User's Manual

UTT Technologies Appendix B FAQ
http://www.uttglobal.com Page 412
8. How to troubleshoot faults caused by worm viruses or hacker attacks on the Device?
Note
Each of the following points can only be used as a reference for network troubleshooting,
but cannot be used as a basis for finding a network virus or attack.
A. How to find out who is using an IP/Port Scanner
When using an IP/Port Scanner, a host sends a large number of ICMP/UDP/TCP
packets to the target host in a very short time to detect whether the target IP address
exists or whether there are open ports on the target host. A host using an IP/Port Scanner
can generate a large amount of traffic, and too much traffic (i.e., too heavy a network load)
will cause network congestion, so other users may be unable to surf the Internet
normally.
On the Device, you can find out who is using an IP/Port Scanner in the following
three ways.
1) You can view the NAT Statistics list in the Status > NAT Stats page to find out if
there is a LAN host whose Overflow is larger than 100. If a host's concurrent NAT
sessions have reached the maximum value (configured in the Security > NAT
Session Limit page), any further request to create a new session will be discarded,
and the Overflow will be updated synchronously; so if a host's Overflow is larger
than 100, the host is suspected of using an IP/Port Scanner.
2) You can view the NAT Statistics list in the Status > NAT Stats page to find out if
there is a LAN host whose Tx Packets is far larger than Rx Packets. An IP/Port
Scanner often uses a forged source IP address to send out packets, so the
response packets cannot arrive at the sender; if a host's Tx Packets is far
larger than Rx Packets, the host is suspected of using an IP/Port Scanner.
3) You can view system logs in the Status > System Log page to find out if there is a
NAT exceeded log message. For example, the log message "NAT exceeded
192.168.16.221" means that the host with IP address 192.168.16.221 has exceeded
the maximum concurrent NAT sessions allowed by the Device (configured in the
Security > NAT Session Limit page), and this host is suspected of using an IP/Port
Scanner.
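The three checks above combined into one triage pass, as an added example that is not part of the manual. The record field names, the log timestamp format and the 10x Tx/Rx ratio are assumptions (the manual gives only the Overflow threshold of 100 and the "NAT exceeded" message text), and the sample data is constructed.

```python
import re
from collections import Counter

OVERFLOW_LIMIT = 100  # threshold stated in the manual (check 1)
TX_RX_RATIO = 10      # assumption: the manual only says "far larger" (check 2)
NAT_EXCEEDED = re.compile(r"NAT exceeded\s+(\d{1,3}(?:\.\d{1,3}){3})")

def nat_exceeded_hosts(log_lines):
    """Count 'NAT exceeded <ip>' log messages per LAN host (check 3)."""
    hits = Counter()
    for line in log_lines:
        match = NAT_EXCEEDED.search(line)
        if match:
            hits[match.group(1)] += 1
    return hits

def triage(nat_stats, log_lines):
    """Return {ip: [matched checks]}; more matches means a stronger lead."""
    findings = {}
    for row in nat_stats:
        reasons = []
        if row["overflow"] > OVERFLOW_LIMIT:
            reasons.append("overflow>100")
        # max(rx, 1) keeps the comparison valid for hosts with no replies
        if row["tx_packets"] > TX_RX_RATIO * max(row["rx_packets"], 1):
            reasons.append("tx>>rx")
        if reasons:
            findings[row["ip"]] = reasons
    for ip, count in nat_exceeded_hosts(log_lines).items():
        findings.setdefault(ip, []).append(f"nat_exceeded x{count}")
    return findings

# Constructed sample data: rows transcribed from Status > NAT Stats and
# lines copied from Status > System Log (field names and timestamps assumed).
SAMPLE_STATS = [
    {"ip": "192.168.16.221", "overflow": 340, "tx_packets": 98000, "rx_packets": 1200},
    {"ip": "192.168.16.50", "overflow": 0, "tx_packets": 5200, "rx_packets": 6100},
    {"ip": "192.168.16.77", "overflow": 120, "tx_packets": 4000, "rx_packets": 3900},
]
SAMPLE_LOG = [
    "2024-01-01 10:00:01 NAT exceeded 192.168.16.221",
    "2024-01-01 10:00:02 NAT exceeded 192.168.16.221",
    "2024-01-01 10:00:05 some other message 192.168.16.50",
]

if __name__ == "__main__":
    for ip, reasons in sorted(triage(SAMPLE_STATS, SAMPLE_LOG).items()):
        print(ip, ", ".join(reasons))
```

A host that matches only one check, such as 192.168.16.77 here, is a weaker lead than one matching all three, in line with the note that each point is a reference rather than proof.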
Note
Recommended solution: It is recommended that you stop all the running