Network Performance/Security Woes

**cMags** · 01-21-2007, 12:25 PM

<CN>
3Mbit connection sucking - possible infestation - any ideas on how to help?
</CN>

<novel>
So my 3Mbit connection has ***** the bed this week. I called up my provider to see if there was something going on on their side (ice storm up here this week took out power for a couple days, so I was hoping it was just downed lines or something), but they said all was good. However, on all the computers on my network, I'm getting dropped connections, way slow performance (took me about 5 minutes to get to OT from the main site), and sometimes no connection at all (even the WAN IP on my router drops out). Even just running a ping will show high times and drops (see the attached output file).

I typically run a Bit Torrent client, an FTP server when tranferring files to/from friends, VOIP phone, Web, and IM. Talking with the tech, the first thing he told me is that my 3Mbit connection isn't enough for all that

I've been running this type of setup for years on other providers (I've used AT&T, Comcast, RCN, Verizon DSL, and now Charter which sucks). This issue can't be all my fault. Even when everything was running smoothly, I'd have to stop any downloads in order to use my VOIP which should take only 200k bandwith.

Anyways, while talking with the tech, he had me run some ping's, netstat -a, and tracert's to see if anything was up on my end. My netstat was showing a BUNCH of open ports (see attached). Does anyone have any recommendation of a good freeware port scanner/monitor that might tell me what app is using what ports?

Also, this issue seems to be network wide. Is it possible I've got some type of virus/worm/adware that has installed itself over the network or even worse, on the network (like in the router)? Any recommendations of what I can run to try to clean out something like this? (I've got Symantec AntiVirus Corporate, Check Point Integrity firewall, and Ad-Aware SE Personal, Build 1.06r1 installed currently.) What kind of software can scan a whole Windows workgroup network?

Any ideas would be appreciated. I can't even download half-meg files at times - it'll start up and then drop to 0.2k and just hang. Sometimes it even crashes whatever client is trying to download. Help!! And Thanks!

</novel>

**Pistolen08** · 01-21-2007, 12:35 PM

I like peerguardian

Have you tried directly plugging the uplink to your computer to see if you get the same results? Your router/switch could be bad.

**will1384** · 01-21-2007, 02:12 PM

If you have windows PCs make sure you have anti spy ware
like "Ad Aware" or "Spybot - Search & Destroy" or "Spy Ware Blaster"

and good anti virus like "AVG" or "Avast"

"Process Explorer" can show you whats running

"Autoruns" can disable junk

"Hijack This" or "Rootkit Buster" or "RootKit Hook Analyzer"
or "Rootkit Revealer" can help with root kits

"Angry IP Scanner" and "Active Ports" and "Current Ports"
are good network tools

"Ethereal" will tell you every thing thats going on in your network

Go to Portableapps.com for a lot of the programs above made to run
on a flash/thumb drive

Hope this helps

If you have a good router - set up the proper way - your other boxes
dont need firewalls, because your router is the firewall,

you could try some on line firewall tests, like

http://www.hackerwatch.org/probe/

or

https://www.grc.com/x/ne.dll?bh0bkyd2

And like what was said, maybe you router is bad - or needs a reset, make
sure to check it after the reset - in case it goes back to defalut

**cMags** · 01-22-2007, 09:49 AM

^^ Now that's what I'm talking about! I knew I could count on this forum for some help with this issue.

I took a look at my system with Process Explorer and some port viewer on the Sysinternals site and nothing looks out of the ordinary. (Took me a while to download these programs because the damn network kept timing out.) I'm just having trouble trying to figure out where the issue lie. I don't think it's the PC, because I've seen it on two brand new installs. One of those new installs I hooked directly to the modem. Problem is, I can't prove anything to my provider (who provides the modem) because everytime I run a tracert everything looks fine to them - any other timeouts are out on the internet (which they obviously can't control).

I'll try pouring over the open ports and watch with Ethereal or Wireshark, and try to get some captures of issues while connected directly. Maybe I can at least provide enough of a case to get a replacement modem, and then I can replace my router and see if that clears up the issue.

Damn these things are hard to track down...

Also, does anyone know of any type of infection that could attack my router? As if it got into the router's memory? How could I scan that? Anything that could attack the modem in a similar fashion?

**DarquePervert** · 01-22-2007, 10:10 AM

I had a similar situation where machines kept getting flooded off the network.

Turns out it was a chatty NIC. When that was replaced, all was good.

Chick all the NICs on your network.

**dan__wright** · 01-22-2007, 10:25 AM

we've had something similar at work, brought the entire site to a crawl, completely flooding out switches (4.7 Million packets per second) and 1GB backbones.

turns out someone had made a feeback loop with a unmanaged desktop switch, every port was on constant with broadcasts, unplugged it and everything went quiet. check what the activity on yopur network is like, start disconnecting switches untill traffic drops, when it goes quite the switch you just unplugged is where the traffics coming from, then start unplugging ports on that untill you find the culprit.

**cMags** · 01-22-2007, 11:50 AM

^^ The past two posts are good ideas - I'll look into it, but it's only a home network, so there's at most 5 PC's on at once and there are no switches.

I'll try using one PC at a time to narrow down the NIC's and see where it goes. I still feel like I'm on a wild goose chase with this issue

**digimotojoel** · 01-22-2007, 12:24 PM

I have heard of instances where service providers run scans accross ports to make sure their customers are not running server software (FTP/Web Servers etc.) and shut them down. I would try taking all your computers down except for one (that you don't do anything with) / reset your router&modem and see if that solves your issue. At least this might help you identify if there is an issue on one of the computers or if it is a network/provider issue. If you are using a wireless router, make sure everything is locked down.

**RPI Geek** · 01-22-2007, 05:48 PM

Try some of the options for netstat: "netstat -b" is a good start. If you don't recognize the .exe, run a search on google to find out what it really is. If you want to see all the available options, try "netstat /?"

My ping to mp3car.com was similar to what you got, so I wouldn't worry about that.

You can shut down all your services and run a connection speed test at www.dslreports.com

Also, try rebooting your router. I've had experiences where if I ran speeds above a few hundred kbps the (netgear) router just crapped out, and I've had experiences with routers starting to run slowly if they've been on for a long time or if they get hot. One time I actually had to reset it to its factory defaults before it sped up.

Good luck!

**RPI Geek** · 01-22-2007, 05:52 PM

Oh! Look at your network cables too, if they're crimped that can really mess things up.

Edit: I keep thinking of new things but don't want to triple-post
http://www.snort.org/ - I haven't used it myself, but if you have a spare computer it can really do a lot.