RE: Help - ICMP Traffic Killing ISA

  • From: "Ray Dzek" <rdzek@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 19 Oct 2003 10:15:54 -0700

We are getting clobbered.  The ICMP traffic is definitely coming from
inside.  We are running the scans and cleaning as we go.  My question is how
the heck do I get ISA to tell me where the damn ICMP traffic is coming from?
The IPP logging is turned on, but shows all the traffic originating from the
external interface, and the FW and WEB logs do not show anything either.  I
do not run an authenticated ISA because of our mix of clients, but why the
heck can't I at least get an IP or MAC address to track back to the infected
machine?

----- Original Message -----
From: "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, October 17, 2003 10:43 PM
Subject: [isalist] RE: Help - ICMP Traffic Killing ISA


http://www.ISAserver.org

Make sure and do a full virus scan on the ISA server.

Try disconnecting the internal NIC cable and see if the Pings stop.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -----Original Message-----
> From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
> Sent: Friday, October 17, 2003 9:15 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Help - ICMP Traffic Killing ISA
>
> We had some visitors come in from out of town and help themselves to an
> ethernet port which unleashed Welchia and Blaster on our internal network.
> (Yes .. there will be public floggings at noon today).  But I am trying to
> track down where the stragglers are on the network that are still infected.
> I have been using netmonitor and other tools to find the "screamers" on the
> LAN.  I was also trying to use Wintail to simply tell me who on the network
> is generating the traffic.  When I tail the ippextd logs, I see all the ICMP
> traffic scrolling, but it all looks like it is coming from the external
> interface of ISA.  There is no corresponding traffic in the webextd or
> fwextd logs.  If I stop the fw and web services, the ippextd logs continue
> to scroll with ICMP traffic.  What is up?
>
> Thanks in advance.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')




