Multi Cast Storm

grenstauf

May 12, 2015
Over this past weekend I got a call that nothing worked on the network. Not likely but ok. It took me a while to get back there and sure enough everything was locked up with switches in weird light patterns. No logons, no DHCP, no internet! No nothing! Local consoles on various servers were fine but no network access for anything. Started pulling plugs to try and isolate a source and with some reconfiguration I got one switch configured with core services but no clients. I started adding things back until I was able to see where it was coming from and had a look with MS Network Monitor.
Whenever a particular link from another switch was added in, things would get ugly. Network Monitor showed me multicast packets that just kept growing until they swamped everything. Usually it only takes a few minutes to build up. Network Monitor reports MAC addresses for source and destination, but neither of the MACs reported exists on this network and they are from an unknown manufacturer.
At the far end of this cable is an extension to the main network that has not had any changes in a couple of years. There is a little router that isolates a student lab and a bunch of office systems. The lab is Linux Mint and the offices are Win7. This whole event started at 10 o'clock at night and it's pretty much a sure thing no one was in the building on a Friday night. After multiple power cycles on everything possible... it just went away.
The first thing I thought of was a really nasty virus, but after many checks and updates nothing of that sort. There are only about 20 systems with 4 printers and everything has been checked many times since with not even a hint of a problem.
I now have Wireshark standing by and ready to capture whenever it should start up again but this just really creeps me out and I'm glad it was on a weekend. A few dozen users looking over my shoulder is no fun.
If anybody has seen anything like this I'd sure be happy to hear what you found.
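Added example, not from the original post or from the poster: a small Python check that runs over a Wireshark/tshark field export (time, source MAC, destination MAC, one frame per line) and reports the two things described above, multicast frames per second that keep climbing, and multicast sources whose MAC is not on a list of known hosts. The allowlist, the thresholds and the sample capture are all constructed assumptions.

```python
import collections

# Hypothetical allowlist of MACs known to exist on this network (constructed).
KNOWN_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

def is_multicast(mac: str) -> bool:
    """Group address (multicast or broadcast): low bit of the first octet is set."""
    return bool(int(mac.split(":")[0], 16) & 1)

def parse_capture(text: str):
    """Parse 'time src dst' lines, e.g. from
    tshark -r storm.pcapng -T fields -e frame.time_relative -e eth.src -e eth.dst"""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        frames.append((float(parts[0]), parts[1].lower(), parts[2].lower()))
    return frames

def multicast_per_second(frames):
    """Count frames with a group destination, bucketed by whole second."""
    counts = collections.Counter()
    for t, _src, dst in frames:
        if is_multicast(dst):
            counts[int(t)] += 1
    return dict(sorted(counts.items()))

def detect_storm(frames, threshold=50, growth=2.0):
    """Flag seconds where the multicast count is above `threshold` AND at least
    `growth` times the previous second (a self-amplifying loop, not a burst).
    Also list multicast senders that are not on the allowlist."""
    per_sec = multicast_per_second(frames)
    secs = sorted(per_sec)
    storm = [s for i, s in enumerate(secs) if i > 0 and per_sec[s] >= threshold
             and per_sec[s] >= growth * per_sec[secs[i - 1]]]
    unknown = sorted({src for _t, src, dst in frames
                      if is_multicast(dst) and src not in KNOWN_MACS})
    return {"storm_seconds": storm, "unknown_sources": unknown, "per_second": per_sec}

def build_sample() -> str:
    """Constructed capture: two normal frames, then an unknown MAC sending to an
    IPv4 multicast group at a rate that doubles every second for seven seconds."""
    lines = ["0.10 00:11:22:aa:bb:01 ff:ff:ff:ff:ff:ff",
             "0.50 00:11:22:aa:bb:02 00:11:22:aa:bb:01"]
    for sec in range(1, 8):
        for i in range(2 ** sec):
            lines.append(f"{sec + i / (2 ** sec + 1):.4f} 02:ab:cd:00:00:01 01:00:5e:00:00:fb")
    return "\n".join(lines)

if __name__ == "__main__":
    print(detect_storm(parse_capture(build_sample())))
```

Run it against a real export instead of `build_sample()` and the `unknown_sources` list is where to start tracing ports back to the offending switch.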