Network Flood

GregG

I'm pulling my hair out on this one. An XP workstation is bringing down
my home network and keeps resetting a DSL router. I really cannot
rebuild it as it has so much stuff on it.

I do know what is causing this but there is an extensive message
exchange between an XP workstation and a Domain Controller/DNS/NAT
server. 2 other workstations are not involved. It's happening almost
all the time with short intermissions. I shut down all applications and
stopped all services on XP that can be stopped without degrading
functionality.

Network monitor shows thousands of frames in a minute coming from
server to workstation. They are all the SAME:

Protocol = HOPOPT - IPv6 Hop-by-Hop Option; Packet ID = 0; Total IP
Length = 0; Options = No 0.0.0.0 0.0.0.0 IP

At the same time (and this is weird) XP sends thousands of DNS requests
to my DNS server for different internet domains (for thousands of
different domains I never heard of!!) for Mail Exchange. My DNS in turn
floods the internet querying the provider's DNS and brings the DSL router
down once in a while. Example:

DNS 0x14AE:Std Qry for wvbr.com. of type Mail Xchg on class INET addr.
MATRIX 140.120.100.107 IP

I have been fighting this for 3 days. No viruses or spyware are found (scanned with 3
different applications). Processor at 99% idle. Regmon shows constant
access to the dnscache service and to parameters in the tcpip service.

Can anyone help?
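The symptom described above, one LAN host issuing thousands of MX lookups for domains nobody on the network has any reason to mail, is a classic direct-to-MX spam-bot tell, and it can be spotted from a DNS query log before the upstream link falls over. The script below is an added example, not code from this thread or from Network Monitor. It assumes a constructed, simplified capture-line format modelled on the "Std Qry for ... of type Mail Xchg" description quoted in the post, with a timestamp and source/destination host names prepended; the host names, timestamps, transaction IDs, domain names and the "Host Addr" record-type label in the sample are all constructed for the example. It flags any source whose MX queries cover at least a threshold number of distinct domains inside a sliding time window.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Assumed line format (constructed for this example, modelled on the Network
# Monitor description quoted in the thread): time, source host, destination
# host, then the DNS description. A real capture export needs its own regex.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<src>\S+) (?P<dst>\S+) "
    r"DNS 0x(?P<txid>[0-9A-Fa-f]+):Std Qry for (?P<name>\S+) "
    r"of type (?P<rrtype>.+?) on class INET addr\.$"
)

# Constructed sample: one host (MATRIX) bursting MX queries for unrelated
# domains, a second host (OTHERPC) doing ordinary lookups. The "Host Addr"
# label for A records is an assumption, as are all names and times here.
SAMPLE_LOG = """\
12:00:00.010 MATRIX SERVER DNS 0x14AE:Std Qry for wvbr.com. of type Mail Xchg on class INET addr.
12:00:00.020 MATRIX SERVER DNS 0x14AF:Std Qry for alpha-example.net. of type Mail Xchg on class INET addr.
12:00:00.030 MATRIX SERVER DNS 0x14B0:Std Qry for beta-example.org. of type Mail Xchg on class INET addr.
12:00:00.040 MATRIX SERVER DNS 0x14B1:Std Qry for gamma-example.com. of type Mail Xchg on class INET addr.
12:00:00.050 MATRIX SERVER DNS 0x14B2:Std Qry for delta-example.biz. of type Mail Xchg on class INET addr.
12:00:00.060 MATRIX SERVER DNS 0x14B3:Std Qry for epsilon-example.info. of type Mail Xchg on class INET addr.
12:00:00.070 MATRIX SERVER DNS 0x14B4:Std Qry for zeta-example.net. of type Mail Xchg on class INET addr.
12:00:00.080 MATRIX SERVER DNS 0x14B5:Std Qry for WVBR.COM. of type Mail Xchg on class INET addr.
12:00:01.000 OTHERPC SERVER DNS 0x0001:Std Qry for update.example.org. of type Host Addr on class INET addr.
12:00:02.000 OTHERPC SERVER DNS 0x0002:Std Qry for mail.example.org. of type Mail Xchg on class INET addr.
12:00:03.000 OTHERPC SERVER DNS 0x0003:Std Qry for www.example.org. of type Host Addr on class INET addr.
this line is not a DNS query and is skipped
"""


def parse_line(line):
    """Parse one capture line; return a dict, or None for non-query lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["time"], "%H:%M:%S.%f"),
        "src": m["src"],
        "dst": m["dst"],
        # Normalise trailing dot and case so 'WVBR.COM.' and 'wvbr.com.' match.
        "name": m["name"].rstrip(".").lower(),
        "rrtype": m["rrtype"],
    }


def find_mx_floods(lines, window_seconds=60.0, min_distinct=5):
    """Flag sources whose MX queries, within any sliding window of
    window_seconds, cover at least min_distinct different domains.

    Returns {src: {"peak_distinct_mx_domains": n, "mx_queries": total}}.
    A normal client resolves MX records for the few domains its own mail
    server relays to; a host doing direct-to-MX spamming looks up thousands.
    """
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["rrtype"] == "Mail Xchg":
            per_src[ev["src"]].append((ev["time"], ev["name"]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()       # (time, name) pairs inside the current window
        in_window = Counter()  # name -> occurrences inside the window
        peak = 0
        for t, name in events:
            window.append((t, name))
            in_window[name] += 1
            # Evict events older than window_seconds relative to the newest.
            while (t - window[0][0]).total_seconds() > window_seconds:
                _, old_name = window.popleft()
                in_window[old_name] -= 1
                if in_window[old_name] == 0:
                    del in_window[old_name]
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            alerts[src] = {"peak_distinct_mx_domains": peak,
                           "mx_queries": len(events)}
    return alerts


if __name__ == "__main__":
    for src, info in find_mx_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['mx_queries']} MX queries, "
              f"{info['peak_distinct_mx_domains']} distinct domains in one window")
```

Counting distinct MX targets rather than raw query volume is the point: a busy but healthy mail relay repeats the same few names, while the infected host in this thread spreads its lookups over domains it has never touched before, so the distinct-domain count separates the two even when query rates are similar. Run on the sample, only MATRIX is flagged (8 MX queries, 7 distinct domains); OTHERPC's single MX lookup stays under the threshold.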
 
Peter R. Fletcher

Bad network card or other hardware problem?
Please respond to the Newsgroup, so that others may benefit from the exchange.
Peter R. Fletcher
 
GregG

Thanks Peter,

I already changed NICs. The switch seems OK because other
workstations are not affected even if I swapped ports with the troubled one.
 
Peter R. Fletcher

I missed the bit in your original post where it appears that at least
the DNS flood is coming from (or at least through) XP - all the
zeroes in the network monitoring results made me think of a hardware
fault.

I would suggest two approaches:

1) it looks as if you have tested by substitution all possible
hardware causes except bad cabling. Try running a new, temporary cable
between the XP machine and your switch. I frankly don't expect this to
solve the problem, but network cabling problems can sometimes give
rise to very strange symptoms indeed.

2) Boot another OS on the XP machine and see whether the flood
continues. There are a number of trial versions of different flavours
of Linux which have come out on computer magazine cover disks and/or
can be downloaded and burnt to CD-Rs and run from the CD. Assuming
that your hardware is fairly vanilla, you should be able to access the
network from the "foreign" OS. If the "foreign" OS can access the
network and doesn't flood it, I would have to assume that you either
have a very well hidden piece of malware, or part of your XP network
stack has been corrupted in a particularly spectacular fashion. If
that's the case, you are probably going to have to do at least a
Repair reinstall of XP. If a foreign OS booted and running from a
clean CD also causes the same behaviour on the network, it has to be
network hardware-related, or just conceivably something in the MoBo.

 
GregG

Thanks Peter for guidelines.

I suspect this indeed was a very well hidden malware. I was hit by a
virus about 3 weeks ago. Cleaned it (thoroughly, I thought, according to
various antivirus/antispyware applications/utilities and personal
experience with this type of event). But you never know, and
apparently something was still out there and created a channel bypassing the
firewall (as in addition to the frames I mentioned, XP began receiving SMTP
requests from various external hosts). In any case I still do not know
what it was, but it appears to have stopped acting once I did the XP repair.

A side note. This is probably known, but just in case for someone going
through a similar problem - before doing an XP repair always disable
antivirus software. I remember that from upgrading to XP but failed to
do it this time while repairing. Had to use the recovery console to
disable Norton antivirus. Otherwise the repair process kept failing,
rebooting the machine in the middle of installation while installing
drivers.
 
Peter R. Fletcher

Glad you got it sorted. The problem you describe with reinstalling in
the presence of AV software isn't 100% consistent, and may depend on
the version and on other software installed - I have got away with it
in the past. Your recommendation is a sensible one, however.

 
