Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 2 subscribers
  • Views 959 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Under attack?

HalfPint
Yesterday morning we started seeing some unusual things at the firewall (7.502). The cpu usage went from minimal usage to about 20% usage, the external traffic went from peaks of up to 0.5 M, to running at 2.5 M outbound and 1.5 M inbound.  The internal and dmz connections still look basically normal.  The external connection stayed at those high levels overnight when no one was in the office.  Obviously, our internet connection is running _very_ slow.  

I'm trying to figure out what's happening.  If this were an attack I would expect the inbound traffic to be high and the outbound to be at the normal level.  Since the outbound is higher than the inbound, I'm wondering if the firewall has been compromised and is being used as a zombie or something.

Any suggestions on how I figure out what's going on is appreciated.

Larry


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to BAlfson
    I finally made enough noise to get our consultants to take a serious look at this issue.  They tried several things to no avail.  Finally they found a problem with the web proxy and things started working.  Or whomever was attacking us gave up.  Other than the cpu usage still being higher than "normal" everything seems to be back to about the way it was prior to this incident.

    I still wonder why the outbound traffic was so high.  I doubt I'll ever know.

    Thanks for your help.

    Larry