IP Flooding?


Hamish

I have a Win2K server that is demonstrating signs of IP spoofing and Denial
of Service. The server connects to the internet via a DUN connection shared
using ICS. In the last two days the network has slowed to nothing and
several network apps including mail and web access have failed while trying
to access resources on the server or on the external network.

I have noticed that while the DUN connection is active the modem and DUN
properties indicate a constant stream of data being uploaded from the
server. The network functions normally when the DUN connection is disabled.

The problem is not ISP specific as I have tried alternates. There is no
firewall present (please no lectures, it's not my network).

Can anyone help me to isolate the cause of this problem?
 
> I have noticed that while the DUN connection is active the modem and DUN
> properties indicate a constant stream of data being uploaded from the
> server. The network functions normally when the DUN connection is
> disabled.

It's likely been compromised, and is being used to store some manner of
illegal material (music, warez, etc.).

> The problem is not ISP specific as I have tried alternates. There is no
> firewall present (please no lectures, it's not my network).

No lecture, as requested, but that's what happens. If there's no firewall,
this type of thing should be expected regularly. We won't lecture you, but
you should sure as hell lecture someone else :)

> Can anyone help me to isolate the cause of this problem?

Try a packet sniffer, such as Snort. Also try running something like
filemon (Google it), to see if unfamiliar files are getting a lot of
activity.
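
Added example, not part of the thread: once a sniffer has captured traffic on the dial-up interface, a short triage script can show whether the constant upload comes from one local port serving outsiders (the compromise the reply suspects) or from packets leaving with source addresses that are not the server's own (the spoofing the question suspects). The record format, addresses and port numbers are constructed for illustration and are not a native Snort output format.

```python
import ipaddress
from collections import defaultdict

WAN_IP = "198.51.100.7"  # constructed: address the ISP assigned to the dial-up link

# Constructed capture from the dial-up interface, one packet per line:
# src_ip,src_port,dst_ip,dst_port,bytes (assumed export format, not Snort's own)
SAMPLE = """\
198.51.100.7,2121,203.0.113.50,40112,1460
198.51.100.7,2121,203.0.113.50,40112,1460
198.51.100.7,2121,203.0.113.50,40112,1460
198.51.100.7,2121,203.0.113.77,51000,1460
198.51.100.7,1045,192.0.2.25,25,512
203.0.113.50,40112,198.51.100.7,2121,40
10.9.8.7,1234,192.0.2.99,80,60
"""

def summarize(capture, wan_ip):
    """Return (upload bytes per local port, upload bytes per remote host,
    outbound packet count per source address that is not ours)."""
    wan = ipaddress.ip_address(wan_ip)
    by_port = defaultdict(int)
    by_remote = defaultdict(int)
    foreign_src = defaultdict(int)
    for line in capture.strip().splitlines():
        src, sport, dst, _dport, size = line.split(",")
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst == wan:
            continue  # inbound packet, not part of the upload stream
        if src != wan:
            # Leaving our link with someone else's source address: spoofing sign.
            foreign_src[str(src)] += 1
            continue
        by_port[int(sport)] += int(size)
        by_remote[str(dst)] += int(size)
    return dict(by_port), dict(by_remote), dict(foreign_src)

def top(counter):
    """Largest (key, value) pair, or None when nothing was counted."""
    return max(counter.items(), key=lambda kv: kv[1]) if counter else None

if __name__ == "__main__":
    ports, remotes, foreign = summarize(SAMPLE, WAN_IP)
    print("busiest local port :", top(ports))
    print("busiest remote host:", top(remotes))
    print("foreign sources    :", foreign)
```

A single local port carrying most of the upload is the one to match against the services and files on the server; any entry under foreign sources means packets are leaving with an address the server does not own.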
 