
Win2k server communicating back to MS?!



trodas
11-19-2004, 11:06 AM
I have a small home network, consisting of no more than 8 computers. One W2k SP3 server, one W2k SP3 machine (mine), five WinXP computers and one oldie Win98se one, used as an mp3 player box + ICQ by my brother, when he comes home from college.
The problem is traffic. Using a WGR614v1 NetGear router and an FS108 NetGear switch behind it, for some, not ping-critical, computers.
The problem?
There is still traffic, even when I disabled everything. First thing is, that I disabled response to ping on the WAN port of the router - that way, if someone pings me, it just generates DL traffic, not precious UL traffic - my damn ISP offers only very low UL speeds on modems, currently only 384/96 :mad:
The problem is, that when I stop everything, every application that can access the net, I still get traffic. About 3-4k DL and 200-400 bytes UL.
It bothers me, because this is simply something beyond my control.
With a very simple test, simply unplugging every machine from the power outlet, I found that the Win2k SP3 server machine is responsible for the UL traffic. Dunno why, but since the OS is clean and there is no spyware (the machine is not used for surfing) or other nasty software - it must be Windows itself, trying to communicate back to Microsoft, I think.

So, I'm looking for a solution - like banning the server it's trying to communicate with using the hosts file, or banning the port in the router. Anyone have a clue how I get rid of this unwanted traffic? It also looks like removing the Win2K SP3 machine gets rid of most of the unwanted DL traffic that appears from "nowhere"... ;)

Suggestions, friends, please...? :)

trodas
11-20-2004, 02:01 AM
One user on a broadband forum already suggested this:


Terminal Services installed on W2K Server, then yes, it will "phone-home" to MS, to communicate with some master TS licensing server

...which seems to be it. Of course I have to use Terminal there, however how to "deal" with this "phone-home"?
I have the server licensed, of course, and registered, but I just don't want additional traffic to happen.

What bothers me is the unknown internet traffic. I want it to be gone, because when it appears again, it's obvious that one of my boxes is infected. Now a little trojan traffic sure can hide... :(

Any possible help?

http://doublescan.wz.cz/traffic.gif

trodas
11-20-2004, 02:39 AM
A little update - netstat -an after a clean reboot (no eMule and then hundreds of IPs):

http://doublescan.wz.cz/netstat.gif

...there is nothing suspicious (and simply nothing that can generate traffic), though the traffic during restart of the server drops to zero (hooooray!), however gets back to the standard rate when it boots up again. Damn.
I'm afraid that netstat -an simply did NOT show the windows "home-call"... :mad: Damn M$!

And no, I have a cable connection and the traffic on the router is reported ZERO (at least the UL traffic, DL continues to happen, though) when the server is restarting/offline.
So no, this is not the case.

Luckily I can at least disable the ping response, so anyone who pings my IP does not generate UL (not just DL) traffic as well. Like I say, with just 96k UL this IS important.

BTW, little update - running services on my server - suggestions to disable some unnecessary ones are welcome :devil:
http://doublescan.wz.cz/services.gif
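An added example, not part of the thread, of the kind of check the netstat -an snapshot above is meant to support. The sample output is constructed (it is not the poster's server) and the script classifies sockets into listening ports and connections to non-local addresses, then diffs two snapshots. The important caveat it encodes is that netstat only shows sockets that exist at the instant it runs: a short-lived or periodic connection is easily missed in a single snapshot, which is why one clean listing does not prove nothing is sending.

```python
"""Classify and diff `netstat -an` snapshots (added example, not from the thread).

The sample text below is constructed in the Windows `netstat -an` layout;
the addresses are private or documentation ranges, not real hosts.
"""
import ipaddress

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:1044      ESTABLISHED
  TCP    192.168.1.10:1031      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.10:1029      *:*
"""

# A second constructed snapshot taken "a minute later": one new outbound socket.
SAMPLE_LATER = SAMPLE_NETSTAT + "  TCP    192.168.1.10:1040      198.51.100.9:443       SYN_SENT\n"

# Address ranges that never leave the LAN. Checked explicitly rather than via
# ipaddress.is_private, whose definition varies between Python versions.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "0.0.0.0/8")]


def split_endpoint(endpoint):
    """'192.168.1.10:139' -> ('192.168.1.10', '139'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        rows.append({
            "proto": parts[0],
            "local": split_endpoint(parts[1]),
            "foreign": split_endpoint(parts[2]),
            "state": parts[3] if len(parts) > 3 else "",  # UDP rows carry no state
        })
    return rows


def is_external(host):
    """True only for a routable address outside the LAN, loopback and wildcard ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' placeholder in UDP rows
    return not any(addr in net for net in LOCAL_NETS)


def suspicious_rows(rows):
    """Sockets talking to a non-local foreign address: the ones to account for."""
    return [r for r in rows if is_external(r["foreign"][0])]


def listening_ports(rows):
    """(proto, port) pairs that accept traffic: TCP LISTENING and bound UDP sockets."""
    ports = set()
    for r in rows:
        if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["foreign"] == ("*", "*")):
            ports.add((r["proto"], r["local"][1]))
    return sorted(ports)


def new_connections(before_text, after_text):
    """Sockets present in the second snapshot but absent from the first.

    A single snapshot misses anything that opens and closes between runs, so
    repeated snapshots (or a packet capture on the router side) are needed
    before concluding that a host is quiet.
    """
    seen = {(r["proto"], r["local"], r["foreign"]) for r in parse_netstat(before_text)}
    return [r for r in parse_netstat(after_text)
            if (r["proto"], r["local"], r["foreign"]) not in seen]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    print("external:", [r["foreign"] for r in suspicious_rows(rows)])
    print("new since last run:", [r["foreign"] for r in new_connections(SAMPLE_NETSTAT, SAMPLE_LATER)])
```

On a live box the text would come from the output of `netstat -an` redirected to a file; on Windows 2000 there is no `-o` switch to show the owning process, so mapping a suspicious socket to a program still has to be done by stopping services one at a time, as the poster does in the next message.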

trodas
11-20-2004, 09:05 AM
I just tried to disable every service to see which one causes the problems - however a few can't be disabled :(
Terminal services are among them, so... :mad:

Anyone know/can determine the IP/DNS address of the TS licensing server? I will then add it to the hosts file, like:
127.0.0.1 tslicense.micro*hit.com
...so every access to "tslicense.micro*hit.com" will go to the local machine - effectively blocking the traffic w/o any problems :D
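An added example, not the poster's, of what the hosts-file approach above does and does not do. The thread never identifies the actual licensing host, so the name used here is a reserved `.invalid` placeholder, and the sample hosts file content is constructed. Two caveats the code makes explicit: hosts entries match one literal name each (no wildcards), and they only affect name resolution, so a program that connects to a fixed IP address is not affected at all.

```python
"""Parse, query and extend a Windows-style hosts file (added example, not from the thread).

On Windows 2000 the file lives at %SystemRoot%\\system32\\drivers\\etc\\hosts.
The content below is a constructed sample, not the poster's file.
"""
import re

HOSTS_BEFORE = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.10    server        # the LAN server, local name only
"""

# Placeholder for the host to block; the real name is not given in the thread.
PLACEHOLDER_HOST = "license.example.invalid"


def parse_hosts(text):
    """Map each listed host name (lower-cased) to its address; first entry wins."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def resolve(mapping, name):
    """Hosts-file lookup: exact, case-insensitive match only.

    None means the name is not listed and would fall through to DNS. A
    hosts entry never matches a connection made directly to an IP address.
    """
    return mapping.get(name.lower())


def add_block_entry(text, name, target="127.0.0.1"):
    """Append `target name` unless the name is already listed.

    Rejects anything that is not a literal host name: the hosts file has no
    wildcard syntax, so one entry covers exactly one name.
    """
    if not re.fullmatch(r"[A-Za-z0-9.-]+", name):
        raise ValueError("hosts entries take literal host names; wildcards are not supported")
    if resolve(parse_hosts(text), name) is not None:
        return text  # already present, leave the file untouched
    return text.rstrip("\n") + f"\n{target}\t{name}\n"


if __name__ == "__main__":
    after = add_block_entry(HOSTS_BEFORE, PLACEHOLDER_HOST)
    print(after)
    print(PLACEHOLDER_HOST, "->", resolve(parse_hosts(after), PLACEHOLDER_HOST))
```

The blocking effect, when the name is right, is that every lookup of that name answers with the local machine, so the connection attempt never leaves the box; the traffic that does not go through a DNS name, or that uses a name other than the one listed, is unchanged.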

trodas
11-20-2004, 11:48 AM
Could the negative netstat check test be related to the fact that the server is behind a firewall? :rolleyes:

I mean - what if - the outgoing traffic is simple server requests for a response from the "master Microsoft server" and the incoming traffic is the response, however, it will not reach the server, so it looks like it continues forever :(
IMHO it could be it.
The MS server sees my IP as the source, but the IP of the server on the local network behind the firewall just differs from the external IP, so... The reply can't reach the machine, if MS doesn't have this Terminal Services licensing stuff ready for proxy servers and FW/routers in general...
(just like direct connections on ICQ/AIM)

Could be? :(

trodas
11-29-2004, 03:14 AM
I followed another hint and installed Ad-Aware and it found 12 critical objects. Upon removing these + reboot, the traffic is gone.

Finally no UL traffic is happening when I end every network application. Hoooray! :)

...now just how to get rid of about 2k DL traffic, absolutely unwanted. It could very well just be scanning/pinging (my router does not answer ping, but still - what else could this be?) ... :rolleyes:

Others suggested using static DNS settings. However I already have static DNS set - my ISP offers getting them automatically, but this won't work behind a router, so every LAN box has static IP and static DNS settings as well.

At least I'm almost done! :D