuked and paved all three DCs and made them separate domains that don't need to replicate to each other (previously they did). I have also attempted to put the webserver outside the DMZ but the problem reappeared and pounded our router. Putting the webserver outside without protection isn't really an option either, as it is critical to our business.
I have put on Network Monitor and Performance Monitor. Performance
Monitor shows me that it's definitely the webserver doing this and it is UDP packets, not TCP packets going out.
Network Monitor shows me that the destination IPs seem to be
completely random, as are the destination ports. The only common port is the source port 1434, which is Microsoft SQL monitor. I can't shut out this port as management says the webserver needs it.
On the surface it looks like an attack but as the servers are brand new, with all SPs and hotfixes applied and running behind the firewall, it doesn't seem likely.
What else should I be looking at? Any ideas would be greatly appreciated.
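The pattern described in the post (one host emitting UDP at a very high rate from source port 1434 toward random destination addresses and ports, while the same port in normal use answers a handful of clients) is something a defender can confirm from a packet summary export rather than by eye. The following is an added example, not code from the original post or from Network Monitor: it assumes a constructed one-packet-per-line text format (timestamp, protocol, src:port -> dst:port, length) and constructed sample traffic, and flags any source host whose rate and destination spread on the watched port look like a flood rather than ordinary replies.

```python
from collections import defaultdict
import random
import re

# One packet per line: "<seconds> <PROTO> <src>:<sport> -> <dst>:<dport> len=<bytes>"
# (constructed format for this example, not Network Monitor's native export).
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+len=(?P<len>\d+)$"
)


def parse_line(line):
    """Return a dict for one packet summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m["ts"]), "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"])}


def find_udp_flooders(lines, watch_sport=1434, min_pps=1000, min_distinct_dsts=50):
    """Group UDP packets by source host for the watched source port and flag hosts
    whose packet rate AND destination spread exceed the thresholds.
    A busy but legitimate server answers many packets to few hosts; a flood
    sprays many distinct destinations. Returns {src_ip: stats} for flagged hosts."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "dsts": set(),
                                   "dports": set(), "first": None, "last": None})
    for line in lines:
        p = parse_line(line)
        if p is None or p["proto"] != "UDP" or p["sport"] != watch_sport:
            continue
        s = per_src[p["src"]]
        s["packets"] += 1
        s["bytes"] += p["len"]
        s["dsts"].add(p["dst"])
        s["dports"].add(p["dport"])
        s["first"] = p["ts"] if s["first"] is None else min(s["first"], p["ts"])
        s["last"] = p["ts"] if s["last"] is None else max(s["last"], p["ts"])

    flagged = {}
    for src, s in per_src.items():
        span = max(s["last"] - s["first"], 1e-3)  # a single packet must not divide by zero
        pps = s["packets"] / span
        if pps >= min_pps and len(s["dsts"]) >= min_distinct_dsts:
            flagged[src] = {"packets": s["packets"], "bytes": s["bytes"], "pps": round(pps),
                            "distinct_dsts": len(s["dsts"]), "distinct_dports": len(s["dports"])}
    return flagged


def build_sample_capture(seed=1):
    """Constructed sample traffic: one host spraying UDP from port 1434 at random
    addresses and ports, one host answering a single client from the same port,
    and some unrelated TCP web traffic. Addresses are documentation ranges."""
    rng = random.Random(seed)
    lines = []
    # Flooding host: 2000 datagrams in 0.1 s (about 20 000 pps), random hosts and ports.
    for i in range(2000):
        dst = "%d.%d.%d.%d" % tuple(rng.randrange(1, 224) for _ in range(4))
        lines.append("%.5f UDP 192.0.2.10:1434 -> %s:%d len=400"
                     % (i * 0.00005, dst, rng.randrange(1, 65536)))
    # Normal behaviour: a few replies from port 1434 to one client, spread over 10 s.
    for i in range(20):
        lines.append("%.5f UDP 192.0.2.20:1434 -> 192.0.2.50:1433 len=120" % (i * 0.5))
    # Unrelated TCP traffic to the web server; ignored by the UDP filter.
    for i in range(100):
        lines.append("%.5f TCP 198.51.100.%d:5%03d -> 192.0.2.10:80 len=60"
                     % (i * 0.01, rng.randrange(1, 255), i))
    return lines


if __name__ == "__main__":
    for src, stats in find_udp_flooders(build_sample_capture()).items():
        print("flagged", src, stats)
```

Run as-is it reports only the spraying host; the host that answers one client from port 1434 is left alone because both its rate and its destination count stay below threshold. On a real export, the `pps` and `distinct_dsts` values of a flagged host are the numbers worth putting in front of management when discussing whether that port can be filtered at the DMZ.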