My organisation is connected to the internet via a 64k data line. I use network address translation (NAT) and access lists on my router to map internal IP addresses to the outside and give staff access to the internet. The problem is that internet traffic seems to be at peak all the time despite the number of computers accessing the internet. I suspect that some computers are sending traffic continuously to the internet. So, is there a way of detecting which IP addresses or which computers are sending this traffic? Can spam increase the amount of traffic in such magnitude? If so, is there a way of blocking spam on the router or whichever? Is there anything I need to take into consideration to control traffic flow on my router interface before it goes out to the internet?
Depending on the number of computers on your LAN, the 64K line could easily become saturated.
One command that I have found helpful to determine which systems are sending or receiving the most traffic is the "ip accounting" interface command.
Then wait about a minute and do a "show ip accounting". Depending on how you have NAT set up (i.e. one to one, or one to many) you may get different results.
This command has been helpful to me in detecting the Nachi virus. If I do a "show ip accounting" and see a system sending 1 packet that is 92 bytes to various systems, then I can deduce it probably has the Nachi virus.
You could also create an IP extended access-list that permits and logs all kinds of IP traffic. Then, you could either do a "show log" command periodically, to see what kind of traffic it is and who's sending it; or, if you're logging to a Syslog server, you can just review the accumulated logs there.
I use it as a crude intrusion detection system. Some of the things I look for: machines trying to connect to Microsoft networking ports 135, 137, 138, 139, 445, on subnets where no such computers exist. Or machines doing ping sweeps. Or machines attempting to connect to Microsoft SQL Server ports 1433 or 1434, where no SQL Server system exists. All of which are symptoms of some of the more recent worms (Nachi, Blaster, SQL) that have gone around the Internet.
If the source IP address of this traffic is on one of my networks, that machine gets cut off from Internet and intranet access until it can be cleaned.
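As an added example (not from this thread and not Cisco's own tooling), here is a small Python script that reads syslog lines in the IOS access-list log format the answer above relies on and flags the two patterns it describes: hosts probing the Microsoft networking and SQL Server ports across many addresses, and ping sweeps. The sample log lines, the threshold of five distinct targets and the list number 101 are constructed assumptions.

```python
import re
from collections import defaultdict

# Ports the answer names as worm symptoms when probed where no such
# service exists (Microsoft networking and SQL Server).
WORM_PORTS = {135, 137, 138, 139, 445, 1433, 1434}
# Flag a source once it has touched this many distinct hosts (assumed value).
SWEEP_THRESHOLD = 5

# Regexes modelled on IOS "%SEC-6-IPACCESSLOGP" / "%SEC-6-IPACCESSLOGDP" messages.
IP = r"(\d+\.\d+\.\d+\.\d+)"
TCPUDP_RE = re.compile(
    r"list \S+ (?:permitted|denied) (tcp|udp) " + IP +
    r"\((\d+)\) -> " + IP + r"\((\d+)\), (\d+) packets?")
ICMP_RE = re.compile(
    r"list \S+ (?:permitted|denied) icmp " + IP + r" -> " + IP +
    r" \((\d+)/\d+\), (\d+) packets?")

def find_suspects(log_lines, threshold=SWEEP_THRESHOLD):
    """Return {source_ip: [reasons]} for hosts whose logged ACL hits look like
    a worm-port sweep or a ping sweep against many distinct destinations."""
    port_targets = defaultdict(set)   # src -> destinations hit on worm ports
    ping_targets = defaultdict(set)   # src -> destinations hit with ICMP echo
    for line in log_lines:
        m = TCPUDP_RE.search(line)
        if m:
            _, src, _, dst, dport, _ = m.groups()
            if int(dport) in WORM_PORTS:
                port_targets[src].add(dst)
            continue
        m = ICMP_RE.search(line)
        if m and m.group(3) == "8":   # ICMP type 8 = echo request
            ping_targets[m.group(1)].add(m.group(2))
    suspects = defaultdict(list)
    for src, dsts in port_targets.items():
        if len(dsts) >= threshold:
            suspects[src].append("worm-port sweep")
    for src, dsts in ping_targets.items():
        if len(dsts) >= threshold:
            suspects[src].append("ping sweep")
    return dict(suspects)

# Constructed sample lines (not real router output): 10.0.0.7 probes port 135 on
# six hosts, 10.0.0.9 pings five hosts, 10.0.0.3 is ordinary web traffic.
SAMPLE_LOG = (
    [f"%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.7(1034) -> 10.9.9.{i}(135), 1 packet"
     for i in range(1, 7)]
    + [f"%SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.0.9 -> 10.9.8.{i} (8/0), 1 packet"
       for i in range(1, 6)]
    + ["%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.3(2201) -> 198.51.100.20(80), 12 packets"])

if __name__ == "__main__":
    for src, reasons in find_suspects(SAMPLE_LOG).items():
        print(src, ", ".join(reasons))
```

Flagged sources are candidates for the cut-off-and-clean step the answer describes; a "show ip accounting" top-talker list can be cross-checked the same way.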